Terms & Conditions

Effective September 15th, 2024.
Introduction

These Terms and Conditions (“Terms”) together with the order form (the “Order”) in which these Terms are referenced and any documents referenced below (such as our Privacy Policy), copies of which are attached hereto, collectively constitute the “Agreement.” This Agreement governs the use of the Rising Team online platform designed to assist managers and team leaders to support, develop, and connect their teams and includes (but is not limited to) training and tools related to leadership development, team assessments, and guided team building workshops (collectively, the “Platform”). This Agreement is a legally binding contract between Rising Team, Inc. (“Rising Team”, “we”, “us”, or “our”) and the customer specified in the Order (referred to throughout the Agreement as “Customer,” “you,” “your”, “yours” or “yourself”). By executing an Order, you acknowledge that you have read and understood the Agreement and agree to be bound by its terms. If you do not agree to be bound by the terms of the Agreement, you must not accept the Agreement or access or use the Platform.

IMPORTANT INFORMATION ABOUT THE CUSTOMER AND TEAM MEMBERS

As used in these Terms, “Customer” (or “you” or “your”) may be either your employer (or other organization that you represent) or you as an individual. If you are signed up using your corporate email domain or are otherwise entering into an Order on behalf of a business entity or other organization (e.g., to manage a team for your employer), the business entity or other organization on whose behalf you signed up is the Customer. By signing up on behalf of a business entity or other organization, you represent and warrant that you have all right, power, and authority to bind such entity or organization to the Agreement. If you signed up for a subscription to the Platform and are not formally affiliated with a business entity or other organization (e.g., to use the Platform for your own, personal purposes unaffiliated with your work for your employer), you, as an individual, are the Customer.

The Platform is intended to support a specific group of individuals working together (a “Team”).  Each Team will have a team leader (“Team Leader”) and also individual team individuals.  The Team Leader and each individual on the Team are considered “Team Members.”  The Team Leader will have the ability to invite the individual team individuals to join the Team and the use of the Platform by all Team Members shall be subject to these Terms.

If you received an invitation to be a Team Member, you understand and agree that your use of the Platform will be governed by the Customer that subscribed to the Platform and initiated the invitation.  In such case, all materials, information, data, and other content you provide through the Platform will be owned by such Customer under the terms of such Customer’s agreement with us.

1. THE PLATFORM

1.1 Subscriptions.  Specific details regarding your subscription to the Platform (such as cost, duration, and limitations) will be identified in the Order.  Once you purchase a subscription to the Platform, we will provide you with the necessary information to access the Platform.  Your subscription will start on the Subscription Start Date specified in the Order and continue for the period specified in the Order (“Subscription Period”). You agree that you will use the Platform in accordance with the limitations specified on the Order (such as the authorized number of Teams or number of Team Members if designated on the Order).

1.2 Support. Rising Team will use commercially reasonable efforts to provide basic technical support for the Platform to Customer via email.   We will respond to support inquiries (a) made via email within 24 hours, Monday through Friday, between the hours of 9:00 AM and 5:00 PM PST and (b) made via Slack within 3 hours, Monday through Friday, between the hours of 9:00 AM and 7:00 PM PST.  You can make support inquiries at  support@risingteam.com.  Our Frequently Asked Questions page available at https://risingteam.com/faq may address some of your questions.

1.3 Administrators.  Customer may designate an individual to be the account administrator (“Administrator”).  The Administrator will serve as the authorized representative of the Customer and will have certain permissions to set-up and manage the Platform.

1.4 Team Member Information. Team Members may upload, submit, post, create, share, or otherwise make available through the Platform data, information, comments, documents, files, and any other content or materials (“Team Member Information”). Customer has the sole right and responsibility for managing its and its Team Members’ access to the Platform and use of the Team Member Information. For example, Customer may provision or deprovision access to the Platform, manage permissions of Team Members (e.g., designating a Team Member to be the Team Leader) and organize Team Members. Customer will also (i) inform Team Members of all of Customer’s own policies and practices that are relevant to the Team Members’ use of the Platform; and (ii) obtain all rights, permissions and consents from Team Members and other Customer personnel or contractors that are necessary (a) to grant the rights and licenses set forth in this Agreement, and (b) for the lawful use and transmission of Team Member Information and operation of the Platform. Customer is responsible for the security of all Team Members’ login credentials. Accordingly, Customer is responsible for all resulting damages, losses, or liability if usernames and passwords are disclosed, whether intentionally or not, to unauthorized third parties, including for actions taken on the Platform by such unauthorized third-parties logging into and accessing the Platform through Team Members’ accounts.

2. USE AND RESTRICTIONS

2.1 Platform Use.  For the duration of the Subscription Period and subject to these Terms, Rising Team will make available to Customer and Team Members access and use of the Platform for the Customer's own internal business purposes. To the extent that we make any content, templates, articles or other documentation available as part of the Platform (“Content”), we grant to Customer a sub-licensable, non-transferable, non-exclusive, limited license for Customer and its Team Members to use the Content provided that the use is only for the benefit of Customer and there is no further distribution of such Content. In some cases, certain Content may be available to download and, in such case, Customer has the right to download such Content.  All Content will be deemed to be part of the Platform.  There are no implied licenses granted to the Platform, all of our rights not expressly granted by the license in this Section are retained by us.

2.2 Acceptable Use Policy. Customer agrees, and will ensure that all Team Members agree, to comply with Rising Team’s acceptable use policy, the current version of which is attached hereto as Annex 1 (“Acceptable Use Policy”). We may update our Acceptable Use Policy from time to time by posting an updated version to the foregoing URL and notifying you of any material changes. However, we agree that such changes will not have the effect of materially altering any limitations on liability, indemnities, or warranties made under this Agreement or functionality of the Platform.

2.3 Restrictions on Team Member Information. Customer is responsible for the content of any Team Member Information and the way Customer and its Team Members choose to use the Platform to store or process any Team Member Information. Except for Rising Team’s own obligations of confidentiality, data security and data protection hereunder, Customer is therefore solely responsible for ensuring compliance with all applicable laws that may apply to Team Member Information, including but not limited to privacy laws. Unless otherwise agreed to in writing by both parties, Customer may not submit any Team Member Information that includes a social security number, passport number, driver’s license number, or similar identifier, credit card or debit card data, or any other information which may be subject to data privacy and security laws intended to protect sensitive personal information including, but not limited to, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HiTECH), the Family Educational Rights and Privacy Act of 1974 (FERPA), the Children's Online Privacy Protection Act (COPPA) or similar state laws and the provisions of the General Data Protection Regulation as applicable in the United Kingdom and European Union (GDPR) to sensitive categories of data (as defined therein). The Platform is also not intended for and should not be used by anyone under the age of 16. Customer must ensure that all Team Members are over 16 years old. We do not make any representations as to the adequacy of the Platform to process information which may be subject to data privacy and security laws intended to protect sensitive personal information or to satisfy any legal or compliance requirements which may apply to your Team Member Information, other than as described herein.  

