Terms of use for empower Express
These Terms become effective once you book one or more empower express products.
Summary
- This is an auto-renewal subscription. You can terminate at the end of any term (annual / monthly) with 1 week notice before the renewal.
- Right Aligned Limited acts as reseller, performs Customizing and Support and operates the cloud environment from a functional side. Additionally, Right Aligned offers discounted design & presentation assistance for you if needed.
- empower GmbH (German corporation) is the developer and owner of the Software and operates the cloud environment from a technical side.
- Both Right Aligned and empower have access to your cloud data but will not access your cloud data for any activity other than technical installation, maintenance and support activities.
- GDPR regulations apply and are observed.
- You receive the usage rights to the Software empower express for the booked individual products, for the number of users specified in your booking. Within the scope of these usage rights, you will not only be granted the usage rights to empower express, but you will also receive new versions on a regular basis as well as our customer support.
The following services are included depending on the empower express product you have booked;
Customizing for empower express Full
- Kick-Off call to coordinate further steps.
- Customizing of the Software: initial setup of empower slides-specific elements based on the documents provided, integration of your master template(s) with possible updates to ensure compatibility with empower, configuration of approved colors and fonts and construction of an agenda template.
- Installation: we provide the necessary installation files and accompanying information material for the installation.
- Training: for users (as required). Follow up training will consist of online, group and scheduled town-hall type sessions if required.
Customizing for empower express Lite
- Installation: we provide the necessary installation files and accompanying information material for the installation.
- Training: for users (as required). Follow up training will consist of online, group and scheduled town-hall type sessions if required.
Customizing for empower express Mac
- Kick-Off call to coordinate further steps.
- Customizing of the Software: integration of your master template(s) with possible updates to ensure compatibility with empower.
- Installation: we provide the necessary installation files and accompanying information material for the installation.
- Training: for users (as required). Follow up training will consist of online, group and scheduled town-hall type sessions if required.
The detailed terms and conditions are defined in the following appendices;
- Appendix A (Software License Agreement)
- Appendix B (Cloud Service Agreement)
- Appendix C (NDA)
- Appendix D (DPA)
Appendix A - Software License Agreement
for Lease between
Right Aligned Limited
17 Gresse Street
London, W1T 1QL
United Kingdom
As - Licensor -
and
“Company or Person as defined in the confirmed offer or online booking”
As - Licensee -
Licensor and Licensee are also referred to individually as a “party” and collectively as the “parties”.
Preamble
Licensor is an authorized reseller, that may offer, license and customize software products of the owner (empower GmbH). The Licensee intends to use software products offered by Licensor for a limited time and a limited number of users. Under the terms of this Agreement, the Licensor offers to adapt the software products to the Licensee’s corporate design (according to customizing services offered). Further, the Licensor shall also grant the Licensee the use of the offered software products on the basis of this Agreement for a limited time and lease the most current version of the corresponding software products to the Licensee for a limited number of users.
1. Definitions
1.1 “Software” is a collective term for one or more computer programs (depending on the booking). These are extensions to Microsoft Office with the group name "empower express" (the individual products are listed in the booking). All computer programs are provided in the object code including the associated documentation. The Licensor is entitled to grant the Licensee the right to use the Software in accordance with this contract. The owner of all copyrights and property rights to the Software is empower GmbH, Im Mediapark 8, 50670 Cologne, Germany (the "Software Provider").
1.2 "Customizing" is a service in which the software is adapted to the Licensee as specified in the offer (for example, the software may be adapted to the licensee's corporate design and further customer-specific settings may be made).
1.3 “Agreement” is the offer including this License Agreement including appendices once the booking is confirmed.
1.4 “Start of license” is the day on which the Software has been provided to Licensee. The Software can be used immediately. The client-specific customizing will usually be added within 1 week free of charge.
2. Subject of the Agreement
2.1 The subject of this Agreement is, on the one hand, the customizing of the Software. Details on this are defined in Section 3.
2.2 A further subject of this Agreement is the lease of the Software, limited to the term of the Agreement, as well as the granting of the rights necessary to use said Software according to this Agreement against payment of a fee as per Sections 5 through 12.
3. Customizing of the Software
3.1 After the order has been confirmed (booking has been confirmed), the Software shall be customized according to the offer (usually within 1 week).
3.2 If the Licensor is required to perform additional services that exceed the scope of customizing as specified in the offer, the Licensor shall draw up an offer for the implementation of these requirements on the basis of time spent. Such fees shall be approved by Licensee before any additional work commences.
3.3 The Licensee may request changes to the customizing even after the customizing is complete. The Licensor shall offer to carry out the adjustments on the basis of time spent. Such fees shall be approved by Licensee before any additional work commences.
4. Installation of the Software
4.1 Licensee shall be provided with the Software via a download link. The Software can be installed by double-clicking the installation package. Licensor will provide assistance with any questions or problems that arise. The Software can be used right away with a generic customizing.
