Terms
Effective: October 5th, 2023
Terms of Service
Last Updated: January 27th, 2025
Please read these Terms of Service (the “Agreement”) carefully. Your use of the Site (as defined below) constitutes your consent to this Agreement.
This Agreement is between you and Tomato.ai, Inc. (“Company” or “we” or “us”) concerning your use of (including any access to) the Tomato.ai site currently located at https://tomato.ai and https://app.tomato.ai (together with any materials and services available therein, and successor site(s) thereto, the “Site”). This Agreement hereby incorporates by this reference any additional terms and conditions posted by Company through the Site, or otherwise made available to you by Company.
By using the Site, you affirm that you are of legal age to enter into this Agreement.
If you are an individual accessing or using the Site on behalf of, or for the benefit of, any corporation, partnership or other entity with which you are associated (an “Organization”), then you are agreeing to this Agreement on behalf of yourself and such Organization, and you represent and warrant that you have the legal authority to bind such Organization to this Agreement. References to “you” and “your” in this Agreement will refer to both the individual using the Site and to any such Organization.
1. Changes
We may change this Agreement from time to time by notifying you of such changes by any reasonable means, including by posting a revised Agreement through the Site. Any such changes will not apply to any dispute between you and us arising prior to the date on which we posted the revised Agreement incorporating such changes, or otherwise notified you of such changes.
Your use of the Site following any changes to this Agreement will constitute your acceptance of such changes. The “Last Updated” legend above indicates when this Agreement was last changed. We may, at any time and without liability, modify or discontinue all or part of the Site (including access to the Site via any third-party links); charge, modify or waive any fees required to use the Site; or offer opportunities to some or all Site users.
2. Information Submitted
Your submission of information through the Site is governed by Company’s Privacy Policy, located at www.tomato.ai/privacy/ (the “Privacy Policy”). You represent and warrant that any information you provide in connection with the Site is and will remain accurate and complete, and that you will maintain and update such information as needed.
3. Jurisdictional Issues
The Site is controlled or operated (or both) from the United States, and is not intended to subject Company to any non-U.S. jurisdiction or law. The Site may not be appropriate or available for use in some non-U.S. jurisdictions. Any use of the Site is at your own risk, and you must comply with all applicable laws, rules and regulations in doing so, including without limitation any requirements to provide notice and/or obtain consent of individuals whose Personal Data (as defined in Attachment 1) may be Processed (as defined in Attachment 1) in connection with your use of the Site, as may be required by laws governing the Processing of Personal Data, or laws governing interception or recording of communications. We may limit the Site’s availability at any time, in whole or in part, to any person, geographic area or jurisdiction that we choose.
4. Rules of Conduct
In connection with the Site, you must not:
- Post, transmit or otherwise make available through or in connection with the Site any materials that are or may be: (a) threatening, harassing, degrading, hateful or intimidating, or otherwise fail to respect the rights and dignity of others; (b) defamatory, libelous, fraudulent or otherwise tortious; (c) obscene, indecent, pornographic or otherwise objectionable; or (d) protected by copyright, trademark, trade secret, right of publicity or privacy or any other proprietary right, without the express prior written consent of the applicable owner.
- Post, transmit or otherwise make available through or in connection with the Site any virus, worm, Trojan horse, Easter egg, time bomb, spyware or other computer code, file or program that is or is potentially harmful or invasive or intended to damage or hijack the operation of, or to monitor the use of, any hardware, software or equipment (each, a “Virus”).
- Use the Site for any purpose that is fraudulent or otherwise tortious or unlawful.
- Harvest or collect information about users of the Site.
- Interfere with or disrupt the operation of the Site or the servers or networks used to make the Site available, including by hacking or defacing any portion of the Site; or violate any requirement, procedure or policy of such servers or networks.
- Reproduce, modify, adapt, translate, create derivative works of, sell, rent, lease, loan, timeshare, distribute or otherwise exploit any portion of (or any use of) the Site except as expressly authorized herein, without Company’s express prior written consent.
