Master Service Agreement
Last updated: January 19, 2022
PDF version (download)
THIS SERVICE AGREEMENT CONSTITUTES A LEGALLY BINDING CONTRACT ON YOU AND GOVERNS THE USE OF AND ACCESS TO THE SERVICES BY YOU AND END-USERS WHETHER IN CONNECTION WITH A PAID OR FREE TRIAL SUBSCRIPTION TO THE SERVICES.
CUSTOMER IS RESPONSIBLE FOR CAREFULLY READING THE TERMS OF THIS MASTER SERVICES AGREEMENT BEFORE SIGNING A SUBSCRIPTION ORDER, CLICKING “ACCEPT” AND/OR ACCESSING OR USING ANY ETHOSDATA SERVICES. By accepting this Agreement, either by accessing or using the Service, or authorizing or permitting any End- User to access or use a Service, You agree to be bound by this MASTER SERVICE AGREEMENT as of the date of such access or use of the Service (the “Effective Date”) as defined in the “Subscription Order” . If You are entering into this Agreement on behalf of a company, organization or another legal entity (an “Entity”), You are agreeing to this Agreement for that Entity and representing to EthosData that You have the authority to bind such Entity and its Affiliates to this Agreement, in which case the terms “Customer,” “You,” “Your” or a related capitalized term herein shall refer to such Entity and its Affiliates. If You do not have such authority, or if You do not agree with this Agreement, You must not use or authorize any use of the Services.
Each Party represents and warrants to the other that (a) this Agreement has been duly executed and delivered and constitutes a valid and binding agreement enforceable against such Party in accordance with its terms; (b) no authorization or approval from any third party is required in connection with such Party’s execution, delivery or performance of the Agreement; and (c) the execution, delivery and performance of the Agreement does not and will not violate the terms or conditions of any other agreement to which it is a party or by which it is otherwise bound, or any applicable law or regulation.
DEFINITIONS
“Affiliate”: any entity that directly or indirectly owns or controls, is owned or controlled by, or is under common ownership or common control with EthosData or Customer, as the case may be.
“Applicable Laws“: means (a) European Union law or any laws of a member state of the European Union in respect of which EthosData or any EthosData Affiliate is subject to; and (b) any other applicable law in respect of which EthosData or any EthosData Affiliate is subject to;
“Contracted Processor“: means EthosData or a Sub processor;
“Customer”: as set out in the Subscription Order.
“Customer Personal Data“: means any Personal Data which may be Processed by a Contracted Processor on behalf of the Customer pursuant to or in connection with this Agreement;
“Data Protection Legislation“: means from 25 May 2018, the GDPR, and, to the extent applicable, the local data protection or privacy laws of any other country where EthosData is established and provides Services from pursuant to this Agreement, including the United Kingdom following any exit from the European Union;
“Data Room”: collectively those EthosData URLs, web site contents and features licensed by Customer through which Users may access, process, store and communicate User Files.
“EU“: means the European Union;
“GDPR“: means EU General Data Protection Regulation 2016/679;
“Services”: collectively all EthosData Data Rooms, EthosData web site features, software, application programming interfaces, systems, support, additional services, and all related materials and documentation, provided by or on behalf of EthosData to Customer pursuant to this Agreement.
“Subprocessor” means any person (excluding an employee of EthosData) appointed by or on behalf of EthosData to Process Personal Data on behalf of any Customer;
“Term“: as set out in subsection 5(a).
“Subscription Order”: the Data Room Instruction set forth and any written instruction for other or additional Services separately entered into by Customer and EthosData at or after the Contract Date.
“User(s)”: those persons (including without limitation employees and advisors of Customer or any third party) authorized from time to time by Customer or its designated Data Room managers, pursuant to methods directed by EthosData, to access, process, store and/or communicate User Files through Data Rooms. All Users are counted on a per-Data Room basis.