4.2 Once the Customizing is complete the client will be informed. For empower slides the Customizing will be added to the cloud services of the Licensee.
5. Granting of rights
5.1 The Licensor shall provide the Licensee with a copy of the Software in digital form on a suitable data medium or by electronic data transmission (e.g. e-mail or as a download).
5.2 The quality of the Software to be supplied shall be defined solely in the documentation relating to the offered product edition. The documentation is integrated directly into the Software of the relevant version and edition in electronic form (website).
5.3 The Licensee shall be granted the non-exclusive, non-transferable and non-sublicensable right, limited to the term of the Agreement, to use the Software as per Agreement. Use as per the terms of the Agreement includes installing, loading, displaying and running the installed Software.
5.4 The Licensee shall be entitled to make back-ups of the provided Software.
5.5 In addition, the Licensee shall be entitled to make copies of the Software to give to a limited number of users for use. The maximum number of users in this regard is specified in the offer.
5.6 The Licensee shall not be entitled to forward to third parties (other than defined in Section 5.5) the copy of the Software provided to it or any copies made by it. In particular, it shall not be permitted to sell, loan or rent the Software, sublicense it in any other manner, or make it accessible to the general public.
5.7 The Licensee shall not be entitled to make copies of the Software in such cases not covered in Sections 5.4 and 5.5.
5.8 The Licensee shall not be entitled to edit or decompile the Software.
5.9 If the Licensee violates one of the above provisions (5.4 through 5.8), the Licensor can, in its sole discretion, decide to either charge e.g. for extra usage or (in case of willful intent or repeated violation) to immediately terminate the contract. In case of termination all usage rights granted within the scope of this Agreement shall become invalid with immediate effect and shall revert automatically to the Licensor. In such cases the Licensee must immediately and completely refrain from using the Software, delete all copies of the Software installed on its systems and, if applicable, delete any back-ups or hand them over to the Licensor.
5.10 The Software contains an activation logic component (copy protection). By way of a short connection to an activation server of the Software Provider, the Software will at regular intervals verify the validity of the license used. No other data is transmitted, the connection is made solely to validate the license.
5.11 Only relevant for the Software empower slides - the Licensee receives access to a “Template Library” (containing many slides, shape, image and chart templates). The Licensee receives the non-exclusive, non-transferable (apart from the provisions of Section 5.5) right, unlimited in terms of time, to utilize and edit the templates in all known types of use.
5.12 The Licensor assures the Licensee,
5.12(a) that the Software does not infringe any patent rights, trademark rights, copyrights, brand names, corporate secrets, licenses or other industrial property rights of third parties.
5.12(b) that it is in possession of the necessary rights and the power of disposition to grant the Licensee the licenses to the intellectual property (in particular, patent rights, trademarks, copyrights, brand names, corporate secrets, licenses and other industrial property rights) with regard to each individual component of the Software.
5.13 The Licensor shall indemnify the Licensee against all damage, claims and costs, and any reasonable expenses in connection with this Agreement, and hold it harmless from any allegations by third parties that the Software infringes any patent rights, trademark laws, copyrights, trade names, operational or corporate secrets, trademarks or other rights or industrial property rights of any third party.
5.14 The Licensee shall inform the Licensor immediately in writing of any such claim. The Licensor shall avert any such demands and claims at its own expense. The Licensee shall provide every reasonable assistance requested by the Licensor in connection with such a claim.
5.15 If the Licensee fails to inform the Licensor in time, such failure shall release the Licensor from its duties under Section 5.13 only to the extent that it has suffered a disadvantage as a result.
5.16 If it should be determined that the Software provided under the terms of this Agreement constitutes an infringement and the use of such is prohibited, the Licensor shall, at its own expense, either:
5.16(a) obtain a license for the use of the contested components; or
5.16(b) either replace the contested components with a functional equivalent that is not subject to any industrial property rights or alter the Software accordingly.
6. Servicing, maintenance and future development
6.1 The Licensee shall report any queries or defects in the Software to the Licensor. Defects shall be reported by describing the defect and the specific circumstances (for the purpose of reproducing the error) as precisely as possible.
6.2 The Licensor shall guarantee that the contractually agreed quality of the Software is maintained during the term of this Agreement and that the use of the Software as per Agreement does not conflict with any third-party rights. The Licensor shall rectify any material defects or defects of title with regard to the leased Software within a reasonable time.
6.3 The Licensor shall ensure that the Software is regularly updated on a technical level (maintenance) and, in doing so, ensure that new versions of Microsoft Windows, Microsoft Office, Mac OS are promptly supported. At the same time, the Licensor shall ensure that older versions of the above-mentioned Microsoft products are also supported, as long as they are within Microsoft’s “Extended Support”.
