Terms of Service Agreement
Last Updated: December 7, 2021
This Terms of Service Agreement (“Agreement”) is between iboss, Inc. (“iboss”) and the customer listed on the Quote between iboss and such customer (“You” or “Your” or “Customer”), and governs Customer’s purchase of, access to and use of iboss Property (defined below). Capitalized terms are generally defined throughout this Agreement and otherwise in Section 2.
1. BACKGROUND. This Agreement describes Your rights to use iboss Property, inclusive of any associated media, printed materials and “online” or electronic documentation, identified in the Quote to which this Agreement applies. Except for any Hardware that You are purchasing or licensing from iboss under a Quote, You must provide all equipment and software necessary to connect to iboss Property, including devices that are suitable to connect with and use iboss Property. You are solely responsible for any fees, including internet connection or mobile fees, that You incur when accessing iboss Property.
2. DEFINITIONS. The following terms will have the meaning set forth below:
“Acceptable Use Policy” means iboss’ general rules and regulations governing use of iboss Property available here: Acceptable Use Policy.
“Affiliate” means any legal entity that owns, is owned by, or is commonly owned with a party.
“Own” means more than 50% ownership or the right to direct the management of the entity.
“App” means any mobile software application offered by iboss.
“Confidential Information” shall mean all proprietary or confidential information disclosed by one party to the other party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information or the circumstances of disclosure, including, without limitation: (i) proprietary product, software or services information, or related technology, ideas and algorithms; (ii) trade secrets; (iii) either party’s technical, business or financial information and plans; and (iv) the pricing and other terms reflected on iboss quotes and/or purchase orders that Customer provides iboss pursuant to this Agreement. Confidential Information shall not include information that the receiving party can show (a) is or becomes generally known or publicly available through no fault of the receiving party; (b) is known by, or is in the possession of, the receiving party prior to its disclosure, as evidenced by business records, and is not subject to restriction; (c) was independently developed by the receiving party without the use of or reference to the Confidential Information of the disclosing party; or (d) is lawfully obtained without restriction from a third party who has the right to make such disclosure.
“Customer Content” means any information and other content uploaded by Customer to the Service.
“Documentation” means the manuals provided to Customer along with the Licensed Software.
“End-User” means an end-user of Customer who accesses iboss Property through a mobile device, computer, and/or computer system.
“Error” means a reproducible error of the Licensed Software, App, Hardware and/or Service, as applicable, to substantially conform to the Documentation in all material respects.
“Executable Code” means the fully compiled binary version of a software program that can be executed by a computer and used by an End-User without further compilation.
“Hardware” means any physically tangible electro-mechanical system or sub-system and any related equipment that iboss provides to Customer.
“Host Server” means the server(s) on which iboss has installed the Licensed Software and/or necessary components and services for utilizing Licensed Software or App for Customer’s use.
“iboss Property” means the App, Licensed Software, Host Server, Hardware and Service.
“Intellectual Property Rights” means all copyrights, trade secrets, patents, patent applications, moral rights, contract rights and other proprietary and/or intellectual property rights.
“Licensed Software” means the software program or programs described in the Quote or any software or firmware incorporated into the Hardware, and any modified, updated, or enhanced versions of such programs that iboss may provide to Customer pursuant to this Agreement, or a separate maintenance and support agreement. Licensed Software excludes any Apps.
“Quote” means the written or electronic quote or order form that expressly references, and is governed by, these Terms of Service and is executed by an authorized representative of each party hereto, electronically or in writing.
“Service” means the services ordered by Customer through a Quote.
“Source Code” means the human-readable version of a software program that can be compiled into Executable Code.
3. SOFTWARE LICENSES. iboss offers its software to customers on a subscription basis but delivers the software through one or more of the following technical means: (i) direct download and installation of the software on Your own devices (“Downloaded Software”), (ii) software-as-a-service (“SaaS”), (iii) pre-installed software on a server that iboss provides to You (“Server-Provided Software”), and/or (iv) via an App which is available for download and installation to Your mobile device. Regardless of which of these methods is used, the following license will apply to Your subscription during the Term. iboss grants You a non-exclusive, non-transferable, revocable, worldwide, royalty-free, limited license (without the right to sublicense) to (i) install and execute one copy of, and use the Licensed Software (in Executable Code form) on each device (in the case of Downloaded Software); (ii) access and use the Host Server solely for authentication and syncing purposes (in the case of Downloaded Software or Server-Provided Software); and (iii) use the Licensed Software and Service (whether Downloaded Software, Server-Provided Software, or SaaS) solely for Customer’s internal business purposes and according to the Acceptable Use Policy and Documentation.
In the event that You download and install an App, the Mobile Application Licenses Terms and Conditions shall apply.
4. EVALUATION LICENSES. If Customer is using iboss Property for evaluation purposes, then the license granted in Section 3 only permits Customer to use the Licensed Software, Hardware, App and/or Service, as applicable, for thirty (30) days, or such longer period set forth in the Quote (“Evaluation Period”), and solely to evaluate the performance and functionality of the Licensed Software, Hardware, App and/or Service, as applicable (“Evaluation Software”), according to the Documentation and Acceptable Use Policy. Unless Customer has purchased a subscription to continue using the applicable iboss Property, upon the expiration of the Evaluation Period, including any extensions to the Evaluation Period to which iboss agrees, Customer must (i) discontinue using the Evaluation Software, and (ii) return the Hardware, as applicable, to iboss within seventy-two (72) hours; otherwise, iboss reserves the right to charge Customer at the then current price for such usage of iboss Property. Hardware returned more than thirty (30) days following the Evaluation Period expiration date will not be accepted. Customer shall be liable to iboss, and agrees to pay iboss, for the cost of replacing or fixing Hardware lost or returned damaged, or attempted to be returned after thirty (30) days. Notwithstanding any other provision of this Agreement, iboss provides the Evaluation Software free of charge, without support and “AS IS” without indemnification or warranty of any kind. No support policies or service level agreements apply to the Evaluation Software. Certain features or services may not be available for the Evaluation Software.
5. LICENSE FROM CUSTOMER. During the Term, Customer grants to iboss a limited, non-transferable, royalty-free license to use the Customer Content solely to enable iboss to provide the Service to Customer and fulfill iboss’ obligations hereunder. iboss will maintain reasonable and appropriate physical, organizational, administrative, and technical safeguards designed to protect Customer Content from loss, misuse, unauthorized access, disclosure, alteration and destruction.
6. RESTRICTIONS. The rights granted to Customer in this Agreement are subject to the following restrictions. Customer shall not (a) reproduce, license, sublicense sell, resell, rent, lease, transfer, assign, distribute, host, outsource, disclose or otherwise commercially exploit iboss Property, or make iboss Property available to any third party, including but not limited to any Hardware; (b) make the iboss Property available to any third party for purposes of testing the Licensed Software, and disclosing publicly the results of the tests; (c) interfere with, disrupt, modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Licensed Software; (d) access the Licensed Software for research and development or competitive assessment purposes, or to build a similar or competitive product or service or extend term of the license granted hereunder; (e) either publicly or privately, republish, downloaded, display, post or transmit in any form or by any means the Licensed Software or any component of iboss Property (including screenshots or other images of iboss Property), which includes but is not limited to electronic, mechanical, photocopying, recording or other means; (f) interfere with, disrupt, alter, translate, or modify the Licensed Software, or create an undue burden on the Licensed Software or networks or services connected to the Licensed Software; (g) use the Licensed Software on any mobile devices or other computer systems or hardware for which Customer has not received the necessary End-User consent(s); (h) remove any copyright or other proprietary rights notices in the Licensed Software; or (i) use the Licensed Software for any purpose other than the purpose for which the Licensed Software is intended.
7. CUSTOMER AND IBOSS OBLIGATIONS. Customer agrees to take all reasonable steps to safeguard iboss Property and the associated login credentials to ensure that no unauthorized person has access to either, and that no unauthorized copy, publication, disclosure or distribution, in whole or in part, in any form is made. Each party acknowledges and agrees that iboss Property and Customer Content contain valuable, confidential information and trade secrets and that the unauthorized use and/or copying of the same would be harmful to Customer or iboss. Each of Customer and iboss represents and warrants that it will comply with all laws, rules and regulations that apply to its use of iboss Property or Customer Content and any other activities in connection with this Agreement. Customer agrees to cause all its End-Users to comply with the Acceptable Use Policy. Customer hereby further represents and warrants that iboss Property will not be used to filter, screen, manage or censor Internet content for End-Users without permission from the affected End-Users. Customer hereby acknowledges and agrees that (a) Customer’s use of features, including, but not limited to detection, measurements and control relay (DMCR), logging and alerts, are subject to all state, local, and federals laws and regulations applicable within the country of deployment, and (b) Customer will comply with all such restrictions and required disclosures.
