By signing a sales order, by using CONSENSUS Software as a Service (SaaS), or by accepting services from CONSENSUS Professional Services, you agree to the following agreements:
- Master Subscription Agreement and Terms of Service
- Service Level Agreement
- Data Protection Agreement
Master Subscription Agreement and Terms of Services
THIS AGREEMENT GOVERNS YOUR ORGANIZATION’S ACQUISITION AND USE OF CONSENSUS SALES, INC. (HEREAFTER “CONSENSUS”) SOFTWARE SERVICES.
IF YOU REGISTER FOR A FREE TRIAL FOR OUR SERVICES, THIS AGREEMENT WILL ALSO GOVERN THAT FREE TRIAL. BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE OR BY EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES.
You may not access the Services if You are Our direct competitor, except with Our prior written consent. In addition, You may access, with Our prior written consent, the Services for purposes of monitoring their availability, performance or functionality.
Your use of the Services constitutes your agreement to these terms. It is effective between You and Us as of the date you sign an Order Form or first use the Services, whichever is earlier.
The Agreement incorporates the following components: (1) the Consensus Service Level Agreement (Exhibit A), and (2) the Consensus Data Protection Agreement as Exhibit B. Unless otherwise specified, terms defined in this Agreement shall have the same meaning when used in any other document made part of this Agreement.
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 “Agreement” means this Master Subscription Agreement and Terms of Service.
1.3 “Beta Services” means Our services that are not generally available to customers.
1.4 “Content” means information obtained by Us from Our content licensors or publicly available sources and provided to You pursuant to an Order Form, as more fully described in the Documentation.
1.5 “Customer” means You and the organization for which you are entering this Agreement.
1.6 “Documentation” means our online user help, guides, documentation, and training materials, as updated from time to time, accessible via our website or after login to the applicable Service.
1.7 “Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.
1.8 “Non-CONSENSUS Applications” means a Web-based or offline software application that is provided by You or a third party and interoperates with a Service.
1.9 “Order Form” means an ordering document specifying the Services to be provided hereunder that is entered into between You and Us or any of Our Affiliates, including any addenda and supplements thereto. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.
1.10 “Purchased Services” means Services that You or Your Affiliate purchase under an Order Form, as distinguished from those provided pursuant to a free trial.
1.11 “Services” means the products and services that are ordered by You under a free trial or an Order Form and made available online by Us as described in the Documentation. “Services” exclude Content and Non-CONSENSUS Applications.
1.12 “Taxes” means any form of taxation of whatever nature and by whatever authority imposed, including any interest, surcharges or penalties, arising from or relating to this Agreement or any Consensus Content or Services, other than taxes based on the net income of Consensus.
1.13 “User” means an individual who is authorized by You to use a Service, for whom You have ordered the Service, and to whom You (or We at Your request) have supplied a user identification and password. Users may include, for example, Your employees, consultants, contractors and agents, and third parties with which You transact business.
1.14 “We,” “Us” or “Our“, and “CONSENSUS” means CONSENSUS, Inc, a Delaware corporation, located at 125 E. Main Street, #118, American Fork, UT 84003.
1.15 “You” or “Your” means the company or other legal entity for which you are accepting this Agreement, and Affiliates of that company or entity.
1.16 “Your Data” means electronic data submitted by or for You to the Purchased Services or collected and processed by or for You using the Purchased Services, excluding Content and Non-CONSENSUS Applications.
2. OUR RESPONSIBILITIES
2.1 Provision of Purchased Services. We will (a) make the Services and Content available to You pursuant to this Agreement and the applicable Order Forms, (b) provide Our standard support for the Purchased Services to You at no additional charge, and/or upgraded support if purchased, and (c) use commercially reasonable efforts to make the online Purchased Services available 24 hours a day, 7 days a week, except for: (i) planned downtime (of which We shall give at least 24 hours electronic notice and which We shall schedule to the extent practicable during the weekend hours between 6:00 p.m. Friday and 3:00 a.m. Monday Mountain time), and (ii) any unavailability caused by Force Majeure Events.
2.2 Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Your Data by Our personnel except (a) to provide the Purchased Services and prevent or address service or technical problems, (b) as compelled by law in accordance with Section 8.3 (Compelled Disclosure) below, or (c) as You expressly permit in writing.
2.3 Our Personnel. We will be responsible for the performance of Our personnel (including Our employees and contractors) and their compliance with Our obligations under this Agreement, except as otherwise specified herein.
2.4 Beta Services. From time to time, We may invite You to try Beta Services at no charge. You may accept or decline any such trial in Your sole discretion. Beta Services will be clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation or by a description of similar import. Beta Services are for evaluation purposes and not for production use, are not considered “Services” under this Agreement, are not supported, and may be subject to additional terms. Unless otherwise stated, any Beta Services trial period will expire upon the earlier of one year from the trial start date or the date that a version of the Beta Services becomes generally available. We may discontinue Beta Services at any time in Our sole discretion and may never make them generally available. We will have no liability for any harm or damage, including lost or inaccessible data or unavailability of Beta Services, arising out of or in connection with a Beta Service.
3. USE OF SERVICES AND CONTENT
3.1 Subscriptions. Unless otherwise provided in the applicable Order Form: (a) Services and Content are purchased as subscriptions, (b) subscriptions may be added during a subscription term at the same pricing as the underlying subscription pricing, prorated for the portion of that subscription term remaining at the time the subscriptions are added, and (c) any added subscriptions will terminate on the same date as the underlying subscriptions.