7. Support
7.1 The Licensor shall investigate and remedy all problems that occur on Licensee side and that are related to the Software. The Licensor will prioritize and solve problems by priority (defined by Licensor).
7.2 The Licensee can report problems that are related to the Software at any time to the Licensor, but only via this support channel:
Channel: E-mail: express@empowersuite.com
Availability: Possible to submit problems: 24 hours per day, 7 days per week, 365 days per year.
Expected response time: 1-3 business days.
8. Term
8.1 The term of license starts on “Start of license”, as defined in section 1.4.
8.2 The Software can be installed and used after receipt of a download link from the Licensor.
8.3 The parties will coordinate the timing of the Customizing phase. Both Licensor and Licensee shall try to perform the tasks during the Customizing phase in a timely manner.
8.4 For the entire term of Agreement the Licensee shall be entitled to maintenance or rectification of defects in accordance with Section 6.
8.5 The Agreement shall be concluded for an indefinite period. It may be terminated by either party with a notice period of one (1) week to the end of any month/year of term (as agreed in the offer).
8.6 The Agreement can also be terminated without notice by the Licensor in writing for good cause. Good cause entitling the Licensor to terminate the Agreement shall be deemed to exist, in particular, if the Licensee violates any usage rights of the Licensor by using the Software above and beyond the scope of the usage permitted under the terms of the Agreement and fails to cease said violation within a reasonable time after receiving a warning from the Licensor to that effect. A pro rata reimbursement of the license fee shall be excluded in such cases. Excessive cloud usage (if applicable) is also deemed a good cause for termination.
8.7 If the Licensor refuses to remedy a problem relating to the Software or, after being granted a reasonable time to perform remedy, such remedy ultimately fails, the Licensee may terminate the Agreement in writing with a notice period of 30 days. If the Licensor also fails to remedy the problem within this 30-day period, the termination shall be effective. The Licensee shall then be entitled to reimbursement of the license fee from the moment the problem occurred.
8.8 If the Licensor fails to resolve an existing infringement of industrial property rights by the Software in accordance with Section 5.16 within a reasonable time, the Licensee may terminate the Agreement in writing with a notice period of 30 days. If the Licensor also fails to resolve the infringement of industrial property rights within this 30-day period, the termination shall be effective. The Licensee shall then be entitled to reimbursement of the license fee from the moment the Software could no longer be used. The obligation on the part of the Licensor to indemnify and hold harmless as per Section 5.13 shall remain hereby unaffected.
8.9 Notice of termination must be given in writing.
8.10 If the Agreement is terminated, the Licensee shall cease using the Software at the end of the license term or upon the termination becoming effective and shall remove all installed copies of the program from its computers.
9. Remuneration
9.1 The fees for using the Software are specified in the booking.
9.2 The term of the Agreement shall be indefinite as per Section 8.5. Invoices for the license fee shall be issued at the beginning of each term (monthly/annual as agreed). Payments will be charged as agreed.
9.3 Invoices for additional services (if agreed) shall be issued following approval of the respective results.
10. Liability
10.1 The Licensor and the Software Provider shall not be liable, irrespective of the legal basis, for indirect, non-foreseeable or special damage, or for consequential damages or damages of a punitive nature; it shall, in particular, not be liable for loss of revenue or loss of profit, loss of business opportunity, loss of image or loss of data, even if the Licensor was warned about such risks.
10.2 In no event shall the Licensor or Software Provider be liable to the Licensee or its successors and assignees for damages that are higher than the annual license fee.
10.3 The above-mentioned limitations of liability shall not apply in the case of liability for death, injury or impaired health, for gross negligence, intent or deceit or if liability can be neither excluded nor limited by law (e.g. Product Liability Law).
11. Confidentiality
11.1 The parties hereby agree not to disclose any confidential information. Further details are defined in a separate NDA (Appendix B).
12. Miscellaneous
12.1 Notices Licensor sends to Licensee under this Agreement must be in writing and sent by email to an email address defined by Licensee. Licensee is responsible for keeping the email address current and accurate at all times. Any notice Licensor sends to the then-current email address will be deemed to be received when it is sent even if Licensee does not actually receive it.
12.2 Notices Licensee sends to Licensor under this Agreement must be in writing and sent by email to express@empowersuite.com. An email notice under this Agreement will be deemed received when sent.
12.3 The Licensee may transfer rights or obligations arising from or in connection with this Agreement to third parties solely with the written approval of the Licensor.
12.4 Payments may be offset only against claims that are undisputed or have been legally established.
12.5 Any alterations or amendments to the Agreement must be made in writing. This shall also apply for the alteration or cancellation of this clause. Electronic documents in text form do not fulfill the written form requirement.
12.6 General Terms and Conditions of Business of the Licensee and the Licensor shall not apply.
12.7 English law shall apply exclusively to this Agreement, excluding the United Nations Convention on Contracts for the International Sale of Goods from 11 April 1980.