8. SUPPORT. Subject to the terms of this Agreement and payment of any applicable fees, during the Term, iboss will provide support services to Customer according to iboss’ Service Level Agreement.
9. UPDATES. iboss may revise, update, upgrade or discontinue any iboss Property at any time, without prior notice to You but will endeavor to provide You notice wherever possible. If iboss ceases to make available any iboss Property, iboss will provide a pro rata refund to You for any prepaid fees paid by You to iboss for the applicable iboss Property, based on the amount of time remaining in the applicable term. During the Term, iboss may, in its sole discretion, provide You with updates or upgrades. iboss and its suppliers are not obligated to provide any updates or upgrades to iboss Property. Any future release, update, or other addition to functionality of iboss Property shall be subject to the terms of this Agreement, unless iboss expressly states otherwise.
10. HARDWARE PRODUCTS. If You require Hardware in connection with Your use of the Licensed Software and Service, then in addition to any other terms of this Agreement that pertain to Hardware, the Hardware Products Purchases and Licenses Terms shall apply.
11. SUBSCRIPTION FEES AND PAYMENT.
11.1. Fees. In consideration for the Licensed Software and Service, Customer will pay to iboss all fees set forth in the Quote. If Customer elects to pay by credit card, (i) iboss will automatically renew and bill Customer’s credit card periodically per the Quote, and (ii) Customer hereby authorizes iboss to automatically charge or debit such credit card for the full amount due (on a recurring basis, if applicable) according to the Quote. Customer understands that the amounts charged or debited may vary and that this authorization will remain in effect until the expiration or termination of this Agreement.
11.2. Payment Terms. Excepting Section 9 (Updates) and Section 21 (Term and Termination), all payment obligations are non-cancellable and all amounts paid are non-refundable, except as expressly set forth herein or as required by applicable law. All payments are due from Customer net thirty (n/30) days from the date of iboss’ undisputed invoice. Past due invoices are subject to a monthly charge equal to the lesser of: (a) one and one-half percent (1.5%) per month; or (b) the highest rate of interest permitted by applicable law. If any undisputed invoice remains unpaid after thirty (30) days from the invoice date, then notwithstanding any agreement or course of dealing between iboss and Customer, iboss may suspend Customer’s access to and use of iboss Property until all outstanding invoices are paid. Delinquent amounts owed by Customer may be referred to a collection agency, and will be subject to additional fees.
12. TAXES. Unless iboss otherwise states in writing, all iboss fees are exclusive of transportation, insurance, federal, state, local, excise, value-added, use, sales, property (ad valorem) and similar taxes or duties now in force or hereafter enacted. Customer will pay all taxes, fees or charges of any nature whatsoever imposed by any governmental authority on, or measured by, the transaction between Customer and iboss; provided that such taxes shall exclude federal, state or local income taxes to which iboss may be subject. If iboss is required to collect any of the foregoing, such amounts will be separately stated on the invoice, and must be paid by Customer unless Customer provides iboss with a valid tax exemption certificate authorized by the appropriate taxing authority.
13. OWNERSHIP. All right, title, and interest, including all Intellectual Property Rights, in and to iboss Property other than Customer-purchased Hardware shall be owned and retained by iboss or its suppliers. Any rights not expressly granted by iboss in the Agreement are reserved. Customer acknowledges that it acquires no ownership interest in iboss Property. iboss acknowledges and agrees that Customer is the sole and exclusive owner of all Customer Content. Any third-party software included in iboss Property may only be used in conjunction with the applicable product or service, and is not licensed for use independent from such product or service.
14. CUSTOMER MARKS. Subject to Customer’s prior written consent, iboss may use Customer’s logo and trademarks on iboss’ website and in other marketing material, when referring to Customer. Customer will retain all title and rights to such logos and trademarks.
15. OPEN SOURCE SOFTWARE. Certain items of software may be provided to Customer with the Licensed Software or App and are subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. The Open Source Software is not subject to the terms and conditions of Section 3. Instead, each item of Open Source Software is licensed under the terms of the license that accompanies such Open Source Software. Nothing in this Agreement limits Customer’s rights under, or grants Customer rights that supersede, the terms and conditions of any applicable license for the Open Source Software. If required by any license for particular Open Source Software, Company makes such Open Source Software, and applicable Open Source Software copyright statements and license text available by Customer’s written request to [email protected]
16. CONFIDENTIAL INFORMATION.
16.1. Protection of Confidential Information. Each party shall protect the other party’s Confidential Information from unauthorized dissemination, and the receiving party shall use, and shall ensure that its employees and agents use, the same degree of care that it uses to protect its own like information, at all times employing at least a reasonable standard of care. The receiving party shall not disclose to third parties the disclosing party’s Confidential Information without the prior written consent of the disclosing party. The receiving party shall use the disclosing party’s Confidential Information solely as necessary to directly fulfill the receiving party’s obligations under this Agreement.
16.2. Disposition Upon Termination. Upon the termination of this Agreement for any reason whatsoever, or in the event that the disclosing party reasonably determines that the receiving party no longer requires access to the Confidential Information to perform its obligations, the receiving party shall return to the disclosing party, or shall destroy, as the disclosing party shall specify, all copies of all the Confidential Information in the receiving party’s possession.
16.3. Permitted Disclosure. Notwithstanding any provision in this Agreement to the contrary, the receiving party may disclose portions of disclosing party’s Confidential Information (i) to its lawyers and accountants who have a need to know such information and who are under the same protection and use obligations as in Section 16.2, above, and (ii) pursuant to an order of a governmental agency or court of competent jurisdiction compelling disclosure, provided that the receiving party shall provide the disclosing party reasonable advance notice of such intended disclosure. Additionally, iboss may disclose Customer Confidential Information to law enforcement agencies and/or social service organizations (each, a “Public Service Agency”) without Customer’s or a Customer End-User’s consent under the following circumstances: (a) an exigent circumstance has arisen, as determined by iboss in its reasonable discretion, in which a Customer End-User presents imminent risk of physical harm to self or others (the “Risk”); (b) iboss has undertaken a reasonable investigation to confirm that the exigency is genuine; (c) iboss has attempted unsuccessfully to contact Customer for purposes of (1) directing Customer to communicate directly with the Public Service Agency, or (2) obtaining Customer’s consent to make the disclosure to the Public Service Agency; (d) the Public Service Agency is unable to obtain a legal order to compel the disclosure of the Confidential Information in sufficient time to respond adequately to the Risk; and (e) iboss minimizes the scope of its disclosure solely to that Confidential Information which is determined by iboss in its sole discretion to be necessary to assist the Public Service Agency to address the Risk.
16.4. Remedies. The receiving party acknowledges that its breach of this Agreement may cause irreparable damage to the disclosing party, and hereby agrees that the disclosing party is entitled to seek, in addition to any other remedies available to it, injunctive and other relief as may be granted by a court of competent jurisdiction, associated with the receiving party’s breach.
17. LIMITED WARRANTY. For purchased or licensed Hardware, the only warranties are as set forth in the Hardware Products Purchases and Licenses Terms. For the avoidance of doubt, regardless of whether the Hardware is purchased or licensed from iboss, no warranty is provided with respect to the Licensed Software.
18. DISCLAIMER OF WARRANTIES. EXCEPT FOR THE WARRANTIES REGARDING PURCHASED AND LICENSED HARDWARE SET FORTH IN THE HARDWARE PRODUCTS PURCHASES AND LICENSES TERMS, THE IBOSS PROPERTY IS PROVIDED TO CUSTOMER ON AN “AS-IS” BASIS. ADDITIONALLY, NO WARRANTIES WILL BE EFFECTIVE, AND IBOSS WILL NOT BE OBLIGATED TO HONOR ANY WARRANTIES, UNLESS AND UNTIL IBOSS RECEIVES PAYMENT IN FULL FOR THE APPLICABLE IBOSS PROPERTY. IBOSS AND ITS SUPPLIERS DISCLAIM ALL EXPRESS, IMPLIED OR STATUTORY WARRANTIES RELATING TO THE IBOSS PROPERTY, INCLUDING BUT NOT LIMITED TO, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. IBOSS DOES NOT REPRESENT OR WARRANT THAT THE IBOSS PROPERTY OR ANY NETWORKS, SOFTWARE, OR SYSTEMS USED WITH SUCH PRODUCTS WILL BE FREE FROM VULNERABILITY, INTRUSION, ATTACK, OR OTHER DAMAGE. CERTAIN STATES AND/OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES SO THE EXCLUSIONS SET FORTH ABOVE MAY NOT APPLY TO YOU.
