We are committed to ensuring transparency and legal compliance in our services. As part of that commitment, we provide our customers with access to our SaaS Agreement and Data Processing Addendum.
These documents outline the terms and conditions for using our SaaS platform and detail how we handle and process customer data. To review our SaaS Agreement, please click here. For our Data Processing Addendum, please click here. We encourage all users to familiarize themselves with these important agreements to understand their rights and responsibilities when using our services.
This Software-as-a-Service Agreement, entered into as of Date (the “Effective Date”), is by and between Pretaa, Inc. DBA Huml Health, a Delaware corporation (“Provider”), and Customer Name (“Customer”). For purposes of this Agreement, Provider and Customer may each be referred to individually as a “Party” and collectively as the “Parties.”
1. DEFINITIONS
As used in this Agreement:
“Agreement” means the Purchase Order separately delivered to and signed by Customer, this Software-as-a-Service Agreement, any attached schedules and/or exhibits referenced herein, and any supplementary Statements of Work executed by Customer and Provider hereunder.
“Applicable Laws” means all legislation, statutes, regulations, ordinances, rules, judgments, orders, decrees, rulings, and other requirements that are enacted, promulgated, or imposed by any governmental authority or judicial or regulatory body (including any self-regulatory body), in any jurisdiction and at any level (e.g., municipal, county, provincial, state or national), and that are applicable to or enforceable against a Party in relation to its activities under or pursuant to this Agreement.
“Authorized Customer Entities” refers to any specific Customer-affiliated entities who are authorized under the Purchase Order hereto to access and use the Service under Customer’s subscription during the Subscription Term.
“Authorized Users” means all end users of Customer, end users of Authorized Customer Entities, and Authorized Customer Entities who have completed Provider’s online registration process or who otherwise receive a user ID or other access credentials from Provider or Customer authorizing them to access and use the SaaS.
“Authorized Purpose(s)” means any descriptions in the Purchase Order or on Provider’s Website of the purposes for which the applicable SaaS and associated Content are permitted to be used. If no Authorized Purpose is stated, the Authorized Purpose shall be limited to use of the SaaS in Customer’s and Authorized Customer Entities’ internal business operations.
“Confidential Information” means all non-public written or oral information, disclosed by either Party to the other Party, that is (i) related to the business or operations of either Party (or a third party that the disclosing Party has identified as confidential), or that (ii) should reasonably be understood as confidential either by its nature or by the circumstances surrounding its disclosure.
“Content” means any data, media, information, and/or any other type or form of content that is displayed, distributed, or otherwise made available to a Party through or in connection with the SaaS and/or the other Services, including User Content and Provider Content.
“Customer Data” means any data that is owned by Customer or by an Authorized Customer Entity and that is submitted to the Service for processing, transmission, and/or storage.
“Data Privacy and Security Laws” means all applicable laws, statutes, ordinances, regulations, rules, executive orders, and/or other requirements, in any jurisdiction (within the United States or otherwise) and at any level (i.e., federal, state, regional, territorial, and/or local), promulgated by any applicable authority in respect of the privacy, data protection, and/or security of Personally Identifiable Information, and/or in respect of any security breach notifications related to Personally Identifiable Information.
“Including” (and its derivative forms, whether or not capitalized) shall always mean “including without limitation.”
“Intellectual Property Rights” means all legal rights held by the owner of a copyright, patent, trademark, trade secret, or any other form of intellectual property, including: (i) the rights to copy, publicly perform, publicly display, distribute, adapt, translate, modify, and create derivative works of copyrighted subject matter; (ii) the rights to exclude others from using, making, having made, selling, offering to sell, and importing patented subject matter and from practicing patented methods, (iii) the rights to use and display any marks in association with businesses, products or services as an indication of ownership, origin, affiliation, or sponsorship; and (iv) the rights to apply for any of the foregoing rights (as well as all rights in any such applications). “Intellectual Property Rights” also include all rights that are granted by law in respect of any particular information, and that give the owner (independent of contract rights) exclusive authority to control use or disclosure of such information, including privacy rights and any rights in databases recognized by applicable law.
“Losses” means, in connection with a Claim that is subject to defense and indemnification by a Party under this Agreement, all reasonable attorneys’ fees; reasonable costs of investigation, discovery, litigation and settlement; and any associated liabilities, damages, settlements, judgments and awards (including associated taxes, interest and penalties).
“Personally Identifiable Information” means any information relating to an identified or identifiable natural person, including “Personal Data” as defined in the EU General Data Protection Regulation (Regulation (EU) 2016/679), “Personally Identifiable Information” as defined in the California Consumer Privacy Act of 2018 (Cal. Civil. Code §§ 1798.100-1798.199), and “Non-Public Personal Information” as defined in Title V of the Gramm-Leach-Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338), all as may be amended from time to time.
“Professional Services” means any professional services performed or contracted to be performed by Provider pursuant to a Statement of Work entered into by the Parties under this Agreement.
“Provider Content” means Content owned, originated, or controlled by Provider that is made accessible to Customer and Authorized Customer Entities via the SaaS or other Services.
“Provider’s Website” means the web interface of the SaaS platform that Provider offers for interaction with and receipt of the Services.
“SaaS” means Provider’s proprietary web-based software-as-a-service platform and related services made available for use by Authorized Users under this Agreement, as identified and/or described in the Purchase Order, including its technology components, such as Provider’s Website, and related documentation.
“SDK License,” if applicable, means a license granted by Provider to Customer through a separate written supplement to this Agreement in which Provider grants additional rights to Customer to access the program code of the SaaS for the purpose of integrating it with other Customer applications or platforms.
“Services” means, collectively, the SaaS, the Support Services, and any Professional Services performed or provided by Provider pursuant to this Agreement.
“Statement of Work” (or “SOW”) means a supplementary document in a mutually agreed form that is entered into by the Parties under this Agreement and describes Professional Services ordered by Customer from Provider. Upon execution and delivery of an SOW, it is deemed to form part of this Agreement.
“Subscription Fees” means the non-recurring and recurring fees payable by Customer to Provider for the SaaS and associated Support Services, as set forth in the Purchase Order, which shall be payable in accordance with the payment terms set forth in this Agreement. Unless and except as otherwise expressly stated in this Agreement, the Subscription Fees are non-cancellable and non-refundable.
“Subscription Term” means the period during which Customer’s Authorized Users are permitted to access and use the SaaS, as set forth in the Purchase Order.
“Support Services” has the meaning given in Sections 3.1 through 3.3 of these Terms and Conditions.
“Territory” means and is limited to the United States unless otherwise specified in the Purchase Order.
“Update” means any improvement, enhancement, modification, and/or change to the SaaS offered or provided by Provider to its subscribers at no charge.
“User Content” means any Content submitted, posted or displayed by Authorized Users of the SaaS.
“User Data” means any data or information (other than User Content) received or collected by Provider concerning Authorized Users of the SaaS, including data provided by Authorized Users to register to use the SaaS.
