CalcAir Employee Benefits Systems

If these General Terms and Conditions (“GTCs”) are incorporated by reference into an Order Form or Statement of Work, then these GTCs are binding as of the date the Order Form or Statement of Work takes effect (the “Effective Date”) between the customer identified on the Order Form or Statement of Work in which these GTCs are referenced (the “Customer”), and CalcAir Employee Benefit Systems Inc. (the “Supplier”), each of whom may be referred to herein as a “Party” and collectively as the “Parties.”

If these GTCs are presented electronically independent of an Order Form or SOW, then By clicking on the “I Accept” button, or by taking similar action which indicates assent to these GTCs (“acceptance”), these GTCs become binding on the date of acceptance (the “effective date”) between Supplier and (1) the legal entity on whose behalf the individual is accepting these GTCs in their capacity as an authorized representative of that legal entity, or (2) in the event the individual accepting these GTCs is a sole proprietor, then that individual (in either case, the “Customer”). Upon Acceptance of these GTCs, Customer (a) acknowledges that they have read and understand these GTCs; (b) represents and warrants that the individual who Accepts these GTCs has the right, power, and authority to enter into these GTCs on behalf of Customer and can bind Customer hereto; and (c) agrees that Customer is legally bound by its terms. If Customer does not agree to these GTCs, the individual shall not accept these GTCs, and Customer may not access or use the Products.

