1.1 Subject to the terms and conditions of this Agreement and the parties’ compliance therewith, MetaSpark will provide Customer with access to the Services through the internet for Customer’s internal, non-commercial purposes only. The Services are subject to modification from time to time at MetaSpark’s sole discretion, for any purpose deemed appropriate by MetaSpark. MetaSpark will use reasonable efforts to give Customer prior written notice of any such modification.
1.2 MetaSpark will undertake commercially reasonable efforts to make the Services available twenty-four (24) hours a day, seven (7) days a week. Notwithstanding the foregoing, MetaSpark reserves the right to suspend Customer’s access to the Services: (i) for scheduled or emergency maintenance, or (ii) in the event Customer is in breach of this Agreement, including failure to pay any amounts due to MetaSpark.
1.3 Subject to the terms hereof, MetaSpark will provide reasonable support to Customer for the Services from Monday through Friday during MetaSpark’s normal business hours.
2. RESTRICTIONS AND RESPONSIBILITIES
2.1 Customer will not, and will not permit any third party to: (i) reverse engineer, decompile, disassemble or otherwise attempt to discover or obtain the source code, object code or underlying structure, ideas or algorithms of the Services or any software, documentation or data related to the Services (“Software”) (provided that reverse engineering is prohibited only to the extent such prohibition is not contrary to applicable law); (ii) modify, translate, or create derivative works based on the Services or Software; (iii) use the Services or Software for timesharing or service bureau purposes or for any purpose other than its own internal use for its own internal benefit; (iv) use the Software or Services in any infringing, defamatory, harmful, fraudulent, illegal, deceptive, threatening, harassing, or obscene way; or (v) use the Services or Software other than in accordance with this Agreement and in compliance with all applicable laws, regulations and rights (including but not limited to those related to privacy, intellectual property, consumer and child protection, SPAM, text messaging, obscenity or defamation).
2.2 Customer will cooperate with MetaSpark in connection with the performance of this Agreement by making available such personnel and information as may be reasonably required, and taking such other actions as MetaSpark may reasonably request. Customer will also cooperate with MetaSpark in establishing a password or other procedures for verifying that only designated employees of Customer have access to any administrative functions of the Services.
2.3 Customer will designate an employee who will be responsible for all matters relating to this Agreement (“Primary Contact”). Customer may change the individual designated as Primary Contact at any time by providing written notice to MetaSpark.
2.4 Although MetaSpark has no obligation to monitor the content provided by Customer (hereafter “Content”) or Customer’s use of the Services, MetaSpark may do so and may remove any such Content or prohibit any use of the Services it believes may infringe or violate the rights of a third party or violate any applicable law. If MetaSpark receives any notice or claim from a third party that any Content, or activities hereunder with respect to any Content, may infringe or violate the rights of a third party or violate any applicable law (a “Claim”), Customer will indemnify MetaSpark from all liability or damages in connection with any such Claim, as incurred, provided that Customer is notified by MetaSpark of such Claim in a timely manner and given the opportunity to resolve, settle or contest such Claim. Customer will have no obligation or liability to MetaSpark for such a Claim in the event that MetaSpark opts to settle the Claim directly with the third party.
2.5 Customer acknowledges and agrees that the Services operate on or with or using application programming interfaces (APIs) and/or other services operated or provided by third parties (“Third Party Services”). MetaSpark is not responsible for the operation of any Third Party Services nor the availability or operation of the Services to the extent such availability and operation is dependent upon Third Party Services. MetaSpark does not make any representations or warranties with respect to Third Party Services or any third party providers. Any exchange of data or other interaction between Customer and a third party provider is solely between Customer and such third party provider and is governed by such third party’s terms and conditions.
3.1 Each party (the “Receiving Party”) understands and agrees that the other party (the “Disclosing Party”) has disclosed or may disclose confidential information in connection with this Agreement relating to the Disclosing Party’s technology or business (hereinafter referred to as “Proprietary Information” of the Disclosing Party).
3.2 The Receiving Party agrees: (i) not to divulge to any third person any such Proprietary Information, (ii) to give access to such Proprietary Information solely to those employees with a need to have access thereto for purposes of this Agreement, and (iii) to take the same security precautions to protect against disclosure or unauthorized use of such Proprietary Information that the party takes with its own proprietary information, but in no event will a party apply less than reasonable precautions to protect such Proprietary Information. The Disclosing Party agrees that the foregoing will not apply with respect to any information that the Receiving Party can document (a) is or becomes generally available to the public without any action by, or involvement of, the Receiving Party, or (b) was in its possession or known by it without restriction prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party. Nothing in this Agreement will prevent the Receiving Party from disclosing the Proprietary Information pursuant to any judicial or governmental order, provided that the Receiving Party gives the Disclosing Party reasonable prior notice of such disclosure to contest such order. In any event, MetaSpark may aggregate data and use such aggregated data to evaluate and improve the Services and otherwise for its business purposes.
3.3 Neither party will have the right to disclose the existence or the terms and conditions of this Agreement, without the prior written consent of the other party, with the exception of any filing required to be made by a party with a governmental authority (provided such party will use reasonable efforts to obtain confidential treatment or a protective order) or is made on a confidential basis as reasonably necessary to potential investors or acquirors and will duly advise the other party as soon as possible.
