This Master SaaS Agreement (“Agreement”) is entered into and made effective as of the Effective Date indicated on the attached Order Form, by and between:
(i) Sentieo, Inc., a Delaware corporation having an address at 315 Montgomery Street, 10th Floor, San Francisco CA 94104, email: legal@sentieo.com (“Sentieo”); and
(ii) the person or entity whose identity and contact information are designated on the attached Order Form (“Customer”).
Whereas Sentieo is engaged in the business of providing the SaaS services set forth herein, Sentieo desires to supply such services to Customer, and Customer desires to obtain such services from Sentieo, all in accordance herewith, Now, Therefore, for good and valuable consideration the receipt and sufficiency of which are hereby acknowledged, the parties hereby mutually agree to all of the provisions hereof.
1. Services. As designated on one or more mutually executed Order Forms (each an “Order Form”) attached hereto and incorporated herein, the services to be provided by Sentieo to Customer hereunder shall consist of the Services described in the following provisions of this Section 1 (“Services”). To the extent that they differ, the provisions of the Order Form shall supersede the provisions of the main body of this Agreement.
2. Provision of Services as per Order Form. Sentieo shall provide Customer with online access to and use of, and Customer shall compensate Sentieo for, the Sentieo SaaS product offering identified on, and upon the terms (including without limitation pricing and duration) set forth on, the Order Form, together with all updates, bug fixes, error corrections, or other minor enhancements and improvements thereto made available by Sentieo. Customer’s use of the Services is subject to any restrictions designated in the Order Form, which may include without limitation restrictions on the number and kind of Customer’s users authorized to use the Services (“Authorized Users”) and to any other restrictions set forth herein. Customer may increase the number of Authorized Users at any time by requesting authorization for additional Authorized Users from Sentieo at useradditions@sentieo.com. Following receipt of that request, Sentieo will invoice Customer for the number of additional Authorized requested on a co-termed, prorated basis.
3. License Grant to Services. Subject to the terms and conditions of this Agreement, Sentieo hereby grants to Customer a limited term, non-exclusive, non-transferable, non-sublicensable right and license for the Authorized Users to access and use the Services solely for internal business purposes and in accordance with any applicable provisions designated on an Order Form. The foregoing license shall terminate upon the termination of this Agreement or the applicable Order Form.
4. License Restrictions. Customer shall not, directly or indirectly, permit any Authorized User or third party to: (i) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code or underlying algorithms of the Services; (ii) modify, translate, or create derivative works based on the Services; (iii) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Services; (iv) use or offer the Services for timesharing or service bureau purposes, or otherwise for the benefit of a third party; (v) remove any proprietary notices from the Services or any other Sentieo materials furnished or made available hereunder; (vi) publish or disclose to third parties any evaluation of the Services or any data obtained from the Services; or (vii) use the Services in automatic, semi-automatic, or manual tools designed to create virus signatures, virus detection routines, or any other data or code for detecting malicious code or data. Customer shall take all reasonable measures to prevent any Authorized User or third party from engaging in or continuing to engage in any of the foregoing activities.
5. Passwords. Sentieo shall issue a password to Customer for each Authorized User. Each password will be unique to a specific Authorized User. Customer and its Authorized Users shall maintain the confidentiality of all passwords and ensure that each password is used only by the Authorized User. Customer is responsible for any and all use that occurs under any Authorized User’s account and all charges incurred from use of the Services accessed with Authorized User’s passwords. Customer shall immediately notify Sentieo of any unauthorized use of Customer’s and Authorized Users’ accounts or any other breach of security known to Customer. Sentieo shall have no liability for any loss or damage arising from Customer’s failure to comply with the foregoing requirements. Customer shall take all actions reasonably requested by Sentieo to terminate access to any and all accounts accessed by an unauthorized user, including without limitation by deactivating any password associated with such account(s).
6. Password Replacement. Customer shall have the right to replace Authorized Users, provided that Customer notifies Sentieo immediately of any such replacement, whereupon Sentieo will deactivate any password associated with a replaced Authorized User and issue a new password to the new Authorized User.
7. Security. Sentieo shall implement and adhere to strict industry standard security precautions intended to prevent unauthorized access to any Customer data and shall otherwise provide the Services in accordance with Sentieo’s current privacy policy located at https://sentieo.com/content/legal/privacy-policy.html (the “Privacy Policy”). Customer acknowledges that, notwithstanding such security precautions and privacy measures, use of, or connection to, the Internet provides the opportunity for unauthorized third parties to circumvent such precautions and gain access to the Services and Customer data. Accordingly, Sentieo cannot and does not guarantee the privacy, security, integrity, or authenticity of any information transmitted over or stored using the Services or that any such security precautions will be adequate or sufficient.