DEFINITIONS.
Capitalized terms not otherwise defined in the Agreement have the meaning ascribed to them below:
1. “Affiliate” means any entity that now or hereafter (i) directly or indirectly owns or controls, is owned or controlled by, or is under common ownership or control with a given Party, and (ii), for Supplier, is under common management with Supplier.
2. “Agreement” means these GTCs, including any appendices attached hereto, as they exist on the date that they are incorporated into any fully executed Order Form or SOW, by reference or otherwise, and as these GTCs may be modified in accordance with Section 15(g), together with the additional terms and conditions set forth in any Order Form, SOW, or addenda which incorporates the GTCs by reference.
3. “Authorized User” means those individuals who are authorized by Customer to access and use the Software or Cloud Services, including any third parties that are authorized pursuant to Section 2(a)(iv) below, subject to the limitations and obligations of Customer under the Agreement. An individual cannot be an Authorized User if that individual, or class of individuals to which it belongs, is otherwise ineligible per the terms of the Agreement.
4. “Cloud Services” means any on-demand, subscription-based solution or technology enabled service that is hosted, supported, and operated by Supplier and provided to Customer pursuant to an Order Form, along with and as further described in any related Documentation, Embedded Third-Party Content, and Supplier Materials necessary for Customer to make use of the Cloud Services in accordance with the terms of the Agreement. Cloud Services does not include Third-Party Content.
5. “Customer Data” means all information, data, and other content that is provided by Customer or its Authorized Users to Supplier, or Supplier’s Affiliates or Personnel, through Customer’s or its Authorized Users’ use of the Software and Cloud Services, as well as all information, data, and other content created specifically for Customer as a result of processing the same through the Software and Cloud Services, but only to the extent that any such information, data, and other content does not contain any Supplier Materials. Customer Data includes Personal Information to the extent that Personal Information is provided to Supplier by Customer or collected by Supplier on behalf of the Customer.
6. “Documentation” means the technical and functional documentation that Supplier distributes in connection with its Products, as revised by Supplier from time to time, and which may include end user manuals, operation instructions, installation guides, release notes, and on-line help files regarding the use of the Products.
7. “End User” means those individuals that are not Customer Personnel who are either authorized by Customer to access the Products or whose personal data is otherwise shared with Supplier by Customer.
8. “Hardware” means the equipment, hardware, and accessories supplied or sold by Supplier pursuant to an Order Form.
9. “Hosting Services” means any service or combination of services provided by Supplier, either directly or through a third-party, that host Customer Data or applications, which may be Products, third-party applications, or otherwise. Hosting Services do not include any of the same which are procured by Customer directly from a third-party.
10. “IP Rights” means any and all registered and unregistered rights granted, applied for, or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection, design rights, or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.
11. “Marks” means a Party’s logos, tradenames, trademarks, service marks, design marks, word marks, and trade dress, whether registered or otherwise.
12. “Order Form” means an ordering document, quotation, or online order entered into by the Parties, which (i) incorporates these GTCs by reference or otherwise, and (ii) specifies the Products to be provided pursuant to the Agreement.
13. “Personal Information” means any information that: (i) relates to an identifiable individual and identifies or can be used to identify that individual, directly or indirectly, either alone or in combination with other personal or identifying information that is or can be associated with that specific individual; or (ii) the applicable data privacy laws otherwise define as protected personal information.
14. “Personnel” means any employee, director, officer, or subcontractor for a given Party or that Party’s Affiliate.
15. “Products” means, collectively, the Cloud Services, Software, Services, and Hardware.
16. “Professional Services” means the implementation, integration, configuration, training, and other professional services performed by Supplier as described in an Order Form or SOW.
17. “Pro Rata Refund” means a refund of the amounts pre-paid to Supplier by Customer for the portion of a Product, or any related costs or expenses, that will not be provided or consumed by Supplier as of the date that Customer is entitled to receive any such refund, calculated (i) for any subscription-based Fees, based on the number of whole months that remain on the portion of the Term (as hereinafter defined) to which the pre-paid Fees applied, (ii) for any fixed Fees, based on the amount that can be reasonably attributed to the portion of the Product that was pre-paid but not delivered, and (iii) for any costs or expenses, a refund of the amounts pre-paid by Customer for anticipated costs or expenses which were not actually incurred by Supplier as of the date that Customer is entitled to receive any such refund.
18. “Services” means, collectively, the Professional Services, Support Services, and Hosting Services.
19. “Software” means the object code version of a computer program that is developed by or for Supplier and/or one of its Affiliates, and delivered to Customer pursuant to an Order Form, along with and as further described in any related Documentation, Embedded Third-Party Content, Updates made available to Customer via Support Services, and Supplier Materials necessary for Customer to make use of the Software in accordance with the terms of the Agreement. Software does not include Third-Party Content.
20. “Statement of Work” or “SOW” means a written document, entered into by the Parties, which (i) incorporates these GTCs by reference or otherwise, and (ii) describes the Professional Services to be performed by Supplier pursuant to the Agreement.
21. “Supplier Materials” means any and all information, data, documents, materials, works, content, methods, processes, technical or functional descriptions, database structures, requirements, plans, reports, devices, hardware, software, websites, technologies, and inventions that are developed, provided, or used by Supplier or its Personnel in connection with the Products, or otherwise comprise or relate to the Supplier Materials include Usage Data and Deliverables, but do not include Customer Data or Third-Party Content.
22. “Support Services” means Supplier’s standard and premium customer support services and maintenance that are provided to Customer by Supplier in support of its Products pursuant to the Agreement.
23. “Territory” means the geographic area in which Customer is permitted to use the Products, as may be specified in an Order Form, or if no such geographic area is specified in an Order Form, then Territory means the country where Supplier is domiciled.
24. “Update” means any update, upgrade, release, or other adaptation or modification of the Software, including any updated Documentation, that Supplier may provide to Customer from time to time during the Term, which may contain, among other things, error corrections, enhancements, improvements, or other changes to the user interface, functionality, compatibility, capabilities, performance, efficiency, or quality of the Software.
25. “Usage Data” means data created by Supplier or its Products utilizing information derived from Customer’s use of the Products, including, but not limited to, any End User profile, visit, session, impression, clickthrough or clickstream data, and any statistical or other analysis, information, or data based on or derived from any of the foregoing. The aforementioned data shall be deidentified to the extent that it contains attributes that can be used to identify a natural person.
26. “Usage Metric” means the standard of measurement and quantity for determining the permitted use or calculating the Fees due for the Products.
Usage Rights; License
1. Rights Granted & Permitted Use.
  1. Cloud Services. Subject to and conditioned on Customer’s and its Authorized Users’ compliance with the terms and conditions of the Agreement, including but not limited to payment of any Fees set forth on the applicable Order Form, Supplier hereby grants to Customer a limited, non-exclusive, non-transferable (except in compliance with Section 12) right to access and use the Cloud Services set forth in the applicable Order Form, during the Term, solely for use by Authorized Users in the Territory, in a manner that does not exceed the Usage Metrics and any other restrictions or limitations stated in an Order Form, for use in connection with its internal business purposes. All rights not expressly granted to Customer hereunder are reserved by Supplier. Customer acknowledges that internal controls in the Cloud Services do not necessarily restrict usage and deployment of the Cloud Services to comply with the Usage Metrics set forth in an Order Form. Customer is responsible for its Authorized Users’ compliance with the Agreement and shall be liable to Supplier for the actions of its Authorized Users.
  2. Software. Subject to and conditioned on Customer’s and its Authorized Users’ compliance with the terms and conditions of the Agreement, including but not limited to payment of any Fees set forth on the applicable Order Form, Supplier hereby grants to Customer, for use in connection with its internal business purposesa limited, non-exclusive, non-transferable (except in compliance with Section 12) license to use the compiled or object-code version (not source code) of the Software set forth in the applicable Order Form, during the Term, solely for use by Authorized Users in the Territory and in a manner that does not exceed the Usage Metrics and any other restrictions or limitations stated in an Order Form. All duplication and reproduction of the Software is expressly prohibited without Supplier’s prior written authorization. All rights not expressly granted to Customer hereunder are reserved by Supplier. Customer acknowledges that the Software may require activation by way of an activation key on initial installation and from time to time based on certain events, including, without limitation, Updates and changes to hardware on which the Software is installed. Customer acknowledges that the activation keys and internal controls in the Software do not necessarily restrict usage and deployment of the Software to comply with the Usage Metrics set forth in an Order Form. For any Software that is installed on Customer’s infrastructure, including any cloud infrastructure that is managed or controlled by Customer, Customer is responsible for securing access to the Software and Customer’s infrastructure. Any guidance provided by Supplier Personnel with respect to the security of the Software or Customer’ infrastructure is for informational purposes only, unless any such guidance is explicitly defined in the scope of an SOW.
  3. Product Specific Terms. To the extent an Order Form or these GTCs incorporate any appendices, addenda, or other supplementary terms which set out terms and conditions that apply only to specific Products (“Product Specific Terms” or “PSTs”), any such PSTs shall apply only to the extent that a Product that is listed in the PSTs is purchased by Customer.
  4. Third-Party Authorized Users.
    1. Affiliate Use. Customer shall not authorize its Affiliates to use the Software or Cloud Services except as and to the extent specified in an Order Form. Any authorized use of the Software or Cloud Services by Customer Affiliates is subject to the following: (i) Customer warrants that it has the authority to, and by executing an Order Form with permitted Affiliate use does, bind Affiliates and their Authorized Users to the terms of the Agreement, including, where reasonably appropriate, those terms that do not expressly identify Affiliates as obligors; (ii) Customer must be appropriately licensed for any and all increased usage of the Software or Cloud Services attributable to Affiliates and their Authorized Users; (iii) Customer and Affiliates shall remain jointly and severally liable to Supplier for its Affiliates’ and their Authorized Users’ use of the Software or Cloud Services; (iv) a breach of the Agreement terms by an Affiliate or its Authorized Users shall be considered a breach by Customer hereunder; and (v) use by any Affiliate that is in market competition with Supplier is prohibited. The Affiliate use rights set forth herein may only be exercised pursuant to a valid Order Form executed by Customer for only as long as that Order Form is in effect. In instances where Supplier has permitted Affiliate use of the Software or Cloud Services, Customer must request additional prior written approval to expand any such Affiliate use beyond the originally defined Territory.