19.1. By iboss. iboss shall indemnify and hold Customer and its employees, officers, and directors harmless from and against any and all liabilities, claims, causes of action and suits (collectively “Claims”) arising out of third-party Claims that iboss Property infringes or misappropriates such third party’s intellectual proprietary rights. iboss shall, at its expense, defend such Claims and pay damages finally awarded against Customer, or paid by Customer pursuant to an executed settlement agreement, in connection therewith.
19.2. Exclusive Remedy. If iboss Property becomes, or in iboss’ opinion is likely to become, the subject of an infringement claim, iboss may, at its option and expense, in addition to its indemnity obligations in Section 19.1, above, either (a) procure for Customer the right to continue exercising the rights licensed to Customer in this Agreement, (b) replace or modify iboss Property so it becomes non-infringing, or (c) terminate this Agreement by written notice to Customer and promptly refund any prepaid amounts to Customer. Notwithstanding the foregoing, iboss will have no obligation under this Section or otherwise with respect to any infringement claim based upon (i) any unauthorized use, reproduction, or distribution of iboss Property by Customer or any End User, (ii) any use of iboss Property in combination with other products, equipment, software, or data not supplied by iboss, except such products, equipment software and data to which the parties mutually agree, (iii) any use, reproduction, or distribution of any release of iboss Property other than the most current release and the next most recent prior release of iboss Property if the Customer has been advised of the need to upgrade by iboss in order to protect against infringement, or (iv) any modification of the technology by any person other than iboss, if the infringement would not have occurred but for such modification. This Section 19.2 states iboss’ entire liability and Customer’s sole and exclusive remedy for Customer infringement Claims.
19.3. By Customer. Customer shall indemnify and hold iboss and its employees, officers, and directors harmless from and against any and all third-party Claims arising from Customer’s alleged or actual breach of Sections 5, 6 or 7 of this Agreement. Customer shall, at its expense, defend such Claims and pay damages finally awarded against iboss, or paid by iboss pursuant to an executed settlement agreement, in connection therewith.
19.4. Indemnification Procedures. The indemnification obligations in this Section 19 shall be subject to the indemnified party: (i) promptly notifying the indemnifying party in writing upon receiving notice of any threat or claim of such action; (ii) giving the indemnifying party exclusive control and authority over the defense and/or settlement of such claim (provided any such settlement unconditionally releases the indemnified party of all liability); and (iii) providing reasonable assistance requested by the indemnifying party, at the indemnifying party’s expense.
20. LIMITATION OF REMEDIES AND DAMAGES. EXCEPT FOR EITHER PARTY’S INDEMNITY OBLIGATIONS UNDER THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, (A) NEITHER PARTY NOR ITS SUPPLIERS SHALL BE RESPONSIBLE OR LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES INCLUDING, BUT NOT LIMITED TO LOSS OF REVENUES AND LOSS OF PROFITS EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE; AND (B) EACH PARTY AND ITS SUPPLIER’S AGGREGATE CUMULATIVE LIABILITY FOR ANY CAUSE WHATSOEVER HEREUNDER SHALL NOT EXCEED THE AMOUNT PAID BY CUSTOMER FOR IBOSS PROPERTY DURING THE 12 MONTHS IMMEDIATELY PRIOR TO THE DATE ON WHICH CUSTOMER ALLEGES THE EVENTS THAT CAUSED SUCH DAMAGE OCCURRED.
21. TERM AND TERMINATION.
21.1. Term. This Agreement and the licenses granted hereunder are effective upon Customer’s execution of the Quote, and shall continue for the subscription period set forth on the Quote unless and until this Agreement is terminated by either party pursuant to this Section 21 (the “Term”). Upon the expiration of the Term, this Agreement shall automatically renew for successive twelve (12) month periods (each such period is a “Renewal Term”) unless, not less than sixty (60) days prior to the commencement of a Renewal Term, a party notifies the other party in writing that the notifying party elects not to renew the Agreement. Additionally, iboss may increase the prices for the Licensed Software and/or Service applicable to a Renewal Term, provided that it notifies Customer in writing of such increase not less than (60) days prior to the commencement of the applicable Renewal Term. The price increase will apply to the Renewal Term unless Customer provides written notice of its objection to the price increase not less than thirty (30) days prior to the Renewal Term’s commencement.
21.2. Termination. Either party may terminate the Quote and this Agreement if the other party (a) materially breaches this Agreement and fails to cure such breach within thirty (30) days following receipt of a breach notice from the terminating party, provided that iboss may terminate this Agreement immediately upon notice if Customer breaches Section 6 of this Agreement; or (b) becomes insolvent, makes a general assignment for the benefit of creditors, files a voluntary petition of bankruptcy, suffers or permits the appointment of the receiver for its business or assets, or becomes subject to any proceeding under any bankruptcy or insolvency law.
21.3. Effect of Termination. If iboss terminates this Agreement due to Customer’s material breach, then all amounts set forth in the Quote shall become immediately due and payable (including amounts not yet paid for the remainder of the subscription period set forth in the Quote) and Customer shall not be entitled to any refunds for any pre-paid amounts. In such case, Customer will promptly pay all such amounts to iboss upon receipt of the termination notice. If Customer terminates this Agreement due to iboss’ material breach, then iboss shall provide Customer a pro rata refund for any amounts pre-paid for the remainder of the then current term. iboss is not responsible or liable for any records or information that are made unavailable to Customer as a result of Customer’s termination of its account. Customer agrees that iboss will not be liable to Customer for any termination of Customer’s access to iboss Property. Upon termination, the license(s) granted hereunder shall terminate and Customer shall immediately cease all use of iboss Property and destroy any copies of the Licensed Software or App in its possession, if any. Notwithstanding any termination of this Agreement, those sections of this Agreement that, by their terms, are intended to survive the termination of this Agreement, will remain in effect.
22. DISPUTE RESOLUTION. Excluding any claims arising from or related to the infringement or misappropriation of iboss Property, the parties will attempt to resolve any claim, dispute or controversy between the parties (whether in contract, tort or otherwise) (a “Dispute”) through face-to-face negotiation between authorized representatives of each party or through mediation using a mutually agreeable mediator. If the parties are unable to resolve the Dispute through negotiation or mediation within a reasonable time period after a party has notified the other of the Dispute’s existence, the Dispute will be settled by binding arbitration, held in Boston, Massachusetts, according to the then current CPR Rules for Non-Administered Arbitration (“Arbitration”). Each party agrees that such arbitration shall be conducted on an individual basis and not in a class, consolidated or representative action. Notwithstanding any provision in this Agreement to the contrary, if the class-action waiver in the prior sentence is deemed invalid or unenforceable, neither party is entitled to arbitration. This arbitration agreement is subject to the Federal Arbitration Act. The arbitrator’s award may be entered in any court of competent jurisdiction. The existence or results of any negotiation, mediation or arbitration will be treated as confidential. If the arbitration provision in this Agreement is found unenforceable or not to apply for a given dispute, then the proceeding must be brought exclusively in a court of competent jurisdiction in Boston, Massachusetts.
23. EXPORT. iboss Property and Customer Content may be subject export requirements, including licenses, under United States or foreign laws. Each party shall comply with all applicable relevant laws, whether United States or foreign, governing the exports of iboss Property and/or Customer Content.
25. GOVERNING LAW. This Agreement is governed by the laws of the Commonwealth of Massachusetts without regard to conflict of law principles.
26. FORCE MAJEURE. Neither party will be liable to the other for failure to fulfill obligations hereunder if such failure is due to causes beyond its control, including, without limitation, acts of God, earthquake, fire, flood, embargo, catastrophe, sabotage, utility or transmission failures, governmental prohibitions or regulations, national emergencies, insurrections, riots or wars, acts of terrorism, Internet or power outages, or viruses which did not result from the acts or omissions of such party (“Force Majeure Event”). The time for any performance required hereunder will be extended by the delay incurred as a result of such Force Majeure Event.
27. HEADINGS; INTERPRETATION. The section headings used herein are for convenience of reference only and do not form a part of this Agreement. No construction or inference shall be derived therefrom. All references to “including” mean “including without limitation.”
