fbpx

Terms of Use & End User Agreement

OK. Now for the legal stuff…

Contents

Terms of Use and End User Agreement

Data Protection Addendum

Standard Contractual Clauses

 

 

PLEASE READ THIS TERMS OF USE AND END USER AGREEMENT (THE “TERMS OF USE”) CAREFULLY. THESE TERMS OF USE GOVERN THE USE OF THE LUPL PLATFORM, APPLICATION AND SERVICES (TOGETHER, THE “SERVICES” AND EACH A “SERVICE”).

BY CLICKING ON THE “I ACCEPT” OR “AGREE” (OR SIMILAR) BUTTON OR OTHERWISE INDICATING ACCEPTANCE, OR COMPLETING THE REGISTRATION PROCESS, OR DOWNLOADING OR ACCESSING LUPL’S WEB, MOBILE OR DESKTOP APPLICATION(S) (THE “APPLICATION”), OR ACCESSING LUPL VIA AN INTEGRATED SERVICE, YOU REPRESENT THAT (1) YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THE TERMS OF USE, (2) YOU ARE OF LEGAL AGE TO FORM A BINDING CONTRACT WITH LUPL, INC., AND (3) YOU HAVE THE AUTHORITY TO ENTER INTO THE TERMS OF USE PERSONALLY AND ON BEHALF OF YOUR ORGANIZATION, AND TO BIND THAT ENTITY TO THE TERMS OF USE. THE TERM “YOU” OR “CUSTOMER” REFERS TO THE INDIVIDUAL AND/OR LEGAL ENTITY ENTERING INTO THESE TERMS OF USE. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF USE, YOU ARE NOT PERMITTED TO ACCESS OR USE THE SERVICES.

YOUR AND YOUR ORGANIZATION’S USE OF LUPL MAY ALSO BE GOVERNED BY A MASTER SERVICES AGREEMENT AND/OR ENTERPRISE AGREEMENT AND/OR ORDER FOR SERVICES (THE “AGREEMENT”). IN THE EVENT OF ANY CONFLICT OR INCONSISTENCY BETWEEN THESE TERMS OF USE AND THE AGREEMENT, THE AGREEMENT WILL PREVAIL.

IF YOU SUBSCRIBE TO THE SERVICES FOR A SPECIFIED TERM (THE “INITIAL TERM”), THEN THE TERMS OF USE WILL BE AUTOMATICALLY RENEWED AS SPECIFIED IN THE RELEVANT ORDER (OR, IF NOT SPECIFIED IN THE ORDER, FOR ADDITIONAL PERIODS OF THE SAME DURATION AS THE INITIAL TERM) AT LUPL’S THEN-CURRENT FEE FOR SUCH SERVICES UNLESS YOU DECLINE TO RENEW YOUR SUBSCRIPTION IN ACCORDANCE WITH SECTION 13.1 (TERM) BELOW.

THESE TERMS OF USE REQUIRE THE USE OF ARBITRATION ON AN INDIVIDUAL BASIS TO RESOLVE DISPUTES, RATHER THAN JURY TRIALS OR CLASS ACTIONS, AND ALSO LIMIT THE REMEDIES AVAILABLE TO YOU IN THE EVENT OF A DISPUTE. ANY DISPUTE, CLAIM OR REQUEST FOR RELIEF RELATING IN ANY WAY TO YOUR USE OF THE SERVICES WILL BE GOVERNED AND INTERPRETED BY AND UNDER THE LAWS OF THE STATE OF VIRGINIA, CONSISTENT WITH THE FEDERAL ARBITRATION ACT, WITHOUT GIVING EFFECT TO ANY PRINCIPLES THAT PROVIDE FOR THE APPLICATION OF THE LAW OF ANY OTHER JURISDICTION. THE UNITED NATIONS CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS IS EXPRESSLY EXCLUDED FROM THE TERMS OF USE.

You should print a copy of these terms or save them to your computer for future reference.

1. DEFINITIONS. Capitalized terms will have the meanings set forth in this section, or in the section where they are first used.

1.1         “Access Protocols” means the passwords, access codes, technical specifications, connectivity standards or protocols, or other relevant procedures, as may be necessary to allow You to access the Platform and use the Services.

1.2         “Applicable Privacy Laws” means, to the extent applicable to the Services, all worldwide data protection and privacy laws and regulations, including where applicable, the California Consumer Privacy Act Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the Personal Data Protection Act 2012 of Singapore, and any U.S. state or national data protection laws as superseded, amended or replaced.

1.3         “EU GDPR” means the EU General Data Protection Regulation, Regulation (EU) 2016/679 (including as further amended or modified).

1.4         “Lupl Materials” means the Platform, Application, and Reports, and all worldwide intellectual property rights in and to each of the foregoing but excluding Personal Data.

1.5         “Matter Space” means a communication, collaboration and matter coordination space created by You or any authorized Lupl user on the Platform.

1.6         “Personal Data” means any personal data or personally identifiable information provided by or collected from You in connection with Your use of the Platform that is: (A) nonpublic personal information, (B) information covered by state or federal law which requires the protection of information related to natural persons, (C) other personal information identifiable to a natural person protected now or in the future by applicable state or federal law, or (D) to the extent that the EU GDPR or the UK GDPR applies, any information relating to an identified or identifiable natural person.

1.7         “Platform” means the Lupl software-as-a-service software platform that allows You to access certain features and functions through an Application interface (or the interface of any integrated service, including without limitation connected communications or document tools), together with any relevant user instructions, support, onboarding and customer success materials and related user materials and documentation.

1.8         “Processing” (including “Process”, “Processes”, “Processed”, and other variants of the term) means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, collation, recording, organization, storage, adaptation or alteration, retrieval, consultation, analysis, interpretation, compilation, aggregation, use, disclosure by transmission, dissemination, viewing, copying, deleting, or otherwise making available, alignment or combination, blocking or erasure, or destruction.

1.9         “Reports” means results, reports, materials, and documentation made available to You as part of the Services, including through the Platform.

1.10       “UK GDPR” means the United Kingdom version of the GDPR as it forms part of the law of each applicable jurisdiction of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018.

2. REGISTRATION.

2.1         Registering Your Account. In order to access certain features of the Platform you may be required to become a Registered User. For purposes of these Terms of Use, a “Registered User” is a user who has registered an account on the Platform (“Account”).

2.2         Registration Data. In registering an account on the Platform, you agree to (a) provide true, accurate, current and complete information about yourself as prompted by the Platform (the “Registration Data”); and (b) maintain and promptly update the Registration Data to keep it true, accurate, current and complete. You represent that you are (l) of legal age to form a binding contract; and (m) not a person barred from using Platform under the laws of the United States, your place of residence / domicile or any other applicable jurisdiction.

