BrainStorm Terms & Conditions

BRAINSTORM SUBSCRIPTION AGREEMENT

Last Modified:  August 31, 2020

Effective: April 6, 2020 (unless otherwise agreed to)

PLEASE READ THIS AGREEMENT CAREFULLY. 

This Subscription Agreement (this “Agreement”) is a contract between you (“You,” “Your,” or “Customer”) and us (“Us,” “We,” “Our,” or “BrainStorm”).  Sometimes, this Agreement will refer to You and BrainStorm individually as a “Party” or collectively as the “Parties.”  This Agreement describes the services BrainStorm will provide to You, how the Parties will interact, and other aspects of the business relationship between You and BrainStorm.  We cannot provide the Service to You unless You agree to the terms and conditions of this Agreement.  By using the Service, You accept and agree to be bound by these terms and conditions. 

BrainStorm will periodically update the terms and conditions of this Agreement as provided in Section 6.2 below.  You will be notified of any material updates or changes via email or through the Admin Portal. 

1. Definitions.
   1. “Agreement” means this Subscription Agreement and all materials referred to or linked to herein.
   2. “Billing Period” means the period for which You agree to prepay Fees under an Order Form, which will be the same as or shorter than the Subscription Term. For example, if You subscribe to the Service for a three (3) year Subscription Term, with a twelve (12) month upfront payment, the Billing Period will be twelve (12) months.
   3. "BrainStorm Content” means all data, text, information, images, audio and video clips, works of authorship and other content that is created by or for BrainStorm and provided to You via the Service or otherwise.
   4. “Confidential Information” means all confidential or proprietary information disclosed orally or in writing by one Party (the “Discloser”) to the other (the “Receiver”) that is identified at the time of disclosure as confidential. Confidential Information includes, without limitation, Customer Data, any information about the Discloser’s business plans or technical data, and the terms of the Order Form. Except when contradictory to applicable privacy laws and regulations, Confidential Information does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Discloser, (ii) was known to the Receiver before receipt from the Discloser, or (iii) is lawfully disclosed to the Receiver by a third party without restriction on disclosure or any breach of confidence. Our Confidential Information includes, without limitation and regardless of whether it has been identified as confidential, (a) any content provided to You in connection with the Service, or (b) any materials or content provided to You as part of the implementation services or any other services provided by Us.
   5. “Customer Data” means all data, text, information, images, audio and video clips, works of authorship and other content that is created or originally provided by Customer and/or Users and submitted, uploaded, posted or displayed on or via the Service. Customer Data will not include any content prepared or created by or for BrainStorm or that is originally provided to Customer by BrainStorm.
   6. “Fees” means the amount You agree to pay for the Service and any other services we may provide, as evidenced by the Order Form.
   7. “Order Form” means a mutually accepted, formal, transaction document, such as the invoice or order form, as applicable, that includes some or all of the following information: a listing of the software applications and BrainStorm Content to be provided to Customer, the name of Customer, Customer’s address and billing information, the length of the Subscription Term (if applicable), the Fees due from Customer, the maximum number of Users authorized to access and use the Service, and any maintenance and support being purchased (if applicable).
   8. “Service” means the online, cloud-based software application(s) and BrainStorm Content that are identified in the Order Form as being included in Customer’s purchase and that are provided by BrainStorm to Customer via the website https://www.quickhelp.com.
   9. “Sensitive Information” means (a) credit or debit card numbers; personal financial account information; Social Security numbers or local equivalents; passport numbers; driver’s license numbers or similar identifiers; passwords; racial or ethnic origin; physical or mental health condition or information; or other employment, financial or health information, including any information subject to the Health Insurance Portability and Accountability Act (“HIPPA”), the Payment Card Industry Data Security Standards, and other regulations, laws or industry standards designed to protect similar information; and (b) any information defined under European Union data protection laws as “Sensitive Personal Data.”
   10. “Subscription Term” means the Initial Term (as defined below) of Your subscription (or access) to the Service, as specified in the Order Form, and any subsequent Renewal Term (as defined below), during which You agree to pay (or prepay) the Fees under an Order Form.
   11. “Users” means individuals who are authorized by Customer to access and use the Service and who have been supplied user identifications and login credentials by Customer (or by BrainStorm at Customer’s request). Users may include employees, consultants, contractors and agents of Customer.

