Software Terms and Conditions

SOFTWARE SUBSCRIPTION & SERVICES TERMS & CONDITIONS

These Software Subscription & Services Terms & Conditions (“Terms & Conditions”), including the exhibits hereto, form part of an agreement (this “Agreement”) by and between ProSymmetry, LLC, an Ohio Limited Liability Company (“PROSYMMETRY”) and each customer (“Customer”) that has executed and/or is subject to one or more ProSymmetry order forms (each an “Order”).  This Agreement is comprised of such Order and these Terms & Conditions, which are incorporated therein, and is effective as of the date the former has been executed by both Customer and PROSYMMETRY or otherwise takes effect (“Effective Date”).    Each of PROSYMMETRY and Customer is a “Party,” and are together the “Parties,” to this Agreement.

    1. LICENSE. Pursuant to the terms of this Agreement, the PROSYMMETRY proprietary software referenced in an Order, including related user guide, manuals and updates provided by PROSYMMETRY to Customer (collectively, the “Software”) and the use thereof is licensed to Customer and not sold.  Except as otherwise expressly provided, and consistent with each Order, PROSYMMETRY and/or its service providers will provide access to the Software via the Internet to Customer’s Authorized Users, which may be used solely for Customer’s internal business purposes.
      1. Only those officers, directors, employees, vendors and agents of Customer designated by Customer to use the Software, up to but not exceeding the number of users duly authorized and paid for pursuant to an Order, may access and use the Software (“Authorized Users”), provided that; Customer shall at all times be and remain responsible and liable for the actions of Authorized Users, including their strict compliance with the terms of this Agreement.
      2. The rights granted hereunder are non-exclusive, non-transferable and terminable as provided herein.
      3. This Agreement is a subscription that contemplates one or more Orders, each of which incorporates and is subject to these Terms & Conditions.  In the event of any conflict between these Terms & Conditions and the terms of an Order, the terms of such Order shall prevail only if they expressly identify the provision hereof to be modified or overridden and recite the Parties’ express intention to do so.
    2. RESTRICTIONS.  Except as expressly authorized herein, Customer may not, directly or indirectly:
      1. copy, modify, distribute or publicly display the Software, in whole or in part;
      2. assign, sublicense, rent, lease, lend, transfer or otherwise make available the Software to any other party or in any type of environment not directly related to Customer’s internal business purposes;
      3. use the Software in excess of the levels (by resources and users) agreed to and paid for by Customer pursuant to an Order;
      4. cause or permit reverse engineering (except to the extent expressly permitted by applicable law despite this limitation), decompilation, disassembly, modification, translation, or any attempt to extract or reproduce the source code of the Software or create derivative works of the Software; or
      5. benchmark, evaluate or use the Software for the purpose of competing with PROSYMMETRY.
    3. FEES & TAXES.  Customer will pay to PROSYMMETRY all fees set forth in each Order, on such terms as prescribed therein (“Fees”), provided that; in the absence of a different payment schedule in an Order, such Fees will be due and payable by Customer on an annual basis in advance. Customer will pay the appropriate government agency (or reimburse PROSYMMETRY) any taxes or charges imposed in connection with the Fees under this Agreement, including, but not limited to, sales, use, VAT, excise, customs duties and other similar taxes (other than taxes based on PROSYMMETRY’s net income or property), to the extent that Customer is not exempt from such taxes or charges. PROSYMMETRY will collect all such taxes and charges, as it is required, unless Customer provides PROSYMMETRY with proof of exemption.
    4.  INTELLECTUAL PROPERTY.  PROSYMMETRY or its licensors retain all right, title and interest in and to the Software and all related patents, patent rights, copyrights, trademarks, trade secrets and other proprietary rights (collectively, “Intellectual Property”) therein, which is protected by applicable Intellectual Property laws. Customer may not remove any product identification, copyright, trademark or other Intellectual Property notices from the Software.  PROSYMMETRY reserves all rights not expressly granted hereunder.
    5. MUTUAL CONFIDENTIALITY. Each Party (for purposes of this provision, “Recipient”) agrees that it will not disclose Confidential Information of the other Party (for purposes of this provision, “Discloser”) to any third party, or use Discloser’s Confidential Information for any purpose other than performing under this Agreement.
      1. “Confidential Information” means proprietary or confidential information, including, among other things (i) such information relating to products or services provided by a Discloser, financial information, software, flow charts, techniques, designs, specifications, development and marketing plans, strategies, and forecasts; (ii) as to PROSYMMETRY and its licensors, the Software; (iii) as to Customer, all data uploaded to the Software by or on behalf of Customer (“Customer Data”); and (iv) the terms of this Agreement, including without limitation, Software pricing information.
      2. Exclusions. Confidential Information excludes information that is: (i) rightfully in Recipient’s possession without any obligation of confidentiality; (ii) or becomes a matter of public knowledge through no fault of Recipient; (iii) received by Recipient from a third party without violation of any duty of confidentiality; (iv) independently developed by or for Recipient without use of the Confidential Information; or (v) required to be disclosed by applicable law or court order, provided that; before any disclosure thereof, Recipient will notify Discloser of such requirement and cooperate fully with Discloser (at the latter’s expense) in seeking to protect the confidentiality of such information.
      3. Customer Data. For the avoidance of doubt, PROSYMMETRY asserts no proprietary rights to Customer Data and Customer has the right to remove Customer Data from the Software at any time or request its deletion therefrom.  Customer is solely responsible to secure proper authorization (by consent or otherwise) to process any Customer Data, for the accuracy thereof and for the selection and implementation of controls on access to and use of such Customer Data, including that stored or residing in the Software.  All processing of Customer Data hereunder is subject to the Data Processing Addendum attached hereto as Exhibit A.
    6. WARRANTIES.
      Subject to Customer’s fulfillment of its obligations under this Agreement, PROSYMMETRY hereby represents and warrants as follows:

      1. Availability.  Except as otherwise provided herein or in an Order, PROSYMMETRY will employ commercially reasonable efforts to maintain the availability of the Software at least 99.7% of the time in any given month, excluding maintenance outages (which PROSYMMETRY will undertake to schedule reasonably in advance), provided that; PROSYMMETRY’s sole liability and Customer’s exclusive remedy for failure to maintain that level of availability, as documented in writing by Customer within ten (10) days following the end of the relevant month and confirmed by PROSYMMETRY, will be an equitable adjustment (e.g., credit) in the Fees otherwise due to PROSYMMETRY for the succeeding month;
      2. Performance.  Except as otherwise provided herein or in an Order, for a period of ninety (90) days following commencement of Customer’s access to the Software in connection with the applicable Order, the Software will perform in substantial conformity with its user guide, provided that; (i) this warranty will not apply to any non-conformity caused by factors other than the Software (including, e.g., Authorized Users’ incompatible browsers, other non-PROSYMMETRY software, Customer’s hardware, misuse of the Software, etc.) or that cannot be replicated by PROSYMMETRY, and (ii) PROSYMMETRY’s sole liability and Customer’s exclusive remedy for any asserted breach of such warranty will be for PROSYMMETRY to modify the Software and/or user guide to correct such non-conformity;
      3. Services. PROSYMMETRY shall perform such consulting, development, implementation, support or other professional services as Customer has purchased pursuant to an Order (collectively, “Services”) in a timely and workmanlike manner using qualified personnel, consistent with generally-accepted industry standards and terms of the applicable Order and any related statement of work executed by the Parties (“Statement of Work”), provided that; Customer acknowledges that PROSYMMETRY’s performance of such Services depends directly on Customer’s timely commitment, cooperation and participation and agrees to appoint a project manager to serve as Customer’s point of contact for the Services, with authority to act on behalf of the Customer in all matters regarding the Services, including (a) managing Customer personnel and responsibilities; (b) serving as the interface between PROSYMMETRY and all participating Customer  personnel and departments; (c) participating in project status meetings; (d) promptly securing and providing any necessary information, data, and/or decisions reasonably requested by PROSYMMETRY; (e) resolving schedule deviations caused by Customer; (f) resolving  (or escalating to resolution, as necessary) project issues; (g) addressing any special invoice or billing requirements associated with the Services; and (h) approving any adjustments to Fees for Services; and
      4. Malware. PROSYMMETRY has used commercially reasonable efforts consistent with industry standards (i) to scan for and remove any known viruses from the Software, and (ii) to avoid incorporating into the Software any computer code not reflected in its documentation that is designed to delete, interfere with, or disable the normal operation of the Software (excluding PROSYMMETRY license keys).

EXCEPT FOR THE FOREGOING WARRANTIES, PROSYMMETRY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED AND STATUTORY, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.  CUSTOMER EXPRESSLY ACKNOWLEDGES THAT THE SOFTWARE MAY NOT BE ERROR FREE NOR ITS USE UNINTERRUPTED.