2.3         Your Account. You are responsible for all activities that occur under your Account. You may not share your Access Protocols with anyone, whether within or outside your organization, and you agree to notify Lupl immediately of any unauthorized use of your Account or Access Protocols. If you provide any information that is untrue, inaccurate, not current or incomplete, or Lupl has reasonable grounds to suspect that any information you provide is untrue, inaccurate, not current or incomplete, Lupl has the right to suspend or terminate your Account and refuse any and all current or future use of Platform (or any portion thereof). You agree not to create an Account using a false identity or information, or on behalf of someone other than yourself. Lupl reserves the right to remove or reclaim any usernames at any time and for any reason, including but not limited to, claims by a third party that a username violates the third party’s rights. You agree not to create an Account or use Platform if you have been previously removed by Lupl, or if you have been previously banned from Platform.

2.4         Necessary Equipment and Software. You must provide all equipment and software necessary to connect to the Platform, including but not limited to, a mobile, laptop or other device that is suitable to connect with and use Platform. You are solely responsible for any fees, including Internet connection or mobile fees, that you incur when accessing Platform.

3. SERVICES.

3.1            During the Term, Lupl will use commercially reasonable efforts to provide You with the Services subject to and in accordance with these Terms of Use.

3.2            Subject to these Terms of Use, Lupl grants to You a non-exclusive, non-transferable, non-sublicenseable right during the Term, solely for Your business purposes, to access and use the Services in accordance with the applicable documentation and usage restrictions provided by Lupl from time to time.

4. RESPONSIBILITY FOR CONTENT; INTERACTIONS WITH OTHER USERS

4.1         Types of Content. You acknowledge that all information, documents, data, text, software, music, sound, photographs, graphics, video, messages, tags and/or other materials accessible through the Lupl Materials (collectively, “Content”) is the sole responsibility of the party from whom such Content originated. This means that You, and not Lupl, are entirely responsible for all Content that you upload, post, transmit, sync or otherwise make available (“Make Available”) through the Platform (“Your Content”), and that you and other Registered Users of Platform, and not Lupl, are similarly responsible for all Content that you and they Make Available through Platform (“User Content”).

4.2         Content. You acknowledge that Lupl does not review Your Content. Lupl has no responsibility or liability for the deletion or accuracy of any Content. Certain Services may enable you to specify the level at which such Services restrict access to Your Content. You are solely responsible for applying the appropriate level of access to Your Content. If you do not choose, the system may default to its most permissive setting. You agree that Lupl retains the right to create reasonable limits on use and storage of the Content, including Your Content, such as limits on file size, storage space or processing capacity, as determined by Lupl in its sole discretion.

4.3         User Responsibility. You are solely responsible for your interactions with other Registered Users and any other parties with whom you interact. You agree that Lupl will not be responsible for any liability incurred as the result of such interactions.

4.4         Content Provided by Other Users. Platform may contain User Content provided by other Registered Users. Lupl is not responsible for and does not control User Content. Lupl has no obligation to review or monitor, and does not approve, endorse or make any representations or warranties with respect to User Content. You use all User Content and interact with other Registered Users at your own risk.

5. INTELLECTUAL PROPERTY; PROPRIETARY RIGHTS.

5.1         Personal Data. Your Personal Data is Your exclusive property.

5.2         Lupl Materials. The Lupl Materials are the exclusive property of Lupl and its suppliers. All rights in and to the Lupl Materials not expressly granted to You in these Terms of Use are reserved by Lupl and its suppliers. Except as expressly set forth herein, no express or implied license or right of any kind is granted to You regarding the Lupl Materials, or any part thereof.

5.3         Your Content. Lupl does not claim ownership of Your Content. However, when you as a Registered User post or publish Your Content on or via the Platform, or sync or provide any other data or information to Lupl, you represent that you own and/or have the right to share Your Content, data and information. Without limitation, you must ensure that you clear any third-party intellectual property rights and obtain any necessary third-party privacy or other consents before sharing Your Content, data or information via the Platform and/or with Lupl.

5.4         License to Your Content. You grant Lupl a fully paid, royalty-free, perpetual, irrevocable, worldwide, royalty-free, non-exclusive and fully sublicensable right (including any moral rights) and license to use, license, distribute, reproduce, modify, adapt, publicly perform, and publicly display Your Content (in whole or in part) for the purposes of operating and providing the Services to you and to our other Registered Users.

5.5         Aggregated/Anonymized Data. You acknowledge and agree that notwithstanding anything to the contrary, Lupl may use and disclose Personal Data in aggregated or anonymized form: (a) to improve the Services and Lupl’s related products and services; (b) to provide analytics and benchmarking services; or (c) to generate and disclose statistics regarding use of the Services; provided, however, that such use shall in no way identify You.

5.6         Feedback. You hereby grant to Lupl a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into the Services any suggestions, enhancement requests, recommendations or other feedback provided by You relating to the Services. Lupl will not identify You as the source of any such suggestions, enhancement requests, recommendations or other feedback unless (a) otherwise agreed with You; or (b) you submit such suggestions, enhancement requests, recommendations or other feedback via a public ideas platform without specifically marking the idea as anonymous.

6. User Conduct.

6.1         Conduct Generally. You agree that you will not, under any circumstances:

(a)         Allow any third party to access the Lupl Materials except as expressly allowed herein;

(b)         Modify, adapt, alter or translate the Lupl Materials;

(c)          Sublicense, lease, sell, resell, rent, loan, distribute or transfer the Lupl Materials for the benefit of any unauthorized third party;

(d)         Modify, copy or make derivative works based on any part of the Lupl Materials;

(e)         Access or use the Lupl Materials to build a similar or competitive product or service;

(f)          Remove, alter, or obscure any proprietary notices (including copyright and trademark notices) of Lupl or its licensors on the Reports or any copies thereof;

(g)         Make available any Content, information or data that you do not have a right to Make Available under any law or under contractual or fiduciary relationships;

(h)         Make Available any Content that infringes the rights of any person or entity, including without limitation, any patent, trademark, trade secret, copyright, privacy, publicity or other proprietary or contractual rights;

(i)           Interfere with or damage the Lupl Materials, including, without limitation, through the use of viruses, cancel bots, Trojan horses, harmful code, flood pings, denial-of-service attacks, packet or IP spoofing, forged routing or electronic mail address information, or similar methods or technology;

(j)          Disrupt, overburden, or aid or assist in the disruption or overburdening of: (i) any computer or server used to offer or support the Lupl Materials; or (ii) the enjoyment of the Lupl Materials by any other person;

(k)         Attempt to gain unauthorized access to the Lupl Materials, accounts registered to others, or to the computers, servers or networks connected to the Lupl Materials by any means other than the user interface provided by Lupl, including, but not limited to, by circumventing or modifying, attempting to circumvent or modify, or encouraging or assisting any other person to circumvent or modify, any security, technology, device or software that is part of the Lupl Materials;

(l)           Attempt to probe, scan, or test the vulnerability of any Lupl system or network, or breach any security or authentication measures;

(m)        Disrupt or interfere with the security of, or otherwise cause harm to, the Lupl Materials, systems, resources, accounts, passwords, servers or networks connected to or accessible through Lupl Materials or any affiliated or linked sites;

(n)         Avoid, bypass, remove, deactivate, impair, descramble, or otherwise circumvent any technological measure implemented by Lupl or any of Lupl’s providers or any other third party (including another user) to protect the Lupl Materials;

(o)         Impersonate another person or organization or engage in misleading or fraudulent behavior;

(p)         Send illegal, impermissible, unauthorized or spam communications, such as bulk messaging, auto-messaging, auto-dialing, unsolicited commercial or other communications, and the like, or engage in abusive or illegal activities or harassment of other users; or

(q)         Otherwise interfere in any manner with the operation of the Lupl Materials, or the hardware and network used to operate the Lupl Materials.

