Podquat



Terms of Service Agreement


Podquat Terms

This Podquat Terms of Service Agreement (the "Agreement") is entered into by and between Podquat, with offices at 512 W. MLK Jr Blvd, Austin, Texas 78701 ("Podquat") and the entity agreeing to the terms herein ("Customer"). This Agreement governs Customer's access to and use of the Services and will be effective as of the Effective Date. This Agreement is effective as of the date Customer clicks the "I Accept" button below (the "Effective Date"). If you are accepting on behalf of Customer, you represent and warrant that: (i) you have full legal authority to bind your employer, or the applicable entity, to these terms and conditions; (ii) you have read and understand this Agreement; and (iii) you agree, on behalf of the party that you represent, to this Agreement. If you do not have the legal authority to bind Customer, please do not click the "I Accept" button below. This Agreement governs Customer's access to and use of the Services.

  • 1. Services.
    • 1.1 Facilities and Data Transfer. All facilities used to store and process Customer Data will adhere to reasonable security standards no less protective than the security standards at facilities where Podquat stores and processes its own information of a similar type. Podquat has implemented at least industry standard systems and procedures to ensure the security and confidentiality of Customer Data, protect against anticipated threats or hazards to the security or integrity of Customer Data, and protect against unauthorized access to or use of Customer Data. As part of providing the Services, Podquat may transfer, store and process Customer Data in the United States or any other country in which Podquat or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data.
    • 1.2 Modifications.
      • a. To the Services. Podquat shall have the right to change, suspend or discontinue any aspect of the Service at any time, without notice. If Podquat makes a material change to the Services, Podquat will inform Customer, provided that Customer has subscribed with Podquat to be informed about such change.
      • b. To this Agreement. Podquat reserves the right to change or modify any of the terms and conditions contained in this Agreement or any policy governing the Service, at any time, by posting the new agreement at http://www.podquat.com/terms-of-service or such URL as Podquat may provide. Customer is responsible for regularly reviewing any updates to this Agreement. Any changes or modifications to this Agreement will become binding (i) by Customer's online acceptance of updated terms, or (ii) after Customer's continued use of the Service after such terms have been updated by Podquat.
    • 1.3 Customer Domain Name Ownership. Prior to providing the Services Podquat may verify that Customer owns or controls the Customer Domain Names. If Customer does not own or control the Customer Domain Names, then Podquat will have no obligation to provide Customer with the Services.
    • 1.4 Ads. Customer agrees that Podquat may serve Ads in connection with the Service.
  • 2. Customer Obligations.
    • 2.1 Compliance. Customer will use the Services in accordance with the Acceptable Use Policy. Podquat may make new applications, features or functionality for the Services available from time to time, the use of which may be contingent upon Customer's agreement to additional terms. In addition, Podquat will make other Non-Podquat Products (beyond the Services) available to Customer and its End Users in accordance with the Non-Podquat Product Terms and the applicable product-specific Podquat terms of service. If Customer does not desire to enable any of the Non-Podquat Products, Customer can enable or disable them at any time through the Admin Console.
    • 2.2 Customer Administration of the Services. Customer may specify one or more Administrators through the Admin Console who will have the rights to access Admin Account(s) and to administer the End User Accounts. Customer is responsible for: (a) maintaining the confidentiality of the password and Admin Account(s); (b) designating those individuals who are authorized to access the Admin Account(s); and (c) ensuring that all activities that occur in connection with the Admin Account(s) comply with the Agreement. Customer agrees that Podquat's responsibilities do not extend to the internal management or administration of the Services for Customer and that Podquat is merely a data-processor. Customer agrees that End Users may add or purchase third-party applications (subject to separate terms and conditions) from the Podquat Marketplace for use in their specific End User Accounts.
    • 2.3 Aliases. Customer is solely responsible for monitoring, responding to, and otherwise processing emails sent to the "abuse" and "postmaster" aliases for Customer Domain Names but Podquat may monitor emails sent to these aliases for Customer Domain Names to allow Podquat to identify Services abuse.
    • 2.4 End User Consent. Customer's Administrators may have the ability to access, monitor, use, or disclose data available to End Users within the End User Accounts. Customer will obtain and maintain all required consents from End Users to allow: (i) Customer's access, monitoring, use and disclosure of this data and Podquat providing Customer with the ability to do so and (ii) Podquat to provide the Services.
    • 2.5 Unauthorized Use. Customer will use commercially reasonable efforts to prevent unauthorized use of the Services and to terminate any unauthorized use. Customer will promptly notify Podquat of any unauthorized use of, or access to, the Services of which it becomes aware.
    • 2.6 Restrictions on Use. Unless Podquat specifically agrees in writing, Customer will not, and will use commercially reasonable efforts to make sure a third party does not: (a) sell, resell, lease, or the functional equivalent, the Services to a third party (unless expressly authorized in this Agreement); (b) attempt to reverse engineer the Services or any component; (c) attempt to create a substitute or similar service through use of, or access to, the Services; (d) use the Services for High Risk Activities; or (e) use the Services to store or transfer any Customer Data that is controlled for export under Export Control Laws. Customer is solely responsible for any applicable compliance with HIPAA.
    • 2.7 Third Party Requests. Customer is responsible for responding to Third Party Requests. Podquat will, to the extent allowed by law and by the terms of the Third Party Request: (a) promptly notify Customer of its receipt of a Third Party Request; (b) comply with Customer's reasonable requests regarding its efforts to oppose a Third Party Request; and (c) provide Customer with the information or tools required for Customer to respond to the Third Party Request. Customer will first seek to obtain the information required to respond to the Third Party Request on its own, and will contact Podquat only if it cannot reasonably obtain such information.
    • 2.8 Usage Policies and Limits. Customer is permitted 1 End User Account. Customer shall comply with any additional usage policies and limits concerning use of the Service as imposed by Podquat from time to time.
    • 2.9 End Users. Customer agrees that End Users will comply with the Acceptable Use Policy and the End User Terms.