28. WAIVER. iboss’ failure to enforce at any time, or for any period of time, any term of this Agreement shall not be construed as a waiver of iboss’ rights thereafter to enforce such term. iboss’ waiver of a Customer default will not be deemed a continuing waiver, but will apply solely to the instance to which the waiver is directed.
29. CONFLICTS; AMENDMENT. This Agreement sets forth the entire agreement and understanding between iboss and Customer regarding the subject matter hereof and supersedes any previous or contemporaneous communications, representations, proposals, commitments, understandings, negotiations, discussions, understandings or agreements (including non-disclosure or confidentiality agreements), whether oral or written, regarding the same subject matter. This Agreement expressly supersedes and replaces in their entirety any pre-printed terms on a Customer purchase order or similar document. In the event of a conflict between the terms of a Quote and the terms of this Agreement, the terms of the Quote shall govern. Any Amendment to this Agreement requires the written agreement of both parties.
30. SEVERABILITY. If any term or condition of this Agreement is deemed unenforceable, it shall be severed, and every other provision of this Agreement shall be enforced as if the unenforceable term or condition had never been a part hereof.
31. ASSIGNMENT. Neither party may assign this Agreement (or any rights or duties under it) without the other party’s prior written consent, provided that either party may assign this Agreement without the other party’s consent in connection with a merger, acquisition, or sale of all or substantially all of its assets. Either party who assigns this Agreement as permitted in this Section 31 shall provide the other party with prompt notice of such assignment. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the parties and their permitted successors and assigns.
32. NO JOINT VENTURE OR THIRD PARTY BENEFCIARIES. The parties to this Agreement are independent contractors, and this Agreement does not create any partnership, joint venture or agency relationship between iboss and Customer. Except as this Agreement otherwise expressly states, the Agreement does not create any third-party beneficiaries.
33. NOTICES. Any notice delivered by iboss to Customer under this Agreement will be delivered by email to the email address set forth in the Quote. Customer will direct legal notices or other correspondence under this Agreement to iboss at 101 Federal Street, 23rd Floor, Boston, MA 02110, Attn: General Counsel
Last Updated: June 28, 2021
Please note that our website and other digital platforms may contain links to third-party websites/digital platforms that are provided for your convenience. We are only responsible for the privacy practices and security of our own products, services, and digital platforms. We recommend that you check the privacy and security policies and procedures of every other website/digital platform that you visit.
WHAT INFORMATION DO WE COLLECT?
Personal Information that You Disclose to Us
We collect Personal Information that you voluntarily provide to us when expressing an interest in obtaining information about us or our products and services, when using our website, services, mobile-device applications, and other digital platforms, and when otherwise interacting with us.
The Personal Information that we collect depends on the context of your interactions with us. You may be providing Personal Information when (i) submitting questions and seeking information from us; (ii) subscribing to iboss’ marketing material; (iii) requesting product and/or services support; (iv) providing services to iboss; (v) applying for a job at iboss; or (vi) otherwise communicating with us via phone calls, chats, emails, web forms, social media, and other methods of communication.
When working with us or using our services, you may be prompted to create an account that may hold Personal Information such as your name, mailing address, email address, or credit card information. Additionally, the nature of the services that we provide to our customers entails iboss processing Personal Information.
- In connection with operating the Platform, we may collect Personal Information (e.g., name, email address, and other contact information) from individuals associated with a corporate customer, for example, a corporate contact or administrator. We store this administrator information in our systems and use it for account maintenance and recordkeeping purposes.
- The Platform permits our customers’ corporate administrators to enable rules and functionality to monitor and secure corporate networks. In this way, the corporate administrator may elect to use the Platform to track employees’ and end users’ Personal Information associated with their use of corporate networks, systems, and mobile devices, including but not limited to email addresses, IP addresses, login credentials, websites search terms input, websites visited, and files downloaded (“Employee Personal Information”), and can correlate Employee Personal Information to the name or identity of the employee or end user.
- By default, our Platform processes Employee Personal Information. However, we do not ordinarily access or review Employee Personal Information because it is protected within segregated, containerized reporting databases that isolate this information. Additionally, critical information, such as passwords, is encrypted during transit and at rest, preventing direct access to the underlying information. By default, Employee Personal Information is only accessible to the customers’ administrator(s) and other authorized users who were designated by the administrator(s). In some cases, however, a customer may provide us administrative access to the Employee Personal Information, typically to enable us to provide customer support to the customer.
- In connection with our mobile-device applications, we permit customers to control, secure, and enforce policies on user mobile devices (phones, tablets, PCs, etc.) in support of our services. Our mobile-device applications work in conjunction with our Platform to enforce these policies, and as such, we require expansive mobile-device permissions from the user. For example, because our service supports customer policies affecting the ability to set bookmarks and view web clips, our mobile-device applications must be granted permissions to read and write bookmarks, and install and uninstall shortcuts.
- The Platform processes Personal Information anywhere in which a customer may be located (e.g., the US, EU, or other non-EU countries) via global data centers that are most proximate to an end user’s physical location when the end user is connected to a network and engaging in activity on the Internet. However, the customer can designate and control where the processed data are stored based on the customer’s geo-location requirements. Thus, for example, an EU-based customer may designate that all data from the customer’s end users – irrespective of where the end users are located globally – are processed and stored only in EU-based data centers.
Information That We Collect Automatically
Website Technical Information
iboss may collect Technical Information about you when you visit our website, which your web browser automatically sends whenever you visit a website on the Internet. “Technical Information” is information that does not, by itself, identify a specific individual but which could be used to indirectly identify you. Our servers automatically record this information, which may include your Internet Protocol (“IP”) address, browser type, browser language, and the date and time of your request. Gathering Technical Information helps us ensure our website and other services work correctly and support our customer analytics efforts.
We use pixel tags and cookies in our marketing emails so that we can track your interaction with those messages, such as when you open the email or click a URL link that’s embedded within them. When recipients click on one of those URLs, they pass through a separate web server before arriving at the destination page on a company website. We use tools like pixel tags and cookies so that we can determine interest in particular topics and measure and improve the effectiveness of our communications.
Mobile-Device Applications & Communications
When you download or use our mobile-device applications, we may receive information about you and your mobile device, such as username, group names, and other device-specific information (e.g., UUID), which we transmit to iboss’ secure cloud gateway to authenticate your device and thereby enable our customers to control, secure, and enforce internet content filtering and other cybersecurity protocols on the device (“Policies”). The mobile-device applications also obtain permissions from a mobile-device user to access device settings and data, including but not limited to Bluetooth, WiFi, geolocation data, firewalls, and browser histories and bookmarks (collectively, “Settings”), to enable the application of Policies to those Settings. Our mobile-device applications may access geolocation data for the purpose of enabling our customers’ administrators to track end users’ devices, for example, in situations where the end user loses the device and seeks assistance from the administrator to locate it. Geolocation features can be disabled by the mobile device user.
The specific types of information the mobile-device applications collect may differ based on the cybersecurity package that you or your organization has purchased from iboss, the operating system (e.g., iOS or Android) of the device on which an application is installed, and the deployment and Policies chosen. Our mobile-device applications access the foregoing information automatically when installed on mobile devices, and solely to provide user functionality concerning our cybersecurity services. In addition, the gateway to which our mobile-device applications communicate may track and monitor content and URL destinations depending on the Policies applied to your device and your internet browsing activity.
Cookies and Similar Technologies
Some web browsers (including some mobile web browsers) provide settings that allow you to control or reject cookies or to alert you when a cookie is placed on your computer, tablet or mobile device. Although you are not required to accept cookies, if you block or reject them, you may not have access to all features available through our services. For more information, visit the help page for your web browser or see http://www.allaboutcookies.org.
HOW DO WE USE PERSONAL INFORMATION?
We use Personal Information as necessary to create your account, enable you to sign up for and use the Platform, manage payments, and provide customer support. This processing is necessary to perform our contracts with our customers.
We also use Personal Information as necessary for the following legitimate business interests:
- To respond to your inquiries, comments, feedback or questions;
- To manage our relationship with you, which includes sending administrative information to you relating to our service and changes to our terms, conditions, and policies, and asking you to leave a review or take a survey;
- To administer and protect our business, website, and Platform;
- To prevent fraud, criminal activity, or misuses of our website or Platform;
- To ensure the security of our IT systems, architecture, and networks (including troubleshooting, testing, system maintenance, support, and hosting of data); and
- To comply with legal obligations and legal process as well as protect our, our affiliates, your and third parties’ rights, privacy, safety, or property, and to recover debts due to us.
