Last updated January 1, 2021.
Reputation.com (UK) LTD Standard Terms of Service (Data Hosted In United States)
These Standard Terms of Service (the “Terms”) govern the provision by Reputation.com UK Ltd. (the “Company”) of subscription licenses to access and use the SaaS services and any other services provided by Company, including Professional Services (“Pro Services”), (collectively, the “Services”) described in each Order Form or other ordering document (the “Order Form”) to its customer (the “Customer”). These Terms and the related Order Form shall collectively be referred to herein as the “Agreement”.
1. LICENSE GRANT AND RESTRICTIONS
1.1 Service Term. The Agreement is a subscription license to access and use, and not a contract of sale for, the Services. The duration of the Services (“Service Term” or “Subscription Term”) is set forth in the Order Form.
1.2 Proprietary Rights. All intellectual property rights in and to the Services and any user documentation related thereto are owned exclusively by Company, including, but not limited to, all patents, copyrights, trade secrets, and trademarks.
1.3 License Grant. Upon Company’s acceptance of Customer’s Order Form and for the duration of the Services Term defined in the Order Form, Customer shall have a nonexclusive, non-assignable (except as set forth in Section 9.7 below), royalty free, worldwide limited right to access and use the Services solely for its internal business operations and subject to the terms of the Agreement. Customer may allow its employees to use the Services for this purpose and Customer shall be responsible for its employees’ compliance with the Agreement.
1.4 License Restrictions. The licenses granted to Customer in this Agreement do not include any right to: (a) damage, disable, or impair the Services or the network(s) connected thereto; (b) copy a Service or any part, feature, function or user interface thereof; (c) modify, reroute, create derivative works of, derive the source code of, reverse engineer, disassemble or tamper with Services, or attempt to do any of the foregoing; (d) permit direct or indirect access to or use of any Services by a third party, (e) take any action that imposes an unreasonably or disproportionately large burden on Company’s infrastructure; (f) violate applicable consumer privacy regulations or applicable law or violate the rights of any third party (including, without limitation, rights of privacy or proprietary rights); (g) disable or circumvent any security features of the Company’s products or Services; or (h) cause or permit any third party to do any of the foregoing.
1.5 Reservation of Rights. All rights not expressly granted to Customer in this Agreement are reserved to Company. No additional rights whatsoever (including, without limitation, any implied licenses) are granted to Customer by implication, estoppel or otherwise. Customer shall not, by virtue of this Agreement or otherwise, acquire any ownership interest or any rights in the Services, any Company trademarks or service marks, or any other Company technology, software (including third party technology and software) or intellectual property, except for the limited use and access rights described herein.
2. FEES AND PAYMENT FOR SERVICES.
2.1 Fees. Customer agrees to pay all fees specified in the Order Form, which unless otherwise stated are exclusive of VAT. Unless otherwise stated in the Order Form, the full annual fee for the Services shall be invoiced upon execution of the Agreement. Payment of all invoices shall be due not later than thirty (30) days after the date of the invoice.
2.2 Taxes, Late Fees and Penalties. Customer shall be responsible for paying any applicable sales or service taxes (including VAT) related to this Agreement. If any payment is not received by its due date, Customer shall be assessed interest on the overdue amount at the rate of 1.0% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid.
2.3 Suspension of Service and Acceleration. If any amount owed by Customer under this Agreement is thirty (30) or more days overdue, the Company may, without limiting other rights and remedies, accelerate Customer’s unpaid fee obligations under this Agreement so that all such obligations become immediately due and payable, and may suspend Services until all such amounts are paid in full. Company will provide at least ten (10) days’ prior notice that Customer’s account is overdue before suspending Services.
2.4 Future Functionality. Customer agrees that its purchases are not contingent on the delivery of any future functionality or features, or dependent on any oral or written public comments made by Company regarding future functionality or features unless this is expressly stated in the Order Form and the future functionality is described.