2. ACCESS TO AND USE OF THE SAAS
2.1. Limited-Purpose Access Grant. Subject to Customer’s, all Authorized Customer Entities’, and all Authorized Users’ full and continuing compliance with this Agreement and payment of all applicable fees, Provider hereby grants to Customer a limited, personal, non-exclusive, non-sub-licensable, non-transferable right to access the features and functions of the SaaS in the Territory during the Subscription Term (and to authorize Authorized Customer Entities and Authorized Users to do the same), solely through Provider’s Website and solely for the Authorized Purpose(s). This access grant may not be sub-licensed, in whole or in part. The scope of Customer’s use of the SaaS is subject to the terms and conditions of this Agreement, including any usage restrictions or other parameters or limitations that may be set forth in the Purchase Order.
.
2.2. Access Protocols. Upon execution of this Agreement, Provider shall provide to Customer the necessary access credentials and protocols to allow Authorized Users to access the SaaS (the “Access Protocols”). For the avoidance of doubt and in accordance with Customer’s obligations under Section 2.5 of this Agreement, Customer acknowledges and agrees that it shall require each Authorized User to accept expressly Provider’s Terms of Service and End User License Agreement (the “EULA”) prior to Customer’s provision to such Authorized User of any Access Protocols in respect of the SaaS. Customer further acknowledges and agrees that, as between Customer and Provider, Customer shall be responsible for all acts and omissions of Authorized Users, including: (i) any act or omission by an Authorized User, which, if undertaken by Customer, would constitute a breach of this Agreement; and (ii) any act or omission by a person (whether or not an Authorized User) using any Access Protocols. Customer shall notify all Authorized Users of all provisions of this Agreement that are applicable to such Authorized Users’ use of the SaaS, and Customer shall cause all Authorized Users to comply with such provisions.
2.3. Company Account Administration. Customer shall designate at least one Authorized User to act as Customer’s principal point of contact with Provider for purposes of this Agreement.
2.4. Content. The SaaS may enable Customer’s Authorized Users to search for, find, store, manage, and use Content. Customer acknowledges that Provider does not endorse, support, represent, or guarantee the completeness, truthfulness, accuracy, reliability, or other attributes of any Content, and Customer acknowledges that Provider does not review (and/or attempt to verify the accuracy or currency of) any Content other than Provider Content. As between Customer and Provider, Customer has sole responsibility for: (i) determining the suitability of any Content for its intended use by Customer, and (ii) to the extent necessary, verifying the authenticity, integrity, and accuracy of any Content prior to its use. Provider has no obligation to preview, verify, flag, modify, filter, or remove any Content other than Provider Content. Provider may remove or disable access to any Content at its sole discretion, but Provider is not responsible for any failures or delays in removing or disabling access to any Content (including Content that may be considered harmful, inaccurate, unlawful, or otherwise objectionable) unless otherwise provided herein.
2.5. Compliance. (a) Customer’s and all Authorized Users’ access to and use of the SaaS is subject to Customer’s and all Authorized Users’ continuing compliance with all of the following: (i) all provisions of this document; (ii) the EULA; (iii) any additional terms and/or policies that Provider has made available on its Website [including, without limitation, the Data Processing Addendum]; (iv) any third-party service terms and conditions governing any Content that is accessed through the SaaS and that is published or distributed by a third-party website; and (v) all Applicable Laws (including all Data Privacy and Security Laws). As between Provider and Customer, in the event of a conflict between this Agreement and any additional terms and/or policies that Provider has made available on its Website, this Agreement shall prevail and control. (b) In addition to complying with all applicable Data Privacy and Security Laws, Provider will employ commercially reasonable security and access controls designed to protect the types of data collected and stored by the SaaS, including Personally Identifiable Information.
2.6. Restrictions. Customer agrees not to act outside the scope of the rights that are expressly granted by Provider in this Agreement. Further, Customer will not: (i) use the SaaS in any manner that is inconsistent with this Agreement; (ii) except as expressly permitted under an SDK License (if any) granted by Provider to Customer, modify any program code of the SaaS or attempt to create or permit the creation of any derivative works of the SaaS; (iii) access or use the SaaS or in order to develop or support, or assist another party in developing or supporting, any products or services competitive with the SaaS; (iv) decompile, reverse engineer (unless required by law for interoperability), or use any other method in an attempt to view or recreate any of the source code of the SaaS or extract any trade secrets from it; (v) use the SaaS to operate the business of a third party or to process data or content provided by a third party for the operation of a third party’s business (or otherwise use the SaaS on a third party’s behalf and/or act as a service bureau or provider of application services to any third party); (vi) knowingly or intentionally re-use, disseminate, copy, or otherwise use the SaaS or associated Content in a way that infringes, misappropriates, or violates any trademark, copyright, patent, trade secret, publicity, privacy right, or other right of Provider or any third party; and/or (vii) sell, lend, lease, assign, transfer, pledge, permit a lien upon, or sub-license any of the rights granted by this Agreement with respect to the SaaS.
2.7. No Interference with Service Operations. Customer and its Authorized Users will not take any action designed or intended to: (a) interfere with the proper working of the SaaS; (b) circumvent, disable, or interfere with security-related features of the SaaS or features that prevent or restrict use, access to, or copying of the SaaS (or any Content or other data), or that enforce limitations on use of the SaaS or Content; or (c) impose (or potentially impose, as determined by Provider in its sole discretion) an unreasonable or disproportionately large load on the SaaS infrastructure.
2.8. Access and Use of the SaaS from Outside the Territory. The SaaS is offered for use in the Territory. As between Customer and Provider, Customer is solely responsible for compliance with Applicable Laws relevant to any Authorized Users’ access or use of the SaaS outside the Territory.
3. SUPPORT SERVICES; PROFESSIONAL SERVICES; SERVICE-LEVEL AGREEMENT
3.1. Technical Support. At no additional charge and during Provider’s normal business hours (which are 9-5pmET, Monday through Friday, but – to the extent not otherwise agreed upon in writing by the Parties –excluding Provider-designated holidays), Provider will provide reasonable technical support and assistance for Authorized User requests by telephone or sent via email to support@Huml.health. Provider may charge additional fees for additional and/or upgraded support services.
3.2. Updates. Customer will be given access to any free Updates of the SaaS that Provider implements during the Subscription Term. Customer acknowledges, however, that Provider may charge fees for other optional value-added functions, features, or other capabilities.
3.3. Scheduled Maintenance. Provider reserves the right to disable applicable servers hosting the SaaS in order to conduct scheduled and/or emergency maintenance. Provider will use commercially reasonable efforts to perform scheduled maintenance outside of regular business hours and will provide at least 24 hours’ advance notice for non-emergency maintenance. Provider will not be responsible for any damages or costs incurred by Customer due to unavailability of the SaaS during scheduled or emergency maintenance.