- Reverse engineer, decompile or disassemble any portion of the Site, except where such restriction is expressly prohibited by applicable law.
- Remove any copyright, trademark or other proprietary rights notice from the Site.
- Frame or mirror any portion of the Site, or otherwise incorporate any portion of the Site into any product or service, without Company’s express prior written consent.
- Systematically download and store Site content.
- Use any robot, spider, site search/retrieval application or other manual or automatic device to retrieve, index, “scrape,” “data mine” or otherwise gather Site content, or reproduce or circumvent the navigational structure or presentation of the Site, without Company’s express prior written consent.
You are responsible for obtaining, maintaining and paying for all hardware and all telecommunications and other services needed to use the Site.
5. Fees
Company offers a subscription model, including a pro plan, tailored to small and medium size companies and an enterprise plan designed for large companies as detailed below. Depending on the plan made available to and selected by you, the following terms apply:
5.1 Pro Plan Subscription.
You, representing a small or medium size company, may sign up for our subscription services to use our Site. Your subscription will continue month-to-month or annually, based on your selection, until terminated. A subscription plan requires you to provide us with one or more Payment Methods. “Payment Methods” means a current, valid, accepted method of payment, as may be updated from time to time, and which may include payment through your account with a third party. Unless you cancel your subscription through our Web Console before your renewal date, which is when your current subscription expires, you authorize us to charge your next term’s subscription to your Payment Method.
5.2 Free Trials.
Your subscription to use the Site may start with a free trial. The free trial period of your subscription lasts for fourteen (14) days, unless the period is modified, which may be changed by the Company at any time in its sole and exclusive discretion, or as otherwise specified during sign-up, and is intended to allow new users and certain former users to try the Site. Free trial eligibility is determined by Company at its sole discretion, and we may limit eligibility or duration to prevent free trial abuse. We reserve the right to revoke the free trial and put your account on hold in the event that we determine that you are not eligible. We may use information such as Payment Method or account email address to determine eligibility. At the same time that you sign up for your free trial subscription, you must select your post-trial license for “Accent Softening” or “Noise Cancellation”. We will charge your Payment Method for your applicable monthly or annual subscription fee at the end of the free trial period unless you cancel your subscription prior to the end of the free trial period.
5.3 Enterprise Plans.
If you select the enterprise plan for use of the Site, you will have access to additional Payment Methods, such as a bank wire. Alternatively, if you are approved for invoicing then you may choose to not provide a Payment Method, and you will receive invoices for offline payment. Payments are to be made according to the payment schedule stated in your invoice, or if no schedule is stated, invoices are payable net thirty (30) days of the invoice date.
5.4 Exclusions.
All prices are exclusive of, and you are solely responsible for, all fees and taxes, including custom duties, importation fees, sales, use, withholding, gross revenue, and like taxes, dues, and charges assessed or incurred in connection with your use of the Site under this Agreement.
6. Registration
User Names and Passwords. You may need to register to use all or part of the Site. We may reject, or require that you change, any user name, password or other information that you provide to us in registering. Your user name and password are for your personal use only and should be kept confidential; you, and not Company, are responsible for any use or misuse of your user name or password, and you must promptly notify us of any confidentiality breach or unauthorized use of your user name or password, or your Site account.
7. Profiles and Forums
Site visitors may make available certain materials (each, a “Submission”) through or in connection with the Site, including on profile pages or on the Site’s interactive services, such as message boards and other forums, and chatting, commenting and other messaging functionality. Company has no control over and is not responsible for any use or misuse (including any distribution) by any third party of Submissions. If you choose to make any of your personally identifiable or other information publicly available through the Site, you do so at your own risk.