  7. SUPPORT. PROSYMMETRY will provide such maintenance and support Services for the Software as Customer has purchased under the relevant Order, consistent with PROSYMMETRY’s then-current Support Policy, as presently set forth in Exhibit B (“Support”).  Customer acknowledges that PROSYMMETRY may, from time to time and upon written notice to Customer, modify its Support Policy.
  8. TERM & TERMINATION. Except as otherwise expressly provided in an Order, each Order will have a one (1) year term and will automatically renew on an annual basis, unless either Party provides at least thirty (30) days’ advance notice of non-renewal. Either Party may terminate this Agreement or an Order, upon a material breach by the other Party, which has not been cured within thirty (30) days after written notice of such breach. Customer may also terminate this Agreement for convenience upon thirty (30) days’ advance notice to PROSYMMETRY.  Termination of this Agreement will not change Customer’s payment obligations under any Order, nor entitle Customer to any refund of Fees. Upon termination of this Agreement for any reason, Customer and all Authorized Users must immediately cease use of the Software (whether still accessible to Customer or Authorized Users or not) and PROSYMMETRY will promptly delete, or at Customer’s request and expense, return to Customer all Customer Data in its custody.
  9. INDEMNIFICATION.
    1. PROSYMMETRY will indemnify, defend and hold harmless Customer from and against any judgment, damage, injury, loss or expense (including reasonable attorney fees) resulting from any claim brought by a third party alleging that the Software infringes or misappropriates such third party’s Intellectual Property rights existing as of the Effective Date, provided that Customer immediately notifies PROSYMMETRY of the assertion of such claim, acknowledges ProSymmetry’s control over the defense and/or settlement thereof and cooperates fully with ProSymmetry in connection with same. This section represents Customer’s sole and exclusive remedy and PROSYMMETRY’s sole liability for any third party Intellectual Property claims.
    2. Customer will indemnify, defend and hold harmless PROSYMMETRY from and against any judgment, damage, injury, loss or expense (including reasonable attorney fees) resulting from any claim brought by any third party based upon PROSYMMETRY’s possession, storage or processing of any Customer Data or other data provided to PROSYMMETRY by Customer, regardless of the grounds or legal theory upon which such claim is based, provided that PROSYMMETRY immediately notifies Customer of the assertion of such claim and communicates regularly with Customer in connection with same. This section represents PROSYMMETRY’s sole and exclusive remedy and Customer’s sole liability for any third party claims based on Customer Data or other data provided to PROSYMMETRY in connection with this Agreement.
  10. LIMITATIONS OF LIABILITY. PROSYMMETRY SHALL HAVE NO LIABILITY TO CUSTOMER FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES RELATING TO OR ARISING OUT OF THIS AGREEMENT OR THE SUBJECT MATTER HEREOF (INCLUDING, WITHOUT LIMITATION, LOST PROFITS, OR DAMAGE TO OR LOSS OR DISCLOSURE OF DATA), REGARDLESS OF WHETHER ARISING UNDER CONTRACT OR TORT LAW OR OTHER LEGAL THEORY AND EVEN IF ADVISED OF THE POSSIBILITY THEREOF.   UNDER NO CIRCUMSTANCE WILL PROSYMMETRY’S TOTAL, CUMULATIVE LIABILITY FOR ALL DAMAGES ARISING FROM OR IN CONNECTION WITH THIS AGREEMENT OR THE SUBJECT MATTER HEREOF, WHETHER RESULTING FROM ONE OR MORE CLAIMS AND ARISING UNDER ANY LEGAL THEORY, EXCEED THE TOTAL FEES PAID TO PROSYMMETRY DURING THE SIX (6) MONTHS PRECEDING THE EVENT(S) GIVING RISE TO SUCH LIABILITY.
  11. MISCELLANEOUS TERMS.
    1. Survival, Waivers. Sections 2, 4, 5, 8, 9, 10 and 11 of these Terms & Conditions shall survive termination hereof.  Any waiver by a Party of any breach of this Agreement will not be construed as a waiver of any continuing or succeeding breach.
    2. Assignment. Customer may not assign or transfer this Agreement, including any Order, or any right or obligation hereunder to any third party without PROSYMMETRY’s prior written consent, except that this Agreement and all Orders may be assigned to the buyer of all, or substantially all, the assets or business of Customer.
    3. Notices. Any notices under this Agreement must be in writing and must be delivered by registered mail (or by courier or overnight service with tracking number) to the receiving Party at the address shown in the latest Order or to such other address as either Party designates by notice as provided herein.
    4. Governing Law and Dispute Resolution. This Agreement is governed by the laws of the State of Ohio, without regard to its choice of law principles. Any dispute between the Parties related to this Agreement must first be addressed by the relevant executives of each Party, who shall meet upon the written request of either Party in a good faith attempt to resolve all outstanding issues before either initiates any adversarial proceeding.  If a resolution has not been reached within ten (10) days after such meeting, either Party may require the dispute to be determined by binding arbitration before a single arbitrator in Cleveland, Ohio, under the then-current Commercial Arbitration Rules of the American Arbitration Association. Notwithstanding the foregoing, nothing in this Agreement will prevent PROSYMMETRY from obtaining injunctive relief in any court of competent jurisdiction, without the necessity of posting bond or demonstrating immediate, irreparable harm, in order to protect its Intellectual Property rights in the Software.
    5. Enforceability. If any term of this Agreement is held invalid or unenforceable, the remaining terms shall remain in effect.
    6. PO Terms.  For the avoidance of doubt, the Parties agree that E.
    7. Entire Agreement and Changes. These Terms & Conditions, including the exhibits hereto, and the Order(s) (including any related Statement of Work), embody the complete and exclusive Agreement of the Parties regarding the subject matter hereof and supersede any prior or contemporaneous communications, negotiations or agreements between the Parties relating to same. This Agreement may not be modified except in writing executed by both Parties.  Similarly, any Statement of Work for Services hereunder may only be modified pursuant to a change request (that describes, at a minimum, the changes requested and the resulting effects on the related Services and Fees for same) submitted in writing by one Party and expressly approved by the other, as reflected in a project change authorization executed by both Parties.
    8. Force Majeure. Neither Party shall be liable for any failure or delay in performance due to events or circumstances beyond its control.

