Directly Master Subscription Agreement
MSA ORDER FORM
EFFECTIVE DATE: ______________________, 2018 (start of the Agreement)
COMMENCEMENT DATE: _____________________, 2018 (start of Marketplace Platform)
MARKETPLACE PLATFORM: Provide and support customized access to our Marketplace Platform enabling Users to create, view, and complete Requests as provided in the Agreement.
|□ Enterprise Edition||Marketplace Platform||12 months (from Effective Date)|
|□ Corporate Edition||Marketplace Platform||12 months (from Effective Date)|
|□ Launch Fee||Launch services||NA|
|________ Minimum Reward||________ Monthly Minimum||________ Deposit (refundable)|
This Order Form (“Order Form”), together with the Master Services Agreement (“MSA”) and Exhibits 1 & 2, which are incorporated herein, sets forth the terms and conditions under which Directly Software, Inc. (“Directly”, “our”, “us”, “we”) will provide to the company identified below (“Customer,” “Company,” or “you”) the software, mobile applications, systems, technology platform and associated services (“Marketplace Platform” or “Services”).
The Order Form, MSA and Exhibits 1 & 2 are collectively referred to herein as the “Agreement.” All capitalized terms not otherwise defined in this Order Form shall have the meanings ascribed to them in the MSA and incorporated exhibits.
- Effective Date. The Agreement is effective on the date set forth above (“Effective Date”).
- Opt-out Right. Notwithstanding anything to the contrary in this Agreement, either Directly or Customer may terminate this Order Form (“Opt-out Right”) by informing the other party (in writing, including email sent to the signatory below) no later than thirty (30) days after the date the Marketplace Platform is accessible to users (“Commencement Date”). During this period, Directly will waive the Monthly Minimum.
- Marketplace Platform. Directly’s Marketplace Platform enables Customers and their end-users, customers, partners, resellers, distributors, developers, and community members (“Customer Users”) to post questions about Customer’s products and/or services (“Requests”) for response by Customer Users who apply for or qualify as expert users (collectively “Experts”). Customer Users and Experts are referred to collectively as “Users”.
- User Content. The content made available through the Marketplace Platform, or on behalf of Customer or created by Experts, Customer Users, or you in submitting or responding to Requests (“User Content”) belongs to you (see Section 4.3 of the MSA for details). The Marketplace Platform helps to optimize the routing and resolution of these Requests, but like other marketplace exchanges and social platforms, we do not take responsibility for User Content or for actions by independent Experts, Customers, or Customer Users.
- Pricing. Our pricing is performance-based: You place a reward that Experts can earn if they complete Requests (see Section 3 of the MSA). We pay Experts based on Requests completed and report reward activity to you at the end of each month. Because you control the number of Requests submitted and the reward on each Request (which Directly must pay to Experts), you make a refundable deposit against these rewards and agree to true it up as needed.
- Invoicing: Invoices will be emailed to _____________________ and cc’d to _____________________.
- General. This Agreement, which includes the Order Form, MSA and incorporated exhibits, represents the complete agreement between Directly and Customer regarding the Marketplace Platform, and supersedes all prior agreements and representations on the subject.
By signing below each party agrees to be bound to the terms and conditions of the Agreement, including the MSA and incorporated Exhibits 1 & 2.
|___________________, INC. (“CUSTOMER”)|
|DIRECTLY SOFTWARE, INC. (“DIRECTLY”)|
Terms and Conditions
- Marketplace Platform.
1.1. Marketplace Platform. Directly’s Marketplace Platform enables Customers and their end-users, customers, partners, resellers, distributors, developers, and community members (“Customer Users”) to post questions about Customer’s products and/or services (“Requests”) for response by Customer Users who apply for or qualify as expert users (collectively “Experts”). Customer Users and Experts are referred to collectively as “Users”.
