SOURCEPOINT SUBSCRIPTION SERVICE AGREEMENT Last Revised: 01 October 2018
This Sourcepoint Subscription Service Agreement (including any related or attached schedules, exhibits, annexes, appendices and online or other Order Forms) (“Agreement”) is a legal agreement between Sourcepoint Technologies, Inc., a Delaware corporation with the postal mail address of 228 Park Avenue South #87903, New York, New York 10003-1502 (“Sourcepoint”) and you, the person accepting the terms of this Agreement (“Publisher”). If you are using the Sourcepoint Services on behalf of a company, organization, or other entity, then "Publisher" includes you and that entity, and if you are creating an account on behalf of a company, organization, or other entity, you represent and warrant that you are an authorized representative of the entity with the authority to bind the entity to this Agreement, and that you agree to this Agreement on the entity's behalf.
Prior to accessing or using the Sourcepoint Services, Publisher must affirm its consent to being bound by the terms and conditions set forth in this Agreement by checking the box indicating Publisher’s acceptance of such terms and conditions. By checking such box, Publisher acknowledges: (a) that Publisher has read and understood this Agreement; and (b) that Publisher is legally competent to enter into and agree to this Agreement. If Publisher does not check such box or does not agree with this Agreement, Publisher will not be able to access the Sourcepoint Services or be entitled to receive such access.
In consideration of the mutual covenants contained herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties, intending to be bound, agree as follows:
1. DEFINITIONS. Capitalized terms shall have the meanings set forth below or as otherwise defined throughout the Agreement:
“Authorized User” means an individual employee, consultant, broker or other authorized representative of Publisher that Publisher has expressly authorized to use and access the Sourcepoint Service through its Sourcepoint account.
“Developments” means the collective ideas, know-how, inventions, methods, or techniques developed or conceived as a result of providing the Sourcepoint Service hereunder, including without limitation any derivative works, improvements, enhancements and/or extensions made to the Sourcepoint Service and all Intellectual Property Rights therein and thereto throughout the world.
“Documentation” means any proprietary documentation made available to Publisher by Sourcepoint for use with the Sourcepoint Service, including any documentation available online or otherwise.
“End User” means an individual user of Publisher Properties
“End User Data” means data supplied to the Sourcepoint Service by End Users
“Intellectual Property Rights” means all patent rights, copyright rights, mask work rights, rights of publicity, trademark, trade dress and service mark rights, goodwill, trade secret rights and other intellectual property rights as may now exist or hereafter come into existence, and all applications therefore and registrations, renewals and extensions thereof, under the laws of any state, country, territory or other jurisdiction.
“Mobile Application” means the Sourcepoint mobile software application(s) that integrates with the online applications offered through the Sourcepoint Site.
“Personally Identifiable Information” means any information relating to an identified or identifiable End User, excluding any information that an End User expressly submits to Sourcepoint in connection with an End User interacting with a Sourcepoint Product or Service. An identifiable End User is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
“Sourcepoint Content” means all content, including without limitation software (in object or source code form), script, programming code, data, information, structural hierarchies, interfaces, processes, HTML code, trademarks, service marks, proprietary logos, distinctive brand features, images, illustrations, graphics, multimedia files and/or text, contained in the Sourcepoint Service, as well as the structure, selection, coordination, expression, “look and feel”, and arrangement of the Sourcepoint Service, and all Intellectual Property Rights therein or relating thereto. “Sourcepoint Data” means any data or information provided by Sourcepoint or generated by or in connection with the provision or use of the Sourcepoint Service.
“Sourcepoint Service” or “Services” means each of Sourcepoint’s proprietary software-as-a-service platforms and tags, together with any fixes, updates, enhancements and upgrades thereto. Without limiting the foregoing, the term “Sourcepoint Service” includes, but is not limited to, the services offered through the Mobile Application and the Sourcepoint Site, which includes the Sourcepoint Content, the Documentation, and the Sourcepoint Data.
“Sourcepoint Site” means Sourcepoint’s website located at http://www.sourcepoint.com/ and all subdomains thereof.
“Publisher Data” means any data, content, or information directly provided to Sourcepoint or the Sourcepoint Service by Publisher or any Authorized User or End User, including End User Data, but excluding data and information relating to the operation and/or performance of the Sourcepoint Service.
“Publisher Properties” means any web sites, web pages or mobile applications on which Publisher utilizes the Sourcepoint Service.
2. LICENSE GRANT. Subject to the terms and conditions of this Agreement, including Publisher’s payment of all applicable fees and compliance with all of Section 3 and 9.2 below, Sourcepoint grants Publisher a limited, revocable, non-exclusive, non-transferable license (without the right to sublicense) during the Term to access and use the Sourcepoint Service(s) selected by Publisher solely for the purpose(s) specified in an Order Form and in accordance with any applicable Documentation. The foregoing license grant is not a sale of the Sourcepoint Service or any copy thereof, and Sourcepoint or its third-party partners or suppliers retain all right, title, and interest in the Sourcepoint Service (and any copies or derivatives thereof). Any attempt by Publisher to transfer any of the rights, duties or obligations hereunder, except as expressly provided for in this Agreement, is void. Sourcepoint reserves all rights not expressly granted under this Agreement. For clarity, this Agreement only grants a license to the portion of the Sourcepoint Services for which Publisher pays a Fee (with the exception of any free version of the Sourcepoint Services) or is eligible for a Trial Term. If Publisher would like to expand its subscription to cover additional Sourcepoint Services, Publisher will be asked to again confirm that this Agreement governs the Publisher’s new subscription.
3. LICENSE RESTRICTIONS. Publisher shall not, directly or indirectly, nor shall Publisher permit any third party to: (a) copy, distribute, attempt to get unauthorized access to, or disclose any part of the Sourcepoint Service in any medium, including without limitation by any automated or non-automated “scraping” of Sourcepoint Data or Sourcepoint Content; (b) use any automated system (including without limitation “robots,” “spiders,” and “offline readers”) to access the Sourcepoint Service in a manner that sends more request messages to the Sourcepoint servers than a human can reasonably produce in the same period of time by using a conventional on-line web browser; (c) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the Sourcepoint Service; (d) modify or create derivative works based on the Sourcepoint Service or any related Documentation; (e) rent, lease, distribute, sell, resell, assign, or otherwise transfer Authorized User’s rights to use the Sourcepoint Service; (f) use the Sourcepoint Service for timesharing or service bureau purposes or otherwise for the benefit of a third party; (g) remove any proprietary notices from the Sourcepoint Service or any other Sourcepoint materials furnished or made available hereunder; (h) use the Sourcepoint Service to develop any similar or competitive service, or other information resource of any kind (print, electronic or otherwise) for sale to, distribution to, display to or use by others; (i) use the Sourcepoint Service in violation of any federal, state, or local law, rule, or regulation, or any third-party right known to Publisher; (j) take any action that imposes, or may impose at Sourcepoint’s sole discretion an unreasonable or disproportionately large load on the Sourcepoint infrastructure; (k) upload invalid data, viruses, worms, or other software agents through the Sourcepoint Service; (l) bypass the measures Sourcepoint may use to prevent or restrict access to the Service, including without limitation features that prevent or restrict use or copying of any content or enforce limitations on use of the Service or the content therein; or(m) share login information for the Sourcepoint Services or otherwise allow unauthorized users to use the Sourcepoint Services under the account opened by Publisher pursuant to this Agreement.