    2. Service Provider Use. Customer may authorize its third-party service providers and contractors (collectively “Service Providers”) to use the Software or Cloud Services, but only to the extent necessary for Customer to make use of the Software or Cloud Services as intended by and in accordance with the Agreement. Any authorized use of the Software or Cloud Services by Service Providers is subject to the following: (i) these rights will continue only while Customer and Service Providers have in place a written agreement that gives Customer the authority to compel any such Service Providers’ compliance with terms that are not materially different than those portions of the Agreement that govern the use of the Software and Cloud Services, including without limitation license grants and restrictions, and non-disclosure of Supplier Confidential Information; (ii) Customer must be appropriately licensed for any and all increased usage of the Software or Cloud Services attributable to Service Providers; (iii) Customer shall remain jointly and severally liable to Supplier for its Service Providers’ use of the Software or Cloud Services; (iv) a breach of the Agreement terms by a Service Provider shall be considered a breach by Customer hereunder; and (v) under no circumstances may Service Providers use the Software or Cloud Services to operate or provide services to any other party, or in connection with Service Providers’ own business operations.
2. Restrictions. Customer shall not, and shall not permit any other person to, use the Products to prepare employee benefit plan documents for which it does not also provide ongoing administrative, consulting, or counseling services (beyond preparation of the plan document). Customer shall not, and shall not permit any other person to, access or use the Software or Cloud Services except as expressly permitted by the Agreement. For purposes of clarity and without limiting the generality of the foregoing, Customer shall not, except as the Agreement expressly permits: (i) subject to any non-waivable rights Customer may enjoy under applicable law, decompile, disassemble, reverse engineer, or otherwise attempt to derive the Software’s or Cloud Services’ source code; (ii) modify, alter, disable, enhance, change the data structures for, or create derivative works from, the Software or Cloud Services, (iii) rent, lease, sell, sublicense or otherwise transfer the Software or Cloud Services to third parties; (iv) make the Software or Cloud Services available in any form to any person other than Authorized Users who require such access; (v) input, upload, transmit, or otherwise provide to or through the Software or Cloud Services, any information or materials that are unlawful or injurious, or contain, transmit, or activate any virus, worm, malware, ransomware, or other malicious computer code (“Harmful Code”); (vi) access or use the Software or Cloud Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any IP Rights or other right of any third party, or that violates any applicable law; (vii) access or use the Software or Cloud Services for purposes of competitive analysis of the Software or Cloud Services or to develop competing products; (viii) access or use the Software or Cloud Services to distribute (or facilitate the distribution of) Customer Data that contains, or links to, material that could be considered unlawful, harmful, threatening, defamatory, obscene, harassing, or is otherwise objectionable to Supplier; and (ix) access or use the Software or Cloud Services to facilitate spam, excessive or unlawfully sourced data transfers, or engage in activity that results in spam warnings from industry spam monitors. In the event that Customer becomes aware of any access or use of the Software or Cloud Services in a manner that is not permitted by the Agreement, Customer shall notify Supplier and make best efforts to stop or mitigate the non-permitted use.
3. Software Updates. Supplier may provide Updates to the Software and Documentation in its sole discretion; provided, however, that notwithstanding the foregoing, Supplier shall use commercially reasonable efforts to provide Updates as necessary for the Products to materially comply with any changes to applicable law, rules, and regulations. Customer agrees to install all Updates to the Software made available by Supplier within ninety (90) days following such availability. If Customer fails to install any such Update, Supplier reserves the right to suspend all implementation, training, and Support Services until Customer installs such Update. Support Services for Software that has not been updated within ninety (90) days following the availability of such Update may be subject to additional Support Services Fees. Supplier is not liable to Customer for any damages that result from, or could have been avoided but for, Customer’s failure to install Updates. Updates are provided at no additional cost to only those Customers that are current on their Support Services Fees. Supplier may offer to Customer for license, either under or separately from the Agreement, programs which provide new functionality or materially expand the function of the Software (“New Products”). New Products are not Updates and may be subject to additional Fees. Supplier shall, in its sole discretion, resolve any ambiguity with regard to whether any given program is an Update or a New Product. For the avoidance of doubt, new functionality or materially expanded functions required due to changes in applicable law, rules, and regulations may be subject to additional Fees.
4. Changes. Supplier reserves the right, in its sole discretion, to make any changes to the Software or Cloud Services it deems necessary or useful to: (i) maintain or enhance: (A) the quality or delivery of Supplier’s services to its customers; (B) the competitive strength of or market for Supplier’s Products; or (C) the cost efficiency or performance of the Software or Cloud Services; or (ii) to comply with applicable law.
5. Evaluation Licenses. During the Term, Supplier may provide Software or Cloud Services to Customer on a free trial or evaluation basis (an “Evaluation License”), as indicated either in (i) an Order Form, or (ii) some other communication to Customer which incorporates these GTCs by Reference, in which case the Customer’s use of the Evaluation License shall be deemed acceptance of these GTCs. Evaluation Licenses are subject to the terms and conditions of the Agreement, except, notwithstanding any other provision in the Agreement, all Evaluation Licenses are provided by supplier AS IS without ANY indemnification, support, or warranty of any kind, and without any liability to customer WHATSOEVER OR ANY LIMITATIONS ON CUSTOMER’S LIABILITY TO SUPPLIER. At the end of the Evaluation License Term, the Evaluation License will convert to a prospective twelve (12) month Initial Term for the Software or Cloud Services, subject to the same Usage Metrics allotted during the Evaluation License and at Supplier’s then-current list Fees for the Software or Cloud Services, which shall be invoiced immediately, unless, prior to the end of the Evaluation Term, Customer either enters into a different arrangement with Supplier, as memorialized in an Order Form, or notifies Supplier of its intent to opt out of any such Evaluation License conversion.
Services
1. Support Services.
  1. Subject to the terms and conditions set forth in the Agreement, Supplier, through its Personnel, will provide the Support Services set forth in an Order Form. The Support Services shall also be provided as specified in the applicable Documentation, subject to any other terms and conditions set forth in the applicable Order Form. Customer acknowledges and agrees that Support Services are intended to address specific problems experienced by Customer relating to the Software or Cloud Services and are not intended to train Customer’s employees or to support third party products. Updates are included as part of the Support Services.
  2. Supplier shall not be obligated to provide Support Services to the extent a particular request for Support Services arises from any of the following conditions: (A) Customer’s failure to use the Software or Cloud Services in accordance with the terms and conditions of the Agreement, including but not limited to any applicable Documentation; (B) Customer’s modification or alteration of the Software or Cloud Services, except where expressly permitted by Supplier; (C) Customer’s use of any third party components to interface with the Software or Cloud Services, whether by Application Programming Interface (“API”) or otherwise, without the express prior written consent of Supplier; (D) Customer’s failure to maintain any equipment on which the Software is operated in accordance with the Documentation or other commercially reasonable standards; (E) Customer’s failure to implement all available Updates and any updates to third party programs that are necessary for the proper operation of the Software; and (F) Customer’s failure to provide reasonable access to its systems as Supplier deems necessary to provide the Support Services, including, but not limited to, by way of telecommunications, internet or other remote access to the server environment in which the Software All time and materials expended by Supplier resulting from Customer’s breach of such conditions shall be billed to Customer at Supplier’s standard time and materials rates. Support provided pursuant to this Section relates to the Software and Cloud Services only. Unless, and only to the extent that, Supplier and Customer have expressly agreed for Supplier to provide hardware support pursuant to the Order Form, should the problems that arise be the result of hardware malfunction or misconfiguration, Supplier will advise Customer to have the hardware/network repaired. Support resulting from such hardware/network problems will be billed to Customer at Supplier’s then-current hourly rates.
  3. On at least one hundred twenty (120) days prior written notice to Customer, Supplier may declare any Software or Hardware, or any particular version or component of any Software or Hardware, “End of Life.” Upon an End-of-Life declaration, Supplier may, in its sole discretion, either decline to offer End of Life Support Services or continue offering End of Life Support Services on a limited basis. Supplier reserves the right to charge additional Fees for any End-of-Life Support Services and offer any length of term that it sees fit. Notwithstanding any other provision in the Agreement, all End of Life Products are provided by supplier AS IS without ANY indemnification or warranty of any kind, and without any liability to customer WHATSOEVER OR ANY LIMITATIONS ON CUSTOMER’S LIABILITY TO SUPPLIER.
2. Professional Services.
  1. Scope. Supplier, through its Personnel, will provide the Professional Services to Customer as specified in an Order Form or SOW, subject to the terms of the Agreement.
  2. Project Change Requests. Either Party may request a modification to any material provision of the SOW by submitting a Project Change Request (“PCR”). Upon receipt of a PCR, Supplier will determine whether such modifications are in its sole discretion commercially feasible and, if so, estimate its financial and schedule impacts, if any. The Parties will review these estimates to determine whether the PCR would be mutually acceptable. Supplier may not unreasonably refuse to accept a PCR initiated by Customer, if Customer agrees to bear the pricing and schedule impacts. If the Parties agree on the PCR, the Parties will execute the PCR. If the Parties are unable to agree within five (5) business days after the PCR is submitted, then the submitting Party may either withdraw the PCR or terminate the SOW for convenience; provided that in the event that any such SOW is terminated for convenience, Customer shall remain obligated to pay any Fees for Professional Services that were provided prior to the effective date of any such termination for convenience. Additional services that are required as a result of Customer’s action, inaction or failure to meet its obligations, including delays or wait time caused by issues related to hardware or software not provided by Supplier, shall be billable to Customer and will be invoiced at Supplier’s then-current
  3. Deliverables and Acceptance. As part of the Professional Services, some SOWs may specify particular “Deliverables” which shall mean all documents, work product, and other materials, expressly identified as Deliverables in an SOW, that are prepared by or on behalf of Supplier specifically for Customer. Supplier hereby grants to Customer a nonexclusive, irrevocable, transferrable, sublicensable, perpetual license to use any such Deliverable to the extent necessary for Customer to make use of the Deliverable for its own internal business purposes. For the sake of clarity, the aforementioned license does not (A) apply to any custom programming services for new software development or software modifications, which, as stated in Section 3(b)(v) below, are Supplier Materials, or (B) permit the use of any underlying Supplier Materials contained in a given Deliverable independent of the Deliverable as a whole. If Customer reasonably believes that Supplier did not perform the Deliverables in material conformance with the SOW, Customer will notify Supplier, in writing, within ten (10) business days of delivery of the Deliverable (the “Acceptance Period”). Customer’s notice must specifically identify and explain each alleged non-conformance. For those Deliverables that do not conform to the SOW, Supplier will use commercially reasonable efforts to correct the non-conformity at no cost to Customer. If Supplier does not receive Customer’s acceptance or rejection within the Acceptance Period, the Deliverables will be deemed accepted by Customer.
  4. Personnel. Supplier will determine the Supplier Personnel assigned to perform the Professional Services. Supplier shall remain fully responsible for the performance of all Supplier Personnel and for their compliance with all of the terms and conditions of the Agreement, regardless of whether the Supplier Personnel in question is an employee of Supplier or otherwise. Nothing contained in the Agreement shall create any contractual relationship between Customer and any Supplier Personnel. Should Customer require rescheduling of booked Professional Services, Supplier will make commercially reasonable efforts to accommodate Customer’s request, which may be subject to additional cost to Customer.