1.2. License. Subject to this Master Services Agreement terms and conditions (“MSA” or “Agreement”), Directly hereby grants to Customer a non-exclusive, non-transferable right to access and use the Marketplace Platform during the term specified in the Order Form or any renewal term (each a “Term”), via certain third-party software applications (e.g., Salesforce and Zendesk apps) and Directly’s application programming interfaces (“APIs”). Except as expressly provided herein, the Marketplace Platform and any associated services or content, excludes User Content. Directly hereby grants to Company a non-exclusive, non-transferable, non-sublicensable license to copy and execute the APIs on Company’s servers solely for the business purposes of integrating Company’s technology system(s), application(s) and website(s) with the Marketplace Platform, as provided in the Agreement.
1.3. Restrictions. Except as otherwise expressly permitted under this Agreement, Company agrees to NOT: (a) reverse engineer (except to the limited extent required to be permitted by mandatory applicable law notwithstanding contractual prohibition) or otherwise attempt to discover any source code of or trade secrets embodied in the Marketplace Platform or the APIs; (b) distribute, transfer, grant sublicenses to, sell, resell, rent, lease, or otherwise make available the Marketplace Platform or APIs to third parties; (c) create modifications to, or derivative works of, the Marketplace Platform or the APIs; (d) access, use, or copy any aspect of the Marketplace Platform or APIs, or any portion of the Marketplace Platform or related documentation, to develop, promote, distribute, sell, or support any product or service that is competitive with the Marketplace Platform; (e) use the Marketplace Platform to store or transmit infringing, libelous, tortious, or unlawful material, or to store or transmit material in violation of third-party rights; (f) use the Marketplace Platform to store or transmit malware; (g) interfere with, disrupt the integrity or performance of, or attempt to gain unauthorized access to the Marketplace Platform.
- Expert User Terms, Security/Privacy, De-Identified Data
2.1 Directly’s Terms and Experts. Directly’s current Terms of Service (“Terms”) that govern Experts (as defined herein) are available at www.directly.com/legal/terms. Directly agrees to maintain in its Terms (to which Experts responding to Requests are required to agree) provisions that substantively provide the following: (a) a prohibition on Experts engaging in harassing or offensive conduct; (b) provisions that Experts are responsible for, and indemnify and hold harmless Directly and Customer for, any User Content; (c) a limitation on liability; (d) a statement that Customer is a third-party beneficiary of the Terms; (e) a statement that the Expert’s intellectual property rights in the User Content are assigned to Directly or Customer, and licensed back to the Expert in connection with Requests; (f) a waiver of all “moral rights” that the Expert may have in, or with respect to, any User Content; (g) a provision that nonpublic Customer-provided information is Customer confidential information, which the Expert will only use or disclose to view or to complete Requests; (h) a provision that the Expert is not an employee or agent of Directly or Customer; (i) a requirement that the Customer provide for and maintain their own equipment and Internet connectivity; (j) a provision that all disputes arising or related to the Terms will be resolved by binding arbitration; and (k) a class action waiver stating that any claim related to the Marketplace Platform will proceed solely on an individual basis without the right for any such claim to be decided, in arbitration or otherwise, on a class action basis or on bases involving claims brought in a purported representative capacity on behalf of another. The Marketplace Platform includes filters designed to prevent Personal Data from being disclosed to Experts (“PII Filters”) and the parties agree that no Expert will be deemed to be a Subprocessor of Directly unless otherwise agreed by the Parties.
If Customer elects to certify a subset of Experts to complete certain types of Requests, including the receipt of any personal data or personally identifiable information, the parties agree to discuss requiring such Experts to agree to supplemental terms and conditions and additional provisions as required by law.
2.3 De-Identified Data. Directly will not use or disclose (except as expressly provided herein) User Content, except to provide you the Marketplace Platform, but may use data about usage of the Marketplace Platform that does not identify or reasonably could be anticipated to be used to identify any individual user or otherwise constitute Personal Data (“De-Identified Data”) and may disclose De-Identified Data, provided it is “de-identified” with similar data related to other Directly customers.
- Rewards, Deposit and Payment.