1.  
2. General Commercial Terms
   1. The Service.
      1. Access. Subject to the terms and conditions of this Agreement and the applicable Order Form, and upon Your payment of the applicable Fees, BrainStorm will provide You with access to the Service via the Internet during the Subscription Term. You understand and agree that Your purchase of a subscription to the Service is not contingent on the delivery of any future functionality or features nor dependent on any oral or written comments made by BrainStorm regarding future functionality or features.
      2. Maximum Authorized Users. The Service may not be accessed or used by more than the maximum number of Users, as set forth in the Order Form. User accounts cannot be shared or used by more than one User. You may, however, reassign a former User’s account to a new User. The maximum number of Users cannot be decreased during the Subscription Term. If, at the end of any year of the Subscription Term, the actual number of Users exceeds the maximum number of Users listed in the Order Form by ten percent (10%) or more, then BrainStorm will increase the Fees to account for such additional Users on a pro rata basis for the remainder of the Subscription Term. For this to happen, BrainStorm will complete a review of active Users between ninety (90) and sixty (60) days before the end of each year. BrainStorm will not count Users deleted, removed, or reassigned, unless the Users are temporarily removed to avoid a fee increase. This review and increase process will continue for each year of Your Subscription Term.
   2. Fees and Payment.
      1. Subscription Fees. The Fees are set forth in the Order Form and will remain fixed during Your Subscription Term unless (a) You exceed Your maximum Users (see Section 2.1.2), or (b) You and BrainStorm mutually agree in writing to modify or amend the Order Form. All payment obligations hereunder are non-cancelable and Fees paid are non-refundable, unless specifically provided otherwise in this Agreement.
      2. Fee Increases at Renewal. The pricing for any Renewal Term (as defined below) may be set forth in Your Order Form. If Your Order Form does not include any pricing for a Renewal Term, then BrainStorm’s standard pricing available at the date of renewal will apply. Prior to each Renewal Term, BrainStorm may increase the Fees to the then-current rate for the Service. BrainStorm will provide notice of any Fee increase prior to renewal.
      3. Payment by Credit Card. If You are paying by credit card, You authorize Us to charge Your credit card or bank account for all Fees payable during the Subscription Term. You further authorize Us to use a third party to process payments, and consent to the disclosure of Your payment information to such third party.
      4. Invoices. BrainStorm will invoice You in accordance with the terms of the Order Form (generally at the beginning of each Billing Period). Unless the Order Form states differently, all amounts invoiced are due and payable within thirty (30) days from the date of invoice.
      5. Late Fees. If BrainStorm does not receive payment of the invoiced Fees on the appropriate due date, then Your Fees will accrue late interest at the rate of one and a half percent (1.5%) of the outstanding Fees per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid.
      6. Suspension of the Service. BrainStorm will provide You with notice of non-payment of any amount due. If Your Fees are thirty (30) days or more overdue, BrainStorm may, without limiting its other rights and remedies, suspend Your access to the Service (or any portion thereof) until such amounts are paid in full.
      7. Payment Disputes. BrainStorm will not exercise its right to charge interest under Section 2.2.5 (Late Fees), or its right to suspend Your access to the Service under Section 2.2.6 (Suspension of the Service), if the applicable charges are under reasonable and good-faith dispute and You are cooperating diligently to resolve the dispute.
      8. Taxes. You agree to pay all applicable taxes levied by any tax authority on the Service or on Your use thereof, which may be separately invoiced, excluding any and all taxes based on the net income of BrainStorm.
   3. Additional BrainStorm Obligations.
      1. Updates and Maintenance. BrainStorm will support, maintain, upgrade, and update the Service as appropriate and in BrainStorm’s sole determination in order to fulfill its obligations under this Agreement. By way of information, BrainStorm scheduled maintenance window is from 12:00 am to 4:00 am Mountain Time. Except as provided elsewhere in this Section 2.3, BrainStorm shall have no other maintenance or support obligations to Customer
      2. Changes. BrainStorm reserves the right to change, deprecate, or remove BrainStorm Content or certain features or functionality of the Service from time to time. Brainstorm will, in its sole discretion, continue supporting prior versions of the BrainStorm Platform for up to twelve (12) months after BrainStorm provides notice of its intent to deprecate the prior version(s), except where doing would (a) pose a security risk or intellectual property issue, (b) be economically or technically burdensome, or (c) violate applicable law. BrainStorm will notify Customer of any material change to or discontinuation of a prior version of the BrainStorm Platform.
      3. Support. In addition to the ongoing customer service support that BSI will provide, BSI will provide technical support to Customer during the Term during normal business hours of 8:00 AM - 6:00 PM MST, Monday through Friday, excluding holidays. Support is limited to the designated admins within the Cloud Services and is generally not available to Customer’s Users. Customer’s point of contact may reach the support helpdesk at support@quickhelp.com.