Exhibit A

Data Processing Addendum

to Software Subscription & Services Terms & Conditions

This Data Processing Addendum (the “Addendum”) supplements the ProSymmetry Software Subscription & Services Terms & Conditions (the “Terms & Conditions”) and the agreement of which they are part (the “Agreement”) by and between ProSymmetry, LLC, an Ohio Limited Liability Company (“ProSymmetry”), and the customer identified in an applicable Order (the “Customer”).  This Addendum is dated and effective as of the Effective Date of the Agreement.

BACKGROUND

The Agreement governs access to and use of the Software and related services, pursuant to which data uploaded by the Customer may be stored or processed by ProSymmetry. This Addendum sets out the terms of the Agreement governing data processing.

AGREED TERMS 

  1. Definitions

    1.1. Capitalized words and phrases not defined in this Addendum have the same meanings as in the Terms & Conditions.

    1.2. “Compliant Jurisdiction” means (i) the United Kingdom, or (ii) a country within the European Economic Area, or (iii) a country with the benefit of a favorable adequacy decision under Article 45 of Regulation (EU) 2016/679.

    1.3. “GDPR” means Regulation (EU) 2016/679 (commonly known as the General Data Protection Regulation), as amended from time to time.

    1.4. References to ‘Controller’, ‘Data Subject’, ‘Personal Data’, ‘Data Breach’, ‘Processor’, ‘Processing’ (including ‘Process,’ ‘Processed,’ etc.), ‘Sensitive Data’ and ‘Supervisory Authority’ have the meanings defined in GDPR. References to ‘Sub-Processor’ mean another Processor appointed by a Processor.

    1.5. “Service Data” means aggregated information that is not Personal Data and does not identify the Customer, which arises or results from ProSymmetry’s delivery of the Services pursuant to the Agreement or this Addendum.

  2. Status of this Addendum

    2.1. This Addendum supplements the Terms & Conditions and forms part of the Agreement.

    2.2. This Addendum applies only to data of or from Customer that includes or might potentially include Personal Data but which expressly excludes Sensitive Data (“Customer Data”) in circumstances where the Processing of that Personal Data by ProSymmetry is subject to GDPR.

    2.3. If this Addendum is inconsistent with any other provisions of the Agreement, the Parties intend that the provisions of this Addendum should prevail.

  3. EU Data Protection Legislation

    3.1. For all Personal Data provided to ProSymmetry by or on behalf of Customer for Processing under the Agreement, the Parties intend and agree that Customer is the Controller and ProSymmetry is the Processor of the Personal Data.