3.1 Rewards. Company will set a reward that is equal to or greater than the “Minimum Reward” specified in the Order Form that Company will pay when User(s) complete a Request (“Full Reward”). Company and Directly may also set a reward (which may be lower than the Minimum Reward) that Company will pay when User(s) partially complete a Request (“Partial Reward,” which, along with “Full Reward,” is a “Reward”). Directly reasonably will set criteria for determination of completion or partial completion of a Request. Directly will retain thirty percent (30%) of each Reward (the “Directly Share”) and will pay to the applicable User(s) the remaining seventy percent (70%) of the Reward (the “User Share”). If a Request is completed using an automated answer, the Company will receive fifty percent (50%) of the Reward as a credit, while thirty percent (30%) will be paid to Directly and twenty percent (20%) will be paid to applicable User(s). If the Directly Share of all Rewards in a month (the “Monthly Total”) is less than the minimum amount described in the Order Form (the “Monthly Minimum”), Company will pay to Directly the difference between the Monthly Total and the Monthly Minimum.
3.2 Deposit. Prior to Directly allowing any Requests to be created, and no later than the “Commencement Date,” Company will pay Directly the deposit amount identified in the Order Form as a deposit against Rewards under this Agreement (the “Deposit”) and will pay Directly additional amounts from time to time to maintain the Deposit at an amount that is equal to or greater than the sum of the then-prior three (3) months’ Rewards. Directly will not be required to escrow or otherwise keep the Deposit separate from other money, and will use the Deposit to pay User Shares to Users and to credit Directly Shares to Directly.
3.3 Payment Terms. Before the end of each month, Directly will deliver to Company an invoice of all Rewards accrued in the prior month, and Company will pay such invoice within thirty (30) days. If any invoiced Rewards are not received by Directly by the due date, then without limiting our rights or remedies, those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
- IP, User Content & Confidentiality
4.1 IP. Each party and its suppliers will retain all ownership rights in and to such party’s trademarks, technology, and other intellectual property. Any goodwill associated with the use of any trademarks of a party belongs exclusively to such party. No rights are granted to either party hereunder, other than as expressly set forth herein. Directly may use (including in the Marketplace Platform, and APIs), without limitation, any suggestions, recommendations, or other feedback provided by Company in connection with this Agreement. During the Term, Directly may use Company’s name and logo to identify Company as a Directly customer in Directly’s customer lists.
4.2 IP Indemnity. Directly will hold Company harmless against any claim, demand, suit, or proceeding (“Claim”) brought against Company by a third party alleging that the Marketplace Platform (excluding any User Content) infringes or misappropriates the intellectual property rights of such third party. Directly will pay those costs and damages finally awarded against Company in any such action that are specifically attributable to such Claim or those costs and damages agreed to by Directly in a monetary settlement of such action. The foregoing obligations are conditioned on Company notifying Directly promptly in writing of such Claim, Company giving Directly sole control of the defense thereof and any related settlement negotiations, and Company cooperating in such defense. If the Marketplace Platform (or any component thereof) becomes, or in Directly’s opinion is likely to become, the subject of an infringement claim, Directly may, at its option and expense, either (a) procure for Company the right to continue exercising the rights licensed to Company in this Agreement, or (b) replace or modify the Marketplace Platform so that they become non-infringing and remain functionally equivalent. If neither of the foregoing options are, in Directly’s reasonable opinion, commercially reasonable, Directly may terminate this Agreement and will refund to Company any unused portion of the Deposit.
4.3 User Content. Except as specifically provided otherwise herein, all User Content will be the exclusive property of Company. Directly hereby irrevocably transfers and assigns to Company all of its right, title and interest in and to any User Content, including all intellectual property rights therein; provided that Company hereby grants to Directly a perpetual, irrevocable license to (a) reproduce, create derivative works of, distribute, display, and perform all User Content in connection with performing and improving the Services and exercising its rights hereunder, (b) use De-Identified Data to improve the Marketplace Platform, and (c) grant to each Expert and Customer User who submitted or responded to a Request, a perpetual, irrevocable license to reproduce, create derivative works of, distribute, display, and perform the User Content related to such Request and subject to our Terms. Directly does not control or endorse the User Content posted via the Marketplace Platform and, as such, does not make any representations, warranties, or commitments regarding User Content (including its accuracy, integrity or quality), even if Directly provides a “helpfulness grade” or other appraisal of the User or User Content. Directly and our designees shall have the right (but not the obligation) in its sole discretion to pre-screen, refuse, or remove any User Content that is available via the Marketplace Platform. You bear all risks associated with the use of any User Content, including any reliance on the accuracy, completeness, or usefulness of such User Content.