  5. Custom Development and Enhancement Requests. Any programming services for new software development or software modifications are Professional Services and shall be provided to the Customer as set forth in an SOW. At a minimum, the Fees, payment terms and delivery schedules related to such work shall be as outlined in such SOW. Customer acknowledges that Supplier is not a contract development organization, but rather Supplier is a software developer that licenses its Software and Cloud Services within specified industries. As such, Customer further acknowledges that the Software and Cloud Services are a major and valuable asset of Supplier’s business and, as such, Supplier shall have complete control of the design and development of the Software and Cloud Services. Therefore, Supplier has the right, and sole discretion, to reject any request for enhancement or modification to the Software or Cloud Services by Should Customer require modification of any aspect of the Software or Cloud Services, any such customization work shall be contracted for separately at Supplier’s then-current rates. Any custom developments or enhancements to the Software or Cloud Services shall become Supplier Materials.
3. Hosting Services. Hosting Services are subject to the Agreement and shall be provided in accordance with the Hosting Services Addendum attached to an Order Form for Hosting Services.
Payment
1. Fees. Customer will pay all fees for Products as set out in an Order Form or SOW (the “Fees”) in accordance with the Agreement and any additional terms set out in, and in the currency specified in, an Order Form or SOW. Except as otherwise expressly permitted by the Agreement, payment obligations are non-cancellable and Fees paid are non-refundable. Fees shall remain fixed for the Initial Term, unless (i) Customer requests an increase in Usage Metrics, Product upgrades, or new Products, or (ii) Customer otherwise agrees to Fee fluctuations in an Order Form. Quantities purchased cannot be decreased during any given Initial Term or Renewal Term. Supplier may adjust the Fees prior to the start of any Renewal Term, provided that Fee adjustments shall be no more frequent than once each year. Supplier reserves the right to impose additional per-plan fees associated with performing its responsibilities to collect, maintain, and report plan sponsorship data and/or communicate with adopting plan sponsors under applicable regulations.
2. Expenses. All travel and expenses necessitated by the provision of any Product by Supplier hereunder will be reimbursed by Customer to Supplier, provided that the necessity of such travel and expenses is generally agreed to by the Parties. The Parties may, but are not required, to document any such agreement in the form of a travel or expense budget in an Order Form or SOW.
3. Invoicing and Payment. Fees will be invoiced as set forth in the Order Form or SOW. Unless otherwise set forth on an Order Form or SOW, all invoices are due within twenty-five (25) days of receipt by Customer, with no right to set-off, and overdue accounts will be subject to interest at a rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and may also be subject to any collection costs actually incurred by Supplier, including reasonable attorneys’ fees, court costs, and collection agency fees. If Supplier offers to accept payment by Credit Card, as indicated in an invoice, Order Form, or SOW, then Customer hereby authorizes Supplier to use a third party to process payments in accordance with the schedule and/or frequency set forth in an invoice, Order Form, or SOW, and consents to the disclosure of Customer payment information to such third party.
4. Taxes. Each Party will be responsible, as required under applicable law, for identifying and paying all taxes and other governmental fees and charges (and any penalties, interest, and other additions thereto) that are imposed on that Party upon or with respect to the transactions and payments under the Agreement. All Fees payable by Customer are exclusive of taxes or duties that Supplier is required to collect and pay on Customer’s behalf, including, without limitation, VAT, Service Tax, GST, HST, QST, excise taxes, sales and transactions, and gross receipts tax (“Indirect Taxes”), except where applicable law requires otherwise. Supplier may charge and Customer will pay applicable Indirect Taxes that Supplier is legally obligated or authorized to collect from Customer. Customer will provide such information to Supplier as reasonably required to determine whether Supplier is obligated to collect Indirect Taxes from Customer. Supplier will not collect, and Customer will not pay, any Indirect Tax for which Customer furnishes Supplier a properly completed exemption certificate or a direct payment permit certificate for which Supplier may claim an available exemption from such Indirect Tax, which must be provided to Supplier at least five (5) business days prior to the due date of the applicable Supplier invoice. All payments made by Customer to Supplier under the Agreement will be made free and clear of any deduction or withholding, as may be required by law. If any such deduction or withholding (including but not limited to cross-border withholding taxes) is required on any payment, Customer will pay such additional amounts as are necessary so that the net amount received by Supplier is equal to the amount then due and payable under the Order Form or SOW. Supplier will provide Customer with such tax forms as are reasonably requested in order to reduce or eliminate the amount of any withholding or deduction for taxes in respect of payments made under the Agreement. If Supplier pays any costs or expenses incurred in relation to any import duties, customs, formalities, permissions or other requirements, then Customer shall promptly reimburse Supplier for all such amounts in
5. Disputes. Any invoice disputes must be initiated by Customer in good faith and in writing within thirty (30) days following the date of the applicable invoice, after which time the invoice shall be deemed to be accepted by If Customer initiates a dispute with regard to a particular invoice, any undisputed amounts charged on such invoice will continue to be due and payable. Supplier and Customer agree to use reasonable efforts to address and attempt to resolve any invoice dispute within thirty (30) days after Supplier’s receipt of Customer’s notice to Supplier regarding such dispute.
Third party content
1. Third parties, or Supplier on behalf of third parties, may make available to Customer software, APIs, documents, data, content, specifications, products, equipment, components, websites, advertisements, or professional services licensed by third parties that are (i) interoperable with or accessible through the Software or Cloud Services, and (ii) not embedded in or inseparable from the Software and Cloud Services (“Third-Party Content”) for use in conjunction with or support of the Software or Cloud Services. Except as otherwise specified in an Order Form or SOW, Supplier shall have no responsibility for the licensing, implementation, or operation of Third-Party Content, and in any case Supplier is not liable to Customer for any loss, costs, or damages that arise from a Third-Party Content provider’s actions or inactions, including but not limited to, any disclosure, transfer, modification, or deletion of Customer Data.
2. Third-Party Content does not include any third-party software, libraries, or code that (i) are embedded in or form an inseparable part of the Software or Cloud Services, and (ii) have been licensed by Supplier for use in Software or Cloud Services (“Embedded Third-Party Content”). Customer agrees to comply with any additional terms and conditions which are flowed down from Embedded Third-Party Content providers, as further specified in the applicable PSTs. To the extent that Embedded Third-Party Content is open-source software, any such open-source software is made available under the applicable open-source licenses. The Embedded Third-Party Content, including any improvements, enhancements, updates, or upgrades thereto, are, and at all times will remain, the sole and exclusive property of the Embedded Third-Party Content provider or its licensors.
Intellectual Property
1. Ownership of Products and Supplier Materials. Subject to any rights expressly granted by the Agreement, as between Supplier and Customer, Supplier retains all right, title, and interest, including but not limited to IP Rights, in the Products and Supplier Materials, including all enhancements and modifications thereto. Customer acknowledges and agrees that it is only licensing the right to use the Products and Supplier Materials and that no sale or other transfer of any title or ownership or any proprietary interest of any kind to such Products and Supplier Materials is contemplated hereunder, other than the grant of the limited licenses as expressly set forth herein. Customer covenants, on behalf of itself and its successors and assigns, not to assert against Supplier, its Affiliates, or licensors, any rights, or any claims of any rights, in any Products or Supplier Materials.
2. Ownership of Customer Data. Subject to any rights expressly granted by the Agreement, as between Supplier and Customer, Customer retains any and all right, title, and interest, including but not limited to IP Rights, in the Customer Data.
3. Consent to Use Customer Data. Customer grants to Supplier a non-exclusive, world-wide, royalty-free, fully paid up, perpetual and irrevocable license to access and use Customer Data as necessary for Supplier, its Affiliates, and their respective Personnel, to (i) enforce the Agreement, (ii) exercise their respective rights under the Agreement, and (iii) perform their respective obligations under the Agreement. Customer further grants to Supplier, and its Personnel working in an official capacity on behalf of Supplier, a non-exclusive, world-wide, royalty-free, fully paid up, irrevocable license to use Customer Data to create Usage Data. Usage Data, once created, shall become Supplier Materials. In the event that Usage Data, or any portion thereof, is ever deemed Customer Data, Customer shall grant to Supplier a nonexclusive, irrevocable, transferrable, sublicensable, perpetual license to use Customer Data to the extent necessary for Supplier to make use of any such Usage Data in any manner suitable to Supplier. Customer may grant to Supplier additional rights to use Customer Data as set forth in an Order Form. Supplier shall not use Customer Data except as permitted by this Section 6(c).
4. Customer Feedback. Supplier shall own all right, title, and interest to any suggestions, ideas, enhancement requests, feedback, recommendations, or other information provided by Customer to Supplier relating to the improvement of the Products (“Customer Feedback”). Supplier shall have no obligation to Customer with regard to the Customer Feedback. Customer shall have no obligation to provide Customer For the sake of clarity, Customer Feedback is not Customer Data.
5. Use of Marks. Subject to any rights expressly granted by the Agreement, each party retains all right, title, and interest in its Marks. Customer shall not use Supplier’s Marks without prior written consent.
Confidentiality; Data Privacy
1. Customer Responsibilities.
  1. Compliance with Applicable Laws. Customer will comply with all applicable anti-spam and data privacy laws as necessary for it to meet its obligations under the Agreement. Upon request by Supplier, Customer will provide reasonable assistance to Supplier in order for Supplier to meet Supplier’s obligations under any such laws that are applicable to Supplier. To the extent that any such assistance is necessary due to a breach of the Agreement by Customer, Customer shall bear the costs associated with any such assistance; otherwise, Supplier shall compensate Customer for any such assistance.
  2. Data Privacy and Security. Customer shall be responsible for securing all rights, consents and permissions to collect, use, and disclose to Supplier, or allow Supplier to collect, use, retain, and disclose, any Customer Data that Customer provides to Supplier or authorizes Supplier to collect in conjunction with the Agreement. As may be required by applicable law, Customer is responsible for disclosing to its Personnel, End Users, and other Authorized Users that Supplier may receive and process Customer Data pertaining to its Personnel, End Users, and other Authorized Users for the purposes permitted by the Agreement.
  3. Customer shall be responsible for (A) the integrity of the Customer Data, (B) the selection and implementation of controls to restrict access and use of the Software and Cloud Services to only Authorized Users, and (C) implementing all commercially reasonable measures to secure and protect the Customer Data from unauthorized access and loss, to the extent that it is possible for Customer to do so based on a given Product’s available features, functionality, configuration settings, or implementations methods. The responsibilities of Customer set forth in this Section 7(a) are not shared with Supplier unless, and only to the extent that, any such responsibilities are expressly borne by Supplier pursuant to the Agreement.
2. Supplier Responsibilities.
  1. Compliance with Applicable Laws. Supplier will comply with all applicable anti-spam and privacy laws as necessary for it to meet its obligations under the Agreement. Upon request by Customer, Supplier will provide reasonable assistance to Customer in order for Customer to meet Customer’s obligations under any such laws that are applicable to Customer. To the extent that any such assistance is necessary due to a breach of this Agreement by Supplier, Supplier shall bear the costs associated with any such assistance; otherwise, Customer shall compensate Supplier for any such assistance.