2.4 License Restrictions. Customer agrees that it will not, and will not allow Team Members or third parties to, directly or indirectly (a) modify, translate, copy or create derivative works based on the Platform, (b) reverse assemble, reverse compile, reverse engineer, decompile or otherwise attempt to discover the object code, source code, non-public APIs or underlying ideas or algorithms of the Platform, except as and only to the extent this restriction is prohibited by law, (c) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Platform available to any third party, including members of your organization that are not Team Members, (d) remove or obscure any copyright, trademark or other proprietary notices, legends or Rising Team branding contained in or on the Platform, (e) use the Platform in any way that violates any applicable federal, state, local or international law or regulation, (f) attempt to gain unauthorized access to, interfere with, damage or disrupt any parts of the Platform, (g) use or access the Platform to build or support and/or assist a third party in building or supporting products or platforms competitive to the Platform, (h) share identification or passwords with persons other than authorized Team Members, or (i) use the Platform in any way not expressly provided for in this Agreement. Customer also agrees to comply, and will ensure that its Team Members comply with any usage limitations of the Platform contained in the Order.

2.5 Responsibility. Customer acknowledges and agrees that we are acting only as a passive conduit for Team Member Information. Customer is fully responsible for Team Members’ compliance with this Agreement, though Customer agrees that we may review all conduct of Team Members in the Platform, including the content of Team Member Information, for the purpose of checking compliance with the terms of this Agreement, but we have no obligation to do so. If we believe there is a violation of this Agreement that can be remedied by Customer’s removal of certain Team Member Information, we may ask Customer to take direct action rather than intervene. However, we reserve the right to take further action (including suspending your use of or access to the Platform or removing certain Team Member Information), when we deem it reasonably appropriate if Customer does not take suitable action itself, or if we believe Customer is violating applicable law or there is a credible risk of harm to us, the Platform, Team Members, or any of our other customers.

2.6 Team Member Information.  The Team Member Information originates from Team Members and Rising Team is not responsible for the accuracy, usefulness, safety, or appropriateness of any Team Member Information.  It is possible that other users (including unauthorized users) may post or transmit offensive or obscene materials and that you may be involuntarily exposed to such offensive or obscene materials. You hereby waive any legal or equitable rights or remedies you have or may have against us with respect thereto. It is also possible for others to obtain personal data about you due to your use of the Platform and outside individuals viewing a screen or monitor, including any Team Member Information that you make available through your Team Member profile.  Anyone viewing a Team Member profile may use information provided by a Team Member (such as contact details, location) for purposes other than those you intended. By making any information available through the Platform you acknowledge that you understand and have agreed to such risks.

2.7 Third-Party Platforms. Customer may install or enable third-party platforms for use with the Platform, such as online applications or offline software products (“Third-Party Platforms”). Any acquisition and use by Customer or the Team Members of such Third-Party Platforms is solely the responsibility of Customer and the applicable third-party provider. Customer acknowledges that providers of such Third-Party Platforms may have access to Team Member Information in connection with the interoperation and support of such Third-Party Platforms with the Platform. To the extent Customer authorizes the access or transmission of Team Member Information through a Third-Party Platform, Rising Team shall not be responsible for any use, disclosure, modification, or deletion of such Team Member Information or for any act or omission on the part of the third-party provider or its Platform.

2.8 Third-Party Content. Rising Team is not responsible for third-party content. Third-party content provided through the Platform is provided “AS IS” without warranty of any kind. Rising Team disclaims all representations, warranties and conditions with respect to third-party content, expressed or implied.


3. PAYMENT OBLIGATIONS

3.1 Fees. Customer will pay for access to and use of the Platform as outlined in the Order (“Fees”). All Fees must be paid in U.S. dollars. Payment obligations are non-cancelable and, except as expressly stated in these Terms, non-refundable. We may modify our Fees or introduce new fees in our sole discretion; Customer understands that revised or new fees may be required by changes in our business or offerings. Any new or revised fees will only become effective on the renewal of your Subscription Period. If you agree to other payment terms with us, you will pay for your subscription to the Platform according to the payment terms we (both parties) agree upon. Fees may be based on the number of Teams as specified on the Order.  Payment processing for the Platform may be performed by Stripe. For more information on Stripe’s security practices, please see https://stripe.com/docs/security/stripe.

3.2 Payment.  All Fees are due in advance of using or accessing the Platform. Customer is responsible for keeping its payment instrument and all associated information current at all times.

3.3 Taxes. Fees are exclusive of any taxes, levies, duties, or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction. Customer will be responsible for paying all such taxes associated with its purchases, except for those taxes based on our net income.

3.4 Overdue Fees. If you fail to pay any Fees, we may suspend your access to the Platform pending payment of such overdue Fees. If you believe that we have charged your payment instrument incorrectly, you must contact us no later than ten (10) days after the date of payment, in order to receive an adjustment or credit. If a payment is not successfully settled, due to expiration, insufficient funds, or otherwise, and you do not promptly update your payment instrument information, (a) we reserve the right to suspend your access to the Platform until such time as payment is successfully settled, including past due payments, if any, and (b) you authorize us to continue charging your payment instrument, as it may be updated. If your use of the Platform exceeds the capacities or limits specified in the Order, you authorize Rising Team to charge such additional fees to your payment instrument.

3.5 Adding and Removing Team Members. Team Leaders may add or remove Team Members from a Team at any time through the Platform (provided the number of Team Members in each Team does not exceed the number specified in the Order).

3.6 New Services. During the Subscription Period we may offer new services or modules that are not included in the subscription plan you purchased; you may choose to purchase new Platform or modules through the Platform as they become available but will not be required to do so.


4. TERM AND TERMINATION

4.1 Agreement Term. This Agreement will start on the Subscription Start Date specified in the Order and terminate when your Subscription Period ends (the “Subscription Period”).

4.2 Auto-Renewal. Your subscription to the Platform will automatically renew for additional periods equal to one (1) year or a period equal to your Subscription Period, whichever is shorter. Either party may choose not to renew your subscription to the Platform. If we choose not to renew your subscription, we will notify you and terminate your access to the Platform at the end of your then-current Subscription Period.  You must notify us no less than thirty (30) days prior to the end of your Subscription Period to avoid automatic renewal.

4.3 Termination. Either party may terminate the subscription to the Platform on written notice to the other party if the other party materially breaches the Agreement and such breach is not cured within thirty (30) days after the non-breaching party provides written notice of such breach.