8. Third Party Data. As part of the Services, Customer will have access to third-party information that may include, among other things, SEC filings, annual and interim reports, conference call transcripts, press releases, investor relations presentations, research reports, financial data, analyst estimates, consumer interest and traffic data, and other investment and financial documents and data (collectively, “Third Party Data”) that has been independently obtained or aggregated by Sentieo from third-party providers. Sentieo may in its sole discretion and without notice to Customer choose to discontinue or replace any Third Party Data provider. Each item of Third Party Data is the property of the applicable provider and is protected by copyright. Third Party Data is subject to the additional terms available at “Third Party Terms”. Customer shall not knowingly use Third Party Data for any unlawful purpose and shall not reproduce, retransmit, disseminate, sell, distribute, publish, broadcast, circulate, or commercially exploit any Third Party Data in any manner beyond the licenses granted herein and by the Third Party Terms, without the express, written consent of Sentieo and the relevant Third Party Data provider(s). Customer shall comply with reasonable written requests by Sentieo to protect Third Party Data. The Third Party Data providers are third party beneficiaries under this Agreement and shall be entitled (along with Sentieo or alone) to enforce the provisions of this Section 8 by legal proceeding or otherwise against Customer for Customer’s violations of the usage restrictions on the Third Party Data set forth herein. Customer’s obligations under this provision shall survive termination hereof.
9. Customer Responsible for Certain Items. Customer shall be responsible, among other things, for obtaining and maintaining all computer hardware, software, and communications equipment needed to access the Services and for paying all third-party fees and access charges (e.g., ISP, telecommunications, etc.) incurred while using the Services.
10. Compensation; Fees; Taxes. As consideration for performing the Services, Customer shall pay to Sentieo the fees and other compensation set forth on the applicable Order Form. If Sentieo elects to issue Customer invoices for any Services, Customer shall make payment to Sentieo within 30 days of the date specified on the invoice by negotiable instrument drawn on U.S. funds or by wire transfer to such account as Sentieo shall specify. Payments not received by Sentieo when due shall, at Sentieo’s sole discretion, be subject to a finance charge from the due date until the payment is made at a rate equal to the lesser of 1.5% per month or the maximum amount allowable under applicable law. Bank fees for returned checks shall be reimbursed by Customer. Sentieo shall have the right to terminate this Agreement immediately upon written notice if Customer does not make any payment when it becomes due and payable hereunder or if any check presented is returned due to insufficient funds. Customer shall reimburse Sentieo for its reasonable, documented, out-of-pocket expenses in performing the Services. All fees for Services specified herein are exclusive of any U.S. federal, state, or local sales, excise, use, value-added, or other taxes and tariffs. Customer shall pay all taxes that, as per applicable law, accrue to the buyer or beneficiary of services of the type provided by Sentieo to Customer hereunder.
11. Ownership. Subject to any licenses granted by Sentieo to Customer hereunder, as between Sentieo and Customer, all right, title, and interest in and to the Services and any other Sentieo materials furnished or made available as part of the Services hereunder, and all contributions thereto or derivatives, modifications, or enhancements thereof, including without limitation all rights under copyright and patent and other intellectual property rights, belong to and are retained solely by Sentieo or Sentieo’s licensors and providers, as applicable. Sentieo reserves all rights not expressly granted herein.
12. Term. The Term of this Agreement shall begin on the Effective Date and shall automatically renew for an additional one (1) year period on each subsequent anniversary of the Effective Date thereafter unless, at least sixty (60) days prior to an Effective Date anniversary, either party gives the other party written notice of its intent not to so renew.
