TERMS OF PURCHASE AND SERVICE
Last Updated October 21, 2019
THESE TERMS OF PURCHASE AND SERVICE (“AGREEMENT”) WILL GOVERN YOUR PURCHASE OF DENSITY HARDWARE, INCLUDING ANY SOFTWARE EMBEDDED IN DENSITY HARDWARE, AND USE OF DENSITY SUBSCRIPTIONS (BOTH DEFINED BELOW) AND IS ENTERED INTO BETWEEN DENSITY INC. (“DENSITY”) AND THE BUSINESS YOU REPRESENT (“CUSTOMER”). THIS AGREEMENT TAKES EFFECT WHEN YOU AGREE TO THE TERMS OF THIS AGREEMENT. YOU MAY SHOW YOUR AGREEMENT TO AND ACCEPTANCE OF THESE TERMS BY EITHER EXECUTING AN ORDER FORM OR STATEMENT OF WORK REFERENCING THIS AGREEMENT, CLICKING THE CHECK BOX LINKING TO THIS AGREEMENT, OR OTHERWISE ACCESSING OR USING THE SERVICES. DENSITY’S ACCEPTANCE OF ANY CUSTOMER ORDER IS EXPRESSLY CONDITIONED ON CUSTOMER’S ASSENT TO THIS AGREEMENT. NO TERMS OR CONDITIONS SET FORTH IN ANY CUSTOMER ORDER FORM, TO WHICH NOTICE OF OBJECTION IS HEREBY GIVEN, OR IN ANY FUTURE CORRESPONDENCE BETWEEN CUSTOMER AND DENSITY WILL ALTER OR SUPPLEMENT THIS AGREEMENT UNLESS BOTH PARTIES HAVE AGREED IN WRITING TO MODIFY THIS AGREEMENT. NEITHER DENSITY’S COMMENCEMENT OF PERFORMANCE NOR DELIVERY WILL BE DEEMED OR CONSTRUED AS ACCEPTANCE OF CUSTOMER’S ADDITIONAL OR DIFFERENT TERMS AND CONDITIONS.
1.1 “Channel Partner” means an entity that Density has authorized as a “reseller” of Density Products.
1.2 “Channel Partner Sale Agreement” means the order, agreement or other document between Customer and a Channel Partner for Customer’s purchase of Density Products. Terms that apply to Customer’s purchase and use of Density Products when purchased from a Channel Partner are specified in Section 12.
1.3 “Density Hardware” means any device ordered by Customer from Density hereunder.
1.4 “Density Products” means, collectively, the Density Hardware and the Density Subscriptions.
1.5 “Density Subscriptions” means those subscriptions to Density services ordered by Customer from Density hereunder.
2. SALES OF DENSITY HARDWARE
2.1 Sale. Subject to the terms and conditions of this Agreement, Density hereby sells to Customer the ordered Density Hardware. The Density Hardware is sold to Customer solely for use by Customer in connection with Density Subscriptions. Customer will not use the Density Hardware for any purpose other than use in connection with the Density Subscriptions.
2.2 Acceptance. Density reserves the right to accept or reject orders, in whole or in part, in its sole discretion, or to cancel any order previously accepted if Density determines that Customer is in default, Customer is in a location where Density cannot provide Density Products, or otherwise.
2.3 Fulfillment of Orders and Invoicing. Density will use commercially reasonable efforts to fill orders by Customer promptly upon acceptance by Density. Density retains the right to fulfill orders in part, based upon a Density-approved schedule. Any Customer requests for partial fulfillment are subject to approval by Density. Density will not be liable for any failure to deliver Density Products by any particular date or if the specified Density Product has not been commercially released.
2.4 Shipment Terms. All Density Hardware delivered pursuant to this Agreement will be suitably packed for shipment in Density’s standard shipping cartons, marked for shipment, and delivered to Customer or its carrier agent EXW (Incoterms 2010) Density’s facility, at which time title and risk of loss will pass to Customer. Density will select the carrier, unless the carrier chosen by Density will not fulfill the delivery, in which case Customer’s choice of substitute carrier is subject to Density approval. Customer will pay all freight, insurance, and other shipping expenses, as well as any special packing expense, unless otherwise agreed between the parties.
2.5 Embedded Software. The Density Hardware includes embedded software and firmware running on the Density Hardware (collectively, “Embedded Software”). Subject to Customer’s compliance with this Agreement, Density hereby grants Customer a limited, non-exclusive, non-transferable license to use the Embedded Software solely in connection with Customer’s authorized use of the Density Hardware under this Agreement during each Subscription Term (defined below). If Density integrates any modifications into the Density Hardware or Embedded Software, each such modification will be deemed to be part of the Density Hardware or Embedded Software and made available to Customer only under the terms of this Agreement.
3. DENSITY SUBSCRIPTIONS
3.1 Subscriptions. Density Subscriptions are sold on a monthly, annual or other specified period (each, a “Subscription Term”). The initial Subscription Term starts when Customer purchases the Density Subscription. Subject to the terms and conditions of this Agreement, solely during the Subscription Term, Density grants to Customer a limited, non-exclusive, non-transferable right during the Subscription Term to access and use the Density dashboard solely in connection with Customer’s internal business operations.
3.2 API Access. Subject to the terms and conditions of this Agreement, Density grants to Customer a limited, non-exclusive, non-transferable, revocable license during the Subscription Term to access and use the Density API materials in accordance with the related documentation provided by Density, and this Agreement, solely for the purposes of developing and operating an implementation of the Density API that permits Customer to access Customer Data and import it into other software applications. Customer must only use the Density API materials and documentation in accordance with applicable law.