6.2         Unauthorized Use or Access. You agree that you will not, under any circumstances:

(a)         Interfere or attempt to interfere with the proper functioning of the Lupl Materials or connect to or use the Lupl Materials in any way not expressly permitted by the Terms of Use;

(b)         Systematically retrieve data or other Content from the Lupl Materials to create or compile, directly or indirectly, in single or multiple downloads, a collection, compilation, database, directory or the like, whether by manual methods or through the use of bots, crawlers, spiders, or otherwise, except as permitted through the functionality of the Lupl Materials;

(c)          Use, display, mirror or frame the Lupl Materials, or any individual element within the Lupl Materials, Lupl’s name, any Lupl trademark, logo or other proprietary information, or the layout and design of any page or form contained on a page, without Lupl’s express written consent;

(d)         Use any unauthorized software that accesses, intercepts, “mines” or otherwise collects information from or through Platform or that is in transit from or to the Lupl Materials, including, but not limited to, any software that reads areas of RAM or streams of network traffic used by the Lupl Materials;

(e)         Intercept, examine or otherwise observe any proprietary communications protocol used by a client, a server or the Lupl Materials, whether through the use of a network analyzer, packet sniffer or other device;

(f)          Bypass any robot exclusion headers or other measures Lupl takes to restrict access to Platform, or use any software, technology or device to send Content or messages, scrape, spider or crawl the Lupl Materials, or harvest or manipulate data;

(g)         Use, facilitate, create, or maintain any unauthorized connection to the Lupl Materials, including, but not limited to: (i) any connection to any unauthorized server that emulates, or attempts to emulate, any part of Lupl Materials; or (ii) any connection using programs, tools or software not expressly approved by Lupl;

(h)         Reverse engineer, decompile, disassemble, decipher or otherwise attempt to derive the source code (or the underlying ideas, algorithms, structure or organization) of the Lupl Materials or any underlying software or other intellectual property used to provide Platform or the Services;

(i)           Forge headers or otherwise manipulate identifiers in order to disguise the origin of any Content transmitted through the Lupl Materials;

(j)          Upload, post, e-mail, transmit or otherwise Make Available any material that contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment;

(k)         Forge any TCP/IP packet header or any part of the header information in any e-mail or newsgroup posting, or in any way use the Lupl Materials to send altered, deceptive or false source-identifying information;

(l)           Attempt to access the Lupl Materials through any unapproved interface; or

(m)        Otherwise use the Lupl Materials in any manner that exceeds the scope of use expressly permitted in these Terms of Use or in a manner inconsistent with applicable law.

7. DATA SECURITY; PRIVACY.

7.1         Data Protection Addendum. The attached Data Protection Addendum shall be deemed incorporated into these Terms of Use and each party shall comply with their respective obligations set out therein.

7.2         Privacy. Each party shall comply with all Applicable Privacy Laws in the performance of their respective obligations under the Terms of Use with respect to the Processing of Personal Data.

8. FEES AND EXPENSES; PAYMENTS.

8.1         Freemium Users. Lupl may offer You certain features or a limited version of the Services on a cost-free basis (“Freemium”). For Freemium users, there is no payment for the access rights granted to You and the applicable Services performed by Lupl under the Terms of Use. Lupl reserves the right to withdraw Freemium access at any time upon notice to You.

8.2         Fees. For customers in a Lupl paid tier, whether Elite, Essentials, Enterprise or another paid tier, in consideration for the access rights granted to You and the Services performed by Lupl under the Terms of Use, You will pay Lupl the Fees agreed to on the basis agreed when you registered for the applicable Services or as otherwise specified in the Agreement or associated Order. All Fees are billed in advance and payable within fourteen (14) days of the date of the invoice. Save as otherwise set out in the Order or Agreement, Lupl reserves the right to modify the Fees payable hereunder upon written notice to You at least sixty (60) days prior to the end of the then-current term. Lupl reserves the right (in addition to any other rights or remedies Lupl may have) to suspend or discontinue Your access to the Services if any Fees are more than thirty (30) days overdue until such amounts are paid in full. For the avoidance of doubt, You shall continue to incur and be responsible for all Fees due for the Services during any such period of suspension or discontinuation. You will maintain complete, accurate and up-to-date billing and contact information at all times.

8.3         Taxes. The Fees are exclusive of all applicable sales, use, value-added and other taxes, and all applicable duties, tariffs, assessments, export and import fees, or other similar charges, and You will be responsible for payment of all such taxes (other than taxes based on Lupl’s income), fees, duties, and charges and any related penalties and interest, arising from the payment of the Fees, the provision of the Services, or the license of the Platform to You. You will make all payments of Fees to Lupl free and clear of, and without reduction for, any withholding taxes; any such taxes imposed on payments of Fees to Lupl will be Your sole responsibility, and You will provide Lupl with official receipts issued by the appropriate taxing authority, or such other evidence as the Lupl may reasonably request, to establish that such taxes have been paid.

8.4         Interest. Any amounts not paid when due will bear interest at the rate of one percent (1%) per month or the maximum legal rate if less (or the mandatory legal rate, whether more or less than this contractual rate, to the extent it automatically overrides any contractual rate by operation of applicable law), from the due date until paid. Moreover, You may automatically be liable to Lupl for certain lump-sum compensation for recovery costs under any mandatory provision of applicable law if a payment is late. If the recovery costs incurred by Lupl are higher than this amount, Lupl may request additional compensation upon justification.

9. YOUR OTHER RESPONSIBILITIES. You will obtain all licenses, consents and permissions needed for Lupl to use the information to provide the Services to You and others invited to a Matter Space by You.

10. WARRANTIES AND DISCLAIMERS.

10.1       Mutual Warranties. Each party represents and warrants that (a) it has all rights, authorizations, consents, and permission necessary to perform its obligations or grant the rights and licenses hereunder and (b) it shall perform all of its obligations and exercise all of its rights hereunder in accordance with all laws, rules and regulations applicable to such party.