    3.2. Except for (i) login details of authorized users of the Software; and (ii) Customer Data that includes Personal Data and is supplied to ProSymmetry by Customer other than by uploading it to or through the Software (if any), ProSymmetry and Customer agree as follows:

    3.2.1.   ProSymmetry will have no responsibility to Process, store or retain Customer Data except pursuant to the Agreement or other written instructions received from Customer (as Controller) and acknowledged and agreed to by ProSymmetry;

    3.2.2. ProSymmetry may implement and maintain such technical and organizational measures to protect Customer Data against unauthorized Processing, accidental loss, destruction, damage, theft, alteration or disclosure (including confidentiality obligations on the part of its employees consistent with the Agreement), as are appropriate in light of the nature of the Customer Data and the harm that might result from the foregoing;

    3.2.3. Customer Data may be Processed by ProSymmetry using encryption methods that render such Customer Data unintelligible to ProSymmetry personnel and any software other than for the normal operation of the Software;

    3.2.4. ProSymmetry, as Processor, may engage one or more Sub-Processors to Process Customer Data pursuant hereto;

    3.2.5.  Customer determines and controls the Customer Data to be Processed hereunder and is solely responsible for transferring or providing access to any Personal Data therein, excluding Sensitive Data therefrom, and for complying with GDPR, as Controller thereof;

    3.2.6. Even if the Customer uses the features of the Software to identify Customer Data that contains Personal Data, such attributes of Customer Data may be inaccessible or unintelligible to ProSymmetry personnel and ProSymmetry may therefore be unable to:

    3.2.6.1. ascertain whether Customer Data includes Personal Data (as a result of which ProSymmetry may treat all Customer Data as if it might include Personal Data);

    3.2.6.2.  ascertain whether Customer Data includes any special categories of Personal Data (as a result of which ProSymmetry will not treat any Customer Data any differently);

    3.2.6.3. ascertain whether the Software is used by authorized users to Process Customer Data outside the European Economic Area;

    3.2.6.4. determine when Personal Data ought to be deleted or when Processing of Personal Data ought to cease;

    3.2.6.5. take any steps to comply with the rights of Data Subjects for access to Personal Data, rectification or erasure of Personal Data, data portability, rights to be forgotten, or to act upon any notices from Data Subjects; or

    3.2.6.6. keep a record of Processing with any greater information or detail than that which is expressly required to be kept by ProSymmetry pursuant to the Agreement and this Addendum;

    3.2.7. ProSymmetry will have the right to collect, extract, compile, synthesize and analyze Service Data and, except as otherwise provided in the Agreement or herein, will own all rights in and to the Service Data.

  4. Protection of Personal Data

    If Customer uses the Software to Process any Customer Data that includes Personal Data in circumstances where the Processing of that Personal Data is subject to GDPR, for the purpose of ensuring an adequate level of protection as required by Article 45 thereof, either:

    4.1. ProSymmetry is certified under the Privacy Shield Framework (see www.privacyshield.gov) and shall use commercially reasonable efforts to remain certified for so long as the Framework continues and is generally recognized as satisfying the requirements of Article 45 of GDPR; or

    4.2. ProSymmetry and Customer shall execute the Standard Contractual Clauses substantially in the form set out in Schedule 1 to this Addendum.

SCHEDULE 1: STANDARD CONTRACTUAL CLAUSES

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

[The gaps below are populated with details of the relevant party:]

Name of the data exporting organization:

Address:

Tel.:       ; fax:       ; e-mail:

Other information needed to identify the organization

. . . . . . . . . . . . . . . . . . . . . . . . . .

(the data exporter)

Name of the data importing organization: ProSymmetry, LLC

Address: 25800 Science Park Dr., Beachwood, Ohio 44122

Other information needed to identify the organization:
ProSymmetry, LLC is an Ohio limited liability company.

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1 hereto.

Background

The data exporter has entered into a data processing addendum (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.

Clause 1

Definitions

For the purposes of the Clauses:

(a)    ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b)    ‘the data exporter’ means the controller who transfers the personal data;
(c)    ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d)    ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e)    ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f)    ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a)    that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b)    that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c)    that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d)    that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e)    that it will ensure compliance with the security measures;
(f)    that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g)    to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h)    to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i)    that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j)    that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:
(a)    to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b)    that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c)    that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d)    that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)    to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f)    at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g)    to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h)    that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i)    that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j)    to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

    The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    (a)    to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    (b)    to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

[Populated with details of, and deemed signed on behalf of, the data exporter:]
Name (written out in full):
Position:
Address:

Other information necessary in order for the contract to be binding (if any):

Signature

On behalf of the data importer:

[Populated with details of, and deemed signed on behalf of, the data importer:]
Name (written out in full):
Position:
Address:

Other information necessary in order for the contract to be binding (if any):

Signature

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES 

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is:

Data importer

The data importer is:

ProSymmetry, LLC

Data subjects

The personal data transferred concern the following categories of data subjects:

  • Names and email addresses for Service Users
  • [Other??]