1. 1. Term and Termination.
      1. Term and Renewal. Your initial Subscription Term will be specified in Your Order Form (the “Initial Term”). Immediately following the Initial Term, Your subscription to the Service will automatically renew for an additional, successive one (1) year terms (each, a“Renewal Term”), unless either Party provides written notice of its intent not to automatically renew at least sixty (60) days prior to the end of the Initial Term or the then-current Renewal Term. You may notify BrainStorm of Your intent not to renew by sending such notice to renewals@brainstorminc.com.
      2. No Early Termination; No Refunds. Unless renewed as provided in Section 2.4.1 above, the Subscription Term cannot be cancelled early and will end on the expiration date established in the Order Form. BrainStorm will not provide refunds if You decide to stop using the Service during Your Subscription Term.
      3. Termination for Cause. Either Party may terminate this Agreement for cause (i) upon thirty (30) days’ written notice to the other Party of a material breach if such breach remains uncured at the expiration of such period, or (ii) immediately if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. BrainStorm may also terminate this Agreement for cause on thirty (30) days’ notice if We determine that You are acting, or have acted, in a way that has or may negatively reflect on or affect Us, Our prospects, or Our customers. This Agreement may not otherwise be terminated prior to the end of the Subscription Term.
      4. Effects of Termination. If You terminate this Agreement for cause, BrainStorm will refund any prepaid fees covering the unused portion of the Subscription Term. If BrainStorm terminates this Agreement for cause, without limiting any other available remedies, You will pay any unpaid fees covering the remainder of the Subscription Term after the effective date of termination. In no event will any termination relieve You of Your obligation to pay any Fees payable to BrainStorm for the period prior to the effective date of termination.
      5. Survival. Sections 1, 2.4.4, 3, 4, 5 and 6 and any other terms in this Agreement which by their nature must survive after the Subscription Term to give their intended effect will survive any termination or expiration of this Agreement.
2. General Legal Terms
   1. Service Data
      1. Customer Data. As between the Parties, You own and retain all rights to Customer Data. BrainStorm will use Customer Data only in order to provide the Service to You and only as permitted by applicable law, this Agreement, and Our Privacy Policy, available at https://info.brainstorminc.com/legal#privacy-policy
      2. . By importing or processing Customer Data in the Service, You grant BrainStorm a worldwide, non-exclusive, royalty-free, license to reproduce, distribute, modify, and adapt Customer Data for the purpose of providing the Service and otherwise performing under this Agreement, including the right to disclose Customer Data to BrainStorm’s sub-processors as necessary to provide the Service. BrainStorm will not use, display, disclose or transfer Customer Data in any manner that specifically identifies Customer or its Users without Your prior written consent, except as otherwise set forth in Section 4 herein, or in Our Privacy Policy.
      3. De-Identified Data. BrainStorm monitors its Customers’ use of the Service and uses the information gathered for internal purposes in an aggregated and anonymous manner to improve the Service and BrainStorm Content. Notwithstanding any provision of this Agreement to the contrary, You hereby grant to BrainStorm an irrevocable, non-exclusive, royalty-free, fully paid up, perpetual, worldwide right and license, with the right to sublicense, use, reproduce, publish, distribute, perform, anonymize, and display, both during and after the Subscription Term, any usage statistics, usage data, or metadata We derive from Your or Your Users’ use of the Service, including any reports You share with Us from Your use of Microsoft Graph API, in order (i) to improve the Service, (ii) to produce and share aggregated insights from the usage statistics or usage data, or (iii) compare usage and adoption rates of Yours and others organizations; provided that BrainStorm will only use such usage statistics and usage data in an anonymized, de-identified or aggregated form (“De-Identified Data”), but only so long as the De-Identified Data is not individually identifiable and is used in accordance with any applicable laws (without limitation, data privacy laws). To be clear, Customer Data does not include De-Identified Data. In no event will BrainStorm disclose or provide Customer Data or Your identity to third parties, except as provided in this Agreement or BrainStorm’s Privacy Policy.
      4. Safeguards. BrainStorm will maintain commercially appropriate administrative, physical, and technical safeguards to protect Customer Data. You consent to the processing of Customer Data in the United States.
      5. EU/EEA and Switzerland Data Processing. To the extent that BrainStorm processes any Personal Data (as defined by the BrainStorm Data Processing Agreement) as part of Customer Data that is subject to the General Data Protection Regulation, on Your behalf, in the provision of the Service hereunder, the terms of the BrainStorm Data Processing Agreement, located at https://info.brainstorminc.com/legal#website-data, which are hereby incorporated by reference, will apply. For Customers that are located in the European Union or the European Economic Area, the Standard Contractual Clauses adopted by the European Commission and attached to the BrainStorm Data Processing Agreement, which provide adequate safeguards with respect to the Personal Data processed by Us under this Agreement and pursuant to the provisions of the BrainStorm Data Processing Agreement, will apply. You acknowledge in all cases that BrainStorm acts as the data processor of Customer Data and You are the data controller of Customer Data under all applicable data protection laws or regulations. You agree that, to the extent required, you have a lawful basis for the processing of the Personal Data. You also agree to obtain and maintain any consents necessary to permit the processing or cross-border transfer of Customer Data under this Agreement. To the extent that there is any conflict or discrepancy between this Agreement and the BrainStorm Data Processing Agreement, the latter will control.
   2. BrainStorm’s Proprietary Rights.
      1. Reservation of Rights. This is an Agreement for access to and use of the Service, and You are not granted a license to any software by this Agreement, or any other intellectual property right, other than the limited rights and licenses specified in this Agreement. The Service, and its associated code, content, etc., is protected by intellectual property laws and, as between the Parties, belongs to and is the property of BrainStorm and Our licensors (if any), and We retain all ownership rights therein.
      2. Copyrights, Trademarks, and Patents. The Service is copyrighted and protected by the laws of the United States and other countries, and by international treaty provisions. In no circumstance are You permitted to remove any copyright notice from the Service. “QuickHelp” is either a registered trademark or trademark of BrainStorm in the United States and/or other countries. One or more patents, as well as other patent pending technology, may apply to the Service.
      3. Suggestions. We encourage all Customers to provide comments, feedback, and suggestions to improve, correct, change, or modify the Service or its operation (“Suggestions”). You agree that all such Suggestions will be non-confidential and that BrainStorm will own all rights to use and incorporate such Suggestions into the Service, without payment or attribution to You. Any Suggestions incorporated into the Service shall not contain any Customer Data.
   3. Customer Responsibilities and Restrictions.
      1. You agree that:
         1. You and Your Users will comply with BrainStorm’s Content Submission Policy, which can be accessed at https://info.brainstorminc.com/legal#content-submission, as well as all applicable laws and regulations. You will promptly notify BrainStorm of any suspected or alleged violation of this Agreement by Your Users and will cooperate with BrainStorm in its efforts to (a) investigate any alleged or suspected violation of this Agreement and (b) enforce this Agreement.
         2. You will not attempt or permit others to attempt to gain unauthorized access to or use of the Service, and will notify BrainStorm promptly of any known or suspected unauthorized access or use. You will notify BrainStorm immediately of any known or suspected unauthorized use of Your Users’ identifications and passwords or Your account by contacting support@quickhelp.com.
         3. You will be responsible for Your and Your Users’ use of the Service and any Customer Data, including, without limitation, any use of the Service and/or Customer Data that is in violation of applicable laws, regulations, Your policies, and/or BrainStorm’s Privacy Policy.
         4. You will not make access to or use of the Service and/or Customer Data a condition of any User’s employment if such a requirement would violate any privacy or security law or regulation. If User consents are required for You to provide to Us, or for Us to access or use, any Customer Data, You will be solely responsible for obtaining and documenting such consents and ensuring that such consents are freely and validly provided by each User. You will make such records of consents available to BrainStorm upon request.
         5. You will not (a) make the Service available to anyone other than Your Users, (b) sell, resell, rent or lease the Service, (c) interfere with or disrupt the integrity or performance of the Service or any of its content, or (d) attempt to gain unauthorized access to the Service’s underlying systems or networks.
         6. You may not access and use the Service if You are a direct competitor or are affiliated with a direct competitor of BrainStorm.