3. WARRANTIES AND DISCLAIMER.
3.1 Company. The Company represents and warrants that: (a) the Services will be provided in a professional and workmanlike manner consistent with generally accepted industry standards; (b) the Services as delivered to Customer will materially conform to the product descriptions and any specifications set forth in the applicable Order Form; and (c) the Services do not infringe upon the intellectual property rights of any third party.
3.2 Customer. Customer represents and warrants that: (a) all information it provides to Company to perform the Services is accurate; (b) Customer is authorized to provide Company with the customer, patient or end-user information and/or other personal data that it provides in connection with the Services; (c) the Company’s possession and/or use of such customer, patient or end-user personal data will not violate any contract, statute, or regulation; and (d) Customer and persons acting on its behalf, including Company, are authorized and have consent to make or send communications (including emails, SMS and MMS messages) to customers, patients or other end-users at any telephone number, email address, physical address, or other contact source provided by Customer.
3.3 Google Seller Ratings Disclaimer. If Customer is purchasing any Google Seller Rating Service, then this disclaimer applies. Customer understands that the achievement of Seller Ratings on Google is entirely dependent upon the receipt by Google of a required number of brand and/or location level reviews during a twelve month period that meet a minimum star rating threshold (subject to change at any time by at discretion of Google, but currently 100 reviews received within the prior 12 months with a composite rating of at least 3.5 stars). Company cannot warrant or promise that such thresholds can be met and/or that Seller Ratings will be achieved for any specific domain.
3.4 Disclaimers. To the maximum extent permitted by law and except for the express warranties in this section, the Services are provided “as is” and the Company specifically disclaims any and all warranties of any kind with respect to the subject matter of this agreement, whether express, implied, or statutory, including without limitation warranties of quality, performance, merchantability, or fitness for a particular purpose. Company does not warrant that the Services will meet Customer’s needs or be free from errors.
4. LIMITATION OF LIABILITY.
4.1 Limitation on Types of Damages. SUBJECT TO CLAUSE 4.3 AND WITHOUT PREJUDICE TO CLAUSE 4.2, IN NO EVENT SHALL EITHER PARTY EVER BE LIABLE TO THE OTHER UNDER OR IN CONNECTION WITH THIS AGREEMENT, WHETHER BASED ON A CLAIM OR ACTION OF CONTRACT, WARRANTY, NEGLIGENCE, STRICT LIABILITY, OR OTHER TORT, BREACH OF ANY STATUTORY DUTY, OR CLAIM FOR CONTRIBUTION, OR OTHERWISE, FOR ANY: (I) INDIRECT, SPECIAL, PUNITIVE, CONSEQUENTIAL, OR INCIDENTAL LOSS OR DAMAGES, OR (II) ANY LOST PROFITS, LOSS OF GOODWILL, LOSS OF OR CORRUPTION OF DATA, LOSS OF REVENUE, LOSS OF ANTICIPATED SAVINGS, OR LOSS OF BUSINESS (IN EACH CASE, WHETHER DIRECT OR INDIRECT), EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LIABILITY OR DAMAGE.
4.2 Limitation on Amount of Damages. Subject to clause 4.3, the Company’s maximum liability arising out of or in any way connected to this Agreement shall not exceed the fees paid by Customer to Company pursuant to the Agreement that is the subject of the claim during the twelve (12) months immediately preceding the claim.
4.3 Liability not Excluded or Limited. Nothing in this Agreement will in any way exclude or limit a party’s liability to the other party for losses or damages arising from: (i) death or personal injury caused by that party’s negligence; (ii) fraud or fraudulent misrepresentation; or (iii) any other matter for which it would be illegal to exclude or attempt to exclude or limit its liability.