Company will indemnify and hold Directly harmless against any Claim brought by or on behalf of any Customer User against Directly or its affiliates and arising from or related to any User Content; provided that, as conditions of Customer’s obligations under this subsection, Directly must: (a) promptly notify Customer in writing of such Claim and furnish a copy of each communication or notice relating to the Claim; (b) give Customer sole control over the defense and negotiation of any settlement of such Claim; and (c) give Customer, at Customer’s expense, all reasonable assistance as requested by Customer. Company will pay those costs and damages finally awarded against Directly in any such Claim that are specifically attributable to such Claim or those costs and damages agreed to in a monetary settlement of such Claim.
4.4.1. Confidential Information. “Confidential Information” means non-public information pertaining to a party’s business and (a) disclosed by such party (the “Discloser”) to the other party (“Recipient”) and marked as confidential, or (b) collected by the Recipient in connection with this Agreement and would be regarded reasonably as being of a confidential nature. Confidential Information of Company will include non-public User Content; Confidential Information of Directly will include non-public information about the Marketplace Platform (including De-Identified Data), APIs, and the documentation of any of the foregoing, regardless of any confidentiality marking. Recipient will use reasonable care to protect the confidentiality of Discloser’s Confidential Information. Recipient will use the Confidential Information of Discloser only to exercise rights and perform obligations under this Agreement.
4.4.2. Recipient will not be liable to Discloser for the release of Confidential Information if such information: (i) was known to Recipient on or before the Effective Date without restriction as to use or disclosure; (ii) is released into the public domain through no fault of Recipient; (iii) was independently developed solely by the employees of Recipient who have not had access to Confidential Information; or (iv) is divulged pursuant to any legal proceeding or otherwise required by law, provided that, to the extent legally permissible, Recipient will notify Discloser promptly of such required disclosure and reasonably assists Discloser in efforts to limit such required disclosure.
5.1. WARRANTY. DIRECTLY AND ITS AFFILIATES AND SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. DIRECTLY MAKES NO WARRANTY REGARDING ANY USERS, USER CONTENT, OR HELPFULNESS GRADE GENERATED BY THE MARKETPLACE PLATFORM, INCLUDING THE AVAILABILITY, ACCURACY, RELIABILITY, OR USEFULNESS THEREOF.
5.2. COMPANY ACKNOWLEDGES AND AGREES THAT THE MARKETPLACE PLATFORM IS A TECHNOLOGY PLATFORM THAT ENABLES INDEPENDENT USERS TO SUBMIT, ACCESS AND RESPOND TO REQUESTS. DIRECTLY DISCLAIMS ANY RESPONSIBILITY FOR USER CONTENT OR THE ACTIONS OF USERS. DIRECTLY IS NOT A BUSINESS PROCESSING OUTSOURCER, CUSTOMER SERVICE PROVIDER, OR OTHER SIMILAR SERVICE.
- Limitation of Liability.
(A) IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING ANY LOST PROFITS OR LOSS OF USE, ARISING FROM OR RELATING IN ANY WAY TO THIS AGREEMENT, EVEN IF SUCH PARTY KNOWS OR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES; AND EXCEPT WITH RESPECT TO SECTION 4 AND ANY BREACH OF ANY LICENSE RESTRICTION; AND (B) EACH PARTY’S TOTAL CUMULATIVE LIABILITY IN CONNECTION WITH THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR OTHERWISE, WILL NOT EXCEED THE DIRECTLY SHARE PAID TO DIRECTLY UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM. THE EXISTENCE OF MORE THAN ONE CLAIM WILL NOT ENLARGE THE LIMIT.
- Term & Termination.