  2. Data Privacy and Security. Supplier’s Privacy Policy, located at www.calcairebs.com/privacy, describes the extent to which Supplier will collect, use, share, or otherwise process the Personal Information it will collect from Customer’s Personnel, End Users, and other Authorized Users, and further provides any opt-out mechanisms available to Customer’s Personnel, End Users, and other Authorized Users. Customer hereby acknowledges that it has read Supplier’s Privacy Policy and gives its consent for Supplier to collect, use, share, or otherwise process the Personal Information of Customer’s Personnel, End Users, and other Authorized Users in accordance with Supplier’s Privacy Policy. The Data Processing Agreement attached hereto as Schedule A is also hereby incorporated into the Agreement by this reference. The Privacy Agreement shall apply to the extent that Supplier processes any data that is governed by the Privacy Agreement, as determined in accordance with the terms of the Privacy Agreement. Supplier’s Privacy Policy and the Privacy Agreement may be updated by Supplier at any time as necessary to comply with changes to applicable law. The Privacy Agreements can be further amended pursuant to the amendment process set forth in Section 15(g) of these GTCs.
3. Mutual Nondisclosure Obligations.
  1. By virtue of the Agreement, the parties may have access to the other Party’s “Confidential Information”, which shall mean any information disclosed under the Agreement that (A) if tangible, is clearly marked as “Confidential” or with a similar designation; (B) if intangible, is identified as “Confidential” by discloser at the time of disclosure and confirmed in writing to recipient as being Confidential Information; or (C) from the relevant circumstances should reasonably be known by recipient to be confidential (e.g. pricing, non-public Personal Information, Products, etc.). Confidential Information does not include any portion of the information that recipient can prove (V) was rightfully known to recipient before receipt from discloser; (W) was generally known to the public on the date the Agreement takes effect; (X) becomes generally known to the public after the Agreement takes effect, through no fault of recipient; (Y) was received by recipient from a third party without breach of any obligation owed to discloser; or (Z) was independently developed by recipient without breach of the Agreement.
  2. The Parties will hold each other’s Confidential Information in confidence and will treat it with the same degree of care with which it would treat its own Confidential Information of a like nature, and in no case less than a reasonable degree of care. With respect to all Confidential Information other than Products and Documentation provided by Supplier and Personal Information provided by either Party, such obligation shall terminate three (3) years after termination of the With respect to Products and Documentation provided by Supplier and Personal Information provided by either Party, such obligation is perpetual.
  3. Except as otherwise expressly stated in the Agreement, Confidential Information may only be disclosed to the receiving Party’s and its Affiliates’ employees, subcontractors, consultants, agents, and other service providers who are required to access it to carry out the obligations or exercise the rights of the receiving Party and its Affiliates under the Agreement, provided that those to whom the receiving Party and its Affiliates disclose the Confidential Information are contractually obligated to protect such Confidential Information in a manner that is no less restrictive than the requirements set forth in the Agreement. Customer Confidential Information may also be disclosed to Supplier’s Affiliates or Customer’s Service Providers as necessary to facilitate work performed under an agreement that Customer may have directly with that Affiliate or Customer Service Provider, provided that any such Confidential Information shall be deemed Confidential Information, or the equivalent thereof, under that agreement. Each Party shall be responsible for any acts or omissions of its or its Affiliates’ employees, subcontractors, consultants, agents, and other representatives which, if they were acts or omissions of that Party, would be deemed a breach of that Party’s obligations of this Section 7. Supplier may also disclose Customer’s Confidential Information to a Third-Party Content provider to the extent necessary to facilitate Customer’s relationship with that Third-Party Content provider.
  4. It shall not be a breach of this Section 7(c) if Confidential Information is disclosed pursuant to subpoena or other compulsory judicial or administrative process, provided that the Party served with such process promptly notifies, to the extent legally permissible, the other Party and provides reasonable assistance so that the other Party may seek, at its own cost and expense, a protective order against
  5. The parties recognize and agree that monetary damages are an inadequate remedy for breach of the obligations set forth in this Section 7(c) and further recognize that any breach would result in irreparable harm to the non-breaching In the event of such a breach or threatened breach, the non-breaching Party may seek injunctive relief from a court of competent jurisdiction to pursue those remedies available to it.
4. Sensitive Personal Information. “Sensitive Personal Information” means any Personal Information that, due to its intimate nature or the context of its use or communication, entails a high level of reasonable expectation of privacy, including government identifiers, medical records, biometric data, financial account details, and any additional types of information encompassed within this term or any similar term as used in applicable data protection or privacy laws (such as “sensitive personal information” or “special categories of personal data”). To the extent that applicable law requires the Parties to execute a separate agreement or addendum to an agreement which governs the use of any such Sensitive Personal Information (e.g. a Data Processing Agreement which expressly covers Sensitive Personal Information), Customer shall not collect, process, or store any Sensitive Personal Information using the Products unless and until the Parties execute such an agreement or addendum.
5. Return and Destruction of Confidential Information. Except to the extent that the continued use of a Party’s Confidential Information is necessary for the other Party to exercise rights granted under the Agreement that are intended to survive the Agreement, upon the termination or expiration of the Agreement: (i) all rights granted by the disclosing Party with respect to its Confidential Information will automatically terminate and the receiving Party shall immediately cease (and cause its and its Affiliates employees, subcontractors, consultants, agents, and other representatives to cease) any access to and use of the disclosing Party’s Confidential Information; and (ii) the receiving Party shall securely delete or destroy the disclosing Party’s Confidential Information in a manner consistent with the sensitivity of the Confidential Information. Upon request of the disclosing Party, an officer of receiving Party shall certify to all such deletion or destruction in writing. Following termination or expiration of the Agreement, upon Supplier’s written request, Customer shall promptly and in any case within thirty (30) days of such written request, delete any copies of the Software in its possession and shall certify to such deletion in writing. Notwithstanding the foregoing, the receiving Party may retain a copy of Confidential Information for archival purposes if permitted by law or in accordance with receiving Party’s bona fide records retention policies, provided that the receiving Party continues to abide by the restrictions set forth in this Section 7 for as long it retains such Confidential Information. Supplier is under no obligation to retain data for more than thirty (30) days beyond the expiration or termination of the Agreement or any given Order Form.
Indemnification
1. By Supplier. Supplier will, at its expense, defend Customer against any claim, demand, suit, or proceeding made or brought against Customer, or any Affiliates authorized to use the Products pursuant to Section 2(a)(iv)(A) of these GTCs, by a third party alleging that Customer’s use of a Product within the scope of the Agreement infringes or misappropriates the IP Rights of such a third party (a “Claim Against Customer”), and will indemnify Customer for any damages, attorney fees and costs finally awarded against Customer, or for amounts paid by Customer under a settlement approved by Supplier in writing, as a result of a Claim Against Customer; provided that Customer notifies Supplier promptly in writing of the Claim Against Customer, provides Supplier with the sole control and authority to defend or settle the Claim Against Customer, and gives Supplier the authority, information and assistance necessary to settle or defend the Claim Against Customer. If any of the Products are, or in Supplier’s opinion are likely to be, claimed to infringe, misappropriate, or otherwise violate any third-party IP Rights, Supplier may in its discretion and at no cost to Customer (i) modify or replace the Products, in whole or in part, to make the Products (as so modified or replaced) non-infringing, while providing materially similar features and functionality, (ii) obtain the right for Customer to continue to use the Products as contemplated by the Agreement, or (iii) by written notice to Customer, terminate the Agreement with respect to all or part of the Products, and require Customer to immediately cease any use of the Products, or any specified part or feature thereof, provided that Customer shall be entitled to a Pro Rata Refund for any Products that are terminated pursuant hereto. Notwithstanding the foregoing, Supplier shall have no obligation to defend against or indemnify for any Claims Against Customer to the extent they arise from: (A) use of a version of the Software that was not, at the time that the Claim Against Customer arose, the current unaltered version of the Software made available by Supplier hereunder; (B) combination, operation, integration or interfacing of the Software or Cloud Services with Third-Party Content, if such Claim Against Customer would not have arisen but for such combination, operation, integration or interfacing; (C) use of the Products in a manner other than as authorized by the Agreement; (D) use of Customer Data in conjunction with the Products; or (E) modifications to the Software or Cloud Services by any person other than Supplier or its authorized agents or subcontractors.
2. By Customer. Customer will, at its expense, defend Supplier, its Affiliates, and Personnel against any claim, demand, suit, or proceeding made or brought against Supplier, its Affiliates, or Personnel by a third party (i) arising from or related to Customer’s or its Authorized Users’ failure to use the Products in accordance with the terms of the Agreement or any applicable laws, regulations, or third-party contractual obligations, or (ii) alleging that any Customer Data or Supplier’s use of Customer Data within the scope of the Agreement infringes or misappropriates any rights of such a third party (a “Claim Against Supplier”), and will indemnify Supplier, its Affiliates, and Personnel for any damages, attorney fees and costs finally awarded against Supplier, or for amounts paid by Supplier under a settlement approved by Customer in writing, as a result of a Claim Against Supplier; provided that Supplier notifies Customer promptly in writing of the Claim Against Supplier, provides Customer with the sole control and authority to defend or settle the Claim Against Supplier, and gives Customer the authority, information and assistance necessary to settle or defend the Claim Against Supplier. Notwithstanding the foregoing, Customer may not settle or defend a Claim Against Supplier in a manner that imposes any equitable or other non-monetary remedies or obligations on the Supplier, or includes a finding or admission of wrongdoing or any violation of applicable laws, regulations, or the rights of any third-party by the Supplier.
3. THE FOREGOING STATES THE INDEMNIFYING PARTY’S SOLE AND EXCLUSIVE LIABILITY TO the indemnified party, AND THE INDEMNIFIED PARTY’S SOLE AND EXCLUSIVE REMEDY AGAINST THE INDEMNIFYING PARTY, WITH RESPECT TO ANY THIRD-PARTY CLAIM OF INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS OR PROPRIETARY RIGHTS DESCRIBED IN SECTIONS 8(a) AND 8(b).
Warranty & Warranty Disclaimer
1. Mutual Representations and Warranties. Each Party represents and warrants to the other Party that: (i) it is duly organized, validly existing, and in good standing as a corporation or other entity under the laws of the jurisdiction of its incorporation or other organization; (ii) it has the full right, power, and authority to enter into the Agreement; and (iii) the execution of the Agreement by its representative whose signature is set forth at the end of the Agreement has been duly authorized by all necessary corporate or organizational action of such Party, and when executed and delivered by both parties, the Agreement will constitute the legal, valid, and binding obligation of such Party, enforceable against such Party in accordance with its terms.
2. Additional Supplier Representations, Warranties, and Covenants.