5.1 Term of Engagement, Renewals and Price Adjustments. The Term of the Agreement shall be stated in the Order Form (the “Initial Term”). Unless otherwise stated in the Order Form, at the end of each term, the Agreement shall automatically renew for successive terms equal in duration to the Initial Term (each a “Renewal Term”) unless either party provides written notice to the other party of its election to terminate the Agreement at least thirty (30) days prior to the end of the then-current term. After the Initial Term, the fee for Services purchased shall be subject to an annual increase at a rate of seven (7%) percent per annum to be calculated at the time of renewal.
5.2 Termination for Breach. Either party may terminate this Agreement at any time upon written notice to the other if the other: (a) is in material or persistent breach of this Agreement and the breaching party fails to remedy the breach within thirty (30) days after receiving written notice identifying the material breach to be cured; or (b) is subject to an order or a resolution for its liquidation, administration, winding-up or dissolution (otherwise than for the purposes of a reconstruction), or has an administrative or other receiver, trustee, liquidator, administrator or similar officer appointed over all or any substantial part of its assets.
5.3 Effect of Termination. Upon termination: (a) all rights granted to Customer under this Agreement, including Customer’s license to use the Services, shall immediately cease; (b) the Company shall stop performing all Services; (c) Customer shall immediately pay any fees due through the date of termination and (d) each party, shall immediately, upon receipt of a written request from the other party, destroy or return all Confidential Information. Sections 4 through 9 shall survive any termination or expiration of this Agreement.
6. CONFIDENTIALITY, PRIVACY, DATA OWNERSHIP, and PUBLICITY
6.1 Definition of Confidential Information. As used herein, Confidential Information (“CI”) means all confidential information disclosed by a party (“Disclosing Party“) to the other party (“Receiving Party“), whether orally or in writing, that is designated as confidential or that reasonably should be understood as confidential given the nature of the information and the circumstances of disclosure. CI shall include, without limitation, technical product information, product designs, techniques, methods, or strategies used in connection with the Services, user names, passwords and other log-in information, Company pricing information, the specific terms of this Agreement, and all Customer Data. “Customer Data” means any personal data that is provided by Customer in the normal course of the Services. As between Company and Customer, all Customer Data is Customer’s property. Customer grants Company a non-exclusive, license to process, reproduce, display, copy, communicate, and otherwise use Customer Data solely to the extent necessary to perform its obligations under the Agreement. CI shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (iii) is received from a third party without breach of any obligation owed to the Disclosing Party; or (iv) was independently developed by the Receiving Party.
6.2 Protection of Confidential Information. The parties each agree to collect, store, and use all CI provided to it or obtained by it as a result of this Agreement, in a manner that: (i) protects the security, confidentiality and integrity of the CI; (ii) ensures against reasonably anticipated threats or hazards to the security or integrity of the CI; and (iii) protects against unauthorized access to or use of the CI that could result in harm or inconvenience to the other party. Each party shall use at least the same degree of care in protecting the CI as the party uses to protect its own CI of like kind (but in no event less than reasonable care). The parties agree that CI shall not be used for any purpose outside the scope of this Agreement and that neither party shall disclose any CI to any third party without the other party’s prior written consent other than to: (i) its legal counsel and accountants; (ii) to potential investors, lenders, purchasers of either party’s business, or underwriters in connection with their due diligence in future financings, acquisitions mergers or public offerings of either party; or (iii) as required by law.
6.5 Publicity. Customer hereby acknowledges and agrees that Company may use Customer’s name and logo for the purposes of identifying Customer as a Company customer.
7. SUPPORT AND SERVICE LEVEL AGREEMENTS
7.1 Provisioning. Tenant provisioning is included as part of your subscription, provisioning includes enabling all licensed products purchased in the order form.
7.2 Basic Training. The Company will provide basic product training to the Customer to enable them to use the purchased Services. The training will be provided via Reputation Help Center(help.reputation.com), a cloud-based resource for training videos and frequently asked questions. All training material will be available in English.