  • 3. Fees. The Service is provided at no charge to Customer provided that Customer agrees that Podquat may (a) offer additional optional services to Customer or its End Users for a fee or (b) offer a premium version of the Service for a fee. Podquat may, at any time, discontinue the no-charge version of the Service and only offer a premium version. In this event, Podquat will provide notice consistent with Section 10 of this Agreement and Customer will have the opportunity to convert to the premium version.
  • 4. Technical Support Services. Customer is responsible for responding to any questions and complaints by End Users or other third parties relating to Customer or its End Users' use of the Services. Podquat will make available the Help Center to Customer and its End Users.
  • 5. Suspension.
    • 5.1 Of End User Accounts by Podquat. If Podquat becomes aware of an End User's violation of the Agreement, then Podquat may specifically request that Customer Suspend the applicable End User Account. If Customer fails to comply with Podquat's request to Suspend an End User Account, then Podquat may do so. The duration of any Suspension by Podquat will be until the applicable End User has cured the breach which caused the Suspension.
    • 5.2 Emergency Security Issues. Notwithstanding the foregoing, if there is an Emergency Security Issue, then Podquat may automatically Suspend the offending use. Suspension will be to the minimum extent and of the minimum duration required to prevent or terminate the Emergency Security Issue.
  • 6. Confidential Information.
    • 6.1 Obligations. Each party will: (a) protect the other party's Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information, except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates, employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates, employees and agents in violation of this Section.
    • 6.2 Exceptions. Confidential Information does not include information that: (a) the recipient of the Confidential Information already knew; (b) becomes public through no fault of the recipient; (c) was independently developed by the recipient; or (d) was rightfully given to the recipient by another party.
    • 6.3 Required Disclosure. Each party may disclose the other party's Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.
  • 7. Intellectual Property Rights; Brand Features.
    • 7.1 Intellectual Property Rights. Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other's content or any of the other's intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data, and Podquat owns all Intellectual Property Rights in the Services.
    • 7.2 Display of Brand Features. Podquat may display those Customer Brand Features authorized by Customer (such authorization is provided by Customer uploading its Brand Features into the Services) within designated areas of the Service Pages. Customer may specify the nature of this use using the Admin Console. Podquat may also display Podquat Brand Features on the Service Pages to indicate that the Services are provided by Podquat. Neither party may display or use the other party's Brand Features beyond what is allowed in this Agreement without the other party's prior written consent.
    • 7.3 Brand Features Limitation. Any use of a party's Brand Features will inure to the benefit of the party holding Intellectual Property Rights in those Brand Features. A party may revoke the other party's right to use its Brand Features pursuant to this Agreement with written notice to the other and a reasonable period to stop the use.
  • 8. Publicity. Customer agrees that Podquat may include Customer's name or Brand Features in a list of Podquat customers, online or in promotional materials. Customer also agrees that Podquat may verbally reference Customer as a customer of the Podquat products or services that are the subject of this Agreement. This section is subject to Section 7.3 (Brand Features Limitation).
  • 9. Representations, Warranties and Disclaimers.
    • 9.1 Representations and Warranties. Each party represents that it has full power and authority to enter into the Agreement. Each party warrants that it will comply with all laws and regulations applicable to its provision, or use, of the Services, as applicable (including applicable security breach notification law).
    • 9.2 Disclaimers. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, NEITHER PARTY MAKES ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. PODQUAT MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICES. CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE NOT A TELEPHONY SERVICE AND THAT THE SERVICES ARE NOT CAPABLE OF PLACING OR RECEIVING ANY CALLS, INCLUDING EMERGENCY SERVICES CALLS, OVER PUBLICLY SWITCHED TELEPHONE NETWORKS.
  • 10. Termination.
    • 10.1 By Customer. Customer may discontinue use of the Service at any time.
    • 10.2 By Podquat. Customer agrees that Podquat may at any time and for any reason terminate this Agreement and/or terminate the provision of all or any portion of the Service. Notwithstanding the foregoing, Podquat will provide at least thirty (30) days notice to Customer prior to terminating or suspending the Service; provided that the Service may be terminated immediately if (i) Customer has breached this Agreement or (ii) Podquat reasonably determines that it is commercially impractical to continue providing the Service in light of applicable laws.
    • 10.3 Effects of Termination. If this Agreement terminates, then: (i) the rights granted by one party to the other will cease immediately (except as set forth in this Section); (ii) Podquat will provide Customer access to, and the ability to export, the Customer Data for a commercially reasonable period of time; and (iii) after a commercially reasonable period of time, Podquat will delete Customer Data by removing pointers to it on Podquat's active servers and overwriting it over time.
  • 11. Indemnification. Customer will indemnify, defend, and hold harmless Podquat from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of a third party claim: (i) regarding Customer Data or Customer Domain Names; (ii) that Customer Brand Features infringe or misappropriate any patent, copyright, trade secret or trademark of a third party; or (iii) regarding Customer's use of the Services in violation of the Acceptable Use Policy. The party seeking indemnification will promptly notify the other party of the claim and cooperate with the other party in defending the claim. The indemnifying party has full control and authority over the defense, except that: (a) any settlement requiring the party seeking indemnification to admit liability or to pay any money will require that party's prior written consent, such consent not to be unreasonably withheld or delayed; and (b) the other party may join in the defense with its own counsel at its own expense.
  • 12. Limitation of Liability.
    • 12.1 Limitation on Indirect Liability. NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.
    • 12.2 Limitation on Amount of Liability. NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN ONE THOUSAND DOLLARS ($1000 USD).
    • 12.3 Exceptions to Limitations. These limitations of liability apply to the fullest extent permitted by applicable law but do not apply to breaches of confidentiality obligations, violations of a party's Intellectual Property Rights by the other party, or indemnification obligations.
  • 13. Miscellaneous.
    • 13.1 Notices. Unless specified otherwise herein: (a) all notices must be in writing and addressed to the attention of the other party's legal department and primary point of contact; and (b) notice will be deemed given: (i) when verified by written receipt if sent by personal courier, overnight courier, or when received if sent by mail without verification of receipt; or (ii) when verified by automated receipt or electronic logs if sent by facsimile or email.