Categories of data

The personal data transferred concern the following categories of data:

  • ProSymmetry maintains Log-in credentials for authorized users as authorized/permitted/recognized by the Customer.
  • Additional types and categories of Personal Data and Data Subjects which the Customer may process are as follows: _____________________________

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

  • None

Processing operations

The personal data transferred will be subject to the following basic processing activities:

  • ProSymmetry verifies that only credentials authorized by the Customer are authenticated for access to the Software
  • Storing, indexing, retrieving, searching and distributing emails and documents generated in the course of the Data Exporter’s business for the purpose of providing the Data Exporter with a document management system
  • Encrypting data at rest or in transit and decrypting the data to render underlying files in their original machine and human readable format upon the instructions of Service Users

Sub-processors

The Data Importer has subcontracted some processing of personal data as follows:

_________________________________________________________________

DATA EXPORTER

[Populated with details of, and deemed to be signed on behalf of, the data exporter:]

Name:

Authorized Signature

DATA IMPORTER

[Populated with details of, and deemed to be signed on behalf of, the data importer:]

Name:

Authorized Signature

 

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

In this Appendix 2:

“Agreement” means the Software Subscription & Services Agreement between Customer and ProSymmetry

“Customer” means the Data Exporter.

“ProSymmetry” means the Data Importer.

1.1. Except for (i) login details of authorized users; and (ii) Customer Data that happens to include personal data and is supplied to ProSymmetry personnel by Customer otherwise than by uploading it to or through the Software (there being no obligation or expectation of such supply), ProSymmetry represents and Customer agrees as follows:

1.1.1. Customer Data is processed by ProSymmetry using encryption methods that render the Customer data unintelligible to ProSymmetry personnel and any software other than for the normal operation of the Software;

1.1.2. even if the Customer uses the features of the Service to identify Customer data that contains personal data, such attributes of Customer data are unintelligible to ProSymmetry personnel;

1.1.3. ProSymmetry is therefore unable to:

1.1.3.1. ascertain whether Customer data includes personal data (and ProSymmetry therefore treats all Customer data as if it might include personal data);

1.1.3.2. ascertain whether Customer data includes any special categories of personal data (and ProSymmetry will not treat any such Customer data any differently);

1.1.3.3. ascertain whether the Software is used by authorized users to process outside the European Economic Area;

1.1.3.4. determine when personal data ought to be deleted or when processing of personal data ought to cease;

1.1.3.5. take any steps to comply with the rights of data subjects for access to personal data, rectification or erasure of personal data, data portability, rights to be forgotten, or to act upon any notices from data subjects; or

1.1.3.6. keep a record of processing with any greater information than that which is required to be kept by ProSymmetry pursuant to the Agreement and Standard Contractual Clauses.

1.2. ProSymmetry further agrees to:

1.2.1. if there is a personal data breach in relation to any Customer data, notify the Customer without undue delay and, where practicable, within 48 hours and thereafter assist the Customer with its obligations to notify the personal data breach to a supervisory authority;

1.2.2. provide the Customer with reasonable assistance to undertake data protection impact assessments in relation to processing of personal data pursuant to the Agreement and reasonable assistance requested by Customer in relation to any consultation with a supervisory authority that the Customer carries out in relation to such assessment, provided Customer bears the cost of ProSymmetry preparing data protection impact assessments for the Customer or providing reasonable assistance in consultation with a supervisory authority; and

1.2.3. make available to the Customer its standard Due Diligence Response (DDR) package which contains all information necessary to demonstrate compliance with the obligations in the Agreement and the Standard Contractual Clauses. Additionally, ProSymmetry will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, provided Customer bears the cost of the audit and auditors.