For information about what we mean by legitimate interests and the rights of individuals in the European Union (“EU”), please see the “WHAT ARE EU DATA SUBJECTS’ SPECIFIC PRIVACY RIGHTS?” section, below.
Marketing. We may contact you to provide information we believe will be of interest to you. For instance, if you elect to provide your email address, we may use that information to send you promotional information about our products and services. If we do, where required by law (for example if you are in the EU), we will only send you such emails if you consent to us doing so at the time you provide us with your Personal Information. You may opt out of receiving emails by following the instructions contained in each promotional email we send you or by contacting us where indicated below. If you unsubscribe from our marketing lists, you will no longer receive marketing communications, but we will continue to contact you regarding our Site and Services and to respond to your requests.
WHAT PERSONAL INFORMATION DO WE SHARE WITH THIRD PARTIES?
Vendors and Service Providers
iboss will not rent or sell your Personal Information to others but may disclose personal information with third-party vendors and service providers that work with iboss. For example, if you acquire our products and services via an authorized iboss distribution partner or reseller, we may provide your Personal Information to that partner or reseller to facilitate your use of those products and services. We will only share personal information to third-party vendors and service providers to help us provide a product or service to you.
We require that our third-party service providers agree to keep confidential all information that we share with them and to use the information only to perform their obligations in the agreements we have in place with them. These third-party service providers are expected to maintain privacy and security protections that are consistent with iboss’ privacy and information security policies. In cases of onward transfer to third parties of your Personal Information, iboss is potentially liable. In particular, iboss remains responsible and liable if third-party service providers that it engages to process the Personal Information on iboss’ behalf do so in a manner inconsistent with iboss’ principles, unless iboss proves that it is not responsible for the event giving rise to the damage.
Disclosure of Personal Information for Legal and Safety Reasons
iboss may be required to disclose Personal Information to the authorities, law enforcement agencies, government agencies, or legal entities to comply with valid legal process including subpoenas, court orders, or search warrants, and as otherwise authorized by law. Additionally, we may disclose Personal Information (i) to the extent permitted by applicable law in special cases in which we believe it is reasonably necessary to investigate, identify, or take preventive measures, or bring legal action against someone who may commit or cause harm, fraud, abuse, or illegal conduct, such as a threat of harm to you or anyone else, interference with our rights or property, or interference with U.S. homeland or national security or public safety anywhere in the world; or (ii) in the event of an emergency that threatens an individual’s life, health, or security.
iboss may share customer information within our family of companies for a variety of purposes, for example to provide you with the latest information about our products and services.
DO WE TRANSFER PERSONAL INFORMATION INTERNATIONALLY?
Personal Information that end users transmit through our Platform while accessing the Internet always resides within secure, containerized reporting databases, within countries that our customers designate (for example, an EU-based customer may elect for all of its end users’ Personal Information processed on the Platform to reside within containerized reporting databases located in the EU). Additionally, we create customer-specific, encrypted backups of end user data that are stored in third party data centers, however that data reside in purely encrypted form and cannot be decrypted without a private key that our customers hold.
If the Personal Information is transferred to countries without ‘adequate’ protection as determined by the European Commission, we will use additional safeguards to ensure your Personal Information receives adequate security and your rights continue to be protected, such as the EU Standard Contractual Clauses. You understand that in providing Personal Information to us via our website, Platform, or through other interactions with us, you consent to the transfer of your Personal Information to the United States and other jurisdictions in which we operate.
In addition to EU Standard Contractual Clauses, the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield programs (“Privacy Shield”) previously provided a framework for companies to transfer Personal Information between the EU and United States. iboss was previously Privacy Shield certified, but due to the European Court of Justice’s July 16, 2020 decision invalidating Privacy Shield, iboss is no longer applying Privacy Shield to relevant transfers of Personal Information and is instead relying on EU Standard Contractual Clauses. To the extent Personal Information was transferred to iboss under our prior Privacy Shield Certification, and if we have retained such information, we will provide protection for such information according to the EU Standard Contractual Clauses.
WHAT IS OUR RETENTION POLICY?
If you have elected to receive marketing communications from us, we retain information about your marketing preferences until you opt out of receiving these communications and in accordance with our policies.
To determine the appropriate retention period for your Personal Information, we will consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we use your Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements.
HOW DO WE HANDLE INFORMATION THAT WE RECEIVE FROM CHILDREN?
Our website and services are directed toward a general audience. We do not knowingly collect information about children under the age of 13, or minors otherwise defined in local law or regulation, without verifiable parental consent. If we learn that someone under 13 has provided Personal Information through our website, we will use reasonable efforts to remove that information from our databases.
WHAT ARE CALIFORNIA RESIDENTS’ SPECIFIC PRIVACY RIGHTS?
WHAT ARE EU DATA SUBJECTS’ SPECIFIC PRIVACY RIGHTS?
Scope. This section applies to individuals in the EU (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein, Norway, the United Kingdom, and, to the extent applicable, Switzerland).
Data Controller. Data protection laws in the EU differentiate between the “data controller” and “data processor” of Personal Information. iboss is the data controller for the processing of your Personal Information relating to customer accounts, marketing, and Personal Information collected through our website and other digital platforms. You can find our contact information, and the contact information of our EU-based representative, below.
Data Processor. iboss is the data processor for the processing of Employee Personal Information. If you are an employee or end user of one of our customers, please contact the appropriate customer of iboss to exercise the rights described below.
Your Rights. Pursuant to the European Union General Data Protection Regulation (or GDPR), you have the following rights in relation to your Personal Information, under certain circumstances:
- Right of access: If you ask us, we will confirm whether we are processing your Personal Information and, if so, provide you with a copy of that Personal Information along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your Personal Information is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Information with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information so you can contact them directly.
- Right to erasure: You may ask us to delete or remove your Personal Information, such as where you withdraw your consent. If we shared your data with others, we will tell them about the erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information with so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or “block” the processing of your Personal Information in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restriction on processing. If we shared your Personal Information with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Information so you can contact them directly.
- Right to data portability: You have the right to obtain your Personal Information from us that you consented to give us or that was provided to us as necessary in connection with our contractual obligations, and that is processed by automated means. We will give you your Personal Information in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us at any time to stop processing your Personal Information, and we will do so:
- If we are relying on a legitimate interest to process your Personal Information — unless we demonstrate compelling legitimate grounds for the processing or we need to process your data to establish, exercise, or defend legal claims;
- If we are processing your Personal Information for direct marketing. We may keep minimum information about you in a suppression list to ensure your choices are respected in the future and to comply with data protection laws (such processing is necessary for our and your legitimate interest in pursuing the purposes described above).
- Right to withdraw consent: If we rely on your consent to process your Personal Information, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to withdraw consent.
- Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Information, you can report it to the data protection authority that is authorized to hear those concerns (in the UK, the Information Commissioner’s Office (ICO), who can be contacted at https://ico.org.uk/concerns, and in other EU countries the data protection authority of the country in which you are located).
Please contact us for information on how to exercise your rights.
HOW DOES IBOSS SECURE YOUR PERSONAL INFORMATION?
iboss uses technical and physical safeguards to protect the security of your Personal Information from unauthorized disclosure. We also make commercially reasonable attempts to ensure that only necessary people and third parties have access to Personal Information. Nevertheless, such security measures cannot prevent all loss, misuse, or alteration of Personal Information, and we are not responsible for any damages or liabilities relating to any such incidents to the fullest extent permitted by law.
HOW MAY I CONTACT IBOSS?
To contact iboss about any of the foregoing matters, please use the following addresses:
101 Federal Street, 23rd Floor
Boston, MA 02110 USA
ATTN: General Counsel
Email Address: [email protected]
If you are an individual in the EU, you may also contact Simon Eappariello, our Senior Vice President of EMEIA & APJ, who has been appointed as iboss’ representative in the EU pursuant to Article 27 of the GDPR on matters related to the processing of Personal Information activities that take place in the EU. To make such an inquiry, please contact Mr. Eappariello via our [email protected] email address, or at iboss Network Security Limited, 50 St. Mary Axe, London, United Kingdom EC3A 8FR.