10.2       Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS OF USE, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE LUPL MATERIALS ARE PROVIDED “AS IS,” AND LUPL MAKES NO (AND HEREBY DISCLAIMS ALL) OTHER WARRANTIES, REPRESENTATIONS, OR CONDITIONS, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF SATISFACTORY QUALITY, COURSE OF DEALING, TRADE USAGE OR PRACTICE, SYSTEM INTEGRATION, DATA ACCURACY, MERCHANTABILITY, TITLE, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE. LUPL DOES NOT WARRANT THAT ALL ERRORS CAN BE CORRECTED, OR THAT OPERATION OF THE LUPL MATERIALS WILL BE UNINTERRUPTED OR ERROR-FREE. LUPL PROVIDES NO REPRESENTATIONS, WARRANTIES, OR GUARANTEES REGARDING RESULTS OR RECOMMENDATIONS MADE OR OBTAINED FROM OR THROUGH THE LUPL MATERIALS, INCLUDING WITHOUT LIMITATION THE ACCURACY, SAFETY, OR APPROPRIATENESS THEREOF, OR THAT ANY OF THE FOREGOING WILL BE ERROR FREE OR WILL PREVENT, AVOID, OR REDUCE ANY CHANCE OR RATE OF ILLNESS, CONTAGION, RISK, OR LIABILITY.

10.3       Additional Disclaimers. Each Matter Space and direct message conversation is Your and any invited third parties’ private work space. Lupl does not routinely monitor the Content or information in such places. Lupl shall not be responsible for any actions, or lack thereof, taken by You, any Lupl user, or any other party as a result of, or in connection with, the Services or the information exchanged in a Matter Space or direct message conversation. In addition, the Platform allows You to connect and/or use integrated third-party software and services to Lupl. Lupl does not control these third-party software or services and as a result makes no promises about such third-party software or services, including whether or not they are available or will interoperate with Lupl in the future (or, in the case of Content, such as via the Knowledge Hub, whether the Content is accurate, complete or up-to-date). In addition, You may be required to have a separate agreement with the third party to use such third-party software and services. Nothing in the Lupl Materials constitutes or shall be construed as legal or other professional advice.

11. LIABILITY AND INDEMNIFICATION.

11.1       Indemnification. You agree to indemnify and hold Lupl, its parents, subsidiaries, affiliates, officers, employees, agents, partners, suppliers, contractors and licensors (each, a “Company Party” and collectively, the “Company Parties”) harmless from any losses, costs, liabilities and expenses (including reasonable attorneys’ fees) relating to or arising out of any and all of the following: (a) Your Content; (b) your use of, or inability to use, Platform; (c) your violation of the Terms of Use; (d) your violation of any rights of another party, including any Registered Users; or (e) your violation of any applicable laws, rules or regulations. Lupl reserves the right, at its own cost, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you will fully cooperate with Lupl in asserting any available defenses. This provision does not require you to indemnify any of the Company Parties for any unconscionable commercial practice by such party or for such party’s fraud, deception, false promise, misrepresentation or concealment, suppression or omission of any material fact in connection with the Services provided hereunder. You agree that the provisions in this section will survive any termination of your Account, the Terms of Use and/or your access to Platform.

11.2       Types of Damages. IN NO EVENT WILL LUPL BE LIABLE TO YOU FOR ANY INCIDENTAL, INDIRECT, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, REGARDLESS OF THE NATURE OF THE CLAIM, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, COSTS OF DELAY, ANY FAILURE OF DELIVERY, BUSINESS INTERRUPTION, COSTS OF LOST OR DAMAGED DATA OR DOCUMENTATION, OR LIABILITIES TO THIRD PARTIES ARISING FROM ANY SOURCE, EVEN IF LUPL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION UPON DAMAGES AND CLAIMS IS INTENDED TO APPLY WITHOUT REGARD TO WHETHER OTHER PROVISIONS OF THESE TERMS OF USE HAVE BEEN BREACHED OR HAVE PROVEN INEFFECTIVE.

11.3       Amount of Damages. THE MAXIMUM LIABILITY OF LUPL ARISING OUT OF OR IN ANY WAY CONNECTED TO THESE TERMS OF USE WILL NOT EXCEED THE FEES PAID BY YOU TO LUPL DURING THE TWELVE (12) MONTHS PRECEDING THE ACT, OMISSION OR OCCURRENCE GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL LUPL’S SUPPLIERS HAVE ANY LIABILITY ARISING OUT OF OR IN ANY WAY CONNECTED TO THESE TERMS OF USE. NOTHING IN THESE TERMS OF USE WILL LIMIT OR EXCLUDE EITHER PARTY’S LIABILITY FOR GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT OF A PARTY OR ITS EMPLOYEES OR AGENTS OR FOR DEATH OR PERSONAL INJURY.

11.4       Basis of the Bargain. The parties agree that the limitations of liability set forth in this Section (Limitation of Liability) will survive and continue in full force and effect despite any failure of consideration or of an exclusive remedy. The parties acknowledge that the prices have been set and the Terms of Use entered into in reliance upon these limitations of liability and that all such limitations form an essential basis of the bargain between the parties.

11.5       Beta features. From time to time, Lupl may offer new “beta” features or tools with which its users may experiment. Such features or tools are offered solely for experimental purposes and without any warranty of any kind and may be modified or discontinued at Lupl’s sole discretion. The provisions of this section apply with full force to such features or tools.

12. CONFIDENTIALITY.

12.1       Confidential Information. “Confidential Information” means any nonpublic information of a party (the “Disclosing Party”), whether disclosed orally or in written or digital media, that is identified as “confidential” or with a similar legend at the time of such disclosure or that the receiving party (the “Receiving Party”) knows or should have known is the confidential or proprietary information of the Disclosing Party. The Lupl Materials and all enhancements and improvements thereto will be considered Confidential Information of Lupl.

12.2       Protection of Confidential Information. The Receiving Party agrees that it will not use or disclose to any third party any Confidential Information of the Disclosing Party, except as expressly permitted under these Terms of Use. The Receiving Party will limit access to the Confidential Information to those employees who have a need to know, who have confidentiality obligations no less restrictive than those set forth herein, and who have been informed of the confidential nature of such information (with respect to Lupl). In addition, the Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access, or disclosure in the same manner that it protects its own proprietary information of a similar nature, but in no event with less than reasonable care. At the Disclosing Party’s request or upon termination or expiration of the Terms of Use, the Receiving Party will return to the Disclosing Party or destroy (or permanently erase in the case of electronic files) all copies of the Confidential Information that the Receiving Party does not have a continuing right to use under the Terms of Use, and the Receiving Party will, upon request, certify to the Disclosing Party its compliance with this sentence.

12.3       Exceptions. The confidentiality obligations set forth in Section 12.2 (Protection of Confidential Information) will not apply to any information that (a) is at the time of disclosure or becomes generally available to the public through no fault of the Receiving Party; (b) is lawfully provided to the Receiving Party by a third party free of any confidentiality duties or obligations; (c) was already known to the Receiving Party at the time of disclosure free of any confidentiality duties or obligations; or (d) the Receiving Party can demonstrate was independently developed by employees and contractors of the Receiving Party who had no access to the Confidential Information. In addition, the Receiving Party may disclose Confidential Information to the extent that such disclosure is necessary for the Receiving Party to enforce its rights under the Terms of Use or is required by law or by the order of a court or similar judicial or administrative body, provided that (to the extent legally permissible) the Receiving Party promptly notifies the Disclosing Party in writing of such required disclosure and cooperates with the Disclosing Party if the Disclosing Party seeks an appropriate protective order.