“User File(s)”: any printed, electronic or digital document or information that is uploaded or copied to a Data Room.
1 LICENSE
EthosData grants to Customer a limited, non- exclusive, non-transferable, limited right and license to access and use, and permit its authorized Users to use and access, the Services, in accordance with the terms and conditions of this Agreement and each Work Instruction. The rights and obligations of the parties covered in any Work Instruction between the parties shall be governed by these terms and conditions. In the event of any inconsistency between a provision of these terms and conditions and a provision of any Work Instruction, the provision of the relevant Work Instruction shall prevail solely with respect to the Services provided and used hereunder. Customer may create and use Data Rooms only to the extent and for the purposes provided expressly under each Subscription Order.
2 PAYMENT
Customer agrees to pay EthosData fees and other charges according to each Subscription Order. EthosData may charge Customer separately for services not specified in Work Instructions (including without limitation new service features, consulting, programming, and integration services, and additional Data Rooms), provided that Customer has approved any such additional services and related charges in advance in writing. All fees and charges are payable to EthosData within 15 days of Customer’s receipt of invoice.
Failure to pay all the fees and charges when due may result in suspension of Services in accordance with section 5(b) below and any unpaid amounts shall be subject to interest at the annualized rate of 6% (600 Basis points) above HSBC UK Bank standard debit rate, accruing on a daily basis calculated on such past due amount from the due date for payment until payment is made. EthosData reserves the right to claim interest under the Late Payment of Commercial Debts (Interest) Act 1998. Customer will be responsible with any charges or costs associated with any collection efforts to collect the unpaid amount. Charges and other amounts payable under this Agreement exclude applicable taxes. All amounts are payable in THE CURRENCY MENTIONED IN SUBSCRIPTION ORDER.
3 CUSTOMER EQUIPMENT
Customer shall obtain and maintain, at its own expense, the hardware, software and Internet connectivity (the “Equipment”) required for Customer to access and use the Services. EthosData shall not be responsible for any problem related to the Services resulting from the performance or failure of this Equipment, the failure or disruption of any telecommunications service, Internet connection, Internet service provider, or any other third-party communications provider, force majeure, or any other failure or problem not attributable to EthosData or its subcontractors. Furthermore, EthosData will not be liable to Customer under this Agreement to the extent such liability arises as a consequence of: (i) any act or omission of EthosData undertaken on the instruction of Customer or a User; or (ii) a breach by Customer of this Agreement.
4 DATA ROOM MANAGEMENT
Customer authorizes EthosData to act on any instructions reasonably believed by EthosData to be communications from Customer or, its designated Data Room administrators and Users acting on Customer’s behalf, with respect to the management of Customer’s Data Rooms. Customer acknowledges its Data Room administrators shall be authorized on Customer’s behalf, among other things, to add and remove other Data Room administrators, permit any person to upload User Files to Data Rooms, and manage each User’s access to User Files. The Customer is solely responsible for keeping all user names, passwords and other means of access to the Data Rooms confidential and secure from unauthorized use.
5 TERM & TERMINATION
(a) This Agreement commences on the Effective Date as mentioned in the “SUBSCRIPTION ORDER” and continues in effect until terminated (i) by agreement of the parties (ii) thirty days after the delivery of written notice of termination by either party to the other and after completion of performance of all Subscription Order in accordance with their terms, or (iii) in accordance with subsection 5(b). Except as otherwise expressly provided in any Subscription Order, upon termination of this Agreement, EthosData’s Services shall cease and Customer will discontinue use of any Data Rooms provided hereunder.