3.3 Service Level Agreement. Density will use commercially reasonable efforts to provide Customer with the services during the Subscription Term and in accordance with the service levels set forth in the Density Service Level Agreement.
3.4 Support Policy. Density will use commercially reasonable efforts to provide Customer with the services during the Subscription Term and in accordance with the support levels set forth in the Density Support Policy.
4.1 Prices and Fees. The price of the Density Hardware and the fees for the Density Subscriptions are set forth on the order confirmation page prior to finalizing the purchase. Customer agrees to pay Density the amounts indicated for the Density Hardware and Density Subscriptions Customer selects. The price of the Density Hardware will be charged to the Payment Method (defined below) upon checkout, and the cost of freight, insurance, and other shipping expenses, as well as any special packing expense, will be charged to the Payment Method upon shipment. The fees for the Density Subscriptions will be charged to the Payment Method upon checkout and will cover fees for the initial Subscription Term. If the Subscription Term is renewed, the fees for any renewal Subscription Terms will be the then-current fee applicable to the Density Subscriptions and will be charged to the payment method upon renewal, unless otherwise agreed in writing between Customer and Density. Customer authorizes Density to charge the Payment Method for the prices and fees described above. Customer may upgrade, downgrade or cancel the selected Density Subscription plan at any time. Plan downgrades or cancellations will take effect only at the end of the then-current Subscription Term and must be made at least 3 business days prior to the next any renewal of the Subscription Term in order to avoid billing of the next renewal Subscription Term’s fees for any renewal Subscription Term at the prior rate. Customer will not receive a refund or credit for the remainder of the Subscription Term in the event of any downgrade or cancellation during a Subscription Term. Density Subscription upgrades will take effect immediately and Customer will be charged a prorated fee for the remainder of the then-current term based on the difference in price between the current plan and the upgraded plan. Stated fees do not include any related taxes, duties and similar charges (including without limitation sales and use taxes, duties or other governmental taxes or fees), all of which are Customer’s responsibility and will be charged to Customer’s Payment Method in addition to the fees.
4.2 Payment Method. Density may, from time to time, offer various payment methods, including without limitation payment by credit card, by debit card, by certain mobile payment providers or by using PayPal. Customer authorizes Density to charge Customer for Density Products through the payment method selected by Customer when purchasing the Density Products (the “Payment Method”) and Customer agrees to make payment using such Payment Method(s). Density may, from time to time, receive and use updated payment method information provided by Customer or that financial institutions or payment processors may provide to Density to update information related to the Payment Method(s), such as updated expiration dates or account numbers. Certain Payment Methods, such as credit cards and debit cards, may involve agreements between Customer and the financial institution, credit card issuer or other provider of the chosen Payment Methods (the “Payment Method Provider”). If Density does not receive payment from the Payment Method Provider, Customer agrees to directly pay all amounts due upon demand from Density. Customer’s non-termination or continued use of the Density Subscriptions reaffirms that Density is authorized to charge the Payment Method for each renewal Subscription Term.
4.3 Current Information Required. Customer agrees to provide current, complete and accurate billing information and agrees to promptly update all such information (such as changes in billing address, credit card number or credit card expiration date) as necessary for the processing of all payments that are due to Density. Customer agrees to promptly notify Density if the selected Payment Method is canceled (for example, due to loss or theft) or if Customer becomes aware of a potential breach of security related to any Payment Method. If Customer fails to provide any of the foregoing information, Customer acknowledges that its current Payment Method may continue to be charged for Density Products and it remains responsible for all such charges.
4.4 Payment Matters. If the Payment Method fails or Customer’s account is past due, Density reserves the right to withhold shipment of Density Hardware and to either suspend or terminate Customer’s use of the Density Subscriptions. Customer agrees to submit any disputes regarding any charge to its account in writing to Density within 60 days of such charge, otherwise such dispute will be waived and such charge will be final and not subject to challenge. Customer agrees to reimburse Density for all collection costs. Density reserves the right to charge Customer interest at a rate of 1.5% per month on any overdue amounts, or the maximum rate permitted by applicable law, whichever is lower. All fees and charges are nonrefundable and there are no refunds or credits for shipped Density Hardware or any partially used Subscription Terms except (a) as expressly set forth in this Agreement or a separate written agreement between Density and Customer; (b) as otherwise required by applicable law; or (c) at Density’s sole and absolute discretion. All prices for Density Products are subject to change without notice.
5. TERM AND TERMINATION
5.1 Termination by Customer. Customer may return the Density Hardware (and cancel the Density Subscriptions) within 30 days of the order date and receive a full refund of the price paid for the Density Hardware and fees paid for the Density Subscriptions. Customer must contact Density and receive cancellation and return shipping information for cancellation to be effective.
5.2 Termination for Cause. If either party fails to perform any of its material obligations under this Agreement, the other party may terminate this Agreement by giving 30 days prior written notice if the matters set forth in such notice are not cured to the other party’s reasonable satisfaction within the 30-day period.
5.3 No Liability for Termination. Except as expressly required by law, if either party terminates this Agreement in accordance with any of the provisions of this Agreement, neither party will be liable to the other because of such termination for compensation, reimbursement, or damages on account of the loss of prospective profits or anticipated sales or on account of expenditures, inventory, investments, leases, or commitments in connection with the business or goodwill of Density or Customer. Termination will not, however, relieve either party of obligations incurred prior to the effective date of the termination.