13. TERM AND TERMINATION.

13.1       Term. Unless otherwise agreed to by the parties in a separate agreement, the Terms of Use will begin on the date when you accept them (as described in the preamble above) and continue in full force and effect while you use the Services, unless terminated earlier in accordance with the Terms of Use or Agreement (the “Term”). Unless otherwise agreed to by the parties in the Agreement or associated Order (e.g., if you purchase an annual or multi-year license), the Term will begin on the date of registration for the Services and continue in full force and effect for one month, unless earlier terminated in accordance with the Terms of Use. Thereafter, the Terms of Use will automatically renew for additional terms of one (1) month unless either party gives written notice of non-renewal to the other party at least ten (10) days prior to the expiration of the then-current term.

13.2       Termination for Breach. Either party may terminate the Terms of Use immediately upon notice to the other party if the other party materially breaches the Terms of Use, and if such breach is curable remains uncured more than ten (10) days after receipt of written notice of such breach.

13.3       Effect of Termination. Upon termination or expiration of the Terms of Use for any reason: (a) all licenses granted hereunder will immediately terminate; (b) promptly after the effective date of termination or expiration, each party will comply with the obligations to return all Confidential Information of the other party, as set forth in Section 9 (Confidentiality); and (c) any amounts owed to Lupl under the Terms of Use or any other applicable agreement between the parties will become immediately due and payable. Any provision of the Terms of Use that expressly or by implication is intended to come into or continue in force on or after the expiration or termination of the Terms of Use shall survive expiration or termination of the Terms of Use for any reason, including without limitation to Sections 1 (Definitions), 5 (Intellectual Property; Proprietary Rights); 7 (Data Security; Privacy); 8 (Fees and Expenses; Payments), 10.2 (Disclaimer), 10.3 (Additional Disclaimer), 11 (Liability and Indemnification), 12 (Confidentiality), 13.3 (Effect of Termination), 15 (Dispute Resolution), and 16 (Miscellaneous).

14. THIRD-PARTY SERVICES.

14.1       Third-Party Applications. The Services may contain links to and/or integrate with third-party applications (“Third-Party Applications”). When you click on a link to a Third-Party Application or use an integration with a Third-Party Application, we will not warn you that you have left the Services and are subject to the terms and conditions (including privacy policies) of another website or destination. Such Third-Party Applications are not under the control of Lupl. Lupl is not responsible for any Third-Party Application. Lupl provides these links and integrations to Third-Party Applications as a convenience and does not review, approve, monitor, endorse, warrant, or make any representations with respect to Third-Party Applications or any product or service provided in connection therewith. You use all links and integrations to Third-Party Applications at your own risk. When you leave our Services, the Terms of Use and our policies no longer govern. You should review applicable terms and policies, including privacy and data gathering practices, of any Third-Party Applications and make whatever investigation you feel necessary or appropriate before proceeding with any transaction with any third party.

14.2       Accessing and Downloading the Application from iTunes. The following applies to any Application accessed through or downloaded from the Apple App Store (“App Store Sourced Application”):

(a)         You acknowledge and agree that (i) the Terms of Use are concluded between You and Lupl only, and not Apple, and (ii) Lupl, not Apple, is solely responsible for the App Store Sourced Application and Content thereof. Your use of the App Store Sourced Application must comply with the App Store Terms of Service.

(b)         You acknowledge that Apple has no obligation whatsoever to furnish any maintenance and support services with respect to the App Store Sourced Application.

(c)          In the event of any failure of the App Store Sourced Application to conform to any applicable warranty, You may notify Apple, and Apple will refund the purchase price for the App Store Sourced Application to You and to the maximum extent permitted by applicable law, Apple will have no other warranty obligation whatsoever with respect to the App Store Sourced Application. As between Lupl and Apple, any other claims, losses, liabilities, damages, costs or expenses attributable to any failure to conform to any warranty will be the sole responsibility of Lupl.

(d)         You and Lupl acknowledge that, as between Lupl and Apple, Apple is not responsible for addressing any claims you have or any claims of any third party relating to the App Store Sourced Application or your possession and use of the App Store Sourced Application, including, but not limited to: (i) product liability claims; (ii) any claim that the App Store Sourced Application fails to conform to any applicable legal or regulatory requirement; and (iii) claims arising under consumer protection or similar legislation.

(e)         You and Lupl acknowledge that, in the event of any third-party claim that the App Store Sourced Application or your possession and use of that App Store Sourced Application infringes that third party’s intellectual property rights, as between Lupl and Apple, Lupl, not Apple, will be solely responsible for the investigation, defense, settlement and discharge of any such intellectual property infringement claim to the extent required by the Terms of Use.

(f)          You and Lupl acknowledge and agree that Apple, and Apple’s subsidiaries, are third-party beneficiaries of the Terms of Use as related to your license of the App Store Sourced Application, and that, upon your acceptance of the terms and conditions of the Terms of Use, Apple will have the right (and will be deemed to have accepted the right) to enforce the Terms of Use as related to your license of the App Store Sourced Application against you as a third-party beneficiary thereof.

(g)         Without limiting any other terms of the Terms of Use, you must comply with all applicable third-party terms of agreement when using the App Store Sourced Application.

15. DISPUTE RESOLUTION.

15.1       Except for disputes that can be brought in small claims court, all disputes between you and Lupl, including any dispute regarding the Terms of Use, shall be exclusively settled through binding arbitration through the American Arbitration Association (“AAA”) pursuant to the AAA’s then-current rules for commercial arbitration. There is no judge or jury in arbitration. Arbitration procedures are simpler and more limited than rules applicable in court and review by a court is limited. YOU AND LUPL AGREE THAT ANY SUCH ARBITRATION SHALL BE CONDUCTED ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED OR REPRESENTATIVE ACTION. Notwithstanding any provision in the Terms of Use to the contrary, if the class-action waiver in the prior sentence is deemed invalid or unenforceable, however, neither you nor we are entitled to arbitration. This arbitration agreement is subject to the Federal Arbitration Act. The arbitrator’s award may be entered in any court of competent jurisdiction. Notwithstanding any provision in the Terms of Use to the contrary, we agree that if Lupl makes any future material change to this dispute resolution provision, it will not apply to any individual claim(s) that you had already provided notice of Lupl. Information on AAA and how to start arbitration can be found at www.adr.org or by calling 800-778-7879.

15.2       These Terms of Use are governed by the laws of the Commonwealth of Virginia without regard to conflict of law principles. If the arbitration provision in this section is found unenforceable or not to apply for a given dispute, then the proceeding must be brought exclusively in and each party hereby irrevocably submits to the exclusive jurisdiction of a court of competent jurisdiction in the Commonwealth of Virginia. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to the Terms of Use.