4.4 Effect of Termination. If these Terms terminate for any reason, other than a material breach by Rising Team, you authorize us to charge your payment instrument or bill you for any unpaid Fees covering the remainder of the then-current Subscription Period. In no event will any termination, other than for a material breach by Rising Team, relieve Customer of the obligation to pay any Fees payable to us. Upon any termination of the Agreement, all rights granted hereunder will immediately terminate and you will no longer have the right to access or use the Platform.

4.5 Survival. Sections 3, 4.4, 5, 7.3, 9, 10, 14-21 will survive any termination or expiration of this Agreement.

5. INTELLECTUAL PROPERTY

5.1 Ownership of Rising Team Materials. Rising Team owns the Platform and the Content (collectively the “Rising Team Materials”). Rising Team retains all right, title and interest (including, without limitation, all patent, copyright, trademarks, trade secret and other intellectual property rights) in and to the Rising Team Materials, all related and underlying technology and any updates, enhancements, upgrades, modifications, patches, workarounds, and fixes thereto and all derivative works of or modifications to any of the foregoing. There are no implied licenses under the Agreement and any rights not expressly set forth in the Agreement are hereby expressly reserved by Rising Team. The Content is licensed, and not sold, to you. This license does not give you any right to resell the Content in any manner.

5.2 Ownership of Team Member Information. As between Rising Team and Customer, Customer will own all Team Member Information.

5.3 License to Team Member Information. By submitting, posting, storing, or otherwise making Team Member Information available through the Platform, Customer grants us, and represents and warrants that it has all rights necessary to grant (including without limitation any necessary consents and authorizations from individual persons identified in the Team Member Information and licenses from third-parties whose content is included in the Team Member Information), a royalty-free, sublicensable (as necessary to subprocessors), non-transferable (except permitted under Assignment), non-exclusive, worldwide license to use, host, store, reproduce, modify (e.g., to make sure your Team Member Information displays properly through our Platform), publish, list information regarding, translate, distribute (to Customer’s Team Members), display (to Customer’s Team Members), in any form, media, or technology, whether now known or hereafter developed, solely as necessary to provide you with the Platform and as otherwise specified in Section 5.4.

5.4 Anonymized Data. Rising Team may anonymize the Team Member Information such that no personal identifying information of the Customer or a Team Member is revealed (“Anonymized Data”).  Rising Team is free to use the Anonymized Data to analyze, improve and support the Platform and otherwise for any business purpose during and after the term of this Agreement, including without limitation to generate industry benchmark or best practice guidance, identify trends and/or produce reports for distribution by Rising Team.

5.5 Feedback. You may from time to time provide suggestions, comments or other feedback with respect to the Platform (“Feedback”). For the avoidance of doubt, Feedback will only refer to suggestions, comments or other feedback provided to Rising Team regarding the Platform and will not include your personal data.  Rising Team may want to incorporate this Feedback into its Platform and this clause provides us with the necessary license to do so.  You hereby grant to us and our assigns a royalty-free, fully paid, worldwide, perpetual, irrevocable, fully transferable and sublicensable right and license to use, disclose, reproduce, modify, create derivative works from, distribute, display and otherwise distribute and exploit any Feedback as we see fit, entirely without obligation or restriction of any kind, except that Rising Team will not identify you as the provider of such Feedback.


6. CONFIDENTIALITY AND DATA SECURITY

6.1 Definition. Each party (“Disclosing Party”) may disclose “Confidential Information” to the other party (“Receiving Party”) in connection with this Agreement, which is anything that is marked as “Confidential or Proprietary” or reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure including all Orders, as well as non-public business, product, technology and marketing information. Confidential Information of Rising Team includes the Rising Team Materials. Confidential Information of Customer includes Team Member Information. Notwithstanding the above, Confidential Information does not include information that (a) is or becomes generally available to the public without breach of any obligation owed to the Disclosing Party; (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) was independently developed by the Receiving Party without use or reference to the Disclosing Party’s Confidential Information.

6.2 Protection and Use of Confidential Information. The Receiving Party will (a) protect the Disclosing Party’s Confidential Information using the same degree of care used to protect its own confidential or proprietary information of like importance, but in any case using no less than a reasonable degree of care, (b) limit access to the Confidential Information to those employees, affiliates, subprocessors, agents, consultants, legal advisors, financial advisors, and contractors (“Representatives”) who need to know such information in connection with this Agreement and who are bound by  confidentiality and non-use obligations just as protective of the Disclosing Party’s Confidential Information as the terms of this Agreement; (c) except as expressly set forth herein, will not disclose any of Disclosing Party’s Confidential Information to any third parties without the Disclosing Party’s prior written consent; and (d) will not use the Disclosing Party’s Confidential Information for any purpose other than to fulfill its obligations under this Agreement. Nothing above will prevent either party from sharing Confidential Information with financial and legal advisors; provided that the advisors are bound to confidentiality obligations at least as restrictive as those in this Agreement.

6.3 Compelled Access or Disclosure. The Receiving Party may access or disclose Confidential Information of the Disclosing Party if it is required by law; provided, however, that the Receiving Party gives the Disclosing Party prior notice of the compelled access or disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the access or disclosure.

6.4 Privacy and Data Protection. Rising Team collects and uses information relating to users of our Platform and performance of our websites and products, including information which identifies or is associated with you or your Team Members (“Personal Information”), in accordance with its privacy policy, the current version of which is located at www.risingteam.com/privacy (“Privacy Policy”).  The parties agree to the terms of the Data Protection Addendum attached hereto as Annex 2 (“DPA”).


7. WARRANTIES.

7.1 By Rising Team. Rising Team warrants that during the applicable Subscription Period (a) the Platform shall perform materially in accordance with the applicable documentation; and (b) Rising Team shall not materially decrease the functionality of the Platform.

7.2 By Customer. Customer warrants that (a) this Agreement is legally binding upon it and enforceable in accordance with its terms; (b) it has obtained all legally required consents and permissions from Team Members for the submission and processing of Team Member Information personal data through the Platform; and (c) the transfer and processing of Team Member Information under the Agreement is lawful.

7.3 Disclaimer. EXCEPT AS PROVIDED IN SECTION 7.1, THE RISING TEAM MATERIALS AND CONTENT AVAILABLE THROUGH THE PLATFORM ARE PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS, WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED AND RISING TEAM DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, RELATING TO THE PLATFORM AND ALL CONTENT AVAILABLE THROUGH THE PLATFORM, INCLUDING: (A) ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, OR NON-INFRINGEMENT; AND (B) ANY WARRANTY ARISING OUT OF COURSE OF DEALING, USAGE, OR TRADE. THE RISING TEAM ENTITIES DO NOT WARRANT THAT THE PLATFORM OR ANY PORTION OF THE PLATFORM, OR ANY MATERIALS OR CONTENT OFFERED THROUGH THE PLATFORM, WILL BE UNINTERRUPTED, SECURE, OR FREE OF ERRORS, VIRUSES, OR OTHER HARMFUL COMPONENTS, AND DO NOT GUARANTEE THAT ANY OF THOSE ISSUES WILL BE CORRECTED.