    • 13.2 Assignment. Neither party may assign or transfer any part of this Agreement without the written consent of the other party, except to an Affiliate, but only if: (a) the assignee agrees in writing to be bound by the terms of this Agreement; and (b) the assigning party remains liable for obligations incurred under the Agreement prior to the assignment. Any other attempt to transfer or assign is void.
    • 13.3 Change of Control. Upon a change of control (for example, through a stock purchase or sale, merger, or other form of corporate transaction): (a) the party experiencing the change of control will provide written notice to the other party within thirty days after the change of control; and (b) the other party may immediately terminate this Agreement any time between the change of control and thirty days after it receives the written notice in subsection (a).
    • 13.4 Force Majeure. Neither party will be liable for inadequate performance to the extent caused by a condition (for example, natural disaster, act of war or terrorism, riot, labor condition, governmental action, and Internet disturbance) that was beyond the party's reasonable control.
    • 13.5 No Waiver. Failure to enforce any provision of this Agreement will not constitute a waiver.
    • 13.6 Severability. If any provision of this Agreement is found unenforceable, the balance of the Agreement will remain in full force and effect.
    • 13.7 No Agency. The parties are independent contractors, and this Agreement does not create an agency, partnership or joint venture.
    • 13.8 No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
    • 13.9 Equitable Relief. Nothing in this Agreement will limit either party's ability to seek equitable relief.
    • 13.10 Governing Law. This Agreement is governed by California law, excluding that state's choice of law rules. FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THIS AGREEMENT, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA.
    • 13.11 Amendments. Any amendment must be in writing and expressly state that it is amending this Agreement.
    • 13.12 Survival. The following sections will survive expiration or termination of this Agreement: Sections 6 (Confidentiality), 7 (Intellectual Property; Brand Features), 9 (Representations, Warranties and Disclaimers), 10 (Termination), 11 (Indemnification), 12 (Limitation of Liability), and 13 (Miscellaneous).
    • 13.13 Entire Agreement. This Agreement, and all documents referenced herein, is the parties' entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject. The terms located at a URL and referenced in this Agreement are hereby incorporated by this reference.
    • 13.14 Interpretation of Conflicting Terms. If there is a conflict between the documents that make up this Agreement, the documents will control in the following order: the Agreement, and the terms located at any URL.
  • 14. Definitions.
    • "Acceptable Use Policy" means the acceptable use policy for the Services available at http://www.podquat.com/terms-of-service or such other URL as may be provided by Podquat.
    • "Admin Account(s)" means the administrative account(s) provided to Customer by Podquat for the purpose of administering the Services. The use of the Admin Account(s) requires a password, which Podquat will provide to Customer.
    • "Admin Console" means the online tool provided by Podquat to Customer for use in reporting and certain other administration functions.
    • "Administrators" mean the Customer-designated technical personnel who administer the Services to End Users on Customer's behalf.
    • "Ads" means online advertisements displayed by Podquat to End Users.
    • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
    • "Brand Features" means the trade names, trademarks, service marks, logos, domain names, and other distinctive brand features of each party, respectively, as secured by such party from time to time.
    • "Confidential Information" means information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer's Confidential Information.
    • "Customer Data" means data, including email, provided, generated, transmitted or displayed via the Services by Customer or End Users.
    • "Customer Domain Names" mean the domain names owned or controlled by Customer, which will be used in connection with the Services.
    • "Emergency Security Issue" means either: (a) Customer's use of the Services in violation of the Acceptable Use Policy, which could disrupt: (i) the Services; (ii) other customers' use of the Services; or (iii) the Podquat network or servers used to provide the Services; or (b) unauthorized third party access to the Services.
    • "End Users" means the individuals Customer permits to use the Services.
    • "End User Account" means a Podquat-hosted account established by Customer through the Services for an End User.
    • "End User Terms" means those terms located at the following URL: http://www.podquat.com/terms-of-service, or such other URL as Podquat may provide.
    • "Export Control Laws" means all applicable export and reexport control laws and regulations, including the Export Administration Regulations ("EAR") maintained by the U.S. Department of Commerce, trade and economic sanctions maintained by the Treasury Department's Office of Foreign Assets Control, and the International Traffic in Arms Regulations ("ITAR") maintained by the Department of State.
    • "Help Center" means the Podquat help center accessible at http://www.Podquat.com/support/a, or other such URL as Podquat may provide.
    • "High Risk Activities" means uses such as the operation of nuclear facilities, air traffic control, or life support systems, where the use or failure of the Services could lead to death, personal injury, or environmental damage.
    • "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as may be amended from time to time, and any regulations issued thereunder.
    • "Intellectual Property Rights" means current and future worldwide rights under patent law, copyright law, trade secret law, trademark law, moral rights law, and other similar rights.
    • "Non-Podquat Products" means Podquat products which are not part of the Services, but which may be accessed by End Users using their End User Account login and password.
    • "Notification Email Address" means the email address designated by Customer to receive email notifications from Podquat. Customer may change this email address by notifying Podquat.
    • "SDN List" is the US Treasury Department's List of Specially Designated Nationals.
    • "Service Pages" mean the web pages displaying the Services to End Users.
    • "Services" means those services Podquat may provide.
    • "Suspend" means the immediate disabling of access to the Services, or components of the Services, as applicable, to prevent further use of the Services.
    • "Term" means the term of the Agreement, which will begin on the Effective Date and continue until the earlier of: (i) the end of the last Services Term or (ii) the Agreement is terminated as set forth herein.
    • "Third Party Request" means a request from a third party for records relating to an End User's use of the Services. Third Party Requests can be a lawful search warrant, court order, subpoena, other valid legal order, or written consent from the End User permitting the disclosure.

