Terms of Service Agreement
This Terms of Service Agreement (“Agreement”) is between iboss, Inc. (“iboss”) and the customer listed on the Quote between iboss and such customer (“You” or “Your” or “Customer”), and governs Customer’s purchase of, access to and use of iboss Property (defined below). Capitalized terms are generally defined throughout this Agreement and otherwise in Section 2.
1. BACKGROUND. This Agreement describes Your rights to use iboss Property, inclusive of any associated media, printed materials and “online” or electronic documentation, identified in the Quote to which this Agreement applies. Except for any Hardware that You are purchasing or licensing from iboss under a Quote, You must provide all equipment and software necessary to connect to iboss Property, including devices that are suitable to connect with and use iboss Property. You are solely responsible for any fees, including internet connection or mobile fees, that You incur when accessing iboss Property.
2. DEFINITIONS. The following terms will have the meaning set forth below:
“Acceptable Use Policy” means iboss’ general rules and regulations governing use of iboss Property available here: Acceptable Use Policy.
“Affiliate” means any legal entity that owns, is owned by, or is commonly owned with a party.
“Own” means more than 50% ownership or the right to direct the management of the entity.
“App” means any mobile software application offered by iboss.
“Confidential Information” shall mean all proprietary or confidential information disclosed by one party to the other party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information or the circumstances of disclosure, including, without limitation: (i) proprietary product, software or services information, or related technology, ideas and algorithms; (ii) trade secrets; (iii) either party’s technical, business or financial information and plans; and (iv) the pricing and other terms reflected on iboss quotes and/or purchase orders that Customer provides iboss pursuant to this Agreement. Confidential Information shall not include information that the receiving party can show (a) is or becomes generally known or publicly available through no fault of the receiving party; (b) is known by, or is in the possession of, the receiving party prior to its disclosure, as evidenced by business records, and is not subject to restriction; (c) was independently developed by the receiving party without the use of or reference to the Confidential Information of the disclosing party; or (d) is lawfully obtained without restriction from a third party who has the right to make such disclosure.
“Customer Content” means any information and other content uploaded by Customer to the Service.
“Documentation” means the manuals provided to Customer along with the Licensed Software.
“End-User” means an end-user of Customer who accesses iboss Property through a mobile device, computer, and/or computer system.
“Error” means a reproducible error of the Licensed Software, App, Hardware and/or Service, as applicable, to substantially conform to the Documentation in all material respects.
“Executable Code” means the fully compiled binary version of a software program that can be executed by a computer and used by an End-User without further compilation.
“Hardware” means any physically tangible electro-mechanical system or sub-system and any related equipment that iboss provides to Customer.
“Host Server” means the server(s) on which iboss has installed the Licensed Software and/or necessary components and services for utilizing Licensed Software or App for Customer’s use.
“iboss Property” means the App, Licensed Software, Host Server, Hardware and Service.
“Intellectual Property Rights” means all copyrights, trade secrets, patents, patent applications, moral rights, contract rights and other proprietary and/or intellectual property rights.
“Licensed Software” means the software program or programs described in the Quote or any software or firmware incorporated into the Hardware, and any modified, updated, or enhanced versions of such programs that iboss may provide to Customer pursuant to this Agreement, or a separate maintenance and support agreement. Licensed Software excludes any Apps.
“Quote” means the written or electronic quote or order form that expressly references, and is governed by, these Terms of Service and is executed by an authorized representative of each party hereto, electronically or in writing.
“Service” means the services ordered by Customer through a Quote.
“Source Code” means the human-readable version of a software program that can be compiled into Executable Code.
3. SOFTWARE LICENSES. iboss offers its software to customers on a subscription basis but delivers the software through one or more of the following technical means: (i) direct download and installation of the software on Your own devices (“Downloaded Software”), (ii) software-as-a-service (“SaaS”), (iii) pre-installed software on a server that iboss provides to You (“Server-Provided Software”), and/or (iv) via an App which is available for download and installation to Your mobile device.Regardless of which of these methods is used, the following license will apply to Your subscription during the Term. iboss grants You a non-exclusive, non-transferable, revocable, worldwide, royalty-free, limited license (without the right to sublicense) to (i) install and execute one copy of, and use the Licensed Software (in Executable Code form) on each device (in the case of Downloaded Software); (ii) access and use the Host Server solely for authentication and syncing purposes (in the case of Downloaded Software or Server-Provided Software); and (iii) use the Licensed Software and Service (whether Downloaded Software, Server-Provided Software, or SaaS) solely for Customer’s internal business purposes and according to the Acceptable Use Policy and Documentation.
In the event that You download and install an App, the Mobile Application Licenses Terms and Conditions shall apply.
4. EVALUATION LICENSES. If Customer is using iboss Property for evaluation purposes, then the license granted in Section 3 only permits Customer to use the Licensed Software, Hardware, App and/or Service, as applicable, for thirty (30) days, or such longer period set forth in the Quote (“Evaluation Period”), and solely to evaluate the performance and functionality of the Licensed Software, Hardware, App and/or Service, as applicable (“Evaluation Software”), according to the Documentation and Acceptable Use Policy. Unless Customer has purchased a subscription to continue using the applicable iboss Property, upon the expiration of the Evaluation Period, including any extensions to the Evaluation Period to which iboss agrees, Customer must (i) discontinue using the Evaluation Software, and (ii) return the Hardware, as applicable, to iboss within seventy-two (72) hours; otherwise, iboss reserves the right to charge Customer at the then current price for such usage of iboss Property. Hardware returned more than thirty (30) days following the Evaluation Period expiration date will not be accepted. Customer shall be liable to iboss, and agrees to pay iboss, for the cost of replacing or fixing Hardware lost or returned damaged, or attempted to be returned after thirty (30) days. Notwithstanding any other provision of this Agreement, iboss provides the Evaluation Software free of charge, without support and “AS IS” without indemnification or warranty of any kind. No support policies or service level agreements apply to the Evaluation Software. Certain features or services may not be available for the Evaluation Software.
5. LICENSE FROM CUSTOMER. During the Term, Customer grants to iboss a limited, non-transferable, royalty-free license to use the Customer Content solely to enable iboss to provide the Service to Customer and fulfill iboss’ obligations hereunder. iboss will maintain reasonable and appropriate physical, organizational, administrative, and technical safeguards designed to protect Customer Content from loss, misuse, unauthorized access, disclosure, alteration and destruction.
