Last updated: May 16, 2021
PLEASE NOTE THAT THE AGREEMENT IS SUBJECT TO CHANGE BY VENDOR IN ITS SOLE DISCRETION AT ANY TIME.
When changes are made, Vendor may make a new copy of this Agreement available prior to the submission of Jobs. We may also update the “Last Updated” date at the top of this Agreement. If we make any material changes and you have registered with us to create an account, we may also send an e-mail to you at the last e-mail address you provided to us pursuant to the Agreement. Any changes to the Agreement will be effective immediately for new Jobs. If you do not agree to any change(s) after receiving a notice of such change(s), do not submit new Jobs.
Capitalized terms shall have the meanings set forth in this section, or in the section where they are first used or otherwise defined.
1.1 Access Protocols
“Access Protocols” means the credentials, passwords, access codes, or other relevant procedures provided by Vendor to Customer to access the Services, which may include, without limitation, use of the IonQ API.
“Affiliate(s)” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party.
“Circuit” means the sequence, code, and/or routine to be executed through the Services.
1.4 Compute Services/Services
“Compute Services” or “Services” means IonQ’s execution of Customer’s Jobs using the Technology.
“Control” means control of greater than fifty percent of the voting rights or equity interests of a party.
“Customer” means the person or entity that submits a Job to Vendor.
“Documentation” means the technical materials provided by Vendor to Customer in hard copy or electronic form, including via online URL or link, describing the use and operation of the Services.
“Job” means: (a) for Circuits to be run on the IonQ Quantum Technology, the Circuit to be run by the Services for the number of Shots specified by the Customer; and (b) for Circuits to be run in the IonQ simulator technology, the Circuits to be run.
1.9 Job Guidelines
“Job Guidelines” means the Vendor guidelines about the type of Jobs that may be submitted through the Services that are made available at https://ionq.com/guidelines, as may be amended from time to time by Vendor in its sole discretion.
1.10 Job Request
“Job Request” means the Job request form submitted by Customer and accepted by Vendor regarding the Services.
“Shots” means the number of times the Circuit submitted by Customer will be run by the Services.
“Technology” means the IonQ quantum computer, and all software, interfaces, tools, utilities and other technologies relating thereto (and any related intellectual property) that is provided by or on behalf of Vendor and used to provide the Services (the “IonQ Quantum Technology”).
2. Provision of Services
Subject to Customer’s compliance with the terms of this Agreement, including payment of applicable fees, Vendor will provide Customer with the ability to submit Jobs for execution through the Services using the Access Protocols made available by Vendor.
All Jobs are subject to acceptance or rejection by Vendor in its sole discretion. Neither entering into this Agreement nor receiving access to the Services guarantees that any particular Job, or any Job at all, will be accepted for execution by Vendor.
2.3 Provision of Compute Services
Once a Job is accepted by Vendor, Vendor will provide the Compute Services for the Job. Vendor makes no guarantees as to how long a Job will take to run or when a Job will be completed. Once a Job is completed, Vendor will promptly provide the results back to Customer.
Customer agrees that it will not, and will not permit any other party to: (a) allow any third party to access the Services or Documentation; (b) sublicense, lease, sell, resell, rent, loan, distribute, transfer, or otherwise allow the use of the Services or Documentation for the benefit of any third party except as expressly allowed herein; or (c) access or use the Services or Documentation for the purpose of developing or creating a competitive service or product.
3. Proprietary Rights
3.1 Customer Materials
Customer hereby grants Vendor a non-exclusive, worldwide, royalty-free, and fully-paid license to use all code, algorithms, data, instructions, and other materials provided by Customer (“Customer Data”) in connection with the provisions of the Services. As between the parties, Customer owns all right, title, and interest in the Customer Data.