8. INDEMNIFICATION.

8.1 By Customer. Customer shall defend Rising Team, its affiliates, and their employees, officers, and directors (together, the “Rising Team Indemnified Parties”) from and against third-party claims, actions, and demands arising from  Team Member Information, unauthorized use of the Platform by Customer or Team Members, or allegations that Rising Team’s processing of data pursuant to Customer’s instructions or information or data provided by Customer  infringes a third party’s Intellectual Property Right or privacy right (each, a “Claim Against Rising Team”), and Customer shall indemnify and hold the Rising Team Indemnified Parties harmless against any damages, reasonable attorneys’ fees, and costs finally awarded against Rising Team Indemnified Parties as a result of, or for any amounts paid by the Rising Team Indemnified Parties under a Customer-approved settlement of, a Claim Against Rising Team.

8.2 By Rising Team. Rising Team shall defend Customer, its affiliates, and their employees, officers, and directors (together the “Customer Indemnified Parties”) from and against third-party claims, actions, and demands alleging that Customer’s authorized use of the Platform infringes or misappropriates any copyright, trade secret, U.S. patent, or trademark right of that third party (each, a “Claim Against Customer”), and Rising Team shall indemnify and hold the Customer Indemnified Parties harmless against any damages, reasonable attorneys’ fees, and costs finally awarded against Customer Indemnified Parties as a result of, or for any amounts paid by the Customer Indemnified Parties under a Rising Team-approved settlement of, a Claim Against Customer; provided, however, in no event will Rising Team have any obligations or liability under this Section 8.2 to the extent a Claim Against Customer arises from: (a) Customer or any Team Member’s use of the Platform other than as permitted under this Agreement; (b) Customer specifications, or (c) use of the Platform in a modified form or in combination with products, services, content, or data not furnished to Customer by Rising Team.

8.3 Potential Infringement. If the Platform becomes, or in Rising Team’s reasonable judgment is likely to become, the subject of a claim of infringement, then Rising Team may in its sole discretion: (a) obtain the right, at Rising Team’s expense, for Customer to continue using the Platform; (b) provide a non-infringing functionally equivalent replacement; or (c) modify the Platform so that it is no longer infringing. If Rising Team, in its sole and reasonable judgment, determines that none of the above options are commercially reasonable, then Rising Team may suspend or terminate Customer’s use of the Platform, in which case Rising Team’s sole liability (in addition to its obligations under Section 8.2) shall be to provide Customer with a prorated refund of any prepaid, unused fees applicable to the remaining portion of the Subscription Period. Sections 8.2 and 8.3 state Rising Team’s sole liability and the Customer Indemnified Parties’ exclusive remedy for infringement claims.

8.4 Indemnification Process. The party seeking indemnification shall provide prompt notice to the indemnifying party concerning the existence of an indemnifiable claim and shall promptly provide the indemnifying party with all information and assistance reasonably requested and otherwise cooperate fully with the indemnifying party in defending the claim. Failure to give prompt notice shall not constitute a waiver of a party’s right to indemnification and shall affect the indemnifying party’s obligations under this Agreement only to the extent that the indemnifying party’s rights are materially prejudiced by such failure or delay. As a condition to the indemnification obligation, the indemnified party shall provide the indemnifying party with full control and authority over the defense and settlement of any claim; provided, however, that any settlement requiring the party seeking indemnification to admit liability or make any financial payment shall require such party’s prior written consent, not to be unreasonably withheld or delayed.


9. LIABILITY.

9.1 Limitation of Liability. EXCEPT FOR (A) AMOUNTS PAID TO A THIRD-PARTY CLAIMANT PURSUANT TO A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8 (“INDEMNIFICATION”), (B) BREACH BY CUSTOMER OF SECTION 2.4 (“LICENSE RESTRICTIONS”), (C) MISAPPROPRIATION OF THE INTELLECTUAL PROPERTY OF THE OTHER PARTY, (D) BREACH BY A PARTY OF SECTION 6.1 THROUGH 6.3 (“CONFIDENTIALITY”) OTHER THAN WITH RESPECT TO TEAM MEMBER INFORMATION OR (E) ENHANCED LIABILITY AS PROVIDED IN SECTION 9.3, IN NO EVENT SHALL EITHER PARTY’S AND ITS AFFILIATES’ AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID OR PAYABLE BY CUSTOMER HEREUNDER IN THE 12 MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO LIABILITY (“GENERAL CAP”).

9.2 Exclusion of Consequential and Related Damages. EXCEPT FOR (A) AMOUNTS PAID TO A THIRD-PARTY CLAIMANT PURSUANT TO A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8, (B) BREACH BY CUSTOMER OF SECTION 2.4 (“LICENSE RESTRICTIONS”), (C) MISAPPROPRIATION OF THE INTELLECTUAL PROPERTY OF THE OTHER PARTY, (D) BREACH BY A PARTY OF SECTION 6.1 THROUGH 6.3 (“CONFIDENTIALITY”) OTHER THAN WITH RESPECT TO TEAM MEMBER INFORMATION OR (E) ENHANCED LIABILITY AS PROVIDED IN SECTION 9.3, IN NO EVENT SHALL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, OR LOSS OF USE, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES HOWEVER CAUSED. THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.

9.3 Limitation of Enhanced Liability.  THE LIMITS IN SECTIONS 9.1 AND 9.2 SHALL NOT APPLY TO LIABILITY FOR A PARTY’S BREACH OF ITS OBLIGATIONS UNDER THE DPA AND/OR SECTION 6.1 THROUGH 6.3 (“CONFIDENTIALITY”) WITH RESPECT TO TEAM MEMBER INFORMATION (COLLECTIVELY, “ENHANCED LIABILITY”). A PARTY’S AND ITS AFFILIATES’ AGGREGATE ENHANCED LIABILITY SHALL NOT EXCEED TWO TIMES THE GENERAL CAP.

9.4 Limits Apply. THE WAIVERS AND LIMITATIONS IN THIS SECTION 9 APPLY REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR UNDER ANY OTHER THEORY OF LIABILITY AND WHETHER OR NOT A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF THE DAMAGES LIMITED BY SUCH WAIVERS AND LIMITATIONS, AND EVEN IF ANY LIMITED REMEDY IN THIS AGREEMENT FAILS OF ITS ESSENTIAL PURPOSE. The provisions of this Section 9 allocate the risks under this Agreement between the parties, and the parties have relied on these limitations in determining whether to enter into this Agreement.


