BrainStorm Legal Documents

BRAINSTORM PRIVACY POLICY

Effective Date:  January 1, 2020

Last Updated: June 18, 2020

This Privacy Policy applies to BrainStorm, Inc. (“BrainStorm”, “we”, “us” and “our”) and

BrainStorm Inc. is committed to ensuring the privacy of your personal information. We are further committed to preventing unauthorized access to that information. Our Privacy Policy details what personal information is collected from users, business representatives, and others and describes how we use it, how it is stored, and your choices in managing our use of your information.

WHO WE ARE

BrainStorm is an innovative industry leader in software and services for change management to support business investment in technology. BrainStorm provides learning solutions for its clients’ employees to enable change management and promote maximum effectiveness in the client’s adoption of business and other application software. BrainStorm’s change management and learning solutions include its online, cloud-based QuickHelp™ software application and electronic instructional content, instructor-led training (“ILT”) and immersive cloud-based training and facilitator bootcamp (“CIE”). 

BrainStorm is a U.S.-based corporation with a history of providing exceptional service for clients around the world, empowering employees to work smarter and achieve more through increased understanding and engagement with software applications available in the workplace. This Privacy Policy applies to our collection of personal data in the operation of our business and your use of our Services:

• https://www.brainstorminc.com/, https://quickhelp.com, and http://cie.brainstorminc.com/ (collectively referred to as “Websites”)
• Our QuickHelp™ platform
• ILT or CIE events
• Our service and support for our software, training and services
• Our other communications to you, including when you interact with us through our Websites, or when we communicate by phone, email, live chat and social media

We respect your privacy and take safeguarding your personal information seriously. Please read this Privacy Policy carefully together with the Terms and Conditions (“Terms”) available at https://www.brainstorminc.com/terms-and-conditions/, which govern your use of the Services, to understand what Personal Information (defined below) we collect from you, how we use it, and your choices related to our use of your Personal Information. If you do not agree with this Privacy Policy, please do not use the Services.

WHAT IS PERSONAL INFORMATION?

“Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Under specific laws, Personal Information may include any information relating to a household.

PERSONAL INFORMATION WE PROCESS

We process Personal Information on behalf of customers, third-party distributors and resellers to fulfill our contractual obligations as a third-party service provider. We also process Personal Information that we collect directly such as when a user navigates to our website or when we engage a vendor or customer. This data may be collected through information you actively submit to us, information provided by our customers, third-party distributors, or resellers who administer your account, or through automated processes.

Personal Information that you actively submit to us

We collect Personal Information that you actively submit to us through your account, website forms, email subscriptions, feedback and suggestions, surveys, events, customer service, inquiries, live chat, social media accounts, and other interactions. You will know when we collect your Personal Information because we will directly ask you for the information. We will require certain Personal Information so you can use our Services or for us to be able to contact you. There may also be circumstances where providing Personal Information is optional and does not impact your access to Services. For example, we provide you an option to include a photo with your profile data in our QuickHelp™ software application.

Personal Information we collect from our customers, third-party distributors, or resellers or other third-party sources

We collect Personal Information from our customers, third-party distributors, or resellers who administer user accounts. Personal Information is collected about the users who are granted access to our Services, including the QuickHelp™ software application. We use this information to create user profiles, assign a User Group, record participation in training, webinars, and use of software products, to assess user ranking, perform analytics, and provide reporting information.

Personal Information collected generally includes a first name, last name, job title, company name, email address, profile photo, and verification information. We authenticate users through their Microsoft Office 365 workplace account.

Personal Information we automatically collect through your use of the Services

We collect some Personal Information automatically when you visit or use BrainStorm Services. This includes information about the device, browser, and operating system you use when accessing our site and Services, your IP address, the website that referred you, which pages you request and visit, and the date and time of each request you make.  We may combine this automatically-collected information with other information we collect about you. If you contact us over the telephone or via fax, we may also log telephony information such as your phone number and the type of call.

For QuickHelp™ software application use, we automatically collect Personal Information to, among other things, provide you information and benchmarking based upon your usage of the Services, which are used in analyzing trends, administering the Services, tracking users’ utilization and to gather information about our user community as a whole.  For example, if enabled by your administrator, we use third-party services such as Microsoft Graph that help us understand details about your usage of Microsoft Office 365, including without limitation total numbers of communications, methods of making attachments, timing of logging into social media and other details that provide us with statistics about how you interact with the software so that we can better assist you in learning new features and capabilities.  BrainStorm does not have any access or ability to read the content of your Microsoft Office 365 usage. 

Personal Information not actively collected or processed

 We do not actively collect or otherwise process Personal Information from minors. The age of a minor varies by country. For the purposes of Information collected from the European Union, the age of a minor is under age sixteen (16). We do not actively collect or otherwise process Personal Information relating to criminal convictions and offences. We do not actively collect or otherwise process Personal Information revealing racial origin, ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Tracking Technologies, Cookies, And Clear Gifs

We use tracking technologies, cookies and clear GIFs to collect information. Tracking technologies are used to collect information from your web browser through our servers or filtering systems when you visit any of our sites.

Cookies store small text files onto a user’s computer hard drive with the user’s browser, containing the session ID and other data. Cookies enable a web site to track a user’s activities on the website for the following purposes: (1) enable essential features; (2) provide analytics to improve website performance and effectiveness; (3) store user preferences; and (4) facilitate relevant targeted advertising on advertising platforms or networks. Users are free to change their web browsers to prevent the acceptance of cookies. Cookies may also be set within emails in order to track how often our emails are opened.

A clear GIF is a transparent graphic image placed on a website. The use of clear GIFs allows us to monitor your actions when you open a web page and makes it easier for us to follow and record the activities of recognized browsers. Clear GIFs are used in combination with cookies to obtain information on how visitors interact with our websites.

Information collected may include but is not limited to your browser type, your operating system, your language preference, any referring web page you were visiting before you came to our site, the date and time of each visitor request, and information you search for on our sites. We can also track the path of page visits on a website and monitor aggregate usage and web traffic routing on our sites. We collect this information to better understand how you use and interact with our sites in order to improve your experience. We also collect this information to better understand what services and marketing promotions may be more relevant to you. We may also share this information with our employees, service providers and customer affiliates.

You can change your web browser settings to stop accepting cookies or to prompt you before accepting a cookie from the sites you visit. If you do not accept cookies, however, you may not be able to use some sections or functions of our sites. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org. To opt out of being tracked by Google Analytics across all websites visit https://tools.google.com/dlpage/gaoptout.

HOW WE USE YOUR PERSONAL INFORMATION

We use your Personal Information to operate our Services, fulfill our contractual obligations in our service contracts with customers, third-party distributors and resellers, to review and enforce compliance with our Terms and Conditions agreement, guidelines, and policies, to analyze the use of the Services in order to understand how we can improve our content and service offerings and products, and for administrative and other business purposes. We process Personal Information for payments, employee training, sales and marketing, data analysis, security monitoring, auditing, research, and to comply with applicable laws, exercise legal rights, and meet tax and other regulatory requirements.  

In this context, the legal basis for our processing of your Personal Information is either the necessity to perform contractual and other obligations, our legitimate business interest as a provider of change management services and software, regulatory requirements, or your explicit consent.

SHARING OF PERSONAL INFORMATION

 We do not sell your Personal Information!

We may share your Personal Information in the following circumstances:

Our Customers

 We share Personal Information with our customers, generally the employer, or the agent assigned to administer your user account. The information shared relates to your participation in training and webinars and your use of software products. If requested by our customers, we also provide an employee ranking of all users assigned to a User Group. Similarly, your Personal Information may be shared with our third-party distributors and resellers, who administer your user account on behalf of your employer.

Your User Group

Our Services are focused on workplace participation. As such, employees are assigned to a User Group. Where the ranking feature has been activated, the rankings of all users in a User Group along with the user’s name, job title, photo, badges earned, and allocated points are made available to the entire User Group.

Third-party Service Providers

We may share information we collect about you with third-party service providers to perform tasks on our behalf in supporting the Services. The types of service providers, or sub-processors, to whom we entrust Personal Information include: (i) technology providers; (ii) providers of hosting services; (iii) email delivery service providers; (iv) sales and marketing providers; (v) technical support services; (vi) providers of analytic data services; and (vii) utilization services.