4. free trials & free versions of the services; VOLUME LIMITS
4.1 The following provision only applies to Publishers granted access to a free trial to use the Sourcepoint Services, as expressly indicated by Sourcepoint at the time Publisher accepts this Agreement: PUBLISHER UNDERSTANDS AND HEREBY AGREES THAT IF PUBLISHER DOES NOT UPGRADE INTO A FEE-PAYING SUBSCRIPTION FOR THE RELEVANT SERVICE ON OR PRIOR TO THE LAST DAY OF THE TRIAL TERM SPECIFIED BY SOURCEPOINT, ANY AND ALL ACCESS RIGHTS TO THE SOURCEPOINT SERVICE WILL TERMINATE AS OF THE END OF SUCH FREE TRIAL TERM AND ANY AND ALL PUBLISHER DATA (INCLUDING ANY PUBLISHER PROFILES OR CUSTOMIZATIONS PUBLISHER MADE OR UPLOADED TO THE SERVICE) WILL NO LONGER BE ACCESSIBLE BY PUBLISHER. SOURCEPOINT RESERVES THE RIGHT TO TERMINATE PUBLISHER’S FREE TRIAL PERIOD AT ANY TIME IN SOURCEPOINT’S SOLE DISCRETION. Upon entering a paid subscription by executing an Order Form (or the online equivalent), Publisher’s use of the Sourcepoint Services shall continue to be governed by this Agreement and by offering payment for the applicable Fee, Publisher agrees to continue to be bound by the terms hereof.
4.2 The following provision only applies to Publishers granted access to a free version of the Sourcepoint Services, as expressly indicated by Sourcepoint at the time Publisher accepts this Agreement: PUBLISHER UNDERSTANDS AND HEREBY AGREES THAT SOURCEPOINT MAY DISCONTINUE ANY FREE VERSION OF THE SERVICES UPON 60 DAYS NOTICE TO PUBLISHER, AND IF THAT OCCURS, IF PUBLISHER DOES NOT UPGRADE INTO A FEE-PAYING SUBSCRIPTION FOR THE RELEVANT SERVICE ON OR PRIOR TO THE LAST DAY SPECIFIED BY SOURCEPOINT, ANY AND ALL ACCESS RIGHTS TO THE SOURCEPOINT SERVICE WILL TERMINATE AS OF SUCH DATE AND ANY AND ALL PUBLISHER DATA (INCLUDING ANY PUBLISHER PROFILES OR CUSTOMIZATIONS PUBLISHER MADE OR UPLOADED TO THE SERVICE) WILL NO LONGER BE ACCESSIBLE BY PUBLISHER. Upon entering a paid subscription by executing an Order Form (or the online equivalent), Publisher’s use of the Sourcepoint Services shall continue to be governed by this Agreement and by offering payment for the applicable Fee, Publisher agrees to continue to be bound by the terms hereof.
4.3 An Order Form, price lists or other Documentation may indicate volume limits, such as a page-view limit per month, for each version or price tier of the Sourcepoint Service, including any free trial or free version (“Volume Limit”). If Volume Limits are exceeded, unless otherwise specified on the applicable Order Form, Sourcepoint may charge Publisher, and Publisher agrees to pay, $0.10 per thousand page-views that exceed the Volume Limit (“Overage Fees”). Sourcepoint at its option may also or instead automatically upgrade Publisher to the tier of pricing applicable to the volume being used, and charge Publisher, and Publisher agrees to pay, accordingly.
7. PROPRIETARY RIGHTS.
7.1. Publisher Proprietary Rights and License.
(b) Sourcepoint hereby acknowledges that, as between Publisher and Sourcepoint and subject to Section 7.2 below, Publisher owns all legal right, title, and interest in and to Publisher Marks (as defined below) and all Intellectual Property Rights therein. Nothing in this Agreement will confer on Sourcepoint any right of ownership or interest in Publisher Marks or the Intellectual Property Rights therein. Publisher reserves all rights in Publisher Marks not expressly granted under this Agreement. Sourcepoint may use Publisher’s trade names, trademarks, service marks, logos, domain names, and other distinctive brand features (collectively, “Publisher Marks”), in presentations, marketing materials, customer lists, financial reports and website listings (including links to Publisher website) for the purpose of advertising or publicizing the Sourcepoint Service and/or Sourcepoint’s business.
7.2. Sourcepoint Proprietary Rights.
(a) Publisher hereby acknowledges that, as between Publisher and Sourcepoint, Sourcepoint owns all legal right, title and interest in and to (a) (i) the Sourcepoint Service (including, without limitation, the Sourcepoint Site, the Sourcepoint Content, the Mobile Application, and the Sourcepoint Data), (ii) the Developments, and (iii) all Intellectual Property Rights in the foregoing. Without limiting the foregoing, Sourcepoint shall own all right, title, and interest in and to any Developments resulting from any work performed to customize the Sourcepoint Service for Publisher. If Publisher or any Authorized User is ever held to have any right or interest in or to the Sourcepoint Service or any Developments, Publisher hereby assigns, and shall procure that the Authorized User assigns, to Sourcepoint all such right, title, and interest, including all Intellectual Property Rights therein. Nothing in this Agreement will confer on Publisher any right of ownership or interest in the Sourcepoint Service, the Developments, or the Intellectual Property Rights therein. Sourcepoint reserves all rights in the Sourcepoint Service not expressly granted under this Agreement, whether arising under the theories of license or estoppel.
(b) If Publisher provides Sourcepoint with any suggestions, ideas, feedback, reports, error identifications or other information related to the operation of the Sourcepoint Service or Publisher’s use and evaluation thereof (“Feedback”), Publisher hereby assigns to Sourcepoint all right, title and interest in and to all Feedback, including all Intellectual Property Rights therein, and shall assist Sourcepoint in perfecting such rights and obtaining assignments of such rights from all individuals involved in generating the Feedback.