3.4. Professional Services. If Provider has agreed to perform Professional Services for Customer or an Authorized Customer Entity under this Agreement, the Parties shall prepare and sign a Statement of Work describing the Professional Services to be performed and setting forth any other pertinent details, including the locations at which the Professional Services will be performed, the planned schedule of performance, the deliverables (if any) to be produced by Provider and delivered to Customer, the amount and manner of payment of Provider’s fees for the Professional Services, and any associated responsibilities of Customer or Authorized Customer Entities relating to the Professional Services. For the avoidance of any doubt, Customer’s obligation to pay Subscription Fees is not dependent on Provider’s performance of any Professional Services pursuant to an SOW.
3.5. Service-Level Agreement. Subject to your compliance with this Agreement, Provider will make the applicable Services available to you during the term hereof. To the extent applicable to such Services, the service-level terms set forth in this document [Huml’s SaaS Agreement] hereto describe Provider’s commitments in respect of such Services’ availability and/or uptime, as well as any remedies and/or credits that may apply in respect of such Services’ unavailability and/or downtime.
4. FEES
4.1. Payment of Fees. Customer shall pay to Provider: (i) all Subscription Fees, as set forth in the Purchase Order; (ii) all fees for Professional Services, as set forth in the associated SOWs; and (iii) any and all other amounts that may be payable by Customer to Provider under this Agreement (together with Subscription Fees and fees for Professional Services, “Fees and Other Amounts”). All Fees and Other Amounts be denominated and paid in U.S. Dollars, and all Fees and Other Amounts shall be due within thirty (30) days of the date of the associated invoice(s) sent by Provider. Except as expressly provided in this Agreement, all Fees and Other Amounts set forth in the Purchase Order and/or in any associated SOW(s) (as applicable) are non-cancellable and non-refundable upon execution of this Agreement and/or such associated SOW(s) (as applicable).
4.2. Documentation Originating from Customer. Notwithstanding any language to the contrary therein, purchase orders originating from Customer have no legal effect in respect of this Agreement, and all terms and conditions set forth in any of Customer’s purchase orders (or Customer’s websites, or Customer’s web portals, or Customer’s vendor onboarding process, or other documentation originating from Customer) are null and void.
4.3. Failure to Pay. If Customer fails to pay to Provider any Fees and Other Amounts within thirty (30) days of the date of the associated invoice(s), Provider may impose upon the outstanding balance of such Fees and Other Amounts a finance charge of 3% monthly if any Fees and Other Amounts are more than thirty (30) days overdue, then, without limitation of any of Provider’s other rights and/or remedies, Provider may suspend performance of the Services until Customer has paid in full its outstanding balances on such Fees and Other Amounts.
4.4. Taxes. Except for those taxes based on Provider’s gross revenue, net income, business privileges, or real property, and Provider’s payroll or license taxes, Customer will be responsible for all applicable taxes in connection with this Agreement including, but not limited to, sales, use, excise, value-added, goods and services, consumption, and other similar taxes or duties (“Taxes”), and Taxes shall not be considered a part of, a deduction from, or an offset against any Fees and Other Amounts. Should any payment for any Services be subject to withholding tax by any government, Customer will reimburse Provider for such withholding tax. If Customer is exempt from any such Taxes for any reason, Provider will exempt Customer from such Taxes on a going-forward basis only once Customer delivers a duly executed and dated valid exemption certificate to Provider and Provider has approved such exemption certificate. If, for any reason, a taxing jurisdiction determines that Customer is not exempt from any such purportedly exempted Taxes, and such taxing jurisdiction then assesses such Taxes against Provider, Customer shall promptly reimburse Provider in full in respect of such Taxes (plus any applicable interest or penalties assessed). Provider and Customer shall reasonably cooperate with each other in minimizing any applicable Taxes and in obtaining any exemption from tax (or reduced rate of tax) available under any applicable law or treaty.
5. ALLOCATIONS OF RISK
5.1. Representations and Warranties.
(a) Each Party represents to the other: (i) that the execution and performance of its obligations under this Agreement will not conflict with or violate any provision of any Applicable Laws or any other agreement or order by which the representing Party is bound; and (ii) that this Agreement, when executed and delivered, will constitute a valid and binding obligation of such Party and will be enforceable against such Party in accordance with its terms.
(b) Provider warrants that any Professional Services performed by Provider under this Agreement will be performed in a good and workmanlike manner in accordance with prevailing industry standards. In the event of a breach of this warranty, Provider’s sole obligation (and Customer’s sole remedy) will be for Provider to correct or re-perform the affected Professional Service to remedy the breach, at no charge to Customer.
5.2. DISCLAIMERS.
(a) CUSTOMER REPRESENTS THAT IT IS ENTERING THIS AGREEMENT WITHOUT RELYING UPON ANY PROVIDER REPRESENTATION OR WARRANTY THAT IS NOT EXPRESSLY STATED IN THIS AGREEMENT. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PROVIDER DISCLAIMS ANY AND ALL PROMISES, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, DATA ACCURACY, SYSTEM INTEGRATION, SYSTEM RELIABILITY, TITLE, NON-INFRINGEMENT, NON-INTERFERENCE, AND/OR QUIET ENJOYMENT, AND ALL WARRANTIES THAT MAY OTHERWISE BE IMPLIED. NO WARRANTIES ARE MADE ON THE BASIS OF TRADE USAGE, COURSE OF DEALING, OR COURSE OF PERFORMANCE.
(b) CUSTOMER ASSUMES COMPLETE RESPONSIBILITY, WITHOUT ANY RECOURSE AGAINST PROVIDER, FOR THE SELECTION OF THE SAAS TO ACHIEVE CUSTOMER’S INTENDED RESULTS AND FOR CUSTOMER’S USE OF THE RESULTS OBTAINED FROM THE SAAS IN CUSTOMER’S BUSINESS. CUSTOMER ACKNOWLEDGES THAT IT IS SOLELY RESPONSIBLE FOR THE RESULTS OBTAINED FROM USE OF THE SAAS, INCLUDING THE COMPLETENESS, ACCURACY, AND CONTENT OF SUCH RESULTS. PROVIDER DOES NOT WARRANT THAT THE SAAS WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE OPERATION OF THE SAAS WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ERRORS WILL BE CORRECTED.
(c) THE SAAS IS NOT DESIGNED OR PERMITTED TO BE USED IN OR FOR HIGH-RISK OR HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, INCLUDING OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION, COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, WEAPONS SYSTEMS, DIRECT LIFE-SUPPORT MACHINES, OR ANY OTHER APPLICATION IN WHICH THE FAILURE OF THE SAAS COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR PROPERTY DAMAGE (COLLECTIVELY, “HIGH RISK ACTIVITIES”). PROVIDER EXPRESSLY DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS OF THE SAAS FOR HIGH RISK ACTIVITIES.