3.2 Customer Responsibility and Obligations
Customer may not share any Access Protocols issued to or on behalf of Customer or access the Services for any other party. Customer (not Vendor) will be liable for any activities undertaken, or omissions made, by anyone using its Access Protocols. Customer will immediately notify Vendor of any unauthorized use of its Access Protocols or any breach of security relating to the Services known to Customer. Furthermore, Customer shall ensure that all Jobs, Customer Data, and applications used by Customer in connection with the Services comply with this Agreement, all applicable laws, the Documentation, and Job Guidelines. Customer is also responsible for obtaining and maintaining any required consents necessary to permit the processing of Customer Data under this Agreement. Customer will not disclose to any third party the results of any survey, benchmark test or other evaluation of the Services or the Technology except with Vendor’s prior written consent. Vendor is not obligated to back up any Customer Data, and Customer is solely responsible for creating backup copies of any Customer Data and any results of the Services obtained by Customer, at Customer’s sole cost and expense. Customer shall have the sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data. Vendor makes no guarantees as to which version of the Technology any given Job will be run on.
3.3 Vendor Materials
Vendor owns and retains all right, title and interest (including, but not limited to, all copyright and patent rights) in the Services, Technology, and Documentation, and Vendor reserves all rights to the foregoing that are not expressly granted herein. No other license or right of any kind (express or implied) is granted to Customer by Vendor in or to the Services, Documentation, Technology, or any part thereof.
Customer hereby grants Vendor a royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate in the Services any suggestions, enhancement requests, recommendations or other feedback provided by Customer relating to the Services (“Feedback”).
3.5 Usage Data
The parties acknowledge and agree that Vendor may collect usage data relating to Customer’s use of the Services. Vendor will own all rights in such data and may use such data for any purpose (including, but not limited to, providing the Services and Technology, and troubleshooting, auditing, and improving the Services and Technology), provided that if Vendor provides such data to a third party it will aggregate and anonymize such data so that Customer cannot be identified as the source of such data. In no event will such usage data contain the details of the Job (e.g., the code or algorithms sent by Customer or the results thereof).
3.6 Data Processing Addendum
Unless a separate agreement covering the subject matter of this Agreement is entered into by the parties that specifically references the Data Processing Addendum, each party will comply with the Data Processing Addendum attached to this Agreement as Attachment 1. The Data Processing Addendum is incorporated into this Agreement by reference.
Vendor will implement reasonable technical and organizational safeguards designed to protect Customer Data against unauthorized loss, destruction, alteration, access, or disclosure.
3.8 Third Party Materials
As a part of the Services, Customer may have access to materials that are hosted by another party. Customer agrees that it is not possible for Vendor to monitor such materials and that Customer’s access to these materials is at Customer’s risk.
3.9 Open Source Software
Certain items of software may be provided to Customer with the Services and are subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. The Open Source Software is not subject to the terms and conditions of Sections 3.1 or 6.1. Instead, each item of Open Source Software is licensed under the terms of the end-user license that accompanies such Open Source Software. Nothing in this Agreement limits Customer’s rights under, or grants Customer rights that supersede, the terms and conditions of any applicable end user license for the Open Source Software. If required by any license for particular Open Source Software, Vendor makes such Open Source Software, and Vendor’s modifications to that Open Source Software, available by written request at the notice address set forth below.
Vendor provides information to help copyright holders manage their intellectual property online, but Vendor cannot determine whether something is being used legally without input from the copyright holders. Vendor will respond to notices of alleged copyright infringement and may terminate repeat infringers in appropriate circumstances as required to maintain safe harbor for online service providers under the U.S. Digital Millennium Copyright Act. If Customer believes a person or entity is violating Customer’s copyrights, Customer can notify Vendor at Vendor’s notice address described in Section 10.7 (Notice).
Customer agrees to provide Vendor with a reasonable opportunity to review and comment on any article or other publication, whether in digital or printed form, regarding the Compute Services, Technology or the execution of Customer’s Jobs prior to the publication of such article or other publication. Vendor may object to such publication if Vendor deems such article or publication may: (a) result in the inadvertent disclosure of Vendor’s confidential or trade secret information, and/or (b) include an inaccuracy relating to the algorithm or the optimization of the algorithm utilized for the Compute Services requested by the Customer. The Customer further agrees that Customer will not publish the results of any Compute Services provided by Vendor for the Customer, without Vendor’s prior written consent, which shall not be unreasonably withheld.