7.3 Maintenance. The Company shall maintain the SaaS reputation management platform and related modules (the “Platform”) as necessary to ensure the proper delivery of the Services. All licenses include bug fixes, patches and new version releases.
7.4 Platform Uptime. The Platform will be available to customer at least 99.9% of the time calculated on a monthly basis, excluding Scheduled Downtime. “Scheduled Downtime” means the downtime required by Reputation.com for upgrading or maintaining the Platform, provided that such scheduled downtime shall be performed after business hours (after 6:00 p.m. weekdays PST), in a manner designed to minimize service interruption and shall not take longer than four (4) hours per month. In most cases, scheduled maintenance and upgrades are seamless and will not disrupt service. For major releases and upgrades, there may be short periods of downtime. The Company will provide at least 24 hours’ notice of Schedule Downtime via in-platform notifications.
7.5 Customer Support. Technical Support is available by email via [email protected] Customer Support hours are from 9:00 a.m. and 5:30 p.m. GMT, Monday through Friday, except for Bank Holidays. All emails to customer support will be responded to within eight (8) business hours during support hours.
8. PROFESSIONAL SERVICES
8.1 Professional Services and Work for Hire. The Company does not provide any custom deliverables or services under this Agreement or any Pro Services agreement that would qualify as a work for hire.
8.2 Performance. The Company represents and warrants that the Pro Services will be provided in a professional and workmanlike manner consistent with the standards in the industry for similar services. All Pro Services will be performed remotely from the Company offices unless otherwise specified in writing.
9. ARBITRATION, FORUM AND GOVERNING LAW. Any dispute arising out of or in connection with this contract, including any question regarding its existence, validity or termination, shall be referred to and finally resolved by arbitration before the London Court of International Arbitration (“LCIA”) under the LCIA Rules, which Rules are deemed to be incorporated by reference into this clause. The arbitration shall be conducted by and submitted to a single arbitrator (“Arbitrator”). The final arbitration hearing shall take place in London, England, but the parties agree that all proceedings and hearings prior to the final hearing may be handled via telephone or video conference. This Agreement and any dispute arising out of or in connection with it or its subject matter, whether of a contractual or non-contractual nature shall be governed by and construed under the laws of England. Each party shall bear its own attorneys’ fees, cost and disbursements arising out of the arbitration, and shall pay an equal share of the fees and costs of the Arbitrator. Nothing in this clause will prevent either party from instigating legal proceedings to seek any interim or emergency measures, including the remedies of injunction, specific performance or other equitable relief in any court of competent jurisdiction.
10. GENERAL PROVISIONS
10.1 Notices. Except as otherwise specified in this Agreement, all notices, permissions and approvals hereunder shall be in writing and shall be deemed to have been given upon: (i) personal delivery; (ii) the second business day after mailing by overnight carrier; (iii) the first business day after sending by confirmed facsimile or email (provided email shall not be sufficient for notices of termination). All notices shall be sent to the addresses set forth in the applicable Order Form, which may be updated by written notice to the other party.
10.2 Product Modifications. The Company continues to innovate and develop its Services and reserves the right from time-to-time to make modifications to the Services and/or to particular components of the Services to improve the Services and/or to address market changes, including, but not limited to, making changes to the particular third party review, social media and/or business listing sites that the Services monitor and/or manage and are included within the Services. The Company does not warrant or promise that any specific third party review, social media and/or business-listing site will be included within the scope of the Services. Company will use commercially reasonable efforts to notify Customer of any material modifications to its Services.
10.3 Force Majeure. The Company shall be excused from performance hereunder to the extent that its performance is prevented, delayed or obstructed by causes beyond its reasonable control such as Internet outages, strikes, riots, insurrection, fires, floods, explosions, war, governmental action, labor conditions, earthquakes, and natural disasters.