(b) Notwithstanding the foregoing, either party may terminate this Agreement immediately by written notice if the other party: (i) becomes insolvent; (ii) becomes the subject of a petition in bankruptcy which is not withdrawn or dismissed within 60 days thereafter; (iii) makes an assignment for the benefit of creditors; or (iv) breaches any material obligation under this Agreement (including but not limited to payment obligations) and fails to cure such breach within 30 days after delivery of notice thereof by the non-breaching party. Without limiting the generality of any other provision of this Agreement, EthosData may suspend access to Data Rooms by Customer and Users upon 5 business days’ prior written notice to Customer in the event any EthosData invoice that is not then subject to bona fide dispute has not been paid within 30 days after issuance and is still unpaid as of the end of such notice period. EthosData may terminate or suspend this Agreement immediately upon notice if it determines in its reasonable judgment that there exists any actual or potential defect in the Services that materially impairs the reliability or integrity of the operation thereof, or that continuing to provide or use the Services pursuant to this Agreement would infringe upon the intellectual property rights of any third party, or that the Services have been or may be used by the Customer for any illegal transaction or unlawful purpose.
(c) Termination or expiry of this Agreement (in whole or in part) shall be without prejudice to any provision of this Agreement which expressly (or by implication) is intended to survive such termination or expiry (including Sections 5(c) and 6, 7, 9, and 12 through 14).
6 OWNERSHIP OF USER FILES
User Files are and shall remain the property of Customer (or their respective third party owners if any) and shall not be considered part of the Services. Customer acknowledges and agrees that EthosData shall not be responsible for the content of User Files or the modification, use or publication of User Files by any User or third party (other than EthosData’s agents and subcontractors). EthosData shall not be responsible for the content, accuracy or completeness of any User File provided by Customer and obtained by a User from a Data Room. Customer acknowledges that Data Rooms are intended to hold secondary copies of User Files and not to maintain master or original documents.
7 OWNERSHIP OF SERVICES
Customer shall not redistribute for commercial purposes, reverse engineer, disassemble, transfer or use the Services in any manner inconsistent with the terms and conditions of this Agreement. As it relates to the parties, EthosData owns and shall retain all right, title, and interest in and to the Services, including without limitation all related applications, user interface designs, processes, software and source code, and any and all future enhancements or modifications thereto made, and all intellectual property rights therein.
8 CONFIDENTIALITY
(a) “Confidential Information” means any and all information disclosed by or at the direction of either party to the other in connection with the provision or use of Services under this Agreement, including, without limitation, information related to the business, technology, operations, employees, properties, and clients of the disclosing party. Without limiting the foregoing, all information, processes, know-how, designs and technology relating to the Services as well as the terms of this Agreement will be deemed EthosData’s Confidential Information, and all User Files shall be treated as Customer’s Confidential Information. Notwithstanding the foregoing, “Confidential Information” does not include any information that a receiving party can demonstrate: (i) was known to it prior to the information’s disclosure in connection with provision or use of the Services; (ii) is or becomes known publicly through no wrongful act of the receiving party; (iii) was rightfully received from a third party under no contractual, legal or fiduciary obligation to keep such information confidential; or (iv) was independently developed by the receiving party, without the use of any Confidential Information received in connection with provision or use of the Services.
(b) Each receiving party agrees that it shall use Confidential Information of the disclosing party solely in the performance of this Agreement and for no other purpose. Each party shall use the same degree of care to protect the other party’s Confidential Information as it uses to protect its own confidential information of like nature. Each party agrees not to disclose the other party’s Confidential Information to any person or entity other than: (i) to employees, agents, subcontractors or consultants of the receiving party on an as-needed basis, provided such persons have entered into written confidentiality agreements consistent with this section 8 or otherwise are bound under substantially similar confidentiality restrictions; (ii) to the extent required by court order, legal process, governmental or exchange regulation or applicable law, provided that the party required to disclose the information provides prompt advance written notice thereof to the other party; (iii) with respect to User Files, as authorized by Customer or its Data Room managers; or (iv) otherwise solely as expressly authorized in writing by the disclosing party. Notwithstanding any provision hereof to the contrary, EthosData may use and disclose statistical data regarding the use of the Services, provided no User or particular transaction shall be identified in connection with such statistics.