6. RESTRICTIONS. The rights granted to Customer in this Agreement are subject to the following restrictions. Customer shall not (a) reproduce, license, sublicense sell, resell, rent, lease, transfer, assign, distribute, host, outsource, disclose or otherwise commercially exploit iboss Property, or make iboss Property available to any third party, including but not limited to any Hardware; (b) make the iboss Property available to any third party for purposes of testing the Licensed Software, and disclosing publicly the results of the tests; (c) interfere with, disrupt, modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Licensed Software; (d) access the Licensed Software for research and development or competitive assessment purposes, or to build a similar or competitive product or service or extend term of the license granted hereunder; (e) either publicly or privately, republish, downloaded, display, post or transmit in any form or by any means the Licensed Software or any component of iboss Property (including screenshots or other images of iboss Property), which includes but is not limited to electronic, mechanical, photocopying, recording or other means; (f) interfere with, disrupt, alter, translate, or modify the Licensed Software, or create an undue burden on the Licensed Software or networks or services connected to the Licensed Software; (g) use the Licensed Software on any mobile devices or other computer systems or hardware for which Customer has not received the necessary End-User consent(s); (h) remove any copyright or other proprietary rights notices in the Licensed Software; or (i) use the Licensed Software for any purpose other than the purpose for which the Licensed Software is intended.
7. CUSTOMER AND IBOSS OBLIGATIONS. Customer agrees to take all reasonable steps to safeguard iboss Property and the associated login credentials to ensure that no unauthorized person has access to either, and that no unauthorized copy, publication, disclosure or distribution, in whole or in part, in any form is made. Each party acknowledges and agrees that iboss Property and Customer Content contain valuable, confidential information and trade secrets and that the unauthorized use and/or copying of the same would be harmful to Customer or iboss. Each of Customer and iboss represents and warrants that it will comply with all laws, rules and regulations that apply to its use of iboss Property or Customer Content and any other activities in connection with this Agreement. Customer agrees to cause all its End-Users to comply with the Acceptable Use Policy. Customer hereby further represents and warrants that iboss Property will not be used to filter, screen, manage or censor Internet content for End-Users without permission from the affected End-Users. Customer hereby acknowledges and agrees that (a) Customer’s use of features, including, but not limited to detection, measurements and control relay (DMCR), logging and alerts, are subject to all state, local, and federals laws and regulations applicable within the country of deployment, and (b) Customer will comply with all such restrictions and required disclosures.
8. SUPPORT. Subject to the terms of this Agreement and payment of any applicable fees, during the Term, iboss will provide support services to Customer according to iboss’ Service Level Agreement.
9. UPDATES. iboss may revise, update, upgrade or discontinue any iboss Property at any time, without prior notice to You but will endeavor to provide You notice wherever possible. If iboss ceases to make available any iboss Property, iboss will provide a pro rata refund to You for any prepaid fees paid by You to iboss for the applicable iboss Property, based on the amount of time remaining in the applicable term. During the Term, iboss may, in its sole discretion, provide You with updates or upgrades. iboss and its suppliers are not obligated to provide any updates or upgrades to iboss Property. Any future release, update, or other addition to functionality of iboss Property shall be subject to the terms of this Agreement, unless iboss expressly states otherwise.
10. HARDWARE PRODUCTS. If You require Hardware in connection with Your use of the Licensed Software and Service, then in addition to any other terms of this Agreement that pertain to Hardware, the Hardware Products Purchases and Licenses Terms shall apply.
11. SUBSCRIPTION FEES AND PAYMENT.
11.1. Fees. In consideration for the Licensed Software and Service, Customer will pay to iboss all fees set forth in the Quote. If Customer elects to pay by credit card, (i) iboss will automatically renew and bill Customer’s credit card periodically per the Quote, and (ii) Customer hereby authorizes iboss to automatically charge or debit such credit card for the full amount due (on a recurring basis, if applicable) according to the Quote. Customer understands that the amounts charged or debited may vary and that this authorization will remain in effect until the expiration or termination of this Agreement.
11.2. Payment Terms. Excepting Section 9 (Updates) and Section 21 (Term and Termination), all payment obligations are non-cancellable and all amounts paid are non-refundable, except as expressly set forth herein or as required by applicable law. All payments are due from Customer net thirty (n/30) days from the date of iboss’ undisputed invoice. Past due invoices are subject to a monthly charge equal to the lesser of: (a) one and one-half percent (1.5%) per month; or (b) the highest rate of interest permitted by applicable law. If any undisputed invoice remains unpaid after thirty (30) days from the invoice date, then notwithstanding any agreement or course of dealing between iboss and Customer, iboss may suspend Customer’s access to and use of iboss Property until all outstanding invoices are paid. Delinquent amounts owed by Customer may be referred to a collection agency, and will be subject to additional fees.
12. TAXES. Unless iboss otherwise states in writing, all iboss fees are exclusive of transportation, insurance, federal, state, local, excise, value-added, use, sales, property (ad valorem) and similar taxes or duties now in force or hereafter enacted. Customer will pay all taxes, fees or charges of any nature whatsoever imposed by any governmental authority on, or measured by, the transaction between Customer and iboss; provided that such taxes shall exclude federal, state or local income taxes to which iboss may be subject. If iboss is required to collect any of the foregoing, such amounts will be separately stated on the invoice, and must be paid by Customer unless Customer provides iboss with a valid tax exemption certificate authorized by the appropriate taxing authority.
13. OWNERSHIP. All right, title, and interest, including all Intellectual Property Rights, in and to iboss Property other than Customer-purchased Hardware shall be owned and retained by iboss or its suppliers. Any rights not expressly granted by iboss in the Agreement are reserved. Customer acknowledges that it acquires no ownership interest in iboss Property. iboss acknowledges and agrees that Customer is the sole and exclusive owner of all Customer Content. Any third-party software included in iboss Property may only be used in conjunction with the applicable product or service, and is not licensed for use independent from such product or service.
14. CUSTOMER MARKS. Subject to Customer’s prior written consent, iboss may use Customer’s logo and trademarks on iboss’ website and in other marketing material, when referring to Customer. Customer will retain all title and rights to such logos and trademarks.