7.1 Subscription Term. The Term of the Agreement will commence on the Effective Date and will continue for the initial term described on the Order Form. At the end of the initial term or any extension or renewal, the Term will automatically extend for the renewal or extension period specified on the Order Form, or, if not specified, for a period of one (1) year, unless either party notifies the other party, as provided herein, at least sixty (60) days prior to the then-current end of the Term, of its intent to not extend or renew the Term.
7.2. Termination. This Agreement may be terminated by either party (and Directly may suspend its performance) upon the other party’s breach of a material provision of this Agreement, which breach remains uncured thirty (30) days following receipt of detailed written notice thereof from the non-breaching party.
7.3. Effect of Termination. Upon any termination or expiration of this Agreement and except as provided herein, (a) all licenses granted to Company hereunder will immediately cease, (b) Company will pay Directly for any Rewards that have not been satisfied by the then-current Deposit, (c) upon request, each party will promptly deliver to the other party (and delete any copies of) any Confidential Information of the other party in the possession or control of such party, (d) Directly will reimburse Company the amount of any unused Deposit, and (e) Sections 2 through 8 will survive.
8.1 Defined Terms. All capitalized terms not otherwise defined in this MSA shall have the meanings ascribed to them in the Order and incorporated exhibits.
8.2. Assignment. Neither party may assign this Agreement, in whole or in part, without the other party’s written consent, provided, however, that either party may assign this Agreement without such consent in connection with any merger, consolidation, sale of all or substantially all of such party’s assets or shares. Any attempt to assign this Agreement other than in accordance with this provision will be null and void. The terms of this Agreement will be binding on the parties and their successors and assigns.
8.3. Waiver; Amendment. This Agreement may not be modified except by a written instrument signed by authorized agents of both parties. Failure by either party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.
8.4. Interpretation. As used in this Agreement, the term “including” is meant to be inclusive and means “including without limitation.” The headings and italicized lead-in sentences of Sections in this Agreement are intended solely for convenience of reference and will be given no effect in the interpretation or construction of this Agreement.
8.5. Governing Law; Venue. This Agreement will be governed and construed in accordance with the laws of the State of California, without giving effect to any principles that may provide for the application of the law of any other jurisdiction. Any action or proceeding arising from or relating to this Agreement will be brought in the state and federal courts for San Francisco County, California and each party irrevocably submits to the jurisdiction and venue of any such court in any such action or proceeding.
8.6. Severability. If any provision of this Agreement is, for any reason, held to be invalid, prohibited, or otherwise unenforceable by legal authority of competent jurisdiction, the other provisions of this Agreement will remain enforceable and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.
8.7. Notices. Except for the exercise of the Opt-Out Right, each party must deliver all notices, consents, and approvals required or permitted under this Agreement in writing to the other party at the address listed on the Order Form by courier, by certified or registered mail (postage prepaid and return receipt requested), or by a nationally-recognized overnight carrier. Any such notice will be effective upon receipt, refusal of delivery, or (at latest) three days after notice is sent. Each party may change such party’s address for receipt of notice by giving notice of such change to the other party.
8.8. Independent Contractor Relationship. Directly’s relation to Company under this Agreement is that of an independent contractor. Nothing in this Agreement is intended or should be construed to create a partnership, joint venture, or employer-employee relationship between Company and Directly. Directly will take no position with respect to or on any tax return or application for benefits, or in any proceeding directly or indirectly involving Directly, that is inconsistent with Directly being an independent contractor (and not an employee) of Company. Directly is not the agent of Company and is not authorized, and must not represent to any third party that Directly is authorized, to make any commitment or otherwise act on behalf of Company.
8.9 Force Majeure. Nonperformance of either party will be excused to the extent that performance is rendered impossible by any reason where failure to perform is beyond the reasonable control of the non-performing party.
8.10. Entire Agreement. The parties agree that any terms required to be accepted electronically through any Company vendor enrollment, login, invoice submission, or other, process will not apply to this Agreement, are expressly rejected by the parties, and form no basis for any agreement between the parties; notwithstanding any “agreement” to such terms, no such agreement is formed between the parties, and the parties acknowledge that only authorized representatives of the parties may enter into agreements between the parties or amendments to this Agreement. Any professional services or consulting services provided by Directly will be provided under the terms of this Agreement.