13. Termination.
a) Breach. Either party may terminate this Agreement upon thirty (30) days prior written notice to the other party in the event of a material breach of any of the terms hereof by such other party, provided that such breach has not been cured within such 30-day period.
b) Insolvency. Either party shall have the right to terminate this Agreement immediately upon written notice if: (i) the other party has a receiver judicially appointed for itself or its property; (ii) the other party makes an assignment for the benefit of creditors; (iii) any proceedings are commenced by, for, or against the other party under any bankruptcy, insolvency, or debtor’s relief law and not dismissed within 45 days; or (iv) the other party is liquidated or dissolved.
c) Payments. All payments due hereunder are payable in advance of the period to which they apply. Sentieo shall have the right to suspend or terminate access to any Services, at its sole option, with or without notice to Customer if: (i) any payment is delinquent by more than sixty (60) days; (ii) if Customer breaches Sections 4 of this Agreement; or (iii) any contact or other information provided to Sentieo by Customer is false or fraudulent.
d) Effect of Termination. Neither Sentieo nor its suppliers shall be liable to Customer or any third party for suspension or termination of Customer’s access to, or right to use, the Services under this Agreement, provided such suspension or termination was effected in good faith. Customer shall owe and pay the balance due for the Services up to the date of termination. Upon the effective date of termination of this Agreement for any reason, Customer and its Authorized Users’ access to the Services shall terminate and Customer shall cease accessing and using the Services immediately. Within thirty (30) days of termination, Customer will purge the Services and any Sentieo materials from its infrastructure, return all materials provided in connection with the Services, and provide written notification that the Services have been purged. Sections 4, 11, 14, 16, 17, 18, 20, and 21, of this Agreement shall survive termination for any reason. Section 15 shall survive termination for a period of two years following termination.
14. Confidentiality.
a) Obligations. Each of the parties shall maintain in confidence any proprietary and non-public information of the other party, whether written or otherwise, disclosed by the other party in the course of performance of this Agreement that the receiving party knows or reasonably should know is considered confidential by the disclosing party (“Confidential Information”). The term Confidential Information shall include: (i) the terms and conditions of this Agreement, including pricing; (ii) any information about Customer’s or its Authorized Users’ utilization of the Services, including without limitation information concerning the companies or industries that Customer or its Authorized Users are researching; and (iii) any Third Party Data labeled as confidential by its provider. The receiving party shall not disclose, use, transmit, inform, or make available to any entity, person, or body any of the Confidential Information, except as a necessary part of performing its obligations hereunder, and shall take all such actions as are reasonably necessary and appropriate to preserve and protect such Confidential Information and the parties’ respective rights therein. Each party shall restrict access to the Confidential Information to those employees or agents who require access in order to perform and who agreed to be bound by these obligations of confidentiality and non-disclosure. Upon termination of this Agreement for any reason, the receiving party shall promptly return or destroy, all copies of the other party’s Confidential Information. After termination or expiration of this Agreement, each party will continue to treat Confidential Information received from the other party (or its suppliers and providers) in accordance with this Agreement, for so long as such information fits the definition of Confidential Information as limited by Section 14.b or until use and disclosure of the information would no longer be restricted by law even if this Agreement remained in full force. Notwithstanding anything in this Agreement to the contrary, Sentieo shall have the right to use and disseminate any data or information arising from the Services on an aggregated and anonymous basis only in connection with general enhancement and updates to the Services and for no other purpose whatsoever.
b) Exclusions. Confidential Information shall not include any information that is: (i) already known to the receiving party at the time of the disclosure; (ii) publicly known at the time of the disclosure or becomes publicly known through no wrongful act or failure of the receiving party; (iii) subsequently disclosed to the receiving party on a non-confidential basis by a third party not having a confidential relationship with the disclosing party and who rightfully acquired such information; or (iv) independently developed by or for the receiving party without use of or reference to any Confidential Information. A disclosure of Confidential Information that is legally compelled to be disclosed pursuant to a subpoena, summons, order, or other judicial or governmental process shall not be considered a breach of this Agreement, provided that the receiving party provides prompt notice of any such subpoena, order, or the like to the other party so that such party will have the opportunity to obtain a protective order or otherwise oppose the disclosure.
15. Non-Solicitation. During the term hereof and for a period of 2 years after the termination hereof, Customer shall not directly solicit for employment, hire away, or otherwise engage any employee or independent contractor of Sentieo.