15. OPEN SOURCE SOFTWARE. Certain items of software may be provided to Customer with the Licensed Software or App and are subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. The Open Source Software is not subject to the terms and conditions of Section 3. Instead, each item of Open Source Software is licensed under the terms of the license that accompanies such Open Source Software. Nothing in this Agreement limits Customer’s rights under, or grants Customer rights that supersede, the terms and conditions of any applicable license for the Open Source Software. If required by any license for particular Open Source Software, Company makes such Open Source Software, and Company’s modifications to that Open Source Software, available by written request to [email protected]
16. CONFIDENTIAL INFORMATION.
16.1. Protection of Confidential Information. Each party shall protect the other party’s Confidential Information from unauthorized dissemination, and the receiving party shall use, and shall ensure that its employees and agents use, the same degree of care that it uses to protect its own like information, at all times employing at least a reasonable standard of care. The receiving party shall not disclose to third parties the disclosing party’s Confidential Information without the prior written consent of the disclosing party. The receiving party shall use the disclosing party’s Confidential Information solely as necessary to directly fulfill the receiving party’s obligations under this Agreement.
16.2. Disposition Upon Termination. Upon the termination of this Agreement for any reason whatsoever, or in the event that the disclosing party reasonably determines that the receiving party no longer requires access to the Confidential Information to perform its obligations, the receiving party shall return to the disclosing party, or shall destroy, as the disclosing party shall specify, all copies of all the Confidential Information in the receiving party’s possession.
16.3. Permitted Disclosure. Notwithstanding any provision in this Agreement to the contrary, the receiving party may disclose portions of disclosing party’s Confidential Information (i) to its lawyers and accountants who have a need to know such information and who are under the same protection and use obligations as in Section 16.2, above, and (ii) pursuant to an order of a governmental agency or court of competent jurisdiction compelling disclosure, provided that the receiving party shall provide the disclosing party reasonable advance notice of such intended disclosure. Additionally, iboss may disclose Customer Confidential Information to law enforcement agencies and/or social service organizations (each, a “Public Service Agency”) without Customer’s or a Customer End-User’s consent under the following circumstances: (a) an exigent circumstance has arisen, as determined by iboss in its reasonable discretion, in which a Customer End-User presents imminent risk of physical harm to self or others (the “Risk”); (b) iboss has undertaken a reasonable investigation to confirm that the exigency is genuine; (c) iboss has attempted unsuccessfully to contact Customer for purposes of (1) directing Customer to communicate directly with the Public Service Agency, or (2) obtaining Customer’s consent to make the disclosure to the Public Service Agency; (d) the Public Service Agency is unable to obtain a legal order to compel the disclosure of the Confidential Information in sufficient time to respond adequately to the Risk; and (e) iboss minimizes the scope of its disclosure solely to that Confidential Information which is determined by iboss in its sole discretion to be necessary to assist the Public Service Agency to address the Risk.
16.4. Remedies. The receiving party acknowledges that its breach of this Agreement may cause irreparable damage to the disclosing party, and hereby agrees that the disclosing party is entitled to seek, in addition to any other remedies available to it, injunctive and other relief as may be granted by a court of competent jurisdiction, associated with the receiving party’s breach.
17. LIMITED WARRANTY. For purchased or licensed Hardware, the only warranties are as set forth in the Hardware Products Purchases and Licenses Terms. For the avoidance of doubt, regardless of whether the Hardware is purchased or licensed from iboss, no warranty is provided with respect to the Licensed Software.
18. DISCLAIMER OF WARRANTIES. EXCEPT FOR THE WARRANTIES REGARDING PURCHASED AND LICENSED HARDWARE SET FORTH IN THE HARDWARE PRODUCTS PURCHASES AND LICENSES TERMS, THE IBOSS PROPERTY IS PROVIDED TO CUSTOMER ON AN “AS-IS” BASIS. ADDITIONALLY, NO WARRANTIES WILL BE EFFECTIVE, AND IBOSS WILL NOT BE OBLIGATED TO HONOR ANY WARRANTIES, UNLESS AND UNTIL IBOSS RECEIVES PAYMENT IN FULL FOR THE APPLICABLE IBOSS PROPERTY. IBOSS AND ITS SUPPLIERS DISCLAIM ALL EXPRESS, IMPLIED OR STATUTORY WARRANTIES RELATING TO THE IBOSS PROPERTY, INCLUDING BUT NOT LIMITED TO, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. IBOSS DOES NOT REPRESENT OR WARRANT THAT THE IBOSS PROPERTY OR ANY NETWORKS, SOFTWARE, OR SYSTEMS USED WITH SUCH PRODUCTS WILL BE FREE FROM VULNERABILITY, INTRUSION, ATTACK, OR OTHER DAMAGE. CERTAIN STATES AND/OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES SO THE EXCLUSIONS SET FORTH ABOVE MAY NOT APPLY TO YOU.
19.1. By iboss. iboss shall indemnify and hold Customer and its employees, officers, and directors harmless from and against any and all liabilities, claims, causes of action and suits (collectively “Claims”) arising out of third-party Claims that iboss Property infringes or misappropriates such third party’s intellectual proprietary rights. iboss shall, at its expense, defend such Claims and pay damages finally awarded against Customer, or paid by Customer pursuant to an executed settlement agreement, in connection therewith.
19.2. Exclusive Remedy. If iboss Property becomes, or in iboss’ opinion is likely to become, the subject of an infringement claim, iboss may, at its option and expense, in addition to its indemnity obligations in Section 19.1, above, either (a) procure for Customer the right to continue exercising the rights licensed to Customer in this Agreement, (b) replace or modify iboss Property so it becomes non-infringing, or (c) terminate this Agreement by written notice to Customer and promptly refund any prepaid amounts to Customer. Notwithstanding the foregoing, iboss will have no obligation under this Section or otherwise with respect to any infringement claim based upon (i) any unauthorized use, reproduction, or distribution of iboss Property by Customer or any End User, (ii) any use of iboss Property in combination with other products, equipment, software, or data not supplied by iboss, except such products, equipment software and data to which the parties mutually agree, (iii) any use, reproduction, or distribution of any release of iboss Property other than the most current release and the next most recent prior release of iboss Property if the Customer has been advised of the need to upgrade by iboss in order to protect against infringement, or (iv) any modification of the technology by any person other than iboss, if the infringement would not have occurred but for such modification. This Section 19.2 states iboss’ entire liability and Customer’s sole and exclusive remedy for Customer infringement Claims.
19.3. By Customer. Customer shall indemnify and hold iboss and its employees, officers, and directors harmless from and against any and all third-party Claims arising from Customer’s alleged or actual breach of Sections 5, 6 or 7 of this Agreement. Customer shall, at its expense, defend such Claims and pay damages finally awarded against iboss, or paid by iboss pursuant to an executed settlement agreement, in connection therewith.