3.2 Usage Limits. Services and Content are subject to usage limits, including, for example, the quantities specified in Order Forms. Unless otherwise specified; (a) a quantity in an Order Form refers to Users, and the Service or Content may not be accessed by more than that number of Users, (b) a User’s password may not be shared with any other individual, and (c) a User identification may be reassigned to a new individual replacing one who no longer requires ongoing use of the Service or Content. If You exceed a contractual usage limit, We may work with You to seek to reduce Your usage so that it conforms to that limit. If, notwithstanding Our efforts, You are unable or unwilling to abide by a contractual usage limit, You will execute an Order Form for additional quantities of the applicable Services or Content promptly upon Our request, and/or pay any invoice for excess usage in accordance with Section 6.2 (Invoicing and Payment).
3.3 Your Responsibilities. You will: (a) be responsible for Users’ compliance with this Agreement, (b) be responsible for the accuracy, quality and legality of Your Data and the means by which You acquired Your Data, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services and Content, and notify Us promptly of any such unauthorized access or use, (d) use Services and Content only in accordance with the Documentation and applicable laws and government regulations, and (e) comply with terms of service of Non- CONSENSUS Applications with which You use Services or Content.
3.4 Usage Restrictions. You will not: (a) make any Service or Content available to, or use any Service or Content for the benefit of, anyone other than You or Users, (b) sell, resell, license, sublicense, distribute, rent or lease any Service or Content, or include any Service or Content in a service bureau or outsourcing offering, (c) use a Service to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use a Service to store or transmit Malicious Code, (e) interfere with or disrupt the integrity or performance of any Service or third-party data contained therein, (f) attempt to gain unauthorized access to any Service or Content or its related systems or networks, (g) permit direct or indirect access to or use of any Service or Content in a way that circumvents a contractual usage limit, (h) copy a Service or any part, feature, function or user interface thereof, (i) copy Content except as permitted herein or in an Order Form or the Documentation, (j) frame or mirror any part of any Service or Content, other than framing on Your own intranets or otherwise for Your own internal business purposes or as permitted in the Documentation, (k) access any Service or Content in order to build a competitive product or service, or (l) reverse engineer any Service (to the extent such restriction is permitted by law).
3.5 Removal of Content and Non-CONSENSUS Applications. If We are required by a licensor to remove Content, or receive information that Content provided to You may violate applicable law or third-party rights, We may so notify You and in such event You will promptly remove such Content from Your systems. If You do not take required action in accordance with the above, We may disable the applicable Content, Service and/or Non-CONSENSUS Application until the potential violation is resolved.
4. NON-CONSENSUS PROVIDERS
4.1 Integration with Non-CONSENSUS Applications. The Services may contain features designed to interoperate with Non-CONSENSUS Applications. Consensus makes no warranty or guarantee as to the interoperability of any Non-CONSENSUS Application with any Service or Content and Your use of any Non-CONSENSUS application is wholly at Your own risk. To use such features, You may be required to obtain access to Non-CONSENSUS Applications from their providers, and may be required to grant Us access to Your account(s) on the Non-CONSENSUS Applications. If the provider of a Non-CONSENSUS Application ceases to make the Non- CONSENSUS Application available for interoperation with the corresponding Service features on reasonable terms, or Consensus chooses to remove interoperability with any Non-CONSENSUS Application We may cease providing those Service features without entitling You to any refund, credit, or other compensation.
5. FEES AND PAYMENT FOR PURCHASED SERVICES
5.1 You will pay all fees specified in Order Forms. Except as otherwise specified herein or in an Order Form: (i) fees are based on Services and Content purchased as identified on an Order Form and not Your actual usage of any products (meaning if you fail to use the Service the full amount of all fees are still due), (ii) payment obligations are non- cancelable and fees paid are non-refundable, and (iii) quantities purchased cannot be decreased during the relevant subscription term.
5.2 Invoicing and Payment. You will provide Us with valid and updated credit card information, or with a valid purchase order or alternative document reasonably acceptable to Us. If You provide credit card information to Us, You authorize Us to charge such credit card for all Purchased Services listed in the Order Form for the initial subscription term and any renewal subscription term(s) as set forth in Section 12.2 (Term of Purchased Subscriptions). Such charges shall be made in advance, either annually or in accordance with any different billing frequency stated in the applicable Order Form. If the Order Form specifies that payment will be by a method other than a credit card, We will invoice You in advance and otherwise in accordance with the relevant Order Form. Unless otherwise stated in the Order Form, invoiced charges are due net 14 days from the invoice date. You are responsible for providing complete and accurate billing and contact information to Us and notifying Us of any changes to such information.
5.3 Overdue Charges. If any invoiced amount is not received by Us by the due date, then without limiting Our rights or remedies, (a) those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and/or (b) We may condition future subscription renewals and Order Forms on payment terms shorter than those specified in Section 6.2 (Invoicing and Payment).
5.4 Suspension of Service and Acceleration. If any amount owing by You under this or any other agreement for Our services is 30 or more days overdue (or 10 or more days overdue in the case of amounts You have authorized Us to charge to Your credit card), We may, without limiting Our other rights and remedies, accelerate Your unpaid fee obligations under such agreements so that all such obligations become immediately due and payable, and suspend Our services to You until such amounts are paid in full. We will give You at least 10 days’ prior notice by email that Your account is overdue, in accordance with Section 13.2 (Manner of Giving Notice), before suspending services to You.