8. SECURITY; PRIVACY.
8.1 Sourcepoint uses reasonable physical, managerial, and technical safeguards to preserve the integrity and security of Publisher Data and End User Data. Publisher acknowledges that, notwithstanding such security precautions, use of, or connection to, the Internet provides the opportunity for unauthorized third parties to circumvent such precautions and illegally gain access to the Sourcepoint Service and Publisher Data. Accordingly, Publisher acknowledges and agrees that Sourcepoint cannot and does not guarantee or accept any liability in connection with the privacy, security, integrity or authenticity of any information so transmitted over or stored in any system connected to the Internet (including Publisher Data) or that any such security precautions will be adequate or sufficient.
8.2 Sourcepoint shall not collect any Personally Identifiable Information of End Users, including without limitation through the Tags or the Sourcepoint Platform, unless required to perform the Services or unless Publisher has given prior written consent; provided that Publisher hereby consents to the collection of usage statistics associated with any End User’s access of the Publisher Properties solely in connection with Sourcepoint performing its obligations under this Agreement.
8.3 For Companies based in the EU/EEA or Companies that fall in scope of GDPR under Art. 3 GDPR, the following applies: In context of providing the Services under the Agreement, Sourcepoint may process certain Publisher Data that qualifies as personal data (as defined by GDPR). In this regard, Publisher is data controller and Sourcepoint is data processor that acts upon instructions of Publisher. Details are agreed in the data processing agreement in Schedule 1 to this Agreement - Data Processing Agreement which is attached to and incorporated into this Agreement, If there is any conflict between the main body of this Agreement (including but not limited to the Order Form) and Schedule 1, then the terms of Schedule 1 shall prevail.
9. PUBLISHER OBLIGATIONS.
9.1. Hardware. Publisher is solely responsible for obtaining and maintaining all computer hardware, software and communications equipment needed to access and use the Sourcepoint Service, and for paying all third-party fees and access charges (e.g., ISP, telecommunications) incurred while using the Sourcepoint Service.
9.2. Conduct. Publisher represents and warrants that Publisher and its Authorized Users: (a) will abide by all local, state, national, and international laws, rules, and regulations applicable to Publisher’s use of the Sourcepoint Service, including without limitation, all applicable privacy laws and data protection legislation; (b) has all necessary rights to provide and use any data and/or content (including Publisher Data) that Publisher provides or makes available to Sourcepoint in connection with Publisher’s use of the Sourcepoint Service and that Sourcepoint’s use thereof as contemplated by this Agreement will not violate any right of any third party or any law, rule, or regulation; (c) will not provide any content or information in violation of any fiduciary duty, duty of confidentiality, or contractual obligation; (d) will not transmit through or store on the Sourcepoint Service any data or content in violation of the rights of any individual or entity in any jurisdiction, including without limitation, rights of privacy, rights of publicity, trade secret rights, or any Intellectual Property Rights; (e) will not use the Sourcepoint Service for illegal, fraudulent, unethical or inappropriate purposes; (f) will not interfere or disrupt networks connected to Sourcepoint Service or interfere with the ability of others to access or use the Sourcepoint Service; and (g) will not transmit or upload any material or otherwise use the Sourcepoint Service in any manner that could constitute a criminal offense or give rise to civil liability. Publisher acknowledges that Publisher is solely responsible for any Publisher Data and other content that Publisher makes available to the Sourcepoint Service and that the Sourcepoint Service is a passive conduit. Sourcepoint neither endorses the contents of any of Publisher Data nor assumes any responsibility for any infringement of third party rights arising therefrom or any crime facilitated thereby. Publisher shall notify Sourcepoint if Publisher becomes aware that the Sourcepoint Service is being used for any illegal or unauthorized purpose.
10. enterprise subscription
10.1. If after an individual Publisher purchases a subscription to use the Services, an entity that employs Publisher or that is otherwise affiliated with Publisher subsequently purchases a subscription to use the Sourcepoint Services (an “Enterprise Subscription”), and such entity then elects to assume Publisher’s subscription, Publisher’s initial subscription will be terminated (and Publisher’s account and related Publisher Data will be transferred to the Enterprise Subscription) and Publisher will have no further payment obligations under such terminated subscription; provided that Publisher’s other obligations under this Agreement will remain in force and unaffected by such transfer.
10.2. Regardless of whether any Enterprise agreement is in effect, if Publisher is an individual and Publisher’s account (i) is paid for by an employer or company (in the case of an independent contractor), (ii) was created at the request of an employer or company, (iii) uses a work-sponsored email address, (iv) is administered by an employer or company, and/or (v) otherwise reasonably appears to Sourcepoint as controlled by an employer or company, Sourcepoint will consider Publisher’s account and all information associated therewith as property of such employer or company as the ultimate account holder. This means that upon request of Publisher’s employer, Sourcepoint will disclose information Publisher shares with Sourcepoint to such employer or company. Upon the cessation of Publisher’s employment or contract for any reason, Publisher will have to create a new account to continue to access the Services, and Sourcepoint may block or discontinue access rights associated with any former employer or company account or any Publisher Data connected thereto.
11. FEES AND TAXES.
11.1. Fees and Payment. In consideration for the provision of the Sourcepoint Services to Publisher, Publisher shall pay Sourcepoint the subscription and/or other fees (including Overage Fees, if any) applicable to such use, as set forth in any order form (or the online equivalent) or other written communication between the parties (“Order Forms”) executed between the parties or submitted by Publisher via the Order Form page on the Sourcepoint Service (“Fees”) in accordance with the payment terms set forth in such Order Form(s). If Publisher provides its payment by way of credit card or debit card, Publisher hereby grants permission to Sourcepoint to charge all Fees due and owing to such credit card or debt card, including monthly, annual or other renewals, on the date on which such Fees are due. Publisher may withdraw its consent to Sourcepoint’s use of such credit card or debit card by providing thirty (30) days’ prior written notice to Sourcepoint. Such withdraw does not constitute a termination of the Services and Publisher shall remain liable for any Fees as they become due. Publisher represents that it is the card holder of any credit card or debit card that it provides to Sourcepoint for payment(s), or that Publisher is duly authorized to provide the consent to use such credit card or debit card as set forth in this Section. Payment obligations for use of the Sourcepoint Services are non-cancelable and fees paid are non-refundable.