19.4. Indemnification Procedures. The indemnification obligations in this Section 19 shall be subject to the indemnified party: (i) promptly notifying the indemnifying party in writing upon receiving notice of any threat or claim of such action; (ii) giving the indemnifying party exclusive control and authority over the defense and/or settlement of such claim (provided any such settlement unconditionally releases the indemnified party of all liability); and (iii) providing reasonable assistance requested by the indemnifying party, at the indemnifying party’s expense.
20. LIMITATION OF REMEDIES AND DAMAGES. EXCEPT FOR EITHER PARTY’S INDEMNITY OBLIGATIONS UNDER THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, (A) NEITHER PARTY NOR ITS SUPPLIERS SHALL BE RESPONSIBLE OR LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES INCLUDING, BUT NOT LIMITED TO LOSS OF REVENUES AND LOSS OF PROFITS EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE; AND (B) EACH PARTY AND ITS SUPPLIER’S AGGREGATE CUMULATIVE LIABILITY FOR ANY CAUSE WHATSOEVER HEREUNDER SHALL NOT EXCEED THE AMOUNT PAID BY CUSTOMER FOR IBOSS PROPERTY DURING THE 12 MONTHS IMMEDIATELY PRIOR TO THE DATE ON WHICH CUSTOMER ALLEGES THE EVENTS THAT CAUSED SUCH DAMAGE OCCURRED.
21. TERM AND TERMINATION.
21.1. Term. This Agreement and the licenses granted hereunder are effective upon Customer’s execution of the Quote, and shall continue for the subscription period set forth on the Quote unless and until this Agreement is terminated by either party pursuant to this Section 21 (the “Term”). Upon the expiration of the Term, this Agreement shall automatically renew for successive twelve (12) month periods (each such period is a “Renewal Term”) unless, not less than sixty (60) days prior to the commencement of a Renewal Term, a party notifies the other party in writing that the notifying party elects not to renew the Agreement. Additionally, iboss may increase the prices for the Licensed Software and/or Service applicable to a Renewal Term, provided that it notifies Customer in writing of such increase not less than (60) days prior to the commencement of the applicable Renewal Term. The price increase will apply to the Renewal Term unless Customer provides written notice of its objection to the price increase not less than thirty (30) days prior to the Renewal Term’s commencement.
21.2. Termination. Either party may terminate the Quote and this Agreement if the other party (a) materially breaches this Agreement and fails to cure such breach within thirty (30) days following receipt of a breach notice from the terminating party, provided that iboss may terminate this Agreement immediately upon notice if Customer breaches Section 6 of this Agreement; or (b) becomes insolvent, makes a general assignment for the benefit of creditors, files a voluntary petition of bankruptcy, suffers or permits the appointment of the receiver for its business or assets, or becomes subject to any proceeding under any bankruptcy or insolvency law.
21.3. Effect of Termination. If iboss terminates this Agreement due to Customer’s material breach, then all amounts set forth in the Quote shall become immediately due and payable (including amounts not yet paid for the remainder of the subscription period set forth in the Quote) and Customer shall not be entitled to any refunds for any pre-paid amounts. In such case, Customer will promptly pay all such amounts to iboss upon receipt of the termination notice. If Customer terminates this Agreement due to iboss’ material breach, then iboss shall provide Customer a pro rata refund for any amounts pre-paid for the remainder of the then current term. iboss is not responsible or liable for any records or information that are made unavailable to Customer as a result of Customer’s termination of its account. Customer agrees that iboss will not be liable to Customer for any termination of Customer’s access to iboss Property. Upon termination, the license(s) granted hereunder shall terminate and Customer shall immediately cease all use of iboss Property and destroy any copies of the Licensed Software or App in its possession, if any. Notwithstanding any termination of this Agreement, those sections of this Agreement that, by their terms, are intended to survive the termination of this Agreement, will remain in effect.
22. DISPUTE RESOLUTION. Excluding any claims arising from or related to the infringement or misappropriation of iboss Property, the parties will attempt to resolve any claim, dispute or controversy between the parties (whether in contract, tort or otherwise) (a “Dispute”) through face-to-face negotiation between authorized representatives of each party or through mediation using a mutually agreeable mediator. If the parties are unable to resolve the Dispute through negotiation or mediation within a reasonable time period after a party has notified the other of the Dispute’s existence, the Dispute will be settled by binding arbitration, held in Boston, Massachusetts, according to the then current CPR Rules for Non-Administered Arbitration (“Arbitration”). Each party agrees that such arbitration shall be conducted on an individual basis and not in a class, consolidated or representative action. Notwithstanding any provision in this Agreement to the contrary, if the class-action waiver in the prior sentence is deemed invalid or unenforceable, neither party is entitled to arbitration. This arbitration agreement is subject to the Federal Arbitration Act. The arbitrator’s award may be entered in any court of competent jurisdiction. The existence or results of any negotiation, mediation or arbitration will be treated as confidential. If the arbitration provision in this Agreement is found unenforceable or not to apply for a given dispute, then the proceeding must be brought exclusively in a court of competent jurisdiction in Boston, Massachusetts.
23. EXPORT. iboss Property and Customer Content may be subject export requirements, including licenses, under United States or foreign laws. Each party shall comply with all applicable relevant laws, whether United States or foreign, governing the exports of iboss Property and/or Customer Content.
25. GOVERNING LAW. This Agreement is governed by the laws of the Commonwealth of Massachusetts without regard to conflict of law principles.
26. FORCE MAJEURE. Neither party will be liable to the other for failure to fulfill obligations hereunder if such failure is due to causes beyond its control, including, without limitation, acts of God, earthquake, fire, flood, embargo, catastrophe, sabotage, utility or transmission failures, governmental prohibitions or regulations, national emergencies, insurrections, riots or wars, acts of terrorism, Internet or power outages, or viruses which did not result from the acts or omissions of such party (“Force Majeure Event”). The time for any performance required hereunder will be extended by the delay incurred as a result of such Force Majeure Event.
27. HEADINGS; INTERPRETATION. The section headings used herein are for convenience of reference only and do not form a part of this Agreement. No construction or inference shall be derived therefrom. All references to “including” mean “including without limitation.”
28. WAIVER. iboss’ failure to enforce at any time, or for any period of time, any term of this Agreement shall not be construed as a waiver of iboss’ rights thereafter to enforce such term. iboss’ waiver of a Customer default will not be deemed a continuing waiver, but will apply solely to the instance to which the waiver is directed.