5.4 Effects of Termination. In addition, the following provisions will survive any expiration or termination of this Agreement: Sections 2.4, 2.5, 4, 5.3, 5.4, 6, 7.2, and 8 through 11 and 13. The termination or expiration of this Agreement will not relieve Customer of the obligation to pay any amounts that are due to Density under this Agreement.
6. PROPRIETARY RIGHTS AND NOTICES
6.1 Proprietary Rights. Density and its licensors own all right, title, and interest, including all intellectual property rights, in and to the Density Products. Customer will not act to jeopardize, limit, or interfere in any manner with Density’s ownership of and rights with respect to the Density Products. Customer will have only those rights in or to the Density Products and documentation granted to it pursuant to this Agreement.
6.2 General Restrictions. Except as otherwise explicitly provided in this Agreement or as may be expressly permitted by applicable law, Customer will not, and will not permit or authorize third parties to: (a) reproduce, modify, translate, enhance, create derivative works of, decompile, disassemble, reverse engineer, or otherwise attempt to discover the source code or underlying ideas or algorithms of any portion of any Density Products; (b) remove software from equipment on which it is preloaded; (c) modify or attempt to service or repair the Density Hardware; nor (d) circumvent or disable any technological features or measures in the Density Products, including security features. Customer shall take reasonable measures to prevent the Density Products from being stolen or accessed without authorization and to prevent third parties from carrying out the restricted activities set forth in this Section 6.2.
6.3 Customer Data. Customer will own all right, title, and interest in and to any data collected by Density Hardware used by Customer, including any such data processed in connection with Density Subscriptions (“Customer Data”). Customer hereby grants to Density a nonexclusive, worldwide, royalty-free, fully paid right and license to the Customer Data for the Subscription Term of any Density Subscriptions to the extent necessary for Density to provide the services in connection with the Density Subscriptions. Customer hereby grants to Density a nonexclusive, worldwide, perpetual, royalty-free, fully paid right and license to the Customer Data (i) for Density’s internal use only for research and development purposes and to improve Density’s products and services, and (ii) in aggregate, anonymized format, so long as Density does not disclose Customer as the source of the data.
6.4 Proprietary Rights Notices. Customer and its employees and agents will not remove or alter any trademark, trade name, copyright, patent, patent pending, or other proprietary notices, legends, symbols, or labels appearing on the Density Products or related documentation delivered by Density.
6.5 Third Party Copyright Notices. The Density Products include third-party code licensed to Density for use and redistribution under open-source licenses (“Third Party Software”). The terms of certain open-source licenses may be applicable to Customer’s use of the Density Products, as set forth in the applicable open-source license. A list of disclosures and disclaimers in connection with Density’s incorporation of certain open-source licensed software into the Density Products is provided upon request.
7. WARRANTY; WARRANTY DISCLAIMER
7.1 Warranty. Density warrants that the Density Hardware shall be and shall remain free from defects in design, material and workmanship for a period ending five (5) years from the date of shipment if Customer maintains an active subscription to the Density Subscriptions during this period (the “Warranty Period”). If Customer’s subscription to the Density Subscriptions terminates earlier, then the Warranty Period will also terminate as of the same date. This warranty does not cover defects or malfunction caused by neglect, misuse, abuse, vandalism or accident; installation or use in an improper environment; or failure to follow installation, maintenance or operating instructions. Also, this warranty will not apply to damage caused by unauthorized alteration, modification or repair of the Density Hardware. This warranty applies only to the original purchaser and is non-transferable.
7.2 If during the Warranty Period any Density Hardware fails, is nonoperational, or is otherwise found faulty due to a breach of this warranty, Customer may submit a request to Density for replacement Density Hardware, which must be received before the end of the Warranty Period. Density will evaluate any such request, and if Density determines in its sole discretion that the Density Hardware is faulty due to a breach of this warranty, Density will replace the Density Hardware. Customer will return any faulty Density Hardware to Density upon Density’s request, but in no event later than 30 days after receipt of replacement Density Hardware. Replacement of the Density Hardware is Customer’s sole remedy, and Density’s sole liability, for any breach of this warranty.
7.3 Warranty Disclaimer. OTHER THAN AS SET FORTH IN THIS AGREEMENT, DENSITY MAKES NO ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, AS TO ANY MATTER WHATSOEVER. DENSITY EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, ACCURACY, AND TITLE. DENSITY DOES NOT WARRANT AGAINST INTERFERENCE WITH THE ENJOYMENT OF THE DENSITY PRODUCTS OR AGAINST INFRINGEMENT. DENSITY DOES NOT WARRANT THAT THE DENSITY PRODUCTS ARE ERROR-FREE OR THAT OPERATION OF THE DENSITY PRODUCTS WILL BE SECURE OR UNINTERRUPTED. DENSITY EXERCISES NO CONTROL OVER AND EXPRESSLY DISCLAIMS ANY LIABILITY ARISING OUT OF OR BASED ON A CUSTOMER’S USE OF THE DENSITY PRODUCTS. DENSITY PRODUCTS ARE NOT DESIGNED, OR INTENDED FOR USE IN ANY MEDICAL, LIFE SAVING OR LIFE SUSTAINING SYSTEMS, OR FOR ANY OTHER MISSION CRITICAL APPLICATION IN WHICH THE FAILURE OF THE DENSITY PRODUCTS COULD CREATE A SITUATION WHERE SUBSTANTIAL PROPERTY DAMAGE OR PERSONAL INJURY OR DEATH MAY OCCUR. DENSITY RECOMMENDS AGAINST, AND DISCLAIMS ANY LIABILITY FOR, USE OF THE DENSITY PRODUCTS IN ANY SUCH MANNER.
