These General Terms & Conditions are comprised of three parts: a first general part, a Service Level Agreement and a Data Processing Agreement. By agreeing with an Order Form, Client agrees in full with these General Terms & Conditions.

Capitalized terms in the Order Form have the meaning as defined in these General Terms & Conditions (also referred to as “GT&C”).

Provider and Client hereafter also collectively referred to as the "Parties", and each individually a "Party".

It is hereby agreed as follows:


1. Definitions

"Agreement"
: the Order Form including these GT&C, all schedules, exhibits, appendices and annexes thereto. This Agreement contains, at least, the following elements: (at least) one Order Form and the GT&C, consisting of general terms, a Service Level Agreement and a Data Processing Agreement.

“Account owner"
refers to the person at the Client or its Affiliates’ organization who is responsible for the relationship with the Provider and the payment of Provider’s Services.

"Affiliate"
means in relation to one of the Parties, any entity which is owned or controlled by a Party or which is under common ownership or control of a Party. As used herein, "control" means the power to direct the management or affairs of an entity, and

"ownership"
means the beneficial ownership of fifty percent (50%) or more of the voting equity securities or other equivalent voting interests of the entity.

"Authorized Users"
Client's or its Affiliates’ employees or contractors authorized by the Client or its Affiliates to use the Services as specified in the Order Form.

“Client Account”
means the environment, created by Provider within the Software, through which Client, Affiliates and Authorized Users can access the Service.

"Client Data"
means any data that is provided by Client or any of its Affiliates to Provider (including through the Service) or accessed or processed by Provider on behalf of Client or its Affiliates, including any Personal Data and excluding the Deliverables.

"Client Systems"
means any software, hardware, or systems of Client or its Affiliates or contractors.

"Confidential Information"
: information regarding either Party's or its Affiliates’ products or services, including but not limited to the Services, documentation, software, trade secrets embodied therein and any other written or electronic information that is either (i) marked as confidential and/or proprietary, or which is accompanied by written notice that such information is confidential and/or proprietary, or (ii) not marked or accompanied by notice that it is confidential and/or proprietary but which, if disclosed to any third party, could reasonably and foreseeably cause competitive harm to the owner of such information. Confidential Information shall not include information which, as demonstrated by the receiving Party, is: (i) publicly available, (ii) lawfully obtained by a party from third parties without restrictions on disclosure, or (iii) independently developed by a Party without reference to or use of Confidential Information.

"Deliverables"
: the deliverables relating to the Services to be provided by Provider under the Agreement.

"Effective Date"
: the date on which an Order Form becomes effective. This is typically the date on which Clients signs an Order Form,, except if agreed otherwise.

"Force Majeure"
means any events or circumstances, or any combination of such events or circumstances, which are not attributable to Provider, including but not limited to malfunctions of the internet or other telecommunications facilities, failures by (third) parties on which Provider depends when providing the Services, the defective condition of items, equipment, software, Client Data, or other materials which the Client has instructed Provider to use and/or the non-availability of one or more members of staff (due to illness or other unforeseen circumstances).

"Intellectual Property Rights"
: any and all, rights, titles and interests associated with any copyrights, works, inventions, patents, utility models, trademarks, trademark registrations, trade names, service marks, trade secrets, know-how, technology, discoveries, improvements, processes, techniques, software, code, data (including all associated inchoate rights), whether or not patentable, and any ancillary, corresponding, continuation derivative work, improvement, modification, update, upgrade or enhancement of any of the foregoing.

"Order Form"
means each order form in which agreed Services between Parties are described. Each Order Form will be incorporated into this Agreement upon mutual execution by the Parties.

"Order Form Effective Date"
means the date on which an Order Form becomes effective. Each Order Form will be incorporated into this Agreement upon mutual execution by the Parties.

"Personal Data"
: any information relating to an identified or identifiable natural person.

"Service or Service(s)" means any of the (hosted) services, offered by Provider to Client, as described in an Order Form.

"Service Levels"
means the service levels of a Service set forth in Exhibit B.

"Service Plan" means the Services which have been ordered by the Client in conformity with an Order Form.

"Setup Service" means implementation or customization services for the Service.

"Software"
: the software, software application(s), and all materials related to such applications owned by Provider and accessible by the Client through the internet or other means of access designated by Provider in connection with the Service.