12.8 Should individual provisions of this Agreement be ineffective, the validity of the remaining provisions shall remain hereby unaffected. The contracting parties shall endeavor to replace the invalid provision with one that best meets the objective of the Agreement both legally and economically.
Appendix B - Cloud Service Agreement
Licensor and Licensee are defined in the License Agreement and also referred to individually as a “party” and collectively as the “parties”.
Preamble
Licensor is an authorized reseller, that may offer, license and customize software products of the Software Provider (empower GmbH). Further Licensor and Software Provider operate a cloud environment that serves as backend and database for some of the software products. Licensee intends to use one or more of software products of the Software Provider. For this purpose, a license contract is concluded. One or more of these products require a central database including central services (e.g. search service). The Cloud Services include hosting the central database and other central services by the Licensor and the Software Provider to enable operation of the licensed software products at the Licensee. This additional service is agreed in this appendix.
1. AGREEMENT: This Agreement is defined by the terms and conditions described in this document but also by the terms referenced in the sections: legal terms of use of the Microsoft Azure Cloud, legal terms of the license agreement.
2. CLOUD SERVICES: Licensor offers to Licensee to use managed online services that Licensor makes available to the Licensee through the Microsoft Azure platform at https://azure.microsoft.com. These managed online services, including any related support services (in case of issues or in case of software updates) that Licensor provides, are collectively referred to in this Agreement as the “Cloud Services”. Licensor reserves the right to modify the Cloud Services at any time after reasonable advance notice. In case of changes to Cloud Services Licensor will inform and support Licensee, so that the Cloud Services can be used without or with minimal impact regarding its availability.
3. USAGE RESTRICTION: The Cloud Services may only be used by Licensee through the empower products. The Cloud Services may not be used directly by the Licensee or through other applications.
4. TERM: The term of this supplementary contract starts when the license term for the associated empower products has started. This Agreement will end once the license term for the associated empower products is terminated.
5. SUSPENSION AND TERMINATION BY LICENSOR FOR CAUSE: The Licensor may, in justified exceptional cases, immediately (and without prior notice) suspend or terminate all or part of the Cloud Services if one or more of the following occurs: (i) Licensor determines that Licensee’s use of the Cloud Services poses a severe threat to the security of the Cloud Services; (ii) Licensor determines that Licensee’s use of the Cloud Services is illegal (based on Microsoft regulations); (iii) Licensor terminates the empower license agreement for good cause, e.g. usage right violation or excessive cloud usage; (iv) Licensee fails to make a payment when due for more than 14 days.
6. TERMINATION BY LICENSOR WITH CAUSE: The Licensor may terminate the Cloud Services including the license agreement with good cause (e.g. excessive cloud usage) by providing Licensee with 14 days’ advance notice of the termination.
7. EFFECT OF SUSPENSION AND TERMINATION
(a) SUSPENSION. The Cloud Services will be unavailable in whole or in part during any suspension, and Licensee may not have access to its data. Fees may continue to accrue during a suspension.
(b) TERMINATION. Effective immediately upon the termination of this Agreement, the Cloud Services will no longer be available to the Licensee. The Licensee will receive an export of his data. As soon as the Licensee agrees to the deletion of his data, the Licensor will carry out the irrevocable deletion of the data (including backups).
8. FEES: All fees for cloud services are included in the fees described in the booking.
9. AZURE LEGAL REGULATIONS: Licensee is required to use the Cloud Services in accordance with the Azure Legal Regulations as defined at https://azure.microsoft.com/en-us/support/legal/
10. SERVICE LEVEL AGREEMENT / SUPPORT: Licensor will use commercially reasonable efforts to make the Cloud Services as available as the Microsoft Azure Platform is available (99.95% of a year). However only the service credits / refunds that are offered by Microsoft (https://azure.microsoft.com/de-de/support/legal/sla/virtual-machines/v1_6/) can be provided in case the target availability is not met. The Cloud Services will be provided without 24/7 support. Technical support will be limited to the support Licensor makes available to Licensee via the software support of the empower products. In case support is needed the e-mail address express@empowersuite.com shall be used.
11. ASSIGNMENT; RESALE: Licensee may not assign this Agreement or resell the right to use the Cloud Services without prior written consent.
12. FORCE MAJEURE: If the performance of any part of this Agreement is prevented or delayed by reason of an act of God, act of war, act of terrorism, fire, governmental action, labor dispute or other cause beyond the performing party’s control, then that party will be excused from performance for the length of that prevention or delay.
Appendix C – Non Disclosure Agreement
MUTUAL NONDISCLOSURE AGREEMENT
This MUTUAL NONDISCLOSURE AGREEMENT (the “Agreement”) is made effective as of the date the booking including the license agreement and its appendices are signed by both parties (“Effective Date”).
