Hilti ON! Track - Offer subject to the Software and Services Subscription Agreement (“Offer”)
This offer of Hilti, Inc, 7250 Dallas Parkway, Suite 1000, Plano, TX 75024 ("Service Provider") to you ("Customer") is subject to the terms and conditions of the Software and Services Subscription Agreement (“Agreement”) as set out below this Offer. The terms used herein shall have the same meaning as defined in the Agreement and as further specified herein and in the Service Description.
This Offer is conditional on Customer also having entered into an agreement with Trimble Inc., a Delaware corporation with offices at 10368 Westmoor Drive, Westminster, CO 80021 for Viewpoint Vista, an ERP solution within the Trimble Construction One suite.
The Offer is subject to Customer accepting this Offer, including the terms of the Agreement.
1. Services Description, System Requirements and Usage Restriction
The Services are being made available to Customer according to the Services Description, its Usage Restriction and the System Requirements, which need to be fulfilled by Customer, in order to access the Services.
The Services Description, its Usage Restrictions and the System Requirements are being made available to Customer under Service Description.
2. Service Offering and Duration.
Services. The Services, which include On!Track ProPlus, are provided free of charge for a trial duration of six (6) months following Customer’s execution date.
Duration. The Services are provided for a fixed period of six (6) months following Customer’s execution date and shall automatically end, unless otherwise agreed upon between the Customer and the Service Provider in writing.
3. Hardware Offering and Professional Services
Under this Offer the Customer is eligible for two hundred dollars ($200.00) worth of ON! Track Tags and one (1) full day of Professional Services.
Software and Services Subscription Agreement
This Subscription Agreement ("Agreement") for Software and Services by and between Hilti, Inc, 7250 Dallas Parkway, Suite 1000, Plano, TX 75024 ("Service Provider") and you ("Customer") is effective either (i) upon Customer's electronic acceptance of the Order Form, or (ii) upon the Order Form being signed in writing by both Parties or electronically executed by the Parties via DocuSign (each an "Effective Date"), where in each case the Order Form incorporates the terms and conditions of this Agreement, including its Exhibit 1 (Service Level Agreement) and Exhibit 2 (Data Processing Agreement), by reference. Service Provider and Customer may together also be referred to as the “Parties” or individually as a “Party”. Service Provider intends to grant Customer the right to use the Software through a subscription service and Customer intends to subscribe to such Software. In addition to the Software and the related services required for the provisioning of the Software, the Parties may agree upon specific “Professional Services” to be rendered by Service Provider according to the terms and conditions of this Agreement.
Now, therefore, the Parties agree by considering the stipulations set forth in the Preamble as follows:
1. Customer’s Use of the Service
Service Provider Obligations. Service Provider shall make the Software and the Services required for provisioning the Software (Software and Services hereinafter together and individually may also be referred to as “Service” or “Services”) available to Customer as described in the Services Description and in the Services Specific Terms (together hereinafter referred to as “Services Description”) referenced in the Order Forms and according to the terms and conditions of this Agreement. Service Provider may amend the Services from time to time, provided that such amendments shall not materially diminish the overall Service. Service Provider aims to provide Software access to Customer within two (2) working days after the Effective Date, unless otherwise set forth in the Services Description. The Software may consist of a web application provided to Customer in the form of a software-as-a-service solution and a mobile application to be installed by Customer on its mobile device. The agreed scope and quality of the Services is exclusively set forth in the Services Description. Public statements concerning the Service made by Service Provider or its agents shall only become binding when expressly confirmed by Service Provider in writing. Information and specifications contained within the Services Description shall not qualify as a warranty or guarantee with regard to the Service’s quality or as any other kind of guarantee, unless they have been confirmed as such by Service Provider in writing. Service Provider may update and improve the Services from time to time; any such Updates, meaning software that remedies "Defects" (as defined in section 7.4) in the Services and/or may include minor improvements of the Services, are included in the Agreement.
In addition to Updates, Service Provider may offer Upgrades and/or Add-On Services to the Services, where “Upgrades” mean new capabilities or functionalities of the Services and “Add-On Services” either mean (i) new and/or additional functionality packages in form of separate modules to the Services, or (ii) integrations or connection applications with other Hilti or third party software applications. Upgrades and Add-On Services are only subject to the Agreement, if ordered separately and paid for by Customer, where additional terms and conditions may apply.
System Requirements. The operation or use of the Services by Customer requires certain system requirements as described in the Services Description which are subject to change at the discretion of Service Provider. The specification of system requirements does not form part of Service Provider’s obligations under this Agreement. Customer shall be solely responsible for obtaining any and all system requirements required to operate or use the Services. Service Provider is not responsible for problems, conditions, delays, failures and other loss or damages arising from Customer not complying with the system requirements and/or related to Customer's network connections, telecommunication links or caused by the Internet.
Authorized Users. Unless otherwise defined in the Services Description, Authorized Users means Customer’s employees authorized by Customer to use the Services according to the terms of the Agreement ("Authorized Users"). Customer shall assign the software access to its Authorized Users to enable registration, access and use of the Services according to the terms and conditions of this Agreement, according to section 3.3.
Customer Obligations. Customer must ensure that (i) its Authorized Users have entered complete and accurate information about its company and person within the registration process and, but not limited to, have not used any pseudonyms, (ii) its Authorized Users use the Service in compliance with the terms of this Agreement and (iii) that its Authorized Users use reasonable efforts to prevent unauthorized access or use of the Service by employees not considered as Authorized Users or third parties, and to notify Service Provider promptly of any such unauthorized access or use.
2. Subscription Fee, Payment & Taxes
Subscription Fee. Customer shall pay to Service Provider in consideration for Service Provider providing the Services, the subscription fee as agreed upon in the Order Form.
Payment Terms. The payment terms are set forth in the Order Form.
Taxes. Service Provider's Subscription Fee generally does not include taxes. Customer is responsible for paying all sales, use, and value-added taxes associated with its receipt of Services hereunder, but excluding taxes based on Service Provider's gross receipts, net income or property. If Service Provider has an obligation to pay or collect taxes for which Customer is responsible under this section, the appropriate amount shall be invoiced to and paid by Customer, unless Customer provides Service Provider with a valid tax exemption certificate authorized by the appropriate taxing authority.
3. Proprietary Rights
Hilti Corporation. Hilti Corporation, Feldkircherstrasse 100, FL-9494 Liechtenstein (“Hilti Corporation”) exclusively and unrestrictedly retains ownership of, and reserves all Intellectual Property Rights in, the Services, where Intellectual Property Rights means any common law, statutory and other industrial property rights and intellectual property rights, including copyrights, trademarks, trade secrets, patents and other proprietary rights issued, honored or enforceable under any applicable laws anywhere in the world, and all moral rights related thereto ("Intellectual Property Rights"). Service Provider is authorized by Hilti Corporation to grant to Customer rights to use the Services according to the terms and conditions of this Agreement.