16. Warranties, Disclaimers.
a) Sentieo Warranties. Sentieo represents and warrants that Sentieo has in place policies and procedures designed to adhere to the laws, rules, and regulations applicable to the securities industry, including without limitation policies and procedures applicable the provision of material, non-public information, and that the Services do not contain any material, non-public information.
b) Disclaimers. Neither Sentieo nor its suppliers, licensors, or Data Providers warrant that Customer’s use of the Services will be uninterrupted or that the Services will be error-free. Both parties acknowledge that software has inherent limitations, and Sentieo does not warrant that the Services will meet Customer’s requirements. EXCEPT AS SET FORTH IN THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, SENTIEO MAKES NO WARRANTIES (WHETHER IMPLIED OR ARISING BY STATUTE OR OTHERWISE IN LAW OR FROM A COURSE OF DEALING OR USAGE OF TRADE) FOR THE SERVICES OR ANY DATA TRANSMITTED THROUGH THE SERVICES. SENTIEO AND ITS SUPPLIERS, LICENSORS, AND PROVIDERS EXPRESSLY DISCLAIM ALL EXPRESS, STATUTORY, AND IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
17. Indemnification.
a) Sentieo shall indemnify, defend, or at its option settle, any third party claim or suit based on a claim that the Services (excluding any third party software) violate, infringe, or misappropriate any United States copyright, trademark, or trade secret, and Sentieo shall pay any final judgment entered against Customer in any such proceeding or agreed to in settlement, provided that: (i) Sentieo is promptly notified in writing of such claim or suit; (ii) Sentieo or its designee has control of such defense or settlement, provided, however, Sentieo will not settle any claim or suit without the prior written consent of Customer; and (iii) Customer gives information and assistance reasonably requested by Sentieo or its designee. To the extent that use of the Services is enjoined, but without derogating from Sentieo’s indemnification obligations set forth above, Sentieo may at Customer’s option either: (a) procure for Customer the right to use the Services; (b) replace the Services with other suitable products; or (c) refund the prepaid portion of the fee paid by Customer for the Services or the affected part thereof. Sentieo and its suppliers shall have no liability under this Section 17 or otherwise to the extent a claim or suit is based upon: (1) use of the Services in combination with software or hardware not provided by Sentieo if infringement would have been avoided in the absence of such combination; (2) modifications to the Services not made by Sentieo, if infringement would have been avoided by the absence of such modifications; or (3) modifications made to the Services by Sentieo but for which the design or specifications were dictated by the Customer, if infringement would have been avoided by the absence of such modifications. THIS SECTION 17 STATES SENTIEO’S AND ITS SUPPLIERS’ ENTIRE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR VIOLATION, INFRINGEMENT, AND MISAPPROPRIATION CLAIMS BASED ON THE SERVICES.
18. Limitation Of Liability.
a) Limitation on Direct Damages. IN NO EVENT WILL EITHER PARTY’S AGGREGATE LIABILITY, IF ANY, ARISING OUT OF OR IN ANY WAY RELATED TO THIS AGREEMENT EXCEED THE FEES PAID BY CUSTOMER FOR THE SERVICES FOR THE PERIOD OF TWELVE (12) MONTHS PRIOR TO THE EVENT THAT DIRECTLY GAVE RISE TO THE DAMAGES CLAIMED, WITHOUT REGARD TO WHETHER SUCH CLAIM IS BASED IN CONTRACT, TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE), PRODUCT LIABILITY, OR OTHERWISE.
b) Waiver of Special Damages. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, EXEMPLARY, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING WITHOUT LIMITATION LOSS OF DATA OR LOSS OF PROFITS, WITHOUT REGARD TO WHETHER SUCH CLAIM IS BASED IN CONTRACT, TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE), PRODUCT LIABILITY, OR OTHERWISE, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
c) Exceptions to Limitation of Liability. The limitations of liability set forth in this Section 18 shall not apply to: (i) losses or damages due to either party’s gross negligence, willful misconduct, or fraud; or (ii) either party’s indemnification obligations set forth in Section 17.
19. Marketing/Use Of Name. Except as otherwise set forth herein, Sentieo may refer to the Customer or Customer’s related funds, entities, or affiliates (together, the “Customer Group”) in any publicity materials, advertising, sales promotions, trade shows, or marketing materials or similar communications.
20. Governing Law; Venue; Dispute Resolution. This Agreement shall be governed by the laws of the State of California, excluding its conflict of laws rules. The parties agree that the United Nations Convention for the International Sale of Goods is excluded in its entirety from this Agreement. Any dispute or action arising out of or relating to this Agreement shall be submitted to and determined exclusively by binding arbitration under the then current Commercial Arbitration Rules of the American Arbitration Association and shall be adjudicated in San Francisco, California. With respect to the enforcement of such arbitration’s findings, each of the parties hereby irrevocably submits to the exclusive jurisdiction of the courts of the state of California and the United States of America, in each case located in San Francisco, California and waives any objection to venue being laid in such Courts whether based on the grounds of venue, forum non conveniens, or otherwise. EACH PARTY WAIVES, TO THE FULLEST EXTENT PERMITTED BY LAW, ANY RIGHT IT MAY HAVE TO A TRIAL BY JURY IN ANY ACTION, PROCEEDING, OR LITIGATION DIRECTLY OR INDIRECTLY ARISING OUT OF, UNDER, OR IN CONNECTION WITH THIS AGREEMENT.