If requested by Vendor, Customer agrees to cooperate in good faith with Vendor on a press release or similar marketing materials following execution of this Agreement and agrees to allow Vendor to list (using Customer’s name and/or Customer’s logo, as determined by Vendor) Customer as a customer on Vendor’s website.
“Confidential Information” means any nonpublic information of a party (the “Disclosing Party”), whether disclosed orally or in written or digital media, that is identified as “confidential” or with a similar legend at the time of such disclosure or that the receiving party (the “Receiving Party”) knows or should have known is the confidential or proprietary information of the Disclosing Party. The Services, Documentation, and Technology, and all enhancements and improvements thereto will be considered Confidential Information of Vendor. The Jobs and Customer Data will be considered the Confidential Information of Customer.
4.2 Protection of Confidential Information
The Receiving Party agrees that it will not use or disclose to any third party any Confidential Information of the Disclosing Party, except as expressly permitted under this Agreement. The Receiving Party will limit access to the Confidential Information to those employees or contractors who have a need to know, who have confidentiality obligations no less restrictive than those set forth herein, and who have been informed of the confidential nature of such information. In addition, the Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access, or disclosure in the same manner that it protects its own proprietary information of a similar nature, but in no event with less than reasonable care. At the Disclosing Party’s request or upon termination or expiration of this Agreement, the Receiving Party will return to the Disclosing Party or destroy (or permanently erase in the case of electronic files) all copies of the Confidential Information of the Disclosing Party, and the Receiving Party will, upon request, certify to the Disclosing Party its compliance with this sentence.
The confidentiality obligations set forth in Section 4.2 will not apply to any information that (a) is at the time of disclosure or becomes generally available to the public through no fault of the Receiving Party; (b) is rightfully provided to the Receiving Party without restriction by a third party who is free of any confidentiality duties or obligations; (c) was already rightfully known to the Receiving Party at the time of disclosure free of any confidentiality duties or obligations; or (d) the Receiving Party can demonstrate, by clear and convincing evidence, was independently developed by employees and contractors of the Receiving Party who had no access to the Confidential Information. In addition, the Receiving Party may disclose Confidential Information to the extent that such disclosure is necessary for the Receiving Party to enforce its rights under this Agreement or is required by law or by the order of a court or similar judicial or administrative body, provided that (to the extent legally permissible) the Receiving Party promptly notifies the Disclosing Party in writing of such required disclosure and cooperates with the Disclosing Party if the Disclosing Party seeks an appropriate protective order.
5.1 Fees and Payment
Unless otherwise agreed to in a Job Request, Customer shall pay Vendor the fees for Jobs and Shots as set forth in the Vendor pricing identified when placing the Jobs (the “Fees”). Non-payment or late payment of undisputed fees are material breaches of this Agreement. If any amount is past due more than thirty (30) days, Customer shall pay interest on the overdue balance at the rate of 1% per month or the maximum permitted by law, whichever is less, plus all expenses of collection. Vendor shall be entitled to withhold performance and discontinue service until all amounts due are paid in full.
The Fees are exclusive of all applicable sales, use, value-added and other taxes, and all applicable duties, tariffs, assessments, export and import fees, or other similar charges, and Customer will be responsible for payment of all such taxes (other than taxes based on Vendor’s income), fees, duties, and charges and any related penalties and interest, arising from the payment of the Fees or the provision of the Services to Customer. Customer will make all payments of Fees to Vendor in USD and free and clear of, and without reduction for, any withholding taxes; any such taxes imposed on payments of Fees to Vendor will be Customer’s sole responsibility, and Customer will provide Vendor with official receipts issued by the appropriate taxing authority, or such other evidence as the Vendor may reasonably request, to establish that such taxes have been paid. Customer shall indemnify and defend Vendor in connection with any proceedings brought by any taxing authorities in connection with this Agreement.
6. Warranty; Disclaimer
6.1 Vendor Warranty
Vendor represents and warrants that it will provide the Services in a professional and workmanlike manner and that the Services will conform with the Documentation provided for those Services. Vendor does not guarantee that a given Job will return any results or expected results. Customer is responsible for creating the Job and Vendor is only responsible for running the accepted Jobs as submitted by Customer on Vendor Technology as part of the Services.