10. EXPORT COMPLIANCE. The Platform may be subject to export laws and regulations of the United States and other jurisdictions. Customer represents that neither it nor any of the Team Members are named on any U.S. government denied-party list. Customer shall not permit any Team Member to access or use any Platform in a U.S.-embargoed country or region or in violation of any U.S. export law or regulation. Customer and the Team Members shall not use the Platform to export, re-export, transfer, or make available, whether directly or indirectly, any regulated item or information to anyone outside the U.S. in connection with this Agreement without first complying with all export control laws and regulations that may be imposed by the U.S. Government and any country or organization of nations within whose jurisdiction Customer operates or does business.

11. PUBLICITY. For corporate customers, Customer grants us the right to use the Customer name and logo as a reference for marketing or promotional purposes on our website and in other public or private communications with our existing or potential customers, subject to Customer’s standard trademark usage guidelines as provided to us from time-to-time.

12. MODIFICATION OF THESE TERMS.  We reserve the right, at our discretion, to change these Terms on a going-forward basis at any time. If a change to these Terms materially modifies your rights or obligations, you will be notified of the changes, and may be required to accept the modified Terms in order to continue to use the Platform. Material modifications are effective upon your acceptance of the modified Terms.   Immaterial modifications are effective upon publication. Disputes arising under these Terms will be resolved in accordance with the version of these Terms that was in effect at the time the dispute arose.

13. FORCE MAJEURE. Except for Customer’s payment obligations hereunder, neither Rising Team nor Customer will be liable by reason of any failure or delay in the performance of its obligations on account of events beyond the reasonable control of a party, which may include denial-of-service or other cyber-attacks, a failure by a third-party hosting provider or utility provider, strikes, shortages, pandemics, riots, fires, acts of God, war, terrorism, and governmental action.

14. RELATIONSHIP OF THE PARTIES. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties.

15. EMAIL COMMUNICATIONS. All notices under the Agreement will be provided by email, although we may instead choose to provide notice to Customer through the Platform. Notices to us must be sent to support@risingteam.com except for legal notices, such as notices of termination, which must be sent to the address shown in the last paragraph below. Notices will be deemed to have been duly given (a) the business day after it is sent, in the case of notices through email; and (b) the same day, in the case of notices through the Platform.

16. AMENDMENT AND WAIVERS. Subject to Section 12, we may change these Terms and the other components of the Agreement except the terms of your subscription to the Platform from time to time. If we make a material change to the Agreement, we will provide you with reasonable notice prior to the change taking effect, either by emailing the email address associated with your account or by messaging you through the Platform. You can review the most current version of the Terms at any time by visiting this page and by visiting the most current versions of the other pages that are referenced in the Agreement. The materially revised Agreement will become effective on the date set forth in our notice, and all other changes will become effective upon posting of the change. If you (or any Authorized User) accesses or uses the Platform after the effective date, that use will constitute Customer’s acceptance of any revised terms and conditions.

17. SEVERABILITY. This Agreement will be enforced to the fullest extent permitted under applicable law. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement will remain in effect.

18. GOVERNING LAW.  These Terms are governed by the laws of the State of California without regard to conflict of law principles. If a lawsuit or court proceeding is permitted under these Terms, then you and Rising Team agree to submit to the personal and exclusive jurisdiction of the state courts and federal courts located within Santa Clara County, California for the purpose of litigating any dispute. We operate the Platform from our offices in California, and we make no representation that the Content included in the Platform is appropriate or available for use in other locations.

19. ASSIGNMENT. Neither party will assign or delegate any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety, without consent of the other party, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of such party’s assets. Any purported assignment in violation of this section is void. Subject to the foregoing, the Agreement will bind and inure to the benefit of the parties, their respective successors and permitted assigns.

20. ENTIRE AGREEMENT.  This Agreement, including the applicable Orders and all documents referenced therein, constitutes the entire agreement between the parties with respect to its subject matter and replaces any prior understandings, written or oral. No terms, provisions or conditions of any purchase order, invoice or other business form or written authorization used by Customer will have any effect on the rights, duties or obligations of the parties under, or otherwise modify, this Agreement or an Order regardless of any failure of Rising Team to object to such terms, provisions or conditions, even if such document is signed by the parties.

21.   CONTACT INFORMATION

The Platform is offered by Rising Team, Inc., located at 700 El Camino Real, Suite 120 PMB 1402, Menlo Park, CA 94025. You may contact us by sending correspondence to that address or by emailing us at support@risingteam.com.

ANNEX 1

ACCEPTABLE USE POLICY

This Acceptable Use Policy applies to Rising Team’s (a) websites (including without limitation app.risingteam.com, www.risingteam.com and any successor URLs, mobile or localized versions and related domains and subdomains) and (b) the Rising Team enterprise platform offering ((a) and (b) collectively, “Services”). To keep the Services running safely and smoothly, we need our users to agree not to misuse them. Specifically, you agree not to:

  1. use the Services for any illegal purpose or in violation of any laws (including without limitation data, privacy and export control laws);
  2. use the Services to violate the privacy of others, or to collect or gather other users’ personal information (including account information) from our Services other than as necessary to use the Services;
  3. sell or share any information you receive from the Services (including any personal information of Team Members) other than as necessary to use the Services in normal operation;
  4. use the Services to stalk, harass, bully or post threats of violence against others;
  5. submit (or post, upload, share or otherwise provide) data, content or other information that (i) infringes Rising Team’s or a third party’s intellectual property, privacy or other rights or that you don’t have the right to submit (including confidential or personal information you are not authorized to disclose); (ii) that is deceptive, fraudulent, illegal, obscene, defamatory, libelous, threatening, harmful to minors, pornographic, indecent, harassing, hateful, religiously, racially or ethnically offensive, that encourages illegal or tortious conduct or that is otherwise inappropriate in Rising Team’s discretion; (iii) contains viruses, bots, worms, scripting exploits or other similar materials; or (iv) that could otherwise cause damage to Rising Team or any third party;
  6. probe, scan, or test the vulnerability of any system or network used with the Services;
  7. tamper with, reverse engineer or hack the Services, circumvent any security or authentication measures of the Services or attempt to gain unauthorized access to the Services (or any portion thereof) or related systems, networks or data;
  8. modify or disable the Services or use the Services in any manner that interferes with or disrupts the integrity or performance of the Services or related systems, network or data;
  9. access or search the Services by any means other than our publicly supported interfaces, or copy, distribute, or disclose any part of the Service (including any content of the Service) in any medium, including without limitation by any automated or non-automated “scraping”;
  10. overwhelm or attempt to overwhelm our infrastructure by imposing an unreasonably large load on the Services that consume extraordinary resources, such as by: (i) using “robots,” “spiders,” “offline readers” or other automated systems to send more request messages to our servers than a human could reasonably send in the same period of time using a normal browser; or (ii) going far beyond the use parameters for any given Service as described in its corresponding documentation;
  11. use the Services to generate or send unsolicited communications, advertising or spam;
  12. misrepresent yourself or disguise the origin of any data, content or other information you submit (including by “spoofing”, “phishing”, manipulating headers or other identifiers, impersonating anyone else, or falsely implying any sponsorship or association with Rising Team or any third party) or access the Services via another user’s account without their permission;
  13. permit or encourage anyone else to commit any of the actions above;
  14. use any artificial intelligence features of the Services or their outputs (i) in a manner that may result in unlawful discrimination, including any unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their membership in a protected class under applicable law, (ii) without giving all disclosures required by law that such outputs were not generated by humans, (iii) without human review of such outputs, including for accuracy and to ensure they are appropriate, (iv) for automated decisions that have legal or other significant effects on individuals, including with respect to the provision or denial to the individual, or the cost or terms of, education enrollment/opportunities, employment or employment opportunities, financial or lending services, essential government services, health care services, housing, insurance or legal services, or (v) in a manner that would cause such features or the Services to be classified as a “high risk” artificial intelligence system or with a similar designation under laws regulating artificial intelligence systems.