Data Processing Amendment

The Customer agreeing to these terms (“Customer”) and Podquat, LLC (as applicable, “Podquat”) have entered into the Agreement (as amended to date, the "Agreement"). This amendment (the “Data Processing Amendment”) is entered between Customer and Podquat as of the Effective Date and amends the Agreement. The “Effective Date” is the date Customer accepts this Data Processing Amendment by clicking to accept these terms.

If you are accepting on behalf of Customer, you represent and warrant that: (i) you have full legal authority to bind your employer, or the applicable entity, to these terms and conditions; (ii) you have read and understand this Amendment; and (iii) you agree, on behalf of the party that you represent, to this Amendment. If you do not have the legal authority to bind Customer, please do not click the “I Accept” button below.

  • 1. Introduction
    • This Data Processing Amendment reflects the parties’ agreement with respect to terms governing the processing of Customer Data under the Agreement, including with respect to personal data in accordance with the Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and the member countries’ national implementation.
  • 2. Definitions
    • 2.1 Capitalized terms used but not defined in this Data Processing Amendment will have the meaning provided in the Agreement. In this Data Processing Amendment, unless expressly stated otherwise:
    • “Additional Products” means products, services and applications (whether made available by Podquat or a third party) that are not part of the Services.
    • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
    • “Agreement” means the Podquat Terms of Service Agreement and this Data Processing Amendment.
    • “Customer Data” means data (including personal data) provided, generated, transmitted or displayed via the Services by Customer or End Users.
    • “Data Protection Legislation” means the national provisions adopted pursuant to the Directive, in the country in which the Customer is established.
    • “Directive” means Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
    • “Podquat Group” means those Podquat Affiliates that may be used to provide the Services to Customer.
    • “Instructions” means instructions provided by Customer via correspondence, instructions initiated by the Customer and End Users in their use of the Services, the written instructions of the Customer specified in this Agreement (as amended or replaced) and any subsequent written instructions from the Customer to Podquat and acknowledged by Podquat.
    • “Model Contract Clauses” means the standard contractual clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
    • “Safe Harbor Privacy Principles” means the U.S. Department of Commerce Safe Harbor framework requirements as set out at the following URL: http://export.gov/safeharbor/eu/eg_main_018475.asp, or any replacement framework or URL from time to time.
    • “Security Incident” means accidental or unlawful distribution or accidental loss, alteration, or unauthorised disclosure or access to Customer Data by Podquat, its Subprocessors or any third party, provided that such incident is not directly or indirectly caused by Customer’s or End User’s act or omission.
    • “Security Measures” has the meaning given in Section 6.1 of this Data Processing Amendment.
    • “Subprocessors” means the Podquat Group and Third Party Suppliers.
    • “Services” means, for purposes of this Data Processing Amendment, those services defined as the “Podquat Core Services” under the Agreement which are more fully described at the following URL: http://www.podquat.com/services, as such URL may be updated from time to time by Podquat.
    • “Third Party Suppliers” means the third party suppliers engaged by the Podquat Group for the purposes of processing Customer Data in the context of the provision of the Services.
    • 2.2 The terms “personal data”, “processing”, “controller” and “processor” shall have the meanings ascribed to them in the Directive.
  • 3. Term
    • This Data Processing Amendment shall automatically terminate upon the expiry or termination of the Agreement.
  • 4. Data Protection Legislation
    • The parties agree and acknowledge that the Data Protection Legislation applies to the processing of Customer Data.
  • 5. Processing of Customer Data
    • 5.1. Processor. With respect to Customer Data under this Agreement, the parties acknowledge and agree that Customer shall be the controller and Podquat shall be a processor. Customer shall comply with its obligations as a controller and Podquat shall comply with its obligations as a processor under the Agreement. Where a Customer Affiliate is the controller (either alone or jointly with the Customer) with respect to certain Customer Data, Customer represents and warrants to Podquat that it is authorized to instruct Podquat and otherwise act on behalf of such Customer Affiliate in relation to the Customer Data in accordance with the Agreement, as amended.
    • 5.2 Scope of Processing. Customer instructs Podquat to process Customer Data for the following purposes: (a) to comply with Instructions, (b) to provide the Services (as selected by the Customer via the Admin Console); (c) to provide product features to facilitate Customer’s use of Services and tools for the Customer to create content; (d) to operate, maintain and support the infrastructure used to provide the Services; and (e) to respond to customer support requests. Podquat will only process Customer Data in accordance with this Agreement and will not process Customer Data for any other purpose.
    • 5.3 Other Services. Customer acknowledges that if it installs, uses, or enables Additional Products that interoperate with the Services but are not part of the Services itself, then the Services may allow such Additional Products to access Customer Data as required for the interoperation of those Additional Products with the Services. The Agreement does not apply to the processing of data transmitted to and from such other Additional Products. Such separate Additional Products are not required to use the Services and may be restricted for use as determined by Customer’s system administrator in accordance with the Agreement.