  1. Software and Cloud Services. Supplier warrants that the Software and Cloud Services will perform in material conformance with the current Documentation for each respective Software and Cloud Services Product for a period of ninety (90) days after the Software or Cloud Services in question are made available to Customer for use in a production environment. As Customer’s sole remedy for any breach of this warranty, if Customer provides notice to Supplier of any reproducible material incidence of non-conformance within thirty (30) days from the date of discovery of any such non-conformance, or the date the Customer reasonably should have discovered any such non-conformance, Supplier will use commercially reasonable efforts to correct such non-conformance, provided such non-conformance is not caused by: (A) negligence, gross negligence, or intentional misconduct on the part of Customer or any of its Authorized Users, (B) Customer’s failure to use of the Software or Cloud Services in accordance with the terms of the Agreement, (C) Third Party Content or any other product or service not provided by Supplier, its Affiliates, or its Personnel, or (D) Harmful Code, to the extent that such Harmful Code was not introduced as a result of Supplier’s negligence, gross negligence, or intentional misconduct. For the sake of clarity, upon conclusion of the warranty period, Supplier will continue to provide Support Services to Customer in accordance with Section 3(a) of these GTCs.
  2. Services. Supplier warrants that the Services will be performed in a professional manner consistent with generally accepted industry standards for the Services. As Customer’s sole remedy for any breach of this warranty, if Customer provides notice to Supplier of any documented incidence of non-conformance within thirty (30) days of discovering any such non-conformance, or the date the Customer reasonably should have discovered any such non-conformance, Supplier will use commercially reasonable efforts to correct such non-conformance, provided such non-conformance is not caused by: (A) Customer’s failure to adhere to its obligations under the Agreement, including but not limited to any assumptions set forth in an SOW, or (B) Third-Party Content or any other product or service not provided by Supplier, its Affiliates, or its Personnel.
3. Additional Customer Representations, Warranties, and Covenants. Customer represents, warrants, and covenants to Supplier that Customer (i) complies, and will continue to comply, with all applicable laws and regulations, including but not limited to those applicable to the collection and use of Customer Data in connection with this Agreement, and (ii) owns or otherwise has and will have the necessary rights and consents in and relating to the Customer Data so that, as received by Supplier and processed in accordance with the Agreement, including any Privacy Agreements, Supplier’s use of the Customer Data does not and will not infringe, misappropriate, or otherwise violate any IP Rights, privacy rights, or any other rights of a third party, or violate any applicable law or regulation.
4. DISCLAIMERS. EXCEPT FOR THE WARRANTIES PROVIDED IN THIS SECTION 9 AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CUSTOMER ACKNOWLEDGES THAT THE PRODUCTS, AND THIRD-PARTY CONTENT ARE PROVIDED “AS IS” AND “WITH ALL FAULTS,” AND SUPPLIER DISCLAIMS ALL OTHER WARRANTIES, REPRESENTATIONS, and covenants, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTY AND CONDITION OF MERCHANTABLE QUALITY, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, OR THE USE OF REASONABLE SKILL AND CARE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING: (i) SUPPLIER DOES NOT WARRANT THAT THE PRODUCTS or the third-party content WILL OPERATE UNINTERRUPTED OR ERROR FREE; (ii) notwithstanding statements to the contrary in any Documentation or Supplier Marketing materials, Supplier does not warrant that the Products or the third-party content WILL MEET ALL OF CUSTOMER’S REQUIREMENTS OR EXPECTATIONS, including any requirements with respect to Customer’s obligations under applicable laws, regulations, or third-party contractual obligations; and (iii) Supplier disclaims all liability arising from a third party’s privacy or data security practices. SUPPLIER’S LIMITED WARRANTIES DO NOT APPLY TO ANY product WHICH HAS BEEN MODIFIED OR ALTERED IN ANY MANNER BY ANYONE OTHER THAN SUPPLIER, ITS AFFILIATES, OR ITS PERSONNEL. Supplier Personnel shall have no authority to make any representations, warranties, or covenants on behalf of Supplier or its Affiliates, and any purported representations, warranties, or covenants to the contrary set forth in any communications from Personnel shall be null and void. Nothing in the Agreement excludes, restricts, or modifies any right or remedy, or any guarantee, representation, warranty, condition or other term, implied or imposed by any applicable law which cannot lawfully be excluded or limited. The Parties agree that it is Customer’s responsibility to determine if the Products are suitable for Customer’s requirements. No other terms, conditions, representations, warranties, covenants, or guarantees, whether written or oral, express or implied, will form a part of the Agreement or have any legal effect whatsoever.
Limitation of Liability.
Supplier’s entire liability under the Agreement in the aggregate or in any way related to the Products will be limited to direct damages in an amount equal to the Fees paid by Customer to Supplier under the Agreement during the twelve (12) month period immediately preceding the first event giving rise to the claim. In no event will Supplier be liable for: (a) any special, indirect, exemplary, punitive, incidental, or consequential damages arising from or related to the Agreement or in any way related to the Products; or (b) any loss of revenue, profits, goodwill or data (including due to a virus or otherwise), business interruption, failure to realize expected savings, corruption of data, or claims against Customer by any third party other than as set out in Section 8, even if Supplier is advised of the possibility of such damages in advance. These limitations will apply regardless of how the claim arises, including for breach of contract, tort, negligence or otherwise, and will apply to all Order Forms, SOWs, and any other document related to THE Agreement. The Parties agree that the limitations and exclusions of liability set forth in this Section of the Agreement will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose. The foregoing limitations of liability allocate the risks between Supplier and Customer and form a material basis of the bargain between the Parties. Customer must notify Supplier that it is pursuing a claim under this agreement within one (1) year of the date it knew or should have known of the basis for any such claim. Supplier’s pricing reflects this allocation of risk and the limitation of liability specified herein.
Term and Termination
1. Term.
  1. Initial Term. The initial term of an Order Form or SOW will commence on the effective date set forth in the Order Form or SOW and will continue thereafter for the period as set out in the Order Form or SOW (“Initial Term”), unless terminated earlier by Supplier or Customer in accordance with the terms of the Agreement. If no effective date is specified in an Order Form or SOW, the effective date of such Order Form or SOW shall be the date of final signature.
  2. Renewal Term. Unless otherwise specified in an Order Form, an Order Form will automatically renew at the then-current Usage Metrics for additional recurring periods of one (1) year (each being a “Renewal Term” and, collectively, with the Initial Term, the “Term”), unless either Party provides the other Party with sixty (60) days written notice prior to the conclusion of an Initial Term or any Renewal Term, as applicable, that is one (1) year or greater, or with thirty (30) days written notice prior to the conclusion of an Initial Term or any Renewal Term, as applicable, that is less than one (1) year. All terms and conditions of the Agreement shall remain in effect during any Renewal Term, except as otherwise stated in the Agreement or expressly agreed to by the Parties in writing.
  3. Term of GTCs. The term of these GTCs shall begin on the Effective Date and shall continue for the Term of any then-current Order Form or SOW that incorporates these GTCs by reference, or any post-Evaluation-License Term. If an Order Form or an SOW has not yet been or is never executed, or Customer never enters into an Evaluation License, then the term of these GTCs will be twelve (12) months.
2. Suspension.
  1. Failure to Pay Fees or Provide Requested Information or Certification. Upon fifteen (15) days prior written notice to Customer, including, without limitation, any notice of late or past due payment, Supplier may suspend (A) Customer’s right to use of any Software or Cloud Services, including any Updates thereto, and/or (B) the provision of any Services, for as long as (x) any undisputed Fees are delinquent and remain unpaid, or (y) Customer has not provided, in a manner that is reasonably satisfactory to Supplier in its sole discretion, all information, certification, or other documentation requested by Supplier in connection with an audit by Supplier or self-certification by Customer, in each case with respect to Customer’s use of the Products (including all applicable Usage Metrics) in accordance with this Agreement. An invoice which indicates a past due amount satisfies the notice requirements of this Section 11(b)(i)(x).
  2. Misuse. Upon fifteen (15) days prior written notice to Customer, Supplier may suspend Customer’s right to use any Product which is not being used in conformance with the terms of the Agreement for as long as any such nonconformity remains uncured. Notwithstanding the foregoing, if any such nonconformity is, in Supplier’s sole discretion, likely to cause harm or risk of harm to Supplier, its Affiliates, its Personnel, or the Products, Supplier may suspend Customer’s right to use the Product immediately without notice to Customer.
  3. Additional Terms. In the event of any suspension under this Section 11(b), (A) Supplier shall not be precluded from exercising any additional remedies that might be available to it under the terms of the Agreement or otherwise, (B) the Term will not be extended and no Fees will be refunded to account for any period of suspension, (C) Supplier reserves the right to charge a Fee to reinstate Customer’s access to the Products, and (D) Customer forfeits all right to use the Products and any Supplier Materials, including without limitation Supplier’s Confidential Information, during the period of suspension, except to the extent that Supplier gives Customer its prior written consent to use any of the foregoing to cure the default that led to the suspension. Any written notice provided under this Section 11(b) shall also satisfy the written notice requirements of Section 11(c) below. Any choice by Supplier to forego suspension under this Section 11(b) shall not be construed as a waiver of any rights under the Agreement or otherwise.
3. Termination by Supplier. Supplier has the right to terminate the Agreement, or any portion thereof, if Customer is in default of any material term or condition of the Agreement and fails to cure such default within thirty (30) days after receipt of written notice of such default. Without limitation, it will be deemed a Customer default under the Agreement if Customer fails to pay any amount when due hereunder. Supplier may terminate the Agreement immediately if: (i) Customer uses a Product in a way that violates any law or is causing, or is reasonably expected to cause, material harm to Supplier, its Affiliates, its Personnel, or the Products; or (ii) Customer becomes insolvent, a receiver, administrator, controller or a liquidator is appointed to Customer, Customer assigns any of its property for the benefit of creditors or any class of them or any proceedings have been commenced by or against Customer under any bankruptcy, insolvency or similar laws.
4. Termination by Customer. Customer has the right to terminate the Agreement, or any portion thereof, if Supplier is in default of any material term or condition herein and fails to cure such default within thirty (30) days after receipt of written notice of such default, or if Supplier becomes insolvent or any proceedings are to be commenced by or against Supplier under any bankruptcy, insolvency or similar laws. Notwithstanding anything in these GTCs to the contrary, termination by Customer for material breach by or the insolvency of Supplier shall entitle Customer to a Pro Rata Refund of Fees paid for those Products which are affected by any such termination.
5. Effect of Termination and Expiration. Upon termination or expiration of the Agreement, or any portion thereof, for any reason, any and all amounts owed to Supplier pursuant to the Agreement, or the portion of the Agreement which has terminated or expired, will be immediately due and payable, and all rights, or those rights attributable the portion of the Agreement which has terminated or expired, granted to Customer hereunder will be immediately revoked and terminated. The obligations of the Parties and the provisions of the Agreement which are expressly stated to survive, or may be reasonable expected to survive, shall survive the expiration or termination of the Agreement, including without limitation Sections 6, 7(c), 8, 10, 13 and 14 of the Agreement.
Assignment.
Neither Party may assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligations or performance, under this Agreement, in each case whether voluntarily, involuntarily, by operations of law, or otherwise, without the prior written consent of the other Party, except Supplier may assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligations or performance, under the Agreement to any of its Affiliates without consent of Customer, provided that the Agreement will bind and inure to the benefit of any Supplier successor or assignee. For purposes of the preceding sentence, and without limiting its generality, any change of control, acquisition, amalgamation, arrangement, merger, or reorganization involving Customer will be deemed to be a transfer of rights, obligations, or performance under this Agreement for which Supplier’s prior written consent is required. If Customer is acquired by, sells substantially all of its assets to, or undergoes change of control in favor of, a direct competitor of Supplier, then Supplier may terminate the Agreement with immediate effect upon written notice.

