Article 1 – Definitions
“Agreement” means the agreement between Priva and the Client, consisting of the Order, these General Terms and Conditions and any attachments thereto.
“Client” means the customer stated in the Order.
“Cloud Services” means the online Cloud Services, as further described in the Order and made available by Priva via its websites, apps and applications.
"Confidential Information" means all information disclosed by or on behalf of a party (in whatever medium including in written, oral, visual or electronic form and whether before or after the date of the Agreement) including all business, financial, commercial, technical, operational, organisational, legal, management and marketing information which is either marked as being confidential or which would reasonably be deemed to be confidential in the ordinary course of business.
“Effective Date” means i) the date the Order is signed or ii) the date that the Cloud Services were ordered by the Client through Priva’s online purchase environment, insofar available.
“General Terms and Conditions” means these general terms and conditions for Cloud Services.
“Initial Term” means the number of years specified in the Order, commencing from: (i) the date that Priva provides the Client access to the Cloud Services; or (ii) two weeks after the Effective Date, whichever occurs first.
“Order” means i) the order form (as made available digitally or otherwise), ii) the order through the website, apps or applications or iii) an order through a third-party distribution network (including the App Store from Apple and the Play Store from Google) pursuant to which Priva will provide to the Client and the Client will take from Priva the Cloud Services in accordance with the terms of the Agreement.
“Priva” means the relevant Priva entity with which the contract is entered into and which invoices the relevant Cloud Services.
“Priva Platform” means Priva's IT systems (which includes any soft- or hardware and provided by third party providers) that are used to run the Cloud Services.
“Users” means all individuals authorized by the Client to access the Cloud Services as specified in the Order.
Article 2 – Applicability
2.1 These General Terms and Conditions for the Cloud Services shall apply to and are expressly incorporated into the Agreement and all subsequent agreements entered into between Priva and the Client in connection with the Cloud Services.
2.2 The applicability of the Client’s general terms and conditions is hereby expressly excluded.
Article 3 – The Cloud Services
3.1 The Client is granted a non-exclusive and non-transferable right to use the Cloud Services selected in the Order and solely for the purposes described in the Order.
3.2 The Client is responsible for: (i) Implementing and adhering to Priva's instructions, manuals and documentation related to the Cloud Services; (ii) ensuring that it has suitable and properly functioning hardware (including IT, computers and mobile devices), software and internet access to the Cloud Services of sufficient capacity (together the "IT Infrastructure"); (iii) ensuring that it has implemented adequate technical and organisational measures for the security of its IT Infrastructure; (iv) the transmission of any data between its IT Infrastructure and the Priva Platform; and (v) the correct configuration of the Cloud Services and the Client's IT Infrastructure, including the interoperability of both.
3.3 The Client is granted a perpetual, non-exclusive, non-transferable right to use the results of the Cloud Services for its own internal use, unless explicitly otherwise permitted in writing by Priva.
3.4 Unless specifically agreed otherwise, the Cloud Services will be provided without any warranties, including i) any warranties related to availability of the Cloud Services, errors and bug fixes, added functionalities, service requests, consequences and interoperability, and ii) any warranties related to the information provided via the Cloud Services, and the accuracy, completeness or application of such information. For the avoidance of doubt, Priva will not accept liability for any of the aforementioned.
3.5 Moreover, the Client acknowledges and agrees that Priva cannot warrant that the Client will be able to successfully use the Cloud Services for the intended use, that it will be available on a continuous basis nor with consistent levels of quality and connectivity, due to the fact that such use depends partly on circumstances beyond Priva’s reasonable control, including those circumstances for which the Client will be responsible pursuant to this article 3.
3.6 Priva has a right to change the Cloud Services, including its look, feel, functionalities, the content and interoperability with Client’s IT Infrastructure.
3.7 Priva has the right to suspend (wholly or in part) the provision of Cloud Services to Client if, to Priva's reasonable judgement, Client violates any of the obligations in the Agreement.
Article 4 – User names and passwords
4.1 The Client shall provide Priva with the necessary access data, such as account names, user names and e-mail addresses of Users. The Client has, and shall ensure that the Users have, the responsibility to keep all access data (including usernames and passwords) confidential.
4.2 The Client is responsible and liable for any use of the Cloud Services, if any User obtained access to such service via the Client’s access data, even if the Client did not consent to or was unaware of such use.