 Regulatory Bodies, Public Authorities, and Law Enforcement

We may access and disclose your Personal Information to regulatory bodies if we have a good-faith belief that doing so is required under applicable law or regulation. This may include submitting Personal Information required by tax authorities. We may disclose your Personal Information in response to lawful requests by public authorities or law enforcement, including to meet national security or law enforcement requirements. If we are going to release your Personal Information in this instance, our policy is to provide you with notice unless we are prohibited from doing so by law or court order.

Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, then your Personal Information may be transferred as part of such a transaction as permitted by law and/or contract. Should such an event occur, BrainStorm will endeavor to direct the transferee to use Personal Information in a manner that is consistent with the Privacy Policy in effect at the time such Personal Information was collected.

Other Disclosures

We may also disclose your Personal Information to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of the Services, of any individuals, or of the general public; to maintain and protect the security and integrity of our services or infrastructure; to protect ourselves and our services from fraudulent, abusive, or unlawful uses; or to investigate and defend ourselves against third-party claims or allegations. Disclosures may be made to courts of law, attorneys and law enforcement, or other relevant third parties in order to meet these purposes.

Please note that we share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling, and other similar purposes. In addition, our Services may contain links to other websites not controlled by us, and these other websites may reference or link to our Services; we encourage you to read the privacy policies applicable to these other websites.

In cases of onward transfers of Personal Information received pursuant to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) to third parties of data of individuals located in the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland , BrainStorm remains liable for such Personal Information and the actions of such third parties.

California Consumer Privacy Act of 2018 (“CCPA”)

The categories of Personal Information we have collected about consumers and disclosed about consumers for a business purpose in the preceding 12 months are:

• Identifiers such as a real name, alias, email address, unique personal or online identifier, internet protocol address, account name;
• Internet or other electronic network activity information, including, browsing history, search history, and information regarding a consumer’s interaction with an internet website, or advertisement;
• Professional or employment-related information; and
• Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer’s preferences, intelligence, abilities, and aptitudes (limited application applying to tracking and ranking of software training and use).

RETENTION OF PERSONAL INFORMATION

BrainStorm retains Personal Information for a reasonable time period to fulfill the processing purposes mentioned above, including retaining personal information to fulfil our obligations under service agreements. Personal Information is then archived for time periods required or necessitated by law or legal considerations. When archival is no longer required, Personal Information is deleted from our records.

You may choose to disable your BrainStorm account at any time. This means your user profile will no longer be visible on the Services. However, for the purposes mentioned above, we may need to retain information within our internal systems.

We retain Personal Information that we are required to retain to meet our regulatory obligations including tax records and transaction history. We regularly review our retention policy to ensure compliance with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Information is only stored and archived in alignment with our retention policies.

PROTECTION OF PERSONAL INFORMATION

BrainStorm uses technical and organization measures to protect the personal information that we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.

BrainStorm hosts QuickHelp in Microsoft’s cloud computing service known as Azure. Full details on Azure’s data center may be found here. We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. However, no method of transmission or storage is 100% secure. While we strive to use commercially reasonable and appropriate means to protect your personal information, we cannot guarantee its absolute security.

If you have any questions about security on our website, you can e-mail us at security@brainstorminc.com with "Questions about Data Security" in the subject line.

INTERNATIONAL DATA TRANSFER

Your Personal Information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide your Personal Information to us, we will transfer your Personal Information to the United States and process it there. Where we transfer your Personal Information, we will take all reasonable steps to ensure that your privacy rights continue to be protected.

In the case of transfers of data out of the European Economic Area or the United Kingdom, we have committed to comply with the Privacy Shield and, where appropriate, implement Standard Contractual Clauses. We endeavor to utilize third-party service providers from the United States that have certified with Privacy Shield and provide adequate protections that are compliant with the EU General Data Protection Regulation (“GDPR”), such as implementing Standard Contractual Clauses or Binding Corporate Rules.

OUR COMMITMENT TO THE PRIVACY SHIELD

BrainStorm complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Economic Area, United Kingdom, and Switzerland to the United States in reliance on Privacy Shield. BrainStorm has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.

As part of its participation in Privacy Shield, BrainStorm is subject to the investigatory and enforcement powers of the Federal Trade Commission. Organizations participating in the Frameworks must respond within 45 days of receiving a complaint. If you have not received a timely or satisfactory response to your question or complaint, please contact the JAMS Privacy Shield Program. Their website can be accessed at: https://www.jamsadr.com/eu-us-privacy-shield.

Please note that this independent dispute resolution body is designated to address complaints and provide appropriate recourse free of charge to the individual. If an individual’s complaint cannot be resolved through BrainStorm’s internal processes, BrainStorm will cooperate with JAMS pursuant to the JAMS International Mediation Rules, available on the JAMS website at https://www.jamsadr.com/international-mediation-rules/. JAMS mediation may be commenced as provided for in the relevant JAMS rules. The mediator may propose any appropriate remedy, such as deletion of the relevant personal data, publicity for findings of noncompliance, payment of compensation for losses incurred as a result of noncompliance, or cessation of processing of the personal information of the individual who brought the complaint. The mediator or the individual also may refer the matter to the Federal Trade Commission. Under certain circumstances, individuals also may be able to invoke binding arbitration to address complaints about BrainStorm’s compliance with the Privacy Shield Principles.

PRIVACY RIGHTS

Residents of the European Economic Area, United Kingdom and Switzerland

In compliance with the Privacy Shield, individuals have the right to access personal information and to correct, amend, restrict, or delete that information where it is inaccurate, or has been processed in violation of the Privacy Shield principles, except where the burden or expense of providing access is disproportionate to the risks to the individual’s privacy in the case in questions, or where the rights of persons other than the individual will be violated.

Privacy Shield ensures compliance with the EU General Data Protection Regulation, which grants rights to individuals in their personal data. These rights include the right to: (i) request access to and rectification or erasure of their Personal Information; (ii) obtain restriction of processing or to object to processing of their Personal Information; (iii) ask for a copy of their Personal Information to be provided to them, or a third party, in a digital format; and (iv) lodge a complaint about the processing of their Personal Information with their local data protection authority. If you wish to exercise one of the above-mentioned rights, please send us your request to the contact details set out below. To delete your personal information from the QuickHelp™ software application, you can select the DELETE DATA button available under the Privacy & Data menu. To access your personal information from the QuickHelp™ software application, you can select the REQUEST DATA button available under the Privacy & Data menu. You may also access software features to action certain rights, as described under the “All Users” section below.

Residents of California

Personal Information subject rights under the CCPA may also apply to certain individuals and households. These rights include the right to: (i) know what Personal Information is being collected about them, (ii) know whether their Personal Information is sold or disclosed at to whom, (iii) say no to the sale of Personal information, (iv) access their Personal Information, and (v) equal service and price, even if they exercise their privacy rights. If you are a resident of California and wish to exercise one of the above-mentioned rights, please send us your request to the contact details set out below. To access your personal information from the QuickHelp™ software application, you can select the REQUEST DATA button available under the Privacy & Data menu. You may also access software features to action certain rights, as described under the “All Users” section below.

All Users

BrainStorm respects and honors privacy rights and provides features for managing Personal Information that are available to all users.

• Users of QuickHelp™ can update their profile under the Settings menu;
• Users of QuickHelp™ have an option to upload their photo or delete their photo under the Settings menu;
• Users of QuickHelp™ can access information from the QuickHelp™ software application by selecting the REQUEST DATA button available under the Privacy & Data menu;
• All other inquiries and requests can be submitted to the contact details provided below.

Where we rely upon consent as a legal basis for processing, you may withdraw your consent at any time. Please note the withdrawal of your consent does not affect the lawfulness of processing based on consent before withdrawal.

CHANGES TO THIS POLICY

This document is effective as of the date indicated at the top of this Privacy Policy under “Last Updated”. This document may be amended from time to time.

CONTACT INFORMATION

Inquiries may be made by contacting us through any of the following means:

Email: security@brainstorminc.com

Mailing Address:
Attn: Data Protection Officer
BrainStorm, Inc.