Reservation of Rights. Subject to the limited rights expressly granted hereunder, no rights are granted to Customer hereunder other than as expressly set forth herein. Customer reserves all rights, title and interest in and to its data, other non-Service Provider software and other intellectual property to which Service Provider may from time to time have access while performing the Services.
Grant of Rights. Customer is for the Term of the Agreement granted the rights to access and use the Services as agreed upon in the Order Form, where the following options are available:
- a) Named User. A non-exclusive, non-transferable right to authorize named Authorized Users to remotely access the Services and use the Services' functionalities up to the quantity of Named Users defined in the Order Form. Upon notification to Service Provider, Customer shall be allowed to replace a named Authorized User by another named Authorized User.
- b) Concurrent User. A non-exclusive, non-transferable right to authorize the remote access of the Services and the usage of the Services' functionalities by the maximum number of concurrent active user sessions as defined in the Order Form. Concurrent active user sessions mean accessing and/or using the Services by (i) a radio frequency device, (ii) a personal computer, (iii) a CRT or (iv) a VDT that is logged on and connected to the Services.
- c) Enterprise Usage. A non-exclusive, non-transferable right to authorize all of Customer's Authorized Users to remotely access the Services and use the Services' functionalities up to the maximum quantity as defined in the Order Form (if any).
Documentation. Service Provider will provide adequate user guides for the Service upon Customer's request.
Restrictions. Customer shall not (i) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share, offer in a service bureau, or otherwise make the Service available to any third party, other than to the Authorized Users; (ii) modify, copy or create any derivative works based on the Service; (iii) frame or mirror any content forming part of the Service, other than on Customer's own intranets for its own internal business purposes; (iv) reverse engineer or decompile the Service or any part thereof unless permitted by applicable law; (v) access the Service in order to build any commercially available product or service; (vi) copy any features, functions, interfaces or graphics of the Service or any part thereof; or (vii) use the Service in any manner that exceeds the scope of use permitted herein.
Customer Data. Customer Data means the data or information provided to or uploaded by Customer or its Authorized Users in connection with the Services, where Customer Data shall not contain infringing, obscene, threatening, or otherwise unlawful or tortious material, including material that violates privacy rights or which disrupts the performance of the Service or the data contained therein. As between Service Provider and Customer, Customer owns its Customer Data and (to the extent Customer Data contains personal data) is the responsible data controller (within the meaning of applicable data protection law) for such Customer Data. Service Provider shall not access Customer Data except to the extent: (i) necessary to respond to Service-related issues or other technical problems, (ii) necessary to provide such Customer Data to Authorized Users, (iii) as required to perform its obligations, (iv) necessary to perform the Services, (v) requested by the Customer in written form, (vi) as otherwise explicitly permitted by the terms of this Agreement (including its Exhibits) or (vii) by the Customer’s explicit consent. The Parties agree that Service Provider and/or Service Provider’s affiliates may use Customer Data in anonymized form (i.e., in a form that cannot be linked to an individual Employee) in order to develop, maintain and improve the services and products of Service Provider's group of companies, to tailor products and services to Customer’s needs and for market research purposes during the term of this Agreement and thereafter. Service Provider may access Customer Data, its related systems or networks and devices to the extent necessary to perform the Services and/or to provide maintenance and/or support remotely as further described in Exhibit 1.
Customer Input. To the extent legally permitted, Customer herewith grants to Hilti Corporation a royalty-free, transferable, sub-licensable, irrevocable, perpetual, worldwide license to use or incorporate into the Services any of Customer's input, suggestions, enhancement requests, recommendations or other feedback relating to the Services (“Customer Input”). Hilti Corporation and/or Service Provider shall have no obligation to implement Customer Input into the Services.
4. Confidentiality
Confidentiality. Confidential Information means (a) the Software's source code; (b) Customer Data; and (c) each Party’s business or technical information, including but not limited to any information relating to software plans, designs, costs, prices and names, finances, marketing plans, business opportunities, personnel, research, development or know-how. A Party shall not disclose or use any Confidential Information of the other Party for any purpose outside the scope of this Agreement, except with the other Party’s prior written permission or as required by Law and permitted by section 4.2, below. Each Party agrees to protect the Confidential Information of the other Party in the same manner that it protects its own Confidential Information of like kind (but in no event using less than a reasonable degree of care and reasonable technology industry standards).
Compelled Disclosure. If a Party is compelled by Law to disclose Confidential Information of the other Party, it shall promptly provide the other Party with prior notice of such compelled disclosure (to the extent legally permitted) and provide reasonable assistance, at the other Party's cost, if the other Party wishes to obtain a protective order or prevent or contest the disclosure.
Remedies. If a Party discloses or uses (or threatens to disclose or use) any Confidential Information of the other Party in breach of confidentiality protections hereunder, the other Party shall have the right, in addition to any other remedies available, to injunctive relief to stop such acts, it being acknowledged by the Parties that any other available remedies are inadequate.
Exclusions. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the other Party; (ii) was known to a Party prior to its disclosure by the other Party without breach of any obligation owed to the other Party; (iii) was independently developed by a Party without breach of any obligation owed to the other Party; or (iv) is received from a third party without breach of any obligation owed to the other Party (provided, that Customer Data containing personal data shall be handled in accordance with the standards required by this Agreement (including its Exhibits), even if the same information may be generally known, publicly available or otherwise accessible to Service Provider from other sources).
5. Usage Restrictions
The Services usage and functional limitations (“Usage Restrictions”) are determined in the Services Description and must be fully complied with by Customer and considered when using the Services. Notwithstanding section Error! Reference source not found., Customer waives any and all warranty and liability claims and remedies resulting from Customer's usage of the Services not being in compliance with the Usage Restrictions.
Business Customers. The Services are solely intended and designed to be used by professional business customers in the construction and sub-construction industries, energy system contraction and in building maintenance, and are not intended to be used by any other fields of business or by private end consumers (“Field of Use”). Notwithstanding section Error! Reference source not found., Customer waives any and all warranty and liability claims and remedies resulting from Customer's usage of the Services outside the Field of Use.
6. Indemnification by Customer
Customer Indemnity. Customer shall indemnify, defend and hold harmless Service Provider against any third party claims and/or fines that are based on: (i) Customer’s use of the Services to the extent in violation of the Usage Restrictions as stated in section 5.1 above; (ii) Customer's breach of an applicable data protection law; or (iii) Customer's Data and any other information or material uploaded or used together with the Services. Service Provider shall reasonably cooperate in the defense of such claim, if requested by Customer, where Customer will reimburse Service Provider’s reasonable out-of-pocket costs incurred in connection with such cooperation. Customer shall, if so decided by Service Provider, have the sole authority to defend or settle the claim, provided such settlement does not involve any payment by Service Provider or admission of wrongdoing by Service Provider.