4. INTELLECTUAL PROPERTY RIGHTS
4.1 Notwithstanding anything to the contrary herein, (A) each party will retain all rights in the intellectual property rights or the Proprietary Rights that it owned or developed prior to the Effective Date or acquired or developed after the Effective Date, and (B) MetaSpark alone (and its licensors, where applicable) will retain all intellectual property rights relating to the Service or the Software or any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or any third party relating to the Service and/or the Software (collectively “Feedback”), which are hereby assigned to MetaSpark. Customer will not copy, distribute, reproduce or use any of the foregoing except as expressly permitted under this Agreement. Customer is hereby granted a non-exclusive, nontransferable, revocable right to use the Resulting Data for its internal analysis purposes only. This Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Service or Software, or any intellectual property rights.
4.2 MetaSpark shall indemnify and hold Customer harmless from liability to unaffiliated third parties resulting from infringement by the Service or Software of any United States patent or any copyright or misappropriation of any trade secret, provided MetaSpark is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; MetaSpark will not be responsible for any settlement it does not approve. The foregoing obligations do not apply with respect to portions or components of the Services (i) not created by MetaSpark, (ii) resulting in whole or in part in accordance with Customer specifications, (iii) that are modified by Customer after delivery by MetaSpark, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of is not strictly in accordance with this Agreement and all related documentation. Customer will indemnify MetaSpark from all damages, costs, settlements, attorneys' fees and expenses related to any claim of infringement or misappropriation excluded from MetaSpark's indemnity obligation by the preceding sentence.
5. PAYMENT OF FEES
5.1 Customer will pay MetaSpark the applicable fees as set forth on the order form to which these terms and conditions are attached (or, if applicable, such webpage or electronic site in which these terms were presented by MetaSpark) (the “Order Form” and, such fees, the “Fees”). If Customer’s use of the Services exceeds the Service Capacity set forth on the Order Form, Customer will be invoiced at the end of each calendar month for the excess usage over the Service Capacity, at the rate set forth on the Order Form, and Customer agrees to pay the additional fees without any right of set-off or deduction. To the extent applicable, Customer will pay MetaSpark for additional services, such as integration fees or other consulting fees. All payments will be made in accordance with the Payment Schedule and the Method of Payment. If not otherwise specified, payments will be due within sixty (60) days of invoice and are nonrefundable.
5.2 Fees under this Agreement are exclusive of all taxes, including national, state or provincial and local use, sales, value-added, property and similar taxes, if any. Customer agrees to pay such taxes (excluding US taxes based on MetaSpark's net income) unless Customer has provided MetaSpark with a valid exemption certificate. In the case of any withholding requirements, Customer will pay any required withholding itself and will not reduce the amount paid to MetaSpark on account thereof.
6.1 Subject to earlier termination as provided below, this Service Agreement is for the Service Term as specified in the Order Form.
6.2 In addition to any other termination rights granted to Customer herein, Customer may terminate this Agreement, or any Order Form entered into under this Agreement, without cause upon at least thirty (30) days prior written notice to MetaSpark.
6.3 In the event of any material breach of this Agreement (including any failure to pay), the non-breaching party may terminate this Agreement prior to the end of the Service Term by giving thirty (30) days (or ten (10) days in the case of nonpayment) prior written notice to the breaching party; provided, however, that this Agreement will not terminate if the breaching party has cured the breach prior to the expiration of such thirty-day period. Either party may terminate this Agreement, without notice, (i) upon the institution by or against the other party of insolvency, receivership or bankruptcy proceedings, (ii) upon the other party's making an assignment for the benefit of creditors, or (iii) upon the other party's dissolution or ceasing to do business.
6.4 All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, restrictions, accrued rights to payment, confidentiality obligations, intellectual property rights, warranty disclaimers, and limitations of liability.
7. CLIENT SOFTWARE SECURITY
MetaSpark represents and warrants that it will not knowingly include, in any MetaSpark software released to the public and provided to Customer hereunder, any computer code or other computer instructions, devices or techniques, including without limitation those known as disabling devices, trojans, or time bombs, that intentionally disrupt, disable, harm, infect, defraud, damage, or otherwise impede in any manner, the operation of a network, computer program or computer system or any component thereof, including its security or user data. If, at any time, MetaSpark fails to comply with the warranty in this Section, Customer may promptly notify MetaSpark in writing of any such noncompliance. MetaSpark will, within thirty (30) days of receipt of such written notification, either correct the noncompliance or provide Customer with a plan for correcting the noncompliance. If the noncompliance is not corrected or if a reasonably acceptable plan for correcting them is not established during such period, in addition to other remedies available to Customer under this Agreement and at law, Customer may terminate this Agreement.