4.3 The Client will not allow any third party to use the Cloud Services unless with Priva's prior written consent.
4.4 The Client will ensure that, unless specifically stated otherwise, account details (including usernames and passwords) and any individual use of the Cloud Services through such account is restricted to one specific individual only, and for example given not shared among other individuals.
Article 5 – Fees and Payment
5.1 The Client will pay Priva for the provision of the Cloud Services in accordance with the charges set out in the Order. The charges are exclusive of VAT, and must be paid within 30 days after receipt of the invoice for the Cloud Services, or as otherwise stated in such invoice.
5.2 The charges are fixed for the Initial Term and may be adjusted by Priva thereafter per the first day of each additional period of one year, provided that Priva has given the Client at least four (4) months prior notice.
5.3 The charges will be due annually in advance, or as otherwise stated in Agreement. If the Client fails to make a timely payment under the Agreement:
(i) the Client shall be in breach of the Agreement, without any notice of default being required and all of Priva’s claims against the Client shall become immediately due and payable;
(ii) the Client shall be obliged to pay the statutory interest rate for commercial debts on the outstanding amount and all judicial and extra-judicial costs incurred by Priva relating to the recovery and collection of any overdue amount;
(iii) Priva reserves the right to suspend the Client’s access to and use of the Cloud Services until all outstanding amounts (including interest and costs) are settled; and
(iv) the costs of suspending and reactivating shall be borne by the Client.
5.4 All payments to be made by the Client must be effected without set-off or suspension.
Article 6 – Liability and indemnification
6.1 Without prejudice to article 6.3, in no event, whether in contract, tort (including in either case negligence), misrepresentation (other than fraudulent misrepresentation), breach of statutory duty or otherwise, Priva shall be liable for any loss of profits, anticipated savings, revenue, business, loss or corruption of data, loss of use, loss of goodwill, loss due to delay or any indirect or consequential loss or damage whatsoever.
6.2 Without prejudice to articles 6.1 and 6.3, Priva’s aggregate liability, whether in contract, tort (including in either case negligence), misrepresentation (other than fraudulent misrepresentation), breach of statutory duty or otherwise, shall be limited to the net price paid or to be paid by the Client in the twelve (12) months preceding the date that the loss or damage occurred.
6.3 Nothing in the Agreement shall be deemed to exclude or limit Priva’s liability in respect of: (i) Loss or damage caused by wilful intent or gross negligence of Priva or Priva’s officers, employees, agents or contractors; or (ii) Injuries to or death of any person, caused by Priva or Priva’s officers, employees, agents or contractors.
6.4 Any claim for loss or damages must be notified to Priva within four (4) months as from the date on which the damage was caused, failing which such claim is deemed to be waived.
6.5 The Client shall defend, indemnify and hold harmless Priva against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the use of the Cloud Services by or any third-party that the Client allows to use the Cloud Services.
Article 7 – Data Protection
7.1 The Client warrants that it has informed the persons who will use the Cloud Services provided to the Client or whose data may be processed through the Cloud Services ("Data Subjects") and that it holds the written consent from these Data Subjects insofar required by law. The Client shall present the relevant consent to Priva on request.
7.2 Insofar Priva processes personal data on behalf of the Client and qualifies as a processor under the implementing legislation of EU Directive 95/46/EC or the EU General Data Protection Regulation, the processing of such personal data will be governed by the Data Processing Agreement in Annex 1.
Article 8 – Intellectual Property
8.1 Subject to the limited rights expressly granted in articles 3.1 and 3.3, Priva reserves all rights, title and interest in and to the Cloud Services, including all related intellectual property rights. No rights are granted to the Client hereunder, other than as expressly set forth herein.
8.2 Priva will exclusively own any and all rights, title, and interest (including intellectual property rights) in and to any software code, algorithms and any know-how, capabilities or data generated and/or collected by the Priva Platform in running the Cloud Services. Insofar as necessary, the Client hereby assigns and transfers any and all such rights, title, and interest (including intellectual property rights) to Priva, which assignment and transfer Priva hereby accepts. For the avoidance of doubt, the previous relates only to technical and analytical data relating to the operation and use of the Priva Platform and the Cloud Services themselves, not the Client and User data, which shall at all times belong to Client, User or to such third party as may be the case.
8.3 Except as permitted in the Agreement, the Client shall not (i) create derivate works based on the Cloud Services, (ii) copy, frame or mirror any part or content of the Cloud Services, (iii) reverse engineer the Cloud Services, or (iv) use the Cloud Services in order to (a) build a competitive product or service, or (b) copy any features, functions or graphics of the Cloud Services.