  • 6. Data Security
    • 6.1. Security Measures. Podquat will take and implement appropriate technical, administrative and organizational measures designed to protect Customer Data against a Security Incident ("Security Measures"). As of the Effective Date Podquat has implemented the Security Measures in Appendix 2. Podquat may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the material degradation of the Security of the Services.
    • 6.2. Podquat Staff. Podquat will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance.
    • 6.3. Security Incident. If Podquat becomes aware of a Security Incident, Podquat will notify Customer of such Security Incident as soon as reasonably practicable, having regard to the nature of such Security Incident. Podquat will use commercially reasonable efforts to work with Customer in good faith to address any known breach of Podquat’s security obligations under the Agreement. Customer is solely responsible for fulfilling any third party notification obligations.
    • 6.4. Security Certification. During the Term, Podquat will maintain its ISO/IEC 27001:2005 Certification or a comparable certification (“ISO Certification”) for the Services.
    • 6.5. Security Audit. During the Term, Podquat will maintain its Statement on Standards for Attestation Engagements (SSAE) No. 16 Type II / International Standards for Assurance Engagements (ISAE) No. 3402 report (or a comparable report) on Podquat’s systems examining logical security controls, physical security controls, and system availability (“Audit Report”) as related to the Services.
    • 6.6. Distribution of Audit Report. Podquat will update the Audit Report at least every eighteen (18) months. A summary of the Audit Report is available on Podquat’s website.
    • 6.7. Audit Rights. Podquat has included the security certification and audit obligations in Sections 6.4, 6.5 and 6.6 of this Data Processing Amendment at the request of the Customer, and where Customer or a Customer Affiliate has entered into the Model Contract Clauses with a Podquat Group entity as described under Section 10.3 (Model Contract Clauses), Customer agrees that the security certification and audit obligations of this Data Processing Amendment will be deemed to fully satisfy the audit rights granted under clauses 5(f) and 12(2) of such Model Contract Clauses with respect to Customer and any applicable authorized Customer Affiliate.
  • 7. Data Correction, Blocking and Deletion
    • For the term of the Agreement Podquat will provide Customer or End Users with the ability to correct, block, export and delete Customer Data in a manner consistent with the functionality of the Services. After termination or expiry of the Agreement, Podquat will delete Customer Data in accordance with the terms of the Agreement.
  • 8. Access to Data
    • Podquat will make available to Customer the Customer Data in accordance with the terms of the Agreement in a manner consistent with the functionality of the Services, including the applicable SLA. To the extent Customer, in its use and administration of the Services, does not have the ability to amend or delete Customer Data (as required by applicable law) or migrate Customer Data to another system or service provider, Podquat will comply with any reasonable requests by Customer to assist in facilitating such actions to the extent Podquat is legally permitted to do so and has reasonable access to the Customer Data.
  • 9. Data Privacy Officer
    • The Data Privacy Officer of Podquat can be contacted at: enterprise-dpo@Podquat.com
  • 10. Data Transfers
    • 10.1 Data Transfers. As part of providing the Services, Podquat may transfer, store and process Customer Data in the United States or any other country in which Podquat or its Group Companies maintain facilities.
    • 10.2 Safe Harbor. During the Term, Podquat Inc. will remain enrolled in the U.S. Department of Commerce Safe Harbor Program (“Safe Harbor”) or will adopt an alternative compliance solution which achieves compliance with the terms of the Directive. While Podquat Inc. remains enrolled in Safe Harbor: (i) the scope of Podquat Inc.'s Safe Harbor certification will include Customer Data; and (ii) the Podquat Group’s processing practices in respect of Customer Data will remain consistent with those described in Podquat Inc.'s Safe Harbor certification and the Safe Harbor Privacy Principles.
    • 10.3 Model Contract Clauses. During the Term Customer (or an authorized Customer Affiliate established in the European Economic Area) may enter into Model Contract Clauses with Podquat Inc. regarding the processing and transfer of Customer Data to third countries.
  • 11. Subprocessors
    • 11.1 Subprocessors. Podquat may engage Subprocessors to provide limited parts of the Services (including customer support services).
    • 11.2 Processing Restrictions. Podquat will ensure that Subprocessors only access and use Customer Data in accordance with the terms of the Agreement and that they are bound by written obligations that require them to provide at least the level of data protection required by the Safe Harbor Privacy Principles.
    • 11.3 Customer Consent to Subprocessing. Customer consents to Podquat subcontracting the processing of Customer Data to Subprocessors in accordance with the terms of the Agreement.
  • 12. Third Party Beneficiary
    • Notwithstanding anything to the contrary in the Agreement, where Podquat Inc., is not a party to the Agreement, Podquat Inc. will be a third party beneficiary of Section 6.7 of this Data Processing Amendment.
  • 13. Effect of Amendment.
    • To the extent of any conflict or inconsistency between the terms of this Data Processing Amendment and the remainder of the Agreement, the terms of this Data Processing Amendment will govern. Subject to the amendments in this Data Processing Amendment, the Agreement remains in full force and effect.