"Subscription Charges"
means the charges that are related to a specific Subscription Term set forth in the applicable Order Form.

"Subscription Upgrade"
means an upgrade of Client's Service Plan or an increase of the number of authorized user accounts during Clients Subscription Term.

"Subscription Term"
: the subscription term to the Service specified in the applicable Order Form.

"Term": the term commencing on the Effective Date and in force until expiration or termination of the last Subscription Term.

"Taxes"
: any taxes, levies, duties or similar governmental assessments, including value-added, sales, use or withholding taxes assessable by any local, state, provincial or foreign jurisdiction.

All words defined in this Agreement can be used in the singular or plural form.


2. Provision, access and use of the service

2.1 Client and its Affiliates will receive a subscription to the Service for the Subscription Term. Provider grants Client and its Affiliates a limited, non-transferable, non-exclusive right to access and use Provider's Software in connection with the Service worldwide for Client's or its Affiliates’ internal business use only.

2.2 During each Subscription Term, Provider will provide the Service in accordance with this Agreement (including the descriptions in each Order Form and the Service Levels). Nothing in this Agreement obligates Provider and its Affiliates to deliver or make available any copies of computer programs or code from the Software to Client, whether in object code or source code form.

2.3 Client will use the Service in compliance with all applicable local, state, national, and international laws, rules and regulations.

2.4 In relation to the Authorized Users, the Client shall ensure that:

  • the maximum number of users that access or use the Service, shall not exceed the number of Authorised Users, as specified in the Order Form;
  • it will not allow an Authorized User subscription to be used by more than one individual; however, if an Authorised User has ceased to work for the Client or any of its Affiliates, the Client or its Affiliates may transfer the subscription to another Authorized User;
  • insofar applicable, each Authorized User shall keep a secure password for his use of the Service, and each Authorized User shall keep his/her password confidential;
  • it shall maintain a written, up to date list of current Authorized Users and provide such list to Provider within 10 business days of Provider’s written request at any time;

2.5 Provider shall use its best efforts to provide the Service in accordance with the Service Levels.

2.6 Unless otherwise specified in the applicable Order Form or Service Levels, Provider will provide Client and its Affiliates, at no additional charge, with technical support services for the Service.

2.7 Provider will perform the Setup Service as specified in an Order Form. Setup Service and any associated deliverables are deemed included in the Subscription Charges, except if agreed in an Order Form differently.

2.8 Provider reserves the right, in its reasonable discretion, to temporarily suspend Authorized Users’ access to and use of the Service:

  • during planned downtime for upgrades and maintenance to the Service, of which Provider will use commercially reasonable efforts to notify Client in advance and a notice to Client's Account owner. Provider will use commercially reasonable efforts to schedule planned downtime for weekends (CET) and other off-peak hours.
  • in case of occurrence of a Force Majeure Event;
  • if Provider suspects or detects any malicious software connected to Client's Account or use of the Service by the Client or its Authorized Users;
  • if the Client breaches this Agreement and such breach is not cured within fourteen (14) business days commencing on the date of receipt of a written notice of default.


3. Restrictions

3.1 Client will not, nor will Client authorize or encourage any third party to:

  • copy, reproduce, alter, modify, or create derivative works from the Software and/or Service;
  • license, sublicense, sell, resell, rent, lease, distribute, transfer, timeshare, assign or resell the Software and/or Service, except to its Affiliates, or use the Software and/or Service as the basis for developing a competitive solution (or contract with a third party to do so);
  • remove or alter any of the logos, trademark, patent or copyright notices, confidentiality or proprietary legends or other notices or markings that are on or in the Service.
  • use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses;
  • use any robot, spider, other automated device, or manual process to monitor or copy any content from the Service.


4. Provision of deliverables

4.1 Provider shall provide the Deliverables to Client in accordance with this Agreement. Provider shall provide all Deliverables on the basis of commercially reasonable efforts, unless explicitly specified otherwise in the applicable Order Form.

4.2 The Provider represents that it has means and resources to provide the Service and the Deliverables. Parties agree that after the signing of this Agreement an implementation plan will be set-up together, whereby the intention of Parties is to provide their input as fast as possible in order to ensure a fast and swift implementation of the Service. Neither Party shall be responsible for a delay in the provision of the Service or Deliverable if the delay is caused by the other Party.