         7. You will not use the Service if You are legally prohibited from receiving or using the Service under the laws of the country in which You are a resident or from which You access or use the Service. The Service is not designed to comply with industry-specific regulations such as HIPAA, the Gramm-Leach-Bliley Act (GLBA), or the Federal Information Security Management Act (FISMA), so You may not use the Service or upload Customer Data to the Service where Your use would be subject to such laws.
         8. YOU AGREE NOT TO USE THE SERVICE TO COLLECT, MANAGE OR PROCESS SENSITIVE INFORMATION. YOU FURTHER AGREE THAT YOU WILL NOT PROVIDE ANY SENSITIVE INFORMATION TO US. WE WILL NOT HAVE ANY LIABILITY THAT MAY RESULT FROM YOUR USE OF THE SERVICE TO COLLECT OR MANAGE SENSITIVE INFORMATION.
         9. You will only access or use the Service as expressly permitted by this Agreement.
         10. You will not copy, rent, lease, sell, distribute, or create derivative works based on the Service or BrainStorm Content, in whole or in part, by any means and for any reason whatsoever, except as expressly authorized in writing by BrainStorm.
         11. The Service constitutes the proprietary information and trade secrets of BrainStorm or its licensors, and/or suppliers, whether or not any portion thereof is or may be the subject of a valid copyright, trademark or patent.
   4. Confidentiality. Each Party (as a Receiver), agrees to hold the other’s (as a Discloser) Confidential Information in confidence, and not to use or disclose such Confidential Information other than in connection with the performance of its obligations hereunder. Notwithstanding the foregoing, either Party may disclose any of the other Party’s Confidential Information to its employees, subcontractors, advisers, and/or agents that have a need to know such Confidential Information in connection with such Party’s performance under this Agreement and that have agreed to be bound by confidentiality obligations similar to those in this Section. Upon notice to the Discloser, the Receiver may disclose Confidential Information if required to do so under any federal, state, or local law, statute, rule or regulation, subpoena or legal process.
   5. Indemnification.
      1. Indemnification. Each Party (each, an “Indemnifying Party”) agrees to defend the other Party (each, an “Indemnified Party”) from and against any claims, demands, suits, or proceedings (each, a “Claim”) made or brought by a third party against the Indemnified Party alleging that material provided by the Indemnifying Party (the Service, in the case of BrainStorm as the Indemnifying Party, and Customer Data, in the case of Customer as the Indemnifying Party) infringes or misappropriates the intellectual property rights of a third party or arising out of a failure by Customer to comply with Sections 3.3 and BrainStorm’s Content Submission Policy, located at https://info.brainstorminc.com/legal#content-submission and to indemnify the Indemnified Party from any damages finally awarded by a court of competent jurisdiction against the Indemnified Party or amounts agreed to in settlement in connection with any such Claim. The Indemnifying Party’s obligations under this paragraph will only apply to the extent that: (a) the Indemnified Party promptly notifies the Indemnifying Party in writing of the Claim, provided that failure to give or delay in giving such notice to the Indemnifying Party will not relieve the Indemnifying Party of its obligations hereunder except to the extent that the Indemnifying Party demonstrates that the defense of such action is materially prejudiced thereby; (b) the Indemnifying Party has control of the defense and all related settlement negotiations relating to the Claim, provided, however, the settlement of any Claim will not be made without advance written permission of the Indemnified Party, which will not be unreasonably withheld; and (c) the Indemnified Party provides the Indemnifying Party with the assistance, information and authority reasonably necessary to perform the above. In no event will BrainStorm have any obligation or liability under this paragraph for any Claim or action under any legal theory to the extent that the Claim or action is caused by, or results from: (i) Customer’s combination, operation or use of the Service with software or other materials not supplied by BrainStorm, (ii) any alteration or modification of the Service by Customer, (iii) Customer’s continued allegedly infringing activity after being notified thereof or after being provided modifications that would have avoided the alleged infringement, (iv) the actions or omissions of any person or entity other than BrainStorm, or (v) Customer’s failure to comply with Sections 3.3 and BrainStorm’s Content Submission Policy, located at https://info.brainstorminc.com/legal#content-submission.
      2. Indemnification for Unauthorized Use. You agree to defend, indemnify, and hold BrainStorm harmless from and against any and all claims arising out of Your unauthorized use of the Service or other breach of this Agreement.
      3. Remedy for Infringement. Should Your right to use the Service pursuant to this Agreement be subject to a Claim of infringement or if BrainStorm reasonably believes such a Claim of infringement may arise, BrainStorm may, at its option and in its sole discretion, (i) procure for You the right to continue to access and use the Service; (ii) modify the Service to render it non-infringing but substantially functionally equivalent to the Service prior to such modification; or (iii) if the alternatives described in clauses (i) and (ii) of this paragraph are not commercially practicable, then BrainStorm may terminate this Agreement and refund to You any amounts prepaid by You for the Service for the unused portion of the Subscription Term.
   6. Warranties.
      1. BrainStorm Warranties. BrainStorm warrants that the Service will be provided materially in accordance with BrainStorm’s published documentation for the Service, as found on BrainStorm’s websites, www.brainstorminc.com, support.quickhelp.com, and www.quickhelp.com. For any breach of such warranty, Customer’s exclusive remedy will be as provided in the “Termination for Cause” and “Effects of Termination” sections above. BrainStorm will have no liability under this section if the Service has been modified or altered by anyone other than BrainStorm, or if the Service has been abused or misapplied. If You promptly report a reproducible defect under this warranty, BrainStorm shall, in its sole discretion, either use its commercially reasonable efforts to resolve the nonconformity or terminate this Agreement and refund Your prepaid Fees for the unused portion of the Subscription Term.
      2. Customer Warranties. When You share Customer Data with BrainStorm or upload Customer Data to the Service, You represent and warrant that You are the creator and owner of, or that You have the necessary licenses, rights, consents, and permissions to use and to authorize BrainStorm to use and distribute, Customer Data as necessary for BrainStorm to provide You with access to the Service and to otherwise perform its obligations under this Agreement.
      3. Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, QUICKHELP IS PROVIDED ON AN “AS IS” BASIS WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. BRAINSTORM DOES NOT WARRANT THAT QUICKHELP WILL SATISFY YOUR REQUIREMENTS OR (WITHOUT PREJUDICE TO THE LIMITED WARRANTY ABOVE) THAT IT IS WITHOUT DEFECT OR ERROR OR THAT YOUR ACCESS THERETO WILL BE UNINTERRUPTED.
   7. LIMITATION OF LIABILITY. IN NO EVENT WILL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT FOR BRAINSTORM’S INDEMNIFICATION OBLIGATIONS CONTAINED HEREIN, BRAINSTORM’S CUMULATIVE LIABILITY FOR DAMAGES UNDER THIS AGREEMENT FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, WILL BE LIMITED TO NO GREATER THAN THE AMOUNT OF MONEY PAID TO BRAINSTORM FOR QUICKHELP DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE INCIDENT. THE FOREGOING WILL NOT LIMIT YOUR OBLIGATION TO PAY FEES UNDER THIS AGREEMENT AND THE ORDER FORM. YOU ACKNOWLEDGE THAT THE AMOUNT OF FEES PAYABLE BY YOU TO BRAINSTORM HEREUNDER REFLECT THE ALLOCATION OF RISK SET FORTH IN THIS AGREEMENT AND THAT BRAINSTORM WOULD NOT HAVE ENTERED INTO THIS AGREEMENT WITHOUT THE LIMITATIONS ON ITS LIABILITY CONTAINED IN THIS SECTION. THESE LIABILITY LIMITATIONS APPLY EVEN IF CONTRACTUAL REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.
   8. THIRD-PARTY PRODUCTS. BRAINSTORM DISCLAIMS ALL LIABILITY WITH RESPECT TO THIRD-PARTY PRODUCTS THAT YOU USE. OUR LICENSORS WILL HAVE NO LIABILITY OF ANY KIND UNDER THIS AGREEMENT.
3. Publicity. You agree that BrainStorm may disclose Your company’s name, whether in written or oral form, as a user of the Service in a factual listing of BrainStorm’s Customers to be published within marketing and promotional materials, in presentations, on tradeshow signs and materials, on BrainStorm’s external website and/or to financial and industry analysts.
4. GOVERNING LAW; SUBMISSION TO JURISDICTION AND VENUE. THIS AGREEMENT AND ANY AND ALL CLAIMS ARISING UNDER THIS AGREEMENT WILL BE GOVERNED BY THE LAWS OF THE STATE OF UTAH AND THE UNITED STATES OF AMERICA, EXCLUDING ITS PRINCIPLES OF CONFLICT OR CHOICE OF LAWS. TO THE EXTENT PERMITTED BY APPLICABLE LAW, EACH OF THE PARTIES HERETO HEREBY IRREVOCABLY SUBMITS TO THE EXCLUSIVE JURISDICTION OF ANY UTAH STATE COURT OR UNITED STATES FEDERAL COURT, IN EITHER CASE SITTING IN UTAH OVER ANY SUIT, ACTION OR OTHER PROCEEDING BROUGHT BY ANY PARTY ARISING OUT OF OR RELATING TO THIS AGREEMENT, AND EACH OF THE PARTIES HERETO IRREVOCABLY AGREES THAT ALL CLAIMS WITH RESPECT TO ANY SUCH SUIT, ACTION OR OTHER PROCEEDING WILL BE HEARD AND DETERMINED IN SUCH COURTS. REGARDLESS OF THE APPLICABLE GOVERNING LAW, CUSTOMER AND BRAINSTORM AGREE TO EXCLUDE APPLICATION OF THE UNITED NATIONS CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAW, BRAINSTORM MAY BRING AN ACTION IN ANY JURISDICTION FOR THE PURPOSE OF: (A) ENFORCING A JUDGMENT OR (B) PROTECTING BRAINSTORM’S INTELLECTUAL PROPERTY RIGHTS. In the event that a Party hereto who is required to engage the services of legal counsel to enforce the terms and conditions hereof against the other is successful in doing so, such Party will be entitled to the reimbursement by the other Party of all reasonable attorneys’ fees and court costs incurred by the successful Party.
   