(c) Each party acknowledges and agrees that the use or disclosure of Confidential Information inconsistent with this Agreement might cause irreparable harm to a disclosing party, the extent of which would be difficult to ascertain. Accordingly, each party agrees that, in addition to any remedies available at law, any non- breaching party shall have the right to obtain immediate injunctive relief, in the event of a breach or threatened breach of this section 9 by the other party, any of its Affiliates or their representatives.
9 WARRANTIES
EthosData warrants the Services will be provided in a manner reasonably designed for the secure maintenance and distribution of User Files. Other than the foregoing, the Services are provided on an “as is” and “as available” basis without warranty of any kind. EthosData makes no warranty that the Services will be uninterrupted, error free or available at all times. EthosData does not warrant the compatibility or operation of the Services with all hardware and software configurations. Customer acknowledges and agrees that technical problems may prevent EthosData from providing all or part of the Services. In no event shall EthosData be liable hereunder to Customer or any third party for any damages or loss resulting from problems as defined in section 3. Without limiting the foregoing, Customer acknowledges that features of the EthosData service designed to restrict access to or use of User Files cannot prevent manual copying of displayed information and may not prevent electronic or digital capture of document contents by Users using third party software designed to circumvent such system features. Except as set forth in this section 9, EthosData makes and Customer receives no warranties, express or implied, regarding or relating to the subject matter hereof. EthosData disclaims, to the fullest extent permitted by law, all implied warranties of merchantability, fitness for a particular purpose and non-infringement with respect to the subject matter hereof. Customer hereby acknowledges that it has not relied on any warranty, condition, guaranty or representation by EthosData other than those contained in this Agreement.
Customer warrants that it is not owned or controlled by, nor does it own or control, directly or indirectly, a person or entity that is (i) on the list of Specially Designated Nationals and Blocked Persons maintained by the Office of Foreign Assets Control of the U.S. Department of the Treasury or the U.K. Consolidated Financial Sanctions List maintained by Her Majesty’s Treasury; or (ii) subject to country sanctions imposed by the U.S. Government for anyreason, including but not limited to being organized or headquartered in or a governmental entity of a country subject to such sanctions (currently Cuba, Iran, Syria and Sudan); or (iii) organized or headquartered in any other country to which the export or re-export of U.S. origin goods or technologies are generally embargoed (currently North Korea). Additionally, Customer warrants that it does not intend to and will not knowingly supply or use EthosData Services to or for the benefit of any of the foregoing. Customer agrees that it will notify EthosData if these circumstances change. For purposes of this provision, “owned” and “own” mean an interest of 50 percent or more and “control” means the right or ability to dictate the decisions, actions, and/or policies of an entity or its management. If Customer breaches this section, in addition to any other rights or remedies EthosData may have, EthosData may without obligation immediately terminate this Agreement and/or any affected Subscription Order.
10 REPRESENTATIONS
Customer represents and warrants to EthosData that the disclosure of User Files to EthosData and to Users at the direction of Customer’s Data Room managers shall not violate any applicable law, regulation or third party rights in any material respect. Each party executing this Agreement represents to the other that it is authorized and has all rights necessary to enter into and be bound under this Agreement, and no law, regulation, court order or third party agreement prohibits its performance of this Agreement.
11 INDEMNIFICATION
(a) EthosData will indemnify, defend and hold harmless Customer from and against any and all damages, liabilities, losses, costs and expenses (including, but not limited to, reasonable lawyers’ fees) (collectively, “Losses”) resulting from any third-party claim, suit, action, investigation or proceeding (each, an “Action”) brought against Customer based on the infringement by EthosData of any third-party trade secret, copyright, U.S.- or UK-issued patent or registered trademark (an “Infringement Claim”) except to the extent such Action is based on Customer’s wilful misconduct or technical problems. In the event of an Infringement Claim, EthosData may satisfy Its obligations hereunder by any of the following actions: (A) procure for Customer the necessary right to continue using the Services; (B) replace or modify any infringing portion of the Services with a functionally equivalent non-infringing substitute thereof; (C) modify the Services so as to be non-infringing; or (D) if none of the foregoing are commercially reasonable, terminate this Agreement. In the event of such termination, Customer shall be entitled to a refund of any prepaid fees for the unexpired portion of the Term. EthosData shall have no liability for any Infringement Claim based on Customer’s use of the Services in a manner not authorized hereunder, use of any third party software or Equipment not furnished by EthosData, or use of a superseded or altered release of the Services or associated software if the infringement would have been avoided by the use of a current unaltered release of the Services or associated software made available to Customer.