8. WARRANTY DISCLAIMER
EXCEPT FOR THE WARRANTIES EXPRESSLY PROVIDED HEREIN, THE SERVICES AND METASPARK PROPRIETARY INFORMATION AND ANYTHING PROVIDED IN CONNECTION WITH THIS AGREEMENT ARE PROVIDED "AS-IS," WITHOUT ANY WARRANTIES OF ANY KIND. METASPARK (AND ITS AGENTS, AFFILIATES, LICENSORS AND SUPPLIERS) HEREBY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
9. LIMITATION OF LIABILITY
EXCLUDING BREACHES OF SECTIONS 3 OR 4 OR EITHER PARTY’S INDEMNIFICATION OBLIGATIONS, IN NO EVENT WILL EITHER PARTY (OR ANY OF ITS AGENTS, AFFILIATES, LICENSORS OR SUPPLIERS) BE LIABLE FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF THE SERVICES OR ANYTHING PROVIDED IN CONNECTION WITH THIS AGREEMENT, THE DELAY OR INABILITY TO USE THE SERVICES OR ANYTHING PROVIDED IN CONNECTION WITH THIS AGREEMENT OR OTHERWISE ARISING FROM THIS AGREEMENT, INCLUDING WITHOUT LIMITATION, LOSS OF REVENUE OR ANTICIPATED PROFITS OR LOST BUSINESS OR LOST SALES, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. THE TOTAL LIABILITY OF METASPARK, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, WILL NOT EXCEED, IN THE AGGREGATE, THE GREATER OF (A) $5,000 AND (B) THE FEES PAID TO METASPARK HEREUNDER IN THE THREE MONTH PERIOD ENDING ON THE DATE THAT A CLAIM OR DEMAND IS FIRST ASSERTED. THE FOREGOING LIMITATIONS WILL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
10. U.S. GOVERNMENT MATTERS
Notwithstanding anything else, Customer may not provide to any person or export or re-export or allow the export or re-export of the Services or any software or anything related thereto or any direct product thereof (collectively “Controlled Subject Matter”), in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. Without limiting the foregoing, Customer acknowledges and agrees that the Controlled Subject Matter will not be used or transferred or otherwise exported or re-exported to countries as to which the United States maintains an embargo (collectively, “Embargoed Countries”), or to or by a national or resident thereof, or any person or entity on the U.S. Department of Treasury’s List of Specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders (collectively, “Designated Nationals”). The lists of Embargoed Countries and Designated Nationals are subject to change without notice. Use of the Service is a representation and warranty that the user is not located in, under the control of, or a national or resident of an Embargoed Country or Designated National. The Controlled Subject Matter may use or include encryption technology that is subject to licensing requirements under the U.S. Export Administration Regulations. As defined in FAR section 2.101, any software and documentation provided by MetaSpark are “commercial items” and according to DFAR section 252.227 7014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use, modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Service Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by Customer except with MetaSpark’s prior written consent. MetaSpark may transfer and assign any of its rights and obligations under this Agreement with written notice to Customer. Both parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind MetaSpark in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; and upon receipt, if sent by certified or registered mail (return receipt requested), postage prepaid. MetaSpark will not be liable for any loss resulting from a cause over which it does not have direct control. This Agreement will be governed by the laws of the State of California, U.S.A. without regard to its conflict of laws provisions. The federal and state courts sitting in Los Angeles, California, U.S.A. will have proper and exclusive jurisdiction and venue with respect to any disputes arising from or related to the subject matter of this Agreement, provided that either party may seek injunctive relief in any court of competent jurisdiction.
Compliance with Laws
MetaSpark will comply with all laws and regulations applicable to its provision of the Online Services, including security breach notification law and Data Protection Requirements. However, MetaSpark is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers. MetaSpark does not determine whether Customer Data includes information subject to any specific law or regulation. All Security Incidents are subject to the Security Incident Notification terms below.
Customer must comply with all laws and regulations applicable to its use of Online Services, including laws related to biometric data, confidentiality of communications, and Data Protection Requirements. Customer is responsible for determining whether the Online Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the Online Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of an Online Service, such as a request to take down content under the U.S. Digital Millennium Copyright Act or other applicable laws.
The Agreement Terms apply to all MetaSpark Online Services except Beta Previews, in which Customer may manually opt to participate. Previews may employ lesser or different privacy and security measures than those typically present in MetaSpark Online Services. Unless otherwise noted, Customer should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in this Agreement do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and HIPAA Business Associate.
Nature of Data Processing; Ownership
MetaSpark will use and otherwise process Customer Data and Personal Data only in accordance with Customer’s documented instructions and as described and subject to the limitations provided below (a) to provide Customer the MetaSpark Online Services, and (b) for MetaSpark's legitimate business operations incident to delivery of the MetaSpark Online Services to Customer. As between the parties, Customer retains all right, title and interest in and to Customer Data. MetaSpark acquires no rights in Customer Data, other than the rights Customer grants to MetaSpark in this section. This paragraph does not affect MetaSpark’s rights in software or services MetaSpark licenses to Customer.
Processing to Provide Customer the MetaSpark Online Services
For purposes of this Agreement, “to provide” an Online Service consists of:
• Delivering functional capabilities as licensed, configured, and used by Customer and its users, including providing personalized user experiences;
• Troubleshooting (preventing, detecting, and repairing problems); and
• Ongoing improvement (installing the latest updates and making improvements to user productivity, reliability, efficacy, and security).
When providing MetaSpark Online Services, MetaSpark will not use or otherwise process Customer Data or Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) market research aimed at creating new functionalities, services, or products or any other purpose, unless such use or processing is in accordance with Customer’s documented instructions.
Processing for MetaSpark’s Legitimate Business Operations
For purposes of this Agreement, “MetaSpark’s legitimate business operations” consist of the following, each as incident to delivery of the MetaSpark Online Services to Customer: (1) billing and account management; (2) compensation (e.g., calculating employee commissions and partner incentives); (3) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, cybercrime, or cyber-attacks that may affect MetaSpark or MetaSpark Products; (5) improving the core functionality of accessibility, privacy or energy-efficiency; and (6) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Processed Data outlined below).
When processing for MetaSpark’s legitimate business operations, MetaSpark will not use or otherwise process Customer Data or Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) any other purpose, other than for the purposes set out in this section.
Disclosure of Processed Data
MetaSpark will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this Agreement; or (3) as required by law. For purposes of this section, “Processed Data” means: (a) Customer Data; (b) Personal Data; and (c) any other data processed by MetaSpark in connection with the Online Service that is Customer’s confidential information under the volume license agreement. All processing of Processed Data is subject to MetaSpark’s obligation of confidentiality under the volume license agreement. MetaSpark will not disclose or provide access to any Processed Data to law enforcement unless required by law. If law enforcement contacts MetaSpark with a demand for Processed Data, MetaSpark will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose or provide access to any Processed Data to law enforcement, MetaSpark will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.
