TERMS & CONDITIONS

DATED:  April 21, 2020

These Standard Terms and Conditions and any attachments or riders hereto (collectively, the “Standard Terms”) are incorporated into, and shall govern, all Services Order Forms (“SOF”) between ATELIERE Creative Technologies (“ATELIERE”), and its customers using ATELIERE proprietary CONNECT software, technology, and processes, except as modified in writing by a Master Services Agreement (“MSA”) or similar written agreement signed by both parties. Contrary terms in any purchase order, invoice, agreement, email or other documentation will not be effective unless approved in writing by ATELIERE’ Legal Department, and signed by an authorized representative of ATELIERE.  

1. SAAS LICENSE, SERVICES AND SUPPORT; CHANGE ORDERS.

1.1 Upon the terms and conditions set forth in these Standard Terms, ATELIERE licenses to Company, the right to use the CONNECT platform, software, technology and interface, and any other proprietary software, technology or materials of ATELIERE (collectively, “CONNECT”), during the Term and upon the terms and conditions set forth in the applicable SOF, any Special Terms, these Standard Terms, and any applicable Master Services Agreement or similar master agreement between the parties. ATELIERE will use commercially reasonable efforts to provide certain third party services if requested by Company and agreed by ATELIERE (including for example, but without limitation, media asset logistics and management (such as transcoding, quality control, storage, and delivery), technical support, maintenance, software integration and training (collectively, the “Services”) as more specifically identified on one or more SOFs. Each SOF will be sequentially numbered and shall incorporate these Standard Terms by this reference. ATELIERE will provide support and maintenance assistance as specified in the SOF or an applicable Service Level Agreement signed by both parties.  Monthly minimum service volumes, if any, specified in an SOF must be used within each monthly period and no credit, rollover or refund will be provided for any unused capacity, unless otherwise specifically agreed in writing by the parties.  The Services may be used by Company for media or content (including for example only, feature films and television series), data and information owned and/or controlled by Company (“Company Content”). 

1.2  At any time, either party may request changes to the scope of services in any SOF, which will be reflected in a change order referencing such SOF (“Change Order”).  A Change Order will only become effective when signed by both parties, and in all other respects the relevant SOF will remain in effect. These Standard Terms will remain unchanged and in full force and effect as to any Change Orders.  

2. RESTRICTIONS AND RESPONSIBILITIES. 

As needed, ATELIERE will be provided access to Company’s existing software tools, systems and processes (collectively, “Company Systems”), and all necessary and appropriate documentation related thereto, for the purpose of allowing the use of the Services by the Company. Company will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the provision of Services made available by ATELIERE as set forth in the applicable SOF (collectively, “Software”); modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by ATELIERE or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; or remove any proprietary notices or labels.  With respect to any Software that may be distributed or provided to Company for use in connection with Company Content, ATELIERE hereby grants Company a limited non-exclusive, non-transferable, non-sublicensable license to use such Software during the Term only in connection with the Services. Company shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services (collectively, “Equipment”).  Company shall also be responsible for maintaining the security of the Equipment, Company account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Company’s account or the Equipment with or without Company’s knowledge or consent. Company will use the Services and Software only in compliance with ATELIERE’s standard published policies then in effect and the policies, including acceptable use policies of third party solutions provided as part of the Services (collectively, the “Policies”) and in compliance with all applicable laws and regulations.  

Company may not remove or export from the United States or allow the export or re-export of the Services, Software or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. Although ATELIERE has no obligation to monitor Company’s use of the Services and Software, ATELIERE may do so and may prohibit any use of the Services and Software it believes may be (or alleged to be) in violation of the foregoing.

3. CONFIDENTIALITY; PROPRIETARY RIGHTS.

3.1 Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, marketing, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party).  Proprietary Information of ATELIERE includes, without limitation, non-public information regarding features, functionality and performance of the Services and Software.  Proprietary Information of Company includes non-public data provided by Company to ATELIERE to enable the provision of the Services (“Company Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information.  The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.  

3.2 Company shall own all right, title and interest in and to the Company Data and Company Content. ATELIERE shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto including without limitation any software developed and/or controlled by ATELIERE for purposes of integrating the Company Systems for use with the Services and Software and any intellectual property resulting from such integration, (b) any software, applications, inventions or other technology developed in connection with Services or support, and (c) all intellectual property rights related to any of the foregoing. Notwithstanding anything to the contrary set forth in this Agreement, ATELIERE shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services, Software and related systems and technologies (including, without limitation, information concerning Company Data and data derived therefrom), and ATELIERE will be free (during and after the Term  hereof) to (i) use such information and data to improve and enhance the Services and Software and for other development, diagnostic and corrective purposes in connection with the Services, Software and other ATELIERE offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein. 