5.5 Payment Disputes. We will not exercise Our rights under Section 6.3 (Overdue Charges) or 6.4 (Suspension of Service and Acceleration) above if You are disputing the applicable charges reasonably and in good faith and are cooperating diligently to resolve the dispute, however, any dispute outstanding more than sixty (60) days past the invoice date will begin to accrue Overdue Charges according to the terms of Section 5.3
5.6 Taxes. The Fees set forth in any Order Form are exclusive of, and You agree you are liable for and will pay, all Taxes, including any value added tax and goods and services tax or any similar Tax imposed on or measured by this Agreement. If You are required to withhold or deduct any Taxes from the fees, then You agree to increase the amount payable to Consensus by the amount of such Taxes so that Consensus receives the full amount of all fees. If We have the legal obligation to pay or collect Taxes for which You are responsible under this Section 6.6, We will invoice You and You will pay that amount unless You provide Us with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, We are solely responsible for taxes assessable against Us based on Our income, property and employees.
5.7 Future Functionality. You agree that Your purchases are not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by Us regarding future functionality or features.
6. PROPRIETARY RIGHTS AND LICENSES
6.1 Reservation of Rights. Consensus and our licensors grant to you only those rights expressly granted in the Agreement with respect to the Consensus Services and Content. Consensus and its licensors reserve all other rights in and to the Services and Content (including all intellectual property rights).
6.2 License by You to Host Your Data and Applications. You grant Us and Our Affiliates a worldwide, limited- term license to host, copy, transmit and display Your Data, and any Non-CONSENSUS Applications and program code created by or for You using a Service, as necessary for Us to provide the Services in accordance with this Agreement. Subject to the limited licenses granted herein, We acquire no right, title or interest from You or Your licensors under this Agreement in or to Your Data or any Non-CONSENSUS Application or program code. Notwithstanding the aforementioned, You grant to Us and Our Affiliates a royalty-free, perpetual, irrevocable, worldwide license to include your data usage analytics in anonymized aggregate combined with the anonymized data analytics from other customers for the purposes of discovering and establishing best practices and analyzing and publishing trends to the larger sales and marketing automation industry.
6.3 License by You to Use Feedback. If You choose to voluntarily provide any feedback to Us regarding Consensus Services or Content, We may use such feedback for any purpose, including incorporating the feedback into, or using the feedback to develop and improve Consensus Services and other Consensus offerings without attribution or compensation. You grant Us a perpetual and irrevocable license to use all feedback for any purpose. You agree to provide feedback to Us only in compliance with applicable laws and You represent that You have the authority to provide the feedback and that feedback will not include proprietary information of a third party. We acknowledge and agree that any feedback provided by the You under this Agreement is on an “as is” basis, without any warranty of any kind.
6.4 License and Agreement by You to Be a Reference. Subject to your satisfaction with the Services and the Content after 90 days, You agree to provide a positive statement, including Your company name, about your experience, either written or in video format, and or case study for use on the CONSENSUS website for marketing purposes. Once provided, You grant us a worldwide, perpetual, royalty-free license to use and incorporate such statements or case studies for the purposes of marketing and promotion. If you become dissatisfied with the Services, you may at any time revoke our right to use Your name in conjunction with your positive statement or case study.
7.1 Definition of Confidential Information. “Confidential Information” means all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Your Confidential Information includes Your Data; Our Confidential Information includes the Services and Content; and Confidential Information of each party includes the terms and conditions of this Agreement and all Order Forms (including pricing), as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. However, Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party.
7.2 Protection of Confidential Information. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) (i) not to use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, and (ii) except as otherwise authorized by the Disclosing Party in writing, to limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees and contractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. Neither party will disclose the terms of this Agreement or any Order Form to any third party other than its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes any such disclosure to its Affiliate, legal counsel or accountants will remain responsible for such Affiliate’s, legal counsel’s or accountant’s compliance with this Section 7.2.
7.3 Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.
7.4 Remedies Upon Breach. Each party agrees that the other party may have no adequate remedy at law if there is a breach or threatened breach of this Section 7 and, accordingly, that either party may be entitled (in addition to any legal or equitable remedies available to such party) to injunctive or other equitable relief to prevent or remedy such breach.
8. REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES AND DISCLAIMERS
8.1 Representations. Each party represents that it has validly entered into this Agreement and has the legal power to do so.
8.2 Our Warranties. We warrant that: (a) this Agreement, the Order Forms and the Documentation accurately describe the applicable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, (b) We will not materially decrease the overall security of the Purchased Services during a subscription term, (c) the Purchased Services will perform materially in accordance with the applicable Documentation, (d) subject to Section 4.1 (Integration with Non-CONSENSUS Applications), We will not materially decrease the functionality of the Purchased Services during a subscription term, and (e) the Purchased Services and Content will not introduce Malicious Code into Your systems. To the maximum extent permitted by applicable law and except as expressly provided in this Section 8.2, the Consensus Purchased Services and Content are provided “as is” and without any representations or warranties express or implied, and Consensus disclaims all such representations and warranties, including the implied warranties of merchantability, non-infringement, and fitness for a particular purpose, and any warranties implied by the course of dealing or usage of trade. Consensus and its suppliers do not represent or warrant that the Consensus Purchased Services and Content will be uninterrupted, secure, error free, accurate or complete or comply with regulatory requirements, or that Consensus will correct all errors. For any breach of an above warranty, Your exclusive remedies are those described in Sections 11.3 (Termination) and 11.4 (Refund or Payment upon Termination).