8. License
For purposes of clarity, you retain ownership of your Submissions. For each Submission, you hereby grant to us a worldwide, royalty-free, fully paid-up, non-exclusive, perpetual, irrevocable, transferable and fully sublicensable (through multiple tiers) license, without additional consideration to you or any third party, to reproduce, distribute, perform and display (publicly or otherwise), create derivative works of, adapt, modify and otherwise use, analyze and exploit such Submission, in any format or media now known or hereafter developed, and for any purpose (including promotional purposes, such as testimonials).
In addition, if you provide to us any ideas, proposals, suggestions or other materials (“Feedback”), whether related to the Site or otherwise, such Feedback will be deemed a Submission, and you hereby acknowledge and agree that such Feedback is not confidential, and that your provision of such Feedback is gratuitous, unsolicited and without restriction, and does not place Company under any fiduciary or other obligation.
You represent and warrant that you have all rights necessary to grant the licenses granted in this section, and that your Submissions, and your provision thereof through and in connection with the Site, are complete and accurate, and are not fraudulent, tortious or otherwise in violation of any applicable law or any right of any third party. You further irrevocably waive any “moral rights” or other rights with respect to attribution of authorship or integrity of materials regarding each Submission that you may have under any applicable law under any legal theory.
9. Monitoring
We may (but have no obligation to) monitor, evaluate, alter or remove Submissions before or after they appear on the Site, or analyze your access to or use of the Site. We may disclose information regarding your access to and use of the Site, and the circumstances surrounding such access and use, to anyone for any reason or purpose.
10. Your Limited Rights
Subject to your compliance with this Agreement, and solely for so long as you are permitted by Company to use the Site, you may view one (1) copy of any portion of the Site to which we provide you access under this Agreement, on any single device, solely for your personal, non-commercial use.
11. Company’s Proprietary Rights
We and our suppliers own the Site, which is protected by proprietary rights and laws. All trade names, trademarks, service marks and logos on the Site not owned by us are the property of their respective owners. You may not use our trade names, trademarks, service marks or logos in connection with any product or service that is not ours, or in any manner that is likely to cause confusion. Nothing contained on the Site should be construed as granting any right to use any trade names, trademarks, service marks or logos without the express prior written consent of the owner.
12. Third Party Materials; Links
Certain Site functionality may make available access to information, products, services and other materials made available by third parties, including Submissions (“Third Party Materials”), or allow for the routing or transmission of such Third Party Materials, including via links. By using such functionality, you are directing us to access, route and transmit to you the applicable Third Party Materials.
We neither control nor endorse, nor are we responsible for, any Third Party Materials, including the accuracy, validity, timeliness, completeness, reliability, integrity, quality, legality, usefulness or safety of Third Party Materials, or any intellectual property rights therein. Certain Third Party Materials may, among other things, be inaccurate, misleading or deceptive. Nothing in this Agreement shall be deemed to be a representation or warranty by Company with respect to any Third Party Materials. We have no obligation to monitor Third Party Materials, and we may block or disable access to any Third Party Materials (in whole or part) through the Site at any time. In addition, the availability of any Third Party Materials through the Site does not imply our endorsement of, or our affiliation with, any provider of such Third Party Materials, nor does such availability create any legal relationship between you and any such provider.
Your use of Third Party Materials is at your own risk and is subject to any additional terms, conditions and policies applicable to such Third Party Materials (such as terms of service or privacy policies of the providers of such Third Party Materials).
13. Disclaimer of Warranties
To the fullest extent permitted under applicable law: (a) the Site and any Products and Third Party Materials are made available to you on an “As Is,” “Where Is” and “Where Available” basis, without any warranties of any kind, whether express, implied or statutory; and (b) Company disclaims all warranties with respect to the Site and any Products and Third Party Materials, including the warranties of merchantability, fitness for a particular purpose, non-infringement and title. All disclaimers of any kind (including in this section and elsewhere in this Agreement) are made for the benefit of both Company and its affiliates and their respective directors, officers, employees, affiliates, agents, representatives, licensors, suppliers and service providers (collectively, the “Affiliated Entities”), and their respective successors and assigns.