11.2. Taxes. All Fees are exclusive of all taxes, levies or duties, and Publisher will be responsible for payment of such taxes, levies or duties resulting from its use of the Sourcepoint Service, excluding only federal and state taxes based solely upon Sourcepoint’s net income. If Sourcepoint has the legal obligation to pay or collect taxes for which Publisher is responsible pursuant to this Section, Sourcepoint will invoice the amount of such taxes to Publisher and Publisher shall pay such amount, unless Publisher provides Sourcepoint with a valid tax exemption certificate authorized by the appropriate taxing authority.
11.3. Reporting. All reported numbers for purposes of billing, payments, the determination of fees and general delivery reporting, including but not limited to any page-view-based or other Volume Limits and Overage Fees, shall be based on measurements within the Sourcepoint Service.
11.4. Suspension. Sourcepoint reserves the right to suspend Publisher’s access to the Sourcepoint Service with notice in the event of Publisher non-payment or late payment.
12. term & TERMINATION.
12.1. Agreement Term. This Agreement shall commence on the date Publisher accepts this Agreement and, unless earlier terminated pursuant to Section 12.4, shall continue until all of Publisher’s subscriptions or rights to access or use the Sourcepoint Services are terminated or expired (the “Term”). The initial term shall be specified on the Order Form.
12.2. Automatic Renewal. Except as otherwise specified in an Order Form, subscriptions will automatically renew for additional periods, either for one month or one year, as determined by the initial term on the Order Form, unless either party gives the other 30 days prior notice of non-renewal before the end of the relevant subscription term. The subscription fee for a renewal term will be at Sourcepoint’s applicable list price in effect at the time of the renewal, unless Sourcepoint notifies Publisher of a different price at least 30 days before the end of the relevant subscription term. Notwithstanding anything to the contrary, any renewal in which subscription volume for any Services has decreased from the prior term will result in re-pricing at renewal without regard to the prior term’s per-unit pricing.
12.3. Trial Term. The following provision only applies to Publishers entitled to a free trial, as indicated by Sourcepoint at the time Publisher accepts this Agreement: Publisher has a free trial for the period of time specified by Sourcepoint at the time Publisher accepts this Agreement (“Trial Term”), during which Publisher will have full access and use of the Services without payment obligations of any kind. If Publisher does not opt in to a paid subscription within the Trial Term, this Agreement will terminate and Sourcepoint will terminate Publisher’s account and all access rights to the Services and Publisher Data will not be accessible by Publisher. For the avoidance of doubt, if this Agreement terminates for Publisher’s failure to opt in to a paid subscription, the effects of termination set forth in Section 12.5 shall apply.
12.4. Termination. Either party may terminate this Agreement at the end of any subscription term set forth in an Order Form (whether 12 months or otherwise) by providing the other party written notice at least 30 days’ prior to the end of such term. Notwithstanding the foregoing, (i) either party may terminate this Agreement for a material breach by the other party that remains uncured for 30 days, and (ii) Sourcepoint may immediately terminate this Agreement and any Order Form(s) then in effect and the rights granted hereunder and thereunder, including the use of the Sourcepoint Services, in the event of any breach or alleged breach by Publisher of Sections 2, 3, 7.2, or 9.2 (or any portion thereof), or for non-payment. In the case Sourcepoint elects to terminate this Agreement for cause in accordance with the foregoing provision, Publisher will not be entitled to any refund, regardless of the remaining duration of the Term.
12.5. Effect of Termination. Upon the expiration or termination of this Agreement for any reason, whether by Publisher or Sourcepoint: (a) all licenses granted to Publisher hereunder shall terminate and Publisher will have no rights to use any portion of the Sourcepoint Service, including any Sourcepoint Content or Sourcepoint Data; (b) Publisher’s right to use the Sourcepoint Service shall cease; (c) Publisher shall immediately cease accessing and using the Sourcepoint Service; and (d) Publisher will comply with Section 13.3. All terms which by their nature should survive the expiration or termination of this Agreement shall so survive, including Sections 1, 7, and 13-17.
13.1. Obligations. Each of the parties shall maintain in confidence any non-public, confidential or proprietary information disclosed by the other party before, on or after the date upon which Publisher agrees to the terms of this Agreement, either directly or indirectly, whether disclosed orally or disclosed or accessed in written, electronic or any other form or media, whether tangible or intangible, and whether or not marked, designated, or otherwise identified as “confidential” (“Confidential Information”). The receiving party and its Authorized Users shall not disclose, use, transmit, inform or make available to any third party any Confidential Information of the disclosing party, and shall not use any Confidential Information of the other party except as necessary in order to perform its obligations under this Agreement. Each party shall take all actions as are reasonably necessary and appropriate to preserve and protect the Confidential Information of the other party and such party’s respective rights therein, at all times exercising at least the same degree of care that it uses to protect its own Confidential Information of a similar nature, but in no event less than a reasonable degree of care. Each party shall restrict access to the Confidential Information of the other party to those employees or agents who require access in order to perform hereunder. Sourcepoint’s “Confidential Information” includes, without limitation, the Sourcepoint Service (and all components thereof), the terms of this Agreement and any negotiations between Publisher and Sourcepoint regarding future use of the Sourcepoint Services (including, without limitation, any fees payable thereunder).
13.2. Exclusions. Confidential Information shall not include any information that is (a) already rightfully known to the receiving party at the time of the disclosure; (b) publicly known at the time of the disclosure or becomes publicly known through no wrongful act or failure of the receiving party; (c) subsequently disclosed to the receiving party on a non-confidential basis by a third party not having a confidential relationship with the other party that rightfully acquired such information; or (d) communicated to a third party by Publisher with the express written consent of the disclosing party. A disclosure of Confidential Information that is legally compelled to be disclosed pursuant to a subpoena, summons, order or other judicial or governmental process shall not be considered a breach of this Agreement; provided the receiving party provides prompt notice of any such subpoena, order, or the like to the disclosing party so that such party will have the opportunity to obtain a protective order or otherwise oppose the disclosure.
13.3. Destruction or Return of Confidential Information. Upon expiration of the Trial Term or termination of this Agreement for any reason, the receiving party shall, upon request of the disclosing party, return to the disclosing party, or otherwise destroy (with written certification of the same), all copies of the disclosing party’s Confidential Information , except for archival and back-up copies on back-up tapes and if, and to the extent, the receiving party is required to retain such material under applicable laws or regulations.
13.4. Remedies. Publisher acknowledges and agrees that Sourcepoint’s Confidential Information has been developed at significant cost and has significant commercial value to Sourcepoint, and that Sourcepoint may suffer irreparable damage as a result of any breach of this Agreement. Therefore, in addition to all other remedies available at law (which Sourcepoint does not waive by the exercise of any rights hereunder), Sourcepoint shall be entitled to specific performance and injunctive and other equitable relief as a remedy for any such breach or threatened breach, and Publisher hereby waives any requirement for the securing or posting of any bond or the showing of actual monetary damages in connection with such claim.