1. CONFIDENTIAL INFORMATION: “Confidential Information” shall mean materials and information provided by the disclosing party (the “Disclosing Party”) to the receiving party (the “Receiving Party”) which relate to the Disclosing Party’s business or technology, including, without limitation, any data stored in the cloud services of Licensor / Software Provider. Further any materials or information provided to the Receiving Party which are clearly designated as “confidential” or “proprietary” (or contains other similar designations) shall be presumed to be Confidential Information, but the absence of any such designation shall not preclude the same from being deemed Confidential Information.
2. RESTRICTIONS/OBLIGATIONS: The Receiving Party shall: (i) only disclose the Disclosing Party’s Confidential Information to those of its officers, directors, employees and/or applicable attorneys, accountants or other professional advisors having a specific need to know such information for the purposes described in subpart (iii) of this Section 2, provided such personnel are bound by confidentiality restrictions no less protective than those set forth in this Agreement; (ii) not disclose any Confidential Information to any third party, including without limitation any parent, subsidiary or other affiliated companies, without the Disclosing Party’s prior written consent (Software Provider is hereby explicitly approved as Receiving Party but also bound to this Agreement); (iii) use such Confidential Information only to the extent required for the purpose of evaluating a potential business relationship or performing services agreed to by the parties in a separate writing; (iv) not reproduce Confidential Information in any form except as required to accomplish such purposes; (v) not reverse engineer, decompile, or disassemble any software disclosed by the Disclosing Party; (vi) not directly or indirectly export or transmit any Confidential Information to any country to which such export or transmission is restricted by regulation or statute; and (vii) promptly provide the Disclosing Party with notice of any actual or threatened breach of the terms of this Agreement. The Receiving Party may use, without restriction, all information it receives from the Disclosing Party that does not meet the definition of Confidential Information, above. In addition, the Receiving Party may disclose Confidential Information in accordance with a judicial or other governmental order, provided that such party shall have given the Disclosing Party written notice and the opportunity to seek confidential treatment of the information prior to such disclosure.
The restrictions herein shall apply to all Confidential Information disclosed by one party to the other under this Agreement, whether disclosed prior to or after the Effective Date.
3. EXCLUSIONS: The foregoing restrictions on disclosure shall not apply to Confidential Information which: (a) is now or hereafter becomes generally known through no act or failure to act on the Receiving Party’s part; (b) the Receiving Party independently knows at the time of receiving such information, as evidenced by its written records; (c) a third party hereafter furnishes to the Receiving Party without breaching any obligation of confidentiality and without restriction on disclosure; (d) the Receiving Party has independently developed without using the Disclosing Party’s Confidential Information or breaching this Agreement; or (e) the Disclosing Party gives written permission to the Receiving Party to disclose.
4. OWNERSHIP: All Confidential Information (including copies thereof) shall remain the property of the Disclosing Party and shall be returned (or, at the Disclosing Party’s option, destroyed) upon written request or upon termination of this Agreement. No rights or licenses to trademarks, inventions, copyrights or patents are implied or granted under this Agreement. The Receiving Party shall also destroy all records prepared by it which incorporate Confidential Information received pursuant to this Agreement.
5. TERM: This Agreement shall continue for so long as the parties continue to exchange Confidential Information and is terminated once the license agreement is terminated. The provisions of Sections 1 through 7 shall survive the termination of this Agreement.
6. EQUITABLE REMEDIES: The parties acknowledge that monetary damages may not be a sufficient remedy for unauthorized use or disclosure of Confidential Information and that each party may, without waiving any other rights or remedies, seek injunctive or equitable relief as may be deemed proper by a court of competent jurisdiction, without obligation to post any bond.
7. GENERAL: This Agreement constitutes the entire agreement regarding the subject matter hereof. If any provision of this Agreement is held unenforceable, that provision shall be severed and the remainder of this Agreement will continue in full force and effect.
Appendix D – Data Processing Agreement (DPA)
pursuant to art. 28 General Data Protection Regulation (GDPR)
by and between
“Customer / Licensee” as - the Controller (within this Appendix)
and
Right Aligned Limited
17 Gresse Street
London, W1T 1QL
United Kingdom
&
empower GmbH
Im Mediapark 8
50670 Köln
Germany
Collectively as - the Processor (within this Appendix)
1. Subject matter, term, personal data processed and categories of data subjects
1.1 Subject matter. The subject matter of this DPA consists of the appointment of the Processor by the Controller and the provision of instructions for the processing of personal data. The processing activities that the Processor shall carry out are strictly limited to those necessary to fulfil the scope of the offer, including license agreement and cloud service agreement (“Main Contract”).
For the avoidance of doubt, here is a summary of the relevant activities that the Processor shall carry out on behalf of the Controller:
1.1(a) Regular commercial processes such as storing contracts including contact details, storing support tickets, sending invoices and receiving payments.