While we try to maintain the timeliness, integrity and security of the Site, we do not guarantee that the Site is or will remain updated, complete, correct or secure, or that access to the Site will be uninterrupted. The Site may include inaccuracies, errors and materials that violate or conflict with this Agreement. Additionally, third parties may make unauthorized alterations to the Site. If you become aware of any such alteration, contact us at www.tomato.ai/contact-us/ with a description of such alteration and its location on the Site.
14. Limitation of Liability
To the fullest extent permitted under applicable law: (a) Company will not be liable for any indirect, incidental, consequential, special, exemplary or punitive damages of any kind, under any contract, tort (including negligence), strict liability or other theory, including damages for loss of profits, use or data, loss of other intangibles, loss of security of Submissions (including unauthorized interception by third parties of any Submissions), even if advised in advance of the possibility of such damages or losses; (b) without limiting the foregoing, Company will not be liable for damages of any kind resulting from your use of or inability to use the Site or from any Products or Third Party Materials, including from any Virus that may be transmitted in connection therewith; (c) your sole and exclusive remedy for dissatisfaction with the Site or any Products or Third Party Materials is to stop using the Site; and (d) the maximum aggregate liability of Company for all damages, losses and causes of action, whether in contract, tort (including negligence) or otherwise, shall be the greater of the total amount, if any, paid by you to Company to use the Site in the past six (6) months or one hundred dollars ($100.00). All limitations of liability of any kind (including in this section and elsewhere in this Agreement) are made for the benefit of both Company and the Affiliated Entities, and their respective successors and assigns.
15. Indemnity
To the fullest extent permitted under applicable law, you agree to defend, indemnify and hold harmless Company and the Affiliated Entities, and their respective successors and assigns, from and against all claims, liabilities, damages, judgments, awards, losses, costs, expenses and fees (including attorneys’ fees) arising out of or relating to (a) your use of, or activities in connection with, the Site (including all Submissions); (b) any violation or alleged violation of this Agreement by you; or (c) any recording of phone calls, wiretapping or any other activities involving the interception or monitoring of communications, whether conducted with or without proper consent or authorization.
16. Termination
This Agreement is effective until terminated. Company may terminate or suspend your use of the Site at any time and without prior notice, for any or no reason, including if Company believes that you have violated or acted inconsistently with the letter or spirit of this Agreement. Upon any such termination or suspension, your right to use the Site will immediately cease, and Company may, without liability to you or any third party, immediately deactivate or delete your user name, password and account, and all associated materials, without any obligation to provide any further access to such materials. Sections 2–9 and 11–19 shall survive any expiration or termination of this Agreement.
17. Governing Law; Jurisdiction
This Agreement is governed by and shall be construed in accordance with the laws of the State of Delaware, U.S.A., without regard to its principles of conflicts of law, and regardless of your location. You agree to exclusive jurisdiction of the federal and state courts located in New Castle County, Delaware, and waive any jurisdictional, venue or inconvenient forum objections to such courts.
18. Copyright Infringement Claims
The Digital Millennium Copyright Act of 1998 (the “DMCA”) provides recourse for copyright owners who believe that material appearing on the Internet infringes their rights under U.S. copyright law. If you believe in good faith that materials available on the Site infringe your copyright, you (or your agent) may send to Company a written notice by mail or e-mail, requesting that Company remove such material or block access to it. If you believe in good faith that someone has wrongly filed a notice of copyright infringement against you, the DMCA permits you to send to Company a counter-notice. Notices and counter-notices must meet the then-current statutory requirements imposed by the DMCA. See http://www.copyright.gov/ for details. Notices and counter-notices must be sent in writing to Ofer Ronen as follows: By mail to Ofer Ronen, 3494 Camino Tassajara #1011, Danville, CA 94506; or by e-mail to support@tomato.ai. Ofer Ronen’s phone number is (415) 294-0303.