8. INFRINGEMENT INDEMNIFICATION
8.1 Defense of Claims. Density will, at its option and expense, defend Customer and its officers, employees, directors, agents, and representatives (“Customer Indemnified Parties”) from or settle any claim, proceeding, or suit (“Claim”) brought by a third party against a Customer Indemnified Party alleging that Customer’s use of the Density Product (excluding Third Party Software) infringes or misappropriates any United States patent, copyright, trade secret, trademark, or other intellectual property right if: (a) the Customer Indemnified Party gives Density prompt written notice of the Claim; (b) Density has full and complete control over the defense and settlement of such Claim; (c) the Customer Indemnified Parties provide assistance, at Density’s expense as specified in Section 8.2, in connection with the defense and settlement of such Claim as Density may reasonably request; and (d) the Customer Indemnified Parties comply with any settlement or court order made in connection with such Claim (e.g., relating to the future use, sale, or distribution of any infringing Density Products). The Customer Indemnified Parties will not defend or settle any such Claim without Density’s prior written consent. The applicable Customer Indemnified Party shall have the right to participate in the defense of such Claim at its own expense and with counsel of its own choosing, but Density will have sole control over the defense and settlement of the Claim.
8.2 Indemnification. Density will indemnify the Customer Indemnified Parties against and pay (a) all damages, costs, and attorneys’ fees finally awarded against a Customer Indemnified Party in any Claim under Section 8.1; (b) all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by any of them in connection with the defense of such Claim, including assistance provided under Section 8.1(c) (other than attorneys’ fees and costs incurred without Density’s consent after Density has accepted defense of such claim); and (c) if any Claim arising under Section 8.1 is settled, all amounts to be paid to any third party in settlement of any such Claim (as agreed to by Density).
8.3 Mitigation. If Customer’s or their respective agents’ use, sale, or distribution of a Density Product is, or in Density’s reasonable opinion is likely to become, enjoined or materially diminished as a result of a Claim under Section 8.1, then Density will either: (a) procure the continuing right of Customer to use the Density Product; (b) replace or modify the Density Product in a functionally equivalent manner while maintaining the same form, fit, and function so that it no longer infringes; or if, despite its commercially reasonable efforts, Density is unable to do either (a) or (b), Density will (c) terminate Customer’s rights to the Density Products under this Agreement and Customer will return all Density Hardware for a prorated refund by Density of prepaid fees covering the remainder of the term of this Agreement.
8.4 Exceptions. Density will have no obligation under this Section 8 for any alleged infringement or misappropriation to the extent that it arises out of or is based upon (a) use of a Density Product in combination with other products, including other Density Products, if such alleged infringement or misappropriation would not have arisen but for such combination; (b) a Density Product that is provided to comply with designs, requirements, or specifications required by or provided by Customer, if the alleged infringement or misappropriation would not have arisen but for the compliance with such designs, requirements, or specifications; (c) use of a Density Product for purposes not intended; (c) use of Density Products after Customer has been notified of any termination of its right to use the Density Products pursuant to Section 8.3(c); (e) Customer’s failure to use a Density Product in accordance with instructions provided by Density, if the alleged infringement or misappropriation would not have occurred but for such failure; or (f) any modification of a Density Product not made or authorized in writing by Density where such alleged infringement or misappropriation would not have occurred absent such modification. Customer is responsible for any costs or damages that result from these actions.
8.5 Exclusive Remedy. This Section 8 states Density’s sole and exclusive liability, and Customer’s sole and exclusive remedy, for the actual or alleged infringement or misappropriation of any third party intellectual property right by a Density Product.
9. CUSTOMER INDEMNIFICATION
9.1 Defense of Claims. Customer will defend Density and its affiliates and their employees, directors, agents, and representatives (“Density Indemnified Parties”) from any actual or threatened third party claim arising out of or based upon Customer’s performance or failure to perform under this Agreement, its negligence or willful misconduct, or its breach of this Agreement. The Density Indemnified Parties will: (a) give Customer prompt written notice of the claim; (b) grant Customer full and complete control over the defense and settlement of the claim; and (c) assist Customer with the defense and settlement of the claim as Customer may reasonably request.
9.2 Indemnification. Customer will indemnify each of the Density Indemnified Parties against (a) all damages, costs, and attorneys’ fees finally awarded against any of them in any proceeding under Section 9.1; (b) all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by any of them in connection with the defense of such proceeding (other than attorneys’ fees and costs incurred without Customer’s consent after Customer has accepted defense of such claim); and, (c) if any proceeding arising under Section 9.1 is settled, Customer will pay any amounts to any third party agreed to by Customer in settlement of any such claims.
10. CONFIDENTIAL INFORMATION
10.1 “Confidential Information” means any trade secrets or other information of a party, whether of a technical, business, or other nature (including information relating to a party’s technology, software, products, services, designs, methodologies, business plans, finances, marketing plans, distributors, prospects, or other affairs), that is disclosed to a party during the term of this Agreement. The Density Products and related information will be the Confidential Information of Density. Confidential Information does not include any information that: (a) was known to the receiving party prior to receiving the same from the disclosing party in connection with this Agreement; (b) is independently developed by the receiving party without use of or reference to the Confidential Information of the disclosing party; (c) is acquired by the receiving party from another source without restriction as to use or disclosure; or (d) is or becomes part of the public domain through no fault or action of the receiving party.
10.2 Nondisclosure. During and after the term of this Agreement, each party will: (a) not disclose the other party’s Confidential Information to a third party unless the third party must access the Confidential Information to perform in accordance with this Agreement and the third party has executed a written agreement that contains terms that are substantially similar to the terms contained in this Section 10; and (b) protect the other party’s Confidential Information from unauthorized disclosure to the same extent (but using no less than a reasonable degree of care) that it protects its own Confidential Information of a similar nature.