(b) Customer shall indemnify, defend and hold harmless EthosData, its Affiliates and its and their respective officers, directors, employees and representatives from and against any and all Losses arising from or relating to any Action brought against EthosData based on: (i) breach by Customer of any terms and conditions of this Agreement; or (ii) the use of the Services or any User Files by Customer or any Users acting for Customer or its Affiliates, in violation of this Agreement, any applicable law, regulation or third party rights, except, in any case, to the extent such Action is based on EthosData’s wilful misconduct.
(c) Indemnification under subsections (a) and (b) hereof will be provided only on the conditions that: (i) the indemnifying party is given written notice within 15 calendar days after the indemnified party receives notice of the subject Action; (ii) the indemnifying party has sole control of the defence and all related settlement negotiations, provided any settlement that would impose any monetary or injunctive obligation upon the indemnified party shall be subject to such party’s prior written approval; and (iii) the indemnified party provides cooperation and information in furtherance of such defence, as reasonably required by the indemnifying party.
12 LIMITATION OF LIABILITY
Except to the extent permissible under applicable laws, in no event shall either party be liable to the other party for any loss of profit, loss of business, loss of data, or for any indirect, incidental, consequential, special or exemplary damages arising in connection with the Services provided in terms of this Agreement (whether based on breach of contract, breach of warranty, negligence or any other legal theory), even if the other party has been advised of the possibility of such damages. Except to the extent permissible under applicable laws, in no event shall EthosData’s aggregate liability exceed for any damages, the total Fees payable by Customer to EthosData, and for any and all damages in connection with this Agreement during such year. No action, regardless of form, arising out of or related to this agreement may be brought by Customer more than twelve (12) months after the cause of action first arose.
13 DATA PROTECTION
(a) The terms “Controller”, “Data Subject”, “member state”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR.
(b) Processing of Customer Personal Data.
(b.1) Customer is the Controller and will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation. EthosData shall only process Customer Personal Data on the documented instructions of the Customer or their appointed representative (administrator), unless otherwise required by an Applicable Law to which EthosData is subject, in which case EthosData shall inform Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest.
(b.2) For the purpose of section (b.1) the Customer instructs EthosData (and authorises EthosData to instruct each Subprocessor) to Process Customer Personal Data and in particular to transfer Customer Personal Data to, and access Personal Data from, any country or
territory, as reasonably necessary to provide the Services and comply with this Agreement. Customer warrants and represents that it is and will at all relevant times remain duly authorised to give this instruction.
(b.3) Annex 1 to this Agreement sets out certain information as required by Article 28(3) of the GDPR, and the Customer warrants it is an accurate reflection of the Processing activities pursuant to this Agreement.
(c) Personnel. EthosData will ensure that all employees or contractors of any Contracted Processor who have access to Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
(d) Security. During the Term, EthosData will implement appropriate technical and organisational measures, taking into account the measures required by Article 32 of the GDPR, which measures may be updated by EthosData from time to time provided that such updates shall not [materially] decrease the protection of Personal Data for Data Subjects. The Customer may implement its own additional measures, for example applying encryption before the data is transferred to any Contracted Processor (“Customer Security Measures”), provided always that no Contracted Processor shall be required to change any of its measures.