Governing Law

The law that will apply to any question of interpretation regarding the Agreement, any question of the existence of the Agreement, or a lawsuit or dispute arising out of or in connection with the Agreement, and which courts have jurisdiction over any such lawsuit or dispute shall be as follows:

Customer Country of Incorporation:	Governing Law:	Courts Having Jurisdiction:
The United States of America, Mexico or a Country in Central or South America or the Caribbean	The laws of the State of Delaware and the federal laws of the United States applicable in that state.	(a) The United States District Court for the District of Delaware (to the extent it has subject matter jurisdiction), or (b) the Delaware Court of Chancery

Each Party agrees to the applicable governing law above without regard to choice or conflicts of law rules, and, subject to the availability of injunctive relief pursuant to Section 7(c) (Confidentiality) and to Section 14 (Disputes), to the jurisdiction of the applicable courts above. The parties exclude the operation of the United Nations Convention on Contracts for the International Sale of Goods.

Disputes.

Upon any dispute, controversy or claim between the parties, each of the parties will designate a representative from senior management to attempt to resolve such dispute. The designated representatives will negotiate in good faith in an effort to resolve the dispute over a period of thirty (30) days. If the dispute is not resolved in this 30-day period, the parties will submit the dispute to binding arbitration under the applicable arbitration law and rules identified in the table below, by a single arbitrator independent of both parties who is skilled in the legal and business aspects of the software industry. Notwithstanding the foregoing, the Delaware Uniform Arbitration Act shall supplant the Delaware Rapid Arbitration Act in the event that (a) the Delaware Rapid Arbitration Act is not available to the Parties, (b) the subject matter of the dispute includes allegations that Customer has infringed, or has permitted others to infringe, Supplier’s IP Rights, or (c) the amount in dispute is greater than or equal to one million dollars ($1,000,000). The parties agree that the arbitrator’s fee shall be shared equally between the parties and that each Party shall be responsible for its costs, legal and otherwise, in relation to the arbitration, unless the arbitrator decides that the circumstances justify an award of costs. Any award by an arbitrator pursuant to arbitration, whether for costs, expenses, damages, or otherwise, is final and may be entered in and enforceable by the court having jurisdiction over the Agreement, as set forth in Section 13(a) above. The arbitration shall be conducted in the English language and shall take place in accordance with arbitration rules and in the location set forth in the below chart, depending on the country of incorporation or organization, as applicable, of Customer. Nothing in this Section 14 shall limit the ability of a Party to seek injunctive relief. Notwithstanding the foregoing, any Supplier claim which alleges that Customer has not paid an undisputed invoice is not subject to the binding arbitration process set forth in this Section.

Customer Country of Incorporation:	Applicable Arbitration Law and Rules:	Location of Arbitration:
The United States of America, Mexico, or a Country in Central or South America or the Caribbean	Delaware Rapid Arbitration Act and Delaware Rapid Arbitration Rules whenever possible; otherwise, the Delaware Uniform Arbitration Act and Commercial Arbitration Rules of the American Arbitration Association	Wilmington, Delaware

General
1. Export Compliance. The Products, and derivatives thereof, may be subject to export laws and regulations. Customer represents that it is not restricted or prohibited from doing business in the United States of America, Canada, United Kingdom, or European Union, or with any persons or entities therefrom. Customer shall not resell or permit access or use of the Products in any country which has been embargoed by the United States of America, Canada, United Kingdom, European Union, or United Nations, or in violation of any other applicable embargo, export law, or regulation. In the event that Customer is in breach of this Section 15(a), whether such a breach arises from current or future restrictions, prohibitions, or embargos, Supplier shall have the right to suspend or terminate this Agreement immediately upon notice to Customer.
2. Anti-Corruption. Customer represents to Supplier that it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Supplier’s employees or agents in connection with the Agreement. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction. If Customer learns of any violation of the above restriction, Customer will use reasonable efforts to promptly notify Supplier.
3. Subcontractors. Supplier reserves the right to make use of subcontractors to provide or develop any of the Products and to use such means as Supplier, in its sole discretion, considers appropriate. Supplier’s use of subcontractors shall not relieve Supplier of its obligations under the Agreement.
4. Non-Solicitation. During the Term of the Agreement and for a period of one (1) year following the termination of the Agreement, each Party hereto agrees not to solicit, recruit or employ any employee of the other Party without the prior written consent of an authorized representative of the other Party. For purposes of this section, the term “employee,” shall include any person with such status at any time during the six (6) months preceding any solicitation in question. For the avoidance of doubt, the foregoing restriction shall not apply to the following forms of solicitation (and resulting employment): (i) a Party using general bona fide solicitations directed at the public or industry participation in general publications or internet resources not specifically targeted at employees of the other Party, or employing any person who responds to such solicitations; (ii) using search firms, or hiring any persons solicited by such search firms, so long as such firms are not advised by a Party to solicit employees of the other Party; or (iii) soliciting any person who has left the employment of the other Party prior to the date of the Agreement.
5. (e) Notices. All notices will be in writing, and will be deemed to be delivered upon (i) personal delivery; (ii) one business day after being delivered by reputable international shipping service to the address of the applicable Party set forth on the most recent Order Form or SOW, or if no such address exists, the last known address available to the Party providing notice; or (iii) when delivered by electronic mail to the applicable Party at the email address shown on the most recent Order Form or SOW, or if no such email address exists, the last known email address available to the Party providing notice, except for notices of material breach of the Agreement, termination, or an indemnifiable claim (“Legal Notices”) which cannot be delivered electronically. Each Party may modify its recipient of notices by providing notice pursuant to this Section 15(e).
6. Entire Agreement; Order of Precedence; Severability. The Agreement constitutes the entire agreement between the Parties with respect to the subject matter of the Agreement and supersedes all proposals, oral and written, and all previous negotiations and communications between the Parties and their representatives with respect to the subject matter of the Agreement. Each Party acknowledges that, in entering into the Agreement, it does not rely on any statement, representation, assurance or warranty (whether it was made negligently or innocently) of any person (whether a Party to the Agreement or not) other than as expressly set out in the Agreement. The Agreement will prevail over terms and conditions of any Customer-issued purchase order, which will have no force and effect, even if Supplier accepts or does not otherwise reject the purchase order. In the event of conflict between these GTCs and an Order Form or SOW, the terms of the Order Form or SOW shall control, but only as to that Order Form or SOW. In the event of a conflict between the Privacy Agreements and any other component of the Agreement, the Privacy Agreements shall control. If any provision contained herein or part thereof is determined to be void or unenforceable in whole or in part by a court of competent jurisdiction, such invalid provision or part thereof shall be deemed not to affect or impair the validity or enforceability of any other provision or part thereof contained herein, all of which remaining provisions or parts thereof shall be and remain in full force and effect.
7. (g) Amendment. Customer acknowledges and agrees that Supplier may, in its sole discretion, modify these GTCs from time to time, and that any such modifications become effective thirty (30) days after the date that Supplier provides the updated GTCs to Customer, which may be done by providing Customer with a URL that hosts the updated GTCs along with a clear message that these GTCs have been updated. Customer is responsible for reviewing and becoming familiar with the updated GTCs. If, prior to the effective date of the updated GTCs, Customer notifies Supplier of its objection to a modification of the GTCs which would result in a material degradation of Customer’s rights or Supplier’s obligations to Customer under the GTCs, then Supplier shall either conduct good faith negotiations of only those modifications which would result in such a material degradation, or, upon thirty (30) days notice to Customer, terminate the Agreement. Notwithstanding anything in the Agreement to the contrary, the termination right set forth in this Section shall be in addition to any other termination right Supplier may otherwise have under the Agreement. If Supplier exercises its right to terminate pursuant to the terms of this Section, Customer shall be entitled to a Pro-Rata Refund of any Fees already paid by Customer for the affected Products, calculated from the effective date of any such termination. Customer’s failure to object prior to the effective date of the updated GTCs shall be deemed acceptance of the updated GTCs. Except for Supplier’s right to update these GTCs pursuant to this Section, and except as otherwise agreed to in an SOW or Order From, the Agreement may only be modified by written amendment signed by the Parties.
8. Non-Waiver. Except as expressly stated in the Agreement, no term of the Agreement will be deemed waived, and no breach of a term excused, unless the waiver or excuse is provided in writing and signed by the Party issuing it.
9. Force Majeure. Neither Party will be liable for any delay or failure to perform its obligations under the Agreement, except for Customer’s payment obligations, due to any cause beyond the Party’s reasonable control, which may include labor disputes or other industrial disturbances, systemic electrical, telecommunications or other utility (including Internet) outages or failures, earthquakes, storms or other acts of God, pandemic, embargoes, riots, acts or orders of government, acts of terrorism or cyber crime, or war (each a “Force Majeure Event”). The affected Party shall be excused from performance and will not be liable or in breach of the Agreement, but only to the extent that and only for so long as the affected Party’s performance is actually prevented, hindered or delayed by the Force Majeure Event and provided that the affected Party uses commercially reasonable efforts to mitigate the effect of the Force Majeure Event and resume performance as soon as possible.
10. Audit. Supplier may from time to time audit Customer’s use of the Products (e.g., through use of software tools or otherwise) to assess whether Customer’s use of the Products is in accordance with the terms of the Agreement. Customer agrees to cooperate with Supplier’s audit and provide reasonable assistance and access to information. Any such audit shall not unreasonably interfere with Customer’s normal business operations. Customer agrees to pay, within thirty (30) days of written notification to Customer, any fees applicable to Customer’s use of the Products in excess of the applicable Usage Metrics, including all retroactively applied late interest fees. Supplier shall bear all of its own costs of the Audit, and expressly excluding any of Customer’s costs incurred in cooperating with the audit.
11. Independent Contractors. The relationship of the Parties established by the Agreement is that of independent contractors. The Agreement does not establish an agency, joint venture or partnership relationship between Supplier and Customer. Supplier and its Personnel, and other entities which represent Supplier, are acting as independent contractors and not as employees or agents of Customer. Nothing in the Agreement will be construed to permit either Party to bind the other or to enter into obligations on behalf of the other Party.