3.3  CCTV Footage.  Closed circuit tv footage recorded onsite at ATELIERE facilities pursuant to security measures may be archived onsite or in cloud-based storage.    

4. PAYMENT OF FEES. 

Company will pay ATELIERE the applicable fees described in the SOF for the Services in accordance with the terms therein (the “Fees”). Amounts payable in advance must be paid prior to the rendering of Services, and any monthly payments in advance must be received by ATELIERE on or before the first day of the applicable month. Fees or other amounts specified as payable in arrears shall be billed to Company on a monthly basis, and must be received by ATELIERE within thirty (30) days of the invoice date.  ATELIERE reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Term (defined below) or any Successive Term (defined below), upon thirty (30) days prior notice to Company (which may be sent by email); provided, however, during the Initial Term and any Successive Term, the Fees may be increased in accordance with an applicable inflation index. If Company believes that ATELIERE has billed Company incorrectly, Company must contact ATELIERE no later than sixty (60) days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit.  Inquiries should be directed to ATELIERE’s support department. ATELIERE may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by ATELIERE within thirty (30) days of the invoice date.  Company will make payments via wire transfer. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Services. ATELIERE reserves the right to disable Company’s account for non-payment, and until it receives payment in full of all fees, charges, and costs of collection.  Company shall be responsible for all taxes associated with Services other than U.S. taxes based on ATELIERE’s net income.  All Fees shall be paid in United States Dollars.

5. TERM

Subject to earlier termination as provided below, the initial term will begin upon the Effective Date and will continue for a period set forth in the SOF (“Initial Term”). If no Initial Term is specified, then the Initial Term shall be twelve (12) months from the Effective Date.  If no Effective Date is specified, then the “Effective Date” shall be the date the agreement was fully executed, or if none, then the date that Company began using CONNECT, after the end of any applicable Trial Period.  The Initial Term will automatically renew for successive one (1) year periods (each a “Successive Term”), unless one party gives the other party, written notice of termination not less than ninety (90) days prior to the end of the Initial Term or then current Successive Term. The Initial Term and any Successive Term(s) are collectively referred to as the “Term”.

6. TERMINATION

In addition to any other remedies it may have, either party may also terminate this Agreement or an applicable SOF upon thirty (30) days’ notice (or without notice in the case of nonpayment), if the other party materially breaches any of the terms or conditions of this Agreement or an applicable SOF.  Company will pay in full for the Services up to and including the last day on which the Services are provided. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.

7.  WARRANTY AND DISCLAIMER

ATELIERE shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by ATELIERE or by third-party providers, or because of other causes beyond ATELIERE’s reasonable control, but ATELIERE shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. HOWEVER, ATELIERE DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES.  EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES ARE PROVIDED “AS IS” AND ATELIERE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

8. COMPANY REPRESENTATIONS AND WARRANTIES

Company represents and warrants as follows:  (i) it owns and controls, or has the right to use, the Company Content, Company Systems and Company Data; and (ii) the Company Content, Company Systems and Company Data do not defame any person or entity, or otherwise violate or infringe upon, the rights of any third parties, including without limitation, any copyrights, trademarks, patent or other intellectual property rights, or any rights of privacy or publicity.

9. INDEMNITY

9.1 ATELIERE shall indemnify, defend and hold Company harmless from liability to third parties resulting from infringement by the Services and Software (excluding any third party intellectual property or solutions integrated into or made a part of any of the Services) of any United States patent or any copyright or misappropriation of any trade secret, provided ATELIERE is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; ATELIERE will not be responsible for any settlement it does not approve in writing.  The foregoing obligations do not apply with respect to portions or components of the Service and Software (i) not supplied by ATELIERE, (ii) made in whole or in part in accordance with Company specifications, (iii) that are modified after delivery by ATELIERE, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Company continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Company’s use of the Services and Software is not strictly in accordance with this Agreement or any applicable SOF.  If, due to a claim of infringement, the Services or Software are held by a court of competent jurisdiction to be or are believed by ATELIERE to be infringing, ATELIERE may, at its option and expense (a) replace or modify the Services or Software to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Company a license to continue using the Services or Software, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Company’s rights hereunder and provide Company a refund of any prepaid, unused fees for the Services. 