29. CONFLICTS; AMENDMENT. This Agreement sets forth the entire agreement and understanding between iboss and Customer regarding the subject matter hereof and supersedes any previous or contemporaneous communications, representations, proposals, commitments, understandings, negotiations, discussions, understandings or agreements (including non-disclosure or confidentiality agreements), whether oral or written, regarding the same subject matter. This Agreement expressly supersedes and replaces in their entirety any pre-printed terms on a Customer purchase order or similar document. In the event of a conflict between the terms of a Quote and the terms of this Agreement, the terms of the Quote shall govern. Any Amendment to this Agreement requires the written agreement of both parties.
30. SEVERABILITY. If any term or condition of this Agreement is deemed unenforceable, it shall be severed, and every other provision of this Agreement shall be enforced as if the unenforceable term or condition had never been a part hereof.
31. ASSIGNMENT. Neither party may assign this Agreement (or any rights or duties under it) without the other party’s prior written consent, provided that either party may assign this Agreement without the other party’s consent in connection with a merger, acquisition, or sale of all or substantially all of its assets. Either party who assigns this Agreement as permitted in this Section 31 shall provide the other party with prompt notice of such assignment. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the parties and their permitted successors and assigns.
32. NO JOINT VENTURE OR THIRD PARTY BENEFCIARIES. The parties to this Agreement are independent contractors, and this Agreement does not create any partnership, joint venture or agency relationship between iboss and Customer. Except as this Agreement otherwise expressly states, the Agreement does not create any third-party beneficiaries.
33. NOTICES. Any notice delivered by iboss to Customer under this Agreement will be delivered by email to the email address set forth in the Quote. Customer will direct legal notices or other correspondence under this Agreement to iboss at 101 Federal Street, 23rd Floor, Boston, MA 02110, Attn: General Counsel
Last Updated: September 20, 2020
Please note that our website and other digital platforms may contain links to third-party websites/digital platforms that are provided for your convenience. We are only responsible for the privacy practices and security of our own products, services, and digital platforms. We recommend that you check the privacy and security policies and procedures of every other website/digital platform that you visit.
WHAT INFORMATION DO WE COLLECT?
Personal Information that You Disclose to Us
We collect Personal Information that you voluntarily provide to us when expressing an interest in obtaining information about us or our products and services, when using our website, services, mobile-device applications, and other digital platforms, and when otherwise interacting with us.
The Personal Information that we collect depends on the context of your interactions with us. You may be providing Personal Information when (i) submitting questions and seeking information from us; (ii) subscribing to iboss’ marketing material; (iii) requesting product and/or services support; (iv) providing services to iboss; (v) applying for a job at iboss; or (vi) otherwise communicating with us via phone calls, chats, emails, web forms, social media, and other methods of communication.
When working with us or using our services, you may be prompted to create an account that may hold Personal Information such as your name, mailing address, email address, or credit card information. Additionally, the nature of the services that we provide to our customers entails iboss processing Personal Information.
- In connection with operating the Platform, we may collect Personal Information (e.g., name, email address, and other contact information) from individuals associated with a corporate customer, for example, a corporate contact or administrator. We store this administrator information in our systems and use it for account maintenance and recordkeeping purposes.
- The Platform permits our customers’ corporate administrators to enable rules and functionality to monitor and secure corporate networks. In this way, the corporate administrator may elect to use the Platform to track employees’ and end users’ Personal Information associated with their use of corporate networks, systems, and mobile devices, including but not limited to email addresses, IP addresses, login credentials, websites search terms input, websites visited, and files downloaded (“Employee Personal Information”), and can correlate Employee Personal Information to the name or identity of the employee or end user.
- By default, our Platform processes Employee Personal Information. However, we do not ordinarily access or review Employee Personal Information because it is protected within segregated, containerized reporting databases that isolate this information. Additionally, critical information, such as passwords, is encrypted during transit and at rest, preventing direct access to the underlying information. By default, Employee Personal Information is only accessible to the customers’ administrator(s) and other authorized users who were designated by the administrator(s). In some cases, however, a customer may provide us administrative access to the Employee Personal Information, typically to enable us to provide customer support to the customer.
- In connection with our mobile-device applications, we permit customers to control, secure, and enforce policies on user mobile devices (phones, tablets, PCs, etc.) in support of our services. Our mobile-device applications work in conjunction with our Platform to enforce these policies, and as such, we require expansive mobile-device permissions from the user. For example, because our service supports customer policies affecting the ability to set bookmarks and view web clips, our mobile-device applications must be granted permissions to read and write bookmarks, and install and uninstall shortcuts.
- The Platform processes Personal Information anywhere in which a customer may be located (e.g., the US, EU, or other non-EU countries) via global data centers that are most proximate to an end user’s physical location when the end user is connected to a network and engaging in activity on the Internet. However, the customer can designate and control where the processed data are stored based on the customer’s geo-location requirements. Thus, for example, an EU-based customer may designate that all data from the customer’s end users – irrespective of where the end users are located globally – are processed and stored only in EU-based data centers.
Information That We Collect Automatically
Website Technical Information
iboss may collect Technical Information about you when you visit our website, which your web browser automatically sends whenever you visit a website on the Internet. “Technical Information” is information that does not, by itself, identify a specific individual but which could be used to indirectly identify you. Our servers automatically record this information, which may include your Internet Protocol (“IP”) address, browser type, browser language, and the date and time of your request. Gathering Technical Information helps us ensure our website and other services work correctly and support our customer analytics efforts.
We use pixel tags and cookies in our marketing emails so that we can track your interaction with those messages, such as when you open the email or click a URL link that’s embedded within them. When recipients click on one of those URLs, they pass through a separate web server before arriving at the destination page on a company website. We use tools like pixel tags and cookies so that we can determine interest in particular topics and measure and improve the effectiveness of our communications.
Mobile-Device Applications & Communications
When you download or use our mobile-device applications, we may receive information about you and your mobile device, such as username, group names, and other device-specific information (e.g., UUID), which we transmit to iboss’ secure cloud gateway to authenticate your device and thereby enable our customers to control, secure, and enforce internet content filtering and other cybersecurity protocols on the device (“Policies”). The mobile-device applications also obtain permissions from a mobile-device user to access device settings and data, including but not limited to Bluetooth, WiFi, geolocation data, firewalls, and browser histories and bookmarks (collectively, “Settings”), to enable the application of Policies to those Settings. Our mobile-device applications may access geolocation data for the purpose of enabling our customers’ administrators to track end users’ devices, for example, in situations where the end user loses the device and seeks assistance from the administrator to locate it. Geolocation features can be disabled by the mobile device user.