Ten South Center Street

American Fork, UT 84003

United States of America

Data Protection Addendum

This BrainStorm, Inc. Data Protection Addendum (“DPA”) is between the parties with respect to the terms governing the Processing of Personal Data under the BrainStorm QuickHelp Subscription Agreement (the “Master Agreement”).  This DPA sets out the additional terms, requirements and conditions on which BrainStorm, as Provider (defined below), will obtain, handle, process, disclose, transfer, or store Personal Information (defined below) when providing services under the Master Agreement.  This DPA serves as an addendum to the Master Agreement and is effective upon its incorporation into the Master Agreement, which incorporation may be specified in the Master Agreement, the Order Form (as defined in the Master Agreement), or as otherwise agreed to between the parties. 

BrainStorm will periodically update the terms and conditions of this DPA.  You will be notified of any material updates or changes via email or through the Admin Portal.

Terms not otherwise defined in this DPA shall have the meaning as set forth in the Master Agreement.

1. Definitions and Interpretation

• The following definitions and rules of interpretation apply in this DPA.

“Business Purpose” means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.

“Customer” shall mean the Customer defined in the Master Agreement or Order Form, and who shall determine the purpose and means of the Processing of Personal Information. 

“Data Subject” means an individual who is the subject of Personal Information.

“Personal Information” means any information the Provider processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

“Privacy and Data Protection Requirements” means all applicable federal, state, and international laws and regulations relating to the processing, protection, or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

“Provider” shall mean BrainStorm, Inc., a Delaware corporation with offices located at Ten South Center Street, American Fork, Utah 84003, who shall process Personal Information on behalf of the Customer.

“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

• This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.
• The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.
• A reference to writing or written includes email but not messages sent via fax.
• In the case of conflict or ambiguity between:
  • any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail;
  • the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail;
  • any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail; and
  • any of the provisions of this agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2. Personal Information Types and Processing Purposes
   • The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
   • Appendix A describes the general Personal Information categories and Data Subject types the Provider may process to fulfill the Business Purposes of the Master Agreement.
3. Provider’s Obligations
   • The Provider will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Provider will not process the Personal Information for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. The Provider will promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.
   • The Provider shall promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.
   • The Provider will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Information, the Provider shall first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
   • The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.
   • The Provider will promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect the Provider’s performance of the Master Agreement.
   • The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Information other than as required under the Privacy and Data Protection Requirements.
   • The Provider will only collect Personal Information for the Customer in accordance with the Agreement, the Privacy Policy, and this DPA. 
4. Provider’s Employees
   • The Provider will limit Personal Information access to:
     • those employees who require Personal Information access to meet the Provider’s obligations under this DPA and the Master Agreement; and
     • the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
   • The Provider will ensure that all employees:
     • are informed of the Personal Information’s confidential nature and use restrictions;
     • have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
     • are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.
   • The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Information.
5. Security
   • The Provider will maintain appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage. These shall include any security measures set out in Appendix . The Provider will periodically review these measures at least annually to ensure they remain current and complete.
   • The Provider will immediately notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.
   • The Provider will take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
6. Security Breaches and Personal Information Loss
   • The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.
   • The Provider will immediately notify the Customer if it becomes aware of:
     • any unauthorized or unlawful processing of the Personal Information; or
     • any Security Breach.
   • Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:
     • assisting with any investigation;
     • providing the Customer with physical access to any facilities and operations affected;
     • facilitating interviews with the Provider’s employees, former employees and others involved in the matter; and
     • making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.
   • The Provider will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.
   • The Provider agrees that the Customer has the sole right to determine:
     • whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
     • whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
   • The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 2 and 6.3, unless the matter arose from the Customer’s specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.
   • The Provider will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in clause 5.
7. Cross-Border Transfers of Personal Information
   • If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers, the Customer will only transfer that Personal Information to the Provider under the following conditions:
     • the Provider, either through its location or participation in a valid cross-border transfer mechanism under the Privacy and Data Protection Requirements, as identified in Appendix A, may legally receive that Personal Information, however the Provider will immediately inform the Customer of any change to that status;
     • the Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements; or
     • the transfer otherwise complies with the Privacy and Data Protection Requirements for the reasons set forth in Appendix A.
   • The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements. In Appendix A, the Provider shall identify the legal basis supporting any transfers it makes and will promptly inform the Customer of any change to that status.
8. Subcontractors
   • The Provider may only authorize a third party (subcontractor) other than those set forth in Appendix A to process the Personal Information if:
     • the Customer is given an opportunity to object within 14 days after the Provider supplies the Customer with details regarding the subcontractor’s proposed role with respect to the Personal Information, contact information for the subcontractor’s data protection officer or other data-protection point-of-contact, and the terms on which the subcontractor shall be able to process the Personal Information;
     • the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA and, upon the Customer’s written request, provides the Customer with copies of such contracts;
     • the Provider maintains control over all Personal Information it entrusts to the subcontractor; and
     • the subcontractor’s contract terminates automatically on termination of this DPA for any reason.
   • The Provider shall list all subcontractors that it anticipates using to carry out the Business Purposes in Appendix A and include each subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance. The Customer’s agreement to this DPA shall authorize the Provider to use the subcontractors as described in Appendix A.
   • If a subcontractor fails to fulfill its obligations under such written agreement, the Provider remains responsible to the Customer for the subcontractor’s performance of its obligations.
   • Upon the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Customer’s Personal Information and provide the Customer with a summary of the audit results.
9. Complaints, Data Subject Requests, and Third-Party Rights
   • The Provider shall notify the Customer promptly if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.
   • The Provider will notify the Customer within 5 working days if it receives a request from a Data Subject regarding their Personal Information unless the Provider is able to fully handle and respond to such request.
   • The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.
   • The Provider shall not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this DPA, or is otherwise required by law.
10. Term and Termination
    • This DPA will remain in full force and effect so long as:
      • the Master Agreement remains in effect; or
      • the Provider retains any Personal Information related to the Master Agreement in its possession or control (the “Term”).
    • Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.
    • If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within a reasonable time, they may terminate the Master Agreement upon written notice to the other party.
11. Data Return and Destruction
    • At the Customer’s request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.
    • On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control, except for one copy that it may retain and use for audit purposes only.
    • If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.
    • If Customer requests, the Provider will certify in writing that it has destroyed the Personal Information within 14 days after receiving the Customer’s request.
12. Records
    • The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
    • The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this DPA.
    • The Customer and the Provider shall review the information listed in the Appendices to this DPA annually to confirm its current accuracy and update it if required to reflect current practices.
13. Audit
    • At least annually, the Provider will audit its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.
    • Upon the Customer’s written request, the Provider will make the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as the Provider’s confidential information under this Agreement.
    • The Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.

14. Warranties
    • The Provider warrants and represents that:
      • its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and
      • it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
      • it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement’s contracted services; and
      • considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
        • the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
        • the nature of the Personal Information protected; and
        • comply with all applicable Privacy and Data Protection Requirement and its information and security policies, including the security measures required in clause 1.
      • The Customer warrants and represents that the Provider’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.

15. Indemnification
    • The Provider agrees to indemnify the Customer against all costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
    • The limitations on liability set forth in the Master Agreement shall apply to this DPA’s indemnity or reimbursement obligations.
16. Notice
    • Any notice or other communication given to a party under or in connection with this DPA shall be in writing and delivered to:

For the Customer: (i) to the points of contact Customer designates in the Master Agreement or Order Form, or (ii) to the Customer’s Admins such as Customer may identify in the QuickHelp Admin Portal;

For the Provider: BrainStorm, Inc. Ten South Center Street, American Fork, Utah 84003, security@brainstorminc.com.

• Clause 1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Appendix A

Personal Information Processing Purposes and Details

Business Purposes:  To provide Customer with the Service, as set forth in the Master Agreement. 

Personal Information Categories:  The personal data transferred includes the name, work email, title, department, IP address, and other data in an electronic form in the context of Provider’s Service. 

Data Subject Types:  The data subjects include Customer’s representatives and end-users, primarily Customer’s employees, but also, potentially, contractors, affiliates and their affiliate’s employees and contractors, and collaborators thereof. 

Approved Subcontractors:  Microsoft Azure (hosting services); Google Analytics (data analytics); HubSpot (communications platform within the Service), and SendGrid (email messaging tool within the Service)

Provider’s legal basis for receiving Personal Information with cross-border transfer restrictions:  EU/US Privacy Shield Certified

Appendix B

Security Measures

Provider will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the data uploaded to the service, as described in the Master Agreement or in this DPA, or otherwise made reasonably available by Provider. The security practices described int his Appendix B are currently observed by Provider.  Although it reserves the right to modify or update these practices, Provider will not materially decrease the overall security of the Service during a subscription term.