9.2 Company shall indemnify, defend and hold ATELIERE harmless from liability to third parties arising out of or related to (i) any Company Content, Company Systems and Company Data, including without limitation infringement by the content, media or other material provided by Company in connection with the Services of any copyright or misappropriation of any trade secret, (ii) any breach of a representation, warranty or covenant of Company hereunder, and/or (ii) Company’s use of Services and Software in a manner not authorized hereunder. Company must be promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement. Company will not be responsible for any settlement it does not approve in writing.

10. LIMITATION OF LIABILITY 

NOTWITHSTANDING ANYTHING TO THE CONTRARY AND EXCEPT FOR BODILY INJURY OF A PERSON, NEITHER ATELIERE NOR ITS AFFILIATES AND THEIR RESPECTIVE SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS, EMPLOYEES, AGENTS, AND ADVISORS SHALL BE RESPONSIBLE OR LIABLE TO COMPANY OR ANY THIRD PARTY WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR ANY SOF OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY FOR

(A)  ANY ERROR OR INTERRUPTION OF USE OR FOR ANY LOSS OR INACCURACY OR CORRUPTION OF COMPANY CONTENT, COMPANY SYSTEMS, OR COMPANY DATA, COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS;

(B)  ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C)  ANY MATTER BEYOND THE REASONABLE CONTROL OF ATELIERE; OR (D) ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY COMPANY TO ATELIERE FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT ATELIERE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

11. PUBLICITY 

The parties shall work together in good faith to issue at least one mutually agreed upon press release within ninety (90) days after the Effective Date, and Customer otherwise agrees to reasonably cooperate with Company to serve as a reference account upon request.

12. MISCELLANEOUS

12.1 Force Majeure. “Force Majeure” means and refers to any of the following events: acts of war, acts of God; riots, rebellion or sabotage or damage resulting therefrom; expropriation or confiscation of facilities by any governmental authority; compliance with any order of any governmental authority; acts of the government in its sovereign capacity, including changes in law, which cause a delay, deferral or suspension in ATELIERE’ ability to provide the Services; subsidence; earthquakes; hurricanes; fires; floods; explosion; accidents; quarantine restrictions; freight or other embargoes; casualty loss; strikes; labor disputes; shortages of materials or transportation; electrical blackouts or brownouts; and the failure of any utility services. Notwithstanding the above, Force Majeure shall not include (a) any event caused by the fault, negligence, failure to pay money or financial inability of the party claiming Force Majeure, and (b) any event within the reasonable control of the party claiming Force Majeure. A party’s obligation to pay money to another party will not be delayed, affected or changed by an event of Force Majeure. In the event of Force Majeure, a party who is affected by such Force Majeure event will be excused from performing its obligations under this Agreement and any applicable SOF to the degree impacted by such Force Majeure event.

12.2 If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by Company except with ATELIERE’s prior written consent.  ATELIERE may transfer and assign any of its rights and obligations under this Agreement without consent.  This Agreement and any Confidentiality Agreement signed by the parties, shall be the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. In the event of any conflict between this Agreement and any Confidentiality Agreement between the parties, the stricter terms shall control. All waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein.  No agency, partnership, joint venture, or employment is created as a result of this Agreement and Company does not have any authority of any kind to bind ATELIERE in any respect whatsoever.  In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.  All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested.  This Agreement shall be governed by the laws of the State of California without regard to its conflict of laws provisions. Jurisdiction and venue shall be vested solely in the state and federal courts sitting in Los Angeles County, California, and Company consents to the personal jurisdiction of such courts.

This Agreement may be executed in counterparts or duplicate originals, all of which shall be regarded as one and the same instrument. A scanned (.pdf) copy of the signed Agreement or an electronically signed copy, shall have the same force and effect as an original.

RIDERS:  Attached and incorporated herein by this reference are the following Riders: Data Processing Rider

END OF STANDARD TERMS AND CONDITIONS

ATELIERE CREATIVE TECHNOLOGIES, INC. DATA PROCESSING RIDER

This Data Processing Rider is incorporated into and made a part of ATELIERE CREATIVE TECHNOLOGIES INC.’s Standard Terms and Conditions.

The parties are ATELIERE and its customer under a SaaS License or Services Order Form (“SOF”), each a “Data Processor” or a “Data Controller” as the case may be.  The party providing the personal data will be the “Data Controller” of the relevant data, and the party processing personal data will be the “Data Processor” of the relevant data.  