The specific types of information the mobile-device applications collect may differ based on the cybersecurity package that you or your organization has purchased from iboss, the operating system (e.g., iOS or Android) of the device on which an application is installed, and the deployment and Policies chosen. Our mobile-device applications access the foregoing information automatically when installed on mobile devices, and solely to provide user functionality concerning our cybersecurity services. In addition, the gateway to which our mobile-device applications communicate may track and monitor content and URL destinations depending on the Policies applied to your device and your internet browsing activity.
Cookies and Similar Technologies
Some web browsers (including some mobile web browsers) provide settings that allow you to control or reject cookies or to alert you when a cookie is placed on your computer, tablet or mobile device. Although you are not required to accept cookies, if you block or reject them, you may not have access to all features available through our services. For more information, visit the help page for your web browser or see http://www.allaboutcookies.org.
HOW DO WE USE PERSONAL INFORMATION?
We use Personal Information as necessary to create your account, enable you to sign up for and use the Platform, manage payments, and provide customer support. This processing is necessary to perform our contracts with our customers.
We also use Personal Information as necessary for the following legitimate business interests:
- To respond to your inquiries, comments, feedback or questions;
- To manage our relationship with you, which includes sending administrative information to you relating to our service and changes to our terms, conditions, and policies, and asking you to leave a review or take a survey;
- To administer and protect our business, website, and Platform;
- To prevent fraud, criminal activity, or misuses of our website or Platform;
- To ensure the security of our IT systems, architecture, and networks (including troubleshooting, testing, system maintenance, support, and hosting of data); and
- To comply with legal obligations and legal process as well as protect our, our affiliates, your and third parties’ rights, privacy, safety, or property, and to recover debts due to us.
For information about what we mean by legitimate interests and the rights of individuals in the European Union (“EU”), please see the “WHAT ARE EU DATA SUBJECTS’ SPECIFIC PRIVACY RIGHTS?” section, below.
Marketing. We may contact you to provide information we believe will be of interest to you. For instance, if you elect to provide your email address, we may use that information to send you promotional information about our products and services. If we do, where required by law (for example if you are in the EU), we will only send you such emails if you consent to us doing so at the time you provide us with your Personal Information. You may opt out of receiving emails by following the instructions contained in each promotional email we send you or by contacting us where indicated below. If you unsubscribe from our marketing lists, you will no longer receive marketing communications, but we will continue to contact you regarding our Site and Services and to respond to your requests.
WHAT PERSONAL INFORMATION DO WE SHARE WITH THIRD PARTIES?
Vendors and Service Providers
iboss will not rent or sell your Personal Information to others but may disclose personal information with third-party vendors and service providers that work with iboss. For example, if you acquire our products and services via an authorized iboss distribution partner or reseller, we may provide your Personal Information to that partner or reseller to facilitate your use of those products and services. We will only share personal information to third-party vendors and service providers to help us provide a product or service to you.
We require that our third-party service providers agree to keep confidential all information that we share with them and to use the information only to perform their obligations in the agreements we have in place with them. These third-party service providers are expected to maintain privacy and security protections that are consistent with iboss’ privacy and information security policies. In cases of onward transfer to third parties of your Personal Information, iboss is potentially liable. In particular, iboss remains responsible and liable if third-party service providers that it engages to process the Personal Information on iboss’ behalf do so in a manner inconsistent with iboss’ principles, unless iboss proves that it is not responsible for the event giving rise to the damage.
Disclosure of Personal Information for Legal and Safety Reasons
iboss may be required to disclose Personal Information to the authorities, law enforcement agencies, government agencies, or legal entities to comply with valid legal process including subpoenas, court orders, or search warrants, and as otherwise authorized by law. Additionally, we may disclose Personal Information (i) to the extent permitted by applicable law in special cases in which we believe it is reasonably necessary to investigate, identify, or take preventive measures, or bring legal action against someone who may commit or cause harm, fraud, abuse, or illegal conduct, such as a threat of harm to you or anyone else, interference with our rights or property, or interference with U.S. homeland or national security or public safety anywhere in the world; or (ii) in the event of an emergency that threatens an individual’s life, health, or security.
iboss may share customer information within our family of companies for a variety of purposes, for example to provide you with the latest information about our products and services.
DO WE TRANSFER PERSONAL INFORMATION INTERNATIONALLY?
Before July 16, 2020, we relied on our EU-U.S. Privacy Shield certification to transfer Personal Data that we received from the EU to Company in the U.S. but on July 16, 2020, the European Court of Justice ruled that the EU-U.S. Privacy Shield is no longer available for these data transfers. We continue to comply with the Privacy Shield Principles described in the “What is Our Privacy Shield Certification” section below as required by the U.S. Department of Commerce.
We rely on our EU-U.S. Privacy Shield certification to transfer Personal Information that we receive from the EU to iboss in the U.S. (for more information, please read the “Privacy Shield” section, below).
Personal Information that end users transmit through our Platform while accessing the Internet always resides within secure, containerized reporting databases, within countries that our customers designate (for example, an EU-based customer may elect for all of its end users’ Personal Information processed on the Platform to reside within containerized reporting databases located in the EU). Additionally, we create customer-specific, encrypted backups of end user data that are stored in third party data centers, however that data reside in purely encrypted form and cannot be decrypted without a private key that our customers hold.
If the Personal Information is transferred to countries without ‘adequate’ protection as determined by the European Commission, we will use additional safeguards to ensure your Personal Information receives adequate security and your rights continue to be protected. You understand that in providing Personal Information to us via our website, Platform, or through other interactions with us, you consent to the transfer of your Personal Information to the United States and other jurisdictions in which we operate.
WHAT IS OUR PRIVACY SHIELD CERTIFICATION?
General. We rely on our Privacy Shield certification to transfer Personal Information that we receive from the EU to iboss in the U.S. and we process such Personal Information in accordance with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability (“Privacy Shield Principles”), as described below.
Accountability for Onward Transfers. We may be accountable for the Personal Information we receive under the Privacy Shield that we may transfer to third-party service providers (described in the “Personal Information We Share with Third Parties” section, above). If such service providers process Personal Information in a manner inconsistent with the Privacy Shield Principles, we are responsible for the harm caused.
Access. EU users have certain rights to access, correct, amend, or delete Personal Information where it is inaccurate, or has been processed in violation of the Privacy Shield Principles. Please see the “WHAT ARE EU DATA SUBJECTS’ SPECIFIC PRIVACY RIGHTS?” section, below, for more information on the rights of users in the EU.
Recourse, Enforcement, Liability. In compliance with the Privacy Shield Principles, iboss commits to resolve complaints about our processing of your Personal Information. EU users with inquiries or complaints regarding this Privacy Shield Policy should first contact Company at the addresses set forth in the HOW MAY I CONTACT IBOSS? section, below.