Appendix 1: Categories of Data and Data Subjects

Categories of Data

Personal data transmitted or displayed by Customer or End Users via the Services may include user IDs, email, documents, presentations, images, calendar entries, tasks and other electronic data.

Data Subjects

Personal data transferred or displayed via the Services may concern End Users including employees, contractors and the personnel of customers, suppliers and subcontractors. Data subjects may also include individuals collaborating and communicating with End Users.

Appendix 2: Security Measures

As of the Effective Date, Podquat abides by the Security Measures set out in this Appendix to the Data Processing Amendment. During the Term of the Agreement, the Security Measures may change but Podquat agrees that any such change shall not cause a material degradation in the security of the Services.

  • 1. Data Center & Network Security
    • (a) Data Centers.
      • Infrastructure. Podquat maintains geographically distributed data centers. Podquat stores all production data in physically secure data centers.
      • Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow Podquat to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.
      • Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.
      • Server Operating Systems. Podquat servers use a Linux based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. Podquat employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.
      • Business Continuity. Podquat replicates data over multiple systems to help protect against accidental destruction or loss. Podquat has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
    • (b) Networks & Transmission.
      • Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Podquat transfers data via Internet standard protocols.
      • External Attack Surface. Podquat employs multiple layers of network devices and intrusion detection to protect its external attack surface. Podquat considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.
      • Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Podquat intrusion detection involves:
        • 1. Tightly controlling the size and make-up of Podquat’s attack surface through preventative measures;
        • 2. Employing intelligent detection controls at data entry points; and
        • 3. Employing technologies that automatically remedy certain dangerous situations.
      • Incident Response. Podquat monitors a variety of communication channels for security incidents, and Podquat’s security personnel will react promptly to known incidents.
      • Encryption Technologies. Podquat makes HTTPS encryption (also referred to as SSL or TLS) available.
  • 2. Access and Site Controls
    • (a) Site Controls.
      • On-site Data Center Security Operation. Podquat’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor Closed Circuit TV (CCTV) cameras and all alarm systems. On-site Security operation personnel perform internal and external patrols of the data center regularly.
      • Data Center Access Procedures. Podquat maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.
      • On-site Data Center Security Devices. Podquat’s data centers employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 90 days based on activity.
    • (b) Access Control.
      • Infrastructure Security Personnel. Podquat has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Podquat’s infrastructure security personnel are responsible for the ongoing monitoring of Podquat’s security infrastructure, the review of the Services, and for responding to security incidents.
      • Access Control and Privilege Management. Customer’s administrators and end users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Services. Each application checks credentials in order to allow the display of data to an authorized End User or authorized Administrator.
      • Internal Data Access Processes and Policies – Access Policy. Podquat’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Podquat aims to design its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Podquat employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing RSA keys are designed to provide Podquat with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Podquat requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; a need to know basis; and must be in accordance with Podquat’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), Podquat uses hardware tokens.
  • 3. Data
    • (a) Data Storage, Isolation & Authentication.
    • Podquat stores data in a multi-tenant environment on Podquat-owned servers. Data, the Services database and file system architecture are replicated between multiple geographically dispersed data centers. Podquat logically isolates data on a per end user basis at the application layer. Podquat logically separates Customer’s data, including data from different end users, from each other, and data for an authenticated end user will not be displayed to another end user (unless the former end user or administrator allows the data to be shared). A central authentication system is used across all Services to increase uniform security of data.
    • The Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable Customer to determine the product sharing settings applicable to end users for specific purposes. Customer may choose to make use of certain logging capability that Podquat may make available via the Services, products and APIs. Customer agrees that its use of the APIs is subject to the API Terms of Use.
    • (b) Decommissioned Disks and Disk Erase Policy.
    • Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving Podquat’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.
  • 4. Personnel Security
    • Podquat personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Podquat conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
    • Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Podquat’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling customer data are required to complete additional requirements appropriate to their role (e.g., certifications). Podquat’s personnel will not process customer data without authorization.
  • 5. Subprocessor Security
    • Prior to onboarding Subprocessors, Podquat conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Podquat has assessed the risks presented by the Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