5. Client obligations

5.1 The Client is obliged to facilitate the performance of the Service by Provider. If Provider is providing the Service on the basis of information to be provided by the Client, including but not limited to Client Data, the Client shall undertake reasonable efforts to prepare this information in accordance with the conditions to be specified by Provider. Such information shall be provided at the risk, responsibility and expense of the Client. If the Client fails to provide the required information, it is possible that the execution of the Service will be delayed.


6. Subscription charges and payment

6.1 Unless otherwise indicated on an Order Form, all Subscription Charges are due in full upon commencement of the Subscription Term.

6.2 Any increase in the Subscription Charges will take effect upon renewal of a Subscription Term.

6.3 The Client shall inform the Provider in each case to whom each invoice shall be issued.

6.4 If Client opts for a Subscription Upgrade, any incremental Subscription Charges associated with such Subscription Upgrade will be prorated over the remaining period of Client's then current Subscription Term. The Subscription Upgrade will be charged to Client with equivalent payment conditions as applicable to Client in an Order Form, and due and payable upon implementation of such Subscription Upgrade. In any future Subscription Term, Client's Subscription Charges will reflect any such Subscription Upgrades.

6.5 No refunds or credits for Subscription Charges or other fees or payments will be provided to Client if Client elects to downgrade its Service Plan. Downgrading a Service Plan may cause loss of content, features, or capacity of the Service as available to Client, and Provider does not accept any liability for such loss.

6.6 Unless otherwise stated, Provider’s charges do not include any Taxes. Each Party is responsible for paying their own Taxes in connection with this Agreement in accordance with the applicable laws.

6.7 Unless otherwise indicated on the Order Form, no refunds or credits for Subscription Charges or other fees or payments will be provided to Client if Client elects to terminate an Order Form prior to the end of Client’s then effective Subscription Term. If Client terminates an Order Form prior to the end of Client’s then effective Subscription Term, in addition to other amounts Client may owe to Provider, Client shall immediately pay any then unpaid Subscription Charges associated with the remainder of such Subscription Term. This amount will not be payable by Client in the event Client terminates its subscription to the Service as a result of a material breach of this Agreement by Provider, provided that Client provides advance notice of such breach to Provider and this breach is not reasonably remedied by Provider within (30) days after receipt of this notice.


7. Term and termination

7.1 This Agreement is a framework agreement which governs all applicable Order Form(s). This Agreement commences on the Effective Date and shall be in force until 6 months after the termination of the last Order Form.

7.2 Either Client or Provider may elect to terminate an Order Form as of the end of Client’s then current Subscription Term by providing notice, in accordance with this Agreement, on or prior to thirty (30) days preceding the end of such Subscription Term. For the avoidance of doubt, termination of an Order Form will not affect other Order Forms, which shall continue until terminated/expired.

7.3 A Party may terminate the Agreement and/or any Order Form(s) at any time, without payment of compensation, and without notice if any of the following events occur:

  • a request is made, or a petition is filed for the other Party's bankruptcy or the other Party is granted a suspension of payments or becomes subject to other insolvency proceedings;
  • the other Party is dissolved, liquidates its business or otherwise terminates or suspends its business activities;
  • the other Party breaches this Agreement and such breach is not cured within twenty (20) business days commencing on the date of a written notice of default.

7.4 Upon any termination or expiration of this Agreement each Party (as recipient) will return the other Party's Confidential Information or destroy it and certify destruction.


8. Independent contractor

8.1 Provider is an independent contractor of Client, and not an employee, partner, agent or joint venture partner. Provider is solely responsible and liable for its own taxes, insurance premiums and employment benefits. No Provider employee is eligible for any benefits (including stock options, health insurance or retirement benefits) provided by Client to its employees. Provider will not make any commitment binding on Client or represent that it has authority to do so


9. Intellectual property

9.1 Client acknowledges that Provider owns all right, title and interest in and to the Software, the Service and/or the Deliverables and any modifications and enhancements thereof, including without limitation all Intellectual Property Rights, and such rights are protected by amongst others U.S., European and international intellectual property laws.

9.2 Provider grants Client and its Affiliates a non-exclusive, worldwide, perpetual and non-transferable right to use the Software, Service, Deliverables, solely for Client’s or its Affiliates’ internal business operations, unless specified otherwise in the applicable Order Form.