1.1(b) Installation, maintenance and support activities for a cloud-based database that stores PowerPoint data (presentations, slides etc.) of the Controller. The Processor will not access the database or its content for any activity other than technical installation, maintenance and support activities.
1.1(c) Remote Support services in case of issues with the software products of the Processor. During such remote support services the Processor will request and (if approved by Controller) get access to local computers of the Controller to analyze issues. The Processor could potentially see personal data of the Controller. Both parties will try to avoid this.
1.2 Term
1.2(a) The term of this DPA corresponds to the term of the Main Contract.
1.3 Categories of personal data
1.3(a) The categories of personal data processed are:
- personally identifiable information (e.g. name, surname, email)
- statistical or other technical usage data observed
- customer history
- billing, invoicing and payment data
- other data that the Controller stores within PowerPoint
1.4 Categories of Data Subjects
1.4(a) The personal data collected and processed relate to:
- employees, associates, staff members
- customers, suppliers
- potential customers, suppliers
2. Data Transfer Abroad
2.1 The Processor undertakes not to transfer or store any personal data in countries other than the UK and Germany without the prior written authorization of the Data Controller.
2.2 Any data transfer or storage abroad, and processing activities thereof, will be carried out (on request by Controller) in strict compliance with the Controller's documented and specific instructions.
3. Technical and Organizational Measures
3.1 The Processor undertakes to adopt all the necessary technical and organizational security measures described in Section 12.
3.2 Such measures are subject to the Controller's scrutiny and to its approval. Upon the Controller's approval, such security measures, documented as above, will become an integral and substantial part of this agreement and are hereby incorporated. Insofar as an inspection/audit by the Controller shows the necessity for amendments, such amendments shall be implemented by mutual agreement.
3.3 The Processor warrants that it has taken all the security measures in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. Such measures shall guarantee data security and a protection level adequate to the level of risk concerning confidentiality, integrity, availability, and resilience of the systems. According to Article 32, par. 1 GDPR the following must be taken into account when assessing the appropriateness of the security measures adopted: whether or not the measures can be reasonably considered to be state-of-the-art, the implementation costs, the nature, scope and purposes of processing as well as the likelihood of data breaches and the severity of risks to the rights and freedoms of natural persons.
3.4 The technical and organizational measures are subject to technical and technological progress and development. Hence, the Processor may adopt alternative adequate measures which are up to date with the changed technological environment. When doing so, the processing security level may not be reduced. Substantial changes must be documented.
4. Data subjects' rights
4.1 The Processor undertakes to provide full cooperation and assistance, as it may be reasonably possible, in order to assist the Controller in responding to data subjects' requests for the exercising of their rights.
4.2 In particular, the Processor undertakes to (i) immediately communicate to the Controller any request received by data subjects concerning the exercising of their rights and, if feasible and appropriate, to (ii) enable the Controller to design and deploy all the technical and organizational measures necessary to answer the data subjects' requests.
4.2 Notwithstanding the fact that the Controller bears the responsibility to respond to the data subjects' requests, the Processor can accept to be tasked with the fulfilment of some specific requests, provided that such tasks do not require disproportionate efforts from the Processor and that the Controller provides detailed instructions in writing.
5. Further duties of the Processor
In addition to complying with the provisions of this DPA, the Processor commits to meet all applicable statutory requirements set forth at Articles 28 to 33 GDPR. To this end, the Processor warrants compliance with the following sections 5.1 to 5.4.
5.1 Appointment of a Data Protection Officer (DPO)
The contact details of the current DPO:
empower GmbH
Data Protection Officer
Im Mediapark 8
50670 Cologne
Germany
data-privacy@empowersuite.com
The Processor shall inform the Controller about any changes of Data Protection Officer.
5.2 Confidentiality
Processing activities under this DPA shall only be performed by individuals (such as employees, agents, or staff members) that have been instructed by the Processor on the appropriate way to process data and have been contractually subjected to confidentiality pursuant to art. 28 par. 3 (b) and art. 32 GDPR. The Processor, and any person acting under its authority who has access to the personal data, shall not process that data unless acting upon instructions given by the Controller, including the powers granted under this DPA, unless they are required to do so by statutory law.
5.3 Implementation of Technical and Organizational Measures
Implementation of, and compliance with, all appropriate technical and organizational measures in the framework of this DPA, in particular as set forth at art. 32 GDPR. The Processor shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing activities pertaining to it are carried out in accordance with the requirements of applicable data protection law and the protection of data subjects' rights. The Processor shall grant verifiability of the technical and organizational measures to the Controller as part of the Controller’s supervisory powers referred to in sec. 7 of this contract.
5.4 Cooperation with Supervisory Authorities
The Controller and the Processor shall cooperate, on request, with the supervisory authority. The Controller shall be informed immediately of any inspections and measures executed by the supervisory authority, insofar as they relate to the activities under this DPA. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any provision regarding the processing of personal data in connection with the processing of this DPA. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative fine, a preliminary injunction or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the processing of data by the Processor as of this DPA, the Processor shall make every effort to support the Controller.