5.3. Indemnification of Customer by Provider. Provider agrees to defend, indemnify, and hold harmless Customer and its affiliates from and against all third-party claims and actions (collectively referred to as “Claims,” and each individually a “Claim”), as well as any associated Losses, that may, at any time, arise out of or relate to: (a) a breach or alleged breach by Provider of any of its representations given in Section 5.1(a) of these Terms and Conditions; (b) a Claim that the SaaS or any Provider Content (excluding, however, all User Content) provided by Provider hereunder (or Customer’s use of same in accordance with the terms hereof) infringes upon any third party’s Intellectual Property Rights; or (c) a Claim arising with respect to Provider’s posting or display of Provider Content on Provider’s Website.
5.4. Indemnification of Provider by Customer. Except for any Claims in respect of which Provider is obligated to indemnify Customer under Section 5.3, Customer agrees to defend, indemnify, and hold harmless Provider and its affiliates from and against all Claims, as well as any associated Losses, that may, at any time, arise out of or relate to: (a) use of the SaaS or any Content by or on behalf of Customer or an Authorized Customer Entity other than in accordance with this Agreement; (b) the posting, display, distribution, broadcast or other use of User Content by or on behalf of Customer or an Authorized Customer Entity, including Claims that any such use infringes upon or otherwise violates any third party’s rights (including Intellectual Property Rights, privacy rights, publicity rights, or other personal or proprietary rights), and/or Claims that the User Content posted, displayed, distributed, broadcast or otherwise published contains libelous, defamatory, or otherwise injurious or unlawful material.
5.5. Indemnification Procedures. If any third party makes a Claim covered by Section 5.3 or Section 5.4 against an indemnified Party (the “Covered Party”) with respect to which the Covered Party intends to seek indemnification under this Agreement, the Covered Party shall provide to the indemnifying Party prompt written notice of the Claim (including a brief description of the amount and basis for the claim, if known). Upon receipt of such notice, the indemnifying Party shall be obligated to defend the Covered Party (and its indemnitees) against the Claim, and the indemnifying Party shall be entitled to assume control of the defense and settlement of the Claim. The Covered Party may participate in the defense and settlement of the Claim at its own expense, using its own counsel, but without any right of control. The indemnifying Party shall keep the Covered Party reasonably apprised as to the status of the Claim. Neither the indemnifying Party nor the Covered Party shall be liable for any settlement of a Claim made without its consent. Notwithstanding the foregoing, the Covered Party shall retain responsibility for all aspects of the Claim (including any Losses) that are not subject to indemnification by the indemnifying Party hereunder.
5.6. Limitation of Liability. Except as expressly provided in this Section 5.6, neither Party shall have any liability under (or in connection with) this Agreement for any indirect, incidental, consequential, special, exemplary, or punitive damages, nor any liability for lost profits, loss of data, loss of business opportunity, or business interruption, regardless of the theory of liability (including theories of contractual liability, tort liability, or strict liability), even if the liable Party knew or should have known that such damages were possible. Each Party’s maximum cumulative liability under or in connection with this Agreement shall never exceed the other Party’s actual direct damages, capped at an amount equal to the total amount paid or payable under this Agreement by Customer to Provider during the 12 month period preceding the occurrence of the event giving rise to liability. The foregoing limitations of liability shall not be applicable to a Party’s indemnification obligations under this Section 5, either Party’s confidentiality obligations under Section 8, or to any damages that the liable Party is not permitted to disclaim (or, as applicable, limit) under Applicable Law. Each Party acknowledges that this Section 5.6 is an essential part of this Agreement, and that the economic terms and other provisions of this Agreement would be substantially different in its absence.
6. TERM AND TERMINATION
6.1. Term. This Agreement shall commence as of the Effective Date, and this Agreement shall continue for the duration of the Subscription Term set forth in the Purchase Order; upon the expiration of the Subscription Term, the Agreement shall automatically renew for successive one (1)-year terms (each a “Renewal Term”) unless either Party delivers to the other Party a notice of non-renewal at least thirty (30) days prior to the date of any such auto-renewal.
6.2. Termination. Either Party may terminate this Agreement: (i) if the other Party has breached this Agreement, and such breach remains uncured within 30 days of the breaching Party’s receipt of written notice thereof; or (ii) if the other Party has become the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, assignment for the benefit of creditors, or customer lacks appropriated funding to continue the contract.
6.3. Effect of Termination on Fees. If this Agreement is terminated by Customer pursuant to Section 6.2, any pre-paid fees for the unused portion of the terminated Subscription Term will be refunded to Customer. In all other cases, all fees paid or payable for the terminated Subscription Term are non-cancellable and non-refundable, and any unpaid fees for the remainder of the terminated Subscription Term will become immediately due and payable.
6.4. Other Effects of Termination. Effective immediately upon expiration or termination of this Agreement, (i) all rights granted under this Agreement will become void, (ii) Customer shall cease all use of the SaaS, and (iii) neither Party will have continuing rights to use any Confidential Information of the other Party or to exercise any Intellectual Property Rights of the other Party that are licensed under this Agreement. Notwithstanding the foregoing, Customer shall have up to 30 days following any such expiration or termination to download or to otherwise obtain an extract of any Customer Data stored by the SaaS at the time of such expiration or termination.
6.5. Survival. Any right, obligation, or required performance of the Parties in this Agreement will survive this Agreement’s termination or expiration to the extent that such survival is intended by the express terms (or the nature and context) of such right, obligation, or required performance.
7. PROPRIETARY RIGHTS
7.1. Services and Provider Content. Customer acknowledges that the Services (including the SaaS) and Provider Content – and all Intellectual Property Rights therein – are owned and shall remain owned by Provider (and/or its licensors, as applicable) and are protected by applicable laws, regulations, and treaties governing rights of copyright, trademark, patent, trade secret, and any other recognized forms of intellectual property. Provider shall retain full and sole ownership of any derivative work that Customer, any Authorized Customer Entity, or any Authorized User may create with respect to any part of the SaaS or Provider Content. Accordingly, Customer hereby irrevocably transfers and conveys to Provider, without further consideration, all right, title and interest that Customer or any Authorized User may have or acquire in any such derivative work; upon Provider’s request, Customer shall perform, during and after the term of this Agreement, any and all acts that Provider reasonably deems necessary or desirable to permit and assist Provider, at its expense, to obtain, perfect, and enforce throughout the world its full benefits, enjoyment, rights, and title in any such derivative works as provided herein.
7.2. User Content License. Customer hereby grants to Provider a non-exclusive and non-transferable right and license to access, use, host, copy, display, process, transmit, and deliver the User Content as necessary or convenient for Provider to comply with its obligations and exercise its rights under this Agreement.
7.3. Trademarks. For the duration of the Subscription Term, Customer grants to Provider a non-exclusive, worldwide, royalty-free license to use and display the Customer’s name, logo, and other trademarks and/or brand indicia (“Customer Trademarks”) in respect of the Parties’ relationship under this Agreement. Provider will use the relevant Customer Trademarks in accordance with any trademark and branding usage guidelines provided by Customer to Provider, and Provider will use the relevant Customer Trademarks only for the purposes agreed upon by the Parties. Subject to the foregoing license, Customer will retain all Intellectual Property Rights that it may have in and to the Customer Trademarks, and all use thereof by Provider shall inure to the sole benefit of Customer.