8.3 Disclaimers. EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AND ANY WARRANTIES IMPLIED BY THE COURSE OF DEALING OR USAGE OF TRADE TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. CONSENSUS AND ITS SUPPLIERS DO NOT REPRESENT OR WARRANT THAT THE CONSENSUS PURCHASED SERVICES AND CONTENT WILL BE UNINTERRUPTED, SECURE, ERROR FREE, ACCURATE OR COMPLETE OR COMPLY WITH REGULATORY REQUIREMENTS, OR THAT CONSENSUS WILL CORRECT ALL ERRORS. CONTENT AND BETA SERVICES ARE PROVIDED “AS IS,” EXCLUSIVE OF ANY WARRANTY WHATSOEVER. EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS.
9. MUTUAL INDEMNIFICATION
9.1 Indemnification by Us. We will defend You against any claim, demand, suit or proceeding made or brought against You by a third party alleging that the use of a Purchased Service in accordance with this Agreement infringes or misappropriates such third party’s intellectual property rights (a “Claim Against You”), and will indemnify You from any damages, attorney fees and costs finally awarded against You as a result of, or for amounts paid by You under a court-approved settlement of, a Claim Against You, provided You (a) promptly give Us written notice of the Claim Against You, (b) give Us sole control of the defense and settlement of the Claim Against You (except that We may not settle any Claim Against You unless it unconditionally releases You of all liability), and (c) give Us all reasonable assistance, at Our expense. If We receive information about an infringement or misappropriation claim related to a Service, We may in Our discretion and at no cost to You (i) modify the Service so that it no longer infringes or misappropriates, without breaching Our warranties under Section 8.2 (Our Warranties), (ii) obtain a license for Your continued use of that Service in accordance with this Agreement, or (iii) terminate Your subscriptions for that Service upon 30 days’ written notice and refund You any prepaid fees covering the remainder of the term of the terminated subscriptions. The above defense and indemnification obligations do not apply to the extent a Claim Against You arises from Content, a Non-CONSENSUS Application or Your breach of this Agreement.
9.2 Indemnification by You. You will defend Us against any claim, demand, suit or proceeding made or brought against Us by a third party alleging that Your Data, or Your use of any Service or Content in breach of this Agreement, infringes or misappropriates such third party’s intellectual property rights or violates applicable law (a “Claim Against Us”), and will indemnify Us from any damages, attorney fees and costs finally awarded against Us as a result of, or for any amounts paid by Us under a court-approved settlement of, a Claim Against Us, provided We (a) promptly give You written notice of the Claim Against Us, (b) give You sole control of the defense and settlement of the Claim Against Us (except that You may not settle any Claim Against Us unless it unconditionally releases Us of all liability), and (c) give You all reasonable assistance, at Your expense.
9.3 Exclusive Remedy. This Section 10 states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section 10.
10. LIMITATION OF LIABILITY
10.1 Limitation of Liability. NEITHER PARTY’S AND ITS AFFILIATES’ TOTAL AND AGGREGATE LIABILITY WITH RESPECT TO ANY CLAIM RELATING TO OR ARISING OUT OF THIS AGREEMENT WILL EXCEED THE FEES PAYABLE TO CONSENSUS DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO SUCH CLAIM. THIS LIMITATION APPLIES REGARDLESS OF THE NATURE OF THE CLAIM, WHETHER CONTRACT, TORT (INCLUDING NEGLIGENCE), STATUTE OR OTHER LEGAL THEORY. THESE LIMITATIONS DO NOT LIMIT CLAIMS OF BODILY INJURY (INCLUDING DEATH) AND DAMAGE TO REAL OR TANGIBLE PERSONAL PROPERTY CAUSED BY THE NEGLIGENCE OF A PARTY OR ITS AFFILIATES.
10.2 Exclusion of Consequential and Related Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY, NOR ITS AFFILIATES, WILL BE LIABLE FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, INDIRECT, EXEMPLARY, COVER OR PUNITIVE DAMAGES, OR FOR ANY DAMAGES FOR LOST OR DAMAGED DATA, LOST PROFITS, LOST SAVINGS OR BUSINESS OR SERVICE INTERRUPTION, EVEN IF SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
11. TERM AND TERMINATION
11.1 Term of Agreement. This Agreement commences on the date of the last signature affixed below and continues until the Agreement is terminated by a party or all subscriptions hereunder have expired or have been terminated.
11.2 Term of Purchased Subscriptions. The term of each subscription shall be as specified in the applicable Order Form. Except as otherwise specified in an Order Form, subscriptions will automatically renew for additional periods equal to the expiring subscription term or one year (whichever is shorter), unless either party gives the other notice of non-renewal at least 30 days before the end of the relevant subscription term. Non-renewal notice can be provided by email to email@example.com.
11.3 Termination. A party may terminate this Agreement for cause (i) upon 30 days written notice, sent by regular mail to the address in Section 11.4 to the other party of a material breach if such breach remains uncured after attempt to cure the breach for 90 days, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
Notice. All notices, including breach notification, shall be sent to:
If to Consensus:
Name: Attn: Legal Department
Physical mail: 125 E. Main Street, #118, American Fork, UT 84003
If to Customer:
Physical mail address:
11.4 Refund or Payment upon Termination. If this Agreement is terminated by You in accordance with Section 11.3 (Termination), We will refund You any prepaid but unused fees, less costs accrued through the termination date, covering the remainder of the term of all Order Forms after the effective date of termination. If this Agreement is terminated by Us in accordance with Section 11.3, You will pay any unpaid fees covering the remainder of the term of all Order Forms within thirty (30) days of the termination date. In no event will termination relieve You of Your obligation to pay any fees payable to Us for the period prior to the effective date of termination.