6. Sub-processors
6.1 The Controller authorizes the Processor to outsource part of the processing activities pursuant to this DPA to sub-processors. The sub-processors shall, as legally required, be subject to the same contractual obligations resulting from this agreement, pursuant to art. 28 par. 4 GDPR.
6.2 At the date of signature of this agreement, the parties mutually acknowledge and agree that the Processor currently commissions the following sub-processors on the condition of a contractual agreement in accordance with Article 28 paragraph 4 GDPR:
Company: Microsoft Corporation
Link for GDPR information: Microsoft Online Services Terms (https://www.microsoftvolumelicensing.com/Downloader.aspx?DocumentId=14943)
Purpose: Outsourced cloud storage and processing activity
6.3 It is understood between the parties that the communication of personal data to any sub-processor shall only take place after all conditions set out in paragraph (1) for the appointment of sub-processors have been met.
6.4 The Processor must maintain and keep an updated list of sub-processors. The Controller shall be notified of any change to such list without undue delay, giving the Controller the option to object. In case of objection, the Processor retains the right to terminate the contract in place with the Controller.
6.5 The Processor shall bear full responsibility and liability for the activities of its sub-processors vis a vis the Controller.
6.6 Should a sub-processor provide its services outside the EU/EEA, the Processor shall ensure compliance with the rules regarding data transfer abroad, as described under sec. 2 of this DPA.
7. Audits
7.1 The Controller has the right to carry out reasonable inspections or to have them carried out by an auditor appointed on a case-by-case basis. The auditor may assess Processor's compliance with this DPA in its business operations by means of checks, of which the Processor will be notified in advance.
7.2 The Processor shall allow the Controller to verify compliance with its obligations as provided by Article 28 GDPR. The Processor undertakes to give the Controller the necessary information on request and to demonstrate the implementation of the technical and organizational measures but may protect its own IT Security as well as other clients' data.
7.3 Evidence of the implementation of such measures, which may not only concern the activities under this DPA, may also be provided by:
- compliance with approved Codes of Conduct pursuant to Article 40 GDPR;
- certification according to an approved certification procedure in accordance with Article 42 GDPR;
- current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data protection auditor);
- a suitable certification by IT security or data protection auditing.
7.4 The Processor may charge a reasonable fee to the Controller for enabling inspections.
8. Assistance to the Controller
8.1 The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations set forth at Articles 32 to 36 of the GDPR, including:
- ensuring adequate protection standards through technical and organizational measures, taking into account the type, circumstances and purposes of processing, the likelihood of data breaches and the severity of the risk to natural persons possibly resulting thereof
- ensuring immediate detection of infringements
- reporting data breaches without undue delay to the Controller
- assisting the Controller in answering to data subjects' requests for the exercising of their rights
The Processor may charge the Controller a reasonable fee for support services which are not included in the description of the services and which are not attributable to the Processor's misconduct, mistakes or infringements.
9. Directive powers of the Controller
9.1 The Processor shall not process any personal data under this DPA except on the Controller's documented instructions, unless required to do so by Union or Member State law.
9.2 In case the Controller should require any change in the processing of personal data set forth by the documented instructions mentioned at sec. 2, the Processor shall immediately inform the Controller if it considers such changes likely to result in infringements to data protection provisions. The Processor may refrain from carrying out any activity that may result in any such infringement.
10. Liability
10.1 Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents. Furthermore, each party commits to indemnify the other party against any claim exerted by third parties due to, or in connection with, any culpable infringement by the respectively other party.
10.2 Art. 82 GDPR stays unaffected.
11. Deletion and return of personal data
11.1 The Processor shall not create copies or duplicates of the data without the Controller's knowledge and consent, except for backup copies, insofar as they are necessary for ensuring that data is processed correctly or are a built-in feature of the services used (e.g. Microsoft Azure), and where the retention of such data is required by law.
11.2 After conclusion of the provision of services, the Processor shall, at the Controller's choice, either delete in a data-protection compliant manner or return to the Controller, all the personal data collected and processed under this DPA, unless any applicable legal provision requires further storage of the personal data.
11.3 In any case, the Processor may retain beyond termination of the contract all the information necessary to demonstrate the compliance of the processing activities carried out.
11.4 The documentation referred to under point (3) above, shall be stored by the Processor in accordance with the applicable retention periods, statutory or otherwise determined. The Processor may hand the documentation over to the Controller upon termination of the agreement. In such case, the Processor is relieved from any obligation to keep such documentation.