Upon receipt of any other third-party request for Processed Data, MetaSpark will promptly notify Customer unless prohibited by law. MetaSpark will reject the request unless required by law to comply. If the request is valid, MetaSpark will attempt to redirect the third party to request the data directly from Customer.
MetaSpark will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Processed Data; (b) platform encryption keys used to secure Processed Data or the ability to break such encryption; or (c) access to Processed Data if MetaSpark is aware that the data is to be used for purposes other than those stated in the third party’s request. In support of the above, MetaSpark may provide Customer’s basic contact information to the third party.
Processing of Personal Data; GDPR
All Personal Data processed by MetaSpark in connection with the MetaSpark Online Services is obtained as either Customer Data, Diagnostic Data, or Service Generated Data. Personal Data provided to MetaSpark by, or on behalf of, Customer through use of the Online Service is also Customer Data. Pseudonymized identifiers may be included in Diagnostic Data or Service Generated Data and are also Personal Data. Any Personal Data pseudonymized, or de-identified but not anonymized, or Personal Data derived from Personal Data is also Personal Data.
Processor and Controller Roles and Responsibilities
Customer and MetaSpark agree that Customer is the controller of Personal Data and MetaSpark is the processor of such data, except (a) when Customer acts as a processor of Personal Data, in which case MetaSpark is a subprocessor; or (b) as stated otherwise in the Online Service Specific terms or this Agreement. When MetaSpark acts as the processor or subprocessor of Personal Data, it will process Personal Data only on documented instructions from Customer. Customer agrees that its volume licensing agreement (including the Agreement Terms and any applicable updates), along with the product documentation and Customer’s use and configuration of features in the MetaSpark Online Services, are Customer’s complete documented instructions to MetaSpark for the processing of Personal Data. In any instance where the GDPR applies and Customer is a processor, Customer warrants to MetaSpark that Customer’s instructions, including appointment of MetaSpark as a processor or subprocessor, have been authorized by the relevant controller. To the extent MetaSpark uses or otherwise processes Personal Data subject to the GDPR for MetaSpark’s legitimate business operations incident to delivery of the MetaSpark Online Services to Customer, MetaSpark will comply with the obligations of an independent data controller under GDPR for such use. MetaSpark is accepting the added responsibilities of a data “controller” under GDPR for processing in connection with its legitimate business operations to: (a) act consistent with regulatory requirements, to the extent required under GDPR; and (b) provide increased transparency to Customers and confirm MetaSpark’s accountability for such processing. MetaSpark employs safeguards to protect Customer Data and Personal Data in processing, including those identified in this Agreement and those contemplated in Article 6(4) of the GDPR.
The parties acknowledge and agree that:
• Subject Matter.
The subject-matter of the processing is limited to Personal Data within the scope of the section of this Agreement entitled “Nature of Data Processing; Ownership” above and the GDPR.
• Duration of the Processing.
The duration of the processing shall be in accordance with Customer instructions and the terms of the Agreement.
• Nature and Purpose of the Processing.
The nature and purpose of the processing shall be to provide the Online Service pursuant to Customer’s volume licensing agreement and for MetaSpark’s legitimate business operations incident to delivery of the Online Service to Customer (as further described in the section of this Agreement entitled “Nature of Data Processing; Ownership” above).
• Categories of Data.
The types of Personal Data processed by MetaSpark when providing the Online Service include: (i) Personal Data that Customer elects to include in Customer Data; and (ii) those expressly identified in Article 4 of the GDPR that may be contained in Diagnostic Data or Service Generated Data. The types of Personal Data that Customer elects to include in Customer Data may be any categories of Personal Data identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR.
• Data Subjects.
The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and may include any other categories of data subjects as identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR.
Data Subject Rights; Assistance with Requests
MetaSpark will make available to Customer, in a manner consistent with the functionality of the Online Service and MetaSpark’s role as a processor of Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the GDPR. If MetaSpark receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an Online Service for which MetaSpark is a data processor or subprocessor, MetaSpark will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Online Service. MetaSpark shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.
Records of Processing Activities
To the extent the GDPR requires MetaSpark to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to MetaSpark and keep it accurate and up-to-date. MetaSpark may make any such information available to the supervisory authority if required by the GDPR.
Data Security
Security Practices and Policies
MetaSpark will implement and maintain appropriate technical and organizational measures to protect Customer Data and Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Those measures shall be set forth in a MetaSpark Security Policy. MetaSpark will make that policy available to Customer, along with descriptions of the security controls in place for the Online Service and other information reasonably requested by Customer regarding MetaSpark security practices and policies. In addition, those measures shall comply with the requirements set forth in ISO 27001, ISO 27002, and ISO 27018. Each Core Online Service also complies with the control standards and frameworks shown in the table in Attachment 1 to the OST (or successor location in the Use Rights) and implements and maintains the security measures set forth in Appendix A for the protection of Customer Data.
MetaSpark may add industry or government standards at any time. MetaSpark will not eliminate ISO 27001, ISO 27002, ISO 27018 or the standards or frameworks in the table in Attachment 1 to the OST (or successor location in the Use Rights), unless it is no longer used in the industry and it is replaced with a successor (if any).