(D.3) The Customer warrants that on the date of this Agreement, all Customer Personal Data provided to any Contracted Processor has been collected and Processed by the Customer in accordance with all Applicable Laws and the Customer has ensured that there is and there will continue to be a lawful basis for the Contracted Processors to Process such Personal Data.
(e) Subprocessing.
(e.1) Customer authorises EthosData to appoint (and permit each Subprocessor to appoint) Subprocessors in accordance with this Agreement and any restrictions in this Agreement.
(e.2) Customer specifically authorises EthosData to permit any of its Affiliates to process Personal Data, further, as at the date of the agreement, the Customer generally authorises the subprocessors listed on EthosData’s sub- contracting webpage at [https://blog.ethosdata.com/dataroom-blog/subprocessors/] (“Subprocessor List”) to Process Customer Personal Data as required to provide the Services, subject to EthosData in each case, as soon as practicable, meeting the obligations set out in section (e.4) (in each case, an “Authorised Sub-Processor”).
(e.3) Provided the Customer has enrolled to receive automatic notifications of any updates to the Subprocessor List, EthosData shall ensure the Customer receives a notification of any updates to the list as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorised Sub-Processors, save for any Affiliates, that will Process any Customer Personal Data (“New Sub-Processor”). If, within [14] calendar days of receipt of that notice, Customer notifies EthosData in writing of any objections (on reasonable grounds) to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably) the commercially reasonable steps to be taken to ensure that the New Subprocessor in question is compliant with Article 28(4) of the GDPR. Where the Customer considers, acting reasonably, that the risks involved with the subprocessing are still unacceptable in the context of Article 28(4), within 30 calendar days following the proposal in relation to the appropriate steps, the parties shall promptly seek to resolve the issues. Where the parties are unable to resolve the issues within such timeframe, Customer’s sole remedy will be to terminate this Agreement.
(e.4) With respect to each Subprocessor, EthosData shall: (i) ensure that the arrangement between EthosData and the Subprocessor is governed by terms and conditions or a service agreement which [are the same] OR [offers no less protection for Customer Personal Data] as those terms set out in this Agreement and (ii) if that arrangement involves the transfer of Personal Data to a country outside of the European Union that has not been determined to ensure an adequate level of protection for Personal Data, at EthosData’s discretion: either (a) ensure that an appropriate data transfer safeguard is in place in compliance with Chapter IV of the GDPR, including certification with the privacy shield framework, or (b) where required to ensure compliance with Data Protection Legislation, use commercially reasonable endeavours to procure that the Subprocessor enters into standard contractual clauses approved by the European Commission directly with the relevant Customer.
(f) Data Subject Rights.
(f.1) Customer shall, in the first instance, comply with requests received from any Data Subjects to exercise their rights pursuant to Chapter III of the GDPR by itself accessing the Customer Personal Data held on EthosData’s website platform.
(f.2) Subject to section (f.1) and taking into account the nature of the Processing, EthosData shall assist Customer, at the Customer’s cost, to comply with requests to exercise Data Subject rights under the Data Protection Legislation by notifying the Customer without undue delay if any Contracted Processor receives a formal request directly from a Data Subject to exercise any of its rights under Chapter III of any Data Protection Legislation in respect of Customer Personal Data.
(g) Personal Data Breach.
(G.1) EthosData shall notify the Customer without undue delay, [and in any event within 72 hours], upon EthosData becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with information (as and when available) to assist the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Legislation.
(g.2) EthosData shall, at the Customer’s cost, co-operate with the Customer and take such reasonable commercial steps as are reasonably instructed by the Customer to assist in the investigation of each such Personal Data Breach.