11.5 Your Data Portability and Deletion. Upon request by You made within 30 days after the effective date of termination or expiration of this Agreement, We will make Your Data available to You for export or download as provided in the Documentation. After that 30-day period, We will have no obligation to maintain or provide Your Data, and will thereafter delete or destroy all copies of Your Data in Our systems or otherwise in Our possession or control as provided in the Documentation, unless legally prohibited.
11.6 Surviving Provisions. The Sections titled “Fees and Payment for Purchase Services,” “Proprietary Rights and Licenses,” “Confidentiality,” “Disclaimers,” “Mutual Indemnification,” “Limitation of Liability,” “Refund or Payment upon Termination,” “Portability and Deletion of Your Data,” “Notices, Governing Law and Jurisdiction,” and “General Provisions” will survive any termination or expiration if this Agreement.
12. NOTICES, GOVERNING LAW AND JURISDICTION
12.1 Governing Law and Claims. The Agreement, and any claim, controversy or dispute related to the Agreement, are governed by and construed in accordance with the laws of the State of Utah without giving effect to any conflicts of laws provisions. To the extent permissible, the United Nations Convention on Contracts for the International Sale of Goods will not apply, even if adopted as part of the laws of the State of Utah. Any claim, suit, action or proceeding arising out of or relating to this Agreement or its subject matter will be brought exclusively in the state or federal courts of Salt Lake County, Utah, and each party irrevocably submits to the exclusive jurisdiction and venue of such Courts. No claim or action, regardless of form, arising out of this Agreement may be brought by either party more than one (1) year after the earlier of the following: a) the expiration or termination of all subscriptions, b) the termination of this Agreement, or c) the time a party first became aware, or reasonably should have been aware, of the basis for the claim. To the fullest extent permitted, each party waives the right to trial by jury in any legal proceeding arising out of or relating to this Agreement or the transactions contemplated hereby.
12.2 Manner of Giving Notice. Except as otherwise specified in this Agreement, all notices, permissions and approvals hereunder shall be in writing, in English, and shall be deemed to have been given upon: (i) personal delivery, (ii) the second business day after mailing, , or (iii) the first business day after sending by email (provided email shall not be sufficient for notices of termination or an indemnifiable claim). Billing-related notices to You shall be addressed to the relevant billing contact designated by You. All other notices to You shall be addressed to person and address specified in Section 11.4.
12.3 Agreement to Governing Law and Jurisdiction. Each party agrees to the applicable governing law above without regard to choice or conflicts of law rules, and to the exclusive jurisdiction of the applicable courts above.
13. GENERAL PROVISIONS
13.1 Export Compliance. The Services, Content, other technology We make available, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it is not named on any U.S. government denied-party list. You shall not permit Users to access or use any Service or Content in a U.S.-embargoed or in violation of any U.S. export law or regulation.
13.2 Anti-Corruption. You have not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Our employees or agents in connection with this Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If You learn of any violation of the above restriction, You will use reasonable efforts to promptly notify Our legal department.
13.3 Entire Agreement and Order of Precedence. This Agreement is the entire agreement between You and Us regarding Your use of Services and Content and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement will be effective unless in writing and signed by the party against whom the modification, amendment or waiver is to be asserted. The parties agree that any term or condition stated in Your purchase order or in any other of Your order documentation (excluding Order Forms) is void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable Order Form, (2) his Agreement, and (3) the Documentation.
13.4 Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other party’s prior written consent (not to be unreasonably withheld); provided, however, either party may assign this Agreement in its entirety (including all Order Forms), without the other party’s consent to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Notwithstanding the foregoing, if a party is acquired by, sells substantially all of its assets to, or undergoes a change of control in favor of, a direct competitor of the other party, then such other party may terminate this Agreement upon written notice. In the event of such a termination, We will refund to You any prepaid fees covering the remainder of the term of all subscriptions. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.
13.5 Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties.
13.6 Third-Party Beneficiaries. Our Content licensors shall have the benefit of Our rights and protections hereunder with respect to the applicable Content. There are no other third-party beneficiaries under this Agreement.
13.7 Waiver. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.
13.8 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.
13.9 Force Majeure: Force Majeure means any circumstances beyond Our reasonable control, including, for example, an act of God, act of government, flood, fire, earthquake, pandemic, civil unrest, act of terror, strike or other labor problem (other than one involving Our employees), Internet service provider failure or delay, Non-CONSENSUS Applications, or denial of service attack. If the period of non-performance of one party exceeds 30 calendar days from receipt of notice of the force majeure event, the other party may, by giving written notice, terminate this Agreement.
13.10 No Class Actions. You and Consensus agree that each may bring claims against the other only in your or its individual capacity, and not as a plaintiff or class member in any purported class or representative proceeding. Further, unless both you and Consensus agree otherwise, a court may not consolidate more than one person’s claims and may not otherwise preside over any form of a representative or class proceeding.
13.11 GDPR. The parties acknowledge that certain of the Personal Data processed under this Agreement may be governed by the General Data Protection Regulation (“GDPR”) adopted by the European Union. The capitalized terms in this Section 13.11 shall have the meaning given them in the GDPR. To the extent the Personal Data processed under this Agreement is subject to the GDPR, the parties agree to govern themselves as joint Controllers of the Processed Data (defined below) as follows:
13.11.1 “Customer Data” means the Personal Data related to Your customers and their employees, agents, and customers that is processed by You or Us using the Services. You are the Controller of the Customer Data, and we are the Processer of Customer Data.