Customer Data (including any Personal Data therein) in transit over public networks between Customer and MetaSpark, or between MetaSpark data centers, is encrypted by default. MetaSpark also encrypts Customer Data stored at rest in MetaSpark Online Services. In the case of MetaSpark Online Services on which Customer or a third-party acting on Customer’s behalf may build applications (e.g., certain Azure Services), encryption of data stored in such applications may be employed at the discretion of Customer, using either capabilities provided by MetaSpark or obtained by Customer from third parties.
MetaSpark employs least privilege access mechanisms to control access to Customer Data (including any Personal Data therein). For Core MetaSpark Online Services, MetaSpark maintains Access Control mechanisms described in the table entitled “Security Measures” in Appendix 1 – Notices, and there is no standing access by MetaSpark personnel to Customer Data. Role-based access controls are employed to ensure that access to Customer Data required for service operations is for an appropriate purpose, for a limited time, and approved with management oversight.
Customer is solely responsible for making an independent determination as to whether the technical and organizational measures for an Online Service meet Customer’s requirements, including any of its security obligations under applicable Data Protection Requirements. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by MetaSpark provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls (such as devices enrolled with MetaSpark Intune or within a MetaSpark Azure customer’s virtual machine or application).
MetaSpark will conduct audits of the security of the computers, computing environment and physical data centers that it uses in processing Customer Data and Personal Data, as follows:
• Where a standard or framework provides for audits, an audit of such control standard or framework will be initiated at least annually.
• Each audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework.
• Each audit will be performed by qualified, independent, third party security auditors at MetaSpark’s selection and expense.
Each audit will result in the generation of an audit report (“MetaSpark Audit Report”), which MetaSpark will make available upon request to Customer. The MetaSpark Audit Report will be MetaSpark’s Confidential Information and will clearly disclose any material findings by the auditor. MetaSpark will promptly remediate issues raised in any MetaSpark Audit Report to the satisfaction of the auditor. If Customer requests, MetaSpark will provide Customer with each MetaSpark Audit Report. The MetaSpark Audit Report will be subject to non-disclosure and distribution limitations of MetaSpark and the auditor.
To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Requirements cannot reasonably be satisfied through audit reports, documentation or compliance information MetaSpark makes generally available to its customers, MetaSpark will promptly respond to Customer’s additional audit instructions. Before the commencement of an audit, Customer and MetaSpark will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit MetaSpark to unreasonably delay performance of the audit. To the extent needed to perform the audit, MetaSpark will make the processing systems, facilities and supporting documentation relevant to the processing of Customer Data and Personal Data by MetaSpark, its Affiliates, and its Subprocessors available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to MetaSpark, and subject to reasonable confidentiality procedures. Neither Customer nor the auditor shall have access to any data from MetaSpark’s other customers or to MetaSpark systems or facilities not involved in the MetaSpark Online Services.
Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time MetaSpark expends for any such audit, in addition to the rates for services performed by MetaSpark. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with MetaSpark and MetaSpark shall promptly cure any material non-compliance.
Security Incident Notification
If MetaSpark becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by MetaSpark (each a “Security Incident”), MetaSpark will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means MetaSpark selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable MetaSpark Online Services portal. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
MetaSpark shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
MetaSpark’s notification of or response to a Security Incident under this section is not an acknowledgement by MetaSpark of any fault or liability with respect to the Security Incident.
Customer must notify MetaSpark promptly about any possible misuse of its accounts or authentication credentials or any security incident related to an Online Service.
Data Transfers and Location
Data Transfers
Customer Data and Personal Data that MetaSpark processes on Customer’s behalf may not be transferred to, or stored and processed in a geographic location except in accordance with the Agreement Terms and the safeguards provided below in this section. Taking into account such safeguards, Customer appoints MetaSpark to transfer Customer Data and Personal Data to the United States or any other country in which MetaSpark or its Subprocessors operate and to store and process Customer Data and Personal Data to provide the MetaSpark Online Services, except as described elsewhere in the Agreement Terms.
MetaSpark will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area, United Kingdom, and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
In addition, MetaSpark is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail, although MetaSpark does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18. MetaSpark agrees to notify Customer if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
Location of Customer Data at Rest
For the Core MetaSpark Online Services, MetaSpark will store Customer Data at rest within certain major geographic areas (each, a Geo) as set forth in Attachment 1 to the OST (or successor location in the Use Rights).
MetaSpark does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.
Data Retention and Deletion
At all times during the term of Customer’s subscription, Customer will have the ability to access, extract and delete Customer Data stored in each Online Service.
Except for free trials and LinkedIn services, MetaSpark will retain Customer Data that remains stored in MetaSpark Online Services in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, MetaSpark will disable Customer’s account and delete the Customer Data and Personal Data within an additional 90 days, unless MetaSpark is permitted or required by applicable law, or authorized under this Agreement, to retain such data.
The Online Service may not support retention or extraction of software provided by Customer. MetaSpark has no liability for the deletion of Customer Data or Personal Data as described in this section.
Processor Confidentiality Commitment
MetaSpark will ensure that its personnel engaged in the processing of Customer Data and Personal Data (i) will process such data only on instructions from Customer or as described in this Agreement, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. MetaSpark shall provide periodic and mandatory data privacy and security training and awareness to its employees with access to Customer Data and Personal Data in accordance with applicable Data Protection Requirements and industry standards.