9.3 Provider acknowledges that Client or its Affiliates own all right, title and interest (including all Intellectual Property Rights) in and to the Client Data provided to the Provider.


10. Data protection

10.1 Parties shall process the personal data they obtain as part of the performance of this Agreement in accordance with the applicable privacy laws. The Parties shall comply with their respective obligations as set forth in the Data Processing Agreement as defined in this Agreement.


11. Limitation of liability

11.1 Client acknowledges that, the Service, as an internet-delivered software application, may experience periods of downtime, including but not limited to scheduled maintenance. Provider makes no representations or warranties, whether express, implied or statutory, with respect to the Services provided hereunder, including the Service and any documentation, content, data and materials made available with the Services. Provider specifically disclaims any implied warranties of merchantability, fitness for a particular purpose, non-infringements, and accuracy. Provider does not warrant that the Service will be error-free or operate without interruptions or downtime, or that the results obtained from the Services will meet Client’s needs.

11.2 Provider will not be liable for any use of the Service and/or Deliverables, and will not be liable for any incidental, consequential, special, indirect, or punitive damages in connection with any claim of any nature arising under the Agreement. Provider’s liability is limited in any and all cases to the amount covered by Provider’s insurance, i.e. EURO 1.000.000.

11.3 Client agrees to hold harmless and indemnify Provider, and its Affiliates, management, officers, agents, subcontractors and employees from and against any third party claim arising from or in any way related to Client’s, including its Affiliates’, management, officers, agents, subcontractors and employees, and or other person's use of the Service and/or Deliverables, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys' fees, of every kind and nature.


12. Confidential information

12.1 Parties shall keep Confidential Information about the other Party strictly confidential. Each Party shall not in any way disclose, to the possible exception of the other Party’s brand logo and name in their general communication, to anyone any Confidential Information about the other Party, including (but not limited to) any information about any Services, the provision of the Services, any activity, financial matter, business plan, intellectual property right, information system, working method, employee and supplier relating to the Services. This clause is not applicable if and insofar as:

  • A Party is obliged by law to disclose such information, in which event any Party so obliged shall consult with the other Party about how this will be affected; or
  • A Party has obtained the other Party's prior written consent, which shall not be unreasonably withheld.

Provider shall not use Deliverables to the extent these reveal any of Client’s Confidential Information.


13. Force Majeure

13.1 Either Party shall not be liable for any non-performance of its obligations pursuant to this Agreement, if such non-performance is caused by a Force Majeure Event. In case of a Force Majeure Event, the affected Party has the right to suspend the execution or further execution of the Service.


14. General

14.1 The rights and obligations of a Party under this Agreement cannot be assigned or transferred except with the prior written approval of the other Party.

14.2 Unless provided otherwise in this Agreement, the Parties shall each pay their own costs, charges and expenses in relation to this Agreement.

14.3 This Agreement constitutes the entire agreement and understanding of the Parties with respect to its subject matter and replaces and supersedes all prior agreements, arrangements, undertakings or statements regarding such subject matter.

14.4 Any variation of this Agreement is not valid unless and until it is in writing and has been signed by or on behalf of the Parties.

14.5 If a provision of this Agreement is or becomes invalid or non-binding, the Parties shall remain bound to the remaining provisions. In that event, the Parties shall replace the invalid or non-binding provision by provisions that are valid and binding and that have, to the greatest extent possible, a similar effect as the invalid or non-binding provision, given the contents and purpose of this Agreement.


15. Governing law and jurisdiction

15.1 If this Agreement is signed between Client and Impraise B.V., the Dutch entity, this Agreement is governed by and shall be construed in accordance with the laws of the Netherlands. Any dispute arising out of or in connection with this Agreement shall be submitted exclusively to the competent courts of Amsterdam.

15.2 If this Agreement is signed between Client and Impraise Inc., the American entity, this Agreement will be deemed to have been made in, and shall be construed pursuant to the laws of the State of California and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods. Any suit or proceeding arising out of or relating to this Agreement shall be commenced in a federal court in the Northern District of California or in a state court in San Francisco, California, and each party irrevocably submits to the jurisdiction and venue of such courts.

Service level agreement

This Service Level Agreement is entered under the Agreement signed between Parties. The Services described in herein are fully subject to the terms as defined in the Agreement. Capitalized terms not defined in this Service Level Agreement have the meaning as defined in other parts of the Agreement.