10.3 Confidentiality of Agreement. Neither party to this Agreement will disclose the terms of this Agreement to any third party without the consent of the other party, except as required by securities or other applicable laws. Notwithstanding the above provisions, each party may disclose the terms of this Agreement (a) in connection with the requirements of a public offering or securities filing; (b) in confidence, to accountants, banks, and financing sources and their advisors; (c) in confidence, in connection with the enforcement of this Agreement or rights under this Agreement; or (d) in confidence, in connection with a merger or acquisition or proposed merger or acquisition, or the like.
10.4 Return of Materials. Upon the termination or expiration of this Agreement, or upon earlier request, each party will deliver to the other all Confidential Information that it may have in its possession or control. Notwithstanding the foregoing, neither party will be required to return materials that it must retain in order to receive the benefits of this Agreement or properly perform in accordance with this Agreement.
10.5 Existing Obligations. The obligations in this Section 10 are in addition to, and supplement, each party’s obligations of confidentiality under any nondisclosure or other agreement between the parties.
11. LIMITATION OF LIABILITY
11.1 Disclaimer of Consequential Damages. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS AGREEMENT, DENSITY WILL NOT, UNDER ANY CIRCUMSTANCES, BE LIABLE TO CUSTOMER FOR CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATED TO THE TRANSACTION CONTEMPLATED UNDER THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOST PROFITS OR LOSS OF BUSINESS, EVEN IF DENSITY IS APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING.
11.2 Cap on Liability. UNDER NO CIRCUMSTANCES WILL DENSITY’S TOTAL LIABILITY OF ALL KINDS ARISING OUT OF OR RELATED TO THIS AGREEMENT (INCLUDING BUT NOT LIMITED TO WARRANTY CLAIMS), REGARDLESS OF THE FORUM AND REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON CONTRACT, TORT, OR OTHERWISE, EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER (OR PAID BY THE APPLICABLE CHANNEL PARTNER FOR CUSTOMER’S PURCHASES) TO DENSITY UNDER THIS AGREEMENT.
11.3 Independent Allocations of Risk. EACH PROVISION OF THIS AGREEMENT THAT PROVIDES FOR A LIMITATION OF LIABLITY, DISCLAIMER OF WARRANTIES, OR EXCLUSION OF DAMAGES IS TO ALLOCATE THE RISKS OF THIS AGREEMENT BETWEEN THE PARTIES. THIS ALLOCATION IS REFLECTED IN THE PRICING OFFERED BY DENSITY TO CUSTOMER AND IS AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. EACH OF THESE PROVISIONS IS SEVERABLE AND INDEPENDENT OF ALL OTHER PROVISIONS OF THIS AGREEMENT, AND EACH OF THESE PROVISIONS WILL APPLY EVEN IF THE REMEDIES IN THIS AGREEMENT HAVE FAILED OF THEIR ESSENTIAL PURPOSE.
12. PURCHASE THROUGH CHANNEL PARTNERS
12.1 Applicability. This Section 13 only applies to Customers purchasing Density Products through a Channel Partner. If Customer is uncertain as to the applicability of this section to its purchase of Density Products, Customer should contact Density for further information.
12.2 Channel Partners. If Customer acquired the Density Products from a Channel Partner, then this Agreement is not exclusive of any rights Customer obtains under the Channel Partner Sale Agreement; however, if there is any conflict between the provisions of this Agreement and the Channel Partner Sale Agreement, then the provisions of this Agreement prevail. If a Channel Partner has granted Customer any rights that Density does not also directly grant to Customer in this Agreement, or that conflict with this Agreement, then Customer’s sole recourse with respect to such rights is against the Channel Partner.
12.3 Purchase, Term and Renewal. If Customer ordered the Density Products through a Channel Partner, then (a) the Channel Partner and not Density is the selling entity, and conflicting provisions in Sections 2 and 3 that are specific only to sales by Density do not apply; (b) with regard to Sections 3.1 and 4.1, the Subscription Term will begin on the subscription start date specified in Customer’s order with the Chanel Partner and, subject to the remainder of this Agreement, the Subscription Term will expire, renew and terminate in accordance with the terms of the Channel Partner Sale Agreement.
12.4 Fees and Payment; Renewal. If Customer ordered the Density Products through a Channel Partner, then the payment-related provisions of Section 4 do not apply to Customer, and Customer’s billing and payment rights and obligations are governed by the Channel Partner Sale Agreement. However, if the Channel Partner from whom Customer purchased the Density Products fails to pay Density any amounts due in connection with Customer’s purchase and use of the Density Products, then Density may suspend Customer’s rights to use the Density Subscriptions without liability, upon notice to Customer. Customer agrees that Customer’s remedy in the event of such suspension is solely against the Channel Partner.
13.1 Marketing. Customer agrees Density may publicly use Customer’s logo and name to identify Customer as a customer of Density.
13.2 Export Restrictions. Customer will not resell or otherwise distribute the Density Products in any foreign territory where applicable laws would not provide the protections to Density and the Density Products intended under this Agreement, or where there is a significant risk that the Density Products would fall into the public domain. Customer will not directly or indirectly import, export, or re-export the Density Products outside the United States without obtaining all permits and licenses as may be required by, and conforming with, all applicable laws and regulations of the governments of the United States and the foreign territory.