Article 9 – Confidentiality
9.1 The receiving party of Confidential Information shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) and agrees (i) not to use any Confidential Information of the disclosing party for any purpose outside the scope of the Agreement, and (ii) except as otherwise authorized by the disclosing party in writing, to limit access to Confidential Information of the disclosing party to those of its employees, affiliates, contractors and agents who need such access for purposes consistent with the Agreement and who have signed confidentiality agreements with the receiving party containing protections no less stringent than those herein.
9.2 If the Agreement is terminated, the receiving party shall promptly return or destroy at the request of the disclosing party all Confidential Information of the disclosing party.
9.3 The receiving party may disclose Confidential Information of the disclosing party if it is required by law or regulations to do so, provided the receiving party gives the disclosing party prior notice of such disclosure (to the extent legally permitted) and reasonable assistance, at the disclosing party's cost, if the disclosing party wishes to contest the disclosure.
9.4 The terms and conditions of the Agreement are confidential and may not be disclosed by either party without the prior consent of the other party.
Article 10 – Term and Termination
10.1 The Agreement commences on the Effective Date and shall expire after the Initial Term. Following the Initial Term, the Agreement shall automatically renew for consecutive additional periods of one (1) year each (or such a period as Parties agree in writing), unless either party gives the other party written notice of its intention not to renew at least three (3) months prior to the date on which the Agreement would otherwise renew.
10.2 Each party may, without prejudice to any of its other rights arising hereunder, upon giving written notice to the other party, terminate the Agreement with immediate effect, if:
(i) the other party commits a material breach of the Agreement, which breach is not cured within 30 (thirty) days after written notice of the breach;
(ii) the other party has been granted provisional suspension of payment or is declared bankrupt or a resolution is passed or a petition is presented for the winding-up of the other party, such party has called a meeting of or has entered into or has proposed to enter into an arrangement, scheme of composition with creditors; or (
iii) a situation of force majeure has lasted for more than sixty days.
Article 11 – Miscellaneous
11.1 The Agreement constitutes the entire agreement between the parties and supersedes any previous arrangement, understanding or agreement between them relating to the subject matter hereof.
11.2 Neither party may assign, transfer or dispose of any of its rights under the Agreement, either in whole or in part, without the prior written consent of the other party.
11.3 The invalidity or unenforceability of any provision of the Agreement shall not affect the validity or enforceability of the remainder of the Agreement and the parties shall use all reasonable endeavours to agree within a reasonable time upon any lawful and reasonable variations to the Agreement which may be necessary in order to achieve, to the greatest extent possible, the same effect as would have been achieved by the invalid or unenforceable provision.
11.4 No amendment to the Agreement is valid or binding, unless made in writing (subject to Priva's right pursuant to article 11.5).
11.5 Priva is entitled to amend these General Terms and Conditions, which amendments shall apply to the Agreement with effect of the date that the Client is notified thereof. 11.6 Each dispute arising under the Agreement shall, in first instance, be settled by the competent Court of The Hague, which shall have exclusive jurisdiction in respect of any such disputes. The Agreement is subject to Dutch law.
ANNEX 1 - DATA PROCESSING AGREEMENT
In this data processor agreement, (1) the Client (is referred to as the “Controller” and (2) Priva is referred to as the “Processor”. Controller and Processor are jointly referred to as the “Parties”. Unless stated otherwise, the definitions from the agreement mentioned below apply to this annex 1.
(A) The Parties executed the agreement for the provision of Cloud Services to the Controller (the “Agreement”). In the course of exercising its obligations under the Agreement, the Processor may process Personal Data as a processor for or on behalf of the Controller (“Personal Data”) which parties wish to further address via the data processing agreement in this Annex 1 (the “DPA”).
THE PARTIES HEREBY AGREE AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1 In this DPA the following words and phrases shall have the following meanings, unless as otherwise specified:
"Data Subject" shall mean an identifiable person whose data will be processed under this DPA and who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic cultural or social identity;
“Privacy Legislation” shall mean the European Commission Data Protection Directive (95/46/EC) and the Directive on Privacy and Electronic Communications (2002/58/EC), any national laws implementing such Directives and/or, when applicable, the Regulation (EU) 2016/679, and any legislation or regulation amending, supplementing or any of the foregoing from time to time;
“processing of Personal Data” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
“Security Incident” shall mean any breach of technical and organisational security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any data; and
“sub-contract” and “sub-contracting” shall mean the process by which either party arranges for a third party to carry out its obligations under this DPA, and “Sub-Contractor” shall mean the party to whom the obligations are subcontracted.