1.3. To the extent that ProSymmetry uses another processor to process any Customer data, it is agreed that:

1.3.1. the Sub-Processors at the date of these Standard Contractual Clauses are as set out in Appendix 1;

1.3.2. the Software and such sub-processor are common to all ProSymmetry customers;

1.3.3. ProSymmetry is responsible for the acts and omissions of its sub-processors;

1.3.4. from time to time and in its sole discretion, ProSymmetry may appoint different sub-processors;

1.3.5. ProSymmetry shall notify the Customer in advance of any changed or new sub-processors or any material change to the processing done by sub-processors, thereby giving the Customer an opportunity to object to such changes;

1.3.6. ProSymmetry shall ensure that each sub-processor agrees to contractual obligations and restrictions consistent with the provisions of the Standard Contractual Clauses;

and the parties agree that:

1.3.7. if ProSymmetry notifies the Customer of any changes to sub-processors and the Customer objects to such changes, the Customer will be entitled to terminate the Agreement (without liability for either party, and such termination will be deemed to be a no-fault termination) if the Customer has reasonable grounds for objecting to such changes on the grounds that the changes would cause the Customer to be in breach of EU data protection legislation (i.e., GDPR).

The measures deployed at any one time by ProSymmetry are set out at Appendix 3–ProSymmetry Security Summary. Without limiting ProSymmetry’s obligations in the Standard Contractual Clauses, ProSymmetry may change the measures so that they adapt to reflect changes in the Software and its services and the state of the art as regards information security.

 

APPENDIX 3 TO THE STANDARD CONTRACTUAL CLAUSES
ProSymmetry Security Summary

ProSymmetry employs a comprehensive range of procedures, tools, and independent services to provide industry-leading security for documents within its Document Management Service. Below is a summary overview of many of the security features used by ProSymmetry as of the date of this Addendum:

  1. Network Perimeter Defense
    – Internal, redundant, stateful firewalls
    – Load balancers (stateless firewalls)
    – Intrusion Detection System (IDS)
    – DMZ hosting all webservers
    – Inward-facing load balancers (stateless firewalls)
  2. Server Security
    – Real-time Monitoring
    – Activity Logging with log review and extended log retention
    – Strong passwords
    – Two-factor authentication access
    – Automated Deployment including scheduled destroy-and-replace
  3. Data Center Security
    – Physical perimeter barriers
    – Gated, monitored and controlled access
    – Visitation by pre-authorized appointment only, validated by government-issued photo ID
    – All guests accompanied by data center employees at all times
    – Internal and external 24×7 CCTV on all entries and key access areas, monitored and logged
    – Live security guards with regular security patrols
    – Segregated security zones requiring authorized access
    – On-site redundant backup power generation with extended fuel supplies
    – Redundant ISP access connections
  4. Application Security
    – Multi-Layer: Documents, Containers, Profile/Metadata
    – Customer-administered Permissions: ACLs, Ethical Firewalls
    – Authentication: Single Sign-on or Multi-factor Sign-on using Federated Identity with SAML 2.0, ADFS, RSA
    – Static and dynamic code reviews prior to each release
    – Ongoing developer training on OWASP security best practices
    – Audit Trails
  5. Data Protection
    – At Rest: Documents encrypted with AES-256 encryption by the Application using fully-entropic random keys
    – In Transit: Documents encrypted using https (SSL 128 with 2048 handshake) using TLS security protocols
    – All data obfuscated within an Object Store using a non-enumerated storage architecture
  6. Best Practices
    – Defective Media Retention (DOD 5520)
    – Hardened Operator Access (Two-Factor, VPN Tunnel, Removable Media Disablement)
    – Annual Penetration Tests
    – Monthly Vulnerability Scans
    – Regular Training
    – Annual Background Checks for all employees
    – Password Complexity Requirements
    – Mandatory Password Change required every 90 days
    – Internet acceleration (Akamai)
    – Annual SOC 2 Type 2 audits for security and availability
    – ISO 27001 Certification
  7. Internal I.T. Staff
    – Segregation of Responsibilities and Access
    – Hardware – Datacenter Operators
    – Application – Engineering and QA
    – Network – I.T. Staff
    – Servers & Storage – I.T. Staff
    – Security – Two-Factor I.T. Staff with audit by Compliance Team
    – Compliance and Audits – Independent Compliance Team
  8. Advanced Security
    – All documents are saved in a highly-secure object store infrastructure with erasure coding which, depending on the size of the document, either synchronously writes the documents to multiple, geographically dispersed data centers or mathematically slices documents into multiple data slices which are distributed across multiple, geographically dispersed data centers
    – Randomization of individual metadata files in over one million logical directories using a non-enumerated file structure within a fast-transaction, highly-secured SAN
    – Each document individually encrypted by the Service (not hardware encrypted)
    – Each document is encrypted using its own, unique AES-256 encryption key
    – Optional Customer Managed Encryption applied at the matter level, with customer owning and managing the Customer Managed Encryption Keys
  9. Planning for the Future
    – Expanding security protocols and policies
    – Integrated Cloud email management
    – Active development of additional functions and features

Exhibit B

Support Policy

This Support Policy is governed by and incorporated into the PROSYMMETRY Software Subscription & Services Terms & Conditions (the “Terms & Conditions”) and the agreement of which they are part (the “Agreement”). Capitalized terms not defined herein shall have the same meanings as in the Terms & Conditions. Consistent with the terms of each applicable Order, ProSymmetry shall employ commercially reasonable efforts to meet or exceed the standards set forth in this Support Policy.