10.4 Anti-bribery. Each party must: (a) comply with all applicable laws, statutes, regulations and codes relating to anti-bribery and anti-corruption including the UK’s Bribery Act 2010, the OECD Convention on Combating Bribery in International Business Transactions, and the Foreign Corrupt Practices Act of the United States (“Bribery Requirements”); (b) have in place and maintain an anti-bribery policy (“Bribery Policy”), or if none is in place as at the date of this Agreement, implement a Bribery Policy promptly following entry into this Agreement; (c) enforce compliance with the Bribery Requirements and the Bribery Policy where appropriate; and (d) promptly report to the other party any request or demand for any undue financial or other advantage of any kind received by it in connection with the performance of this Agreement to the extent permitted by applicable law. Each party must, if requested, provide the other party with any reasonable assistance, at the other party’s cost, to enable the other party to perform any activity required by any relevant government or agency in any relevant jurisdiction for the purpose of compliance with the Bribery Requirements.
10.5 Relationship of the Parties. The parties are independent contractors. The relationship between the parties shall not constitute a partnership, joint venture or agency. Neither party shall have the authority to make any statements, representations or commitments of any kind, or to take any action, which shall be binding on the other party, without the prior consent of such other party.
10.6 Third Parties. Nothing in this Agreement confers any right on any person (other than the parties) pursuant to the Contracts (Rights of Third Parties) Act 1999.
10.7 Amendment and Assignment. Any amendment, waiver or variation of this Agreement shall not be binding on the parties unless set out in writing and signed by or on behalf of each of the parties. Neither party shall assign this Agreement or any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party; provided that either party may, without consent, assign this to any purchaser of all or substantially all of its assets or equity or to any successor by way of merger, consolidation or similar transaction.
10.8 Entire Agreement. This Agreement, including all exhibits and addenda hereto, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. To the extent of any conflict or inconsistency between the provisions in the body of this Agreement and any exhibit or addendum executed by both parties, the terms of such exhibit or addendum shall prevail. Notwithstanding any language to the contrary therein, no terms or conditions stated in any document not executed by both parties (including any Customer purchase order) shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void. This Agreement may be executed in counterparts. Facsimile, .pdf. and electronic signatures shall all be binding.
REPUTATION.COM DATA PROCESSING ADDENDUM
(updated August 25, 2020)
This Data Processing Addendum (the “Addendum”) is incorporated into the Order Form and Terms of Service (the “Agreement”) and applies in respect of the provision of the Services to the Customer if the Customer is subject to the European Data Protection Laws and only to the extent the Customer is a Controller of Customer Personal Data (as defined below) that Company Processes on behalf of the Customer. This Addendum shall be effective for the term of the Agreement.
- For the purposes of the Addendum:
- “Customer Personal Data” means Personal Data submitted, stored, uploaded or otherwise provided by Customer through its use of the Services, in respect of which the Customer is the Controller, as further described under Section 3 of this Addendum;
- “EEA” means the European Economic Area;
- “European Data Protection Laws” means the GDPR together with any national implementing laws in any Member State of the EEA and, to the extent applicable, the UK Data Protection Act 2018, as amended, repealed, consolidated or replaced from time to time;
- “GDPR” means the General Data Protection Regulation (EU) 2016/679;
- “Personal Data”, “Data Subject”, “Data Protection Authority”, “Data Protection Impact Assessment”, “Process”, “Processor” and “Controller” will each have the meaning given to them in the European Data Protection Laws; and
- “Standard Contractual Clauses” means the agreement executed by and between the parties and attached hereto as Schedule 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
- Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
- Details Of The Processing
- Categories of Data Subjects. This Addendum applies to the Processing of Customer Personal Data relating to Customer’s customers or patients or prospects and other end users, the extent of which is determined and controlled by Customer in its sole discretion.
- Types of Personal Data. Customer Personal Data includes the following types of Personal Data: names, title, position, contact information (including email addresses and phone numbers), purchase or services information, and other data, the extent of which is determined and controlled by Customer in its sole discretion.
- Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Company is the provision of the Services to the Customer. Customer Personal Data will be subject to those Processing activities which Company needs to perform in order to provide the Services pursuant to the Agreement.
- Purpose of the Processing. Customer Personal Data will be Processed by Company for purposes of providing the Services set out into the Agreement.
- Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 11 of this Addendum.
- Processing Of Customer Personal Data
- Each of the Customer and the Company will comply with their respective obligations under the European Data Protection Laws, to the extent applicable to the Processing of any Customer Personal Data in the context of the provision of the Services.
- Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with the Customer’s prior written instructions and for no other purpose. Company is hereby instructed to Process Customer Personal Data to the extent necessary to enable Company to provide the Services in accordance with the Agreement.
- If for any reason (including a change in applicable law) Company becomes unable to comply with any instructions of the Customer regarding the Processing of Customer Personal Data, Company will promptly:
- notify the Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and
- cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as the Customer issues new instructions with which Company is able to comply (and if this provision applies, Company will not be liable to the Customer under the Agreement in respect of any inability to perform the Services until such time as the Customer issues new instructions).
- As a part of providing the Services, Company may transfer, store and process Customer Personal Data in the United States, where Company’s parent Reputation.com, Inc. is established. In connection with the performance of the Agreement, the Standard Contractual Clauses as attached to this Addendum as Schedule 1 will apply to Customer Personal Data that is transferred outside the EEA and the UK, either directly or via onward transfer, to Reputation.com, Inc. in the United States.
- Company will ensure that any person whom Company authorises to Process Customer Personal Data on its behalf is subject to confidentiality obligations in respect of that Customer Personal Data.
- Security Measures
- Company will implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
- Appointment Of Subprocessors
- Customer authorises Company to appoint Subprocessors to perform specific services on Company’s behalf which may require such Subprocessors to process Customer Personal Data. A current list of the Company Subprocessors may be found at https://www.reputation.com/legal/subprocessors (“Subprocessor Page”). Customer acknowledges and agrees to the engagement of the third parties listed on the Subprocessor Page as Subprocessors in connection with the provision of the Services under this Agreement. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the sub-Processing by the Company for purposes of Clause 11 of the Standard Contractual Clauses.
Where Company engages a Subprocessor, Company will enter into a Data Processing Agreement with the Subprocessor that imposes on the Subprocessor at least the same level of protections that apply to Company under this DPA. Where a Subprocessor fails to fulfill its data protection obligations, Company will remain liable to the Customer for the performance of such Subprocessor’s obligations.
If the Company engages a Subprocessor in a country outside the EEA and the UK that is not recognized by the European Commission as providing an adequate level of protection for personal data, then Company shall, in advance of any transfer of personal data to Subprocessor, take steps to ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
- Notification of New Subprocessors. If the Company retains new Subprocessors other than the companies listed on the Subprocessor Page, the Company will notify the Customer by updating the Subprocessor Page and will give the Customer the opportunity to object to the engagement of the new Subrocessors within 30 days after being notified. The objection must be based on reasonable legal grounds. If the Company and Customer are unable to resolve such objection, then either party may terminate the Agreement by providing written notice to the other party. If a Customer terminates, then Customer shall receive a refund of any prepaid but unused fees for the period following the effective date of termination.
- For the purposes of this provision, the Company’s parent Reputation.com, Inc. based in the United States is deemed to have been authorised to Process Customer Personal Data
- Data Subject Rights
- Company will, at the Customer’s request and subject to the Customer paying all of Company’s fees at prevailing rates, and all expenses, provide the Customer with assistance necessary for the fulfilment of the Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights. Customer shall be solely responsible for responding to such requests.
- Security Breaches
- Company will:
- notify the Customer as soon as practicable after it becomes aware of any loss, compromise or any unauthorised access to, or breach of the security of, any Customer Personal Data; and
- at the Customer’s request and promptly provide the Customer with all reasonable assistance necessary to enable the Customer to notify relevant security breaches to the relevant Data Protection Authorities and/or affected Data Subjects.