   
5. Miscellaneous.
   1. Entire Agreement. This Agreement, each Order Form, the BrainStorm Privacy Policy, and the BrainStorm Content Submission Policy together constitute the entire agreement between the Parties for the provision of and access to the Service, and supersede all other proposals and agreements, whether electronic, oral or written, between the Parties. We object to and reject any additional or different terms proposed by You, including those contained in Your purchase order, acceptance or website.
   2. Amendment; No Waiver. BrainStorm may update and change any part or all of this Agreement, including the fees and charges associated with the use of the Service (but, Your Fees and charges won’t change during the Subscription Term except as explained in the Fees section above). If We update or change these terms and conditions, the updated terms and conditions will be posted to this page and We will let You know via email and/or in-app notification. The updated Agreement will become effective and binding on the effective date indicated at the top of the updated Agreement. If You do not agree with a modification to this Agreement, You must notify Us in writing within thirty (30) days after receiving notice of the modification. If You give Us this notice, Your subscription will continue to be governed by the terms and conditions of this Agreement prior to modification for the remainder of Your current Subscription Term. Upon renewal, the updated Agreement, as published on BrainStorm’s website, will apply. No delay in exercising any right or remedy or failure to object will be a waiver of such right or remedy or any other right or remedy. A waiver on one occasion will not be a waiver of any right or remedy on any future occasion.
   3. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement will remain in effect.
   4. Assignment. You may not assign, sublicense, or transfer this Agreement, Your access to the Service, any right to maintenance and/or support, or any rights or obligations hereunder without prior written consent of BrainStorm. Any such purported assignment, sublicense, or transfer will be null and void. BrainStorm may terminate this Agreement in the event of any such attempted assignment, sublicense, or transfer by providing You written notice.
   5. Authority. Each Party represents and warrants to the other that it has full power and authority to enter into this Agreement and that it is binding upon such Party and enforceable in accordance with its terms.
   6. No Third-Party Beneficiaries. Unless otherwise specifically agreed to in the Order Form, You agree that there will be no third-party beneficiaries to this Agreement.
   7. Precedence. In the event of a conflict between the terms of this Agreement and an Order Form, the terms of the Order Form will control, but only as to that Order Form.
   8. Force Majeure. Neither Party will be responsible for failure or delay of performance if caused by: an act of war, hostility, or sabotage; act of God; electrical, Internet, or telecommunication outage that is not caused by the obligated Party; government restrictions; or other event outside the reasonable control of the obligated Party. Each Party will use reasonable efforts to mitigate the effect of a force majeure event.
   9. Relationship of the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.
   10. Notice. Notice will be sent to the contact address set forth herein, and will be deemed delivered as of the date of actual receipt.