DATA PROCESSING ADDENDUM
Last Updated: July 7, 2022
This Data Processing Addendum (the “Addendum”) is made by and between iboss, Inc. with a registered office in Boston, Massachusetts, USA (“Company”) and the entity identified as Customer (collectively, “Customer”) in the iboss Terms of Service Agreement, in the iboss Cloud Services End User Terms of Service Agreement, in the iboss Quote, in the Master Software License and Services Agreement, or in such other agreement between Customer and iboss for the purchase of iboss software and services (in each case, the “Agreement”).
This Addendum is incorporated into the Agreement between Company and Customer and applies in respect of the provision of the Services (as defined in the Agreement) to Customer if the Processing of Customer Personal Data (as defined below) is subject to Data Protection Legislation. This Addendum shall be effective for so long as the Company Processes Customer Personal Data.
- “Customer Personal Data” means the Personal Data described under Section 2 of this Addendum, in respect of which Customer is the Controller and which is provided to Company by or on behalf of Customer and Processed by Company, each in connection with the Agreement for Company to provide Services to Customer;
- “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
- “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
- “Personal Data”, “Data Subject”, “Process”, “Processor” and “Controller” will each have the meaning given to them in applicable Data Protection Legislation; and
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by Company that compromises the confidentiality, integrity, or availability of such Customer Personal Data.
- “Standard Contractual Clauses” or “SCC” means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
- Details of The Processing
- Categories of Data Subjects. Categories of Data Subjects whose Personal Data may be included in Customer Personal Data include Customer’s customers, end users, partners, suppliers, employees, other personnel, and other Data Subjects about whom Customer receives or collects, and thereafter provides, Personal Data to Customer in the form of Customer Personal Data.
- Types of Personal Data. Customer Personal Data may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, such as names, email addresses, IP addresses, and web browsing data, including websites visited; location data; and browsing, search, and other network activity of authorized users of Customer’s network.
- Subject-Matter and Nature of the Processing. The subject-matter of Company’s Processing of Customer Personal Data is the provision of the Services to Customer, which include the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities that Company must perform to provide the Services pursuant to the Agreement and any applicable statement of work or other ordering document.
- Purpose of the Processing. Company will process Customer Personal Data for purposes of providing the Services described in the Agreement and any applicable statement of work or other ordering document.
- Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 10 of this Addendum.
- Processing of Customer Personal Data
- This Addendum applies to the Processing of Customer Personal Data. If applicable Data Protection Legislation recognizes the roles of “Controller” and “Processor” as applied to Customer Personal Data, then as between Company and Customer, Customer acts as Controller and Company acts as a Processor (or Subprocessor, as the case may be) of Customer Personal Data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with the Agreement and this Addendum, including with respect to transfers of Customer Personal Data, unless Processing is required by applicable Data Protection Legislation to which Company is subject, in which case Company shall, to the extent permitted by applicable law, inform Customer of that legal requirement before so Processing that Customer Personal Data. The Parties agree that Company may Process Customer Personal Data as necessary to enable Company to provide the Services according to the Agreement. Any additional or different instructions from Customer pertaining to the Processing of Customer Personal Data require a signed agreement between Company and Customer and may be subject to additional fees. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data. Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation, provided, however, Company is not responsible for performing legal research and/or for providing legal advice to Customer.
- If Company cannot process Customer Personal Data according to Customer’s instructions due to a legal requirement under any applicable Data Protection Legislation, Company will (i) promptly notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) Process (or continue to Process) Customer Personal Data to the extent Company is able to comply with Customer’s instructions in order to provide the Services as set forth in the Agreement.
- Each of Customer and Company will comply with their respective obligations under the Data Protection Legislation. Customer shall (a) provide all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and Company’s, Processing of Customer Personal Data and (b) ensure that Customer has obtained (or will obtain) and maintain during the term of the Agreement all rights and consents (if required) which are necessary for Company to Process Customer Personal Data in accordance with this Addendum and the Agreement. If Customer is not required by Data Protection Legislation to obtain and maintain valid consent from Data Subjects, Customer will otherwise comply with requirements under Data Protection Legislation to obtain and maintain a valid legal basis to Process Customer Personal Data and for providing such data to Company for Processing under the Agreement.
- Cross-border transfers of Customer Personal Data:
- The Services allow Customer to designate the location in which Customer Personal Data will be Processed based on compatibility with the Services. If Customer elects to transfer Customer Personal Data to Company outside a jurisdiction restricting the transfer of Personal Data relating to Data Subjects located in that jurisdiction, either directly or via onward transfer, to a jurisdiction which the Data Protection Legislation in such originating jurisdiction concluded does not provide an adequate level of protection for such Personal Data, such transfer shall be subject to the protections and provisions of the Standard Contractual Clauses (where Schedule 1 specifically delineates the terms in the SCC’s Appendix) or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Legislation.
- In Annex I, Customer shall be deemed to have signed the SCC in its capacity of “data exporter” and Company in its capacity as “data importer.” Module Two or Module Three of the SCC shall apply to the transfer depending on whether Customer is Data Controller of the Customer Personal Data (for Module Two) or a Data Processor of the Customer Personal Data on behalf of its customer (for Module Three). If Module Three applies, Customer hereby notifies Company that it is a Processor and the instructions shall be as set forth in Section 3.1. For purposes of Clauses 17 and 18 of the SCCs, the Parties select The Netherlands. Additional provisions applicable to Customer Personal Data transferred pursuant to SCC are set forth in Schedule 2.
- The SCC will cease to apply if Company has implemented an alternative recognized compliance mechanism for the lawful transfer of personal data in accordance with applicable Data Protection Legislation and has informed Customer thereof.
- In the event of any conflict between any terms in the SCC and Addendum, the SCC shall prevail to the extent of the conflict.
- Where Customer Personal Data originating from the United Kingdom (“UK”) specifically is processed by Company outside of the UK, in a territory that has not been designated by the UK Information Commissioner’s Office (“ICO”) as ensuring an adequate level of protection pursuant to Data Protection Legislation (“UK Transfer”), and to the extent such processing and transfer would be subject to the SCC and Data Protection Legislation applicable in the UK (“UK Data Protection Legislation”) the Parties agree that the UK’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses available on the ICO’s website (“UK SCC Addendum”) shall apply to such UK Transfer and the UK SCC Addendum shall be completed with the information set forth in this Addendum and the Agreement.
- Customer is responsible for compliance with all applicable Data Protection Legislation regarding its content, including without limitation that which regulates (a) content directed toward children (as defined under applicable Data Protection Legislation and for example, individuals under 13 years old in the United States or under 16 years old in certain other countries) (b) financial, payment, or credit data or (c) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s genetic data, biometric data, health data, or data regarding sex life or sexual orientation ((a) – (c) collectively, “Sensitive Data”), where Customer is specifically responsible for obtaining express consent from individuals whose Personal Data is provided to Company for Processing, where required by Data Protection Legislation. Any Sensitive Data provided by Customer to Company is provided solely at Customer’s election, and Customer understands and agrees that Company does not differentiate between different types of data sensitivity when Processing Customer Personal Data or treat certain types of Customer Personal Data differently from other types and applies the same security measures to all Customer Personal Data as set forth in Section 5 of this Addendum.
- Confidentiality. Company shall implement processes designed to ensure that Customer Personal Data is only made available to those of its personnel, including its sub-Processors, who (i) need to access such Customer Personal Data in order to carry out their roles in the performance of Company’s obligations under the Agreement and this Addendum and (ii) have committed themselves to protect the confidentiality of such Customer Personal Data or are otherwise under an appropriate statutory obligation of confidentiality.
- Security Measures
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (described under Annex II to the Standard Contractual Clauses). Company may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of a statement of work or other ordering document.
- Company will provide Customer with legally-required and reasonable assistance as necessary for the fulfilment of Customer’s obligations under applicable Data Protection Legislation.
- Customer authorizes Company to appoint the entities identified in Company’s support portal at https://support.ibosscloud.com as sub-Processors of Customer Personal Data and generally authorizes Company’s engagement of additional sub-Processors and Company’s replacement of any sub-Processors identified within https://support.ibosscloud.com. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the sub-Processing of Customer Personal Data for purposes of Clause 9, Option 2 of the Standard Contractual Clauses. Company will inform Customer of any intended changes concerning the addition or replacement of any sub-Processors. If Customer can show on reasonable and objective grounds that a new sub-Processor does not or cannot comply with applicable Data Protection Legislation and wishes to object to Company’s use of such sub-Processor, then Customer has fifteen (15) days after Company notifies customer of such new sub-Processor to notify Company in writing of its reasonable and objective basis, supported by documentary evidence, for objection to the use of the new sub-Processor. Upon receipt of Customer’s written objection, Customer and Company will work together without unreasonable delay to find a mutually acceptable resolution to address the objection, including but not limited to reviewing additional documentation supporting the sub-Processor’s ability to comply with Data Protection Legislation. To the extent Customer and Company do not reach a mutually acceptable resolution within a reasonable timeframe, Company will use reasonable endeavors to make available to Customer a change in the Services or will recommend a commercially reasonable change to the Services to prevent the applicable sub-Processor from Processing Customer Personal Data. If Company is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Customer shall have the right, as its sole remedy, to terminate the relevant Services (i) in accordance with the termination provisions in the Agreement; (ii) without liability to Customer or Company, and (iii) without relieving Customer from its payment obligations under the Agreement up to the date of termination.