Notice and Controls on use of Subprocessors
MetaSpark may hire Subprocessors to provide certain limited or ancillary services on its behalf. Customer consents to this engagement and to MetaSpark Affiliates as Subprocessors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by MetaSpark of the processing of Customer Data and Personal Data if such consent is required under the Standard Contractual Clauses or the GDPR Terms. MetaSpark is responsible for its Subprocessors’ compliance with MetaSpark’s obligations in this Agreement. MetaSpark makes available information about Subprocessors on a MetaSpark website. When engaging any Subprocessor, MetaSpark will ensure via a written contract that the Subprocessor may access and use Customer Data or Personal Data only to deliver the services MetaSpark has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. MetaSpark will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of MetaSpark by the Agreement, including the limitations on disclosure of Processed Data. MetaSpark agrees to oversee the Subprocessors to ensure that these contractual obligations are met.
From time to time, MetaSpark may engage new Subprocessors. MetaSpark will give Customer notice (by updating the website and providing Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 6 months in advance of providing that Subprocessor with access to Customer Data. Additionally, MetaSpark will give Customer notice (by updating the website and providing Customer with a mechanism to obtain notice of that update) of any new Subprocessor at least 30 days in advance of providing that Subprocessor with access to Personal Data other than that which is contained in Customer Data.
If MetaSpark engages a new Subprocessor for a new Online Service, MetaSpark will give Customer notice prior to availability of that Online Service.
If Customer does not approve of a new Subprocessor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the relevant notice period, written notice of termination. Customer may also include an explanation of the grounds for non-approval together with the termination notice, in order to permit MetaSpark to re-evaluate any such new Subprocessor based on the applicable concerns. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite. After termination, MetaSpark will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.
If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), apply, MetaSpark acknowledges that for the purposes of the Agreement, MetaSpark is a “school official” with “legitimate educational interests” in the Customer Data, as those terms have been defined under FERPA and its implementing regulations, and MetaSpark agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials.
Customer understands that MetaSpark may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any parental consent for any end user’s use of the Online Service that may be required by applicable law and to convey notification on behalf of MetaSpark to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in MetaSpark’s possession as may be required under applicable law.
California Consumer Privacy Act (CCPA)
If MetaSpark is processing Personal Data within the scope of the CCPA, MetaSpark makes the following additional commitments to Customer. MetaSpark will process Customer Data and Personal Data on behalf of Customer and not retain, use, or disclose that data for any purpose other than for the purposes set out in the Agreement Terms and as permitted under the CCPA, including under any “sale” exemption. In no event will MetaSpark sell any such data. These CCPA terms do not limit or reduce any data protection commitments MetaSpark makes to Customer in the Agreement Terms, Use Rights, or other agreement between MetaSpark and Customer.
If Customer uses an Online Service to process Biometric Data, Customer is responsible for: (i) providing notice to data subjects, including with respect to retention periods and destruction; (ii) obtaining consent from data subjects; and (iii) deleting the Biometric Data, all as appropriate and required under applicable Data Protection Requirements. MetaSpark will process that Biometric Data following Customer’s documented instructions (as described in the “Processor and Controller Roles and Responsibilities” section above) and protect that Biometric Data in accordance with the data security and protection terms under this Agreement. For purposes of this section, “Biometric Data” will have the meaning set forth in Article 4 of the GDPR and, if applicable, equivalent terms in other Data Protection Requirements.
MetaSpark Corporation (“MetaSpark”) provides additional safeguards to Customer and additional redress to the data subjects to whom Customer’s personal data relates.
This Addendum supplements and is made part of, but is not in variation or modification of, the terms outlined above.
1. Challenges to Orders. In the event MetaSpark receives an order from any third party for compelled disclosure of any personal data, MetaSpark shall:
a. use every reasonable effort to redirect the third party to request data directly from Customer;
b. promptly notify Customer, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying Customer, use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible; and
c. use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law. For the purpose of this section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
2. Indemnification of Data Subjects. Subject to Sections 3 and 4, MetaSpark shall indemnify a data subject for any material or non-material damage to the data subject caused by MetaSpark’s disclosure of personal data of the data subject in response to an order from a non-EU/EEA government body or law enforcement agency (a “Relevant Disclosure”). Notwithstanding the foregoing, MetaSpark shall have no obligation to indemnify the data subject under this Section 2 to the extent the data subject has already received compensation for the same damage, whether from MetaSpark or otherwise.
3. Conditions of Indemnification. Indemnification under Section 2 is conditional upon the data subject establishing, to MetaSpark’s reasonable satisfaction, that:
a. MetaSpark engaged in a Relevant Disclosure;
b. the Relevant Disclosure was the basis of an official proceeding by the non-EU/EEA government body or law enforcement agency against the data subject; and
c. the Relevant Disclosure directly caused the data subject to suffer material or non-material damage.
The data subject bears the burden of proof with respect to conditions a. through c.
Notwithstanding the foregoing, MetaSpark shall have no obligation to indemnify the data subject under Section 2 if MetaSpark establishes that the Relevant Disclosure did not violate its obligations under Chapter V of the GDPR.
4. Scope of Damages.
Indemnification under Section 2 is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from MetaSpark’s infringement of the GDPR.
5. Exercise of Rights.
Rights granted to data subjects under this Addendum may be enforced by the data subject against MetaSpark irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. The data subject may only bring a claim under this Addendum on an individual basis, and not part of a class, collective, group or representative action. Rights granted to data subjects under this Addendum are personal to the data subject and may not be assigned.
6. Notice of Change.
MetaSpark agrees and warrants that it has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the data exporter and its obligations under this Addendum or the Standard Contractual Clauses and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum or the Standard Contractual Clauses, it will promptly notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.