Without affecting any other remedies available to us, Rising Team may permanently or temporarily terminate or suspend a user’s account or access to the Services without notice or liability if Rising Team (in its sole discretion) determines that a user has violated this Acceptable Use Policy.

ANNEX 2

Data Protection Addendum

DPA Setup Page

The Bonterms Data Protection Addendum (DPA) (Version 1.0) available at https://bonterms.com/forms/data-protection-addendum-v1/ (“Bonterms Data Protection Addendum”) is incorporated by this reference and forms part of the Agreement. A reference copy of the Bonterms Data Protection Addendum is attached as Exhibit A to this Annex 2 (Data Protection Addendum). The DPA includes the contents of this DPA Setup Page, including the Key Terms, any Additional Terms, and the Schedules set forth below. Capitalized terms not defined in this DPA Setup Page have the meanings given in the Bonterms Data Protection Addendum.

Key Terms

DPA Effective Date: Subscription Start Date identified in the Order.  

Subprocessor List: https://risingteam.com/subprocessor-list 

Additional Terms

The following additions to or modifications of the Bonterms Data Protection Addendum are agreed by the parties and control in the event of any conflicts: 

  1. “Agreement” means the Agreement into which this Annex 2 is incorporated.
  2. “Cloud Service” means Rising Team’s provision of the Platform (as defined in the Agreement). 
  3. “DPA Effective Date” means the Subscription Start Date specified in the Order (as defined in the Agreement) or the date of online registration.
  4. “Customer Data” means Team Member Information (as defined in the Agreement).
  5. “Provider” means Rising Team (as defined in the Agreement).
  6. “Specified Notice Period” is the later of 2 business days or 72 hours.  
  7. “Subscription Term” means the Subscription Period (as defined in the Agreement).
  8. The terms of this DPA apply solely with respect to Rising Team’s Processing of Customer Personal Data subject to Data Protection Laws expressly requiring data protection terms to be included in this Agreement.

Schedules

The following Schedules are incorporated into this DPA and attached hereto: 

Schedule 1: Subject Matter and Details of Processing

Schedule 2: Technical and Organizational Measures

Schedule 3: Cross-Border Transfer Mechanisms 

Schedule 4: Region-Specific Terms 

Schedule 1 to DPA Setup Page

Subject Matter and Details of Data Processing

Name, contact details for data protection, and main address: Each party’s name, contact details, and main address are as set out in the Order (as defined in the Agreement) or online registration.

Activities: See the Customer/Data Exporter website identified in the Order or associated with Customer’s email address domain, and the Provider/Data Importer website at risingteam.com for descriptions of their respective activities.

Role: Customer/Data Exporter is Controller and Provider/Data Importer is Processor. 

Categories of Data Subjects: Team Members (as defined in the Agreement) 

Categories of Customer Personal Data: Team Member Information (as defined in the Agreement)

Sensitive Categories of Data and additional associated restrictions/safeguards: None

Frequency of transfer: Continuous

Nature of the Processing: Provision of cloud-based leadership development and team building platform 

Purpose of the Processing: Provision of the Platform (as defined in the Agreement)

Duration of Processing / retention period: Duration of the Subscription Period (as defined in the Agreement)

Transfers to Subprocessors: To Subprocessors identified in Subprocessor List in the DPA Setup Page

Schedule 2 to DPA Setup Page

Technical and Organizational Measures

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Rising Team’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Rising Team’s organization, monitoring and maintaining compliance with Rising Team’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  3. Data security controls that include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.
  4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
  5. Password controls designed to manage and control password strength, expiration and usage.
  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
  7. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Rising Team’s possession.
  8. Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Rising Team’s technology and information assets.
  9. Incident management procedures designed to allow Rising Team to investigate, respond to, mitigate, and notify of events related to Rising Team’s technology and information assets.
  10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
  11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.

Schedule 3 to DPA Setup Page 

Cross-Border Transfer Mechanisms

  1. Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.
    1. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
    2. “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.
    3. In addition:

“Designated EU Governing Law” means Laws of Ireland

“Designated EU Member State” means Ireland

  2. EU Transfers. Where Customer Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:
    1. The EU SCCs are hereby incorporated by reference as follows:
      1. Module 2 (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Provider is a Processor of Customer Personal Data;
      2. Module 3 (Processor to Processor) applies where Customer is a Processor of Customer Personal Data (on behalf of a third-party Controller) and Provider is a Processor of Customer Personal Data;
      3. Customer is the "data exporter" and Provider is the "data importer"; and
      4. by entering this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.  
    2. For each Module, where applicable the following applies:
      1. the optional docking clause in Clause 7 does not apply;
      2. in Clause 9, Option 2 will apply, the minimum period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA;
      3. in Clause 11, the optional language does not apply;
      4. in Clause 13, all square brackets are removed with the text remaining;
      5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Designated EU Governing Law;
      6. in Clause 18(b), disputes will be resolved before the courts of the Designated EU Member State;
      7.  Schedule 1 (Subject Matter and Details of Processing) to this DPA contains the information required in Annex 1 of the EU SCCs; and
      8. Schedule 2 (Technical and Organizational Measures) to this DPA contains the information required in Annex 2 of the EU SCCs.
    3. Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.  
  3. Swiss Transfers. Where Customer Personal Data is protected by the FADP and is subject to a Restricted Transfer, the following applies:
    1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
      1. in Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;
      2. in Clause 17 (Option 1), the EU SCCs will be governed by the laws of Switzerland;
      3. in Clause 18(b), disputes will be resolved before the courts of Switzerland;
      4. the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c); and
      5. all references to the EU GDPR in this DPA are also deemed to refer to the FADP.
  4. UK Transfers. Where Customer Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:
    1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
      1. each party shall be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119 (A) of the Data Protection Act 2018;
      2. the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Customer Personal Data; 
      3. in Table 1 of the UK Addendum, the parties’ key contact information is in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
      4. in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule 3;
      5. in Table 3 of the UK Addendum:
        1. the list of parties is in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
        2. the description of transfer is in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
        3. Annex II is in Schedule 2 (Technical and Organizational Measures) to this DPA; and
        4. the list of Subprocessors is in Schedule 1 (Subject Matter and Details of Processing) to this DPA.
      6. in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and
      7. in Part 2: Part 2 - Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119 (A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses.
  5. Data Privacy Framework. For clarity, a transfer of Customer Personal Data from the EU, UK or Switzerland to Provider in the United States subject to the EU-U.S. Data Privacy Shield Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Shield Framework, as applicable (collectively, the "DPF"), shall not constitute a Restricted Transfer so long as Provider maintains an active certification to the DPF and certification to the DPF remains a legal basis for transfer of Personal Data to the United States under the GDPR, UK GDPR or FADP, as applicable.