- Company will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same level of restrictions that apply to Company under this Addendum to the extent applicable to the nature of the services provided by such sub-Processor. Where any of its sub-Processors fails to fulfil its data protection obligations in relation to the Services provided to Customer, such that Company would be found to have violated its obligations to Customer under this Addendum, Company will be responsible to Customer for the performance of its sub-Processors’ obligations.
- Data Subject Rights
- To the extent legally permitted, and where a Data Subject identifies Customer as the entity that collected its Personal Data, Company shall notify Customer without undue delay of receiving any request or complaint from Data Subjects regarding Customer Personal Data (“Data Subject Inquiry”). Company shall not respond to Data Subject Inquiries without Customer’s prior written consent and written instructions. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Inquiry, Company will provide Customer with assistance necessary for the fulfilment of Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights in accordance with Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Company’s provision of such assistance.
- If a Data Subject does not identify an entity that collected its Personal Data, Company will instruct the Data Subject to identify and contact the relevant entity that collected its Personal Data.
- Company shall comply with Customer’s instructions regarding the handling of a Data Subject Inquiry, subject to the terms of Section 3.1.
- Personal Data Breaches
- Company will notify Customer at the contact information on file without undue delay and in any event within forty-eight (48) hours after it becomes aware of and confirms any Personal Data Breach. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Company, Company will also provide Customer with information regarding (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (ii) the reasonably anticipated consequence of the Personal Data Breach; (iii) measures taken to mitigate any possible adverse effects; and (iv) other information concerning the Personal Data Breach reasonably known or available to Company that Customer is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Legislation. Company’s contact point for additional details regarding a Personal Data Breach is [email protected] Except as required by applicable Data Protection Legislation, the obligations set out in this Section shall not apply to Personal Data Breaches caused by Customer.
- Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents. Customer and Company shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications in accordance with Data Protection Legislation to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Legislation. In any event, Customer shall not disclose any confidential or proprietary information of Company in the content of any notification.
- Data Protection Impact Assessment; Prior Consultation. Company will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, including by providing Customer with documentation regarding Company’s Processing operations, if Customer is required to engage in such activities under applicable Data Protection Legislation and such assistance relates to the Processing by Company of Customer Personal Data.
- Return or Deletion of Customer Personal Data
- Subject to Section 10.2 below, and unless Company and Customer otherwise agree in writing in the Agreement, Company shall, following termination or expiration of the Agreement, delete and use all reasonable efforts to procure the deletion of all copies of Customer Personal Data Processed by Company or any sub-Processors, and where deletion is not possible, sufficiently de-identify Customer Personal Data such that it is no longer Personal Data, except if required or permitted by applicable law or for compliance, audit, or security purposes. Company and Customer may agree in writing for Company to provide certain log data containing Customer Personal Data.
- Company and its sub-Processors may retain Customer Personal Data to the extent required by applicable laws, only to the extent and for such period as required by applicable laws, and provided that Company shall protect the confidentiality of all such Customer Personal Data and Process such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
- Company will provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Legislation (which such information is Company Confidential Information under the Agreement), and, subject to the terms below, allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
- Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Company shall make available to Customer that is not a competitor of Company (or Customer’s independent, third-party auditor that is not a competitor of Company) a copy of Company’s security documentation and summaries of any available and recent third-party audits or certifications, as applicable, each for the sole purposes of confirming Company’s compliance with this Addendum and to assist Customer with complying with its obligations under Data Protection Legislation. If no such audit report is available at the time of Customer’s request, Company will allow and contribute to audits as set forth below.
- Customer may, upon reasonable notice and at reasonable times, and at Customer’s own expense, audit (either by itself or using independent third-party auditors) Company’s compliance with this Addendum. Company shall assist with and contribute to any audits conducted in accordance with this Section 11. Such audits may be carried out once per year or more often if required by Data Protection Legislation.
- Any third party engaged by Customer to conduct an audit must be pre-approved by Company (such approval not to be unreasonably withheld) and sign Company’s confidentiality agreement. Customer must provide Company with a proposed audit plan at least two weeks in advance of the audit, after which Customer and Company shall discuss in good faith and finalize the audit plan prior to commencement of any audit activities.
- Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and Company’s security and other policies, and may not unreasonably interfere with Company’s regular business activities. Customer shall reimburse Company for any reasonable costs or expenses incurred by Company in connection with the audit.
- Information obtained or results produced in connection with an audit are Company Confidential Information under the Agreement and may only be used by Customer to confirm compliance with this Addendum and for complying with its requirements under Data Protection Legislation.
- Fees. Company may charge Customer a reasonable fee for time spent in connection with any assistance or cooperation required by Customer under this Addendum if such assistance or cooperation involves the commitment of resources over a prolonged period of time, which are not included as part of the Services, or involve third-party costs and does not arise from any breach by Company of this Addendum.
- Each party’s liability to the other under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
- Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, Company will not be liable under the Agreement or this Addendum for any claim brought by a Data Subject arising from any action or omission by Company, to the extent that such action or omission resulted from Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable Data Protection Legislation.
- General Provisions
- With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.
- To the extent the California Consumer Privacy Act (“CCPA”) applies to Customer Personal Data and no exemptions in the CCPA apply, Company shall not (a) sell or share (as such terms are defined in the CCPA) Customer Personal Data; (b) retain, use or disclose Customer Personal Data for any purpose other than providing Services under the Agreement, and (c) retain, use or disclose Customer Personal Data outside of the direct business relationship between Company and Customer. As required by Section 1798.140(w)(2)(A) of the CCPA, Company certifies that it understands and will comply with these restrictions to the extent no other CCPA exemptions apply.
- Company may share and disclose Customer Personal Data in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Company’s business by or to another company, including the transfer of contact information and data of Customer’s customers, partners and end users, and Customer Personal Data Processed in connection with the Services.
- The parties agree that the bundling of Customer’s data exporters, for example, if Customer consists of multiple global affiliates, as controllers within this single Addendum is undertaken for efficiency purposes (i.e., to avoid a multitude of different contract documents) and (i) shall result in legally separate Addenda between the respective Customer entity and Company solely for purposes of addressing any such obligations under Data Protection Legislation; (ii) shall not create any new or different legal or other relationship whatsoever between the “bundled” Customer entities; (iii) does not create any additional rights or remedies for such bundled Customer entities; (iv) all processing instructions must be provided by the Customer entity that is signatory to the Agreement and Company is not responsible for consolidating or evaluating the validity of instructions received from other Customer entities; (v) any commercial terms not provided by the Addendum are provided by the Agreement regardless of whether the bundled Customer entities signed or were consulted regarding the terms of the Agreement; and (vi) any audits conducted in accordance with the Addendum shall be conducted only by and through the Customer entity that is signatory to the Agreement.
APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES
A. LIST OF PARTIES
|Name:||The data exporter is the entity identified as “Customer” in the Addendum|
|Address:||As set forth in the Agreement|
|Contact person:||As set forth in the Notices provision in the Agreement|
|Activities relevant to the data transferred under these Clauses:||As set forth in the Agreement|
|Signature and date:||Refer to Addendum|
|Role:||Controller, except when processing data on behalf of another entity, in which case data exporter is a processor|
|Name:||The data importer is the entity identified as “Company” in the Addendum|
|Address:||As set forth in the Agreement|
|Contact person:||As set forth in the Notices provision in the Agreement|
|Activities relevant to the data transferred under these Clauses:||As set forth in the Agreement|
|Signature and date:||Refer to Addendum|
|Role:||Processor, or sub-processor if data exporter is a processor|
B. DESCRIPTION OF TRANSFER
|Categories of data subjects whose personal data is transferred:||Data subjects are defined in Section 2.1 of the Addendum|
|Categories of personal data transferred:||Categories of personal data are defined in Section 2.2 of the Addendum.|
|Sensitive categories of data (if appropriate):||As determined and controlled by Customer in its sole discretion, and if provided to data importer, data exporter shall comply with Section 3.5 of the Addendum.|
|The frequency of the transfer:||As set forth in the Agreement|
|Nature of the processing:||As set forth in Sections 2 and 3 of the Addendum and in the Agreement|
|Purposes of the data transfer
and further processing:
|As set forth in Sections 2 and 3 of the Addendum and in the Agreement|
|The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:||As set forth in Sections 2.5 and 10 of the Addendum, and in the Agreement|
|For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:||As set forth in Sections 2, 6, and 10 of the Addendum, and in the Agreement|
C. COMPETENT SUPERVISORY AUTHORITY
If Customer is established in an EU Member state, the competent supervisory authority shall be the supervisory authority applicable to the establishment location of Customer. If Customer is not established in an EU Member state, the competent supervisory authority shall be the supervisory authority located where Customer has appointed its EU Representative. If Customer is not established in an EU Member state and is not required to appoint an EU Representative, the competent supervisory authority shall be the supervisory authority applicable to the location of the Data Subject whose data is at issue.
Technical and organizational measures, including technical and organizational measures,
to ensure the security of the data:
- The iboss architecture, platform, points of presence, security controls and security program are audited and assessed both internally and by external third parties. Iboss holds ISO 27001 and ISO 9000 certifications and contracts with an external audit firm for ongoing SOC 2 Type II audits. iboss also contracts with multiple industry leading assessment and testing organizations to complete external and internal penetration and vulnerability scanning on a routine basis.
- The iboss Information Security Policy is an umbrella policy for other policies, including:
- Access Control and Business Continuity Policies (incl. Data backup and Recovery)
- Asset management
- Human resources security
- Data encryption
- Physical access
- Network security
- Access control
- Each customer service delivery environment is deployed in an isolated containerized node(s), inclusive of any gateway nodes and a separate reporter node. Nodes are deployed in iboss datacenters or the customer’s own managed environment. Containerization allows iboss to decommission and destroy IT assets and data in a customer-specific methodology.
- Customer Personal Data are input within the containerized environment from the gateway node to the reporter node.
- Customers may configure their deployment to redirect Customer Personal Data to its SIEM environment. This data can be controlled, downloaded and reported on via the Services’ administrative web application. This application is wholly accessed and managed by Customer administrators.
- Adoption of architecture design principles that minimize system surface area that can be attacked, remove exposure to protocols or applications from where there is no expectation of communication, and provide dynamic scale in the gateway design to mitigate volumetric attacks that consumer heavy resources and prioritize the ability to quickly scale computation resources up or down.
- An Information Security awareness program is in place for all employees.
- An Access Management Policy is in place that establishes access control rules for iboss information, IT systems and resources (non-critical and critical) and details how iboss manages system accounts, including establishing, activating, modifying, reviewing, disabling and removing accounts. The iboss Access Management Policy covers the following supporting standards: Application Access Control, Network access control, password settings, and user access management and administration.
- Remote network access is restricted by role to limit access to employees as necessary to perform their duties. Remote network access is only granted through the provisioning process with proper approvals from iboss Human Resources and Management. Remote access is only granted to iboss-owned and configured equipment. Two factor authentication, Active Directory, and VPN services are used to deliver the Service.
- iboss conducts monthly, quarterly and annual reviews of systems and procedures. Review processes include providing evidence of policy and procedure compliance. Additionally, annual internal and external audits, semiannual compliance audits, and annual external technology platform testing are conducted.
- Data retention configuration and backups are customizable by customer administrators. Backups of customer environments are encrypted using AES 256 by private key and stored solely in the Customer’s node environment and not stored with the data backup. iboss can return or security destroy Customer data upon written request.
- An iboss information security group, separate from iboss operations, daily reviews all alarms, alerts and reports from the tools, information systems and network appliances deployed in the Services environment and results in the categorization, escalation, remediation and tracking of any identified issues.
- iboss maintains an asset inventory including hardware, software and information assets. Documentation is maintained in dedicated or existing inventories. Ownership of assets is assigned and a classification is defined for each asset.
- All assets and data are destroyed with techniques aligned with NIST 800-88 (industry standard DOD 5220-22M).
- iboss maintains an Information Classification Policy to help manage and protect its information assets. Iboss personnel are required to abide by the Information Classification Policy and handle information accordingly.
- iboss utilizes secured datacenters in appropriately staffed co-location facilities featuring cement walled buildings, no windows, no external signage to identify facility, and natural barriers to secured/video protected parking areas. Physical protection is provided by a combined effort of iboss and the co-location facility. The co-location facility provides alarms, fire, water, power, generators, monitoring, video surveillance cameras and a secure card-key with additional biometric access system. Additionally, all iboss servers are in a secured cage in locked cabinets with keys distributed only as needed for specific entry and only at the time entry is needed. Servers are locked at the OS level, with all administrators using identifiable, auditable and privileged IDs. Remote access tools are password protected.
- A software development methodology requires architects and developers to consider security aspects. Design reviews focus on potential security exposure and provide for identification of security best practices for application and database design, as well as for all related infrastructure elements. The development methodology requires that developers consider the appropriate treatment of data capture, validation, storage, presentation and security. Where appropriate, audit and transaction records are captured and stored within the databases. Access to application and database source code is restricted to the appropriate members of the application development team. Personnel performing testing are independent from the original developer.
List of iboss Sub-processors
Please refer to the list provided at https://support.ibosscloud.com/.
SCHEDULE 2 – ADDITIONAL SCC PROVISIONS
BASED ON EUROPEAN DATA PROTECTION BOARD RECOMMENDATIONS 01/2020
- Company shall promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) (“Disclosure Request”) unless otherwise prohibited by law or a legally binding order of such body or agency and without responding to such request, unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request). Company will review applicable law to evaluate any Disclosure Request, for example the ability of the requesting authority to make the Disclosure Request, and to challenge the Disclosure Request if, after a careful assessment, it concludes that there are grounds under applicable law to do so. When challenging a Disclosure Request, Company shall seek interim measures to suspend the effects of the Disclosure Request until an applicable court or other authority has decided on the merits. Company shall not disclose Customer Personal Data requested until required to do so under applicable law. Company shall only provide the minimum amount of Customer Personal Data permissible when responding to the Disclosure Request, based on a reasonable interpretation of the Disclosure Request. If the Disclosure Request is incompatible with the SCCs or other data transfer mechanism utilized in accordance with Section 3.4 in this Addendum, Company will so notify the requesting authority and, if permitted by applicable law, notify the competent EEA government authority with jurisdiction over the Customer Personal Data subject to the Disclosure Request. Company will maintain a record of Disclosure Requests and its evaluation, response, and handling of the requests. Company will provide Customer with such records relevant to Customer Personal Data except as prohibited by applicable law or legal process or in the interest in protecting Company’s legal rights in connection with threatened, pending, or current litigation.
- Company will utilize industry standard encryption while Customer Personal Data are being Processed by Company as set forth in Schedule 1, Annex II.
- Company has not purposefully created “back doors” or similar programming in its systems that provide Services that could be used to access the systems and/or Customer Personal Data, nor has Company purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or its systems that provide the Services. To the best of Company’s knowledge, United States Data Protection Legislation does not require Company to create or maintain “back doors” or to facilitate access to Customer Personal Data or systems that provide Services or for Company to possess or provide the encryption key in connection with a United States Disclosure Request.
- Company shall use reasonable efforts to assist Customer and its Data Subjects, as instructed by Customer (in accordance with Section 7 of the Addendum), regarding Disclosure Requests, unless prohibited by applicable law, for example to provide information to Customer in connection with the Data Subject’s efforts to exercise its rights and obtain legally available redress, provided Company shall not be required to provide Customer or Data Subjects with legal advice.
- Customer may request to audit Company access logs regarding access to Customer Personal Data, subject to the terms of Section 11 of the Addendum.
- Company has established an internal policy and procedure regarding handling of Disclosure Requests and applicable transfers of Personal Data of customers. Company Legal and Audit personnel are provided information regarding applicable transfers of Customer Personal Data prior to the transferring of any such data, where such information may include an explanation of the necessity of the transfer and any data protection safeguards in scope.
- In the event Company receives a request to voluntarily disclose unencrypted Customer Personal Data to a government authority, Company will use reasonable efforts to first obtain Customer’s consent, either on its behalf or on behalf of the relevant Data Subject.