13.3 Independent Contractors. The relationship of the parties established by this Agreement is that of independent contractors, and nothing contained in this Agreement should be construed to give either party the power to (a) act as an agent or (b) direct or control the day-to-day activities of the other. Financial and other obligations associated with each party’s business are the sole responsibility of that party.
13.4 Assignability. Customer may not assign its right, duties, or obligations under this Agreement without Density’s prior written consent. As used in this Section 13.4, “assign” includes undergoing any direct or indirect change in control, whether via a merger, acquisition, or sale of all or substantially all assets of Customer. If consent is given, this Agreement will bind Customer’s successors and assigns. Any attempt by Customer to transfer its rights, duties, or obligations under this Agreement except as expressly provided in this Agreement is void.
13.5 Nonsolicitation. During the term of this Agreement and for a period of one year thereafter, Customer will not, directly or indirectly, employ or solicit the employment or services of a Density employee or independent contractor without the prior written consent of Density.
13.6 Notices. Any notice required or permitted to be given in accordance with this Agreement will be effective if it is in writing and sent by certified or registered mail, or insured courier, return receipt requested, to the appropriate party at the address set forth in the Order Form and with the appropriate postage affixed. Density may also be contacted at the email address listed in the Order Form. Either party may change its address for receipt of notice by notice to the other party in accordance with this Section. Notices are deemed given two business days following the date of mailing or one business day following delivery to a courier.
13.7 Force Majeure. Density will not be liable for, or be considered to be in breach of or default under this Agreement on account of, any delay or failure to perform as required by this Agreement as a result of any cause or condition beyond Density’s reasonable control, so long as Density uses commercially reasonable efforts to avoid or remove such causes of non-performance.
13.8 Foreign Corrupt Practices Act. In conformity with the United States Foreign Corrupt Practices Act and with Density’s corporate policies regarding foreign business practices, Customer and its employees and agents shall not directly or indirectly make and offer, payment, promise to pay, or authorize payment, or offer a gift, promise to give, or authorize the giving of anything of value for the purpose of influencing an act or decision of an official of any government, including the United States Government (including a decision not to act) or inducing such a person to use his influence to affect any such governmental act or decision in order to assist Density in obtaining, retaining, or directing any such business.
13.9 Governing Law. This Agreement will be interpreted, construed, and enforced in all respects in accordance with the local laws of the State of California, U.S.A without reference to its choice of law rules and not including the provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods.
13.10 Arbitration. The parties agree to resolve all disputes arising under or in connection with this Agreement through binding arbitration. The arbitration will be held in San Francisco County, California, USA. If Customer is an entity incorporated or formed under the state or federal laws of the United States of America, the arbitration will be conducted in accordance with the applicable rules of the American Arbitration Association (“AAA”). If Customer is an entity incorporated or formed under the laws of a foreign jurisdiction, the arbitration will be conducted in accordance with the International Chamber of Commerce (“ICC”) Rules of Arbitration. If there is a dispute between the parties under this Agreement, the parties will use good faith efforts to agree upon and appoint one arbitrator no later than 20 days after the notice of arbitration is received from the other party. If the parties do not agree on an arbitrator, the arbitrator will be selected in accordance with the applicable rules of the AAA or ICC (as applicable) for the appointment of an arbitrator. The selection of an arbitrator under the rules of the AAA or ICC will be final and binding on the parties. The arbitrator must be independent of the parties. The arbitrator will conduct the arbitration in accordance with the applicable rules of the AAA or ICC (as applicable). The arbitrator will limit discovery as reasonably practicable to complete the arbitration as soon as practicable. The arbitrator’s decision will be final and binding on both parties. The costs and expenses of the arbitration will be shared equally by both parties. This Section 13.10 will not prohibit either party from seeking injunctive relief in a court of competent jurisdiction.
13.11 Waiver. The waiver by either party of any breach of any provision of this Agreement does not waive any other breach. The failure of any party to insist on strict performance of any covenant or obligation in accordance with this Agreement will not be a waiver of such party’s right to demand strict compliance in the future, nor will the same be construed as a novation of this Agreement.
13.12 Severability. If any part of this Agreement is found to be illegal, unenforceable, or invalid, the remaining portions of this Agreement will remain in full force and effect. If any material limitation or restriction on the grant of any rights to Customer under this Agreement is found to be illegal, unenforceable, or invalid, the right granted will immediately terminate.
13.13 Interpretation. The headings appearing at the beginning of several sections contained in this Agreement have been inserted for identification and reference purposes only and must not be used to construe or interpret this Agreement. Whenever required by context, a singular number will include the plural, the plural number will include the singular, and the gender of any pronoun will include all genders. Whenever the words “include”, “includes” or “including” are used in this Agreement, they will be deemed to be followed by the words “without limitation.” The word “or” is used in the inclusive sense of “and/or.” The terms “or,” “any” and “either” are not exclusive.
13.14 Entire Agreement. This Agreement is the final and complete expression of the agreement between these parties regarding the Density Products. This Agreement supersedes, and the terms of this Agreement govern, all previous oral and written communications regarding these matters, all of which are merged into this Agreement. No employee, agent, or other representative of Density has any authority to bind Density with respect to any statement, representation, warranty, or other expression unless the same is specifically set forth in this Agreement. No usage of trade or other regular practice or method of dealing between the parties will be used to modify, interpret, supplement, or alter the terms of this Agreement.