       If to BrainStorm: BrainStorm, Inc.
       Ten South Center Street
       American Fork, Utah 84003
       Attn: Legal Department

       To You: Your address as You have provided to Us. We may give electronic notices by general notice via the Service Admin Portal to the emails You provide, via email to Your e-mail address(es) on record in Our account information for You, or as otherwise agreed. We may give notice to You by telephone calls to the telephone numbers on record in Our account information for You. You must keep all of Your account information current.

   11. Injunctive Relief. You hereby expressly agree that BrainStorm, in addition to any other rights or remedies that BrainStorm may possess, will be entitled to seek injunctive and other equitable relief (including specific performance) without having to post bond or other security to prevent a material breach or continuing material breach of this Agreement.
   12. Audit. You will permit BrainStorm or its agents, at BrainStorm’s expense, to conduct audits to verify Your compliance with this Agreement. Such audits will be conducted during normal business hours and after reasonable advance notice from BrainStorm to You.
   13. Service Supplied to the Government. The Service is a “commercial item,” “commercial computer software” and/or “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use, modification, reproduction, release, performance, display, disclosure or distribution of the Service by the U.S. government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted herein.
   14. Export Law Assurances. You will not export or re-export or allow the export or re-export of the Service or any copy, portion or direct product of the foregoing, in violation of any export laws, restrictions, national security controls or regulations of the United States or other applicable foreign agency or authority.
   15. Waiver. No action taken pursuant to this Agreement, including any investigation by or on behalf of any Party, will be deemed to constitute a waiver by such Party of any representation, warranty, covenant or agreement contained herein. The waiver by any Party hereto of a breach of any provision of this Agreement or failure to perform by the other Party will not operate or be construed as a further or continuing waiver of such breach or failure to perform or as a waiver of any other or subsequent breach or failure to perform. No failure on the part of any Party to exercise, and no delay in exercising, any right, power or remedy hereunder will operate as a waiver thereof, nor will any single or partial exercise of such right, power or remedy by such Party preclude any other or further exercise thereof or the exercise of any other right, power or remedy. All remedies hereunder are cumulative and are not exclusive of any other remedies provided by applicable law.

 

DATA PROTECTION ADDENDUM

This BrainStorm, Inc. Data Protection Addendum (“DPA”) is between the parties with respect to the terms governing the Processing of Personal Data under the BrainStorm QuickHelp Subscription Agreement (the “Master Agreement”).  This DPA sets out the additional terms, requirements and conditions on which BrainStorm, as Provider (defined below), will obtain, handle, process, disclose, transfer, or store Personal Information (defined below) when providing services under the Master Agreement.  This DPA serves as an addendum to the Master Agreement and is effective upon its incorporation into the Master Agreement, which incorporation may be specified in the Master Agreement, the Order Form (as defined in the Master Agreement), or as otherwise agreed to between the parties. 

BrainStorm will periodically update the terms and conditions of this DPA.  You will be notified of any material updates or changes via email or through the Admin Portal.

Terms not otherwise defined in this DPA shall have the meaning as set forth in the Master Agreement.

1. Definitions and Interpretation

• The following definitions and rules of interpretation apply in this DPA.

“Business Purpose” means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.

“Customer” shall mean the Customer defined in the Master Agreement or Order Form, and who shall determine the purpose and means of the Processing of Personal Information. 

“Data Subject” means an individual who is the subject of Personal Information.

“Personal Information” means any information the Provider processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

“Privacy and Data Protection Requirements” means all applicable federal, state, and international laws and regulations relating to the processing, protection, or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

“Provider” shall mean BrainStorm, Inc., a Delaware corporation with offices located at Ten South Center Street, American Fork, Utah 84003, who shall process Personal Information on behalf of the Customer.