1. INTRODUCTION

1.1 Under the Act (as defined in clause 2.1 below) a data controller may only appoint a data processor that provides sufficient guarantees to appropriate technical and organisational measures in such a manner that the processing will meet the requirements set out in the Act and hence ensure the protection of the rights of data subjects. 

The purpose of this Data Processing Agreement is to: (i) establish a binding personal data processing agreement between the Parties, (ii) confirm that Data Processor has the required expert knowledge, reliability and resources, and (iii) specify the subject matter and duration of the processing, the purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the Parties.

The Data Processor shall, on behalf of the Data Controller, process the types of personal data and in relation to the relevant data subjects as specified in Exhibit 1.

In this Data Processing Agreement defined terms and expressions shall, unless otherwise explicitly stated, have the same meaning as in the Agreement.

In consideration of the above, the Parties agree as follows:

2. GENERAL

2.1 The term ”Personal Data” shall for the purposes of this Data Processing Agreement be given the same meaning as defined in the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or the “GDPR”) (hereinafter the “Act”), or any more protective law that may apply to the parties under this Agreement. 

2.2 The term ”Data Subject” means an individual to whom Personal Data relates.

2.3 The term “Processing” shall be given the same meaning as in the Act and, for the avoidance of doubt, shall mean, for example: perform an operation or set of operations, whether by automatic means, such as accessing, collecting, recording, registering, organizing, storing, structuring, adapting or altering, deleting, retrieving, consulting, using, disclosing (or otherwise making available) by transmission, dissemination or otherwise, aligning or combining, blocking or destroying of Personal Data.

2.4  The Parties acknowledge that this Data Processing Agreement has been adopted to reflect the requirements of the Act, which became effective on 25 May 2018, and the Parties acknowledge and agree that if such laws or regulatory guidelines are significantly amended, the terms and conditions of this Data Processing Agreement shall be revised so as to reflect, to the greatest extent possible, the originally intended principles of the Parties when executing this Data Processing Agreement.

2.5 If there is any conflict between the terms of this Data Processing Agreement and specific terms of the Agreement, then the terms of this Data Processing Agreement will prevail.

3. OBLIGATIONS OF THE DATA PROCESSOR

Processing in accordance with applicable law and instructions

3.1 When Processing Personal Data on behalf of the Data Controller, the Data Processor shall comply with relevant requirements of the Act, other applicable law and regulations, the Data Processor’s own security policy, and such other security requirements as set out in Exhibit 3 (together the “Security Requirements”). Should the Data Controller require the Data Processor to comply with any other requirements, such requirements shall be separately agreed between the Parties.

3.2 The Data Processor may only Process Personal Data on behalf of the Data Controller in accordance with the Data Controller’s instructions as specified in Exhibit 1 or as reasonably instructed from time to time. Should no other instructions have been issued by the Data Controller, then this Data Processing Agreement and the Agreement itself shall be deemed to constitute the Data Controller’s instructions to the Data Processor for the Processing of Personal Data. Should the Data Controller’s instructions go beyond what is deemed required by the Data Processor in accordance with the Act, and require changes to the Services under the Agreement or otherwise entail incremental costs for the Data Processor, such changes shall be separately agreed between the Parties and the Data Processor shall be compensated for any such direct and documented costs.

3.3 In the event that the Data Processor lacks instructions which the Data Processor deems necessary to perform the tasks requested by the Data Controller, the Data Processor shall, without delay, inform the Data Controller of its position and await any additional instructions the Data Controller deems necessary. Furthermore, upon notice or knowledge that an instruction is contrary to or in breach of the Act, the Data Processor shall promptly inform the Data Controller thereof, and pending receipt of instructions from the Data Controller, shall handle any Personal Data in the manner that it deems to be in compliance with the Act.  For the avoidance of doubt, the Data Processor shall not be entitled to terminate this Data Processing Agreement on the basis thereof and hence shall continue to Process the Data Controller’s Data until instructed otherwise.

Safety measures

3.4 The Data Processor shall take appropriate technical, organisational and security measures, respectively in accordance with Article 32 of the Act, to safeguard against unauthorised access, use, modification or Processing of the Data Controller’s Personal Data and against accidental loss, alteration or destruction of, or damage to the Data Controller’s Personal Data and will ensure that such measures are no less rigorous than those maintained by the Data Processor in respect of its own Personal Data of a similar nature. In addition, the Data Processor shall ensure that any personnel, contractor, or sub-processor entrusted with Processing the Data Controller’s Personal Data have signed appropriate confidentiality agreements and are properly instructed to perform their duties in a manner designed to ensure compliance with the terms of this Data Processing Agreement and have been duly instructed to follow the applicable data security and confidentiality standards.