14. WARRANTY DISCLAIMER.
PUBLISHER ACKNOWLEDGES THAT THE SOURCEPOINT SERVICE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SOURCEPOINT, ITS LICENSORS AND SUPPLIERS EXPRESSLY DISCLAIM ALL, AND MAKE NO, WARRANTIES OF ANY KIND (WHETHER EXPRESS, STATUTORY, IMPLIED OR OTHERWISE ARISING IN LAW OR FROM A COURSE OF DEALING OR USAGE OF TRADE) WITH RESPECT TO THE SOURCEPOINT SERVICE, INCLUDING, WITHOUT LIMITATION, THE CONDITIONS AND/OR WARRANTIES OF MERCHANTABILITY, MERCHANTABLE QUALITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. SOURCEPOINT FURTHER EXPRESSLY DISCLAIMS ANY AND ALL LIABILITY ARISING OUT OF OR RELATING TO ANY THIRD PARTY SITES LINKED TO FROM THE SOURCEPOINT SERVICE. SOURCEPOINT DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOURCEPOINT SERVICE WILL MEET PUBLISHER’S REQUIREMENTS OR THAT THE OPERATION OF THE SOURCEPOINT SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE OR THAT DEFECTS WILL BE CORRECTED. SOURCEPOINT IS NOT OBLIGATED TO PROVIDE PUBLISHER WITH ANY UPDATES TO THE SOURCEPOINT SERVICE BUT MAY ELECT TO DO SO IN ITS SOLE DISCRETION.
15.1. Publisher shall indemnify, hold harmless, and defend Sourcepoint and its officers, directors, employees, agents, affiliates, successors and permitted assigns (collectively, “Indemnified Party”) against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, that are incurred by Indemnified Party (collectively, “Losses”) arising out of any third party claim (a) alleging breach or non-fulfillment of any representation, warranty or covenant under this Agreement by Publisher or its Authorized Users (including use of the Sourcepoint Service in violation of this Agreement), (b) alleging any grossly negligent or more culpable act or omission of Publisher or its Authorized Users, including any reckless or willful misconduct, in connection with the performance of its obligations under this Agreement, or (c) relating to, or arising out of, the use or provisioning of any Publisher Data or Sourcepoint Data.
16. LIMITATION OF LIABILITY.
16.1. Exclusive Remedy. If Publisher is dissatisfied with the Sourcepoint Services, its sole and exclusive remedy is to terminate its use of the Sourcepoint Services and this Agreement in accordance with Section 12.
16.2. Consequential Damages Waiver. UNDER NO CIRCUMSTANCES SHALL SOURCEPOINT, OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION AND THE LIKE) ARISING OUT OF OR RELATING TO THE USE AND/OR INABILITY TO USE THE SOURCEPOINT SERVICE, EVEN IF SOURCEPOINT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
16.3. Essential Purpose. The limitations set forth in this Section shall apply even if this Agreement or any limited remedy specified herein is found to have failed of its essential purpose. These limitations are integral to the calculation of fees in connection with the license of the Sourcepoint Service, and were Sourcepoint to assume any further liability, such consideration would out of necessity been substantially increased.
17.1. Notices. All notices or reports permitted or required under this Agreement shall be in writing and shall be delivered in person, mailed by first class mail, postage prepaid, (registered or certified) or by overnight courier, or sent by fax or electronic mail with confirming copy sent by mail or courier as set forth above, to the party to receive the notice at the address set forth at the beginning of this Agreement or such other address as either party may specify in writing in accordance with this Section. All such notices shall be effective upon receipt.
17.2. Assignment. Neither party may assign this Agreement without the other party’s prior written consent, provided, however, that Sourcepoint may assign this Agreement without Publisher’s prior written consent to any entity that acquires all or substantially all of the business or assets of Sourcepoint relating to this Agreement, whether by merger, reorganization, acquisition, sale or otherwise. Any assignment made in violation with this provision shall be void, and this Agreement shall benefit and bind the permitted successors and assigns of the parties.
17.3. Relationship of Parties. Sourcepoint and Publisher’s relationship is solely that of independent contractors, and this Agreement will not establish any partnership, joint venture, employment, franchise or agency between Sourcepoint and Publisher. Neither Sourcepoint nor Publisher will have the power to bind the other or incur obligations on the other’s behalf without the other’s prior written consent.
17.4. Export Control. Publisher understands and acknowledges that the Sourcepoint Service and technology are subject to regulation by agencies of the United States, including, but not limited to, the U.S. Department of Commerce, which prohibit export or diversion of certain products and technology to certain countries. Any and all obligations of Sourcepoint to provide the Sourcepoint Service and technology shall be subject in all respects to such laws and regulations as shall from time to time govern the license and delivery of technology and products abroad by persons subject to the jurisdiction of the United States, including without limitation the U.S. Export Administration Act of 1979, as amended, any successor legislation, and the Export Administration Regulations issued by the U.S. Department of Commerce, Bureau of Export Administration. Publisher represents and warrants that Publisher will comply with the U.S. Export Administration Regulations and other laws and regulations governing exports in effect from time to time.
17.5. U.S. Government-restricted Rights. If the Sourcepoint Service is licensed to the United States government or any agency thereof, then the Sourcepoint Service will be deemed to be “commercial computer software” and “commercial computer software documentation,” respectively, pursuant to DFARS Section 227.7202 and FAR Section 12.212, as applicable. Any use, reproduction, release, performance, display or disclosure of the Sourcepoint Service and any accompanying Documentation by the U.S. Government will be governed solely by this Agreement and is prohibited except to the extent expressly permitted by this Agreement.