“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

• This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.
• The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.
• A reference to writing or written includes email but not messages sent via fax.
• In the case of conflict or ambiguity between:
  • any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail;
  • the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail;
  • any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail; and
  • any of the provisions of this agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2. Personal Information Types and Processing Purposes
   • The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
   • Appendix A describes the general Personal Information categories and Data Subject types the Provider may process to fulfill the Business Purposes of the Master Agreement.
3. Provider’s Obligations
   • The Provider will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Provider will not process the Personal Information for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. The Provider will promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.
   • The Provider shall promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.
   • The Provider will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Information, the Provider shall first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
   • The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider’s processing and the information available to the Provider.
   • The Provider will promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect the Provider’s performance of the Master Agreement.
   • The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Information other than as required under the Privacy and Data Protection Requirements.
   • The Provider will only collect Personal Information for the Customer in accordance with the Agreement, the Privacy Policy, and this DPA. 
4. Provider’s Employees
   • The Provider will limit Personal Information access to:
     • those employees who require Personal Information access to meet the Provider’s obligations under this DPA and the Master Agreement; and
     • the part or parts of the Personal Information that those employees strictly require for the performance of their duties.
   • The Provider will ensure that all employees:
     • are informed of the Personal Information’s confidential nature and use restrictions;
     • have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
     • are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.
   • The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Information.
5. Security
   • The Provider will maintain appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage. These shall include any security measures set out in Appendix . The Provider will periodically review these measures at least annually to ensure they remain current and complete.
   • The Provider will immediately notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.
   • The Provider will take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
6. Security Breaches and Personal Information Loss
   • The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.
   • The Provider will immediately notify the Customer if it becomes aware of:
     • any unauthorized or unlawful processing of the Personal Information; or
     • any Security Breach.
   • Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:
     • assisting with any investigation;
     • providing the Customer with physical access to any facilities and operations affected;
     • facilitating interviews with the Provider’s employees, former employees and others involved in the matter; and
     • making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.
   • The Provider will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.
   • The Provider agrees that the Customer has the sole right to determine:
     • whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
     • whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
   • The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 2 and 6.3, unless the matter arose from the Customer’s specific instructions, negligence, willful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.
   • The Provider will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in clause 5.
7. Cross-Border Transfers of Personal Information
   • If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers, the Customer will only transfer that Personal Information to the Provider under the following conditions:
     • the Provider, either through its location or participation in a valid cross-border transfer mechanism under the Privacy and Data Protection Requirements, as identified in Appendix A, may legally receive that Personal Information, however the Provider will immediately inform the Customer of any change to that status;
     • the Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements; or
     • the transfer otherwise complies with the Privacy and Data Protection Requirements for the reasons set forth in Appendix A.
   • The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements. In Appendix A, the Provider shall identify the legal basis supporting any transfers it makes and will promptly inform the Customer of any change to that status.
8. Subcontractors
   • The Provider may only authorize a third party (subcontractor) other than those set forth in Appendix A to process the Personal Information if:
     • the Customer is given an opportunity to object within 14 days after the Provider supplies the Customer with details regarding the subcontractor’s proposed role with respect to the Personal Information, contact information for the subcontractor’s data protection officer or other data-protection point-of-contact, and the terms on which the subcontractor shall be able to process the Personal Information;
     • the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA and, upon the Customer’s written request, provides the Customer with copies of such contracts;
     • the Provider maintains control over all Personal Information it entrusts to the subcontractor; and
     • the subcontractor’s contract terminates automatically on termination of this DPA for any reason.
   • The Provider shall list all subcontractors that it anticipates using to carry out the Business Purposes in Appendix A and include each subcontractor’s name and location and contact information for the person responsible for privacy and data protection compliance. The Customer’s agreement to this DPA shall authorize the Provider to use the subcontractors as described in Appendix A.
   • If a subcontractor fails to fulfill its obligations under such written agreement, the Provider remains responsible to the Customer for the subcontractor’s performance of its obligations.
   • Upon the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Customer’s Personal Information and provide the Customer with a summary of the audit results.
9. Complaints, Data Subject Requests, and Third-Party Rights
   • The Provider shall notify the Customer promptly if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.
   • The Provider will notify the Customer within 5 working days if it receives a request from a Data Subject regarding their Personal Information unless the Provider is able to fully handle and respond to such request.
   • The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.
   • The Provider shall not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this DPA, or is otherwise required by law.
10. Term and Termination
    • This DPA will remain in full force and effect so long as:
      • the Master Agreement remains in effect; or
      • the Provider retains any Personal Information related to the Master Agreement in its possession or control (the “Term”).
    • Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.
    • If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within a reasonable time, they may terminate the Master Agreement upon written notice to the other party.
11. Data Return and Destruction
    • At the Customer’s request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format and on the media reasonably specified by the Customer.
    • On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control, except for one copy that it may retain and use for audit purposes only.
    • If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.
    • If Customer requests, the Provider will certify in writing that it has destroyed the Personal Information within 14 days after receiving the Customer’s request.
12. Records
    • The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
    • The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this DPA.
    • The Customer and the Provider shall review the information listed in the Appendices to this DPA annually to confirm its current accuracy and update it if required to reflect current practices.
13. Audit
    • At least annually, the Provider will audit its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.
    • Upon the Customer’s written request, the Provider will make the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as the Provider’s confidential information under this Agreement.
    • The Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.

14. Warranties
    • The Provider warrants and represents that:
      • its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and
      • it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
      • it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement’s contracted services; and
      • considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
        • the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
        • the nature of the Personal Information protected; and
        • comply with all applicable Privacy and Data Protection Requirement and its information and security policies, including the security measures required in clause 1.
      • The Customer warrants and represents that the Provider’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.

15. Indemnification
    • The Provider agrees to indemnify the Customer against all costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
    • The limitations on liability set forth in the Master Agreement shall apply to this DPA’s indemnity or reimbursement obligations.
16. Notice
    • Any notice or other communication given to a party under or in connection with this DPA shall be in writing and delivered to:

For the Customer: (i) to the points of contact Customer designates in the Master Agreement or Order Form, or (ii) to the Customer’s Admins such as Customer may identify in the QuickHelp Admin Portal;

For the Provider: BrainStorm, Inc. Ten South Center Street, American Fork, Utah 84003, security@brainstorminc.com.

• Clause 1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

 

 

Appendix A

Personal Information Processing Purposes and Details

Business Purposes:  To provide Customer with the Service, as set forth in the Master Agreement. 

Personal Information Categories:  The personal data transferred includes the name, work email, title, department, IP address, and other data in an electronic form in the context of Provider’s Service. 

Data Subject Types:  The data subjects include Customer’s representatives and end-users, primarily Customer’s employees, but also, potentially, contractors, affiliates and their affiliate’s employees and contractors, and collaborators thereof. 

Approved Subcontractors:  Microsoft Azure (hosting services); Google Analytics (data analytics); HubSpot (communications platform within the Service), and SendGrid (email messaging tool within the Service)

Provider’s legal basis for receiving Personal Information with cross-border transfer restrictions:  EU/US Privacy Shield Certified

 

Appendix B

Security Measures

Provider will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the data uploaded to the service, as described in the Master Agreement or in this DPA, or otherwise made reasonably available by Provider. The security practices described int his Appendix B are currently observed by Provider.  Although it reserves the right to modify or update these practices, Provider will not materially decrease the overall security of the Service during a subscription term.