Schedule 4 to DPA Setup Page

Region-Specific Terms

  1. CALIFORNIA
  1. Definitions. CCPA and other capitalized terms not defined in this Schedule are defined in the DPA.
    1. “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA.
    2. The definition of “Data Subject” includes “consumer” as defined under the CCPA.
    3. The definition of “Controller” includes “business” as defined under the CCPA.
    4. The definition of “Processor” includes “service provider” as defined under the CCPA.
  2. Obligations.
    1. Customer is providing the Customer Personal Data to Provider under the Agreement for the limited and specific business purposes of providing the Cloud Service as described in Schedule 1 (Subject Matter and Details of Processing) to this DPA and otherwise performing under the Agreement. 
    2. Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as is required by the CCPA.
    3. Provider acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 9 (Audits) of this DPA to help to ensure that Provider’s use of Customer Personal Data is consistent with Customer’s obligations under the CCPA, (ii) receive from Provider notice and assistance under Section 7 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data. 
    4. Provider will notify Customer promptly after it determines that it can no longer meet its obligations under the CCPA.
    5. Provider will not retain, use or disclose Customer Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4 or (ii) outside of the direct business relationship between Provider with Customer, except, in either case, where and to the extent permitted by the CCPA. 
    6. Provider will not sell or share Customer Personal Data received under the Agreement.
    7. Provider will not combine Customer Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA. 


Exhibit A to Annex 2 (Data Protection Addendum)

Reference Copy

Bonterms Data Protection Addendum 

(Version 1.0)

This Data Protection Addendum (“DPA”) is an Attachment to the Agreement. Customer and Provider enter into this DPA by executing a DPA Setup Page. Capitalized terms not defined in this DPA are defined in the Agreement or DPA Setup Page.

1. Definitions.

1.1.  “Agreement” means the Agreement between Customer and Provider incorporating the Bonterms Cloud Terms which is specified on the DPA Setup Page.

1.2.  “Audit” and “Audit Parameters” are defined in Section 9.3 below.

1.3.  “Audit Report” is defined in Section 9.2 below.

1.4.  “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

1.5.  “Customer Instructions” is defined in Section 3.1 below.

1.6.  “Customer Personal Data” means Personal Data in Customer Data (as defined in the Agreement).

1.7.  “Data Protection Laws” means all laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder (“CCPA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection (“FADP”), (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) and (v) the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time.

1.8. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

1.9. “DPA Effective Date” is specified on the DPA Setup Page.

1.10. “DPA Setup Page” means a separate document executed by Customer and Provider which causes this DPA to become an Attachment to their Agreement.

1.11. “EEA” means European Economic Area.

1.12. “Key Terms” means Agreement, DPA Effective Date and Subprocessor List as specified by the parties on the DPA Setup Page.

1.13. “Personal Data” means information about an identified or identifiable natural person or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Data Protection Laws.

1.14. “Processing” and inflections thereof refer to any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.15. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

1.16. “Restricted Transfer” means: (i) where EU GDPR applies, a transfer of Customer Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination, (ii) where UK GDPR applies, a transfer of Customer Personal Data from the United Kingdom to any other country that is not subject to an adequacy determination or (iii) where FADP applies, a transfer of Customer Personal Data from Switzerland to any other country that is not subject to an adequacy determination.

1.17. “Schedules” means one or more schedules incorporated by the parties in their DPA Setup Page. The default Schedules for this DPA are:

Schedule 1 Subject Matter and Details of Processing

Schedule 2 Technical and Organizational Measures

Schedule 3 Cross-Border Transfer Mechanisms

Schedule 4 Region-Specific Terms

1.18. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by Provider.

1.19. “Specified Notice Period” is 48 hours.

1.20. “Subprocessor” means any third party authorized by Provider to Process any Customer Personal Data.

1.21. “Subprocessor List” means the list of Provider’s Subprocessors as identified or linked to on the DPA Setup Page.

2. Scope and Duration.

2.1.  Roles of the Parties. This DPA applies to Provider as a Processor of Customer Personal Data and to Customer as a Controller or Processor of Customer Personal Data.

2.2.  Scope of DPA. This DPA applies to Provider’s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.

2.3.  Duration of DPA. This DPA commences on the DPA Effective Date and terminates upon expiration or termination of the Agreement (or, if later, the date on which Provider has ceased all Processing of Customer Personal Data).

2.4.  Order of Precedence. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any Standard Contractual Clauses or other measures to which the parties have agreed in Schedule 3 (Cross-Border Transfer Mechanisms) or Schedule 4 (Region-Specific Terms), (2) this DPA and (3) the Agreement. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA (including its Schedules) will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Agreement.

3. Processing of Personal Data.

3.1.  Customer Instructions.

(a) Provider will Process Customer Personal Data as a Processor only: (i) in accordance with Customer Instructions or (ii) to comply with Provider’s obligations under applicable laws, subject to any notice requirements under Data Protection Laws.

(b) “Customer Instructions” means: (i) Processing to provide the Cloud Service and perform Provider’s obligations in the Agreement (including this DPA) and (ii) other reasonable documented instructions of Customer consistent with the terms of the Agreement.

(c) Details regarding the Processing of Customer Personal Data by Provider are set forth in Schedule 1 (Subject Matter and Details of Processing).

(d) Provider will notify Customer if it receives an instruction that Provider reasonably determines infringes Data Protection Laws (but Provider has no obligation to actively monitor Customer’s compliance with Data Protection Laws).

3.2.  Confidentiality.

(a) Provider will protect Customer Personal Data in accordance with its confidentiality obligations as set forth in the Agreement.

(b) Provider will ensure personnel who Process Customer Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.

3.3.  Compliance with Laws.

(a) Provider and Customer will each comply with Data Protection Laws in their respective Processing of Customer Personal Data.

(b) Customer will comply with Data Protection Laws in its issuing of Customer Instructions to Provider. Customer will ensure that it has established all necessary lawful bases under Data Protection Laws to enable Provider to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects.