13.15 Updates to this Agreement. From time to time, Density may change, modify, add, or remove portions of this Agreement (each an “Update”), and reserves the right to do so in its sole discretion. If Density Updates this Agreement, it will make the Updated Agreement available here, and the Updated Agreement will indicate the date of the latest revision. Customer is encouraged to review this Agreement periodically for changes. In the event that Updates to this Agreement materially alter Customer’s rights or obligations hereunder, Density will make reasonable efforts to notify Customer of the Updates. For example, Density may send a message to Customer’s email address that is currently associated with its Density account or generate a pop-up or similar notification when Customer accesses its Density account for the first time after such material changes are made. All Updated Agreements automatically take effect 30 days after they are posted, except that (i) disputes between Customer and Density will be governed by the version of this Agreement that was in effect on the date the dispute arose and (ii) unless specifically agreed otherwise, if Customer does not agree with any changes to this Agreement, Customer may terminate this Agreement as set forth above. Customer’s continued access to or use of the Services after an Updated Agreement has become effective indicates that Customer has read, understood and agreed to the current version of this Agreement.
Data Processing Agreement
Last Updated: January 29, 2019
This Data Processing Agreement (“DPA”), which includes the Standard Contractual Clauses adopted by the European Commission, as applicable, reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Density Master Subscription Agreement or other written agreement referencing this DPA (the “Agreement”) between Density Inc. (“Density ”) and the customer that is party to the Agreement (“Customer”). This DPA is incorporated into and made a part of the Agreement. Please contact us at email@example.com if you need a signed copy of this DPA for your records.
We periodically update this DPA. If you have an active Density subscription, we will let you know when we do via an email or in-app notification.
The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
THIS DPA INCLUDES:
(i) Standard Contractual Clauses, attached hereto as Exhibit 1.
(a) Appendix 1 to the Standard Contractual Clauses, which includes specifics on the Personal Data transferred by the data exporter to the data importer.
(b) Appendix 2 to the Standard Contractual Clauses, which includes a description of the technical and organizational security measures implemented by the data importer as referenced.
(ii) The list of current Density Sub-Processors, attached hereto as Exhibit 2.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the GDPR and all local laws and regulations which amend or replace any of them, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.
“Data Subject” means the individual to whom Personal Data relates.
“Density Products” means that Density hardware and associated services provided by Density to Customer under the Agreement.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the clauses attached hereto as Exhibit 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-Processor” means a Processor engaged by Density to Process Personal Data.
2. Details of the Processing
a. Categories of Data Subjects. Customer’s contacts and other end users authorized by Customer to use the Density Products including Customer’s employees and contractors, and employees and visitors to Customer’s offices.
b. Types of Personal Data. Identification and contact data (name, email, title, contact information etc.); employment details (employer, employee ID, job title, department, etc.); usage-related data for the Density Products and the systems used to provide and support the Density Products; and other electronic data submitted, stored, sent, or received by the Density Products.
c. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Data by Processor is the provision of the Density Products to the Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement and any applicable Order Form or Statement of Work.
d. Purpose of the Processing. Personal Data will be Processed for purposes of providing the Density Products set out and otherwise agreed to in the Agreement and any applicable Order Form or Statement of Work.
e. Duration of the Processing. Personal Data will be Processed for the duration of the Agreement, subject to Section 4 of this DPA.
3. Customer Responsibility
The parties acknowledge and agree that Customer is the Controller of Personal Data, and Density is the Processor of the Personal Data. Within the scope of the Agreement and in its use of the Density Products, Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Processor and the Processing of Personal Data. Controller shall inform Processor comprehensively and without undue delay about any errors or irregularities related to statutory provisions on the Processing of Personal Data.
4. Obligations of Processor
a. Compliance with Instructions. Processor shall collect, process and use Personal Data only within the scope of Controller’s Instructions. Controller’s instructions are documented in this DPA, the Agreement, and any applicable Order Form. Controller may reasonably issue additional Instructions as required to comply with Data Protection Law. Processor may charge a reasonable fee to comply with any additional Instructions.
If Processor believes that an Instruction of the Controller infringes the Data Protection Law, it shall promptly inform the Controller without delay. Unless prohibited by applicable law, Processor will inform Controller if Processor is subject to a legal obligation that requires Processor to Process Controller Personal Data in contravention of the Instructions; and (ii) may cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Controller issues new Instructions with which Processor is able to comply. If this provision is invoked, Processor will not be liable to the Controller under the Agreement for any failure to perform the applicable Density Products until such time as the Controller issues new instructions in regard to the Processing.
b. Security. Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Appendix 2 to the Standard Contractual Clauses. Upon Controller’s request, Processor shall provide a current Personal Data protection and security program relating to the Processing hereunder.
Processor will facilitate Controller’s compliance with the Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by (i) implementing and maintaining the security measures described under Appendix 2, (ii) complying with the terms of Section 4(d) (Personal Data Breaches); and (iii) providing the Controller with information in relation to the Processing in accordance with Section 5 (Audits).
c. Confidentiality. Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities.
d. Personal Data Breaches. Processor will notify the Controller as soon as reasonably practicable after it becomes aware of any Personal Data Breach affecting any Personal Data. At the Controller’s request, Processor will provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law.
e. Data Subject Requests. Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Processor, Processor will inform Controller and will advise Data Subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any Data Subjects’ requests.
To the extent that Controller does not have the ability to address a Data Subject request, then upon Controller’s request Processor shall provide reasonable assistance to the Controller to facilitate such Data Subject request to the extent able and only as required by applicable Data Protection Law. Controller shall reimburse Processor for the commercially reasonable costs arising from this assistance.
f. Deletion or Retrieval of Personal Data. Other than to the extent required to comply with Data Protection Law, following termination or expiration of the Agreement, Processor will delete or return all Personal Data (including copies thereof) processed pursuant to this DPA. If Processor is unable to delete Personal Data for technical or other reasons, Processor will apply measures to ensure that Personal Data is blocked from any further Processing.