12. Definition of Technical and Organizational Measures
12.1 Confidentiality (Art. 32 Sec. 1 lit. b GDPR)
12.1(a) Control of admission
Measures that prevent unauthorized access to data processing systems dealing with personal data:
- Predefined security sections
- Safeguarding of point of access
- Setup of admission modalities for internal and external employees (e.g. custodial staff)
- Legitimization of admission authorization and inspection of admission
- Components for implementation: personal monitoring, electronic keycards, door locking systems, technical monitoring systems, and distribution of security keys in individual cases
12.1(b) Control of physical access
Measures that prevent unauthorized use of data processing systems and procedures:
- Setup of access modalities for internal and external employees (e.g. maintenance personnel, visitors, etc.)
- Legitimization of access authorization, and inspection of access
- Access to PC workstations and laptops, including general access to data storage devices
- Components for implementation: password protected user master record, personal user account, dedicated application and approval procedure and technically assisted adherence to password standards
12.1(c) Control of accessibility
Measures that exclusively permit access to personal data to approved users of data processing systems within the limitation of their access authorization:
- Setup and legitimization of access modalities and user authorization for access to data, esp. personal data
- Execution of access and user monitoring
- Physical and logical security of data processing systems
- Components for implementation: deployment of “need-to-know” and “need-to-do”, demand actuated authorization policies and profiles, dedicated application and approval procedures, technically assisted adherence and record.
12.1(d) Control of isolation
Measures that ensure that data compiled for different purposes is processed separately:
- Systems and applications that are logically and/or physically separated by client, as well as physically separate production and development systems
- Provided that storage of client databases is a requirement: completely separate environments for each individual client
12.1(e) Pseudonymization (Art. 32 Sec. 1 lit. a GDPR; Art. 25 Sec. 1 GDPR)
Processing of personal data in a manner that does not allow allocation of specific entities and their connected personal data without additional information, provided this additional information is stored separately and technical and organizational measures are required to be taken.
In our circumstances of data processing the above has thus far proven to be irrelevant.
12.2 Integrity (Art. 32 Sec. 1 lit. b GDPR)
12.2(a) Control of transfer
Measures that ensure that personal data cannot be read, copied, altered or deleted during electronic transfer or during transportation, as well as when saving to data storage devices without authorization. Further it will be ensured and determined which entities are to receive personal data via facilities for data transfer:
- Determination of approved sites of receipt
- Determination and legitimization of approved entities for transport and/or transfer/forwarding and holding of documentation verifiable by third parties
- Determination of authorized entities who may administer data storage devices and of domains that are permitted to contain data storage devices, DP-facilities, etc. Also, physical safeguarding of these determined domains
- Determination and safeguarding of procedures and transport routes
- Components for implementation: integrity during storage of internal and external data forwarding with validity checks and verification procedures, graded safety and encryption procedures, firewall systems, virus inspection software, SSL encryption, VPN and use of “closed” networks.
12.2(b) Control of data entry
Measures that ensure that it is verifiable if personal data in data processing systems was entered, altered or deleted, and by whom:
- Documentation of entry procedures (write and read, if required)
- Ensure possibilities for later inspection of data entries and transactions (if required)
- Components for implementation: documentation of entries in systems and applications as well as their output (if required), primarily automated coordination procedures and inspections
12.3 Availability and capacity (Art. 32 Sec. 1 lit. b GDPR)
12.3(a) Availability check
Measures that allow protection of personal data against unintentional loss or destruction:
Extensive backup concept available, which will not be detailed due to data security regulations. General description: setup and implementation of data securing and emergency concept as well as its regular updating and testing (backup and/or disaster management).
12.3(b) Quick recovery (Art. 32 Sec. 1 lit. c GDPR)
Is provided. Details will not be disclosed due to data security regulations.
12.4 Procedures for regular review, assessment and evaluation (Art. 32 Sec. 1 lit. d GDPR; Art. 25 Sec. 1 GDPR)
12.4(a) Data protection management
Annual review of technical and organizational measures.
12.4(b) Incident-Response-Management
An Incident-Response-Plan has been developed and established which contains 6 stages:
1. Preparation
2. Identification: determining whether an occurrence is a security concern.
3. Containment: The damage caused by the occurrence is to be contained, affected systems will be isolated to avoid further damage.
4. Eradication: The cause of the occurrence is to be identified; the affected systems will be removed from the productive environment.
5. Recovery: Affected systems are to be reintegrated into the productive environment once it has been ensured that no further threats persist.
6. Acquired insights: extension of incident documentation and analysis to transfer knowledge to team or company. This way it will be ensured that future occurrences can be dealt with more effectively.
12.4(c) Data protection by design and by default (Art. 25 Sec. 2 GDPR)
Currently not relevant in our cases of data processing.
12.4(d) Control of assignment
Measures to ensure that personal data processed in the course of an assignment can only be handled in accordance with the guidelines set by the client:
- Setup of explicit terms of contract
- Setup of inspection of contract implementation or fulfilment
- Processing exclusively within the limitations of contractual stipulation, competence and inspection measures integrated in operating procedures in agreement with the client