13.11.2 “Anonymized Data” means the Customer Data after the Customer Data has been anonymized and aggregated and is rendered not identifiable to any individual. We are the Controller and the Processer of the Customer Data to the extent the Anonymized Data is subject to the GDPR.
13.11.3 “Usage Data” means usage information related to the use of the Services by Your customers and their employees, agents, and customers. As an example only, and not by way of limitation, “Usage Data” includes the times and dates You and your agents or customers log in to the Services, the pages accessed, latencies, type of device used, and other analytical information regarding the usage of the Services. It does not include any Customer Data. We are the Controller and the Processer of the Usage Data.
Service Level Agreement
99.9% UPTIME GUARANTEE
CONSENSUS shall make commercially reasonable efforts to maintain availability of the Hosted Services 99.9% of the time (the “Uptime Goal”). At a customer’s request, each instance of unavailability that exceeds .1%, CONSENSUS will extend Customer’s subscription renewal date by a period equal to 10x (ten times) the outage period, with a minimum of one business day. The Uptime Goal is measured over a calendar month and is based on total outage time incurred by Customer. Unavailability is deemed to have occurred from the time unavailability is reported to CONSENSUS to the time CONSENSUS confirms that the affected Hosted Services is available to transmit and receive data.
Unavailability shall not be deemed to occur as a result of: a) maintenance activities during a scheduled maintenance period; b) beta periods; c) force majeure events; d) any failures to meet the Uptime Goal caused by Customer, its employees, agents, subcontractors or End Users; e) an outage in the underlying infrastructure required to provide the Services that is not controlled by Consensus, this includes, but is not limited to cloud provider - Amazon Web Services (AWS) outages (http://aws.amazon.com and any successor or related site designated by Consensus); f) internet network or backbone outages, g) internet DNS outages, or b) Consensus’ suspension or termination of your right to use the Services in accordance with the Agreement.
If Customer requests that CONSENSUS retrieve data from the CONSENSUS backup, it shall be at Customer’s cost and expense. Consensus makes no warranty or guarantee that such data can or will be retrieved or that such data will be accurate, complete, or conform to original data stored. Any data retrieved from backup is provided to Customer as-is.
RESPONSE AND RESOLUTION SCHEDULE
Customer may choose to classify each Error or defect in the software and may report such error or defect to CONSENSUS based on the following criteria:
ERROR CLASSIFICATION CRITERIA
Severity 1 – Fatal: Errors preventing all useful work from being performed. If a Severity 1 issue has an identified workaround it will be reclassified as a Severity 2 issue.
Severity 2 – Severe Impact: Errors, which disable major functions from being performed. If a Severity 2 issue has an identified workaround it will be reclassified as a Severity 3 issue.
Severity 3 – Degraded Operations: Errors disabling only certain nonessential functions.
Severity 4 – Minimal Impact: Includes all other as reasonably determined by Customer.
The Customer will provide an initial severity level associated with a ticket. The Consensus support manager will determine, in Consensus’ sole discretion, if the ticket was correctly classified and may increase or decrease the assigned severity level. The Consensus support manager may also decrease the severity level of a ticket based on Customer non-responsiveness.
Response 1 — Acknowledgment of receipt of Error report
Response 2 — Provide patch, workaround, or other temporary fix
Response 3 — Official object code fix, update or major release and/or updated manuals
CONSENSUS shall use best efforts to respond to Error reports according to the following schedule:
CLASSIFICATION RESPONSE 1 RESPONSE 2 RESPONSE 3
Severity 1 2 business hours** 1 day Next version*
Severity 2 4 business hours** 1 day Next version*
Severity 3 1 business day As appropriate
Severity 4 1 business day As appropriate
*Provided such error is reported by Customer to CONSENSUS prior to close of development for such Version.
** For the purposes of the SLA, “business hours” means 7:00 a.m. – 6:00 p.m. Mountain Time, U.S.A. For example, if a Severity 1 issue were reported at 3 a.m. Mountain Time, CONSENSUS will respond no later than 2 business hours later, which means 9:00 am Mountain Time.
Customer will consider a problem resolved when Customer has either:
Implemented a satisfactory recommendation received from CONSENSUS or received applicable Internet-based access to all upgraded software necessary to correct the Error.
Data Protection Agreement
Consensus Sales, Inc. (“Consensus,” “we,” or “us”) is a software as a service provider, using our software, platforms, applications, and any other services (“Services”). As such, we act as a “Processor” under the GDPR. As one of our clients, you control the means and purposes for the processing of the data you gather using the Services, and thus, you are a Controller under the GDPR. Unless otherwise agreed between us in writing, those items the GDPR requires of Processors will be our responsibility, and those items required of Controllers will be your responsibility. Specifically, the parties agree as follows:
How to Execute this DPA
We have incorporated this DPA into any Terms of Service to which the DPA is attached, and it is also binding as a stand-alone document if we have not incorporated it into any Terms of Service with you. Therefore, it is binding on both parties without further action on your part. Each provision of the DPA, including the provisions of the Standard Contractual Clauses attached hereto, is enforceable against the parties as if it had been separately signed.