7. Limited Warranty and remedies in case of Defects
Service Provider Warranties. Service Provider warrants that the Services are materially provided according to the Services Description.
Customer Warranties. Customer covenants to use the Services in accordance with the terms and conditions of this Agreement and that its use of the Service does not and shall not constitute non-compliance with any law or regulation.
Limitation of Warranties. EXCEPT AS EXPLICITLY SET FORTH IN SECTION 7.1 ABOVE, SERVICE PROVIDER DOES NOT MAKE ANY WARRANTIES, AND EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, GUARANTIES, CONDITIONS, AND REPRESENTATIONS, WHETHER ORAL OR WRITTEN, EXPRESSED OR IMPLIED, OR ARISING BY USAGE OF THE SERVICES, INCLUDING, BUT NOT LIMITED TO, NON-INFRINGEMENT, THE MERCHANTABILITY OF THE SERVICES, ITS FITNESS FOR A PARTICULAR PURPOSE, MEETING CUSTOMER'S REQUIREMENTS, OR SATISFACTORY QUALITY. SERVICE PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE PROVIDED UNINTERRUPTED OR FREE OF DEFECTS IN MATERIAL OR TITLE. SERVICE PROVIDER DOES NOT WARRANT THAT THE SERVICES DO NOT CAUSE ANY LOSS OR DAMAGES RESULTING FROM THE TRANSFER OF DATA OVER COMMUNICATION NETWORKS OR FACILITIES.
Warranty Remedies. Customer shall promptly notify Service Provider of any alleged Defects of the Service in writing, including a description of the alleged Defect, where the term Defect shall mean a material deviation of the warranty pursuant to section 7.1 above. All Defects will be cured by the Service Provider within a reasonable time as set forth by Service Provider; Service Provider may decide at its sole discretion whether to cure a given Defect by means of repair (e.g. workaround) or replacement delivery. Service Provider may also cure a Defect by using remote means and for this purpose may remotely access Customer Data, systems and/or devices. If Service Provider is unable to cure the Defect within the reasonable time, the Customer may (i) request a reasonable reduction of the Subscription Fee for the Services or (ii), if Service Provider has failed to cure the same Defect for two consecutive times within the reasonable time, either Party may terminate the Agreement with immediate effect. In such case, Customer may also claim damages subject to section 8.
8. Limitation of Liability
Limitation of Liability. IN NO EVENT WILL SERVICE PROVIDER OR ITS AFFILIATES, DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS BE LIABLE FOR ANY CAUSE RELATED TO OR ARISING OUT OF THIS AGREEMENT, WHETHER IN CONTRACT, NEGLIGENCE OR TORT, IN EXCESS OF THE TOTAL FEES AND CHARGES PAID OR PAYABLE BY THE CUSTOMER FOR THE SOFTWARE DURING THE SIX (6) MONTH PERIOD IMMEDIATELY PRIOR TO THE DATE THE CAUSE OF ACTION AROSE. IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES HOWEVER CAUSED AND WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT SERVICE PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS, LOST PROFITS OR REVENUE.
Customer’s Obligation to Mitigate Damages. Service Provider will create daily backup copies of the whole system on which Customer Data is stored to enable restoration of the system data in case of data loss. However, Service Provider does not restore the Customer Data of individual Customers, e.g. in case of accidental data loss caused by Customer. Customer shall take adequate measures to avert and reduce damages due to data loss.
9. Term & Termination
Term. Unless terminated earlier pursuant to this Agreement's express provisions, this Agreement enters into effect upon the Effective Date and shall be concluded for an indefinite term (“Term”), unless otherwise set forth in the Order Form.
Termination for Convenience. Each Party may terminate this entire Agreement for convenience on not less than sixty (60) days' prior written notice to the end of a calendar month, unless otherwise set forth in the Order Form.
Termination for Cause. In addition, each Party may terminate this Agreement for good cause if the other Party materially breaches the Agreement and does not remedy such material breach within thirty (30) days of notification of such breach.
Consequences of Termination of the Agreement. Upon any termination by Service Provider, Customer shall immediately cease accessing and otherwise utilizing the Service (except as otherwise provided below). Termination shall not relieve Customer of the obligation to pay any Subscription Fee accrued or due and payable to Service Provider prior to the effective date of termination.
Return of Customer Data. Customer may extract Customer Data during the Term of the Agreement and for sixty (60) days thereafter (“Extraction Period”), unless otherwise set forth in the Services Description. Upon expiration of the Extraction Period, Service Provider will, subject to Service Provider’s right to use Customer Data in anonymized form as provided for in section 3.6, at its discretion delete or block Customer Data.
Surviving Provisions. All provisions of this Agreement intended by their terms to survive shall survive any termination or expiration of this Agreement.
10. Changes to the Agreement and/or Subscription Fee
Changes to the Agreement. Service Provider reserves the right to change the Agreement and/or the Subscription Fee ("Change"). Unless otherwise set forth in the Services Description, Service Provider will notify Customer about the Change with at least four (4) weeks prior notice (“Change Notification”). Customer has the right to object to the change with two (2) weeks prior notice before the change is intended to become effective ("Change Effective Date"). If the Customer does not object in due time, this shall be deemed as Customer’s acceptance of the Change and the Change shall become effective at the Change Effective Date. If Customer objects in due time, Service Provider may choose to either continue the Agreement with Customer under the terms of this Agreement without the Change, or to terminate the Agreement with effect at the Change Effective Date. Service Provider will specifically inform Customer about Service Provider’s termination right, the notice period for Customer’s objection, the Change Effective Date and the consequences of not objecting to the Change Notification.
Changes to Subscription Fee. The Subscription Fee agreed upon is fixed for the remainder of the calendar year following the Effective Date of this Agreement. Thereafter, Service Provider may increase the Subscription Fee unilaterally by no more than three percent (3 %) annually without having to abide by the procedure for a Change as set forth in section 10.1 above and without Customer having an objection right.
11. Terms for Free of Charge Services
Free of Charge Services. The Service Provider may provide certain Services free of charge as set forth in the Services Description (“Free of Charge Services”).