19. Miscellaneous
This Agreement does not, and shall not be construed to, create any partnership, joint venture, employer-employee, agency or franchisor-franchisee relationship between you and Company. If any provision of this Agreement is found to be unlawful, void or for any reason unenforceable, that provision will be deemed severable from this Agreement and will not affect the validity and enforceability of any remaining provision. You may not assign, transfer or sublicense any or all of your rights or obligations under this Agreement without our express prior written consent. We may assign, transfer or sublicense any or all of our rights or obligations under this Agreement without restriction. No waiver by either party of any breach or default under this Agreement will be deemed to be a waiver of any preceding or subsequent breach or default. Any heading, caption or section title contained herein is for convenience only, and in no way defines or explains any section or provision. All terms defined in the singular shall have the same meanings when used in the plural, where appropriate and unless otherwise specified. Any use of the term “including” or variations thereof in this Agreement shall be construed as if followed by the phrase “without limitation.” This Agreement, including any terms and conditions incorporated herein, is the entire agreement between you and Company relating to the subject matter hereof, and supersedes any and all prior or contemporaneous written or oral agreements or understandings between you and Company relating to such subject matter. Notices to you (including notices of changes to this Agreement) may be made via posting to the Site or by e-mail (including in each case via links), or by regular mail. 
Without limitation, a printed version of this Agreement and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to this Agreement to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. Company will not be responsible for any failure to fulfill any obligation due to any cause beyond its control.
20. Data Processing Addendum
To the extent that Company Processes Personal Data in connection with your use of the Site, both Company’s and your obligations with respect to such Processing are set out in Attachment 1.
Site © 2022–2025 Tomato.ai, Inc. unless otherwise noted. All rights reserved.
Tomato.ai
Addendum
This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Terms of Service (“Agreement”) between Tomato.ai, Inc. (“Company”) and the entity entering into the Agreement (“Customer”). This DPA applies to the extent Company’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
1.1. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.2. “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA.
1.3. “Data Protection Laws” means all laws and regulations, including laws and regulations of: (i) the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom; (ii) the United States (including, but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”)); and (iii) any other jurisdiction in which the parties operate, all (i)–(iii) applicable to the Processing of Personal Data under the Agreement.
1.4. “Data Subjects” means the individuals identified in Schedule 1.
1.5. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.
1.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”).
1.7. “Personal Data” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws.
1.8. “Personal Data Breach” means a material breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
1.10. “Sell” has the meaning given in the Data Protection Laws.
1.11. “Service” means the services provided by Company to Customer pursuant to the Agreement.
1.12. “Share” has the meaning given in the CCPA.
1.13. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner for parties making restricted transfers, which entered into force on 21 March 2022 (collectively, with the EU SCCs, “the SCCs”).
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1. Customer is a Controller of Customer Personal Data and Company is a Processor of Customer Personal Data. The details of Company’s Processing of Customer Personal Data are described in Schedule 1.
2.2. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Service. Customer hereby instructs Company to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. Company shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Company, including by combining Customer Personal Data with Personal Data Company receives from third parties, other than Customer, except as permitted by the Data Protection Laws; or (3) Sell or Share Customer Personal Data. Upon notice to Company, Customer may take reasonable and appropriate steps to remediate Company’s use of Customer Personal Data in violation of this DPA.
2.3. Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws. If applicable laws preclude Company from complying with Customer’s instructions, Company will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
2.4. Each of Customer and Company will comply with their respective obligations under the Data Protection Laws. Company shall notify Customer if it determines that it cannot meet its obligations under the Data Protection Laws. Customer has the right to take reasonable steps to ensure that Company uses Customer Personal Data in a manner consistent with Customer’s obligations under Data Protection Laws by exercising Customer’s audit rights in Section 10.