We have further committed to refer unresolved Privacy Shield complaints to an alternative dispute resolution provider. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider, JAMS (free of charge), via the contact information provided at the following URL: https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim.
If your complaint is not resolved through these channels, under certain conditions a binding arbitration option may be available before a Privacy Shield Panel. For additional information, please visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
We are subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to Personal Information received or transferred pursuant to the Frameworks.
WHAT IS OUR RETENTION POLICY?
If you have elected to receive marketing communications from us, we retain information about your marketing preferences until you opt out of receiving these communications and in accordance with our policies.
To determine the appropriate retention period for your Personal Information, we will consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we use your Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements.
HOW DO WE HANDLE INFORMATION THAT WE RECEIVE FROM CHILDREN?
Our website and services are directed toward a general audience. We do not knowingly collect information about children under the age of 13, or minors otherwise defined in local law or regulation, without verifiable parental consent. If we learn that someone under 13 has provided Personal Information through our website, we will use reasonable efforts to remove that information from our databases.
WHAT ARE CALIFORNIA RESIDENTS’ SPECIFIC PRIVACY RIGHTS?
WHAT ARE EU DATA SUBJECTS’ SPECIFIC PRIVACY RIGHTS?
Scope. This section applies to individuals in the EU (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein, Norway, the United Kingdom, and, to the extent applicable, Switzerland).
Data Controller. Data protection laws in the EU differentiate between the “data controller” and “data processor” of Personal Information. iboss is the data controller for the processing of your Personal Information relating to customer accounts, marketing, and Personal Information collected through our website and other digital platforms. You can find our contact information, and the contact information of our EU-based representative, below.
Data Processor. iboss is the data processor for the processing of Employee Personal Information. If you are an employee or end user of one of our customers, please contact the appropriate customer of iboss to exercise the rights described below.
Your Rights. Pursuant to the European Union General Data Protection Regulation (or GDPR), you have the following rights in relation to your Personal Information, under certain circumstances:
- Right of access: If you ask us, we will confirm whether we are processing your Personal Information and, if so, provide you with a copy of that Personal Information along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your Personal Information is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Information with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information so you can contact them directly.
- Right to erasure: You may ask us to delete or remove your Personal Information, such as where you withdraw your consent. If we shared your data with others, we will tell them about the erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information with so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or “block” the processing of your Personal Information in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restriction on processing. If we shared your Personal Information with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information so you can contact them directly.
- Right to data portability: You have the right to obtain your Personal Information from us that you consented to give us or that was provided to us as necessary in connection with our contractual obligations, and that is processed by automated means. We will give you your Personal Information in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us at any time to stop processing your Personal Information, and we will do so:
- If we are relying on a legitimate interest to process your Personal Information — unless we demonstrate compelling legitimate grounds for the processing or we need to process your data to establish, exercise, or defend legal claims;
- If we are processing your Personal Information for direct marketing. We may keep minimum information about you in a suppression list to ensure your choices are respected in the future and to comply with data protection laws (such processing is necessary for our and your legitimate interest in pursuing the purposes described above).
- Right to withdraw consent: If we rely on your consent to process your Personal Information, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to withdraw consent.
- Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Information, you can report it to the data protection authority that is authorized to hear those concerns (in the UK, the Information Commissioner’s Office (ICO), who can be contacted at https://ico.org.uk/concerns, and in other EU countries the data protection authority of the country in which you are located).
Please contact us for information on how to exercise your rights.
HOW DOES IBOSS SECURE YOUR PERSONAL INFORMATION?
iboss uses technical and physical safeguards to protect the security of your Personal Information from unauthorized disclosure. We also make commercially reasonable attempts to ensure that only necessary people and third parties have access to Personal Information. Nevertheless, such security measures cannot prevent all loss, misuse, or alteration of Personal Information, and we are not responsible for any damages or liabilities relating to any such incidents to the fullest extent permitted by law.
HOW MAY I CONTACT IBOSS?
To contact iboss about any of the foregoing matters, please use the following addresses:
101 Federal Street, 23rd Floor
Boston, MA 02110 USA
ATTN: General Counsel
Email Address: [email protected]
If you are an individual in the EU, you may also contact Simon Eappariello, our Senior Vice President of EMEIA & APJ, who has been appointed as iboss’ representative in the EU pursuant to Article 27 of the GDPR on matters related to the processing of Personal Information activities that take place in the EU. To make such an inquiry, please contact Mr. Eappariello via our [email protected] email address, or at iboss Network Security Limited, 50 St. Mary Axe, London, United Kingdom EC3A 8FR.
DATA PROCESSING ADDENDUM
Last Updated: February 20, 2020
This Data Processing Addendum (the “Addendum”) is made by and between iboss, Inc. with a registered office in Boston, Massachusetts, USA (“Company”) and the entity identified as Customer, Partner, Distributor or Reseller (collectively, “Customer”) in the iboss Terms of Service Agreement, in the iboss Cloud Services End User Terms of Service Agreement, in the iboss Quote, in the Software License and Service Provider Agreement, or in such other agreement between Customer and iboss for the purchase of iboss software and services (in each case, the “Agreement”).
This Addendum is incorporated into the Agreement between Company and Customer and applies in respect of the provision of the Services (as defined in the Agreement) to Customer if the Processing of Customer Personal Data (as defined below) is subject to the GDPR, only to the extent Customer is a Controller of Customer Personal Data and Company is a Processor. This Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR. This Addendum shall be effective for the term of the Agreement.
1.1. For the purposes of this Addendum:
1.1.1. “Customer Personal Data” means the Personal Data described under Section 2 of this Addendum, in respect of which Customer is the Controller;
1.1.2. “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
1.1.3. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
1.1.4. “Personal Data”, “Data Subject”, “Personal Data Breach”, “Process”, “Processor” and “Controller” will each have the meaning given to them in the GDPR; and
1.1.5. “Standard Contractual Clauses” means the agreement executed by and between the parties and attached hereto as Schedule 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Details of The Processing
2.1. Categories of Data Subjects. This Addendum applies to the Processing of Customer Personal Data provided to Company by Customer in connection with its provision of the Services.
2.2. Types of Personal Data. Customer Personal Data includes Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, such as names, email addresses, IP addresses, and web browsing data, including websites visited; location data (any data processed in an electronic communications network or by an electronic communications service indicating the geographical position of the terminal equipment of a user of a public electronic communications service); and browsing, search, and other network activity of authorized users of Customer’s network.