Problem Classifications and Definitions

A problem is a defect in the accessibility or performance of a function or component of the Service which had previously performed as expected or which was guaranteed in Provider's representations and warranties. Problems do not include issues caused by network modification(s) by Client. Problem priority will be reasonably determined by Provider using the following:

Priority level 1

Problem description: Fatal – Services are not available
Communication time (up to): 4 business hours
Response time (up to): 8 business hours

Priority level 2:

Problem description: Severe Impact – disabled functionality, errors that result in a lack of significant functionality in the Service
Communication time (up to): 8 business hours
Response time (up to): 12 business hours

Priority level 3:

Problem description: Degraded Operations – errors that cause non-critical features consistently to malfunction
Communication time (up to): 8 business hours
Response time (up to): 16 business hours

Priority level 4:

Problem description: Minimal Impact – errors that cause attributes and/or options of utility programs not to operate in accordance with specifications
Communication time (up to): 40 business hours
Response time (up to): Provider will provide Client with an update within 72 hours.


Communication Time: Communication Time means the time between the discovery of a problem, and the communication, by the Provider, to Client with information regarding the problem.

Response Time:
Response Time means the time between the discovery of a problem, until the technical person assigned by the Provider fixes the reported problem.

Service Availability:
The Service will be available to Client no less than 98% (ninety eight percent) of the time calculated on quarterly basis, based on 24*7 service availability.

Office hours: Working hours are Monday-Friday, between 9am and 6pm CET.

Credit to Client: In the event that Service Availability falls below the threshold specified above, and to the extent that such non-availability is not caused by (1) any failure of Client's equipment, systems or local access services, (2) a previously scheduled maintenance or (3) an event beyond Provider's control such as Force Majeure, Provider will credit Client's account with 5% of the monthly Subscription Fees for each 1% (one percent) of non-availability of the Services below the threshold specified above. After reaching 10% of non-availability over a period of 3 months or more in any twelve-month period, Client has right to withdraw from the Agreement or Order Form with no financial consequences.

Data processing agreement

This Data Protection Agreement is entered under the Agreement signed between Parties. The Services described in herein are fully subject to the terms as defined in the Agreement. Capitalized terms not defined in this Data Protection Agreement have the meaning as defined in other parts of the Agreement.


1. Preamble

1.1 Pursuant to Article 28 of Regulation (EU) 2016/679 (hereinafter ‘GDPR’), this Exhibit covers the data protection obligations of the Parties, including all employees of the Data Processor or third parties commissioned by the Data Processor, insofar as such obligations relate to the processing of personal data of or from the Data Controller (henceforth referred to as ‘Data Controller Personal Data’).


2. Definitions

2.1 In this Exhibit, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  • “Data Controller” means the Client, as defined in the Agreement;
  • "Data Controller Personal Data" means any personal data processed by the Data Processor or third parties commissioned by the Data Processor on behalf of and on the documented instruction of the Data Controller pursuant to or in connection with this Exhibit;
  • "Data Subject" means a natural person whose personal data is processed by the Data Processor under this Exhibit;
  • “Data Processor” means, in relationship to this Agreement, the Provider;
  • "EEA" means the European Economic Area;
  • "GDPR" means EU General Data Protection Regulation 2016/679;
  • "Privacy Shield" means the EU-U.S. framework to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States;
  • "Sub-processor" means any person or entity appointed by or behalf of the Data Processor to process Data Controller Personal Data

All terms not defined shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.


3. Processing of controller personal data

3.1 Purpose of processing:

3.2 The purpose of processing of Data Controller Personal Data is to ensure that the Services are functioning
properly.

3.3 The Data Processor shall:

  • Process Data Controller Personal Data solely for the purpose of providing the Services to data Controller. It is agreed that Data Processor may process Data Controller Personal Data to monitor and audit the Services, to analyse statistics and optimize the Services.
  • Comply with all applicable data protection laws in the processing of Data Controller Personal Data and not process Data Controller Personal Data other than as agreed between Parties in writing.
  • Immediately inform the Data Controller if, in the opinion of the Data Processor, an instruction of the Data Controller in relationship to the processing of Data Controller Personal Data, infringes relevant data protection laws and/or Terms.