3.4.  Changes to Laws. The parties will work together in good faith to negotiate an amendment to this DPA as either party reasonably considers necessary to address the requirements of Data Protection Laws from time to time.

4. Subprocessors.

4.1.  Use of Subprocessors.

(a) Customer generally authorizes Provider to engage Subprocessors to Process Customer Personal Data. Customer further agrees that Provider may engage its Affiliates as Subprocessors.

(b) Provider will: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this DPA and (ii) remain liable for compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause Provider to breach any of its obligations under this DPA.

4.2.  Subprocessor List. Provider will maintain an up-to-date list of its Subprocessors, including their functions and locations, as specified in the Subprocessor List.

4.3.  Notice of New Subprocessors. Provider may update the Subprocessor List from time to time. At least 30 days before any new Subprocessor Processes any Customer Personal Data, Provider will add such Subprocessor to the Subprocessor List and notify Customer through email or other means specified on the DPA Setup Page.

4.4. Objection to New Subprocessors.

(a) If, within 30 days after notice of a new Subprocessor, Customer notifies Provider in writing that Customer objects to Provider’s appointment of such new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith.

(b) If the parties are unable to reach a mutually agreeable resolution to Customer’s objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Order for the affected Cloud Service for convenience and Provider will refund any prepaid, unused fees for the terminated portion of the Subscription Term.

5. Security.

5.1.  Security Measures. Provider will implement and maintain reasonable and appropriate technical and organizational measures, procedures and practices, as appropriate to the nature of the Customer Personal Data, that are designed to protect the security, confidentiality, integrity and availability of Customer Personal Data and protect against Security Incidents, in accordance with Provider’s Security Measures referenced in the Agreement and as further described in Schedule 2 (Technical and Organizational Measures). Provider will regularly monitor its compliance with its Security Measures and Schedule 2 (Technical and Organizational Measures).

5.2.  Incident Notice and Response.

(a) Provider will implement and follow procedures to detect and respond to Security Incidents.

(b) Provider will: (i) notify Customer without undue delay and, in any event, not later than the Specified Notice Period, after becoming aware of a Security Incident affecting Customer and (ii) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Provider’s reasonable control.

(c) Upon Customer’s request and taking into account the nature of the applicable Processing, Provider will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws.

(d) Customer acknowledges that Provider’s notification of a Security Incident is not an acknowledgement by Provider of its fault or liability.

(e) Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

5.3.  Customer Responsibilities.

(a) Customer is responsible for reviewing the information made available by Provider relating to data security and making an independent determination as to whether the Cloud Service meets Customer’s requirements and legal obligations under Data Protection Laws.

(b) Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents.

6. Data Protection Impact Assessment.

Upon Customer’s request and taking into account the nature of the applicable Processing, to the extent such information is available to Provider, Provider will assist Customer in fulfilling Customer’s obligations under Data Protection Laws to carry out a data protection impact or similar risk assessment related to Customer’s use of the Cloud Service, including, if required by Data Protection Laws, by assisting Customer in consultations with relevant government authorities.

7. Data Subject Requests.

7.1.  Assisting Customer. Upon Customer’s request and taking into account the nature of the applicable Processing, Provider will assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer’s obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Cloud Service).

7.2.  Data Subject Requests. If Provider receives a request from a Data Subject in relation to the Data Subject’s Customer Personal Data, Provider will notify Customer and advise the Data Subject to submit the request to Customer (but not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws), and Customer will be responsible for responding to any such request.

8. Data Return or Deletion.

8.1.  During Subscription Term. During the Subscription Term, Customer may, through the features of the Cloud Service or such other means specified on the DPA Setup Page, access, return to itself or delete Customer Personal Data.

8.2.  Post Termination.

(a) Following termination or expiration of the Agreement, Provider will, in accordance with its obligations under the Agreement, delete all Customer Personal Data from Provider’s systems.

(b) Deletion will be in accordance with industry-standard secure deletion practices. Provider will issue a certificate of deletion upon Customer’s request.

(c) Notwithstanding the foregoing, Provider may retain Customer Personal Data: (i) as required by Data Protection Laws or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Provider will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Customer Personal Data and (y) not further Process retained Customer Personal Data except for such purpose(s) and duration specified in such applicable Data Protection Laws.

9. Audits.

9.1.  Provider Records Generally. Provider will keep records of its Processing in compliance with Data Protection Laws and, upon Customer’s request, make available to Customer any records reasonably necessary to demonstrate compliance with Provider’s obligations under this DPA and Data Protection Laws.

9.2.  Third-Party Compliance Program.

(a) Provider will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Customer upon Customer’s written request at reasonable intervals (subject to confidentiality obligations).

(b) Customer may share a copy of Audit Reports with relevant government authorities as required upon their request.

(c) Customer agrees that any audit rights granted by Data Protection Laws will be satisfied by Audit Reports and the procedures of Section 9.3 (Customer Audit) below.

9.3.  Customer Audit.

(a) Subject to the terms of this Section 9.3, Customer has the right, at Customer’s expense, to conduct an audit of reasonable scope and duration pursuant to a mutually agreed-upon audit plan with Provider that is consistent with the Audit Parameters (an “Audit”).

(b) Customer may exercise its Audit right: (i) to the extent Provider’s provision of an Audit Report does not provide sufficient information for Customer to verify Provider’s compliance with this DPA or the parties’ compliance with Data Protection Laws, (ii) as necessary for Customer to respond to a government authority audit or (iii) in connection with a Security Incident.

(c) Each Audit must conform to the following parameters (“Audit Parameters”): (i) be conducted by an independent third party that will enter into a confidentiality agreement with Provider, (ii) be limited in scope to matters reasonably required for Customer to assess Provider’s compliance with this DPA and the parties’ compliance with Data Protection Laws, (iii) occur at a mutually agreed date and time and only during Provider’s regular business hours, (iv) occur no more than once annually (unless required under Data Protection Laws or in connection with a Security Incident), (v) cover only facilities controlled by Provider, (vi) restrict findings to Customer Personal Data only and (vii) treat any results as confidential information to the fullest extent permitted by Data Protection Laws.

10. Cross-Border Transfers/Region-Specific Terms.

10.1.  Cross-Border Data Transfers.

(a) Provider (and its Affiliates) may Process and transfer Customer Personal Data globally as necessary to provide the Cloud Service.

(b) If Provider engages in a Restricted Transfer, it will comply with Schedule 3 (Cross-Border Transfer Mechanisms).

10.2.  Region-Specific Terms. To the extent that Provider Processes Customer Personal Data protected by Data Protection Laws in one of the regions listed in Schedule 4 (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.

Bonterms Data Protection Addendum (DPA) (Version 1.0) © 2022 Bonterms, Inc. Free to use under CC BY 4.0.