2.3. Subject-Matter and Nature of the Processing. The subject-matter of Company’s Processing of Customer Personal Data is the provision of the Services to Customer, which include the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities that Company must perform to provide the Services pursuant to the Agreement and any applicable statement of work.
2.4. Purpose of the Processing. Company will process Customer Personal Data for purposes of providing the Services described in the Agreement and any applicable statement of work.
2.5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 10 of this Addendum.
3. Processing of Customer Personal Data
3.1. The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and Company is the Processor of that data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including with respect to transfers of personal data. Company is hereby instructed to Process Customer Personal Data to the extent necessary to enable Company to provide the Services according to the Agreement.
3.2. If Company cannot process Customer Personal Data according to Customer’s instructions due to a legal requirement under any applicable European Union or Member State law, Company will (i) promptly notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which Company is able to comply.
3.3. Each of Customer and Company will comply with their respective obligations under the Data Protection Legislation. Customer shall ensure that Customer has obtained (or will obtain) all rights and consents (if required) which are necessary for Company to Process Customer Personal Data in accordance with this Addendum.
3.4. The Services allow Customer to designate the location in which Customer Personal Data will be Processed. If Customer elects to transfer Customer Personal Data to Company outside the European Economic Area (“EEA”), either directly or via onward transfer, to any country not recognised by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR), the Standard Contractual Clauses attached to this Addendum as Schedule 1 will apply to such Customer Personal Data. The Standard Contractual Clauses will cease to apply if Company has implemented an alternative recognised compliance mechanism for the lawful transfer of personal data outside the EEA pursuant to Article 46 of the GDPR, like certification to the Privacy Shield framework, and has informed Customer thereof and provided evidence of such alternative recognised compliance mechanism.
4.1. Company shall ensure that Customer Personal Data is only made available to those of its personnel who (i) need to access such Customer Personal Data in order to carry out their roles in the performance of Company’s obligations under the Agreement and this Addendum and (ii) have agreed in writing to protect the confidentiality of such Customer Personal Data or are otherwise under an appropriate statutory obligation of confidentiality.
5. Security Measures
5.1. Company will implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data (described under Appendix 2 to the Standard Contractual Clauses).
5.2. Company will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligation to keep Customer Personal Data secure.
6.1. Customer authorizes Company to appoint the entities identified on Schedule 2 of this Addendum as sub-Processors of Customer Personal Data. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the sub-Processing of Customer Personal Data for purposes of Clause 11 of the Standard Contractual Clauses. Company will inform Customer of any intended changes concerning the addition or replacement of any sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
6.2. Company will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Company under this Addendum. Where any of its sub-Processors fails to fulfil its data protection obligations, Company will be liable to Customer for the performance of its sub-Processors’ obligations.
7. Data Subject Rights
7.1. Company will provide Customer with assistance necessary for the fulfilment of Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights. Company shall notify Customer without undue delay and in any event within five (5) business days of receiving any request or complaint from Data Subjects regarding Customer Personal Data. Company shall not respond to such requests without Customer’s prior written consent and written instructions.
8. Personal Data Breaches
8.1. Company will notify Customer without undue delay and in any event within forty-eight (48) hours after it becomes aware of any of any Personal Data Breach affecting any Customer Personal Data. At Customer’s request, Company will promptly provide Customer with all reasonable assistance necessary to investigate the Personal Data Breach and enable Customer to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the GDPR. Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents.
9. Data Protection Impact Assessment; Prior Consultation
9.1. Company will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if Customer is required to engage in such activities under the GDPR and such assistance relates to the Processing by Company of Customer Personal Data.
10. Return or Deletion of Customer Personal Data
10.1. Company will return or delete, at Customer’s choice, Customer Personal Data to Customer after the end of the provision of Services relating to the Processing or at any other time Customer so requests, and delete existing copies unless the applicable European Union or member state law requires storage of the data.
11.1. Company will provide Customer with all information necessary to enable Customer to demonstrate compliance with its obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year. Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation.
12.1. Company may charge Customer a reasonable fee for time spent in connection with any assistance or cooperation required by Customer under this Addendum if such assistance or cooperation involves the commitment of resources over a prolonged period of time or third-party costs and does not arise from any breach by Company of this Addendum.
13.1. Each party’s liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
13.2. Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently Company will not be liable under the Agreement or this Addendum for any claim brought by a Data Subject arising from any action or omission by Company, to the extent that such action or omission resulted from Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable data protection law.
14. General Provisions
14.1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity identified as Customer in the Addendum (the data exporter)
The data importing organisation, iboss, Inc. (the data importer)
Tel: +1 (877) 742-6832
Email: [email protected]
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
The data exporter is the entity identified as “Customer” in the Addendum.
The data importer is the entity identified as “Company” in the Addendum.
The personal data transferred concern the following categories of data subjects (please specify):
Data subjects are defined in Section 2.1 of the Addendum.
Categories of data
The categories of personal data transferred concern the following categories of data (please specify):
Categories of personal data are defined in Section 2.2 of the Addendum.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
The processing activities defined in Section 2 of the Addendum and in the Agreement.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The following measures will be implemented:
1. Physical measures taken to prevent any unauthorized person from accessing Company’s facilities used for data processing (e.g., identification badges, electronic key cards, visitor logs, etc.);
2. Security measures taken to prevent data media from being read, copied, amended, or moved by any unauthorized persons (e.g., data encryption, technical controls, data kept in locked premises, data destruction and disposal procedures, etc.);
3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment, or deletion of recorded data (e.g., restricted access to the IT infrastructure);
4. Security measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities (e.g., security monitoring, firewalls);
5. Software measures taken to ensure vulnerabilities are mitigated (e.g., vulnerability scans, patch management, remediation steps);
6. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence (e.g., specific users accounts);
7. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities (e.g. VPN, encryption of data);
8. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded at any time and by any authorized person;
9. Measures taken to prevent data from being read, copied, amended, or deleted in an unauthorized manner when data are disclosed and data media transported; and
10. Measures taken to safeguard data by creating backup copies (encryption of data backups).
List of iboss Sub-processors
1. salesforce.com, inc., The Landmark @ One Market, Suite 300, San Francisco, California, 94105
2. Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103
3. Sharefile – Citrix Systems, Inc., 851 West Cypress Road, Fort Lauderdale, FL 33309
4. Credit Card Sub-Processors:
a. EVO Payments International – 320 Cumberland Ave, Portland, ME 04101
b. Authorize.NET – 915 South 500 East, Suite 200, American Fork, UT 84003