7.4. Provider Content and Service Usage Data. As between Provider and Customer, Provider shall retain sole ownership of all Provider Content, as well as all data in de-identified form pertaining to usage of the Services.
7.5. Feedback. If Provider receives from Customer or any of its Authorized Users any suggestions, ideas, improvements, modifications, feedback, error identifications, or other information related to the Services or any other Provider products, offerings or services (“Feedback”), Provider may use, disclose, and exploit such Feedback without restriction (and without paying any royalties or other compensation) in order to improve the Services and to develop, market, offer, sell, and provide other products and services.
7.6. No Implied Licenses by Provider. Customer acknowledges that there are no licenses granted by Provider by implication under this Agreement. Provider reserves all rights that are not expressly granted herein. Customer acknowledges that, as between the Parties, Provider owns all Intellectual Property Rights and proprietary interests that are embodied in, or practiced by, the SaaS or other Services, with the exception of Intellectual Property Rights in or to Customer Data or to User Content that may be distributed through the SaaS.
8. PUBLICITY; CONFIDENTIALITY OBLIGATIONS
8.1. Publicity. Neither Party may use the name of the other in any published advertising or publicity materials without the prior written consent of the other party. However, and notwithstanding anything to the contrary in Section 8.2, Provider may include Customer’s name on Provider’s customer list and may describe briefly, and in general terms, the nature of the services provided by Provider to Customer.
8.2. Confidentiality. All activities of the Parties under or in relation to this Agreement are subject to the following provisions with respect to Confidential Information:
(a) Obligations. With respect to any Confidential Information that belongs to or originates from one Party (the “Disclosing Party”) and that is received by the other Party (the “Receiving Party”), the Receiving Party shall: (i) hold all such Confidential Information in strict confidence, and protect such Confidential Information from any unauthorized disclosure (or other use) by means of the same degree of care as the Receiving Party uses to protect its own similar confidential information (but, in any event, no less than a reasonable degree of care); (ii) refrain from disclosing any such Confidential Information to any third party except with the prior written approval of the disclosing Party or as expressly permitted by Section 8.2(a)(iv) below; (iii) use or reproduce such Confidential Information only as reasonably necessary to perform its obligations under this Agreement and/or to exercise its rights under this Agreement (and not otherwise to any other purpose or benefit of the Receiving Party or any other party); (iv) limit disclosure of such Confidential Information only to those of its employees, contractors, and professional and/or legal advisors to whom such Confidential Information must be disclosed for the purposes of this Agreement, who have been advised of the Receiving Party’s obligations hereunder, and who are contractually bound to preserve the confidentiality of such Confidential Information to the same extent as the Receiving Party; and (v) refrain from reverse engineering, disassembling, or decompiling any prototypes, software, or other tangible objects that are provided to it pursuant to this Agreement and that embody the disclosing Party’s Confidential Information, and prohibit any such reverse engineering, disassembly, or de-compilation by other parties. Any violation of this Section 8.2(a) shall constitute a material breach of this Agreement.
(b) Exceptions. The foregoing obligations shall not apply to the Disclosing Party’s Confidential Information that the Receiving Party demonstrates to have been: (i) publicly disclosed prior to its disclosure to the Receiving Party, or publicly disclosed subsequent to its disclosure to the Receiving Party through no fault of the Receiving Party; (ii) known to or otherwise independently developed by the Receiving Party prior to the date of disclosure by the Disclosing Party (provided that the Receiving Party can demonstrate, using documents and/or other competent evidence in the Receiving Party’s possession prior to the time of disclosure by the Disclosing Party, that such knowledge did not originate from the Disclosing Party or its personnel); or (iii) subsequently disclosed to the Receiving Party in good faith by a third party with the right to make such disclosure to the Receiving Party (and without any obligation to restrain further disclosure).
(c) Disclosures Required by Law. To the extent that the Receiving Party is required to disclose any of the Disclosing Party’s Confidential Information in response to any valid court order or other process of law in any jurisdiction with authority in respect of the subject matter thereof, the Receiving Party agrees to give the Disclosing Party prompt advance notice of such required disclosure (unless the Receiving Party legally prohibited from providing the Disclosing Party with such notice); and the Receiving Party agrees to reasonably cooperate with the Disclosing Party’s efforts to contest such disclosure or to seek a protective order (or other applicable legal remedy) in respect of such disclosure).
(d) No Intellectual Property License via Disclosure. The Parties acknowledge and agree that disclosures of Confidential Information and/or the provisions of this Section 8.2 do not — in themselves — grant to either Party (or imply any grant of) a license to the other Party’s Intellectual Property Rights (as defined in the Terms and Conditions). Notwithstanding the foregoing, no provision of this Section 8.2 shall invalidate or curtail any license or sub-license rights granted to any Party under other provisions of this Agreement.
(e) No Obligation to Furnish Additional Confidential Information. The Parties acknowledge and agree that disclosures of Confidential Information and/or the provisions of this Section 8.2 do not — in themselves – obligate a Disclosing Party to furnish additional Confidential Information to the Receiving Party.
(f) Return or Destruction of Confidential Information Upon Request or Termination. Upon written request or upon termination of this Agreement, a Receiving Party shall cease all further use of the Disclosing Party’s Confidential Information, and such Receiving Party shall either return or destroy (as directed by the Disclosing Party) all of the Disclosing Party’s Confidential Information (including any and all copies thereof and/or derivative works made therefrom) in the Receiving Party’s possession as of the time of such written request or termination. To the extent that the Disclosing Party’s Confidential Information is destroyed upon such written request or termination, the Receiving Party shall upon request certify in writing such destruction to the Disclosing Party.
(g) Representation and Warranty of Disclosing Party. Each Disclosing Party represents and warrants that it has the unobstructed and unqualified right to disclose to the Receiving Party any of the Disclosing Party’s Confidential Information that is made available to such Receiving Party under this Agreement.
9. GENERAL
9.1. Governing Law. The validity, construction, and interpretation of this Agreement and the rights and duties of the Parties shall be governed by the internal laws of New York State without regard to principles of conflicts of laws. The Parties agree that neither the United Nations Convention on Contracts for the International Sale of Goods nor the Uniform Computer Information Transactions Act (UCITA) will apply in any respect to this Agreement. All disputes arising out of or relating to this Agreement will be submitted to the exclusive jurisdiction of the courts situated in Steuben County, New York, United States or the appropriate federal court, and each Party irrevocably consents to such personal jurisdiction and waives all objections to this venue. Each Party hereby irrevocably waives any and all right to jury trial in respect of any suit, action, or proceeding arising out of (or relating to) this Agreement or to any transaction hereunder, and each Party further acknowledges that such waiver is a material inducement to the other Party’s entry into this Agreement.
9.2. Force Majeure. Notwithstanding any other provision of this Agreement, neither Party shall be deemed in default or breach of this Agreement or liable for any loss or damages or for any delay or failure in performance (except for the payment of money) due to any cause beyond the reasonable control of, and without fault or negligence by, such Party.