3.4 Data processed by Data Processor: data of Data Controller’s employees (Authorised Users) who use the Service. The data includes the name of employee, e-mail address, team and manager name, as well as any performance management data inserted as a consequence of the normal use of the Services.


4. Data Processor Authorised Individuals

4.1 The Data Processor shall ensure that any access to Data Controller Personal Data by employees, agents and/or Sub-processors is strictly limited to those individuals who need to access the relevant Data Controller Personal Data as is directly necessary for the relevant purpose (need-to-know basis).

4.2 The Data Processor shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. The Data Processor shall provide such copies of confidentiality undertakings upon the Data Controller's request.


5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall, as it pertains to Data Controller Personal Data, implement reasonable technical and organizational measures to ensure a level of security appropriate to reasonable risk, including the measures referred to in Article 32(1) of the GDPR. All actions taken by the Data Processor shall be communicated and demonstrated to the Data Controller upon request.

5.2 In assessing the appropriate level of security, the Data Processor shall pay particular attention to the particular risks associated with the processing of Data Controller Personal Data as they relate to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data Controller Personal Data.

5.3 The Data Processor shall ensure the existence and/or adoption of procedures to regularly check the effectiveness of said technical and organizational measures and make such information available to the Data Controller upon request of the Data Controller.


6. Sub-processing

6.1 The Data Processor shall only engage a Sub-processor for any processing activities pursuant to this Exhibit if such Sub-processor (1) is located within the European Union and/or the United Kingdom and/or the United States of America (subject to such US party being compliant with the Privacy Shield), and (2) has appropriate GDPR standards and processes in place. In all other cases the Data Processor will ask for a prior authorisation of the Data Controller before using a Sub-processor.

6.2 With respect to each Sub-processor, the Data Processor shall ensure that:

  • Such engagement is set out in a written contract or other written legal act;
  • The data protection obligations as laid out in this Exhibit and under Article 28(3) of the GDPR are imposed mutatis mutandis on the Sub-processor;
  • The Sub-processor processes Data Controller Personal Data in line with appropriate and technical organizational measures pursuant to this Exhibit and Article 32 of the GDPR; and,
  • It is able to provide to the Data Controller for review such copies of the terms with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Exhibit or to Data Controller Personal Data) upon the Data Controller’s request.

6.3 If and to the extent the Data Processor is permitted by the Data Controller to transfer Data Controller Personal Data in such a manner, where such transfer is directly or via onward transfer to any recipient or country (i) not recognized by the European Commission as providing an adequate level of protection for personal data, or (ii) not covered by a suitable framework or certification recognized by the relevant authorities or courts as providing an adequate level of protection of personal data, the Data Processor shall implement Standard Contractual Clauses (pursuant to the European Commission’s decision of 5th February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection).

6.4 Where a Sub-processor fails to meet its obligations in relation to any terms with Data Processor pursuant to activities outlined in this Exhibit or in relation to the processing of Data Controller Personal Data, the Data Processor shall remain fully responsible to the Data Controller for such failure and for the performance of those Sub-processors’ obligations.

6.5 Data Processor will keep an up-to-date list of Sub-processors online: help.impraise.com. Data Processor will notify Data Controller before engaging a new Sub-processor, after which Data Controller will receive 7 days to object to the use of such Sub-processor. It is agreed between Parties that Data Controller will only object to the use of a Sub-processor if there are reasonable grounds to suspect that the new Sub-processor will not be able to protect the Data Controller Personal Data in line with GDPR.


7. Data Subject Rights

7.1 The Data Processor shall assist the Data Controller, through implementing appropriate technical and organisational measures, in the fulfilment of the Data Controller´s obligations pursuant to Chapter III of the GDPR. This shall include making Data Processor personnel and resources available, against payment of reasonable commercial rates, to the Data Controller as the Data Controller deems necessary in order to respond to the Data Subject request or communication.

7.2 The Data Processor shall:

  • Immediately forward any request or communication from a Data Subject as it relates to this Exhibit or Data Controller Personal Data without undue delay (in no event later than three (3) business days) to the Data Controller;
  • Not respond to that request except on the documented instructions of the Data Controller or as required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by applicable laws inform the Data Controller of that legal requirement before the Data Processor responds to the request or communication.