Specific Terms. For the Free of Charge Services, the following specific terms shall apply in addition and shall take precedence in case of any contradictions with the other provisions of this Agreement:
- a) Exclusion of Warranty. NOTWITHSTANDING SECTION 7.1 ABOVE, SERVICE PROVIDER HEREWITH, EXCEPT FOR FRAUDULENTLY CONCEALED DEFECTS, EXCLUDES ANY AND ALL REPRESENTATIONS, WARRANTIES, GUARANTEES AND CONDITIONS, WHETHER ORAL OR WRITTEN, EXPRESSED OR IMPLIED, OR ARISING BY USAGE OF THE SERVICES, INCLUDING, BUT NOT LIMITED TO, NON-INFRINGEMENT, THE MERCHANTABILITY OF THE SERVICES, ITS FITNESS FOR A PARTICULAR PURPOSE, MEETING CUSTOMER'S REQUIREMENTS, OR SATISFACTORY QUALITY. SERVICE PROVIDER DOES NOT WARRANT ANY AVAILABILITY OF THE SERVICES OR THAT THE SERVICES WILL BE PROVIDED UNINTERRUPTED OR FREE OF DEFECTS IN MATERIAL OR TITLE. SERVICE PROVIDER DOES NOT WARRANT THAT THE SERVICES DO NOT CAUSE ANY LOSS OR DAMAGES RESULTING FROM THE TRANSFER OF DATA OVER COMMUNICATION NETWORKS OR FACILITIES.
- b) Limitation of Liability. Subject to the foregoing, Service Provider’s liability for damages relating to the Free of Charge Services shall be limited to fifty dollars (USD $50).
- c) Service Level Agreement. The Service Level Agreement as set forth in Exhibit 1 shall not be applicable to the Free of Charge Services.
12. Data Protection
Data Protection. As regards the processing of Customer Data for the purpose of this Agreement, the Service Provider and Customer herewith agree to enter into the data processing agreement as set forth in Exhibit 2 (Data Processing Agreement).
13. Non-Hilti Services
Acquisition of Non-Hilti Products and Services. Service Provider or third parties may make available third-party products or services, including, for example, connectors, add-ons, implementation and other consulting services (“Non-Hilti-Services”). Any acquisition by Customer of such products or services, and any exchange of data between Customer and any provider of such Non-Hilti-Services (“Non-Hilti-Provider”) is solely between Customer and the applicable Non-Hilti-Provider. Service Provider does not warrant or support Non-Hilti-Services, whether or not they are designated by Service Provider as “certified” or otherwise, unless expressly provided otherwise in an Order Form.
Non-Hilti-Services and Customer Data. If Customer chooses to use Non-Hilti-Services with the Services, Customer grants Service Provider permission to allow the Non-Hilti-Services and their provider to access Customer Data as required for the interoperation of those Non-Hilti-Services with the Services. Separate terms shall apply between Customer and the Non-Hilti-Provider regarding the use of such Non-Hilti-Services, and Customer shall be responsible for evaluating whether such terms with the Non-Hilti-Provider ensure appropriate protection of and access to Customer Data, and address responsibility for any disclosure, modification or deletion of Customer Data by the Non-Hilti-Provider, or any breach of data protection laws and regulations resulting from the Non-Hilti-Provider's access to Customer Data. Non-Hilti-Providers shall not be considered subcontractors or Subprocessors (as defined in the DPA) of Service Provider nor of any of its affiliates. Neither Service Provider nor its affiliates shall be responsible for any disclosure, modification, corruption, loss or deletion of Customer Data, or any breach of applicable data protection laws and regulations, resulting from access by such Non-Hilti-Services or their provider.
Integration with Non-Hilti-Services. The Services may contain features designed to interoperate with Non-Hilti-Services. To use such features, Customer may be required to obtain access to such Non-Hilti-Services from their providers and may be required to grant Service Provider access to Customer’s account(s) on such Non-Hilti-Services. Service Provider cannot guarantee the continued availability of such Service features and may cease providing them without entitling Customer to any refund, credit, or other compensation, if for example and without limitation, the provider of Non-Hilti-Services ceases to make the Non-Hilti-Services available for interoperation with the corresponding Service features in a manner acceptable to Service Provider.
14. Professional Services
Professional Services. Customer may order the Professional Services as offered by Service Provider. The full scope of the Professional Services, including the Professional Services Fee, will be agreed between Service Provider and Customer in the Order Form or via a separate work order (“Work Order”), where the timings and Professional Services Fees stated therein shall only serve as estimates.
Specific Terms. For the Professional Services the following specific terms shall apply in addition and shall take precedence in case of any contradictions with the other provisions of this Agreement:
- a) Work Order. A Work Order can be agreed between Service Provider and Customer in writing or by Service Provider sending Customer a Work Order proposal by e-mail and Customer accepting this proposal. Service Provider will provide the Professional Services either by itself or by its subcontractors. Each Work Order hereto will form an agreement separate from all the other Work Orders and each Work Order shall be subject to the terms of Agreement.
- b) Qualification of Professional Services. Unless otherwise agreed between the Parties in writing, Professional Services shall qualify as services and not contracts for work and labor. If certain Professional Services are agreed or being qualified as contracts for work and labor, a warranty period of ninety (90) days shall apply. Within such warranty period, Service Provider will either re-perform the non-conforming portions of the Professional Services at no cost to Customer or waive or return, as applicable, any Professional Services Fees owed or paid for the non-conforming portions of the Professional Services as Customer’s sole remedy for breach of this Professional Services warranty.
- c) Customer Obligations. Customer shall provide reasonable co-operation related to the provision of the Professional Services. Such co-operation and support by Customer shall include, but not be limited to: (i) a reasonable level of responsiveness to Service Provider’s requirements and communications; (ii) transmittal and release to Service Provider of appropriate and accurate documentation and information within a reasonable timeframe; (iii) prompt review of the Professional Services performed by Service Provider; (iv) subject to Service Provider’s specification of the required hardware and software environment, the making available of all permissions and licenses of the relevant parties (such as required third party software licenses) that are required for enabling Service Provider to provide the Professional Services. If and to the extent Service Provider requires technical infrastructure or access to Customer's systems to perform the contractual services, Service Provider and Customer will agree on the specifics in the relevant Work Order. Customer will grant Service Provider’s personnel access to Customer’s premises and technical infrastructure and will make available free of charge additional office space and equipment to the extent required for the performance of the contractual services. If Customer fails to fulfil the co-operation duties in this section, Service Provider shall not be responsible for any consequences resulting therefrom, including but not limited to any delays.
- d) Term & Termination. Any orders for Professional Services will remain in effect for the term which is specified in the Order Form or in the relevant Work Order or – if no such time is specified – until completion of the relevant Professional Services.
15. General Provisions
Relationship of the Parties. The Parties are independent contractors. This Agreement does not create nor is it intended to create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.
Definitions. Capitalized terms shall have the meaning as defined in parentheses (“…”).