Podquat Data Processing Amendment, Version 1.1

Standard Contractual Clauses (processors)
for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to
processors established in third countries which do not ensure an adequate level of data protection

the non-Podquat legal entity accepting the Clauses (the “Data Exporter”)


And

Podquat, LLC.
(the “Data Importer”)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in Appendix 1.

The Clauses (including appendices 1 and 2) are effective from the date the non-Podquat entity has both: (i) executed a valid Podquat Terms of Service Agreement with Data Processing Amendment (collectively the “Services Agreement”) or is otherwise an authorized customer affiliate under such Services Agreement; and (ii) clicked to accept these Clauses.

If you are accepting on behalf of the Data Exporter, you represent and warrant that: (i) you have full legal authority to bind your employer, or the applicable entity, to these terms and conditions; (ii) you have read and understand the Clauses; and (iii) you agree, on behalf of the party that you represent, to the Clauses. If you do not have the legal authority to bind the Data Exporter, please do not click the “I Accept” button below. The Clauses shall automatically expire on the termination or expiry of the Services Agreement. The parties agree that where Data Exporter has been presented with these Clauses and clicked to accept these terms electronically, such acceptance shall constitute execution of the entirety of the Clauses by both parties, subject to the effective date described above.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘Data Subject’ and ‘Supervisory Authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the Data Exporter’ means the controller who transfers the personal data;

(c) ‘the Data Importer’ means the processor who agrees to receive from the Data Exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC;

(d) ‘the Subprocessor’ means any processor engaged by the Data Importer or by any other subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other subprocessor of the Data Importer personal data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the Data Exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The Data Subject can enforce against the Data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.

3. The Data Subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the Data Exporter

The Data Exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the Data Exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the personal data and the rights of Data Subject as the Data Importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the Data Importer

The Data Importer agrees and warrants:

(a) to process the personal data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the Data Exporter about:

  • (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
  • (ii) any accidental or unauthorised access; and
  • (iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the Data Exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;

(h) that, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;

(i) that the processing services by the Subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any Subprocessor agreement it concludes under the Clauses to the Data Exporter.

Clause 6

Liability

1. The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.

2. If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.

3. If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the data Subprocessor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own processing operations under the Clauses.

4. Without prejudice to paragraphs 1, 2 and 3 of Clause 6, each party’s aggregate liability to the other under or in connection with these Clauses (whether in contract, tort or otherwise) is limited to the amount paid for the services by the non-Podquat entity which is party to the Services Agreement in the 12 months immediately preceding the event (or first in a series of connected events) giving rise to the liability.

Clause 7

Mediation and jurisdiction

1. The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject:

  • (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
  • (b) to refer the dispute to the courts in the Member State in which the Data Exporter is established.

2. The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the Data Importer, and of the Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.

3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-Processing

1. The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor’s obligations under such agreement.

2. The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.

4. The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the personal data transferred and the copies thereof to the Data Exporter or shall destroy all the personal data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

Appendix 1

to the Standard Contractual Clauses
This Appendix forms part of the Clauses



Data Exporter

The Data Exporter is the non-Podquat legal entity that is a party to the Clauses.

Data Importer

The Data Importer is Podquat Inc., a global provider of a variety of technology services for individuals and businesses.

Data Subjects

The personal data transferred concern the Data Exporter’s end users including employees, contractors and the personnel of customers, suppliers and subcontractors. Data Subjects also includes individuals collaborating and communicating with the Data Exporter’s end users.

Categories of data

The personal data transferred concern user IDs, email, documents, presentations, images, calendar entries, tasks and other electronic data transmitted or displayed by end users via the Services (defined below).

Processing operations

The personal data transferred will be subject to the following basic processing activities:

Scope of Processing

The Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Appendix pursuant to the provision of the “Services” as defined under the Data Processing Amendment.