8. Personal Data Breach

8.1 The Data Processor shall use reasonable efforts to notify the Data Controller without undue delay (but in no event later than two (2) business days) upon Data Processor or any Sub-processor becoming aware of a possible personal data breach affecting Data Controller Personal Data. Such notification shall provide the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report the breach to a supervisory authority or inform data subjects of the personal data breach pursuant to Article 33 and Article 34 of the GDPR.

8.2 The Data Processor shall take immediate, independent measures to address the breach and mitigate any adverse effects. To the exception of any authorities, the Data Processor shall not communicate the event of a personal data breach to any party other than the Data Controller without the written authorisation of the Data Controller.

8.3 The Data Processor shall document in detail all personal data breaches relating to the Data Controller Personal Data, and further assist the Data Controller with their documentation of the breach pursuant to Article 33(5) of the GDPR.


9. Data Protection Impact Assessment and Prior Consultation

9.1 The Data Processor shall provide assistance to the Data Controller with regard to any data protection impact assessments, including any consultations with supervising authorities or other competent data privacy authorities, as the Data Controller considers necessary in order to fulfil obligations as outlined under Article 35 or Article 36 of the GDPR or equivalent provisions of any other data protection law.


10. Documentation Requirements

10.1 The Data Processor shall maintain a record of processing activities as they relate to this Exhibit and to Data Controller Personal Data in accordance and with the relevant detail as specified under Article 30 of the GDPR.

10.2 The Data Processor shall further maintain detailed documentation as to how systems used to process Data Controller Personal Data comply with Article 24 and Article 32 of the GDPR.

10.3 The Data Processor shall make such records available to the Data Controller on request and without undue delay.


11. Deletion or return of Data Controller Personal Data

11.1 The Data Processor shall promptly (in no event later than fourteen (14) days) after the date of cessation of any Services, return and/or delete all Data Controller Personal Data to the Data Controller. This further includes any personal data that has been created or change as a result of this Exhibit. The Data Processor shall furthermore make sure that disabled accounts are deleted within 6 months after the account has been disabled.

11.2 The Data Controller may in its absolute discretion by written notice to the Data Processor require the Data Processor to (a) return a complete copy of all Data Controller Personal Data to the Data Controller by secure file transfer in such format as is reasonably notified by the Data Controller to the Data Processor; and/or (b) delete and procure the deletion of all other copies of Data Controller Personal Data processed.

11.3 Where so requested, the Data Processor shall, against payment of reasonable commercial rates, provide assistance to the Data Controller to have the Data Controller Personal Data transferred in a suitable standard format to a specified third-party service provider.

11.4 The Data Processor shall ensure that this clause is enforced against and carried out by any relevant Sub-processors.


12. Audit rights

12.1 Upon request, the Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this Exhibit and with applicable data protection laws, and shall allow for and contribute to any onsite audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the processing of Data Controller Personal Data at locations where Data Controller Personal Data is processed. Any cost in relationship to such an audit shall be paid by the Data Controller.

12.2 This audit right can be exercised mutatis mutandis against any relevant Sub-processors.

12.3 Any failure to comply with any requested audit or inspection, or other failure to demonstrate compliance with this Exhibit or with applicable data protection laws within eight (8) weeks of any such request, shall permit the Data Controller to terminate the Agreement.


13. Breach of Exhibit

13.1 The Data Processor shall indemnify and hold the Data Controller harmless from all direct damages resulting from the Data Processor’s failure to comply with the requirements set out in this Exhibit or with applicable data protection laws.

13.2 The Data Processor shall further indemnify and hold the Data Controller harmless from all claims, liabilities, costs, expenses, damages and/or loss resulting from any Sub-processor’s failure to comply with the requirements set out in this Exhibit, any associated terms or with applicable data protection laws.

13.3 The liability of Data Processor, under this Exhibit or by law, shall at all times be limited to the amount covered by the liability insurance of Data Processor, as agreed in the Agreement between Parties. If such liability insurance does not provide for adequate coverage, the aggregate liability of Data Processor shall at all times be limited to the amount of fees paid by the Data Controller to the Data Processor under the Master Agreement in a given calendar year.


14. General Terms


14.1 This Exhibit and all non-contractual or other obligations arising out of or in connection with it are governed by the laws as defined in the Agreement.

14.2 Should any provision of this Exhibit be deemed invalid or unenforceable, the remainder of this Exhibit shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, whilst preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.