Notifications to Data Controller and information requests from Data subjects and third parties

3.5 The Data Processor shall promptly notify the Data Controller and refer any request to the Data Controller:

(a) if the Data Processor, or one of its sub-processors, becomes aware of a confirmed Personal Data breach, it will promptly, within 48 hours from becoming aware of the breach, notify the Data Processor. Information provided to the Data Controller shall, to the extent such information is available to the Data Processor, include: (i) a description of the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects involved and the categories and approximate number of Personal Data records involved; (ii) a description of the likely consequences of the Personal Data breach; and (iii) a description of the measures taken or proposed to be taken by the Data Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects. In addition, the Data Processor shall without undue delay inform the Data Controller of the circumstances giving rise to the Personal Data breach, and any other related information reasonably requested by the Data Controller and available to the Data Processor, to the extent required by law.;

(b) in the event of a legally binding request for disclosure of Personal Data by a law enforcement authority unless prohibited under applicable law; and

(c) if a request is received by the Data Processor from Data Subjects regarding the Processing of their Personal Data, by a supervisory authority or a third party. Unless given prior express instruction by the Data Controller, or if required under applicable legislation, the Data Processor shall not disclose any Data Controller’s Personal Data or any information relating to the processing of the Data Controller’s Personal Data to any third party but should instead refer such third party to the Data Controller.

4. Exercise of the data subject’s rights

4.1 To the extent possible with regard to the nature of the Processing, the Data Processor shall ensure that it has the technical and organisational measures in place to enable the Data Controller to meet its obligations regarding the Data Subject’s rights under Chapter 3 in the Act.

4.2 Where the Data Controller, based upon applicable data protection law or following a request from a Data Subject, is obliged to: (i) provide information about the Processing of the information pertaining to a requesting individual (such as excerpts of the information collected), (ii) erase or block information collected and pertaining to a requesting individual, (iii) transfer information collected and pertaining to a requesting individual to a third party designated by the requesting individual, or (iv) is obliged to perform a data protection impact assessment in accordance with Article 35 in the Act, the Data Processor shall promptly assist the Data Controller therewith, at no extra cost except that the Data Processor may require payment for actual costs incurred, if requested in advance in writing by the Data Processor. Where the required information can be retrieved by the Data Controller itself from the systems of the Data Processor through the access methods made available by the Data Processor to the Data Controller, the Data Controller may retrieve such information by itself using the reporting features available for such purpose in the systems of the Data Processor.

5. TRANSFER TO A THIRD COUNTRY

5.1 If the Data Processor collects Personal Data from individuals located in below), the United Kingdom and/or the United States:  The Data Processor may only transfer the Data Controller’s Personal Data outside of the territory of the member states of the European Union, the European Economic Area or the countries which the European Commission has found to guarantee an adequate level of data protection, the United Kingdom and the United States (“Approved Jurisdictions”), with the Data Controller’s prior written consent. Each party, to the extent it is a Data Controller, approves of the transfer of Personal Data to the United Kingdom and the United States, and to the Approved Jurisdictions from the United Kingdom and the United States. 

5.2 The Data Processor shall enter into sufficient contractual arrangements with required parties (including the Data Controller itself or any of the Data Controller’s affiliates) for the safe transfer of the Data Controller’s Personal Data from the Approved Jurisdictions to any third countries, including as required by the European Commission under the standard contractual clauses (for the purposes of this Data Processing Agreement the “Standard Contractual Clauses”). As an alternative to entering into the Standard Contractual Clauses, the Data Processor may rely upon an alternative framework permitting the lawful transfer of the Data Controller’s Personal Data outside of the Approved Jurisdictions, provided that such framework is in compliance with the Act and applicable legislation (such as the EU-U.S. Privacy Shield scheme and Binding Corporate Rules).

6. SUB-PROCESSORS

6.1 The Data Processor may not use sub-processors for the Processing of the Data Controller’s Personal Data except with the Data Controller’s prior written consent. If the Data Processor uses a subcontractor for the Processing of the Data Controller’s Personal Data, the Data Processor shall execute a data processing agreement with the subcontractor according to which the subcontractor, as sub-processor of Personal Data, undertakes the same obligations regarding the protection of Personal Data as set forth in this Data Processing Agreement and which provides sufficient guarantees that the sub-processer will perform appropriate technical and organisational measures in a manner that ensures that the Processing satisfies laws or regulations as applicable from time to time. The Data Processor is responsible for its sub-processor’s performance as for its own performance. 