6.2 Customer Warranty
By submitting a Job and/or any Customer Data to the Services, Customer represents and warrants that (a) Customer has all necessary rights (including the necessary rights from any end users) to grant Vendor the licenses set forth herein with respect to such Job and Customer Data; (b) the Job and Customer Data shall not (i) misappropriate any trade secret; (ii) be deceptive, libelous, obscene, unlawful, or otherwise objectionable; (iii) contain any viruses, worms or other malicious computer programming codes intended to damage Vendor’s system or data; or (iv) violate any applicable laws; and (c) the Job and Customer Data comply with all applicable laws, rules, regulations, and Job Guidelines in effect at the time of such submission.
THE PARTIES ACKNOWLEDGE THAT THE SERVICES AND TECHNOLOGY ARE EXPERIMENTAL IN NATURE AND THAT THE DOCUMENTATION, TECHNOLOGY, AND SERVICES ARE PROVIDED “AS IS.” VENDOR MAKES NO (AND HEREBY DISCLAIMS ALL) REPRESENTATIONS AND WARRANTIES, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. IONQ DOES NOT WARRANT THAT ANY ERRORS CAN BE CORRECTED, OR THAT OPERATION OF THE SERVICES SHALL BE UNINTERRUPTED OR ERROR-FREE. SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO CUSTOMER.
7. Limitation of Liability
7.1 Limits on Liability
IN NO EVENT WILL (A) EITHER PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOST DATA) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR ITS PERFORMANCE HEREUNDER; AND (B) EITHER PARTY’S LIABILITY TO THE OTHER AS A RESULT OF ANY CLAIM ARISING UNDER THIS AGREEMENT, REGARDLESS OF WHETHER SUCH CLAIM IS BASED ON BREACH OF CONTRACT, TORT, STRICT LIABILITY, OR ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNT PAID BY CUSTOMER IN THE TWELVE (12) MONTHS PRIOR TO THE OCCURRENCE OF THE ACT OR OMISSION GIVING RISE TO SUCH CLAIM. SOME STATES AND JURISDICTIONS DO NOT ALLOW FOR THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO CUSTOMER.
7.2 Basis of the Bargain
The parties agree that the limitations of liability set forth in this section shall survive and continue in full force and effect despite any failure of consideration or of an exclusive remedy. The parties acknowledge that the Fees have been set and the Agreement entered into in reliance upon these limitations of liability and that all such limitations form an essential basis of the bargain between the parties.
8. Term and Termination
This Agreement shall apply to any Jobs submitted to Vendor until such time as the terms have changed as contemplated above (“Term”).
9. Governing Law and Venue
This Agreement and any action related thereto will be governed and interpreted by and under the laws of the State of Maryland, without reference to conflicts of laws principles. Both parties expressly agree that any action relating to this Agreement shall exclusively be brought in Maryland, and both parties irrevocably consent to the jurisdiction of the state and federal courts located in Maryland. Each party expressly waives any objection that it may have based on improper venue or forum non-conveniens to the conduct of any such suit or action in any such court. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement. Customer shall always comply with all international and domestic laws, ordinances, regulations, and statutes that are applicable to its use of the Services hereunder.
10.1 Independent Contractors
The parties are independent contractors and nothing in this Agreement shall be deemed to create any partnership, joint venture or agency relationship between the parties. Neither party is, nor will either party hold itself out to be, vested with any power or right to bind the other party contractually or act on behalf of the other party as a broker, agent or otherwise.
10.2 Entire Agreement
This Agreement, together with all Job Requests, contains the entire agreement of the parties with respect to its subject matter and supersedes any prior or contemporaneous understandings or communications (oral or written) regarding such subject matter. This Agreement, and any order, may be modified only by a written amendment executed by an authorized representative of each party. In the event of a conflict between the terms in an order and this Agreement, the terms contained in this Agreement shall control unless otherwise expressly stated in the order.
In the event any provision of this Agreement is held by a court of law or other governmental agency to be void or unenforceable, such provision shall be changed and interpreted so as to best accomplish the objectives of the original provision to the fullest extent allowed by law, and the remaining provisions shall remain in full force and effect.