9.3. Insurance. Provider shall have and maintain in force throughout the Subscription Term insurance coverage in types and amounts customarily maintained by reputable companies in the same or similar line of business as Provider.
9.4. Notice. All notices required or permitted under this Agreement will be in writing and sent by certified mail (return receipt requested), by reputable oversight courier, or by hand delivery. The notice address for each of Provider and Customer shall be its address as specified in the Purchase Order. Any notice sent in the manner specified herein shall be deemed sufficiently given for all purposes hereunder: (i) in the case of certified mail, on the second business day after deposited in the U.S. mail; and (ii) in the case of overnight courier or hand delivery, upon delivery. Either Party may change its notice address by giving written notice to the other Party by the means specified in this Section.
9.5. Construction; Headings. No provision of this Agreement shall be construed against or interpreted to the disadvantage of any Party by any court or arbitrator by reason of such Party having or being deemed to have structured or drafted such provision. The headings in this Agreement are for reference purposes only and shall not be deemed to have any substantive effect.
9.6. Severability. If any provision of this Agreement is held by a court or arbitrator of competent jurisdiction to be contrary to law, then the Parties agree to replace it with an enforceable provision reflecting the intent of the original provision as nearly as possible in accordance with applicable law, and the remaining provisions of this Agreement will remain in full force and effect.
9.7. Waiver. The failure of either Party at any time to require performance by the other Party of any provision of this Agreement shall not affect in any way the full right to require the performance at any subsequent time. The waiver by either Party of a breach of any provision of this Agreement shall not be taken or held to be a waiver of the provision itself. Any course of performance shall not be deemed to amend or limit any provision of this Agreement.
9.8. Entire Agreement; Amendments. The Agreement constitutes the entire agreement between Provider and Customer with respect to the subject matter hereof. There are no restrictions, promises, warranties, covenants, or undertakings other than those expressly set forth herein and therein. This Agreement supersedes all prior negotiations, agreements, and undertakings between the Parties with respect to such matter. This Agreement may be amended only by an instrument in writing executed by the Parties’ duly authorized representatives.
9.9. Counterparts; Signatures. This Agreement may be signed in counterparts with the same effect as if the signatures were upon a single instrument, and all such counterparts together shall be deemed an original of this Agreement. For purposes of this Agreement, a facsimile copy of a Party’s signature made by reliable means shall be sufficient to bind such Party.
SERVICE-LEVEL AGREEMENT
The Huml Platform is designed to be fully available on a 24×7 basis. As such, Huml commits that the Huml Platform will perform with the following availability:
24x7x365: 99.5% of the time
This Service Level will be calculated by dividing (the amount of time during the coverage window of the applicable month that the Service does not experience Downtime) by (the amount of time during the coverage window of the applicable month). Scheduled maintenance periods will be excluded from the calculation of this Service Level. Huml will notify Customer ahead of time regarding any maintenance periods. “Downtime” means unscheduled loss of external connectivity or access due to the failure of Huml’s systems.
As the sole and exclusive remedy for Huml’s failure to meet this availability Service Level, if Huml fails to meet the same Service Level for any period of three consecutive months, Huml will credit Customer 10% of the charges for the applicable month. If charges are paid on an annual basis then the credit will be based on 1/12th of the annual recurring charges.
In order to receive any of the Service Level Credits described above, Customer must notify Huml technical support within thirty (30) days from the time Customer becomes eligible to receive a Service Level Credit. Customer must also provide Huml with server log files showing loss of connectivity errors and the date and time those errors occurred. Service Level Credits will be made in the form of a monetary credit applied to future use of the Service and will be applied within sixty (60) days after the Service Level Credit was requested.
This Service Level does not apply to: (i) any features excluded from this Service-Level Agreement in the associated Documentation; (ii) errors caused by factors outside of Huml’s reasonable control, resulting from Customer’s software or hardware or third party software or hardware (or both), or resulting from abuses or other behaviors that violate the Agreement; (iii) disruption or unavailability of the SaaS as a result of planned maintenance thereof; and/or (iv) disruption or unavailability of the SaaS as a result of a Force Majeure event (as contemplated by Section 9.2 of this Agreement).
This Data Processing Addendum (“Addendum”) is incorporated by reference into the Purchase Order, or other agreement between Customer and Pretaa, Inc. DBA Huml Health (“Huml” or “Huml Health”) governing Customer’s use of the Services (the “Purchase Order”) and reflects the parties’ agreement with regard to the processing of personal information in accordance with the requirements of the applicable Data Protection Legislation.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. This Addendum forms part of the Agreement and will have the same force and effect as if set out in the body of the Agreement.
1.1 The following terms shall have the following meanings:
(a) “Applicable Law” means all applicable laws, statutes, codes, ordinances, decrees, rules, regulations, municipal by-laws, judgments, orders, decisions, rulings or awards of any government, quasi-government, statutory or regulatory body, ministry, government agency or department, court, agency or association of competent jurisdiction;
(b) “Controller” means an entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Information and shall also mean a “Business”, where applicable, as defined by the CCPA;
(c) “Customer Personal Information” shall have the meaning given to it in Section 3.1;
(d) “Data Protection Legislation” means all laws and regulations, including state, federal and national laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”), their Member States, the United Kingdom, Switzerland and the United States, applicable to the processing of Personal Information under the Agreement, including, as applicable, the GDPR and the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 –1798.199, and its implementing regulations (the “CCPA”), each, as amended, repealed or replaced from time to time;
(e) “GDPR” means Regulation (EU) 2016/679 and also refers to the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) (in this Addendum, any references to specific articles of the GDPR shall be construed as also referring to the equivalent sections of the UK GDPR, where applicable);
(f) “Personal Information” means any information relating to an identified or identifiable natural person (a “Data Subject”) and/or any such information as may be defined as constituting Personal Information, personally identifiable information or any equivalent thereof, in any applicable Data Protection Legislation;
(g) “Process” and variants of it, such as “processing” and “processed” (whether capitalized or not) means any operation or set of operations performed upon Personal Information or sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(h) “Processor” means an entity which processes Personal Information on behalf of the Controller and shall also mean a “Service Provider”, where applicable, as defined by the CCPA;
(i) “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Information to processors established in third countries, as approved by the European Commission in Decision (EU) 2021/914 as set out in Schedule A;
(j) “Services” shall have the meaning set forth in the Agreement or, if the Agreement does not define “Services”, shall mean the services and other activities to be performed by Huml as set forth in and pursuant to the Agreement;
(k) “Subprocessor” means any person or entity appointed by or on behalf of Huml (or the relevant intermediate Subprocessor) to process Personal Information as described in Section 6; and
(l) “Supervisory Authority” means a supervisory authority established by an EEA Member State or the United Kingdom, pursuant to Article 51 of the GDPR, or any other competent government authority with jurisdiction over the processing of Personal Information under the Agreement.
1.2 In this Addendum (except where the context otherwise requires any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.