6.2 If applicable, the sub-processors used by the Data Processor, and hence approved by the Data Controller, are specified in Exhibit 2. As between the parties, the Data Processor may not change the specified sub-processors without the Data Controller’s prior written consent.

7. AUDIT

7.1 The Data Controller has the right to by itself or through a recognized, independent auditor with proven experience and procedures, who is not a competitor of the Data Processor, perform a reasonable audit of the Data Processor’s Processing of the Data Controller’s Personal Data under this Data Processing Agreement and the Act (exercisable by giving prior written notice to the Data Processor, such notice to be given at least ten (10) calendar days in advance. Note that, this limitation is not applicable in case of an audit by any applicable regulatory authority). The audit shall be performed during normal working days and business hours, and not more than once per calendar year unless mutually agreed upon by the parties. The Data Controller shall bear all audit expenses and compensate the Data Processor for direct and verifiable costs resulting from the audit.

7.2 The Data Processor shall use reasonable commercial efforts to assist the Data Controller in any request made by any applicable regulatory authority in relation to the Processing of Personal Data.

7.3 The Data Processor shall permit an audit in accordance with clauses 7.1 and 7.27.2 to be performed in relation to any sub-processer of the Data Processor.  

8. WARRANTIES

8.1 The Data Processor warrants that, to its knowledge:

(a) it is in compliance with the Act, in particular Article 28, and it shall provide to the Data Controller all such information required by law and requested by the Data Controller, for the Data Processor to substantiate and verify its compliance with the Act;

(b) it is in compliance with clause 3.43.4 of this Data Processing Agreement and has taken appropriate technical and organisational measures in such a manner that the Processing will meet the requirements set out in the Act; and

(c) it has the required expert knowledge, reliability and resources to fulfil and to adhere to the terms and conditions of this Data Processing Agreement.

9. LIABILITY

9.1 Each Party’s liability for breach of this Data Processing Agreement, the liability limitation of any liability shall be as set out below under this Section 10 and in Article 82 in the Act. Any limitations of liability in the Agreement shall not apply to the Processing of Personal Data under this Data Processing Agreement. 

9.2 In the event a Data Subject or any third party directs any claims towards the Data Controller based on the Data Processor’s Processing of Personal Data, the Data Processor shall hold the Data Controller harmless from and against any such claims if they result from the Data Processor’s failure to comply with this Data Processing Agreement or Data Controller’s instructions, but only to the extent of the claim attributable to such failure.

9.3 The Data Controller is, in addition to compensation for breach of the obligations that may follow from the Agreement, entitled to compensation for damages from the Data Processor, including amounts that shall be paid to third parties as damages or sanctions assessed by governmental authorities or through a citizen’s private right of action, according to the Act and other applicable law, if the Processing of Personal Data that forms the basis of the damages has been performed by or by means of the Data Processor contrary to this Data Processing Agreement or the Data Controller’s instructions and remains uncured after written notice of any deficiency and a reasonable time for cure. , but not more than the amounts received by the Data Processor pursuant to this Agreement within the twelve (12) month period immediately preceding the date notice of the claim was received.

10. REMUNERATION

10.1 Other than what is stated under clause 3.2 above, the Data Processor is not entitled to any specific remuneration for the Processing of Personal Data under this Data Processing Agreement. Any right to remuneration is stipulated in the Agreement.

11. TERM AND TERMINATION

11.1 This Data Processing Agreement shall be valid as of the Effective Date and will be valid for as long as the Data Processor is Processing any Data Controller’s Personal Data. 

11.2  Each Party is entitled to terminate this Data Processing Agreement if the other Party materially defaults in its obligations arising from this Data Processing Agreement (except as set out in clause 3.5(b)), if such default is not cured within thirty (30) days after receiving written notice from the Data Controller requiring the default to be cured.

11.3 Upon expiry of the Agreement or this Data Processing Agreement, for whatever reason, the Data Processor shall return the Data Controller’s Personal Data to the Data Controller, or to the extent this is not possible and with Data Controller’s acceptance, destroy and confirm the destruction of such Personal Data. No Data Controller’s Personal Data shall remain with the Data Processor after the expiry of this Data Processing Agreement, except to the extent the Data Processor is required under applicable law or regulation to keep any such data, or for backup purposes (for up to six (6) months upon termination of the applicable subscription to the Services under the Agreement and applicable Service Order Form thereunder). 

END OF DATA PROCESSING RIDER