16. MISCELLANEOUS.

16.1       Governing Law and Venue. These Terms of Use and any action related thereto will be governed and interpreted by and under the laws of the Commonwealth of Virginia, without giving effect to any conflicts of laws principles that require the application of the law of a different jurisdiction. The parties hereby expressly consent to the exclusive personal jurisdiction and venue in the state and federal courts of Virginia for any lawsuit arising from or related to the Terms of Use. The United Nations Convention on Contracts for the International Sale of Goods does not apply to the Terms of Use.

16.2       Export. You agree not to export, reexport, or transfer, directly or indirectly, any U.S. technical data acquired from Lupl, or any products utilizing such data, in violation of the United States export laws or regulations.

16.3       Severability. If any provision of the Terms of Use is, for any reason, held to be invalid or unenforceable, the other provisions of the Terms of Use will remain enforceable and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.

16.4       Waiver. Any waiver or failure to enforce any provision of the Terms of Use on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.

16.5       No Assignment. You may not assign the Terms of Use or any of your rights or obligations hereunder without the prior written consent of Lupl and any such assignment shall be null and void. Lupl expressly reserves the right to assign the Terms of Use and to delegate any of its obligations hereunder. These Terms of Use will be binding upon the parties and their respective successors and permitted assigns.

16.6       Compliance with Law. You will always comply with all international and domestic laws, ordinances, regulations, and statutes that are applicable to its purchase and use of the Services, Report and Documentation.

16.7       Force Majeure. Any delay in the performance of any duties or obligations of either party (except the payment of Fees owed) will not be considered a breach of the Terms of Use if such delay is caused by a labor dispute, shortage of materials, fire, earthquake, flood, pandemic, epidemic, or any other event beyond the control of such party, provided that such party uses reasonable efforts, under the circumstances, to notify the other party of the cause of such delay and to resume performance as soon as possible.

16.8       Independent Contractors. Your relationship to Lupl is that of an independent contractor, and neither party is an agent or partner of the other. You will not have, and will not represent to any third party that it has, any authority to act on behalf of Lupl.

16.9       Notices. All notices required or permitted under the Terms of Use must be delivered in writing, if to Lupl, by emailing hello@lupl.com (or such other email address notified by Lupl) and if to You by emailing the email address You provided when registering for the Services.

16.10    Counterparts. These Terms of Use may be executed in one or more counterparts, each of which will be deemed an original and all of which will be taken together and deemed to be one instrument.

16.11    Entire Agreement. These Terms of Use is the final, complete and exclusive agreement of the parties with respect to the subject matters hereof and supersedes and merges all prior discussions between the parties with respect to such subject matters. No modification of or amendment to the Terms of Use, or any waiver of any rights under the Terms of Use, will be effective unless in writing and signed by an authorized signatory of You and the Lupl.

17. INTERNATIONAL USERS. The Services can be accessed from countries around the world and may contain references to Services and features that are not available in your country. These references do not imply that Lupl intends to announce such Services or features in your country. Lupl makes no representations that the Services are appropriate or available for use in other locations. Those who access or use the Services from other countries do so at their own volition and are responsible for compliance with local law.

 

 

 

Data Protection Addendum

This Data Protection Addendum is attached to and forms part of the Lupl Terms of Use and End User Agreement available at www.lupl.com, the Master Services Agreement, Enterprise Agreement or other agreement between Customer and Lupl governing the processing of Personal Data (“Agreement”).

Definitions

1.1 In this Data Protection Addendum, defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Agreement. In addition, in this Data Protection Addendum the following definitions have the meanings given below:

Applicable Law means the following to the extent applicable and binding on either party or the Services:

(a)             any law, statute, regulation, byelaw or subordinate legislation in force from time to time;

(b)             the common law and laws of equity as applicable to the parties from time to time;

(c)             any binding court order, judgment or decree; or

(d)             any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Controller has the meaning given to that term in Data Protection Laws;
Data Protection Laws means all laws relating to the protection of personal data and privacy in force from time to time in any jurisdiction as applicable and binding on either party or the Services, including (without limitation):

(a)             the EU GDPR;

(b)             any laws which implement the EU GDPR;

(c)             the UK GDPR;

(d)             the UK Data Protection Act 2018;

(e)             the Singapore Personal Data Protection Act;

(f)              any laws implementing the Privacy and Electronic Communications Directive (EU) 2002/58/EC;

(g)             the Privacy and Electronic Communications (EC Directive) Regulations 2003; and

(h)             any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;

and, in this Data Protection Addendum, references to the “GDPR” refer to the EU GDPR and/or UK GDPR (as applicable);

Data Protection Losses means all liabilities, including all:

(a)             costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and

(b)             to the extent permitted by Applicable Law:

(i)              administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;

(ii)            compensation which is ordered by a court or Supervisory Authority to be paid to a Data Subject; and

(iii)           the reasonable costs of compliance with investigations by a Supervisory Authority;

Data Subject has the meaning given to that term in Data Protection Laws;
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR;
International Recipient means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without the Customer’s prior written authorisation;
Lawful Safeguards means such legally enforceable mechanism(s) for Transfers of Personal Data as may be required under Data Protection Laws from time to time;
List of Sub-Processors means the latest version of the list of Sub-Processors used by Lupl, as updated from time to time;
Personal Data is defined in the Agreement;
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
processing has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);
Processing Instructions has the meaning given to that term in paragraph 3.1.1;
Processor has the meaning given to that term in Data Protection Laws;
Protected Data means Personal Data in the Customer Information;
Sub-Processor means a Processor engaged by Lupl or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer;
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and
Transfer

 

bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).

2  Processor and Controller

2.1 The parties agree that, for the Protected Data, the Customer shall be the Controller and Lupl shall be the Processor. Nothing in our Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.

2.2 To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct Lupl to process the Protected Data in accordance with our Agreement.

2.3 Lupl shall process Protected Data in compliance with:

2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under our Agreement; and

2.3.2 the terms of our Agreement.

2.4 The Customer shall ensure that it, its affiliates and each Authorised User shall at all times comply with:

2.4.1 all Data Protection Laws in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under our Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

2.4.2 the terms of our Agreement.

2.5 The Customer warrants, represents and undertakes, that at all times:

2.5.1 the processing of all Protected Data (if processed in accordance with our Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;

2.5.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by Lupl and its Sub-Processors in accordance with our Agreement;

2.5.3 the Protected Data is accurate and up to date;

2.5.4 it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure) and maintain complete and accurate backups of all Protected Data provided to Lupl (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Lupl or any other person;

2.5.5 all instructions given by it to Lupl in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and

2.5.6 it has undertaken due diligence in relation to Lupl’s processing operations and commitments and it is satisfied (and during all times it continues to use the Services remains satisfied) that:

(a) Lupl’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Lupl to process the Protected Data;

(b) the technical and organisational measures set out in this Data Protection Addendum and our Agreement (each as updated from time to time) shall (if Lupl complies with its obligations under such Data Protection Addendum and our Agreement) ensure a level of security appropriate to the risk in regards to the Protected Data as required by Data Protection Laws; and

(c) Lupl has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

Instructions and details of processing

3.1 Insofar as Lupl processes Protected Data on behalf of the Customer, Lupl:

3.1.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in our Agreement (including with regard to Transfers of Protected Data to any International Recipient), as updated by Lupl from time to time (Processing Instructions);

3.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and

3.1.3 shall promptly inform the Customer if Lupl becomes aware of a Processing Instruction that, in Lupl’s opinion, infringes Data Protection Laws, provided that:

(a) this shall be without prejudice to paragraphs 4 and 2.5; and

(b) to the maximum extent permitted by Applicable Law, Lupl shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of the information required by this paragraph 1.3.