PHYSICAL ACCESS CONTROLS:  QuickHelp is hosted in Microsoft Azure, a multi-tenant environment.  The physical and environmental security controls are audited for SOC 2 Type II compliance, among other certifications.

SYSTEM ACCESS CONTROLS:  Access controls within the Service are designed to permit role-based access control using least privileged access principals.  Provider utilizes multi-factor authentication for access to management system portals. 

DATA ACCESS CONTROLS:  Users of the Service have access to non-public data via the application.  Customers and their users are not allowed direct access to the underlying infrastructure of the Service.  Only Provider has direct access to Customer data and Customer’s Personal Information.  The authorization protocols is designed to permit only designated individuals access to the underlying infrastructure.  Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

TRANSMISSION CONTROLS:  Provider encrypts all QuickHelp data and Personal Information at rest and in-transit using HTTPS encryption.

INPUT CONTROLS:  Provider logs information regarding system behavior, system authentication, and other application requests.  Utilizing Azure Threat Detection, Provider is able to monitor and be responsive to malicious, unintended, or anomalous activities. Provider also maintains a record of security incidents.  Any suspected or confirmed security incident is investigated by Provider’s personnel, who then identify appropriate steps to resolve the incident and minimize damage or unauthorized disclosure (if any). 

DATA BACKUPS.  By hosting the Service in Azure, Provider is able to ensure redundancy and fail-over protections, including geo-redundancy.  All databases are backed up and maintained using industry standard methods. 

Appendix C

Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

The Customer, as defined in the Subscription Agreement (the “data exporter”)

And

BrainStorm, Inc., 10 South Center Street, American Fork, Utah 84003, United States (the “data importer”)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1: Definitions

For the purposes of the Clauses:

• ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
• ‘the data exporter’ means the controller who transfers the personal data;
• ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
• ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
• ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
• ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2: Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3: Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4: Obligations of the data exporter

The data exporter agrees and warrants:

• that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
• that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
• that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
• that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
• that it will ensure compliance with the security measures;
• that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
• to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
• to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
• that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
• that it will ensure compliance with Clause 4(a) to (i).

Clause 5: Obligations of the data importer

The data importer agrees and warrants:

• to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
• that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
• that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
• that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, (ii) any accidental or unauthorised access, and (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
• to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
• at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
• to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
• that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
• that the processing services by the subprocessor will be carried out in accordance with Clause 11;
• to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6: Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7: Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8: Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9: Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10: Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11: Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12: Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is the Customer listed under the DPA.

Data importer

The data importer is BrainStorm, Inc.  

Data subjects

Please see Appendix A of the DPA.

Categories of data

Please see Appendix A of the DPA.

Special categories of data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

Processing operations

Please see Appendix A of the DPA.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

 Please see Appendix B of the DPA.

BrainStorm Content Submission Policy

This Content Submission Policy (this “Policy”) covers any Content (as defined below) submitted by you, the customer (“You”), a user of BrainStorm, Inc.’s (“BSI”) online, cloud-based QuickHelp™ software application (the “Service”), and is incorporated by reference to the QuickHelp Subscription Agreement (the “Agreement”) covering the Service.  Terms not otherwise defined in this Policy shall have the meaning as set forth in the Agreement.

The Service, among other things, allows certain authorized users to submit content to the Service and BSI is willing to allow You to submit content to the Service and to otherwise access and use the additional functionality of the Service in accordance with the terms of the Agreement and this Policy.  Except as otherwise provided in this Policy, the terms of the Agreement will continue to govern Customer’s and Your access to and use of the Service.  Unless otherwise agreed to in a separate writing between BSI and Customer, this Policy sets out the general duties that all of Customer’s users of the Service must follow with regard to any Content they submit to the Service.

BY SUBMITTING CONTENT TO THE SERVICE, YOU ACCEPT AND AGREE TO THE TERMS AND CONDITIONS OF THIS POLICY.  IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, YOU MAY NOT UPLOAD OR SUBMIT ANY CONTENT TO THE SERVICE. 

1. The Service contains interactive features that allow users to post, upload, submit, publish, display, or transmit content or other materials on or through the Service and that allow BSI to deliver the Content back to Customer and its users.  All Content must comply with the Content Standards set forth in paragraph 4 below (the “Content Standards”).  You are responsible for any Content submitted or contributed to the Service by You, including its legality, reliability, accuracy, and appropriateness.  BSI is not responsible or liable for the content or accuracy of any Content posted by Customer, You or any other users.  For purposes of this Policy, “Content” means all data, text, information, images, audio and video clips, sounds, musical works, works of authorship, links, and other content or materials that is created or originally provided by You or any other user of the Service and submitted, uploaded, posted or displayed on or via the Service.  Content shall not include any content prepared or created by or for BSI or that is originally provided to You or Customer by BSI. 
2. Reservation of Rights; License to Use. By providing Content to BSI via the Service, You represent and warrant that You or Customer own or control all rights in and to the Content uploaded or posted on or through the Service.  Except for Content, as between the parties, BSI and its licensors own and retain all right, title and interest in and to all other content created, submitted, uploaded, posted or displayed by, to, on or through the Service.  BSI does not claim ownership of any Content posted on or uploaded to the Service by You, Customer or any other user of the Service.  Instead, and only as necessary for BSI to provide the Service, You and Customer hereby grant to BSI a worldwide, assignable, sublicensable, royalty-free, irrevocable, perpetual license to display, perform, reproduce, distribute, transmit, create Derivatives of, provide user access to, and otherwise use Content and any Derivatives.  For purposes of the Agreement, the term “Derivatives” of any subject matter shall mean and include, without limitation, all derivatives, enhancements, extensions, improvements, modifications, new products and the like, that to any extent incorporate or are based on or related to any portion of that subject matter. 
3. You agree not to upload any Content to the Service that (i) violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the United States or other countries), including, but not limited to, copyright and trademark laws, (ii) does not comply with the Content Standards, (iii) introduces any viruses, Trojan horses, worms, logic bombs, or other material that is malicious or technologically harmful, or attempts to gain unauthorized access to any parts of the Service, or (iv) otherwise interferes with the proper working of the Service.
4. Content Standards.  Content must not (i) contain any material that is defamatory, obscene, indecent, abusive, offensive, harassing, violent, hateful, inflammatory, or otherwise objectionable, (ii) promote or contain any sexually explicit or pornographic material, violence, or discrimination based on race, sex, religion, nationality, disability, sexual orientation, or age, (iii) infringe any patent, trademark, trade secret, copyright, or other intellectual property or other rights of any other person, (iv) violate the legal rights (including the rights of publicity and privacy) of others or contain any material that could give rise to any civil or criminal liability under applicable laws or regulations or that otherwise may be in conflict with the Agreement, (v) be likely to deceive any person, (vi) promote any illegal activity, or advocate, promote, or assist any unlawful act, (vii) cause annoyance, inconvenience, or needless anxiety or be likely to upset, embarrass, alarm, or annoy any other person, (viii) impersonate any person, or misrepresent Customer’s or any user’s identity or affiliation with any person or organization, (ix) involve commercial activities, advertising or sales, such as contests, sweepstakes and other sales promotions, or (x) give the impression that Content emanates from or is endorsed by BSI or any other person or entity.  The foregoing restrictions are collectively referred to as the “Content Standards.” 
5. Violations of this Policy may, at BSI’s sole discretion, result in the suspension or termination of Your and/or Customer’s access to the Service and/or immediate removal of Content.  If Content uploaded by You violates this Policy, You and/or Customer will bear legal responsibility for that Content.  By uploading Content to the Service, You and Customer agree that BSI is not responsible for Content uploaded.
6. Changes and Updates to This Policy.  BSI reserves the right, in its sole discretion, to change the terms and conditions contained in this Policy from time to time.  Unless BSI makes a change for legal or administrative reasons, BSI will provide reasonable advance notice before the updated terms to this Policy become effective (“Updated Policy Terms”).  All Updated Policy Terms will be posted to the Service, and will be effective as of the time of posting, or such later date as may be specified in the Updated Policy Terms.