21. General. The parties to this agreement are independent entities, and no agency, partnership, franchise, joint venture, or employee-employer relationship is intended or created by this Agreement. All notices to a party shall be in writing and sent to the addresses specified in the Order Forms or such other address as a party notifies the other party in writing, and shall be deemed to have been duly given: (i) when received, if personally delivered; (ii) when receipt is electronically confirmed, if transmitted by facsimile or email; (iii) the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and (iv) upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement may not be assigned or transferred by either party without the other party’s prior written consent, except that Sentieo may without seeking or obtaining such consent assign this Agreement to its successor-in-interest by way of merger or acquisition. Any assignment in derogation of the foregoing is null and void ab initio. This Agreement, together with any addenda, schedules, and exhibits, constitutes the entire agreement between the parties and supersedes all prior or contemporaneous agreements and understandings between the parties relating to the subject matter hereof. These Terms and the Privacy Policy may be reasonably updated by Sentieo from time to time. Any provision of this Agreement held to be unenforceable shall not affect the enforceability of any other provisions of this Agreement. Neither party shall be in default if its failure to perform any obligation under this Agreement is caused solely by supervening conditions beyond that party’s reasonable control including, without limitation, acts of God, civil commotion, war, strikes, labor disputes, third party Internet service interruptions or slowdowns, vandalism or “hacker” attacks, acts of terrorism, or governmental demands or requirements. Pre-printed terms and conditions on or attached to any Customer purchase order shall be of no force or effect.
Exhibit A
To
Master SaaS Agreement
Data Processing Policies
1. Definitions and interpretation
a. “Affiliates” means any person or entity controlling, controlled by or under common control with such party. For the purposes of this definition, control of an entity means the power, direct or indirect, to direct or cause the direction of the management and policies of such entity whether by contract or otherwise and, in any event and without limitation of the foregoing, any entity owning more than 50% of the voting securities of a second entity shall be deemed to control that second entity;
b. “Best Industry Practice” means, in relation to any undertaking or any circumstances, the exercise of the skill, care, diligence, prudence, foresight and judgement which would be expected from a suitably skilled, trained and experienced person operating to the standard that would be expected of a leading provider of services similar to the services described herein, under the same or similar circumstances;
c. “Customer” or “Customer Group” means “Customer,” as such term is defined in the agreement to which this Exhibit A is attached;
d. “Customer Data” means any data (including Personal Data), information, text, drawings or other material (in whatever form and on any medium including all electronic, optical, magnetic and tangible media) relating to the Customer Group or its customers, suppliers or personnel which is:
i. supplied or made available to Sentieo, its Staff and/or its Sub-Contractors by or on behalf of the Customer Group in furtherance of provision of Sentieo’s provisions the services to Customer;
e. “Data Protection Legislation” means all applicable laws and regulations relating to the processing of Personal Data and privacy including the EU Data Protection Directive (95/46/EC), the Electronic Communications Data Protection Directive (2002/58/EC) and the EU’s General Data Protection Regulation (2016/679/EC), including all law and regulations implementing or made under them, any amendment or re-enactment of them and, where applicable, the guidance and codes of practice issued by applicable Regulatory Bodies;
f. “Data Subject” shall have the meaning set out in the Data Protection Legislation;
g. “Intellectual Property Rights” means all rights in inventions, patents, copyrights, design rights, trademarks and trade names, service marks, trade secrets, know-how and any other intellectual property rights (whether registered or unregistered) and all applications for any of them, anywhere in the world;
h. “Personal Data” shall have the meaning set out in the Data Protection Legislation and for the purposes of this Agreement, “processing” has the meaning given to that term in the Data Protection Legislation and “process” and “processed” shall have a corresponding meaning;
i. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
j. “Regulatory Bodies” shall mean those government departments and regulatory, statutory and other bodies, entities and committees which, whether under statute, rule, regulation, code of practice or otherwise, are entitled to regulate, investigate or influence the matters relating to the security of data, personal data and privacy;
k. “Security Policies” means those respective security policies of Sentieo as set out in Section 7 of the Master SaaS Agreement and as amended and notified from time to time, and those security policies of Customer;
l. “Staff” means the employees, officers, independent contractors (and Affiliates of any independent contractors and their staff), agency workers and agents in each case of Sentieo and/or its Affiliates and/or of any Sub-Contractor of any such company engaged in the performance of the services or any part thereof; and
m. “Sub-Contractor” means any sub-contractor of Sentieo to whom any part of the services have been sub-contracted pursuant to this Agreement.