This Addendum shall automatically terminate if the European Commission, a competent Member State supervisory authority, or an EU or competent Member State court approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Addendum will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Addendum.
MetaSpark makes the commitments in these GDPR Terms to all customers effective May 25, 2020. These commitments are binding upon MetaSpark with regard to Customer regardless of (1) the version of the OST and Agreement that is otherwise applicable to any given MetaSpark Online Services subscription or (2) any other agreement that references this attachment.
For purposes of these GDPR Terms, Customer and MetaSpark agree that Customer is the controller of Personal Data and MetaSpark is the processor of such data, except when Customer acts as a processor of Personal Data, in which case MetaSpark is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by MetaSpark on behalf of Customer. These GDPR Terms do not limit or reduce any data protection commitments MetaSpark makes to Customer in the Use Rights or other agreement between MetaSpark and Customer. These GDPR Terms do not apply where MetaSpark is a controller of Personal Data.
Relevant GDPR Obligations: Articles 28, 32, and 33
1. MetaSpark shall not engage another processor without prior specific or general written authorisation of Customer. In the case of general written authorisation, MetaSpark shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. (Article 28(2))
2. Processing by MetaSpark shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on MetaSpark with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in the Customer’s licensing agreement, including these GDPR Terms. In particular, MetaSpark shall:
(a) process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which MetaSpark is subject; in such a case, MetaSpark shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required pursuant to Article 32 of the GDPR;
(d) respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
(e) taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
(f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to MetaSpark;
(g) at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
(h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
MetaSpark shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
3. Where MetaSpark engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, MetaSpark shall remain fully liable to the Customer for the performance of that other processor's obligations. (Article 28(4))
4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and MetaSpark shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Article 32(1))
5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
6. Customer and MetaSpark shall take steps to ensure that any natural person acting under the authority of Customer or MetaSpark who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4))
7. MetaSpark shall notify Customer without undue delay after becoming aware of a Personal Data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to MetaSpark.
Execution of the licensing agreement by Customer includes execution of this agreement which is countersigned by MetaSpark Corporation.
In countries where regulatory approval is required for use of the Standard Contractual Clauses, the Standard Contractual Clauses cannot be relied upon under European Commission 2010/87/EU (of February 2010) to legitimize export of data from the country, unless Customer has the required regulatory approval.
Beginning May 25, 2018 and thereafter, references to various Articles from the Directive 95/46/EC in the Standard Contractual Clauses below will be treated as references to the relevant and appropriate Articles in the GDPR.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, Customer (as data exporter) and MetaSpark Corporation (as data importer, whose signature appears below), each a “party,” together “the parties,” have agreed on the following Contractual Clauses (the “Clauses” or “Standard Contractual Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1: Definitions
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2: Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 below which forms an integral part of the Clauses.
Clause 3: Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4: Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 below;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5: Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, (ii) any accidental or unauthorized access, and (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11; and
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6: Liability
1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7: Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8: Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9: Governing Law.
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10: Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11: Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12: Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
Data exporter: Customer is the data exporter. The data exporter is a user of Online Services or Professional Services as defined in the DPA and OST.
Data importer: The data importer is METASPARK CORPORATION, a global producer of software and services.
Data subjects: Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. MetaSpark acknowledges that, depending on Customer’s use of the Online Service or Professional Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:
• Employees, contractors and temporary workers (current, former, prospective) of data exporter;
• Dependents of the above;
• Data exporter's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
• Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of data exporter's services;
• Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/or use communication tools such as apps and websites provided by the data exporter;
• Stakeholders or individuals who passively interact with data exporter (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the data exporter);
• Minors; or
• Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
Categories of data:
The personal data transferred that is included in e-mail, documents and other data in an electronic form in the context of the Online Services or Professional Services. MetaSpark acknowledges that, depending on Customer’s use of the Online Service or Professional Services, Customer may elect to include personal data from any of the following categories in the personal data:
• Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
• Authentication data (for example user name, password or PIN code, security question, audit trail);
• Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
• Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
• Pseudonymous identifiers;
• Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);
• Commercial Information (for example history of purchases, special offers, subscription information, payment history);
• Biometric Information (for example DNA, fingerprints and iris scans);
• Location data (for example, Cell ID, geo-location network data, location by start call/end of the call. Location data derived from use of wifi access points);
• Photos, video and audio;
• Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);
• Device identification (for example IMEI-number, SIM card number, MAC address);
• Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
• HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations);
• Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);
• Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
• Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
• Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offenses); or
• Any other personal data identified in Article 4 of the GDPR.
The personal data transferred will be subject to the following basic processing activities:
a. Duration and Object of Data Processing. The duration of data processing shall be for the term designated under the applicable volume licensing agreement between data exporter and the MetaSpark entity to which these Standard Contractual Clauses are annexed (“MetaSpark”). The objective of the data processing is the performance of Online Services and Professional Services.
b. Scope and Purpose of Data Processing. The scope and purpose of processing personal data is described in the “Processing of Personal Data; GDPR” section of the DPA. The data importer operates a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors operate such facilities in accordance with the “Security Practices and Policies” section of the DPA.
c. Customer Data and Personal Data Access. For the term designated under the applicable volume licensing agreement data importer will at its election and as necessary under applicable law implementing Article 12(b) of the EU Data Protection Directive, either: (1) provide data exporter with the ability to correct, delete, or block Customer Data and personal data, or (2) make such corrections, deletions, or blockages on its behalf.
d. Data Exporter’s Instructions. For Online Services and Professional Services, data importer will only act upon data exporter’s instructions as conveyed by MetaSpark.
e. Customer Data and Personal Data Deletion or Return. Upon expiration or termination of data exporter’s use of Online Services or Professional Services, it may extract Customer Data and personal data and data importer will delete Customer Data and personal data, each in accordance with the DPA Terms applicable to the agreement.