1.2 In the event of any inconsistency arising between the provisions of this DPA and the Agreement, the provisions of the Agreement shall prevail.
2. PROCESSING OBLIGATIONS
2.1 The Processor shall only carry out those actions in respect of the Personal Data processed on behalf of the Controller as are stipulated in the Agreement, this DPA or otherwise with prior written consent from the Controller.
2.2 The Controller will ensure that its instructions for the processing of the Personal Data are in accordance with the Privacy Legislation which applies to the processing of Personal Data under the Agreement.
2.3 In the course of exercising its obligations, the Processor will not transfer, and must ensure that no Sub-Contractor transfers, any Personal Data to any country or territory outside the European Economic Area without the prior written consent of the Controller.
3.1 Processor shall take such technical and organisational security measures as are required to protect Personal Data processed by the Processor on behalf of the Controller against loss or other unlawful forms of processing. Such measures will guarantee an adequate level of security, taking into account the risks involved with the processing and the nature of the Personal Data.
3.2 In addition to the general obligation set out under clause 3.1, such technical and organisational security measures shall include, as a minimum standard of protection, compliance with the security measures set out below under clause 3.3, and any further instructions or policies provided by the Processor from time to time.
3.3 Processor, as a minimum requirement, shall give due consideration to the following types of security measures: ▪ Information Security Management Systems; ▪ Physical Security;
▪ Access Control;
▪ Security and Privacy Enhancing Technologies;
▪ Awareness, training and security checks in relation to personnel; and
▪ Incident/Response Management/Business Continuity.
4. SECURITY INCIDENTS
4.1 The Processor shall take technical and organisational security measures to address obligations in Privacy Legislation with respect to Security Incidents.
4.2 In case of any Security Incident, the Processor will notify the Controller as soon as reasonably possible and with initial details regarding the nature, period and affected Data Subjects of the Security Incident.
4.3 The Controller acknowledges that the Processor must promptly take all necessary and appropriate corrective actions to remedy any deficiencies in its technical and 10 organisational security measures, and Controller will provide reasonable assistance to Processor upon first request.
5.1 The Processor agrees that it shall maintain the Personal Data in confidence and will ensure that its personnel has agreed to appropriate confidentiality obligations.
5.2 Within 30 days following termination or expiry of this DPA the Processor shall, destroy all Personal Data unless i) prohibited from doing so by any applicable law or ii) further arrangements have been made with the Controller regarding the Personal Data.
5.3 This clause 5 shall be considered without prejudice to any independent confidentiality obligations agreed between the Parties.
6. DATA SUBJECTS' RIGHTS
6.1 The Processor will reasonably co-operate with the Controller, subject to the Controller's prior written instructions and/or consent, to allow Data Subjects to exercise any rights they might have, including rights of access to their Personal Data and rights to correct, update, delete, port or block Personal Data and the processing thereof.
7.1 The Controller acknowledges and agrees that Processor may sub-contract any of its obligations under this DPA by way of a written agreement with the Sub-Contractor which provides a similar level of protection in relation to the protection of the Personal Data as is imposed on the Processor under this DPA.
7.2 The Processor will inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. Should Controller persist in its objection, it may, as its sole and exclusive remedy for such objection, terminate the Agreement under the condition that it pays all fees and charges for the remainder of the term of the Agreement.
8.1 Upon first request, the Processor shall make available to the Controller information which is reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and will – if available - provide the Controller with certificates (such as, for example, ISO certifications) issued by independent third party auditors evidencing this.
8.2 The Controller has the right to audit the Processor’s compliance with this DPA, up to one time per contractual year and at the Controller's costs, if the Controller in its reasonable discretion believes that the right under clause 8.1 is not sufficient in an individual case, or a competent data protection authority requests this. At the selection of the Controller and the approval of the Processor, such audit will be either performed by i) the Processor or ii) a qualified, independent third party security auditor (the "Auditor"). In the course of such audit, the Auditor may enter the Processor’s facilities during normal business hours and without unreasonably 11 impacting Processor’s business, in particular with no impact on the general IT security of the Processor, and examine Processor’s work routines, set ups and technical infrastructure.
8.3 The Processor may claim remuneration for its efforts when performing and/or enabling audits. The Processor will support up to one man days’ time per audit free of additional cost for the Controller.
9. TERM AND TERMINATION
9.1 This DPA will continue in full force and effect until expiry or termination of the Agreement.