2. Data Protection and Data Security
a. In relation to the parties’ rights and obligations under this Agreement, the parties agree, subject to Clause 2a, that the Customer is the “controller” and Sentieo is the “processor” as defined in the Data Protection Legislation.
b. Sentieo agrees that in respect of any Personal Data supplied to the Customer by Sentieo relating to Sentieo’s Staff, Sentieo is the “controller” as defined in the Data Protection Legislation in respect of such Personal Data. Sentieo shall be exclusively responsible for ensuring compliance with all Data Protection Legislation relating to such Personal Data.
c. Neither party shall do, nor cause or permit to be done, anything which may result in a breach of the Data Protection Legislation by the other party.
d. Without limiting Clause 2c, Sentieo warrants, represents and undertakes to each member of the Customer Group that in respect of any Personal Data supplied by the Customer to Sentieo, Sentieo shall:
i. on behalf of the Customer, carry out Personal Data processing activities necessary for the purposes described in Clause 2g below and in processing Personal Data act only on the written instructions of the Customer. In the event that a legal requirement prevents Sentieo from complying with such written instructions (a “Conflicting Requirement”), Sentieo shall, unless such Conflicting Requirement prohibits it from doing so, promptly inform the Customer of the relevant Conflicting Requirement, before carrying out the processing activities, providing reasonable details of the nature and scope of the Conflicting Requirement and its anticipated impact on this Agreement and the processing of Personal Data by Sentieo;
ii. take reasonable measures to keep the Customer Data physically and logically separate and distinct from any other data compiled, maintained or used by Sentieo as required;
iii. take all appropriate technical and organizational measures against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, including, without limitation by:
1. taking reasonable steps to ensure the reliability of any Sentieo Staff who have access to the Personal Data;
2. ensuring a level of security appropriate to the nature of the Personal Data and the risks that are presented by its processing (including , without limitation the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, or processing of such Customer Data);
3. the encryption, and (where reasonably practicable) the pseudonymisation, of Personal Data;
4. maintaining the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services processing Personal Data and the premises at which such Personal Data are processed (including, without limitation, by complying with the Security Policies);
5. maintaining the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident and performing regular and secure backups of all of the Personal Data in its possession or control;
6. implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data; and
7. taking any other steps required by Data Protection Legislation,
iv. ensure that only those Sentieo Staff that need to have access to the Personal Data are given access to the extent necessary to provide the services and only after the relevant Staff have been informed by Sentieo of the confidential nature of the Personal Data and such Staff agree in writing to be bound by a duty of confidentiality and comply with the obligations set out in this Clause 2;
v. not publish, disclose or divulge (and ensure that its Staff do not publish, disclose or divulge) any of the Personal Data to any third party, nor allow any third party to process the Personal Data on Sentieo’s behalf, unless the Customer has given its prior written consent. Where the Customer gives such written consent and Sentieo allows a third party to process the Personal Data:
1. Sentieo shall ensure that the third party is bound by the same data protection obligations that Sentieo is subject to under this Clause 2;
2. the Customer shall be entitled to revoke a consent given in respect of a third party in the event that the third party’s processing of Personal Data in connection with this Agreement is in breach of or is reasonably likely to breach this Agreement;
vi. not transfer, or otherwise permit access to, the Personal Data outside the European Economic Area without the prior written consent of the Customer;
vii. implement and guarantee all such further technical and organizational security measures in relation to the processing of the Personal Data as the Customer may reasonably consider necessary in order to comply with Data Protection Legislation;
viii. comply with the relevant requirements of Data Protection Legislation at its own reasonable and required expense;
ix. provide the Customer with reasonable cooperation and assistance in connection with its compliance with Data Protection Legislation;
x. notify the Customer of any queries, complaints and other correspondence received from any Regulatory Body in relation to the processing of the Customer Data without undue delay and only respond to the Regulatory Body after consultation with, and in accordance with the instructions of, the Customer;