PROFESSIONAL SERVICES ADDENDUM 

The following terms apply to the Professional Services to be provided by BrainStorm to Customer.  This addendum (this “Addendum”) is incorporated into BrainStorm Subscription Agreement (the “Agreement”) above.   

The parties hereby agree as follows:

1. Definitions. Capitalized terms used but not defined in this Addendum have the meanings given in the Agreement. The following definitions also apply:
   1. “Threat Defense Service” shall mean those phishing simulation services, including, but not limited to, content, campaigns, and assessments, identified in an Order Form as being included in Customer’s purchase and that are provided by BrainStorm to Customer via the Cloud Service.
2. THE THREAT DEFENSE SERVICE
   1. Provision of the Threat Defense Service. Subject to the terms and conditions of the Agreement, this Addendum and the applicable Order Form, and upon Customer’s payment of the applicable fees set forth in Section 2.2. below, BrainStorm shall make the Threat Defense Service available to Customer via the Internet during the Term. Customer agrees that its purchase of a subscription to the Threat Defense Service is neither contingent on the delivery of any future functionality or features nor dependent on any oral or written comments made by BrainStorm regarding future functionality or features.
   2. Fees and Payment. In consideration of BrainStorm’s performance of the Threat Defense Service, Customer agrees to pay BrainStorm the Fees described in the applicable Order Form (the “Threat Defense Service Fees”).   Except as otherwise specified in an Order Form, the fees are based on the type of license, the applications included in the Threat Defense Service, and/or the number of subscriptions purchased and not on actual usage, and payment obligations are non-cancelable and fees paid for the Cloud Service are non-refundable.
   3. Limitation of BrainStorm Content. Customer’s rights under this Addendum to Threat Defense Service entitles Customer to access only the content expressly listed in the Order Form. The All content and data associated with the Threat Defense Service, including the remedial training content, is hosted and accessed via the Cloud Service. Customer recognizes that, due to technical, BrainStorm cannot currently partition off and block Customer from accessing the BrainStorm Content generally available in the Cloud Service beyond the content associated with the Threat Defense Service. Therefore, Customer agrees that should Customer or its Users access any BrainStorm Content not expressly authorized in the Order Form, then BrainStorm shall have the right to charge Customer the applicable Fees (at the then current rate) for access to the Cloud Service for the remainder of the Term.
   4. Services Support. Support is limited to the points of contact agreed to by the parties and is generally not available to Customer’s Users. Customer’s point of contact may reach the support helpdesk support@quickhelp.com. Except as provided herein and in Section 2. of this Addendum, BrainStorm shall have no other maintenance or support obligations to Customer.
   5. Updates to the Threat Defense Service. BrainStorm will support, maintain, upgrade, and update the Threat Defense Service as appropriate and in BrainStorm’s sole determination in order to fulfill its obligations under this Addendum and the Agreement.
3. PROPRIETARY RIGHTS, RESPONSIBILITIES, & SUGGESTIONS
   1. Reservation of Rights. As between the parties, the Threat Defense Service (including without limitation, any updates, upgrades modifications, customizations, and improvements thereto) and all intellectual property rights therein, are and will remain the sole property of BrainStorm, and no rights are granted to Customer with respect to the Threat Defense Service, or the intellectual property rights therein, other than the limited rights and licenses specified in this Addendum or the Agreement. Customer will not access or use the Threat Defense Service except as expressly permitted by this Addendum or the Agreement.
   2. Customer Responsibilities. In addition to the Customer Responsibilities set forth in Section 2.4 of this Threat Defense Service Addendum, Customer shall (i) be responsible for Customer’s and its Users’ compliance with this Addendum and the Agreement and all applicable laws and regulations, (ii) use commercially reasonable efforts to prevent unauthorized access to or use of the Threat Defense Service, and notify BrainStorm promptly of any such known or suspected unauthorized access or use, and (iii) be responsible for Customer’s and Users’ use of the Threat Defense Service, including, without limitation, Customer shall solely be responsible for any use of the Threat Defense Service that is in violation of applicable laws and regulations.  
   3. Customer shall not, and shall not permit any third party to (i) access or use the Threat Defense Service except, except for its Users, and as permitted herein or in an Order Form, (ii) create derivative works based on the Threat Defense Service, (iii) copy, frame, mirror or otherwise distribute any part or content of the Threat Defense Service, (iv) reverse engineer the Threat Defense Service, or (v) access the Threat Defense Service in order to (a) build a competitive product or service, or (b) copy any content, features, functions or graphics of the Threat Defense Service.
   4. Suggestions. BrainStorm shall have a royalty-free, worldwide, transferable, sub-licenseable, irrevocable, perpetual license to use or incorporate into the Threat Defense Service any suggestions, enhancement requests, recommendations or other feedback provided by Customer, including Users, relating to the operation of the Threat Defense Service.
4. TRADEMARK DISCLAIMER; DISCLAIMER OF ENDORSEMENT. In providing the Threat Defense Service, BrainStorm may utilize the trademarks of products or services of third parties. All such product, services, and company names are trademarks™ or registered® trademarks of their respective holders. BrainStorm’s use of the same does not imply any affiliation with or endorsement by those mark holders. Any references to such entities, products, or services that are included on the Threat Defense Service by trade name, trademark or otherwise are provided for informational purposes only. These references do not represent the opinions of BrainStorm. Such references are neither an endorsement or approval by BrainStorm.
5. REPRESENTATIONS AND WARRANTIES
   1. Performance of the Threat Defense Services. BrainStorm warrants that it will perform the Threat Defense Services:
      1. In accordance with the terms and subject to the conditions set out in the applicable Order Form, this Addendum, and the Agreement.
      2. Using personnel of industry standard skill, experience, and qualifications.
      3. In a timely, workmanlike, and professional manner in accordance with generally recognized industry standards for similar services.
   2. BrainStorm’s sole and exclusive liability and Customer’s sole and exclusive remedy for breach of this warranty shall be as follows:
      1. BrainStorm shall use commercially reasonable efforts to promptly cure any such breach; provided, that if BrainStorm cannot cure such breach within a reasonable time after Customer’s written notice of such breach, Customer may, at its option, terminate this Addendum by serving written notice of termination in accordance with the terms of the Agreement.
      2. In the event the Agreement is terminated pursuant to Section 2.4 above, BrainStorm shall within thirty (30) days after the effective date of termination, refund to Customer any fees paid by Customer as of the date of termination for the Threat Defense Services, less a deduction equal to the fees for BrainStorm’s performance of such Threat Defense Services up to and including the date of termination on a pro-rated basis.  
      3. The foregoing remedy shall not be available unless Customer provides written notice of such breach within thirty (30) days after delivery or performance of such Threat Defense Services.
   3. NO WARRANTIES. IN ADDITION TO SECTION 3.6.3 OF THE AGREEMENT, BRAINSTORM EXPRESSLY DISCLAIMS ANY REPRESENTATION OR WARRANTY AS TO WHETHER (I) THE INFORMATION ACCESSIBLE OR PROVIDED VIA THE THREAT DEFENSE SERVICES IS ACCURATE, RELIABLE, COMPLETE, OR CURRENT, (II) USE OF THE THREAT DEFENSE SERVICES OR THE ASSOCAITED BRAINSTORM CONTENT WILL BE UNINTERRUPTED OR ERROR-FREE, (C) THE THREAT DEFENSE SERVICES AND ASSOCIATED BRAINSTORM CONTENT WILL BE AVAILABLE AT ANY PARTICULAR TIME, OR (D) THE THREAT DEFENSE SERVICES ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. BRAINSTORM WILL BE LIABLE WITH RESPECT TO ANY DECISIONS MADE BY CUSTOMER OR ANY OTHER PERSON AS A RESULT OF RELIANCE ON THE THREAT DEFENSE SERVICES AND BRAINSTORM MATERIAL.
6. TERM AND TERMINATION. The term of this Addendum will be coterminous with the Agreement. Unless otherwise terminated as provided in the Agreement or this Addendum, this Addendum commences on the Effective Date and continues until the expiration of the term specified in the applicable Order Form. Any termination of this Addendum shall not affect the Agreement or any other Addendum between the parties.
7. INTELLECTUAL PROPERTY RIGHTS. The parties acknowledge and agree that this is a services arrangement only and that BrainStorm is not developing or preparing any deliverables that will be owned by Customer. Accordingly, the parties agree that, except as otherwise provided in the Agreement, BrainStorm and its licensors are, and shall remain, the sole and exclusive owners of all right, title, and interest in and to the Threat Defense Services and all results thereof.
8. INTERPRETATION.  This Addendum is intended to be consistent with and supplementary to the Agreement. However, in the event of a direct conflict between language included in this Addendum and language included in the Agreement, the provisions of this Addendum will control solely with respect to the Threat Defense Service.