Consensus’s GDPR Obligations
When you use the Services, you may obtain Personal Data about your customers, employees, prospects, marketplace partners, vendors, suppliers, or other individuals with whom you interact, or about whom you gather personal data (“Your Personal Data”), using the Services (the individuals whose data is collected being collectively and individually referred to as “Your Data Subjects”). That Personal Data may be subject to the protections of the GDPR. For purposes of clarity, the parties agree that Your Personal Data does not include data that is anonymized or de-identified in a manner that prevents the tracking or identification of any specific individual. Acknowledging that certain of your obligations as a Controller must be passed along to any company or individual that Processes the Personal Data of Your Data Subjects, we agree to perform the following functions and to facilitate your compliance with the GDPR in the following ways:1.1 Right of Access by Data Subject and Communication with Authorities and Your Data Subjects.
We agree that, in order to assist you in your obligations as a Controller, we will implement the necessary technical and organizational measures to allow you to (1) respond to any request by any individual to exercise his or her rights under the GDPR, and (2) respond to correspondence, inquiries, or complaints from entitled third parties such as individuals, regulators, courts, and other authorities in connection with the processing of Personal Data. If any such requests or correspondence is received directly by us, we will forward you the request or correspondence and will wait for further direction from you before taking action. We will not communicate with authorities or Your Data Subjects without receiving your advance permission, except as required by applicable law. Upon documented request from you, we will correct, supplement, modify or delete any of Your Personal Data, except as required by applicable law.
1.2 Use LimitationWe agree that we will not use or process any of Your Personal Data for any purpose other than the purpose set forth in the Agreement, except to respond to specifically document requests from you regarding Your Personal Data. In no event will we process, use, or transfer any of Your Personal Data for our own purposes or for the purposes of any third party. In addition, we will delete all Your Personal Data from our systems thirty (30) days after termination of the Agreement, except as may be required by applicable law.1.3 Standard Contractual Clauses, Privacy Shield, and International Transfers of Data
To the extent your transfer of Your Personal Data to us involves a transfer out of the EU, we agree to comply with the Standard Contractual Clauses attached hereto as Appendix 1.
We have not obtained certification under the Privacy Shield Framework (“Privacy Shield”) for the EU or Switzerland, but we agree to comply with the requirements of the GDPR and the Standard Contractual Clauses nonetheless.
In the event of any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall control and supersede. If the European Union or courts thereof decide that the Standard Contractual Clauses or Privacy Shield certification are insufficient protection for citizens of the EU, then the parties agree to work in good faith together to determine how a new valid method can be implemented to meet any new requirements.
We agree that we will not process or transfer any of Your Personal Data originating from the European Economic Area in any country or territory that has been determined to offer an inadequate level of data protection unless it has first obtained your consent or ensured that a valid transfer mechanism similar to the Privacy Shield is in place with respect to such country or territory.
1.4 Processing Confidentiality and Agreements by Agents
We agree that we will keep Your Personal Data strictly confidential and that we will ensure that any of our employees, vendors, or other agents “Our Agents” who have access to Your Personal Data (1) are informed of and subject to this strict duty of confidentiality; (2) access and process only such of Your Personal Data as is strictly to perform our obligations under the Agreement; and (3) agree not to permit any person to process Your Personal Data who is not subject to the foregoing duties. We accept responsibility for the conduct of Our Agents in this regard, including their acts, errors and omissions.1.5 Disposition of Your Personal Data Upon Request or Termination
At your request or at termination of the Agreement, whichever is sooner, we agree to delete or return to you all Your Personal Data, including any of Your Personal Data subcontracted to a third party for processing, except as required by applicable law. At that time, with respect to Your Personal Data that we are required by applicable law to retain, we will isolate and protect Your Personal Data from further processing, except as required by applicable law. We will ensure that any of our sub-processors who are in possession of Your Personal Data shall also comply with this provision.1.6 Security Incidents and Security
We will at all times take reasonable measures to ensure that Your Personal Data is adequately protected in accordance with the requirements of the GDPR. To this end, we agree that we will implement appropriate technical and organizational measures to protect Your Personal Data from security incidents. These measures are described in Appendix 2 to the Standard Contractual Clauses attached to this DPA.
When we become aware of any security incident, which consists of the unpermitted, accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any of Your Personal Data, we will inform you without any undue delay, and in no event longer than 24 hours after we discover the security incident. We will cooperate reasonably with you and provide you the information you need in order to fulfil your data breach obligations under the GDPR. We will also take other further measures and actions that are necessary to remedy or mitigate the effects of the security incident, and we will keep you informed of every material development connected with the security incident. Except as required by law, we will not take action to notify Your Data Subjects of any security incident.1.7 Subprocessors
In the course of providing our Services, we may be required to contract with a third-party processor (“Subprocessor”) to perform a portion of the Services. We have included as Appendix 3 a list of the Subprocessors we currently use. We will not add any additional Subprocessors without informing you of such Subprocessors and giving you an opportunity to object to the use of such Subprocessors. We agree to impose the same data protection obligations upon each of our Subprocessors that we agree to in this DPA, and we agree to be fully responsible for any liability arising out of the acts and omissions of our Subprocessors.
For the avoidance of doubt, the approval requirements as set out in this subsection will not apply in cases where we subcontract ancillary services to third parties without having access to Your Personal Data. Such ancillary services are not considered data processing.1.8 Audits, Requests from Law Enforcement, and Impact Assessment
In certain instances, you as a Controller are required to submit to an audit to show that you are complying with the provisions of the GDPR. In any such instance, we agree to cooperate fully with such audit and to maintain a record of all processing activities that we carry out on your behalf. After reasonable notice, we will allow you or your auditors to audit our compliance with this DPA, to include communication with our staff and access to our systems and information; provided you conduct your audit during normal business hours and make reasonable efforts to minimize the disruption to our business.