Neither party shall assign this Agreement without the other party’s prior written consent, which shall not be unreasonably withheld. Notwithstanding the foregoing, either party may assign this Agreement without the other party’s consent to a successor of its business or assets to which this Agreement relates pursuant to a merger, consolidation, reorganization or sale of substantially all of its assets or stock related to this Agreement. This Agreement shall be binding upon and inure to the benefit of the parties and their successors and permitted assigns.
10.5 Force Majeure
Vendor shall not be deemed to be in breach of this Agreement for any failure or delay in performance caused by reasons beyond its reasonable control, including, but not limited to, any failure, disruptions or issues related to any third party services or acts, or any acts of God, war, terrorism, strikes, failure of suppliers, fires, floods or earthquakes.
10.6 Export Control
The use of the Services is subject to U.S. export control laws and may be subject to similar regulations in other countries. Customer agrees to comply with all such laws.
Any notice given under this Agreement shall be in writing and shall be effective (i) upon receipt or refusal if (a) delivered by hand or (b) sent via overnight mail by a nationally recognized express delivery service; or (ii) sent via U.S. mail, postage prepaid, certified mail return receipt requested, when addressed to the address set forth below (or to such other address that a party may specify in a notice given under this Section).
No delay or omission to exercise any right or remedy accruing to either party hereunder shall impair that right or remedy or be construed to be a waiver of any breach or default. No waiver of any provision of this Agreement shall be valid unless in writing and signed by the waiving party.
Attachment 1: Data Processing Addendum
This Data Processing Addendum (this “Addendum”) forms part of the Agreement between Vendor and Customer. This Addendum applies where and only to the extent that Vendor processes Customer Personal Data on behalf of Customer in the course of providing the Service or support to Customer under the Agreement. This Addendum does not apply where Vendor determines the purpose and means of the processing of personal data.
Customer and Vendor agree, based on their current and intended use and provision of the Service and Vendor’s commitments under this Addendum, as applicable, (a) meet each party’s needs as applicable, including with respect to any security obligations of Customer under European Data Protection Law and/or Non-European Data Protection Law, as applicable, and (b) provide a level of security appropriate to the risk of the Customer Data.
1.1 Terms defined in the Agreement apply to this Addendum. In addition, in this Addendum:
- “Alternative Transfer Solution” means a solution, other than the Model Contract Clauses, that enables the lawful transfer of personal data to a third country in accordance with European Data Protection Law.
- “Customer Personal Data” means the personal data contained within the Customer Data.
- “Data Incident” means a breach of Vendor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Vendor.
- “EEA” means the European Economic Area.
- “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “European Data Protection Law” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
- “European or National Law” means, as applicable: (a) EU or EU Member State law (if the EU GDPR applies to the processing of Customer Personal Data); and/or (b) the law of the UK or a part of the UK (if the UK GDPR applies to the processing of Customer Personal Data).
- “GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.
- “Model Contract Clauses” mean the Standard Contractual Clauses for Processors approved by the European Commission for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
- “Non-European Data Protection Law” means data protection or privacy laws in force outside the European Economic Area, Switzerland and the UK.
- “Subprocessor” means a third party authorized as another processor under this Addendum to have logical access to and process Customer Data to provide parts of the Service and support.
- “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, if in force.
1.2 The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this Addendum have the meanings given in the GDPR irrespective of whether European Data Protection Law or Non-European Data Protection Law applies.
This Addendum will, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Vendor as described in this Addendum.
3. Scope of Data Protection Law
3.1 Application of European Law.
The parties acknowledge that European Data Protection Law will apply to the processing of Customer Personal Data if, for example:
- the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA or the UK; and/or
- the Customer Personal Data is personal data relating to data subjects who are in the EEA or the UK and the processing relates to the offering to them of goods or services in the EEA or the UK, or the monitoring of their behavior in the EEA or the UK.
3.2 Application of Non-European Law
The parties acknowledge that Non-European Data Protection Law may also apply to the processing of Customer Personal Data.
3.3 Application of Terms
Except to the extent this Addendum states otherwise, this Addendum will apply irrespective of whether European Data Protection Law or Non-European Data Protection Law applies to the processing of Customer Personal Data.