Notices. Unless otherwise set forth in this Agreement, all notices under this Agreement must be given at least in textual form (e.g. e-mail). Service Provider will deliver such notices by email to the address(es) and contact person(s) indicated by Customer upon registration of Customer’s account for the Service with Service Provider. Additionally, Service Provider may notify Customer directly within Services or by making available information at Service Provider’s webpage. The Parties shall immediately notify each other about any changes of the contact data they have provided each other with. If Customer is not updating its contact details on a regular basis, Customer may not receive Updates, Upgrades or important information about the Services.
Severability. If any provision of this Agreement is invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality or unenforceability shall not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal or unenforceable, the Parties shall negotiate in good faith to modify this Agreement to affect the original intent of the Parties as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby may be consummated as originally contemplated to the greatest extent possible.
Waiver and Cumulative Remedies. No failure or delay by either Party in exercising any right under this Agreement shall constitute a waiver of that right. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party.
Subcontractors. Service Provider may commission subcontractors with the performance of the Services. If the provision of the subcontracted Services requires the processing of personal data, the requirements and obligations set forth in the Data Processing Agreement shall apply.
Assignment. Customer may not assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the Service Provider (which consent shall not be unreasonably withheld).
Governing Law and Place of Jurisdiction. This Agreement shall be governed exclusively by the Laws of [the State of Texas], without regard to conflicts of laws principles, and excluding the Convention on the International Sale of Goods. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the state or federal courts of the State of Texas, and all courts competent to hear appeals therefrom.
Further Provisions. The respective Order Form, including the Services Description it references to, this Agreement and its Exhibits, constitute the entire agreement between the Parties with respect to the subject matter hereof. There are no agreements, representations, warranties, promises, covenants, commitments, or undertakings other than those expressly set forth herein. This Agreement supersedes all prior agreements, proposals or representations, written or oral, concerning its subject matter. In the event of a conflict between this Agreement and one or more of the documents attached hereto or referenced herein, the documents shall be construed consistently, insofar as reasonably practicable, but to the extent of any inconsistency, they shall be controlling in the following order: (1) the Order Form, (2) Services Description, (3) this Agreement, and (4) its Exhibits. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order or in any other Customer order documentation shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void.
Form Requirement. No modification, amendment, or waiver of any provision of this Agreement shall be effective, unless being agreed upon in text form (e.g. email, notifications, etc.) or in writing by the Party against whom the modification, amendment or waiver is to be asserted. Transmission by fax, e-mail or any other equivalent form of electronic exchange or execution shall be deemed to comply with such form requirement. The Parties furthermore acknowledge and agree that this Agreement may be executed, exchanged, stored and processed by applying any form of simple or advanced eSignatures (e.g. DocuSign, etc.) and that such eSignatures shall comply with the written form requirement. The Parties agree that they will not challenge the authenticity or correctness for the sole reason of the Order Form and/or the Agreement being executed in electronic form only.
Force Majeure. Neither Party shall be liable for delay or failure in the performance of any of its obligations under this Agreement (other than the payment of money) to the extent such delay or failure is due to causes beyond its reasonable control, including acts of God, fires, floods, pandemics, earthquakes, labor strikes, acts of war, terrorism or civil unrest ("Force Majeure"). Each Party shall, if possible, promptly notify the other in writing if it is or will be affected by a Force Majeure event. If a Force Majeure event persists for an uninterrupted period of sixty (60) days, either party shall be entitled to terminate this Agreement.
Exhibit 1 (Service Level Agreement) to the Software and Services Subscription Agreement
1. Service Availability
1.1. Target Monthly Availability SLAs
Service Provider will use commercially reasonable efforts to make the Service available twenty-four (24) hours a day, seven (7) days a week (24/7), with the targeted monthly end to end uptime of ninety-five percent (95%), meaning that access to the Service (Web-application or a smartphone application) is targeted to be available 95% of the time over a whole calendar month (“Target Monthly Availability SLAs”). Customer acknowledges that the Target Monthly Availability SLAs are only targets and cannot be guaranteed.
The stated Target Monthly Availability SLAs exclude: (i) Planned Service Downtime (as set forth in Section 1.2 below) and (ii) any unavailability caused by circumstances beyond Service Provider’s reasonable control, including without limitation, force majeure acts of God, acts of government, flood, fire, earthquake, civil unrest, acts of terror, strikes or other labor problems (other than one involving employees of Service Provider), denial of service attacks as well as failures or delays in connection with computers, telecommunications, internet service providers or hosting facilities involving hardware, software or power systems not within Service Provider’s possession or reasonable control.
1.2. Planned Service Downtime
For the purpose of supporting or maintaining the Service (including, but not limited to the roll-out of Updates), the Service might experience a Planned Service Downtime. Service Provider shall, to the extent reasonably practicable, schedule Planned Service Downtime outside of general business hours. The Service Provider shall make good faith efforts to give notice to Customer of such Planned Service Downtime as soon as possible, but at least twenty-four (24) hours via appropriate means (e.g. email or telephone).
1.3. Unplanned Service Downtime
In case of Unplanned Service Downtime with or without control of Service Provider, Service Provider shall make good faith efforts to send a notification to Customer informing Customer thereof. Service Provider shall further make good faith efforts to provide reasonable updates on the progress for restoring the Service and to inform Customer as soon as the Service is available again.
2.1. Severity Levels of Support Requests
Support requests can be raised for Defects of the Service (Severity Level 1-4, as described below) and for general questions regarding the Service (Severity Level 4, as described below). In case of a support request the severity is determined in accordance with the following definitions below (“Severity Levels”):
Severity 1. Customer production use of the Service is stopped or so severely impacted that the Customer cannot reasonably continue work. Customer experiences a complete loss of Service. The operation is mission critical to the business and the situation is an emergency. A Severity 1 service request has one or more of the following characteristics:
• All or the majority of data is corrupted which makes it impossible for the Customer to work with the Software (Web-application and smartphone application).
• All functions or most functions not available; no backup system in place
• Software (web-application and smartphone application) hangs indefinitely, causing unacceptable or indefinite delays for resources or response
• Software (web-application and smartphone application) is not available, aside from announced Planned and/or communicated Unplanned Service Downtime
Severity 2. Customer experiences a severe loss of Service. Important features of the Service are unavailable with no acceptable workaround; however, operations can continue in a restricted fashion. A Severity 2 service request has one or more of the following characteristics:
• Important functions not available; backup system in place
• Software (web-application and smartphone application) experiences major performance delays, timeouts
Severity 3. Customer experiences a minor loss of Service. The impact is an inconvenience, which may require a workaround to restore functionality.
Severity 4. Requests that do not address a Defect of the Services but are related to general information about the Service.