Instructor-Led Training Terms and Conditions

These BrainStorm, Inc. (“BrainStorm” or “We”) Instructor-Led (“ILT”) Terms and Conditions are applicable to all ILT Services, unless otherwise mutually agreed to by the parties.  For the purposes of these Terms and Conditions, “ILT Services” consists of the instructor led training services described in the attached Quote or Statement of Work (collectively, the “SOW”).

Fees & Expenses

In consideration of BrainStorm’s performance of the ILT Services, You agree to pay BrainStorm the fees and expenses described in the SOW (the “Training Fees”).  All Training Fees are due and payable within 30 days of the date of the invoice.  Any amounts that are unpaid after the due date shall be subject to a late fee of 1.5% per month, or the highest rate allowed by law if lower, from the due date until such amounts are paid.  Without limiting its rights or remedies hereunder, BrainStorm shall have the right to suspend the Services if any payment is not received within 30 days of the invoice date.  Client shall be responsible for any taxes imposed on the Services, other than taxes measured by any net income derived by BrainStorm. 

ILT Services Policies

The following policies are subject to change at any time and for any reason. 

Rush Requests

All trainings must be scheduled and confirmed at least twenty (20) business days prior to the start date of the requested training. Customers scheduling a training within fifteen (15) business days of the start date will be charged a scheduling rush premium of thirty percent (30%) of the price for the services delivered and flat travel rate within the rush period.

The customer will confirm and provide BrainStorm with the training location for all onsite trainings no later than ten (10) business days prior to the start date of the training. If a customer confirms a training under (10) business days prior to the start date of the training, customers will be charged actual travel costs.

Training Hours

One training day is defined as a consecutive, 10-hour time period between 8:30 a.m. – 8:00 p.m. EST/EDT. This 10-hour consecutive time includes a one-hour prep period, 30-minute breaks between sessions, and a one-hour lunch break. If sessions need to be scheduled outside of these hours, this preference must be indicated upon requesting training dates. Training outside of BrainStorm’s supported training hours has an associated price premium. Finally, when delivering training outside of BrainStorm’s standard hours, the customer understands there is limited technical support available from BrainStorm.

Buzz Session - Attendee Limit

Buzz Sessions are capped at 200 attendees per session, and are priced accordingly. 

Cancellation and Rescheduling Policy

Customers cancelling or rescheduling confirmed training dates within fifteen (15) business days of the start date will be charged fifty percent (50%) of the total cost of canceled or rescheduled services + non-refundable travel expenses. Canceling or rescheduling confirmed training dates within ten (10) business days of the start date will incur 100% the cost of canceled services + non-refundable travel expenses.

Recording and Distribution Policy

BrainStorm does not allow the recording or distribution of any instructor-led training service.

Curriculum Customization Policy

Any customization of the training curriculum must be finalized at least ten (10) business days prior to the start date of training. Customizations that are not finalized at least ten (10) business days prior to the start date are not guaranteed to be implemented during the training.

Online Training Policy

BrainStorm has assembled a best-in-class technology solution and has further added redundancies to ensure seamless trainings. 95% of the time these trainings are completed without incident. However, due to specific client technology setups, internet speed variability, etc., there are rare occasions where users may experience technology issues or failure. 

To mitigate most issues, BrainStorm will conduct a tech check session prior to online training events and provide troubleshooting documentation to all clients. This documentation includes step-by-step resolution for common issues and tech support contact information.

In the event that a training has to be cancelled, we are unable to deliver the agreed upon curriculum, or the majority of users are unable to access the training environment due to technology issues, we will offer a make-up session to ensure all users have the opportunity to complete the training.

We monitor and evaluate our online meeting technology on an ongoing basis to ensure we are providing the best possible experience for our clients. As technology changes, we will continue to adopt best- in-class solutions.

Online Training Audio Solutions

BrainStorm’s primary audio options for virtual training are:

1. VoIP (integrated computer audio)
2. BrainStorm’s toll conference bridge
3. Customer provided conference bridge

Please note that BrainStorm’s primary conference bridge is a toll conferencing solution. Any costs incurred by callers are based solely on the caller's long-distance plan with their provider. Most providers do not charge for long distance calling. However, if unsure, please verify with your provider that this is the case.

We recommend participants outside of the US or Canada use the VoIP solution. Using the toll conference bridge will result in a long-distance charge to callers outside of North America, rates varying by provider.

You may also choose to supply their own conference bridge for a virtual training. Note that in this case, the audio is not integrated with VoIP.

Materials; Intellectual Property Rights

As part of the ILT Services, BrainStorm may provide You with handouts or other written materials (the “Materials”).  BrainStorm hereby grants You a worldwide, perpetual, non-exclusive, non-transferable, royalty-free license to retain and use all such Materials for Your internal business purposes.  BrainStorm retains all ownership and all intellectual property rights in and to such Materials. 

BrainStorm Software

The ILT Services that BrainStorm will provide may be in support of Your purchase or license, under separate agreement(s), of BrainStorm’s QuickHelp™ software (the “Software”) and/or BrainStorm’s Quick Start™ Cards (the “Cards”).  Such separate agreement(s) shall govern Your use of the Software and/or the Cards.  Neither these Terms and Conditions nor any Statement of Work grants You any right or license to access or use such Software or Cards.

Warranties

You acknowledge that BrainStorm’s obligations hereunder are limited to providing the Services and BrainStorm shall not be deemed to have guaranteed any results or the achievement of any certain performance levels as a result of the Services.  BRAINSTORM PROVIDES THE SERVICES ON AN “AS IS” AND “AS AVAILABLE” BASIS WITHOUT WARRANTY OF ANY KIND.  ACCORDINGLY, BRAINSTORM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE AND ANY IMPLIED WARRANTIES ARISING OUT OF COURSE OF PERFORMANCE OR COURSE OF DEALING.

Indemnification

BrainStorm agrees to defend You against any claim, demand, suit, or proceeding (each, a "Claim") made or brought against You by a third party alleging that the ILT Services infringe or misappropriate the intellectual property rights of such third party and to indemnify You from any damages finally awarded by a court of competent jurisdiction against You or amounts agreed to in settlement in connection with any such Claim.  BrainStorm’s obligations under this Section shall only apply to the extent that: (a) You promptly notify BrainStorm in writing of the Claim; (b) BrainStorm has control of the defense and all related settlement negotiations relating to the Claim; and (c) You provide BrainStorm with the assistance, information and authority reasonably necessary to perform the above.  The foregoing constitutes BrainStorm’s total liability with respect to any Claim.  Should BrainStorm’s right to provide the ILT Services pursuant to these Terms and Conditions be subject to a Claim of infringement or if BrainStorm reasonably believes such a Claim of infringement may arise, BrainStorm may, at its option and in its sole discretion and at no cost to Client: (i) procure the right to continue to provide the ILT Services; (ii) modify the ILT Services to render them non-infringing; or (iii) immediately cease providing the ILT Services. 

Confidentiality

“Confidential Information” means all confidential or proprietary information disclosed orally or in writing by one Party to the other that is identified as confidential or the confidential nature of which is reasonably apparent.  Confidential Information shall not include information which:  (a) is or becomes a part of the public domain through no fault of the receiving Party; (b) was in the receiving Party’s lawful possession prior to the disclosure; (c) is lawfully disclosed to the receiving Party by a third party without restriction on disclosure or any breach of confidence; (d) is independently developed by the receiving Party; or (e) is required to be disclosed by law.  Each Party agrees to hold the other’s Confidential Information in confidence, and to not use or disclose such Confidential Information other than in connection with the performance of its obligations hereunder.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL BRAINSTORM BE LIABLE TO YOU WITH RESPECT TO ANY SUBJECT MATTER OF THE ILT SERVICES OR THESE TERMS AND CONDITIONS, WHETHER UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY, FOR (I) ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR LOST PROFITS; OR (II) ANY AMOUNTS THAT IN THE AGGREGATE ARE IN EXCESS OF THE AMOUNTS YOU PAY TO BRAINSTORM, REGARDLESS OF WHETHER BRAINSTORM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 

Force Majeure

Except for the payment of money, neither Party shall be liable for any delays or nonperformance resulting from circumstances or causes beyond its reasonable control, including, without limitation, fire or other casualty, act of God, strike or labor dispute, failures or outages of the Internet or other information transmission systems, war or other violence, or any law, order, or requirement of any governmental agency or authority.