17.6. Governing Law; Dispute Resolution. This Agreement shall be governed by the laws of the State of New York, excluding its conflict of laws rules. The United Nations Convention for the International Sale of Goods is excluded in its entirety from this Agreement. Informal Process First. Publisher agrees that in the event of any dispute between Publisher and Sourcepoint, Publisher will first contact Sourcepoint and make a good faith sustained effort to resolve the dispute before resorting to more formal means of resolution, including without limitation any court action. Arbitration Agreement. After the informal dispute resolution process any remaining dispute, controversy, or claim (collectively, “Claim”) relating in any way to Publisher’s use of the Services, or relating in any way to the communications between Publisher and Sourcepoint or any other user of the Services, will be finally resolved by binding arbitration. This mandatory arbitration agreement applies equally to Publisher and Sourcepoint. However, this arbitration agreement does not (a) govern any Claim by Sourcepoint for infringement of its intellectual property or access to the Service that is unauthorized or exceeds authorization granted in these Terms or (b) bar Publisher from making use of applicable small claims court procedures in appropriate cases. If Publisher is an individual, Publisher may opt out of this arbitration agreement within thirty (30) days of the first of the date of access or use this Service by following the procedure described below. Arbitration is more informal than a lawsuit in court. There is no judge or jury in arbitration. Instead, the dispute is resolve by a neutral arbitrator. Court review of an arbitration award is limited. Except to the extent the parties agree otherwise, arbitrators can award the same damages and relief that a court can award. Publisher agree that the U.S. Federal Arbitration Act governs the interpretation and enforcement of this provision, and that Publisher and Sourcepoint are each waiving the right to a trial by jury or to participate in a class action. This arbitration provision will survive any termination of these Terms. If Publisher wishes to begin an arbitration proceeding, after following the informal dispute resolution procedure, Publisher must send a letter requesting arbitration and describing its claim to Sourcepoint. The arbitration will be administered by the American Arbitration Association (AAA) under its rules including, if Publisher is an individual, the AAA's Supplementary Procedures for Consumer-Related Disputes. If Publisher is not an individual or has used the Services on behalf of an entity, the AAA's Supplementary Procedures for Consumer-Related Disputes will not be used. The AAA's rules are available at www.adr.org or by calling 1-800-778-7879. The number of arbitrators will be one. Publisher may choose to have the arbitration conducted by telephone, based on written submissions, or in person in the county of residence or at another mutually agreed location. The arbitration will be conducted in the English language. New York law will apply. Judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. Payment of all filing, administration and arbitrator fees will be governed by the AAA's rules. If Publisher is an individual and have not accessed or used the Service on behalf of an entity, Sourcepoint will reimburse those fees for claims totaling less than $10,000, unless the arbitrator determines the claims are frivolous, and Sourcepoint will not seek attorneys’ fees and costs in arbitration unless the arbitrator determines the claims are frivolous. The arbitrator, and not any federal, state, or local court, will have exclusive authority to resolve any dispute relating to the interpretation, applicability, unconscionability, arbitrability, enforceability, or formation of this arbitration agreement, including any claim that all or any part of this arbitration agreement is void or voidable. However, the preceding sentence will not apply to the “Class Action Waiver” section below. If Publisher does not want to arbitrate disputes with Sourcepoint and Publisher is an individual, Publisher may opt out of this arbitration agreement by sending an email to firstname.lastname@example.org within thirty (30) days of the first of the date access or use the Service. Class Action Waiver. Any Claim must be brought in the respective party’s individual capacity, and not as a plaintiff or class member in any purported class, collective, representative, multiple plaintiff, or similar proceeding (“Class Action”). The parties expressly waive any ability to maintain any Class Action in any forum. If the Claim is subject to arbitration, the arbitrator will not have authority to combine or aggregate similar claims or conduct any Class Action nor make an award to any person or entity not a party to the arbitration. Any claim that all or part of this Class Action Waiver is unenforceable, unconscionable, void, or voidable may be determined only by a court of competent jurisdiction and not by an arbitrator. The parties understand that any right to litigate in court, to have a judge or jury decide their case, or to be a party to a class or representative action, is waived, and that any claims must be decided individually, through arbitration. If this class action waiver is found to be unenforceable, then the entirety of the Arbitration Agreement, if otherwise effective, will be null and void. The arbitrator may award declaratory or injunctive relief only in favor of the individual party seeking relief and only to the extent necessary to provide relief warranted by that party's individual claim. If for any reason a claim proceeds in court rather than in arbitration, Publisher and Sourcepoint each waive any right to a jury trial.
17.7. Waiver. Any waiver of the provisions of this Agreement or of a party’s rights or remedies under this Agreement must be in writing to be effective. Failure, neglect, or delay by a party to enforce the provisions of this Agreement or its rights or remedies at any time, will not be construed and will not be deemed to be a waiver of such party’s rights under this Agreement and will not in any way affect the validity of the whole or any part of this Agreement or prejudice such party’s right to take subsequent action. Except as expressly stated in this Agreement, no exercise or enforcement by either party of any right or remedy under this Agreement will preclude the enforcement by such party of any other right or remedy under this Agreement or that such party is entitled by law to enforce.
17.8. Severability. If any provision of this Agreement, or portion thereof, is found to be invalid, unlawful or unenforceable to any extent, the parties shall negotiate in good faith amendments to this Agreement to reflect the original intent of the parties as closely as possible. Such invalid provision or portion thereof will be severed from the remaining provisions, which will continue to be valid and enforceable to the fullest extent permitted by law.
NEITHER SOURCEPOINT NOR THE SERVICES PROVIDE BUSINESS, LEGAL, OR CONSULTING ADVICE OR DIRECTION OF ANY KIND. SOURCEPOINT DISCLAIMS, AND DOES NOT WARRANT OR GUARANTEE, THAT USE OF THE SERVICES WILL ENSURE COMPLIANCE WITH ANY PARTICULAR LEGAL REQUIREMENTS.SOURCEPOINT MAY MAKE CHANGES TO THE METHODOLOGY USED BY THE SERVICES AT ANYTIME WITHOUT NOTIFICATION. PUBLISHER REMAINS SOLELY RESPONSIBLE FOR COMPLIANCE WITH ALL APPLICABLE LEGAL REQUIREMENTS, INCLUDING BUT NOT LIMITED TOTHE EU GENERAL DATA PROTECTION REGULATION, OTHER PRIVACY AND DATA PROTECTION LAWS APPLICABLE WITHIN THE EEA, AND ANY PRIVACY AND DATA PROTECTION LAWS APPLICABLE IN ANY OTHER JURISDICTION(S) (collectively, “DATA PRIVACY LAWS”). SOURCEPOINT, ITS AFFILIATES, AND ITS BUSINESS PARTNERS SHALL NOT BE LIABLE TO PUBLISHER, ITS AFFILIATES, OR ITS BUSINESS PARTNERS FOR FINES, DAMAGES, PENALTIES, OR OTHER ADVERSE CONSEQUENCES THAT MAY ARISE FROM NONCOMPLIANCE WITH ANY DATA PRIVACY LAWS, REGARDLESS OF WHETHER SUCH NONCOMPLIANCE ARISES IN WHOLE OR IN PART FROM USE OF THE SERVICES (TO ASSIST PUBLISHER IN MANAGING CONSENTS, OR OTHERWISE) AND REGARDLESS OF ANY NEGLIGENCE ONTHE PART OF SOURCEPOINT, ITS AFFILIATES, OR ITS BUSINESS PARTNERS. THE FOREGOING SHALL NOT BE CONSTRUED AS LIMITING A PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN INDEMNIFICATION SECTIONS OF THIS AGREEMENT.