- Data Protection Impact Assessment; Prior Consultation
- Company will, at the Customer’s request provide the Customer with reasonable assistance to facilitate:
- conducting Data Protection Impact Assessments if the Customer is required to do so under the European Data Protection Laws; and
- consultation with Data Protection Authorities, if the Customer is required to engage in consultation under the European Data Protection Laws,
in each case solely to the extent that such assistance is necessary and relates to the Processing by the Company of the Customer Personal Data, taking into account the nature of the Processing and the information available to the Processor.
- Return or Deletion of Customer Personal Data
- Company will permanently and securely delete (or, at the election of the Customer, return, in such format as Company may reasonably elect and subject to the Customer paying all of Company’s fees at prevailing rates, and all expenses, for transferring the Customer Personal Data to such format) all Customer Personal Data in the possession or control of Company or any of its sub-Processors, within 90 days after Company ceases to provide the Services, unless the applicable law of the EEA or EEA Member State or of the UK requires otherwise. Company will procure that its sub-Processors do likewise.
- The Company will, at Customer’s request provide the Customer with all information necessary to enable the Customer to demonstrate compliance with its obligations under the European Data Protection Laws, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Company shall immediately inform the Customer if, in its opinion, an instruction infringes the European Data Protection Laws
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation:
(the data exporter)
Name of the data importing organisation: Reputation.com, Inc. 1400A Seaport Blvd. Suite 401, Redwood City, CA 94063, Tel.: (877) 553-0616; e-mail: [email protected]
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law‘ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full): _______________________________________________
On behalf of the data importer: Reputation.com, Inc.
Name (written out in full): Christopher Sundermeier
Position: Chief Privacy Officer
Address: 1400A Seapport Blvd., Suite 401, Redwood City, CA 94063
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The data exporter is the entity identified as “Customer” in the Addendum.
The data importer is Reputation.com, Inc., Reputation.com UK Ltd’s parent in the United States.
The personal data transferred concern the following categories of data subjects (please specify):
- Data subjects are defined in Section 3 of the Addendum. The data subjects are: (i) the end customers of the Customer whose feedback will be solicited; and (ii) employees and agents of the Customer who may have access to the platform and have been issued log in credentials
Categories of data
The personal data transferred concern the following categories of data (please specify):
- Categories of personal data are defined in Section 3 of the Addendum. The categories of personal data are: (i) name, email address and/or phone number of the customers of the Customer whose feedback is solicited by way of a review request or survey; and (ii) names and log in informaiton for employees and agents of the Customer who may have access to the platform and have been issued log in credentials.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
- The processing activities defined in Section 3 of the Addendum and in the Agreement.
Name: Reputation.com, Inc.
Authorised Signature: _________________________________
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Reputation.com, Inc. Technical and Organizational Measures
(updated August 25, 2020)
Reputation.com and all of its affiliates place a very high importance on the security of its organization and all customer data. The following is an outline of the extensive Technical and Organizational Measures (“TOMs) that Reputation.com undertakes to protect its customers’ data and all personal data from unauthorized access or disclosure. More detailed information is available upon request
Compliance Program. Reputation.com is SOC2 Type II compliant as attested by a third-party auditor and is HIPAA compliant to ensure all customer PII and PHI are properly handled. Reputation.com will share the latest SOC2 Type II report and our HIPAA Business Associates Agreement upon request and under NDA.
Customer Data. The Company maintains stringent datastore specifications for all customer data and personal data. All customer data and personal data is encrypted at rest using the AES symmetric block cipher and data is encrypted in transit using TLS. The Company does not disclose or sell the data and personal data that you provide to Reputation.com about your customers. The Company does not use the data you provide us about your customers only to provide your services and for no other purpose.