3.2 The Customer shall be responsible for ensuring all Authorised affiliates’ and Authorised User’s read and understand the Lupl Privacy Policy at lupl.com (as updated by Lupl from time to time).

3.3 The Customer acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). The Customer shall ensure that Authorised Users do not execute any such command unless authorised by the Customer (and by all other relevant Controller(s)) and acknowledges and accepts that if any Protected Data is deleted pursuant to any such command Lupl is under no obligation to seek to restore it.

3.4 Subject to applicable Service terms, the processing of the Protected Data by Lupl under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in the schedule.

Technical and organisational measures

4.1 Lupl shall implement and maintain technical and organisational measures:

4.1.1 in relation to the processing of Protected Data by Lupl, as set out in this Data Protection Addendum; and

4.1.2 to assist the Customer insofar as is possible (taking into account the nature of the processing) in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data, in each case at the Customer’s cost on a time and materials basis in accordance with Lupl’s standard pricing terms. The parties have agreed that (taking into account the nature of the processing) Lupl’s compliance with paragraph 1 below shall constitute Lupl’s sole obligations under this paragraph 4.1.2.

4.2 During the period in which Lupl processes any Protected Data, the Customer shall (to the extent required by law) regularly undertake a documented assessment of whether the security measures implemented in accordance with paragraph 1 are sufficient to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access to the extent required by Data Protection Laws in the circumstances. The Customer shall promptly notify Lupl of full details of any additional measures the Customer believes are required as a result of the assessment. The Customer acknowledges that Lupl provides a commoditised one-to-many service and the needs or assessments of other customers may differ. Lupl shall not be obliged to implement any further or alternative security measures, but this is without prejudice to the Customer ’s right to terminate our Agreement for convenience in accordance with the express provisions of our Agreement if it concludes the measures adopted by Lupl are no longer sufficient for its needs.

Using staff and other Processors

5.1 Subject to paragraph 2, Lupl shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data in connection with our Agreement without the Customer’s prior written authorisation. The Customer shall not unreasonably object to any new Sub-Processor (or any change to any of the Sub-Processors).

5.2 The Customer:

5.2.1 authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors attached hereto; and

5.2.2 authorises the appointment of each Sub-Processor (or any change to any of the Sub-Processors) identified on the List of Sub-Processors as updated by Lupl from time to time. Lupl will provide no less than 5 working days (Monday to Friday, excluding bank and public holidays in the United States of America) prior notice of any such change. The Customer’s right to object to the appointment of a new Sub-Processor following the relevant update notice introducing that change may be exclusively exercised by terminating the portion of the Services that cannot be performed without the new Sub-Processor within such period.

5.3 Lupl shall:

5.3.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures); and

5.3.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

5.4 Lupl shall ensure that all natural persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Lupl shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).

5.5 For the avoidance of doubt, the use by Customer of integrated applications with the Platform (e.g., and without limitation, an integrated Document Management System) may enable the processing of Protected Data by that integrated application and such third party shall not constitute a Sub-Processor of Lupl but, rather, a processor (or, in certain cases, joint controller) of Customer. Lupl is under no circumstances responsible for Customer’s use of integrated applications. Customer is responsible for performing its own due diligence and obtaining its own legal advice on integrated applications.

Assistance with compliance and Data Subject rights

6.1 Lupl shall refer all Data Subject Requests it receives to the Customer without undue delay. The Customer shall pay Lupl for all work, time, costs and expenses incurred by Lupl or any Sub-Processor(s) in connection with such activity, calculated on a time and materials basis at Lupl’s rates set out in Lupl’s Standard Pricing Terms.

6.2 Lupl shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Lupl) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:

6.2.1 security of processing;

6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);

6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and

6.2.4notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,

provided the Customer shall pay Lupl for all work, time, costs and expenses incurred Lupl or any Sub-Processor(s) in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at Lupl’s rates set out in Lupl’s standard pricing terms.

International data Transfers

7.1 Subject to paragraphs 2 and 7.5, Lupl shall not Transfer any Protected Data:

7.1.1 from any country to any other country (and, for the purposes of this paragraph 7, the European Economic Area shall be treated as one country); and/or

7.1.2 to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,

without the Customer’s prior written authorisation except where required by Applicable Law (in which case the provisions of paragraph 3.1 shall apply).

7.2 The Customer hereby authorises Lupl (or any Sub-Processor) to Transfer any Protected Data for the purposes referred to in paragraph 4 to any International Recipient(s) in accordance with paragraph 7.3, provided all Transfers of Protected Data by Lupl of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Lawful Safeguards and in accordance with Data Protection Laws and our Agreement. The provisions of our Agreement (including this Data Protection Addendum) shall constitute the Customer’s instructions with respect to Transfers in accordance with paragraph 3.1.1.

7.3 Lupl (and its Sub-Processors) may only Transfer the Protected Data to (or process Protected Data in) the following countries: anywhere in the European Union; the United Kingdom; the United States; Singapore; Australia; Hong Kong and such other locations as are specified in Lupl’s Privacy Policy from time to time.

7.4 The Lawful Safeguards employed or relied upon by Lupl in connection with Transfers pursuant to paragraph 2 shall be the use of Standard Contractual Clauses or such other mechanisms as are permitted by Applicable Laws and may be updated from time to time if required to comply with or to ensure alignment with Applicable Law. As between the Parties, the Standard Contractual Clauses set out in the Annex to this Data Protection Addendum apply to the extent required by applicable law.

7.5 The Customer acknowledges that due to the nature of cloud services, the Protected Data may be Transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. The Customer acknowledges that Lupl does not control such processing and the Customer shall ensure that Authorised Users (and all others acting on its behalf) only initiate the Transfer of Protected Data to other geographical locations if Lawful Safeguards are in place and that such Transfer is in compliance with all Applicable Law For the avoidance of doubt, if an End User in one country collaborates on the Platform with a user in another country, Protected Data will be transferred to that user in the other country and this shall not constitute a breach of any transfer obligations under this Agreement.

Information and audit

8.1 Lupl shall maintain, in accordance with Data Protection Laws binding on Lupl, written records of all categories of processing activities carried out on behalf of the Customer.

8.2 On request and at Customer’s cost, Lupl shall provide the Customer (or auditors mandated by the Customer) with a copy of the third party certifications and audits to the extent made generally available to its customers. Such information shall be confidential to Lupl and shall be Lupl’s Confidential Information as defined in our Agreement, and shall be treated in accordance with applicable terms.