In accordance with the DPA, the data importer may hire other companies to provide limited services on data importer’s behalf, such as providing customer support. Any such subcontractors will be permitted to obtain Customer Data and personal data only to deliver the services the data importer has retained them to provide, and they are prohibited from using Customer Data and personal data for any other purpose.
Appendix 2 to the Standard Contractual Clauses
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
1. Personnel. Data importer’s personnel will not process Customer Data or personal data without authorization. Personnel are obligated to maintain the confidentiality of any such Customer Data and personal data and this obligation continues even after their engagement ends.
2. Data Privacy Contact. The data privacy officer of the data importer can be reached at the following address: MetaSpark Corporation Attn: Chief Privacy Officer 8605 Santa Monica Blvd #44942, West Hollywood, CA 90069
3. Technical and Organization Measures. The data importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Customer Data and personal data, as defined in the Security Practices and Policies section of the DPA, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows: The technical and organizational measures, internal controls, and information security routines set forth in the Security Practices and Policies section of the DPA are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.
Organization of Information Security
MetaSpark has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.
Security Roles and Responsibilities.
MetaSpark personnel with access to Customer Data are subject to confidentiality obligations.
Risk Management Program.
MetaSpark performed a risk assessment before processing the Customer Data or launching the Online Services service.
MetaSpark retains its security documents pursuant to its retention requirements after they are no longer in effect.
MetaSpark maintains an inventory of all media on which Customer Data is stored. Access to the inventories of such media is restricted to MetaSpark personnel authorized in writing to have such access.
MetaSpark classifies Customer Data to help identify it and to allow for access to it to be appropriately restricted.
- MetaSpark imposes restrictions on printing Customer Data and has procedures for disposing of printed materials that contain Customer Data. MetaSpark personnel must obtain MetaSpark authorization prior to storing Customer Data on portable devices, remotely accessing Customer Data, or processing Customer Data outside MetaSpark’s facilities.
Human Resources Security
MetaSpark informs its personnel about relevant security procedures and their respective roles. MetaSpark also informs its personnel of possible consequences of breaching the security rules and procedures. MetaSpark will only use anonymous data in training.
Physical and Environmental Security
Physical Access to Facilities.
MetaSpark limits access to facilities where information systems that process Customer Data are located to identified authorized individuals.
Physical Access to Components.
MetaSpark maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Customer Data they contain.
Protection from Disruptions.
MetaSpark uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
Component Disposal. MetaSpark uses industry standard processes to delete Customer Data when it is no longer needed.
Communications and Operations Management
MetaSpark maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.
Data Recovery Procedures
- On an ongoing basis, but in no case less frequently than once a week (unless no Customer Data has been updated during that period), MetaSpark maintains multiple copies of Customer Data from which Customer Data can be recovered.
- MetaSpark stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.
- MetaSpark has specific procedures in place governing access to copies of Customer Data.
MetaSpark reviews data recovery procedures at least every six months, except for data recovery procedures for Azure Government Services, which are reviewed every twelve months.
- MetaSpark logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process.
Malicious Software. MetaSpark has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.
Data Beyond Boundaries
- MetaSpark encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks.
- MetaSpark restricts access to Customer Data in media leaving its facilities.
Event Logging. MetaSpark logs, or enables Customer to log, access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.
MetaSpark maintains a record of security privileges of individuals having access to Customer Data.
- MetaSpark maintains and updates a record of personnel authorized to access MetaSpark systems that contain Customer Data.
- MetaSpark deactivates authentication credentials that have not been used for a period of time not to exceed six months.
- MetaSpark identifies those personnel who may grant, alter or cancel authorized access to data and resources.
- MetaSpark ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins.
- Technical support personnel are only permitted to have access to Customer Data when needed.
- MetaSpark restricts access to Customer Data to only those individuals who require such access to perform their job function.
Integrity and Confidentiality
- MetaSpark instructs MetaSpark personnel to disable administrative sessions when leaving premises MetaSpark controls or when computers are otherwise left unattended.
- MetaSpark stores passwords in a way that makes them unintelligible while they are in force.
- MetaSpark uses industry standard practices to identify and authenticate users who attempt to access information systems.
- Where authentication mechanisms are based on passwords, MetaSpark requires that the passwords are renewed regularly.
- Where authentication mechanisms are based on passwords, MetaSpark requires the password to be at least eight characters long.
- MetaSpark ensures that de-activated or expired identifiers are not granted to other individuals.
- MetaSpark monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password.
- MetaSpark maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
- MetaSpark uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
MetaSpark has controls to avoid individuals assuming access rights they have not been assigned to gain access to Customer Data they are not authorized to access.
Information Security Incident Management
Incident Response Process
- MetaSpark maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
- For each security breach that is a Security Incident, notification by MetaSpark (as described in the “Security Incident Notification” section above) will be made without undue delay and, in any event, within 72 hours.
- MetaSpark tracks, or enables Customer to track, disclosures of Customer Data, including what data has been disclosed, to whom, and at what time.
MetaSpark security personnel verify logs at least every six months to propose remediation efforts if necessary.
Business Continuity Management
- MetaSpark maintains emergency and contingency plans for the facilities in which MetaSpark information systems that process Customer Data are located.
- MetaSpark’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original or last-replicated state from before the time it was lost or destroyed.