xi. notify the Customer of any complaint or request made in relation to Data Subject rights (including a request made in respect of the Data Subject’s right of access, right to object, right to be provided with fair processing information and his/her rights to rectification and erasure of the data within the statutory response periods) without undue delay (a “Data Subject Request”) and provide the Customer with full co-operation and assistance in relation to:
1. any such Data Subject Request, including by allowing the Customer unrestricted access to the Customer Data and such other records as the Customer shall reasonably require, providing the Customer with full details of any such Data Subject Request and taking such steps as are required by the Customer in order for the Customer to comply with the Data Subject Request; and
2. any request from the Customer requiring Sentieo to take reasonable steps to ensure that third parties to whom the Personal Data has been provided by the Supplier erase any links to, or copies of, Personal Data in accordance with the requirements of Data Protection Legislation;
xii. permit, by not less than 24 hours’ notice, at any time (and immediately by notice if the Customer reasonably believes there to have been a breach of this Clause 2 or if required by law or a Regulatory Body requires it), the Customer and/or a reputable third party auditor appointed by the Customer, at Customer’s expense, after the auditor signs Sentieo’s non-disclosure agreement, to access the Sentieo Systems and locations or any data centers from which Services data is being stored and all other information reasonably required by the Customer in order to establish whether Sentieo has complied with its obligations under this Clause 2;
xiii. amend, update, delete or supplement, any Personal Data forthwith if the Customer so requests in order to comply with Data Protection Legislation;
xiv. if there is a Personal Data Breach, or if Sentieo identifies any imminent risk of a Personal Data Breach, notify the Customer within 24 hours (providing all such details as the Customer may reasonably request) and take all steps to mitigate or avoid such Personal Data Breach;
xv. provide all reasonable cooperation and assistance to the Customer in connection with addressing any actual or threatened Personal Data Breach;
xvi. assist the Customer with the making of any mandatory notifications to Regulatory Bodies and/or affected individuals in the event of a Personal Data Breach;
xvii. if any of the Personal Data is lost, corrupted, degraded or otherwise altered, due to an act or omission of Sentieo or its Staff, permit the Customer to, at Sentieo’s expense, require Sentieo to restore or procure the restoration to the Customer Data within ten (10) days (or other reasonable timeframe that may be updated upon notice to Customer from time to time);
xviii. upon expiry or termination of this Agreement for any reason or when requested in writing to do so:
1. redeliver all records of the Customer Data (or the relevant part thereof) to the Customer without charge within fourteen (14) days in such a format as the Customer may require or; and/or
2. if so requested by the Customer, irretrievably delete the Personal Data (or the relevant part thereof), including any copies thereof, instead of delivering that Personal Data to the Customer (except to the extent that Sentieo is required by law to retain copies of the Personal Data);
xix. take steps to ensure that it, its Staff and/or its Sub-Contractors do not deliberately or negligently corrupt, erase or otherwise alter such Personal Data;
xx. not disclose passwords (if any) supplied by the Customer to access the Customer’s systems or the Personal Data to any person other than its Staff or Sub-Contractors with a need to know;
xxi. notify the Customer without undue delay if it considers that this Clause 2 has, or may have, been breached (other than in relation to Personal Data Breaches where Clause 2.d.xiv shall apply; and
xxii. without prejudice to the generality of any applicable clause above, use encryption technology on all mobile devices used to share and/or transport Personal Data, such technology to be appropriate to the nature of the Personal Data and the harm that could result from unauthorised processing of such Personal Data.
e. Sentieo hereby completely and irrevocably assigns to Customer by way of present assignment of all present and future rights, all copyright, database rights, other Intellectual Property Rights and other rights of whatever nature in and to the Customer Data to the extent that they have been or are acquired by Sentieo in the provision of the Services.
f. The Personal Data processing to be carried out under this Agreement is described below1 :
| Subject matter of the processing | User account data for providing the services, including SaaS services |
| Types of personal data being processed | User-provided information, account information, service data, usage information, device information, cookies, site tags |
| Categories of individuals whose data is being processed | Consenting customers of service |
| Types of data processing to be carried out | Storage and user authentication |
| Purpose of the data processing | User authentication, usage monitoring, marketing (when appropriate levels of consent received), and fulfillment of services |
| Duration of processing | The term of the Agreement |
1 Article 28(3) states that the data processing contract must explain the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.