8.3 The Customer acknowledges and accepts that relevant contractual terms agreed with Sub-Processor(s) may mean that Lupl or Customer may not be able to undertake or facilitate an information request or audit or inspection of any or all Sub-Processors pursuant to paragraph 3 and the Customer’s rights under paragraph 8.3 shall not apply to the extent inconsistent with relevant contractual terms agreed with Sub-Processor(s).

8.4 Notwithstanding paragraph 3, Lupl shall ensure that it has appropriate mechanisms in place to ensure its Sub-Processors meet their obligations under Data Protection Laws and Lupl’s obligations in respect of Protected Data under our Agreement. The Customer accepts that the provisions of this paragraph 8.4 shall satisfy Lupl’s obligations in that regard.

Breach notification

9.1 In respect of any Personal Data Breach, Lupl shall, without undue delay (and in any event within 72 hours):

9.1.1 notify the Customer of the Personal Data Breach; and

9.1.2 provide the Customer with details of the Personal Data Breach.

10  Deletion of Protected Data and copies

Following the end of the provision of the Services (or any part) relating to the processing of Protected Data Lupl shall dispose of Protected Data in accordance with its obligations under our Agreement. Lupl shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with our Agreement.

11  Compensation and claims

11.1 Subject to applicable limitations and exclusions of liability contained herein, Lupl shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:

11.1.1 only to the extent caused by the processing of Protected Data under our Agreement and directly resulting from Lupl’s breach of our Agreement; and

11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement by the Customer (including in accordance with paragraph 1.3(b)).

11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Agreement or the Services, it shall promptly provide the other party with notice and full details of such claim.

11.3 The parties agree that the Customer shall not be entitled to claim back from Lupl any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate Lupl in accordance with our Agreement.

11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

11.4.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and

11.4.2 that it does not affect the liability of either party to any Data Subject.

12  Survival

This Data Protection Addendum (as updated by Lupl from time to time) shall survive termination (for any reason) or expiry of our Agreement and continue until no Protected Data remains in the possession or control of Lupl or any Sub-Processor, except that paragraphs 10 to 12 (inclusive) shall continue indefinitely.

13  Data protection contact

Lupl’s Data Protection Officer may be contacted at privacy@lupl.com.

 

 

 

THE SCHEDULE

DATA PROCESSING DETAILS

Subject-matter of processing:

Providing the Services, including the provision of the Platform, Application and associated support, training and customer success services, as described in the Agreement.

Duration of the processing:

Until no Protected Data remains in the possession or control of Lupl or any Sub-Processor. This would be for as long as necessary to provide the Services as described in the Agreement, as legally or contractually required, or upon receipt of Customer’s written request for deletion.

Nature and purpose of the processing:

  • Processing as reasonably required to provide the Services as described in the Agreement.
  • Processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Customer, in each case in a manner consistent with our Agreement.

Type of Personal Data:

The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of personal data transferred might include (but are not limited to): name, profile information, email address, telephone, title, organization. For further information, see Lupl Privacy Policy at www.lupl.com.

Categories of Data Subjects:

The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of data subject might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates and authorized users.

Special categories of Personal Data:

The data importer does not intentionally or knowingly process any special category data. However the categories of personal data transferred are determined solely by the data exporter.

 

 

Annex to Data Protection Addendum – Standard Contractual Clauses

 

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

  • Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  • These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  • These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

 

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1               Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2               Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3               Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4               Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5               Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6               Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7               Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8               Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

 

 

8.9               Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

9                   Use of Sub-Processors

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 5 working days (Monday to Friday, excluding bank and public holidays in the United States of America) in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

(f) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1             Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2             Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

 

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. The Parties agree that those shall be the courts of Ireland.

(b) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(c) The Parties agree to submit themselves to the jurisdiction of such courts.

 

 

 

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: The entity identified as or defined as “Customer” (or similar) in the Agreement.

Address: The address for Customer as specified in the Agreement.

Contact person’s name, position and contact details: The contact details associated with Customer, as specified in the Agreement

Activities relevant to the data transferred under these Clauses: Receiving the Services, using the Platform, and exercising associated rights and performing associated obligations as described in the Agreement.

Signature and date: By entering into the Agreement, and using the Services for EEA Transfers, the data exporter is deemed to have signed these Standard Contractual Clauses and their respective Annexes.

Role: Controller

 

Data importer(s):

Name: Lupl Inc.

Address: One Freedom Square, Reston Town Center, 11951 Freedom Drive, Reston, VA 20190-5656, United States

Contact person’s name, position and contact details: Data Protection Officer, privacy@lupl.com.

Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.

Signature and date: The date on which the Agreement becomes binding upon the Parties.

Role (controller/processor): Processor

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of data subject might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates and authorized users.

Categories of personal data transferred

The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer’s Service, the categories of personal data transferred might include (but are not limited to): name, profile information, email address, telephone, title, organization. For further information, see Lupl Privacy Policy at www.lupl.com.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The data importer does not intentionally or knowingly process any special category data. However the categories of personal data transferred are determined solely by the data exporter.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous as part of the Services

Nature of the processing

Providing the Services, including the provision of the Platform, Application and associated support, training and customer success services, as described in the Agreement.

Purpose(s) of the data transfer and further processing

Providing the Services, including the provision of the Platform, Application and associated support, training and customer success services, as described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Until no Protected Data remains in the possession or control of Lupl or any Sub-Processor. This would be for as long as necessary to provide the Services as described in the Agreement, as legally or contractually required, or upon receipt of Customer’s written request for deletion.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As specified above and in the Agreement.

 

C. COMPETENT SUPERVISORY AUTHORITY

Data Protection Commission (DPC) of Ireland.

 

 

 

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measures are described in the Lupl Support Hub Privacy & Security pages. Certifications include Cloud Security Alliance STAR Level 1.

  • Measures of pseudonymisation and encryption of personal data
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Measures for user identification and authorisation
  • Measures for the protection of data during transmission
  • Measures for the protection of data during storage
  • Measures for ensuring physical security of locations at which personal data are processed
  • Measures for ensuring events logging
  • Measures for ensuring system configuration, including default configuration
  • Measures for internal IT and IT security governance and management
  • Measures for certification/assurance of processes and products
  • Measures for ensuring data minimisation
  • Measures for ensuring data quality
  • Measures for ensuring limited data retention
  • Measures for ensuring accountability
  • Measures for allowing data portability and ensuring erasure

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

As described in the Agreement.

 

ANNEX III – LIST OF SUB-PROCESSORS

As at 1 November 2021. This list will be updated from time to time in accordance with the Agreement.

Entity Subprocessing Activities Location(s)
Pendo.io Inc. Usage Analytics EU, US
Microsoft Inc. Cloud Service Provider EU, US
Modular Services S.R.L. IT Support EU
Auth0, Inc. Authentication US
Expel.io Security Operations Center US
Frogslayer, LLC Development, Support and Maintenance US
Yonder B.V. Development, Support and Maintenance EU
ZenDesk, Inc. Support EU
Hubspot, Inc. CRM US
ServiceNow, Inc. Support Ticketing System US