Independent Contractors

It is understood and agreed that each Party hereto is an independent contractor and that neither Party is, nor shall be considered to be, the other’s agent, partner, fiduciary, joint venturer, co-owner, or representative.  Neither Party shall act or represent itself, directly or by implication, in any such capacity or in any manner assume or create any obligation on behalf of, or in the name of, the other.

General

You may not assign or transfer the ILT Services or these Terms and Conditions without the prior written consent of BrainStorm, and any attempt to do so shall be void.  Subject to the foregoing, the ILT Services or these Terms and Conditions shall be binding upon and inure to the benefit of the Parties hereto and their permitted successors and assigns.  Any notice required to be given hereunder by either Party shall be in writing and shall be delivered personally or sent by certified or registered mail, postage prepaid, or by private courier to the other Party to the address set forth in the SOW, or to such other address as either Party may designate from time to time.  No waiver of any of the provisions of these Terms and Conditions shall be deemed, or shall constitute, a waiver of any other provision, whether or not similar, nor shall any waiver constitute a continuing waiver.  Any waiver, modification or amendment of any provision of the ILT Services or these Terms and Conditions shall be effective only if in writing in a document that specifically refers to the ILT Services or these Terms and Conditions and such document is signed by both of the Parties hereto.  If any provision of these Terms and Conditions shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that these obligations shall otherwise remain in full force and effect and enforceable.  The ILT Services and these Terms and Conditions shall be governed by and construed in accordance with the laws of the State of Utah, without reference to choice of law principles.  The Parties hereby submit themselves to the exclusive jurisdiction of the federal and state courts located in Salt Lake City, Utah.  In the event of any litigation or arbitration arising out of the ILT Services or these Terms and Conditions, the prevailing Party shall be entitled to be reimbursed for all reasonable costs and expenses, including reasonable attorneys’ fees incurred in connection with such litigation or arbitration.  Without limiting the foregoing, You agrees to pay all costs and expenses incurred by BrainStorm in any attempt to collect any amount due to BrainStorm for the provision of the ILT Services, including all costs of legal action and reasonable attorneys’ fees.  These Terms and Conditions constitute the full and complete understanding and agreement of the Parties hereto with respect to the subject matter covered herein and supersedes all prior oral or written understandings and agreements with respect thereto.  No terms, provisions or conditions of any purchase order, acknowledgement or other business form that either of the Parties may use in connection with the Services will have any effect on the rights, duties or obligations of the Parties under, or otherwise modify, the ILT Services or these Terms and Conditions, regardless of any failure of the other Party to object to such terms, provisions or conditions.  BrainStorm may, in its reasonable discretion, use subcontractors to perform any of its obligations hereunder.  Your rights under these Terms and Conditions are non-exclusive and nothing herein shall be deemed to prohibit BrainStorm from providing training or other services that are similar to the ILT Services for its other customers and clients.

QUICK START CARD LICENSE AGREEMENT

PLEASE READ THIS LICENSE AGREEMENT CAREFULLY. BY UTILIZING THE LICENSED WORKS YOU ACCEPT AND AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, YOU MAY NOT UTILIZE THE LICENSED WORKS, BUT CAN OBTAIN A REFUND.

This Quick Start Card License Agreement (this “Agreement”), is entered into by and between BrainStorm, Inc, a Delaware corporation, with principal offices at 10 South Center Street, American Fork, Utah 84003 (the “Licensor”), and YOU (the “Licensee”).  This Agreement is effective as of the Effective Date of our Order Form or the date You download the Licensed Works (defined below), whichever is earlier (the “Effective Date”). 

WHEREAS, Licensor owns the Quick Start Cards, which contain step-by-step instructions on how to use one or more off-the-shelf software programs on an electronic portable document format (.pdf) as further set forth Your Order Form (the “Licensed Works”). Licensee desires to license from Licensor certain rights with respect to the Licensed Works, as more fully set forth below.

NOW THEREFORE, in consideration of the covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereto hereby agree as follows:

1. Grant of License. Subject to the terms and conditions of this Agreement, Licensor hereby grants to Licensee, under Licensor's applicable intellectual property rights, and Licensee hereby accepts from Licensor, upon the terms set forth in this Agreement, an non-exclusive, non-transferable (except as provided in Section 10(a)), non-sublicensable, time-limited, restricted, revocable, internal license to (a) host non-editable electronic copies (.pdf files) of the Licensed Works on an internal Licensee computer network, or intranet, for access by the number of authorized users set forth in Your Order Form attached hereto who are employees or independent contractors of Licensors (“Authorized Users”), and (b) print non-professional quality (e.g. inkjet, laserjet) for the sole purpose of providing computer and software training and support up to Authorized Users .  Licensor shall include, and if already included, shall not remove or obscure, a copyright notice at the bottom of each Licensed Work indicating that Licensor is the copyright holder of the Licensed Works, and Licensee shall not remove or obscure such notice. 

2. Restrictions on Use. Licensee acknowledges that the Licensed Works constitute valuable property of Licensor.  Accordingly, Licensee agrees that without Licensor’s prior written consent, it will not (a) modify, adapt, alter, translate, or create derivative works from the Licensed Works; (b) sublicense, lease, rent, loan, or otherwise transfer (except as provided in Section 10(a)) any portion of the Licensed Works or any copies (whether electronic or paper) thereof to any third party, (c) otherwise use or copy the Licensed Software except as expressly allowed in this Agreement, (d) sell, distribute, or provide access to, in part or in whole, internally or externally, professionally printed copies (e.g. card stock, laminated, etc.) of the Licensed Works, or (e) make the Licensed Works available to users who are not Authorized Users through any network or electronic media, including without limitation the Internet.

3. Proprietary Rights. Licensee acknowledges and agrees that the Licensed Works and all right, title and interest therein, is and shall remain the exclusive property of Licensor. Licensee agrees never to contest Licensor’s rights in and to the Licensed Works, and agrees never to take any action that could reasonably be expected to limit or diminish Licensor’s rights in the Licensed Works.

4. Payment. Licensee shall submit payment to Licensor for the Licensed Works in the amounts set forth in the invoice issued by Licensor to Licensee and in accordance with the payment terms set forth in Schedule A attached hereto.

5. Term. The term of this Agreement commences on the Effective Date and shall terminate, unless sooner terminated by Licensor, on the ten (10) year anniversary hereof (the “Term”).

6. Termination. Licensor may terminate this Agreement upon ten (10) days’ notice to Licensee if Licensee is in material breach of this Agreement and such breach has not been cured with such 10-day period (to the extent curable). Such termination shall not be deemed to be a waiver on Licensor’s part of any other rights or remedies it may have by reason of the circumstances on which the termination is predicated.  Upon termination or expiration of this Agreement, Licensee shall immediately discontinue the use of the Licensed Works by its employees and independent contractors and remove all copies, regardless of the format or medium thereof, of the Licensed Works from its premises, servers, and cloud, and return to Licensor, within five (5) days, all the Licensed Works, including all copies thereof, regardless of the format or medium thereof. Upon termination or expiration of this Agreement, all rights granted to Licensee hereunder shall automatically revert to Licensor without further notice.

7. DISCLAIMER OF WARRANTIES. LICENSOR LICENSES THE LICENSED WORKS TO LICENSEE “AS IS,” WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, AND LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED.

8. DISCLAIMER OF DAMAGES; LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCE SHALL LICENSOR OR LICENSEE BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF LICENSOR OR LICENSEE, AS THE CASE MAY BE, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. LICENSOR’S CUMULATIVE LIABILITY FOR DAMAGES FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, WILL BE LIMITED TO NO GREATER THAN THE AMOUNT OF MONEY PAID TO LICENSOR BY LICENSEE FOR THE LICENSED WORKS THAT CAUSED THE DAMAGES.