If we are requested by law enforcement to disclose any of Your Personal Data, we will, unless prohibited by law, inform you of the request, attempt to re-direct the law enforcement agency to contact you directly, and only provide such information as required by law.
In the event that you believe that our processing of Your Personal Data is likely to result in a high risk to the data protection rights and freedoms of citizens of the EU, we agree to assist you in a reasonable and timely manner to conduct a data protection impact assessment, which may include consulting with the relevant data protection authority.
As a Controller under the GDPR, you are required to carry out certain responsibilities and to comply with certain requirements. For example, and without intending to limit your obligations, you are required to comply with the privacy and confidentiality provisions of the GDPR, just as we are. You are also required in certain instances to ensure that the consent of Data Subjects is obtained and that collection of Your Personal Data is otherwise justified under the GDPR. We acknowledge that in doing so, you are required to ensure that your Processors also comply with certain requirements, and we agree to reasonably cooperate with your requests in this regard. However, if you make requests of us that go beyond our obligations set forth in the “Consensus’s GDPR Obligations” section of this DPA, we will comply with your requests at your expense.
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The Client, the “data exporter”,
Consensus Sales, Inc.
Address: 1633 W. Innovation Way, 5th Floor, Lehi, UT 84043
Tel.: +1 801.653.0028 e-mail: firstname.lastname@example.org
(the data importer),
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and is deemed completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the party with whom Consensus has entered into an agreement incorporating Consensus’ Data Processing Agreement.
The data importer is Consensus Sales, Inc., Inc., a service that provides a platform for its clients to post video-based interactive software demonstrations and other presentations for potential customers and to track and manage engagement and those relationships, all in accordance with the terms of the Agreement.
The personal data transferred concern the following categories of data subjects:
- Prospects, customers, business partners and vendors of data exporter (who are natural persons)
- Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
- Employees, agents, advisors, and contractors of data exporter (who are natural persons)
- Data exporter’s Users authorized by data exporter to use the Services
Categories of data
The personal data transferred include, but not limited to, the following categories of data:
- First, Middle, and Last Name
- Contact Information (Company name, email, phone)
- Engagement data concerning how the data exporter’s users interact with our services
- Other optional fields defined by the Client
Special categories of data (if appropriate)
The personal data transferred include, but not limited to, the following special categories of data:
- Data exporter does not intend to transfer any special categories of personal data.
The personal data transferred will be subject to the following basic processing activities (please specify):
- The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and is deemed completed and signed by the parties.
Consensus utilizes Amazon Web Services (“Cloud Provider”) and relies to a great extent on the technical security measures adopted by Cloud Provider. In addition to the security measures adopted by Cloud Provider, and to the extent data processing activities occur outside the Cloud provider system, Consensus has implemented the following technical and organizational measures to ensure the security of Your Personal Data:
- Unauthorised persons are prevented from gaining physical access to our premises and the rooms where data processing systems are located.
- Employees are only allowed access to tasks assigned to them.
- We use video surveillance and alarm devices with reference to access areas.
- Personnel without access authorization (e.g. technicians, cleaning personnel) are accompanied all times.
- We ensure that all computers processing personal data (including computers with remote access) are password protected, both after booting up and when left, even for a short period.
- We assign individual user passwords for authentication.
- We only grant system access to our authorised personnel and strictly limit their access to applications required for those personnel to fulfil their specific responsibilities.
- We have implemented a password policy that prohibits the sharing of passwords, outlines procedures to follow after disclosure of a password, and requires that passwords be changed regularly.
- We ensure that passwords are always stored in encrypted form.
- We have adopted procedures to deactivate user accounts when an employee, agent, or administrator leaves Consensus or moves to another responsibility within the company.
- We prevent the installation and use of unauthorized hardware and software in our premises.
- We have established rules for the safe and permanent destruction of data that are no longer required.
- Except as necessary for the provision of the Services, Your Personal Data cannot be read, copied, modified or removed without authorization during transfer or storage.
- We encrypt data during any transmission.
- We are able to retrospectively examine and establish whether and by whom Your Personal Data has been entered into data processing systems, modified or removed.
- We log administrator and user activities.
- We process the personal data received from different clients so that in each step of the processing the Controller can be identified and so that data is always physically or logically separated.
- We create back-up copies stored in protected environments.
- We perform regular restore tests from our backups.
- We have created business recovery strategies.
- We do not use personal data for any purpose other than what have been contracted to perform.
- We do not remove Your Personal Data from our business computers or premises for any reason (unless you have specifically authorised such removal for business purposes).
- Whenever a user leaves his or her desk unattended during the day and prior to leaving the office at the end of the day, he or she is required to place any documents containing Your Personal Data in a secure environment such as a locked desk drawer, filing cabinet, or other secured storage space.
- We ensure that each computer system runs a current anti-virus solution.
- We have designated a responsible person to perform the functions of a data protection officer.
- We have obtained the written commitment of our employees to maintain confidentiality and to comply with our requirements under the DPA and the GDPR.
- We regularly train our staff on data privacy and data security.
APPENDIX 3 TO THE STANDARD CONTRACTUAL CLAUSES
List of SubProcessors
|Subprocessor||Services provided to Vendor||Location of the Processing (country)|
|HubSpot||Customer Communications and CRM||USA|
|SendGrid||Transactional Notification Emails||USA|
 Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
 This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.