Controller shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period of time set by Processor, the reasonable measures to return data or to delete stored data. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement shall be borne by Controller.
g. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is available to Processor and the Controller does not otherwise have access to the required information, Processor will provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the processing of Personal Data.
Processor shall, in accordance with Data Protection Laws and in response to a reasonable written request by Controller, make available to Controller such information in Processor’s possession or control related to Processor’s compliance with the obligations of data processors under Data Protection Law in relation to its Processing of Personal Data.
Controller may, upon written request and at least 30 days’ notice to Processor, during regular business hours and without interrupting Processor’s business operations, conduct an inspection of Processor’s business operations or have the same conducted by a qualified third party auditor subject to Processor’s approval, which shall not be unreasonably withheld.
Processor shall, upon Controller’s written request and on at least 30 days’ notice to the Processor, provide Controller with all information necessary for such audit, to the extent that such information is within Processor’s control and Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
Controller hereby authorizes Processor to engage Sub-Processors. A list of Processor’s current Sub-Processors is included in Exhibit 2. For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the sub-Processing by Processor for purposes of Clause 11 of the Standard Contractual Clauses. Processor will enter into a written agreement with Subprocessors which imposes on the Sub-Processor data protection obligations to the standard required by Data Protection law. Processor will notify Controller prior to any intended change to Sub-Processors. Controller may object to the addition of a Sub-Processor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Processor’s notification of the intended change. Controller and Processor will work together in good faith to address Controller’s objection. If Processor chooses to retain the Sub-Processor over Controller’s objection, Processor will inform Controller at least thirty (30) days before authorizing the Sub-Processor to Process Personal Data, and Controller may immediately discontinue using the relevant parts of Density Products, and may terminate the relevant parts of Density Products within thirty (30) days.
7. Data Transfers
Controller acknowledges and agrees that, in connection with the performance of the Density Products under the Agreement, Personal Data will be transferred to Density in the United States. The Standard Contractual Clauses attached hereto as Exhibit 1 will apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to the United States or any other country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Law).
8. Privacy by Design
Controller understands and agrees that one of the key features of Density Products is to measure occupancy in a privacy-friendly manner. Controller will not use Density Products to track individual Data Subjects nor instruct Processor to assist Controller in identifying or tracking individual Data Subjects. Processor will not comply with such instruction unless Controller confirms in writing that the instruction is required by applicable law. Controller will defend and indemnify Processor from and against every claim, liability, damage, loss, and expense, including reasonable attorneys’ fees and costs, arising out of or in any way connected with Controller’s use of the Density Products to track individual Data Subjects.
9. General Provisions
With respect to updates and changes to this DPA, the terms that apply in the “Changes to Agreement” and “General” subsections in the Agreement shall apply. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
Upon the incorporation of this DPA into the Agreement, the parties to this DPA are agreeing to the Standard Contractual Clauses (where and as applicable) and all appendixes attached thereto. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses in Exhibit 1, the Standard Contractual Clauses shall prevail, provided however: (a) Controller may exercise its right of audit under clause 5(f) of the Standard Contractual Clauses as set out in, and subject to the requirements of, Section 5 of this DPA; and (b) Processor may appoint Sub-Processors as set out, and subject to the requirements of, Section 6 of this DPA.
Standard Contractual Clauses (Processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,
The Customer according to the Data Processing Agreement to which the Clauses are attached (the “data exporter”)
Density Inc., 369 Sutter St, San Francisco, CA 94108 (the “data importer”),
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data-processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
A. Data exporter
The data exporter is the Customer according to the Data Processing Agreement to which the Clauses are attached.
B. Data importer
The data importer is Density Inc., a provider of an online business performance management tool.
C. Data subjects
Categories of data subjects set out under Section 2 of the Data Processing Agreement to which the Clauses are attached.
D. Categories of data
Categories of personal data set out under Section 2 of the Data Processing Agreement to which the Clauses are attached.
E. Special categories of data (if appropriate)
The parties do not anticipate the transfer of special categories of data.
F. Processing operations
The processing activities set out under Section 2 of the Data Processing Agreement to which the Clauses are attached:
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Density currently observes the security practices described in this Appendix 2. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, Density may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Density Terms of Service.
Vendor will implement the following types of security measures:
- Physical access control
Technical and organizational measures designed to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are processed, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (badge readers);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff, janitors;
- Surveillance facilities, video/CCTV monitor, alarm system;
- Securing decentralized data processing equipment and personal computers.
- Adherence to principles of least-privilege and time-bound access for authorized personnel;
- Clean Desk policy; and
- WiFi and LAN access policies
- Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, password rotation);
- 2FA and/or equivalent for secure systems;
- Short-lived session expiry;
- Monitoring of break-in-attempts and automatic locking of user accounts upon several erroneous login attempts; and
- Encryption of archived data media.
- Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Personal Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
- Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:
- Limited access to decryption keys
- Encryption / tunneling;
- Logging / regular auditing; and
- Transport security.
- Entry control
Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.
- Control of instructions
Technical and organizational measures to ensure that Personal Data are processed solely in accordance with the instructions of the controller include:
- Unambiguous wording of the contract:
- Formal commissioning; and
- Criteria for selecting processors
- Availability control
Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include:
- Backup procedures;
- Uninterruptible power supply (UPS);
- Remote storage;
- Multi-region availability;
- Antivirus / firewall systems; and
- Disaster recovery plan.
- Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be processed separately include:
- Separation of databases;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.
- Amazon Web Services
- Google Analytics