3. Cross-Border Transfers of Personal Data
3.1. With respect to Customer Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (the “UK”) or Switzerland that is transferred from Customer to Company, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and Company as the “data importer.”
3.2. For purposes of the EU SCCs the parties agree that:
3.2.1. In Clause 7, the optional docking clause will not apply.
3.2.2. In Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.1 of this DPA.
3.2.3. In Clause 11, the optional language will not apply.
3.2.4. For the purposes of Clause 15(1)(a), Company shall notify Customer and/or Customer (only) and not the Data Subject(s) in case of government access requests and Customer and/or Customer shall be solely responsible for promptly notifying the affected Data Subjects as necessary.
3.2.5. In Clause 17, Option 1 applies and the EU SCCs shall be governed by the laws of Ireland.
3.2.6. In Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland.
3.2.7. In Annex I, Section A (List of Parties), (i) the Customer is the data exporter and Company is the data importer and their identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller, and Company is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Service pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA.
3.2.8. In Annex I, Section B (Description of Transfer): (i) Schedule 1 to this DPA describes Company’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Service); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Company uses Sub-Processors to support the provision of the Service.
3.2.9. In Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Company.
3.2.10. In Annex II, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described at Schedule 2.
3.3. If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection (“FADP”), the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the FADP; (iii) the term “Member State” in the EU SCCs will not prevent Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the FADP.
3.4. With respect to transfers from Customer to Company of Customer Personal Data originating from the UK, the parties agree that the UK Addendum will complement the EU SCCs to the extent required under Data Protection Law. The UK Addendum is incorporated herein by reference. The parties agree that the UK Addendum is completed as follows:
3.4.1. For the purpose of Part 1 of the UK Addendum:
3.4.1.1. Table 1: the start date is the effective date of the Agreement, the exporter is the Customer and the importer is Company, the table is deemed to be completed with the information set out in Section 3.2 of this DPA, and by signing this DPA, parties are deemed to have signed the UK Addendum.
3.4.1.2. Table 2: the “Approved EU SCCs” which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 3.2 of this DPA.
3.4.1.3. Table 3: the information requested in Annex 1 is provided in Sections 3.2.8 and 3.2.9 of this DPA; the security measures requested in Annex 2 are provided at Schedule 2.
3.4.1.4. Table 4: the importer may end the UK Addendum as set out in section 19 of the UK Addendum.
4. Confidentiality and Security
4.1. Company will require Company’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.
4.2. Company will implement commercially reasonable technical and organisational measures, as further described at Schedule 2, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
4.3. To the extent required by Data Protection Laws, Company will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.
5. Sub-Processing
5.1. Customer agrees that Company may engage Sub-Processors to Process Customer Personal Data on Customer’s behalf. Company may replace or engage new Sub-Processors from time to time. If Company and Customer are unable to resolve Company’s objections to changes in Sub-Processors, Company or Customer may terminate the Agreement by providing written notice to the other party. Any termination pursuant to this Section 5.1 will not affect Customer’s obligation to pay fees incurred prior to the termination.
5.2. Company will impose on its Sub-Processors substantially the same data protection obligations that apply to Company under this DPA. Company will be liable to Customer for its Sub-Processors’ acts or omissions as it would be for its own.
5.3. The parties agree that the copies of the Sub-Processor agreements that must be provided by Company to Customer pursuant to the SCCs, if applicable, may have commercial information or clauses unrelated to the SCCs removed by Company beforehand; and, that such copies will be provided by Company, in a manner to be determined in its discretion, only upon Customer’s written request.
6. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Company receives any Requests during the term, Company will advise the Data Subject to submit the request directly to Customer. Company will provide Customer with self-service functionality or other reasonable assistance to permit Customer to respond to Requests.
7. Personal Data Breaches
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Company will (i) promptly take measures designed to remediate the Personal Data Breach and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer. Customer may request that Company reasonably assist Customer’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects if Customer is required to do so under the Data Protection Laws. Company’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Company of any fault or liability with respect to the Personal Data Breach.