4. Processing of Data
4.1 Roles and Regulatory Compliance; Authorization
4.1.1 Processor and Controller Responsibilities
If European Data Protection Law applies to the processing of Customer Personal Data: (a) the subject matter and details of the processing are described in Appendix 1; (b) Vendor is a processor of that Customer Personal Data under European Data Protection Law; (c) Customer is a controller or processor, as applicable, of that Customer Personal Data under European Data Protection Law; and (d) each party will comply with the obligations applicable to it under European Data Protection Law with respect to the processing of that Customer Personal Data.
4.1.2 Authorization by Third Party Controller
If European Data Protection Law applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants that its instructions and actions with respect to that Customer Personal Data, including its appointment of Vendor as another processor, have been authorized by the relevant controller.
4.1.3 Responsibilities under Non-European Law
If Non-European Data Protection Law applies to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.
4.2 Scope of Processing
4.2.1 Customer’s Instructions
Customer instructs Vendor to process Customer Personal Data only in accordance with applicable law: (a) to provide the Service and support; (b) as further specified via Customer’s use of the Service (including account administration portals and other functionality of the Service) and support; (c) as documented in the Agreement, including this Addendum; and (d) as further documented in any other written instructions given by Customer and acknowledged by Vendor as constituting instructions for purposes of this Addendum.
4.2.2 Vendor’s Compliance with Instructions
Vendor will comply with the instructions described in Section 4.2.1 (Customer’s Instructions) (including with regard to data transfers) unless European or National Law to which Vendor is subject requires other processing of Customer Personal Data by Vendor, in which case Vendor will notify Customer (unless that law prohibits Vendor from doing so on important grounds of public interest) before such other processing.
5. Data Deletion
5.1 Deletion by Customer
Vendor will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Service. If Customer uses the Service to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Vendor to delete the relevant Customer Data from Vendor’s systems in accordance with applicable law.
5.2 Deletion on Termination
On expiry of the Term, Customer instructs Vendor to delete all Customer Data (including existing copies) from Vendor’s systems in accordance with applicable law. This requirement will not apply: (a) to the extent Vendor is required by applicable law to retain some or all of the Customer Data, or (b) to Customer Data that Vendor has archived on back-up systems, which Customer Data Vendor will securely isolate and protect from any further processing, except to the extent required by law.
6. Data Security
6.1 Vendor’s Security Measures, Controls and Assistance
6.1.1 Vendor’s Security Measures
Vendor will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). Vendor may update the Security Measures from time to time if such updates do not result in the degradation of the overall security of the Service.
6.1.2 Security Compliance by Vendor Staff
Vendor will: (a) take appropriate steps to ensure compliance with the Security Measures by its employees and contractors to the extent applicable to their scope of performance, and (b) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.
6.1.3 Vendor’s Security Assistance
Vendor will (taking into account the nature of the processing of Customer Personal Data and the information available to Vendor) assist Customer in ensuring compliance with its obligations under Articles 32 to 34 of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Section 6.1.1 (Vendor’s Security Measures); (b) complying with the terms of Section 6.2 (Data Incidents); (c) providing Customer with the Security Documentation in accordance with Section 6.4 (Customer’s Audit Rights) and the information contained in the Agreement including this Addendum; and (d) if subsections (a)-(c) above are insufficient for Customer to comply with such obligations, upon Customer’s request, providing additional reasonable assistance.
6.2 Data Incidents
Vendor will notify Customer promptly and without undue delay after becoming aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Customer Data. Vendor’s notification of a Data Incident will describe, to the extent possible, the nature of the Data Incident, the measures taken to mitigate the potential risks and the measures Vendor recommends Customer take to address the Data Incident.
6.3 Customer’s Security Responsibilities
Without prejudice to Vendor’s obligations under Sections 6.1 (Vendor’s Security Measures, Controls and Assistance) and 6.2 (Data Incidents), and elsewhere in the Agreement, Customer is responsible for its use of the Service and its storage of any copies of Customer Data outside Vendor’s or its Subprocessors’ systems, including: (a) protecting the security of Customer Data when in transit to and from the Service; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up its Customer Data as appropriate.