  1. SERVICE
    1. Access. Except for Scheduled Maintenance or any unscheduled downtime due to failures beyond ProSymmetry’s reasonable control (such as errors or malfunctions due to Authorized Users’ browsers, computer systems, local networks or internet connectivity), ProSymmetry and/or its service providers (e.g., Amazon Web Services, Microsoft Azure) shall strive to make the Software available twenty-four (24) hours per day, seven (7) days a week with a minimum uptime level of ninety-nine and seven-tenths of a percent (99.7%) measured on a monthly basis. Such service availability does not, however, include periods of planned downtime.
    2. Scheduled Maintenance, Upgrades. ProSymmetry shall strive to conduct scheduled maintenance of the Software (“Scheduled Maintenance”) outside normal business hours (8:00AM EST – 8:00PM EST, Monday-Friday, excluding U.S. holidays).  Customer shall provide to ProSymmetry in writing (and update as necessary) the names and all relevant contact information of its primary and secondary system administrators responsible for Customer’s use of the Software (each a “SysAd”).  ProSymmetry shall attempt to give Customer’s SysAd at least twenty-four (24) hours prior notice of the exact date and time of such Scheduled Maintenance via e-mail or other timely means of communications.
    3. Monitoring and Notification. ProSymmetry shall monitor (i) network connectivity, (ii) application uptime, (iii) database uptime and (iv) security. In the event of (i) loss of network connectivity, (ii) application outage, (iii) database outage or (iv) security event, ProSymmetry shall promptly notify Customer’s SysAd and provide an estimate of time to resolve.
  2. DATA RETENTION AND RECOVERY. ProSymmetry shall back up Customer’s data on a daily basis and employ measures intended to ensure that the backup data is accessible and maintained in a manner to enable restoration of the backup version of End Users’ databases in the event of a system malfunction or outage. ProSymmetry shall retain such daily backups of Customer’s data for no more than thirty (30) days.
  3. SUPPORT REQUESTS. ProSymmetry service representatives shall be available to respond to Customer’s technical support requests sent by SysAd by email to Support@ProSymmetry.com (“Support Requests”) during the hours of 8:00am – 8:00pm Eastern Standard Time, Monday through Friday, excluding U.S. holidays (the “Support Hours”).
  4. ISSUE TRACKING. Support Requests submitted to ProSymmetry shall be classified as (i) Level 1 Critical, (ii) Level 2 High, (iii) Level 3 Medium or (iv) Level 4 Low. Customers shall classify such Support Requests in a reasonable manner, based on the severity of the underlying issue. Each Support Request shall be accompanied by (i) a thorough description of the underlying issue (including all information necessary to replicate it) and (ii) the primary point of contact and, if the latter is not a SysAd, (iii) the phone number and (iv) the e-mail address of the primary point of contact. Upon verifying the severity Level of the Support Request, ProSymmetry will use commercially reasonable efforts to respond to same, as follows:

    • Level 1 Critical – ProSymmetry will respond in 2 business hours.

    • Level 2 High – ProSymmetry will respond in 4 business hours.

    • Level 3 Medium – ProSymmetry will respond in 8 business hours.

    • Level 4 Low – ProSymmetry will respond in 16 business hours.

Customer acknowledges and agrees that ProSymmetry cannot guarantee uninterrupted access to or use of the Software or resolution of every issue affecting same and that ProSymmetry shall not be deemed to have breached any provision of the Agreement as a result of failing to resolve any issue within the foregoing response times or otherwise.  Customer further acknowledges and agrees that ProSymmetry shall have no liability for any failure or delay in performance resulting directly or indirectly from events or circumstances beyond its control, including acts of God, natural disasters, other catastrophes, acts of civil or military authority, civil disturbance, war, strikes or other labor disputes or disturbances, fire, transportation interruptions, shortages of facilities, fuel, energy, labor or materials, telecommunications disruptions, including interruptions of the Internet, or laws, regulations, acts or orders of any government agency or official thereof.

 