9. Survival of Certain Provisions. Notwithstanding any provisions of this Agreement stating otherwise, the provisions of Sections 2, 3, 6, 7, 8, 9, and 10 shall survive any completion, rescission, expiration or termination of this Agreement, and be enforceable against the parties hereto.
   
   
10. Miscellaneous Provisions.

(a)        The parties hereto hereby certify that each has read and understands the terms hereof.  Any term hereof may be amended or waived only with the written consent of both parties or their respective successors and assigns.  This Agreement may be assigned only with the written consent of the both parties.  This Agreement shall inure to the benefit of, and is binding upon the heirs, executors, administrators, successors, and assigns of the parties.  This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one instrument.  If any provision hereof is held by a court of competent jurisdiction to be void or unenforceable for any reason, the remaining provisions hereof shall nevertheless continue in full force and effect.  This Agreement (including Schedule A and the invoice issued in connection herewith) constitutes the entire agreement between the parties hereto with respect to the subject matters covered by it, and supersedes all prior oral or written agreements between the parties hereto relating to such matters.  All notices, requests and other communications to any party hereunder will be in writing and will be given to such party at its address stated in the invoice issued by Licensor to Licensee.  In the event that a party hereto who is required to engage the services of legal counsel to enforce the terms and conditions hereof against the other is successful in doing so, regardless of whether such action results in litigation, such party shall be entitled to the reimbursement by the other party of all reasonable attorneys' fees and court costs incurred by the successful party.  This Agreement shall be governed by the laws of the State of Utah without regard to its conflicts of laws rules.  Each of the parties hereto consents to the exclusive jurisdiction and venue of the courts of the State of Utah or the Federal District Court for the District of Utah.

(b)        The parties hereto acknowledge and agree that a violation of this Agreement may result in irreparable injury to the non-breaching party hereto, the exact amount of which may be difficult to ascertain and the remedies at law for which will not be reasonable or adequate compensation to the non-breaching party hereto for such a violation. Accordingly, each party hereto agrees that if it violates any of the provisions of this Agreement, in addition to any other remedy available at law or in equity, the other party hereto will be entitled to seek specific performance or injunctive relief without posting a bond, or other security, and without the necessity of proving actual damages.

Terms & Conditions:

Legal and Privacy Notices

This website is owned and operated by BrainStorm, Inc (BrainStorm) at https://www.brainstorminc.com. The material contained within this website is periodically checked for accuracy and is presented without any warranties, either expressed or implied. BrainStorm, will assume no, and hereby disclaims any, responsibility for any errors or omissions of this website's content. BrainStorm shall not be responsible for any damages incurred as a result of the content or use of this website.

By using the material at this website, all users agree to all terms and conditions contained in this website, which are subject to change without notice, as well as all applicable laws, and do so at their own risk. All changes to this legal notice will be posted to this website in a timely manner.

Materials contained within this website are intended for U.S. residents. While BrainStorm does ship internationally, any deliveries requested for addresses outside the U.S. are subject to refusal by BrainStorm, Inc.

Any link between BrainStormInc.com and any other website does not constitute an endorsement of the linked site. BrainStorm does not make and hereby disclaims any warranty as to the content of any other website linked to BrainStormInc.com. Exercise caution when communicating or interacting with any website.

This website and all information contained herein are provided "as is" and without warranties of any kind, express or implied. BrainStorm shall not be liable for any damages whatsoever arising out of or relating to the use by any person of this site, including but not limited to direct, indirect, consequential or punitive damages, including damages to hardware or software resulting from use of this site.

Any questions regarding these legal notices may be directed to:

BrainStorm, Inc.
Ten South Center
American Fork, UT
84003 USA

Our Pricing Policy

BrainStorm is committed to offering quality merchandise at fair, competitive prices. In most cases, the internet prices will reflect prices available by calling or otherwise contacting BrainStorm. However, there may be some exceptions. Prices and sales are subject to change without notice.

Our Return Policy

We are confident that you will be satisfied with your BrainStorm purchase. However, should you decide that the item(s) that you have purchased does not, for some reason, meet your needs, BrainStorm will accept returns for in-store credit (less original shipping amount) based on the following Return Policy:

• The item(s) is returned within thirty (30) calendar days of purchase.
• The item(s) is returned with its original BrainStorm receipt.
• The item(s) is in its original, unused condition (unless there is a product defect).

Please mail return item(s) to BrainStorm at one of the following addresses:

United States Postal Service:
BrainStorm, Inc.
Attn: Returns Department
Ten South Center
American Fork, UT
84003 USA

FedEx or UPS:
BrainStorm, Inc.
Attn: Returns Department
Ten South Center
American Fork, UT
84003 USA

Please note that return postage, and lost and damaged packages will be the responsibility of the returner. BrainStorm strongly suggests that you insure your return package. If you have any questions about BrainStorm's return policy, please email websupport@brainstorminc.com.

Our Cancellation Policy

Customers cancelling within twenty (20) business days of the start date will be charged fifty percent (50%) of the total cost of services. Canceling within ten (10) business days of the start date will incur the total cost of services. Any such fee charged will not be applied to the price of any rescheduled courses. Customer will always incur any non-refundable travel expenses associated with a course cancellation.

Our Rescheduling Policy

Customers rescheduling within ten (10) business days of the start day of training will incur the cost of any non-refundable or change charges incurred for travel arrangements. Any rescheduling within five (5) business days of the start day of training will incur fifty percent (50%) of the total cost of services along with any non-refundable or change charges incurred.

Our Privacy Statement

We understand that your privacy is very important to you. You can trust we make every effort to handle your personal information in a secure and safe way. Please feel free to review our privacy policy below and contact websupport@brainstorminc.com if you have any questions.

BrainStorm will not share any information about our customers which we collect at our website with anyone. If you provide us with your personal information, comments, or requests for information, we keep your personal information private. We value your privacy as much as you do.

No unauthorized parties will be allowed access to your personal information and we will not sell or otherwise knowingly make your information available to anyone outside our organization, unless required to do so by law. As a customer, your information may be applied to our in-house marketing programs to inform you of product arrivals and other items we think you might find of interest. If you begin receiving materials from us and wish to have them stopped, simply contact us.

Privacy is of great importance on the internet. Technology is constantly changing, and we will change along with it. We will be on constant guard against piracy, and implement whatever measures are required to give you the most secure experience we can reasonably provide. We reserve the right to change this policy, and to apply any changes to information previously collected, as permitted by law.

BrainStorm uses cookies. Cookies are files that a website transfers to your computer's hard drive to store data that you provide. Cookies facilitate future visits to the website so we can customize content to specific interests. If the cookie contains confidential information, we encrypt it and deliver it using secure sockets layer (SSL) security, which protects the information as it travels between your computer and our service. (If you are uncomfortable with the use of cookies, please keep in mind that you can disable cookies on your computer by changing the settings your browser's "Preferences" or "Options" menu selection.)

Our site may link to other sites not controlled by BrainStorm. We are not responsible for the privacy or security practices of any other websites.

We reserve the right to change this policy at any time without notice.

The Children's Online Privacy Protection Act (COPPA)

The Children's Online Privacy Protection Act (COPPA) protects the online privacy and personal information of children under 13 years of age. In compliance with this act, BrainStorm does not promote online to children, and does not intentionally collect any personally identifiable information from children under 13.

Our Copyright Notice

The contents of this site are the property of BrainStorm and are subject to United States and worldwide laws and treaties restricting the copy, distribution, publishing and transmission of same. No portion of this site may be copied, distributed, published or transmitted without the express written consent of BrainStorm.

All of this website's content and supporting code are copyrighted by or licensed to BrainStorm and all rights are reserved. All content copies, either electronic or printed, are for personal use only. The content and supporting code contained herein may not be used in any other manner unless express written permission is obtained in advance.

Our Trademarks Policy

BrainStorm has attempted to supply trademark information about company names, products, and services mentioned on this website. The following list of trademarks was derived from various sources:

• BrainStorm, Inc. is a registered trademark of BrainStorm, Inc.
• NetWare, GroupWise, and Novell are registered trademarks of Novell, Inc. in the United States and other countries.
• Adobe is a registered trademark of Adobe Systems Incorporated. Microsoft is a registered trademark of Microsoft Corporation. All other product names mentioned herein may be trademarks or registered trademarks of their respective companies.