2. ROLES OF THE PARTIES
2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Section 2.1 is in addition to, and does not relieve, remove or replace, either party’s obligations under the Data Protection Legislation.
2.2 The parties acknowledge and agree that for the purposes of the Data Protection Legislation, Customer is the Controller and Huml is the Processor.
2.3 Customer shall ensure that it has and will continue to have, the right to transfer, or provide access to, Customer Personal Information to Huml for processing in accordance with the Agreement. For the avoidance of doubt, Customer’s instructions for the processing of Customer Personal Information shall comply with applicable Data Protection Legislation. Huml will inform Customer if it considers, in its opinion, that any of Customer’s instructions infringe applicable Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Information and the means by which Customer acquires Customer Personal Information and shall be responsible for ensuring that the processing of Personal Information, which Huml is instructed to perform, has a valid legal basis.
3. SCOPE OF PROCESSING
3.1 Customer agrees that Huml may process Personal Information on behalf of Customer to perform its obligations under the Agreement for the term of the Agreement (“Customer Personal Information”) in accordance with this Addendum. A list of the categories of data subjects, types of Customer Personal Information and the processing activities are set out in Appendix I to the Standard Contractual Clauses. The duration of the processing corresponds to the term of the Agreement, unless otherwise stated in the Agreement or this Addendum.
3.2 Huml shall process Customer Personal Information only on the written instructions of Customer unless Huml is required by Applicable Law to process such data. Where Huml is relying on Applicable Law as the basis for processing Customer Personal Information, Huml shall notify Customer of this before performing the processing required by Applicable Law unless Applicable Law prohibits Huml from so notifying Customer.
3.3 The following is deemed an instruction by Customer to process Customer Personal Information, subject to Huml’s compliance with this Addendum and the Data Protection Legislation: (i) processing necessary to perform the Services and/or for Huml’s performance of its obligations under the Agreement; (ii) processing initiated by Customer, (or its authorized representative) in their use of the Services; and (iii) processing necessary to comply with other reasonable instructions provided by Customer where such instructions are consistent with the Agreement and this Addendum.
4 DATA PROCESSING OBLIGATIONS
4.1 Without prejudice to the generality of Section 2.1, Huml shall, in relation to any Customer Personal Information processed in connection with the performance by Huml of its obligations under the Agreement:
(a) maintain technical and organizational measures designed to protect against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Information in its possession or control (a “Personal Information Breach”);
(b) ensure that all personnel who have access to and/or process Customer Personal Information are obliged to keep Customer Personal Information confidential;
(c) taking into account the nature of the processing and the information available to it, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in responding to a request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to records of processing, security, breach notifications, impact assessments and consultations with Supervisory Authorities. To the extent legally permitted, Customer shall be responsible for any costs arising from Huml’s provision of such assistance;
(d) notify Customer without undue delay on becoming aware of a Personal Information Breach and shall provide Customer with further information about the Personal Information Breach in phases as such information becomes available to Huml; and
(e) at the written direction of Customer, delete or return Customer Personal Information and copies thereof in its possession or control to Customer on termination of the Agreement unless required by Applicable Law to store Customer Personal Information.
4.2 Huml shall maintain records and information to demonstrate its compliance with this Addendum. Customer shall, with reasonable notice to Huml, have the annual right (unless required more frequently by an order of a Supervisory Authority or court, or in the event of a Personal Information Breach) to review such records at Huml’s offices during regular business hours.
4.3 Upon Customer’s request, Huml shall, no more than once per calendar year (unless required more frequently by an order of a Supervisory Authority or court, or in the event of a Personal Information Breach) make available for Customer’s review copies of certifications or reports demonstrating Huml’s compliance with this Addendum and the prevailing data security standards applicable to the processing of Customer Personal Information.
4.4 Where Customer reasonably believes the information provided under Section 4.2 and 4.3 above is not sufficient to demonstrate Huml’s compliance with this Addendum, at Customer’s expense and subject to Section 5, Huml shall permit Customer, or its appointed third-party auditors (collectively, “Auditor”), to audit the architecture, systems and procedures relevant to Huml’s compliance with this Addendum and shall make available to the Auditor all information, systems and staff necessary for the Auditor to conduct such audit. To the extent any such audit incurs in excess of 10 hours of Huml personnel time, Huml may charge Customer on a time and materials basis for any such excess hours.
4.5 To the extent Huml, in its role as a Service Provider (as defined by the CCPA), receives Customer Personal Information that is subject to the CCPA, Huml shall not (i) Sell (as defined by the CCPA) such Personal Information; (ii) retain, use, or disclose such Personal Information for any purpose other than performing its obligations under the Agreement or as otherwise permitted under the Agreement or CCPA or its underlying regulations; (iii) retain, use, or disclose the Personal Information for a commercial purpose other than performing its obligations under the Agreement or as otherwise permitted under the Agreement or CCPA or its underlying regulations; or (iv) retain, use, or disclose such Personal Information outside of the direct business relationship between Customer and Huml unless otherwise permitted under the Agreement. Huml agrees to comply with the CCPA, as applicable to Service Providers, in performing its obligations under the Agreement and certifies its compliance with its obligations set forth in this Section 4.5.
5. AUDITS
5.1 Before the commencement of an audit described in Section 4, Huml and Customer will mutually agree upon the reasonable scope, start date, duration of and security and confidentiality controls applicable to the audit. Customer agrees that:
(a) audits will be conducted during Huml’s normal business hours;
(b) it will not exercise its on-site audit rights more than once per calendar year, (unless required more frequently by an order of a Supervisory Authority or court, or in the event of a Personal Information Breach);
(c) it will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit;
(d) Huml may object to any third-party auditor appointed by Customer to conduct an audit if the auditor is, in Huml’s opinion, not suitably qualified or independent, a competitor of Huml or otherwise manifestly unsuitable. Any such objection by Huml will require Customer to appoint another auditor or conduct the audit itself;
(e) nothing in this Section 5 will require Huml either to disclose to the Auditor, or to allow the Auditor access to (a) any data processed by the Huml on behalf of any other organization, (b) any Huml internal accounting or financial information, (c) any trade secret of Huml, (d) any information that, in Huml’s opinion, could (i) compromise the security of any Huml systems or premises, or (ii) cause Huml to breach its obligations to Customer or any third party, or (e) any information that Customer seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Applicable Data Protection Law; and
(f) shall provide Huml with copies of any audit reports completed by the Auditors, which reports shall be subject to the confidentiality provisions of the Agreement.
6. APPOINTMENT OF SUBPROCESSORS
6.1 Customer authorizes Huml to appoint (and permit each Subprocessor appointed in accordance with this Section 6 to appoint) Subprocessors in accordance with this Section 6 and any restrictions in the Agreement.
6.2 Huml may continue to use those Subprocessors already engaged by Huml, subject to Huml in each case as soon as practicable meeting the obligations set out in Section 6.4.