8. Data Protection Impact Assessment; Prior Consultation
Customer may request reasonable assistance from Company in connection with conducting data protection impact assessments and consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and the data protection impact assessment or consultation relates to the Processing by Company of Customer Personal Data.
9. Deletion of Customer Personal Data
Customer instructs Company to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. The parties agree that the certification of deletion described in the SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, Company may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Company maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
10. Audits
10.1. Customer may audit Company’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Company suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Company’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Company will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service, as described below.
10.2. To request an audit, Customer must submit a detailed proposed audit plan at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Company will review the proposed audit plan and provide Customer with any concerns or questions (for example, Company may object to the third-party auditor as described in Section 10.3, provide an Audit Report as described in Section 10.4, or identify any requests for information that could compromise Company confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 10 shall require Company to breach any duties of confidentiality.
10.3. Company may object to third party auditors that are, in Company’s reasonable opinion, not suitably qualified or independent, a competitor of Company, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve Company’s auditor objection after negotiating in good faith.
10.4. If the requested audit scope is addressed in an SSAE 18/ISAE 3402 Type 2, SOC 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Company’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Company confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the Audit Report.
10.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Company’s health and safety or other relevant policies. The audit may not unreasonably interfere with Company business activities.
10.6. Any audits are at Customer’s expense and Customer will promptly disclose to Company any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
10.7. The parties agree that the audits described in the SCCs, if applicable, shall be performed in accordance with this Section 10.
11. Analytics Data
Customer acknowledges and agrees that Company may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify or relate to Customer or any Data Subject (“Analytics Data”) and use such Analytics Data to improve the Service.
12. Liability
12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
12.2. Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Company will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Company in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
13. General Provisions
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the SCCs, the SCCs will prevail.
Schedule 1
1. Categories of Data Subjects. This DPA applies to Company’s Processing of Customer Personal Data relating to Customer’s personnel (“Data Subjects”).
2. Types of Personal Data. The extent of Customer Personal Data Processed by Company is determined and controlled by Customer in its sole discretion and includes names, email addresses, and any other Personal Data that may be transmitted through the Service by Data Subjects.
3. Subject-Matter and Nature of the Processing. Customer Personal Data will be subject to the Processing activities that Company needs to perform in order to provide the Service pursuant to the Agreement.
4. Purpose of the Processing. Company will Process Customer Personal Data for purposes of providing the Service as set out in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 9 of the DPA.
Schedule 2
Company will, at a minimum, implement the following types of security measures:
Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed, including:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff, janitors;
- Surveillance facilities, video/CCTV monitor, alarm system; and
- Securing decentralized data Processing equipment and personal computers.
Virtual access control
Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons including:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password);
- Automatic blocking (e.g. password or timeout);
- Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
- Creation of one master record per user, user-master data procedures per data Processing environment; and
- Encryption of archived data media.
Data access control
Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Personal Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
- Encryption.
Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, including:
- Encryption/tunneling;
- Logging; and
- Transport security.
Entry control
Technical and organizational measures to monitor whether Personal Data has been entered, changed or removed (deleted), and by whom, from data Processing systems, including:
- Logging and reporting systems; and
- Audit trails and documentation.
Control of instructions
Technical and organizational measures to ensure that Personal Data is Processed solely in accordance with the instructions of the Company, including:
- Unambiguous wording of the contract;
- Formal commissioning (request form); and
- Criteria for selecting the Company.
Availability control
Technical and organizational measures to ensure that Personal Data is protected against accidental destruction or loss (physical/logical), including:
- Backup procedures;
- Mirroring of hard disks (e.g. RAID technology);
- Uninterruptible power supply (UPS);
- Remote storage;
- Anti-virus/firewall systems; and
- Disaster recovery plan.
Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately, including:
- Separation of databases;
- “Internal client” concept / limitation of use;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.