6.4 Customer’s Audit Rights
Upon Customer’s request, and subject to the confidentiality obligations of the Agreement, Vendor will make available to Customer (or Customer’s independent, third-party auditor) information regarding Vendor’s compliance with the security obligations specified in this Addendum in the form of third-party certifications and audit reports (such certifications and reports the “Security Documentation”). Customer agrees that Vendor’s compliance with Section 6.1 (Vendor’s Security Measures, Controls and Assistance) will fulfil any audit cooperation responsibilities that may apply to Vendor under Data Protection Laws.
7. Impact Assessments and Consultations
Vendor will (taking into account the nature of the processing and the information available to Vendor) assist Customer in ensuring compliance with its obligations under Articles 35 and 36 of the GDPR, by: (a) providing the Security Documentation in accordance with Section 6.4 (Customer’s Audit Rights); (b) providing the information contained in the Agreement including this Addendum; and (c) if subsections (a) and (b) above are insufficient for Customer to comply with such obligations, upon Customer’s request, providing additional reasonable assistance.
8.1 Access
During the Term, Vendor will enable Customer, in a manner consistent with the functionality of the Service, to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Vendor as described in Section 5.1 (Deletion by Customer), and to export Customer Data.
8.2 Customer Responsibility for Data Subject Requests
During the Term, if Vendor receives a request from a data subject relating to Customer Personal Data, and the request identifies Customer, Vendor will advise the data subject to submit their request to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Service.
8.3 Vendor’s Data Subject Request Assistance
Vendor will (taking into account the nature of the processing of Customer Personal Data) assist Customer in fulfilling its obligations under Chapter III of the GDPR to respond to requests for exercising the data subject’s rights by: (a) complying with Sections 8.1 (Access) and 8.2 (Customer’s Responsibility for Data Subject Requests); and (b) if subsections (a) and (b) above are insufficient for Customer to comply with such obligations, upon Customer’s request, providing additional reasonable assistance.
9. Data Transfers
9.1 Data Storage and Processing Facilities
Vendor may store and process Customer Data anywhere Vendor or its Subprocessors maintain data processing operations.
9.2 Transfers of Data
9.2.1 Vendor’s Transfer Obligations
If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EEA, Switzerland or the UK, and European Data Protection Law applies to the transfers of such data (“Transferred Personal Data”), Vendor will:
- ensure that Vendor complies with the Model Contract Clauses, which are incorporated into this Addendum by reference, and ensure that the transfers are made in accordance with such Model Contract Clauses; and/or
- offer an Alternative Transfer Solution for such data, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to Customer about such Alternative Transfer Solution.
9.2.2 Customer’s Transfer Obligations
For Transferred Personal Data, Customer will:
- comply with the Model Contract Clauses as the exporter of such data, if under European Data Protection Law Vendor reasonably requires Customer to do so; and
- use an Alternative Transfer Solution offered by Vendor for such data and take any action (which may include execution of documents) strictly required to give full effect to such solution if under European Data Protection Law Vendor reasonably requires Customer to do so.
9.3 Disclosure of Confidential Information Containing Personal Data
If the Model Contract Clauses apply as described in Section 9.2 (Transfers of Data), Vendor will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of Customer’s Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.
10.1 Consent to Subprocessor Engagement
Customer authorizes the engagement as Subprocessors of: (a) those entities listed at the URL provided by the Vendor on the Listing, as may be updated by Vendor from time to time in accordance with this Addendum; and (b) all other Vendor Affiliates from time to time. In addition, without prejudice to Section 10.3 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement as Subprocessors of any other third parties (each, a “New Third Party Subprocessor”).
10.2 Requirements for Subprocessor Engagement
When engaging any Subprocessor, Vendor will:
- ensure via a written contract that: (i) the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Addendum) and any Model Contract Clauses entered into or Alternative Transfer Solution adopted by Vendor as described in Section 9.2 (Transfers of Data); and (ii) if the GDPR applies to the processing of Customer Personal Data, the data protection obligations described in Article 28(3) of the GDPR, as described in this Addendum, are imposed on the Subprocessor; and
- remain fully liable for all obligations subcontracted to the Subprocessor, and all acts and omissions of the Subprocessor, in each case relating to Vendor’s obligations under this Addendum.