2.2. Service Levels for Support Request
Service Provider will respond to the support request as described in Section 2.4 and will use commercially reasonable efforts to provide a response within the time frame described in the table set forth below. The response time indicates the time from a support request being received by Service Provider via one of the Support Channels defined in Section 2.3 to the receipt of a response by Service Provider that addresses the issue, by either requesting additional information or providing information on the course of action to resolve the support request. Response times are only applicable during Service Hours, excluding public holidays in the country of residence of Service Provider.
| Severity Level | Target Response Time |
| --- | --- |
| Severity 1 | Four (4) hours |
| Severity 2 | One (1) day |
| Severity 3 | Two (2) days |
| Severity 4 | Four (4) days |
2.3. Support Channels
Service Provider will provide telephone and email support via Service Provider Customer Service ("Support Channels") during the defined Service Hours. To make sure that severity 1-3 requests get respective attention by Service Provider, such support requests have to be raised by phone via the customer support number. Severity 4 support requests can be also raised via email. Contact details and Service Hours are published online under the following link.
2.4. Support Process Description
The Service Provider logs the support request with the appropriate initial Severity Level and informs Customer that the support request has been logged via appropriate means. If further information needs to be provided by Customer, Service Provider will contact Customer to request the missing information. For Customer specific support requests or critical issues Service Provider will use best efforts to directly inform Customer as soon as a workaround solution, another temporary fix or a resolution has been found. For general application Defects and improvements, Customer can find relevant information in the general release documentation and will not be informed proactively. The Severity Level of a support request may be adjusted during the support process.
2.5. Accessing Customer Data and Using Remote Assistance Tools
In order to be able to provide the support services, Service Provider may need to use Remote Assistance Tools or access Customer Data in accordance with the Agreement as well as applicable data protection laws and legislation. By allowing the Service Provider the use of Remote Assistance Tools, Customer consents to granting Service Provider remote access to Customer Data and temporary access to and control over the relevant computer and/or device. Before granting remote access to Service Provider, Customer should take adequate measures such as backing up its data that resides on the relevant device and make sure that any Customer confidential information not relevant for the support request is not available or exchanged via the remote session. Without Customer’s consent, data not related to the provided Service is not stored or processed in any form by Service Provider.
2.6. Escalation Process
If Customer believes in good faith that Customer has not received quality or timely assistance in response to a support request or that Customer urgently needs to communicate important support related business issues to Service Provider’s management, Customer may escalate the support request by contacting Service Provider and requesting that the support request be escalated to work with Customer to develop an action plan.
3. Customer Obligations
3.1. Availability of Contact Person
Customer must ensure reasonable availability of a contact person while a support request is being resolved.
3.2. Process Updates
Customer needs to make sure to communicate to Service Provider the following changes/updates:
• any changes/additional information that occurred/got available since the support request was raised and that influence the support request.
• any changes in the system environment at Customer’s site that might influence the resolution of the support request.
• in case the support request is not valid any more (e.g. resolved).
3.3. System Requirements and latest Versions
To be eligible for support of the Service Customer is obliged to ensure compliance with the minimum System Requirements as set forth in the Services Description.
3.4. Communication to User Community
Service Provider will inform Customer about any system relevant events (e.g. communication of Planned Service Downtimes etc.) via the announcements in the Services or via the Services’ dedicated information webpage. It is the obligation of Customer to inform the relevant Customer’s end users about such events.
3.5. Failure to co-operate
If Customer fails to meet the obligations described above, Service Provider shall not be responsible for any consequences resulting therefrom, including but not limited to any delays in resolving a support request and/or any failure in meeting any Service Levels as set forth in this Agreement.
3.6. Non-Applicability of the Service Level Agreement
Unless otherwise set forth in the Services Description, the Service Level Agreement does not apply to (i) Services being provided Free of Charge, (ii) Services being provided for mobile applications, (iii) Add-On Services and (iv) Non-Hilti-Services (“Excluded Services”). Service Provider does not warrant for the Excluded Services any availability and does not provide any Support or rectification services for the Excluded Services.
Exhibit 2 (Data Processing Agreement) to the Software and Services Subscription Agreement
The terms being used in this DPA shall have the same meaning as under the Agreement and as further specified herein.
This DPA is entered into by and between:
(i) the Customer, acting as controller (“Controller”); and
(ii) Service Provider, acting as processor (“Processor”);
(iii) each a “Party”, together the “Parties”.
This DPA is intended to comply with the requirements of applicable data protection laws. This means that the GDPR references and obligations should be considered mutatis mutandis of the applicable local data protection laws when said is not GDPR. When equivalent obligations do not exist under local laws, then the clauses should be considered as contractual obligations designed to apply an equivalent level of protection as the one prescribed under GDPR, referencing the GDPR articles as guidance to clarify the intent.
1. Subject of this DPA
In the course of rendering the Services under the Agreement, Service Provider handles personal data with regard to which Customer acts as the controller in terms of applicable data protection law (hereinafter referred to as “Customer Personal Data”). This DPA specifies the data protection rights and obligations of the Parties in connection with the Service Provider’s activities of processing Customer Personal Data.
2. Scope of the Processing
Service Provider shall process the Customer Personal Data on behalf of and in accordance with the instructions of the Customer within the meaning of article 28 GDPR. The Parties agree that Customer is the controller within the meaning of article 4 paragraph 7 GDPR and Service Provider is the processor within the meaning of article 4 paragraph 8 GDPR.
The processing of Customer Personal Data by Service Provider occurs in the manner and the scope and for the purpose specified in the Services Description; the processing relates to the types of personal data and categories of data subjects and involves the processing operations that are specified in the Services Description, where those being applicable at the time of the Parties entering into the Agreement may also be set forth in an Exhibit to this DPA. In case of any contradictions the processing activities as being set forth in the online Services Description shall prevail.
The duration of processing corresponds to the term of the Agreement or as otherwise set forth in the Services Description.
Service Provider reserves the right to anonymize or aggregate the Customer Personal Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purposes specified in the Agreement. The Parties agree that anonymized and according to the above requirement aggregated Customer Personal Data are no longer considered Customer Personal Data for the purposes of this DPA.
The processing of Customer Personal Data by Service Provider shall in principle take place in the Service Provider’s country or inside the European Union or another contracting state of the European Economic Area (EEA) or equivalent country. Service Provider is nevertheless permitted to process Customer Personal Data in accordance with the provisions of this DPA outside of the EEA if it informs the Customer in advance about the place of data processing and if the requirements of Chapter V GDPR are fulfilled. If Customer Personal Data shall be processed by a sub-processor whose processing of the Customer Personal Data is not subject to the GDPR, section 7.4 of this DPA applies.
3. Instructions by Customer
Service Provider shall process the Customer Personal Data in accordance with the documented instructions of Customer within the meaning of article 28 GDPR, unless Service Provider is by applicable law required to do otherwise. In the latter case, Service Provider shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The instructions of Customer are in principle conclusively stipulated and documented in this DPA. Deviating individual instructions or instructions which impose additional requirements shall be consulted beforehand with Service Provider to assess feasibility and estimate the costs. Any additional costs incurred by Service Provider as a result of deviating individual instructions or instructions which impose additional requirements shall be borne by Customer.