By signing below each party agrees to be bound to the terms of the Agreement, including the Order Form and all incorporated exhibits.
[Signature page to follow]
|DIRECTLY SOFTWARE, INC. (“DIRECTLY”)|
EXHIBIT 1 (To the Directly Agreement)
Directly Information Security Policy
Directly has implemented administrative, technical, and physical security measures designed to protect the confidentiality and integrity of data, including confidential information and personal data as referred to in the Master Subscription Agreement (“Agreement”). These measures may be modified from time to time, provided that any such modification will not materially decrease the overall security of the Marketplace Platform during the term of the Agreement.
Physical Access control (to data processing systems). Measures designed to prevent unauthorized persons from obtaining physical access to the data processing systems with which personal data are processed.
- The data center buildings are controlled by Directly’s hosting providers, which are ISO 27001 certified and provide SOC 2, Type 2 attestation reports.
Access control (to use of data processing systems and methods). Measures designed to prevent data processing systems and methods from being used by unauthorized persons.
- We require 2 Factor Authentication for access to our data systems.
- Accounts are locked for repeated invalid attempts to log on and audit trails are logged and monitored for inappropriate and unauthorized activity.
- Role-based authentication is used where possible with auditing processes and activities to manage appropriateness of access. Privileged accounts utilize two-factor authentication with enterprise level management where required.
- Data systems are encrypted at rest using AES-256 and in transit using HTTPS.
- Strict Firewall rules are established only allowing required access to and from the production environment.
- Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data.
- Data systems are designed to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access.
- These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. The granting or modification of access rights must also be in accordance with Directly’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented.
Access control (to data). Measures designed to ensure that persons who are authorized to use a data processing method only have access to that personal data to which their access authorization applies and that this data cannot be read, copied, modified or removed during processing without authorization.
- User accounts are unique and assigned to appropriate groups by administrative personnel for control.
- Roles limit access to objects through an authorization process with appropriate audit trails.
- Audit logs are monitored for activity and access appropriateness.
- System policies and procedures protect data during processing for appropriate access by authorized personnel.
- All changes to access are logged and reviewed during periodic audits. Abnormal changes create alerts to appropriate personnel.
- Data is deleted according to policy and wiped when no longer required.
Disclosure controls. Measures designed to prevent data from being read, copied, modified or removed during electronic transmission, data transport or storage on data carriers without authorization.
- Industry standard practices are employed to protect data in transit. Private Networks, Virtual Private Networks and Secure Sockets Layer technologies are used to prevent unauthorized access.
- Logging of system access is monitored and reviewed for appropriateness.
Input controls. Measures to allow Directly to retroactively check and verify whether, when and by whom data has been entered into, modified or removed from the data processing system.
- Access and activity logs are monitored for unauthorized or inappropriate activity as well as to provide change history.
Control of instructions. Measures designed to restrict processing of personal data in accordance with the instructions of the Client.
- Corporate compliance and security policies highlight that client data is accessed only with a business need and is not disclosed.
Availability control. Measures designed to protect data from accidental destruction or loss.
- Systems are backed up daily to enable recovery of data on a schedule determined by policy.
- High availability or recovery technologies are employed to maintain system operation, availability and redundancy.
- Production environments are replicated in geographically separated data centers with remote storage of backups and recovery systems.
- Our infrastructure includes malicious activity detection technology.
- Our Disaster Recovery Plans are documented, reviewed and tested on a regular basis.
Separation controls. Measures to separately process data that is stored for separate purposes.
- Tiered development, testing, stage and production environment to separate function and operation.
- Access controls are employed to segregate the environments.
- Personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Directly conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
- Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Directly’s confidentiality and privacy policies. Personnel are provided with security training.
- Prior to onboarding subprocessors, Directly evaluates the security and privacy protections of subprocessors to ensure subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Directly has assessed the risks presented by the subprocessor, the subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
- Directly’s data trustees, the Head of Engineering and the Head of Product, have primary responsibility for reviewing and updating Directly’s information security policies, and for provisioning and revoking authorization for data access.