Personal data will be processed for the following purposes: (a) to provide the Services; (b) to operate, maintain, enhance and support the infrastructure used to provide the Services; (c) to comply with the Data Exporter’s instructions (as documented in the Services Agreement) and processing instructions initiated by end users in their use, management and administration of the Services; and (d) to respond to customer support requests.

The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its Subprocessors maintain facilities as necessary for it to provide the Services.

Term of Data Processing

Data processing will be for the term specified in the Services Agreement. For the term of the Services Agreement, and for a reasonable period of time after the expiry or termination of the Services Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to export, the Data Exporter’s personal data processed pursuant to the Services Agreement.

Data Deletion

For the term of the Services Agreement, the Data Importer will provide the Data Exporter with the ability to delete the Data Exporter’s personal data from the Services. After termination or expiry of the Services Agreement, the Data Importer will delete the Data Exporter’s personal data in accordance with the Services Agreement.

Access to Data

For the term of the Services Agreement, the Data Importer will provide the Data Exporter with the ability to correct and delete the Data Exporter’s personal data from the Services.

Subprocessors

The Data Importer may engage Subprocessors to provide limited parts of the Services. The Data Importer will ensure Subprocessors only access and use the Data Exporter’s personal data to provide the Services and not for any other purpose.

 

Appendix 2

to the Standard Contractual Clauses
This Appendix forms part of the Clauses.

Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(c) and 5(c) (or document/legislation attached):

The Data Importer currently abides by the security standards in this Appendix 2. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a material degradation in the security of the Services during the term of the Services Agreement.

1. Data Center & Network Security.

  • (a) Data Centers

    • Infrastructure. The Data Importer maintains geographically distributed data centers. The Data Importer stores all production data in physically secure data centers.
    • Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow the Data Importer to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.
    • Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.
    • Server Operating Systems. The Data Importer servers use a Linux based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. The Data Importer employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.
    • Business Continuity. The Data Importer replicates data over multiple systems. The Data Importer has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
  • (b) Networks & Transmission.

    • Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. The Data Importer transfers data via Internet standard protocols.
    • External Attack Surface. The Data Importer employs multiple layers of network devices and intrusion detection to protect its external attack surface. The Data Importer considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.
    • Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. The Data Importer intrusion detection involves:

      • 1. Tightly controlling the size and make-up of the Data Importer’s attack surface through preventative measures;
      • 2. Employing intelligent detection controls at data entry points; and
      • 3. Employing technologies that automatically remedy certain dangerous situations.
    • Incident Response. The Data Importer monitors a variety of communication channels for security incidents, and the Data Importer’s security personnel will react promptly to known incidents.
    • Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS) available.

2. Access and Site Controls.

  • (a) Site Controls.

    • On-site Data Center Security Operation. The Data Importer’s data centers maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor Closed Circuit TV (CCTV) cameras and all alarm systems. On-site Security operation personnel perform internal and external patrols of the data center regularly.
    • Data Center Access Procedures. The Data Importer maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail, and require the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.
    • On-site Data Center Security Devices. The Data Importer’s data centers employ an electronic card key and biometric access control system that are linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 90 days based on activity.
  • (b) Access Control.

    • Infrastructure Security Personnel. The Data Importer has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. The Data Importer’s infrastructure security personnel are responsible for the ongoing monitoring of the Data Importer’s security infrastructure, the review of the Services, and for responding to security incidents.
    • Access Control and Privilege Management. The Data Exporter’s administrators and end users must authenticate themselves via a central authentication system or via a single sign on system in order to use the Services. Each application checks credentials in order to allow the display of data to an authorized End User or authorized Administrator.
    • Internal Data Access Processes and Policies – Access Policy. The Data Importer employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing RSA keys are designed to provide the Data Importer with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. The Data Importer requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; a need to know basis; and must be in accordance with the Data Importer’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), the Data Importer uses hardware tokens.

3. Data.

  • (a) Data Storage, Isolation & Authentication.
  • The Data Importer stores data in a multi-tenant environment on the Data Importer-owned servers. Data, the Services database and file system architecture are replicated between multiple geographically dispersed data centers. Podquat logically isolates data on a per end user basis at the application layer. The Data Importer also logically isolates the Data Exporter’s data, and the Data Exporter will be given control over specific data sharing policies. The Data Importer logically separates data from different end users from each other, and data for an authenticated end user will not be displayed to another end user (unless the former end user or administrator allows the data to be shared). A central authentication system is used across all Services to increase uniform security of data.
  • (b) Decommissioned Disks and Disk Erase Policy.
  • Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving the Data Importer’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.

4. Personnel Security

The Data Importer personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. The Data Importer conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, the Data Importer’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling customer data are required to complete additional requirements appropriate to their role (e.g., certifications). The Data Importer’s personnel will not process customer data without authorization.

5. Subprocessor Security

Prior to onboarding Subprocessors, the Data Importer conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once the Data Importer has assessed the risks presented by the Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

6. Data Privacy Officer

The Data Privacy Officer of the Data Importer can be contacted at:

Podquat, LLC
Attn: Data Privacy Officer
512 West MLK Jr Blvd #286

Austin Texas 78701

Email: info@podquat.com