PHYSICAL ACCESS CONTROLS:  QuickHelp is hosted in Microsoft Azure, a multi-tenant environment.  The physical and environmental security controls are audited for SOC 2 Type II compliance, among other certifications.

SYSTEM ACCESS CONTROLS:  Access controls within the Service are designed to permit role-based access control using least privileged access principals.  Provider utilizes multi-factor authentication for access to management system portals. 

DATA ACCESS CONTROLS:  Users of the Service have access to non-public data via the application.  Customers and their users are not allowed direct access to the underlying infrastructure of the Service.  Only Provider has direct access to Customer data and Customer’s Personal Information.  The authorization protocols is designed to permit only designated individuals access to the underlying infrastructure.  Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

TRANSMISSION CONTROLS:  Provider encrypts all QuickHelp data and Personal Information at rest and in-transit using HTTPS encryption.

INPUT CONTROLS:  Provider logs information regarding system behavior, system authentication, and other application requests.  Utilizing Azure Threat Detection, Provider is able to monitor and be responsive to malicious, unintended, or anomalous activities. Provider also maintains a record of security incidents.  Any suspected or confirmed security incident is investigated by Provider’s personnel, who then identify appropriate steps to resolve the incident and minimize damage or unauthorized disclosure (if any). 

DATA BACKUPS.  By hosting the Service in Azure, Provider is able to ensure redundancy and fail-over protections, including geo-redundancy.  All databases are backed up and maintained using industry standard methods. 

 

Appendix C

STANDARD CONTRACTUAL CLAUSES

Controller to Processor

SECTION I

Clause 1

Purpose and scope

(a)        The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of data to a third country.

(b)       The Parties:

(i)        the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)       the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)        These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)       The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)        These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)       These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)        Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)        Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)       Clause 8 – Module 2: Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii)      Clause 9 - Module 2: Clause 9(a), (c), (d) and (e);

(iv)      Clause 12 – Module 2: Clause 12(a), (d) and (f);

(v)       Clause 13;

(vi)      Clause 15.1(c), (d) and (e);

(vii)     Clause 16(e);

(viii)    Clause 18 – Module 2: Clause 18(a) and (b).

(b)       Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)        Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)       These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)        These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a)        An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)       Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)        The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1   Instructions

(a)        The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b)       The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

 8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of processing

(a)        The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)       The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)        In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)       The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

 8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)        the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)       the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii)      the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)      the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9   Documentation and compliance

(a)        The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b)       The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c)        The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d)       The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e)        The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

 Clause 9

Use of sub-processors

MODUEL TWO: Transfer controller to processor

(a)        GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b)       Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)        The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)       The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)        The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

 Clause 10

Data subject rights

MODUEL TWO: Transfer to processor

(a)        The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b)       The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)        In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

 Clause 11

Redress

(a)        The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

MODULE TWO: Transfer controller to processor

(b)      In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)        Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)        lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)       refer the dispute to the competent courts within the meaning of Clause 18.

(d)       The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)        The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)        The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

MODUEL TWO: Transfer controller to processor

(a)        Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)       The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)        Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)       The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)        Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)        The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)       The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

• [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)       The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

MODUEL TWO: Transfer controller to processor

(a)       The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)       The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)        the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)       the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii)      any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)        The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)       The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)        The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)        Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

MODUEL TWO: Transfer controller to processor

15.1     Notification

(a)        The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)        receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)       becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b)      If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)        Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d)       The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)        Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2     Review of legality and data minimisation

(a)        The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)       The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)        The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

 

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)        The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)       In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)        The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)        the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)       the data importer is in substantial or persistent breach of these Clauses; or

(iii)      the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)       Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)        Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights.

Clause 18

Choice of forum and jurisdiction

MODUEL TWO: Transfer controller to processor

(a)        Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)       The Parties agree that those shall be the courts of the Member State in which the data exporter is established.

(c)        A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)       The Parties agree to submit themselves to the jurisdiction of such courts.

 

ANNEX I

1. LIST OF PARTIES

Data exporter(s): 

Name: Customer as identified in the Agreement

Address: Address of Customer as listed in the Agreement

Contact person’s name, position and contact details: Customer’s contact information as listed in the Agreement

Activities relevant to the data transferred under these Clauses: Processing data in connection with the Agreement entered between the parties.

Signature and date: By executing the Agreement and using the Services (as defined in the Agreement) and transfer Personal Data outside of the EEA or the United Kingdom (UK), the data exporter will be deemed to have singed this Annex I.

Role (controller/processor): Controller

 

Data importer(s): 

Name: BrainStorm, Inc.

Address: Ten South Center Street, American Fork, Utah 84003

Contact person’s name, position and contact details: Andrew Wojciechowski, Associate Vice President, Legal; awojciecowski@brainstorminc.com

Activities relevant to the data transferred under these Clauses: Processing data in connection with the Agreement entered between the parties.

Signature and date: By transferring Persona Data outside of the EEA or the UK on Customer’s instructions, the data importer will be deemed to have signed this Annex I.

Role (controller/processor): Processor

1. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

See Appendix A of the DPA

Categories of personal data transferred

See Appendix A of the DPA

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

See Appendix A of the DPA

Purpose(s) of the data transfer and further processing

See Appendix A of the DPA

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The personal data will be retained for as long as necessary to complete any processing necessary to provide the Services under the Agreement executed by the data exporter and the data importer.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Processing data in connection with the Processor’s provision of the Services.

1. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.

 

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

See Appendix B of the DPA

 

 

ANNEX III

LIST OF SUB-PROCESSORS

Subject to General Authorization. A current List of Sub-processors is found below:

 

ANNEX III

LIST OF SUB-PROCESSORS

Subject to General Authorization. A current List of Sub-processors is found below:

  

Name	Location	Contact (if available)	Description of Processing
Microsoft Azure	USA		Hosting services provider
SendGrid	USA		In-application email messaging
Aha!	USA		Customer feedback portal
HubSpot	USA		Email campaign management
Snowflake	USA		Data warehouse