(Exhibit 2 to MSA)
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of Personal Data to processors established in third countries that do not ensure an adequate level of data protection
Name of the data exporting organisation: [Customer]
Other information needed to identify the organisation:
(the data exporter)
Name of the data importing organization: Directly Software, Inc.
Address: 333 Bryant Street, San Francisco, CA 94107
Other information needed to identify the organization:
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the Personal Data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘Personal Data,’ ‘special categories of data,’ ‘process/processing,’ ‘controller,’ ‘processor,’ ‘data subject,’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the Personal Data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter Personal Data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer Personal Data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of Personal Data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organizational security measures’ means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Appendix 1, which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants that:
(a) the processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) it has instructed and throughout the duration of the Personal Data processing services will instruct the data importer to process the Personal Data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) it will ensure compliance with the security measures;
(f) if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) it will forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) it will make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the Personal Data and the rights of data subject as the data importer under the Clauses; and
(j) it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants the following:
(a) It will process the Personal Data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) It has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) It has implemented the technical and organizational security measures specified in Appendix 2 before processing the Personal Data transferred;
(d) It will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) It will deal promptly and properly with all inquiries from the data exporter relating to its processing of the Personal Data subject to the transfer and abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) At the request of the data exporter, it will submit its data processing facilities for audit of the processing activities covered by the Clauses, which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) It will make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) In the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) The processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) It will send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor, is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case, the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely the United States.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor, which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement, the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer, because they have factually disappeared or have ceased to exist in law or have become insolvent, and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely the United States.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of Personal Data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the Personal Data transferred and the copies thereof to the data exporter, or shall destroy all the Personal Data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter (including with respect to Appendix 1 and 2):
Name (written out in full): [name]
Other information necessary in order for the contract to be binding (if any):
(stamp of organisation)
On behalf of the data importer (including with respect to Appendix 1 and 2):
Name (written out in full): David Phillips
Position: Head of Corporate Development & Legal
Address: 333 Bryant Street, #250 San Francisco, CA 94107
Other information necessary in order for the contract to be binding (if any):
(stamp of organization)
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The “data exporter” is identified in the Order Form to which this Agreement is incorporated as an exhibit/appendix. Data Exporter provides (please briefly specify your activities relevant to the transfer):
The data exporter is (i) the legal entity that has executed the Agreement and/or these Standard Contractual Clauses as a data exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA) and Switzerland that have purchased SCC Services on the basis of one or more Order Form(s).
The data importer is (please specify briefly activities relevant to the transfer): Directly Software, Inc.
Data importer’s services are the provision of a marketplace technology platform for customer support (“SCC Services”) which upon configuration by the data exporter Customer processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.
The personal data transferred concern the following categories of data subjects (please specify):
- The Data Subjects are customer users of Data Exporter Customer authorized by it to use the SCC Services.
- Employees, agents, advisors, freelancers of Data Exporter (who are natural persons)
Categories of data
The personal data transferred concern the following categories of data (please specify):
Data exporter may submit Personal Data to the SCC Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, subject to the data exporter configuration of Directly’s technology, the following categories of Personal Data:
- Customer User first and last name
- Customer User email address and/or mobile number
- Customer User request information (e.g., text of request thread)
- Customer User ID data (ID number – internal/external)
- Customer User log data (e.g., IP address, browser type, mobile network information).
- Data about question type (question category and language type)
- Customer Employee contact information (company, email, phone, physical business address)
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
None as of the Effective Date.
The Personal Data transferred will be subject to the following basic processing activities (please specify):
The objective of Processing of Personal Data by data importer is the performance of the SCC Services pursuant to the Agreement.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(c) and 5(c) (or document/legislation attached):
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the SCC Services, as described in the Directly Information Security Policy to the specific SCC Services purchased by data exporter, and which is incorporated as Exhibit 1, or otherwise made reasonably available. Data Importer will not materially decrease the overall security of the SCC Services during a term.
APPENDIX 3 TO THE STANDARD CONTRACTUAL CLAUSES
|Amazon Web Services Inc. (“AWS”)||Data hosting||USA|
|Google LLC||Language detection||USA|
|Current as of May 21, 2018|