10.3 Opportunity to Object to Subprocessor Changes
When any New Third Party Subprocessor is engaged during the Term, Vendor will, at least 30 days before the New Third Party Subprocessor starts processing any Customer Data, notify Customer of the engagement (including the name and headquartered location of the relevant Subprocessor and the activities it will perform), such as by updating the URL provided by the Vendor on the Listing.
10.3.2 Opportunity to Object
Customer may object in writing to Vendor’s engagement of a New Third Party Subprocessor, but only if such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Customer may, as its sole and exclusive remedy, suspend or terminate the Agreement.
11.1 Liability Cap
The total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement, including this Addendum and the Model Contract Clauses as applicable, combined will be subject to any limitation of liability provisions (including any agreed aggregate financial cap) that apply under the Agreement.
11.2 Liability Cap Exclusions
Nothing in Section 11.1 (Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
12. Effect of this Addendum
Notwithstanding anything to the contrary in the Agreement, in the event of any conflict or inconsistency between this Addendum and the remaining terms of the Agreement, this Addendum will govern.
Appendix 1: Subject Matter and Details of the Data Processing
- Subject Matter: Vendor’s provision of the Service and Support to Customer.
- Duration of the Processing: The Term plus the period from the expiry of the Term until deletion of all Customer Data by Vendor in accordance with the Agreement.
- Nature and Purpose of the Processing: Vendor will process Customer Personal Data for the purposes of providing the Service and Support to Customer in accordance with the Agreement, including this Addendum.
- Categories of Data: Data relating to individuals provided to Vendor via the Service, by (or at the direction of) Customer.
- Data Subjects: Data subjects include the individuals about whom data is provided to Vendor via the Service by (or at the direction of) Customer.
Appendix 2: Security Measures
As from the effective date of the Agreement, Vendor will implement and maintain the Security Measures described in this Appendix 2.
1. Data Access and Storage
1.1 Access Controls
Customer’s administrators and end users must authenticate themselves via a central authentication system or via a single sign on system to use the Service.
Vendor makes encryption available.
1.3 Storage and Sharing
Vendor stores data in a multi-tenant environment. Subject to any Customer instructions to the contrary, Vendor replicates Customer Data between multiple geographically dispersed data centers. Vendor also logically isolates Customer Data, and logically separates each end user’s data from the data of other end users, and data for an authenticated end user will not be displayed to another end user (unless the former end user or an administrator allows the data to be shared). Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Service, will enable Customer to determine the product sharing settings applicable to end users for specific purposes.
1.4.1 Data Transmission
Vendor transfers data via Internet standard protocols.
1.4.2 External Attack Surface
Vendor employs multiple layers of network devices and intrusion detection to protect its external attack surface. Vendor considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Vendor’s intrusion detection involves:
- tightly controlling the size and make-up of Vendor’s attack surface through preventative measures;
- employing intelligent detection controls at data entry points; and
- employing technologies that automatically remedy certain dangerous situations.
1.5 Incident Response
Vendor monitors a variety of communication channels for security incidents, and Vendor’s security personnel will react promptly to known incidents.
2.1 Infrastructure Security Personnel
Vendor has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Vendor’s infrastructure security personnel are responsible for the ongoing monitoring of Vendor’s security infrastructure, the review of the Service, and responding to security incidents.
2.2 Vendor Personnel
Vendor personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Vendor conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Vendor’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (e.g., certifications). Vendor’s personnel will not process Customer Data without authorization.
2.3 Internal Data Access Processes and Policies – Access Policy
Vendor’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Vendor designs its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing. The systems are designed to detect any inappropriate access. Vendor employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. Vendor’s authentication and authorization systems are designed to provide Vendor with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Vendor requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Vendor’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength.
3. Subprocessor Security
Before onboarding Subprocessors, Vendor conducts appropriate due diligence of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Vendor has assessed the risks presented by the Subprocessor, then subject to the requirements described in Section 10.2 (Requirements for Subprocessor Engagement) of this Data Processing Addendum, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
4. Business Continuity
Vendor has designed and regularly plans and tests its business continuity planning/disaster recovery programs.