Platform Secure. The Company’s proprietary SaaS reputation management platform and all customer data are maintained on secure servers at Google Cloud Services in the United States. The Google cloud infrastructure has been designed and is managed in alignment with key security and best practices, including, but not limited to: ISO 27001, SOC 1/SSAE 16/ISAE 3402(formerly SAS70); SOC 2, SOC 3, PCI DSS Level 1, FedRAMP(SM), DIACAP, FISMA, ITAR, FIPS 140-2, CSA, and MPAA.
Personal Data is Encrypted at Rest. Personal Data is encrypted in the Reputation Management Platform using Advanced Encryptions Standard (AES) algorithms.
Data in Transit is encrypted. Data in Transit is enforced encrypted via TLS 1.2 cryptographic protocol.
Password Security. The Company securely encrypts passwords. Passwords are one-way encrypted using the bcrypt algorithm, with a random salt for each password. This means that only the original creator of the password knows its value. When passwords must be retrieved, public/private key encryption is used, with a key length of 4096 or greater. Access and retention of passwords are strongly controlled and logged. Password policy with a minimum of 8 characters with at least 1 upper, 1 lower, 1 numeric and 1 special character is required.
Penetration Testing. Penetration tests are conducted by an independent third-party assessor at least annually. Reputation.com will share the latest Penetration Test report upon request and under NDA.
No Sensitive Information Collected or Stored. The Company does not collect or store sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. We also do not collect or store personal financial data, Social Security Numbers, National Insurance numbers, government-issued ID numbers.
Access Control. Reputation.com subscribes to least privilege access as a part of our access control and conducts quarterly audits of our accounts to validate this control. Physical access to Reputation.com locations is controlled by card access readers, monitored by security cameras and all guest access is logged and monitored.
Business Continuity and Disaster Recovery We have a full Business Continuity Plan as well as a Disaster Recovery Plan. We maintain separate regions in our public cloud that are used for the purpose of disaster recovery with a full synchronization of platform data baked in. In addition, we maintain separate instances of our proprietary reputation management t platform in the United States and the European Union to ensure compliance with the General Data Protection Regulation (‘GDPR’). With this separation, no personal data will ever leave the geographical region a customer has been assigned per their contract.
Penetration Testing. Penetration tests are conducted by an independent third-party assessor at least annually..
Threat Protection. The Company deploys the latest in threat detection/threat protection and monitors its infrastructure and application on a continuous basis for anomalous behavior and attacks. Additionally, the Company has built security into the SDLC and perform Application Security Testing on its code.
Security Breach Reporting. The Company has a formal Incident Response Plan which is maintained and reviewed on an annual basis. The Company has a process in place to quickly notify Customer of any security incidents involving personal data when a material incident is confirmed. The Company will provide Customer with reasonable assistance necessary to help meet GDPR obligations.
Security Awareness Training. All employees undergo training on security in the workplace as well as HIPAA training. Awareness education on security and data privacy topics are provided to employees on an ongoing basis. Employees must also renew the completion of Security Awareness training modules annually as well as adhere to our information security policies including our Information Security Policy as well as our Data Security Policy and Customer Confidentiality Policy.
Background Checks. All offers of employment at Reputation.com are contingent on the completion of a background screening and reference check. Employees and contractors must sign a confidentiality agreement and an agreement to abide by Company security policies and procedures.
Customer Personal Data Deletion Practices. Customer Personal Data is securely stored in the Platform only. Customer Personal Data is stored only for the duration of the Customer’s engagement with the Company. The Company permanently and securely deletes all Customer Personal Data in the possession or control of Company or any of its sub-processors, provided that Company has no legal obligation to maintain the Customer Personal Data, within 90 days after (i) Company ceases to provide the Services to Customer or (ii) the Customer has instructed the Company to delete any Customer Personal Data. Company shall also procure that its sub-Processors do likewise.