Schedule 1 – Data Processing Agreement
Data Processing Agreement (“DPA”)
Based on European Commission Decision 2010/87/EU (Standard Contractual Clauses) and the General Data Protection Regulation (GDPR).
Between Publisher and Sourcepoint (Publisher and Sourcepoint together: the “Parties” or each a “Party”)
Sourcepoint provides certain IT services to Publisher in context of the Service Agreement between the Parties. In context of providing the services, Sourcepoint will process certain Personal Data as a Processor on behalf of Publisher as further detailed in this DPA. Therefore, the Parties agree as follows:
Unless expressly stated otherwise, capitalized terms shall have the following meaning:
“Applicable Data Protection Laws” means all applicable data protection laws, particularly from 25 May 2018 Regulation (EU) 2016/679 (“GDPR”) and applicable local data protection laws.
“DPA” means this data processing agreement.
“Party” and “Parties” is defined in the header of this Agreement.
“Data Subjects” as defined in Appendix 1 of the Standard Contractual Clauses.
“Personal Data” as defined and listed in Appendix 1 of the Standard Contractual Clauses.
“Service Agreement” is the Agreement concluded between the Parties which further defines the scope of data Processing and the Parties’ obligations with respect to the processing of Personal Data.
“Standard Contractual Clauses” means the Standard Contractual Clauses covering controller to processor data transfers (European Commission Decision 2010/87/EU) as attached to this DPA.
Subject matter and duration of data processing
Sourcepoint provides Publisher with services for website publishers within the scope of the Service Agreement. In this context, Sourcepoint processes the Personal Data of Data Subjects as described in Appendix 1 to the Standard Contract Clauses.
The term of this DPA is identical to the term of the Service Agreement. Save as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the Service Agreement.
Structure; Application of the Standard Contractual Clauses
Personal Data will be stored and processed by Sourcepoint in the EU and the EEA, but Sourcepoint’s employes might need to access the personal data for purposes of maintenance and support from the USA.
Personal data are stored and processed by potential sub-processors (listed below) in the EU, the EEA and the USA.
For the processing of Personal Data by Sourcepoint outside the EU/EEA, the Standard Contractual Clauses attached as Annex 1 to the DPA shall apply to their full extent. If and to the extent a provision of this DPA is in conflict with a provision of the Standard Contractual Clauses or to the detriment of the Data Subject, the Standard Contractual Clauses shall prevail.
The Standard Contractual Clauses shall be interpreted in such a way that Sourcepoint is the data importer and Publisher is the data exporter.
Instruction RightsIn addition to Clause 5(a) and (b) of the Standard Contractual Clauses Publisher is entitled and obliged to instruct Sourcepoint in connection with the Service Agreement, generally or in the individual case, regarding the collection, processing and use of the Personal Data. Instructions may also relate to the correction, deletion or blocking of Personal Data. Instructions shall generally be given in writing, unless the urgency or other specific circumstances require another (e.g., oral, electronic) form. Instructions in another form than in writing shall be confirmed by Sourcepoint in writing, if Publisher so requests.
Sourcepoint shall notify Publisher without undue delay if Sourcepoint reasonably believes that an instruction contravenes statutory provisions.
Rectification, Deletion, BlockingIf so requested by Publisher, Sourcepoint shall correct, delete or block Personal Data. If Sourcepoint is legally required to retain Personal Data beyond the deletion instruction, Sourcepoint shall be obliged to restrict the further Processing of such particular Personal Data in such way that this may exclusively occur to the purpose pursued with the aforementioned duties of retention (hereinafter referred to as “Blocking”).
In case Sourcepoint is subject to a Blocking obligation pursuant to the previous paragraph, Sourcepoint is obliged to completely and irrevocably erase the respective Personal Data on the last day of the calendar year during which the blocking term ends.
The erasure and/or blocking of Personal Data shall be documented by Sourcepoint and be confirmed to Publisher in written form upon request.
Reporting Duties and AssistanceIn addition to the notification obligation pursuant to Clause 5(d) of the Standard Contractual Clauses, Sourcepoint shall notify Publisher without undue delay if Sourcepoint or its employees or subcontractors violate Applicable Data Protection Laws with regard to the Personal Data. If Sourcepoint is of the opinion that Personal Data have been or might have been illegally processed or illegally disclosed to or accessed by a third party, Sourcepoint will notify Publisher without undue delay in writing.
Sourcepoint shall assist Publisher with its third party notification and communication obligations, taking into account the nature of processing and the information available to Data Importer. However, Publisher is solely responsible for fulfilling any third party notification and communication obligations. Sourcepoint will take, where appropriate, measures to mitigate the possible adverse effects of the security incident.
Self-controls by SourcepointSourcepoint shall control, by appropriate means, its compliance with its data protection obligations in connection with this DPA and shall provide Publisher upon request with regular and occasion-based reports of such controls.
Verification of compliance and audit rightsWith regard to the audit right under Clause 5(f) of the Standard Contractual Clauses the Parties agree that Sourcepoint shall offer and provide substantive documentation to Publisher to demonstrate and prove compliance with this DPA and of the implementation of the agreed technical and organisational measures (Appendix 2 to the Standard Contractual Clauses). Such documentation can be in the form of a current attestation, of reports or report excerpts from third parties (e.g., accountant or auditor), certification resulting from an IT security audit or from a data protection audit (e.g., according to ISO 27001 or ISO 27018) provided that the Processing activities under this DPA are covered or a certification approved by the competent authority. If such information is not sufficient, Publisher may request additional information or carry out on-site audits. Evidence of sufficient technical and organizational measures may also be provided by Sourcepoint by ensuring compliance with approved Codes of Conduct pursuant to Article 40 GDPR.
Return and further use of data after end of contractUnless otherwise instructed by Publisher, Sourcepoint shall return to Publisher, without undue delay, all data carriers received from Publisher and all Personal Data obtained or generated in connection with the Service Agreement, and shall refrain from any further processing and use of such Personal Data, to the extent this is possible without infringing Publisher’s own statutory obligations.