Notwithstanding anything contrary in this DPA, Customer shall serve as a single point of contact for Service Provider and is solely responsible for the internal coordination, review and submission of instructions or request of other controllers (belonging to Customer group of companies) to the Service Provider. Service Provider shall be discharged of its obligation to inform or notify a controller when it has provided such information or notice to Customer. Similarly, Service Provider is entitled to refuse any instructions provided directly by a controller that is not the Customer. Service Provider will serve as a single point of contact for Customer and is solely responsible for the internal coordination, review and submission of instructions or requests from Customer to Service Provider’s sub-processor(s).
If Service Provider is of the opinion that an instruction from Customer infringes this DPA or applicable data protection law, Service Provider is after correspondingly informing Customer entitled but not obliged to suspend the execution of the instruction until Customer confirms the instruction. The Parties agree that the sole responsibility for the lawfulness of processing (as within the meaning of article 6 GDPR) Customer Personal Data lies with Customer.
4. Legal Responsibility of Customer
Customer is solely responsible for the permissibility of the processing of the Customer Personal Data and for safeguarding the rights of data subjects (as within the meaning of article 12 to 22 GDPR) in the relationship between the Parties.
Customer shall provide Service Provider with the Customer Personal Data in time for the rendering of the Services and it is responsible for the quality of the Customer Personal Data. The Customer shall inform Service Provider immediately and completely if, during the examination of Service Provider’s results, it finds errors or irregularities with regard to data protection law or its instructions.
On request, Customer shall provide Service Provider with the information specified in article 30 paragraph 2 GDPR, insofar as it is not available to Service Provider itself.
If Service Provider is required due to a mandatory statutory law or request to provide information to a governmental body or person on the processing of Customer Personal Data or to cooperate with these bodies in any other way, Customer shall at first request assist Service Provider in providing such information and in fulfilling other cooperation obligations, where Service Provider’s reasonable costs for such activities shall be borne by Customer.
5. Confidentiality Obligation
Service Provider shall oblige all personnel handling Customer Personal Data to maintain confidentiality.
6. Security of Processing
Within the meaning of article 32 GDPR, Service Provider shall implement necessary, appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the Customer Personal Data processing, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to warrant a level of protection of Customer Personal Data appropriate to the risk.
The current set of technical and organizational measures in place can be found in the Services Description, where those being applicable at the time of the Parties entering into the Agreement may also be set forth in an Exhibit to this DPA. In case of any contradictions the technical and organizational security measures as being set forth in the online Services Description shall prevail.
Service Provider shall have the right to modify the technical and organizational measures during the term of this DPA, as long as they continue to comply with the statutory requirements.
7. Engagement of sub-processors
Customer grants Service Provider the general authorization to engage sub-processors with regard to the processing of Customer Personal Data. Sub-processors engaged at the time of conclusion of the Agreement are listed in the Services Description, where those being applicable at the time of the Parties entering into the Agreement may also be set forth in an Exhibit to this DPA. In case of any contradictions the sub-processor list as being set forth in the online Services Description shall prevail.
Service Provider shall notify Customer of any intended change in relation to the engagement or replacement of sub-processors via email, notification within the Services or via a subscription service offered by the Service Provider. Customer has the right to object to the engagement of a potential sub-processor. When raising such an objection, Customer shall specify its reasonable grounds for the objection. If Customer does not object within fourteen (14) calendar days upon Service Provider’s notification, its right to object to the corresponding engagement lapses. If Customer objects, Service Provider is entitled to terminate the Agreement and this DPA with a notice period of five (5) working days according to the further specifications in the Agreement.
The agreement between Service Provider and the sub-processor must impose the same or similar obligations on the latter as those incumbent upon Service Provider under this DPA. The Parties agree that this requirement is fulfilled if the contract provides a level of protection corresponding to this DPA, respectively if the obligations within the meaning of article 28 paragraph 3 GDPR are imposed on the sub-processor. The Parties further agree that this requirement may be satisfied in relation to cloud service providers providing platform, infrastructure or software as a service by concluding the latter’s standard data processing agreements provided, they comply with the requirements within the meaning of article 28 GDPR.
Subject to compliance with the requirements of section 2.4 of this DPA, the provisions of this section 7 of this DPA shall also apply in the case of an engagement of a sub-processor whose processing of Customer Personal Data is not subject to the GDPR. In such a case, Service Provider shall be entitled and – to the extent that the requirements of section 2.4 of this DPA are not otherwise met – obliged to conclude a contract with the sub-processor incorporating the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council in accordance with Commission Implementing Decision (EU) 2021/914 of June 4, 2021, incorporating Module 3 (Transfer of Processors to Processors). If and to the extent necessary for providing an adequate level of protection in the relevant third country, such a contract shall provide for additional safeguards necessary for that purpose. Such additional safeguards (if any) may also be set forth in the Services Description. The Parties agree that such a contract shall also meet the requirements pursuant to section 7.3 of this DPA. Customer declares its willingness to cooperate in the fulfilment of the derogation requirements within the meaning of article 49 GDPR to the extent necessary.
8. Data subjects’ rights
Within the meaning of article 28 (paragraph 3, point e) GDPR, Service Provider shall assist Customer, insofar as this is possible, by virtue of technical and organizational measures in fulfilling the latter’s obligation to respond to requests for exercising data subjects’ rights.
As far as a data subject submits a request for the exercise of his/her rights directly to Service Provider, Service Provider will forward this request to Customer in a timely manner if Service Provider is able to identify the data subject and an association with Customer is possible with reasonable efforts.
Service Provider shall, within the limits of what is reasonable and necessary, against reimbursement of the expenses and costs incurred by Service Provider as a result thereof and to be proven, enable Customer to correct, delete, block or restrict the further processing of Customer Personal Data, or at the instruction of Customer correct, delete, block or restrict further processing by itself, if and to the extent that this is impossible for Customer.
Insofar as the data subject has a right of data portability vis-à-vis Customer in respect of the Customer Personal Data within the meaning of article 20 GDPR, Customer should be enabled via the Services to extract the Customer Personal Data itself. Beyond that, Service Provider may, but is not obligated to, support Customer within the limits of what is reasonable and necessary in return for reimbursement of the expenses and costs incurred by Service Provider as a result thereof and to be proven.
9. Notification and Support Obligations of Service Provider
Insofar as Customer is subject to a statutory notification obligation due to a breach of the security of Customer Personal Data (in particular within the meaning of articles 33, 34 GDPR), Service Provider shall inform Customer in a timely manner of any reportable events in its area of responsibility.