6.3 Huml shall give Customer prior notice of any intended changes concerning the appointment or replacement of Subprocessors. If, within fourteen (14) days of receipt of that notice, Customer notifies Huml in writing of any objections (on reasonable grounds) to the proposed appointment:
(a) Huml shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
(b) where such a change cannot be made within thirty (30) days from receipt by Huml of Customer’s notice, notwithstanding anything in the Agreement, Customer may by written notice to Huml terminate those Services which cannot be provided by Huml without the use of the objected-to Subprocessor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any proposed Subprocessor.
6.4 With respect to each Subprocessor, Huml shall:
(a) ensure that the arrangement between on the one hand (a) Huml, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Information as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR;
(b) to the extent that Subprocessor processes Customer Personal Information to which the GDPR or UK GDPR applies outside of the EU, EEA, Switzerland and/or the United Kingdom, Huml will ensure that appropriate safeguards are at all relevant times incorporated into the agreement between on the one hand (a) Huml, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, or before the Subprocessor first processes Customer Personal Information procure that it enters into an agreement incorporating appropriate safeguards; and
(c) provide to Customer for review such copies of the agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.
6.5 Huml may replace a Subprocessor if the need for the change is urgent and necessary to provide the Services and the reason for the change is beyond Huml’s reasonable control. In such instance, Huml shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Subprocessor pursuant to Section 6.3 above.
6.6 Where the Subprocessor fails to fulfil its data protection obligations and Huml is the initial Processor, Huml shall remain fully liable to Customer for the performance of that Subprocessor’s obligations.
7. INTERNATIONAL TRANSFERS
7.1 The Parties hereby enter into the Standard Contractual Clauses with respect to any transfer of Customer Personal Information to which the GDPR and/or UK GDPR applies from Customer (as “data exporter”) to Huml (as “data importer”) where such transfer would otherwise be prohibited by Data Protection Legislation. The Standard Contractual Clauses shall come into effect on the commencement of a relevant transfer as described in this Section 7.
7.2 In case of any transfers of Customer Personal Information subject to the UK GDPR, (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Data Protection Legislation of the UK including the UK GDPR (“UK Data Protection Laws”), as applicable; (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws, as applicable, (iii) Clause 13(a) and Part C of Annex I are not used; (iv) the “competent supervisory authority” is the UK Information Commissioner’s Office; and (v) Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales” and Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
7.3 In case of any transfers of Customer Personal Information subject to the Data Protection Legislation or Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Swiss Data Protection Laws, as applicable; (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under Swiss Data Protection Laws, as applicable, (iii) Clause 13(a) and Part C of Annex I are not used; (iv) the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner; and (v) Clause 17 is replaced to state “These Clauses are governed by the laws of Switzerland”.
7.4 Additional terms for Standard Contractual Clauses:
(a) For the purposes of Clause 8.1(a) of the Standard Contractual Clauses, the processing described in Section 3 of this Addendum is deemed an instruction by Customer to process Customer Personal Information, subject to Huml’s compliance with applicable Data Protection Legislation.
(b) Pursuant to Clause 9(a) of the Standard Contractual Clauses, Customer agrees that Huml may continue to use those Subprocessors already engaged by Huml as at the date of this Addendum, subject to Huml in each case as soon as practicable meeting the obligations set out in Section 6.4.
(c) Pursuant to Clause 9(a) of the Standard Contractual Clauses, Customer agrees that Huml may engage new Subprocessors as detailed in Section 6 of this Addendum.
(d) Customer agrees that the audits described in Clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Sections 4 and 5 of this Addendum.
(e) In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. The parties’ signature to the Agreement shall be considered as signature to the Standard Contractual Clauses.
7.5 Huml may propose variations to this Addendum and the Standard Contractual Clauses which Huml reasonably considers to be necessary to address the requirements of any Data Protection Legislation, and the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Huml’s notice as soon as is reasonably practicable.
8. GENERAL TERMS
8.1 Termination and Survival. The parties agree that this Addendum shall terminate automatically upon termination of the Agreement. Notwithstanding the foregoing, any obligation imposed on Huml under this Addendum in relation to the processing of Customer Personal Information shall survive any termination or expiration of this Addendum.
8.2 Governing Law. This Addendum shall be governed by the governing law of the Agreement.
8.3 Jurisdiction. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum.
8.4 Order of precedence. Nothing in this Addendum reduces Huml’s obligations under the Agreement in relation to the protection of Customer Personal Information or permits Huml to process (or permit the processing of) Customer Personal Information in a manner which is prohibited by the Agreement. In the event of any inconsistency between this Addendum and any other agreements between the parties, including but not limited to the Agreement, the Addendum shall prevail.
8.5 Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
SCHEDULE
STANDARD CONTRACTUAL CLAUSES (CONTROLLER-TO-PROCESSOR)
SECTION I
Clause 1
Purpose and scope
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
[NOT USED]
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of Subprocessors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses and must be completed by the parties.
ANNEX I
A. LIST OF PARTIES
Data exporter
The data exporter is:
The data exporter is the Customer.
Role:
Controller.
Data importer
The data importer is:
The data importer is Huml.
Role:
Processor.
Signature and date:
The parties’ signature and date on the Addendum constitutes their signature and date on this Annex I.A.
B. DESCRIPTION OF TRANSFER
Data subjects
The Personal Data transferred concern the following categories of data subjects:
Data subjects include the individuals about whom data is provided to Huml via the Services by (or at the direction of) the Customer, which may include:Customer’s current or perspective customers/clients, vendors or suppliers.
Categories of data
The Personal Data transferred concern the following categories of data:
Data relating to individuals provided Huml via the Services by (or at the direction of) the Customer, which may include:
System logs, including access logs, changes to data, IP addresses, and security relevant changes (such as password resets, account locks, etc.).
Sensitive data transferred (if appropriate)
The Personal Data transferred concern the following sensitive data:
N/A
The sensitive data transferred will be subject to the following applied restrictions and safeguards that fully take into consideration the nature of the data and the risks involved:
N/A
Frequency of the transfer
(e.g. whether the data is to be transferred on a one-off or continuous basis):
Continuous.
Nature of the processing
The Personal Data transferred will be subject to the following basic processing activities:
Receiving data, including collection, accessing, retrieval, recordings and data entry.Holding data, including storage, organisation and structuring.Protecting data, including restricting, encrypting and security testing.Returning data to the data exporter. Erasing data, including destruction and deletion.
Purpose(s) of the data transfer and further processing
The Personal Data is transferred for the following purpose(s):
For the provision of Services.
The period for which the personal data will be retained
If that is not possible, the criteria used to determine that period:
The duration of the Services, unless otherwise stated in the Addendum.
Transfers to subprocessors
Specify the subject matter, nature and duration of the processing:
Transfers to Subprocessors will occur where necessary for the provision of the Services in accordance with the Addendum.
C. DESCRIPTION OF TRANSFER
Competent supervisory authority/ies in accordance with Clause 13:
Irish Data Protection Commission.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by the data importer:
Infrastructure Level
Application Level