(h) Data Protection Impact Assessment and Prior Consultation. Where the Services involve high risk Processing of Personal Data, EthosData shall, at the Customer’s cost, provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
(i) Deletion or Return of Customer Personal Data. Subject to the requirements of any applicable exit plan in this Agreement, EthosData shall either return or delete and procure the deletion of all Customer Personal Data held by EthosData upon termination of this Agreement and following cessation of any Services involving the Processing of Customer Personal Data. Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Laws to the extent and for such period as required by Applicable Laws (and for clarity, it is acknowledged that EthosData may retain troubleshoot/service desk ticket information in an anonymised and aggregate manner).
(h) Audit Rights
(H.1) Subject to section (h.2) and (h.3), EthosData shall make available to Customer on reasonable request such information reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR, but in any event EthosData is not obliged to provide permanent copies of such information (and, at EthosData’s discretion, EthosData may instead invite the Customer to attend on-site subject to supervision and a commitment to comply with reasonable security and confidentiality controls). In particular, EthosData shall inform Customer if, in its reasonable opinion, an instruction provided by the Customer pursuant to section (b.2) infringes the GDPR or any other Data Protection Legislation, save that EthosData shall not be obliged to conduct any legal review or analysis and in such instance, EthosData shall not be required to comply with such unlawful instruction until the Customer varies its instruction to ensure legal compliance.
(h.2) Where applicable, if the Customer is not otherwise satisfied by its audit rights pursuant to this Agreement, EthosData shall, at the Customer’s costs, allow for audits by an auditor mandated by Customer (subject to section (H.3) and to such auditor being subject to written confidentiality obligations in relation to such information) in relation to the Processing of the Customer Personal Data, provided that: (i) Customer shall give EthosData reasonable notice of any audit or inspection to be conducted; (ii) Customer shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) it minimises the disruption to the Contracted Processors’ business in the course of such an audit or inspection and such audits or inspections shall be conducted during normal working hours; and (iii) a Contracted Processor need not contribute or allow for an inspection or audit more than once in any calendar year, except for any audit or inspections mandated by a regulator.
(H.3) EthosData may object in writing to an auditor mandated by the Customer if the auditor is, in EthosData’s reasonable opinion, not suitably qualified or independent, a competitor of EthosData, or otherwise unsuitable. In the event of such an objection, the Customer shall appoint another auditor or conduct the audit itself.
(i) Transfers. Customer and each Customer Affiliate (as “data exporter”) and EthosData on behalf of each Contracted Processor established outside the European Union (as “data importer”) with effect from the commencement of the relevant transfer hereby enter into the Processor EU Model Clauses in respect of any transfer (or onward transfer) where such transfer would otherwise be prohibited by Data Protection Legislation. Appendix 1 to the Processor EU Model Clauses shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Agreement and the processing operations are deemed to be those described in this Agreement. Appendix 2 to the Processor EU Model Clauses shall be deemed to be prepopulated with the following “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood for the rights and freedoms of natural persons, each Contracted Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate the controls described in Article 32(1) of GDPR.”
(j) Costs. EthosData shall provide assistance pursuant to this Agreement upon reasonable prior written notice during normal working hours. Any effort beyond [two (2)] man days’ effort per annum (or its equivalent in hours) shall be at the Customer’s cost as per EthosData’s then current standard rate card.
14 GENERAL TERMS
(a) Notices. Except as otherwise expressly provided, all notices, requests, demands or consents under this Agreement must be in writing, and be delivered personally, by certified mail, or by internationally recognized courier service to the addresses of the parties set forth in this Agreement.
(b) Assignment. Except as otherwise provided below, neither party may assign this Agreement or any rights or obligations hereunder without the prior written consent of the other party. In the event of any proposed assignment of this Agreement to an Affiliate of a party, such consent shall not be unreasonably withheld. Either party shall have the right to assign this Agreement in connection with the merger, reorganization or acquisition of such party or the sale of all or substantially all of its assets related to this Agreement, without such consent. Any purported assignment of this Agreement in violation of this subsection shall be invalid. This Agreement shall be binding upon and inure to the benefit of the parties, their respective successors and permitted assigns.