Service Provider shall assist Customer in fulfilling the notification obligations at the latter’s request to the extent reasonable and necessary, taking into account the nature of processing and the information available to the Service Provider, in return for reimbursement of the expenses and costs incurred by Service Provider as a result thereof and to be proven.
Insofar as Customer is subject to a legal or regulatory obligation of conducting a data protection impact assessment (in particular within the meaning of articles 35, 36 GDPR) or equivalent assessment, Service Provider shall assist Customer in fulfilling such obligation at the latter’s request to the extent reasonable and necessary, taking into account the nature of processing and the information available to the Service Provider, in return for reimbursement of the expenses and costs incurred by Service Provider as a result thereof and to be proven.
10. Term, Termination, Deletion and Return of Customer Personal Data
This DPA shall come into effect upon the Agreement’s Effective Date and shall upon its Effective Date be concluded for the term of the Agreement and shall be construed and interpreted together with the Agreement as one consistent document. In case of conflicts between this DPA and other arrangements between the Parties, in particular the Agreement, the provisions of this DPA shall prevail.
The termination provisions as being set forth in Agreement shall also apply to this DPA.
Service Provider shall delete the Customer Personal Data promptly after termination of this DPA, unless Service Provider is obligated by applicable law to further store the Customer Personal Data. If Customer would prefer the Customer Personal Data to be returned before being deleted, then Customer must immediately inform Service Provider for the latter to provide Customer a reasonable time period (or as otherwise set forth in the Agreement) to extract the Customer Personal Data by itself.
Service Provider may keep documentations, which serve as evidence of the orderly and accurate processing of Customer Personal Data, also after the termination of the DPA.
11. Evidence and Audits
Service Provider shall provide Customer, at the latter’s request, with all information required and available to Service Provider to prove compliance with its obligations under this DPA.
Customer shall be entitled to audit Service Provider with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organizational measures, including inspections on Customer behalf by a certified independent third-party professional.
In order to carry out inspections in accordance with section 11.2 of this DPA, the Customer is entitled to access the business premises of Service Provider in which Customer Personal Data is processed within the usual business hours (Mondays to Fridays from 10 a.m. to 4 p.m. local time) after timely advance notification in accordance with section 11.5 of this DPA, at its own expense, without disruption of the course of business and under strict secrecy, by means of a written commitment, of Service Provider's business and trade secrets.
Service Provider is entitled, at its own discretion and taking into account the legal obligations of Customer, not to disclose information which is sensitive with regard to Service Provider’s business or if Service Provider would be in breach of statutory or other contractual provisions as a result of its disclosure. Customer is not entitled to get access to data or information about Service Provider’s other customers, cost information, quality control and contract management reports, or any other confidential data of Service Provider that is not directly relevant for the agreed audit purposes.
Customer shall inform Service Provider in good time (usually at least thirty (30) calendar days in advance) of all circumstances in relation to the performance of the audit. Customer may carry out only one audit per calendar year against reimbursement of the costs.
If Customer commissions a third party to carry out the audit, Customer shall obligate the third party in writing the same way, as Customer is obliged vis-à-vis Service Provider according to this section 11 of this DPA. In addition, Customer shall obligate in writing the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of Service Provider, Customer shall immediately submit to Service Provider the commitment agreements with the third party. Customer may not commission any of Service Provider’s competitors to carry out the audit.
At the discretion of Service Provider, proof of compliance with the obligations under this DPA may be provided, instead of an inspection, by submitting an appropriate, current independent third party audit report or a suitable certification by an IT security or data protection audit – e.g. according to ISO 27001, the IT baseline protection approach from the German Federal Office for Information Security (so-called “BSI-Grundschutz”) or of any comparable approach – (“Audit Report”), if the Audit Report makes it possible in an appropriate manner for Customer to convince itself of compliance with the contractual obligations.
12. Final Provisions
In case individual provisions of this DPA are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and thereby satisfies the requirements within the meaning of article 28 GDPR.
Annex 1 to the DPA (technical and organizational measures)
Description of the technical and organizational measures implemented by Processor as verified and confirmed by Controller:
Access Control to Processing Areas
Data Importer implements suitable measures in order to prevent unauthorized persons from gaining physical access to the data processing equipment where Personal Data is processed or used, in particular:
- Site access is tracked and documented.
- Site access is supervised and secured by an appropriate security system and/or security organization.
- Visitors will be continuously escorted.
Access Control to Data Processing Systems
Data Importer implements suitable measures to prevent the data processing systems used for the processing of Personal Data from being used or logically accessed by unauthorized persons, in particular:
- User identification and user authentication methods are in place to grant controlled access to the processing system.
- Access control and authorizations are defined according to a ‘need to have’ principle.
- Data Importer’s internal endpoints used to support the software service are protected to prevent unwanted access to the systems and to avoid infiltration of malicious software. This covers technologies such as firewalls, antivirus detection, malware detection, intrusion detection and prevention, and others. These technologies will be adjusted to new levels based on the overall development in these areas.
Access Control to Use Specific Areas of Data Processing Systems
Data Importer implements suitable measures within the applications so that the persons entitled to use the data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied or modified or removed without proper authorization, in particular:
- For Data Importer personnel, policies related to access to personal data are in place and trained.
- Data Importer informs its personnel about relevant security procedures including possible consequences of breaching the security rules and procedures.
- For training purposes Data Importer will only use anonymous data.
- Access to the data is either done from a controlled location or via a controlled network access.
- End devices used to access the data are protected by up-to-date client protection mechanisms.
Data Importer implements suitable measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission can be established and verified (data transfer control), in particular:
- Control of data transfer between Data Exporter and the Data Importer supplied software service:
  a) Data Importer’s software services use encryption to ensure confidentiality and integrity/authenticity when transferring data from the Data Exporter to the software service.
- Control of data transfers between Data Importer and Sub Processors:
  - In addition to the contractually agreed areas, data retrieval is only allowed for dedicated support activities and only for authorized support staff.
  a) The authorization process for Data Importer support staff performing data transfers is regulated through a defined process.
  b) If data has to be copied to specific media for transport to a 3rd party, these media will be treated with discernment in accordance with the sensitivity of the data.
  c) Documented procedures for the secure transfer of Personal Data are established.
Input Control, Processing Control and Separation for different purposes
Data Importer implements suitable measures to ensure that Personal Data is processed safely and solely in accordance with the Data Exporter’s instructions, in particular:
- Access to data is separated through application security for the appropriate users.
- The application supports the identification and authentication of users.
- Application roles, and the access resulting from them, are based on the function to be executed within the application.
When reasonable and feasible, Data Importer may implement in its software controls to validate data input and/or to track usage or modification of data.