Requests by authorities and Data SubjectsTo the extent not prohibited by Data Protection Laws and applicable national laws, Sourcepoint shall notify Publisher as soon as reasonably practicable in writing of any subpoena or other judicial or administrative order or proceeding seeking access to, or disclosure of, Personal Data. Sourcepoint acknowledges that Publisher may, at its sole expense, seek to defend against or contest such action in lieu of and on behalf of Sourcepoint.
Records of Processing activitiesSourcepoint shall keep a record of any processing of Personal Data it carries out on behalf of Publisher and shall only disclose such records to third parties with the prior written consent of Publisher, unless provided otherwise by applicable law.
SubprocessorsPublisher expressly authorizes Sourcepoint and its subprocessors to assist Sourcepoint with respect to the processing of Personal Data under the DPA provided that (i) Sourcepoint has executed a written agreement with such subprocessors that imposes materially similar obligations as this DPA, as permitted or required by Applicable Data Protection Laws, and (ii) informs Publisher about the engagement of the subprocessor.
Publisher acknowledges that it has been informed by Sourcepoint, or its local representative, that Sourcepoint has entered into and executed written obligations with the following subprocessors on materially similar obligations to this DPA and hereby approves the following subprocessors that are currently used by Sourcepoint:
Name of subprocessorTask of subprocessorLocation of subprocessorAmazon Web ServicesCloud providerFrankfurt,Germany (Corporate Office: Seattle, WA)BraintreeAltpay Payment ProcessedChicago, ILSnowflakeReporting DataSan Mateo, CASendGridEmail DistributionDenver, COMaxmindGeotargetingWaltham, MAIntercomCustomer supportSan Francisco, CA
ConfidentialitySourcepoint is aware that Personal Data may be specially protected information and might be subject to special protection under Applicable Data Protection Laws as well as other laws, e.g. criminal laws. Sourcepoint shall treat Personal Data strictly confidential and shall only grant its employees and subcontractors access to Personal Data to the extent necessary to fulfil the obligations under this DPA and the Service Agreement. Sourcepoint shall not disclose Personal Data to third parties other than instructed by Publisher. Sourcepoint shall impose adequate confidentiality obligations on its employees to reflect the requirements above.
General Data Protection RegulationThe Parties agree to revise, and if necessary amend, the DPA if and to the extent the European Commission issues new or updated EU Standard Data Protection Clauses under Article 46(2)(c) of the GDPR within two (2) months after the official publication of their final text.
Limitation of LiabilityThe limitation of liability agreed between the Parties in the Service Agreement shall also apply to this DPA, unless otherwise expressly agreed in writing.
GeneralSeverabilityIf any provision of the DPA (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of the DPA, and the validity and enforceability of the other provisions of the DPA shall not be affected. If a provision of the DPA (or part of any provision) is found illegal, invalid or unenforceable, the provision shall apply with the minimum modification necessary to make it legal, valid and enforceable.
AttachmentsThe DPA is an attachment to and integral part of the Service Agreement. In case of contradictions between clauses of the Service Agreement and the DPA, the DPA shall prevail.The Standard Contractual Clauses and their Appendices are integral part of this DPA.
Annex 1 to the DPA – Standard Contractual Clauses
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Publisher as defined in the DPA
(hereinafter referred to as the “data exporter”)
Sourcepoint as defined in the DPA
(hereinafter referred to as “data importer”)each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established
Clause 10Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (3). Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12Obligation after the termination of personal data-processing services
1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the Parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
The data exporter is a website, app or other digital goods provider or operator.
The Data Importer is Sourcepoint Technologies, Inc.. The Data importer provides support services to the data exporter in relation to provision of the Services under the Service Agreement, in the course of which it may process certain personal data as a processor as defined under the EU General Data Protection Regulation. The data importer will store and process such data on servers located in the EU; however, there may be access by employees of the data importer to such data, e.g. for purposes of maintenance or support from outside the EU.Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
Past, present and future consumers of data exporter's products and services and / or users of the websites of data exporter that use the services of the data importer. Categories of data
The personal data transferred concern the following categories of data (please specify):
As a general matter, data importer only processes hashed IP addresses and related use data which do not qualify as personal data. Only in certain situations and for certain services (e.g. All Pay product), data importer may process email addresses or un-hashed IP addresses and related usage data.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The data exporter does not transfer any special categories of personal data to the data importer.
The personal data transferred will be subject to the following basic processing activities (please specify):
The nature and purpose of the data processing includes all processing activities (including the collection, access, viewing, organization, storage and deletion of personal data) as are reasonably required to facilitate or support the provision of the services described under the Agreement.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) and Art. 32 GDPR (or document/legislation attached):
Data importer has implemented the following technical and organizational security measures to provide the on-going confidentiality, integrity, availability and resilience of processing systems and services:
ConfidentialityData importer has implemented the following technical and organizational security to provide the confidentiality of processing systems and services, in particular:
Data importer processes all data exporter data on remote server sites owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data processing equipment (namely telephones, database and application servers and related hardware). Such measures include:
Data security is provided per the security requirements of AWS (Amazon Web Services)
Data importer implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
letting data exporters define individual user accounts with permissions across Data importer resources;industry standard encryption and requirements for passwords (minimum length, use of special characters, etc.); andall access to data content is logged, monitored, and tracked.
Data importer’s employees entitled to use its data processing systems are only able to access personal data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. This is accomplished by:
employee policies and training;effective and measured disciplinary action against individuals who access personal data without authorization;limited access to personal data to only authorized persons; industry standard encryption; andpolicies controlling the retention of back-up copies.
Data importer has implemented the following technical and organizational security to provide the integrity of processing systems and services, in particular:
Data importer implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;industry standard encryption; andavoiding the storage of personal data on portable storage media for transportation purposes and on company issued laptops or other mobile devices.
Data importer does not access any data exporter content except as necessary to provide that data exporter with the data importer products and professional services it has selected. Data importer does not access data exporter’s’ content for any other purposes. Accordingly, data importer does not know what content data exporters choose to store on its systems and cannot distinguish between personal data and other content, so data importer treats all Publisher content the same. In this way, all data exporter content benefits from the same robust data importer security measures, whether this content includes personal data or not.
Data importer has implemented the following technical and organizational security measure to provide the availability of processing systems and services, in particular: Data importer implements suitable measures to provide that personal data is protected from accidental destruction or loss. This is accomplished by:infrastructure redundancy;performing regular data back-ups.
Data importer has implemented the following technical and organizational security measures to provide the resilience of processing systems and services, in particular:
Data importer implements a variety of monitoring tools in and out of AWS to ensure systems are monitored. These include AWS’ own monitoring capabilities as well as component level monitoring via New Relic. Leverage AWS’ redundancy, all systems are backed up on a regular basis.