(c) Governing law; Jurisdiction. This Agreement shall be governed by and construed in accordance with English law, without giving effect to its conflict of laws principles, and the parties submit to the exclusive jurisdiction of English courts. The parties agree the United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement. All claims, controversies and disputes arising in connection with this Agreement shall be finally and exclusively settled by binding arbitration before a single arbitrator in London, England, such arbitration to be conducted pursuant to the UNCITRAL arbitration rules. A judgment upon any award rendered in such arbitration may be entered in courts of law.
(d) Independent Contractors; No Third Party Beneficiaries. The parties are independent contractors with respect to each other, and neither shall be deemed an employee, agent, partner or legal representative of the other for any purpose or shall have any authority to create any obligation on behalf of the other. No third- party beneficiary rights are granted as a result of or pursuant to thisAgreement.
(e) Force Majeure. Any delay in or failure of performance by either party under this Agreement will not be considered a breach and will be excused to the extent caused by any event beyond the reasonable control of such party including, but not limited to, acts of God, acts of civil or military authorities, strikes or other labor disputes, fires, interruptions in telecommunications or Internet or network provider services, power outages, and governmental restrictions.
(f) Modification. EthosData may make modifications or amendments to this Agreement by communicating to the Customer in writing where the Customer does not object (acting reasonably) to such amendments or modifications within 30 days of the date of such communication. No failure or delay by either party in exercising any right, power, or remedy hereunder shall operate as a waiver of such right, power, or remedy.
(g) Entire Agreement; Severability. This Agreement supersedes all prior agreements, understandings, representations, warranties, proposals, requests for proposal and negotiations, if any, related to the subject matter hereof (unless expressly repeated in this Agreement), and Customer shall have no right of action (except in the case of fraud) against EthosData in connection with any such agreement, understanding, representation, warranty, proposal or request. Each provision of this Agreement is severable from each other provision for the purpose of determining the enforceability of any specific provision.
ANNEX 1: DETAILS OF PROCESSING
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data. The subject matter are set out in this Agreement. The Customer Personal Data will be Processed for the duration of the term plus the period from the expiry until deletion in accordance with this Agreement.
The nature and purpose of the Processing of Customer Personal Data. The purpose of the processing is to allow Customer to utilize the Services for its operations. In particular, the Personal Data will be subject to the following basic processing operations, such as: use to set up, operate, monitor and provide the Services (including operational and technical support), data back-ups, fixes or upgrades, execution of Customer instructions and to ensure customer service of improvements in the platform.
The types of Customer Personal Data to be Processed. Data relating to individuals provided via the Services, by (or at the direction of) Customer or by end users, including name, email address and job details, and any other information uploaded by a Customer including name, address, phone number, email address, employment data. Information will also be collected automatically when a Customer or end-user logs on to the platform including, IP address, MAC address, website cookies, location data, log files, browser details.
Special Categories of Personal Data to be Processed
May reside in the files uploaded on the dataroom by the Customer, including information related to health of an individual. Such data will be stored on the dataroom but will not be accessed by EthosData.
The categories of Data Subject to whom the Customer Personal Data relates. Data subjects include the individuals about whom data is provided via the Services by (or at the direction of) Customer or by Customer end users.
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer Affiliates are set out in this Agreement. In addition, Data Controller agrees and declares as follows : (a) it is solely responsible for the accuracy of personal data and the means by which such personal data are acquired and the processing by the Data Controller, including instructing processing by Ethos Data, is and will be in accordance with the relevant provisions of the applicable data protection law particularly with respect to the security, protection and disclosure of personal data; (b) If processing by data processor involves any “special” or “sensitive” categories of personal data (as defined under the applicable data protection law), Data Controller warrants that it has collected such personal data in accordance with applicable data protection law; (c) the Data Controller will inform the data subjects (i) about its use of data processors to process their personal data including data processor and (ii) that their personal data may be processed outside of EU.