SCHEDULE A

Data Processing Agreement (DPA)

This Data Processing Agreement including its Attachments (“DPA”) between CalcAir Employee Benefit Systems Inc. (“Supplier”) and the entity that receives any Products from Supplier (“Customer”) pursuant to a written or electronic agreement which governs the provision of those Products (“Agreement”) shall apply to the extent that (i) Supplier Processes Personal Data on behalf of the Customer, and (ii) either the Agreement expressly incorporates this DPA by reference or the parties sign this DPA.

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon the earlier of signature or its incorporation into the Agreement (“Effective Date”), which incorporation may be specified in the Agreement or an executed amendment to the Agreement. In case of any conflict or inconsistency between the terms of the Agreement and this DPA, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

The term of this DPA shall follow the Term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.

Definitions
“California Personal Information” means Personal Data that is subject to the CCPA.

“Consumer,” “Business,” “Sell” and “Service Provider” shall have the meanings given to them in the CCPA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Privacy Laws” means all applicable legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation US Privacy Laws; in each case to the extent applicable and as amended, repealed, consolidated or replaced from time to time.

“Data Subject” means the individual to whom Personal Data relates.

“Instructions” means the written, documented instructions issued by Customer to Supplier and directing the same to perform a specific or general action with regard to Personal Data.

“Permitted Affiliates” means any of Customer’s Affiliates (as defined under the Agreement):
1. That are permitted to use the Products pursuant to the Agreement, but have not signed their own separate agreement with Supplier;
2. For whom Supplier Processes Personal Data; and
3. That are subject to Data Privacy Laws.
“Personal Data” means any information provided by or collected on behalf of Customer relating to an identified or identifiable individual where such information is protected under applicable Data Privacy Laws as personal data, personal information, personally identifiable information, or any equivalent thereof.

“Personal Data Breach” means an event that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Supplier and/or its Sub-Processors in connection with the provision of the Products, subject to any limitations, exclusions, exceptions, or safe harbors provided for by applicable Data Privacy Laws. “Personal Data Breach” shall not include (a) any such events for which notification is not required pursuant to applicable Data Privacy Laws, or (b) unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems, except to the extent that any such unsuccessful attempts or activities must be disclosed pursuant to applicable Data Privacy Laws.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

“Products” means the goods and services provided by Supplier to Customer under the Agreement.

“Sub-Processor” means any third-party engaged by Supplier to carry out specific Processing activities in accordance with the Instructions and subject to further limitations set forth in this DPA.

“US Privacy Laws” means the applicable legislation of the United States of America that are in effect as of the Effective Date relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, in each case as hereinafter amended, superseded, or replaced, including the following:
1. In California: the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”);
2. In Colorado: the Colorado Privacy Act (the “CoPA”);
3. In Connecticut: the Connecticut Personal Data Privacy and Online Monitoring Act (the “CPDP”);
4. In Delaware: the Delaware Personal Data Privacy Act (the “DPDPA”);
5. In Iowa: the Iowa Consumer Data Protection Act (the “ICDPA”);
6. In Montana: the Montana Consumer Data Privacy Act (the “MCDPA”);
7. In Nebraska: the Nebraska Data Privacy Act (the “NDPA”);
8. In New Hampshire: the New Hampshire Data Privacy Act (the “NHDPA”);
9. In New Jersey: the New Jersey Data Privacy Act (the “NJDPA”);
10. In Oregon: the Oregon Consumer Privacy Act (the “OCPA”);
11. In Texas: the Texas Data Privacy and Security Act (the “TDPSA”);
12. In Utah: the Utah Consumer Privacy Act (the “UCPA”); and
13. In Virginia: the Virginia Consumer Data Protection Act (the “VCDPA”).
Roles of the Parties
1. Under the CCPA. To the extent that CCPA applies to the Processing activities under the Agreement, the parties acknowledge and agree that Supplier is a Service Provider and Customer is either a (i) Business or (ii) a Service Provider acting on behalf of a Business that is not a party to this DPA. Notwithstanding the foregoing, in the event that Attachment 1, Section A identifies any purposes for which Supplier Processes Personal Data as a ‘third party’ as that term is defined under the CCPA (“CCPA Third Party”), in which case Supplier is a CCPA Third Party.
2. Under US Privacy Laws, except the CCPA. To the extent that US Privacy Laws other than the CCPA apply to the Processing activities under the Agreement, the parties acknowledge and agree that Supplier is a Processor and Customer is either (i) a Controller, or (ii) a Processor acting on behalf of a Controller that is not a party to the Agreement or this DPA.
Customer Responsibilities
1. Compliance with Laws. Customer shall be responsible for complying with all its obligations under applicable Data Privacy Laws and shall inform Supplier without undue delay if it is not able to comply with its responsibilities under this sub-section (a) or applicable Data Privacy Laws. In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it shall be solely responsible for:
  1. the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data;
  2. complying with all necessary transparency and lawfulness requirements under applicable Data Privacy Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);
  3. ensuring it has the right to transfer, or provide access to, the Personal Data to Supplier for Processing in accordance with the terms of the Agreement (including this DPA);
  4. ensuring that its Instructions to Supplier regarding the Processing of Personal Data comply with applicable laws, including Data Privacy Laws; and
  5. complying with all laws (including Data Privacy Laws) applicable to any content created, sent or managed through the Products, including those relating to obtaining consents (where required) to send communications, the content of the communications, and its communication deployment practices.
2. Instructions. The parties agree that the following constitutes Customer’s complete and final Instructions to Supplier in relation to the Processing of Personal Data: (i) the terms of the Agreement and this DPA, including the Attachments hereto, (ii) direction from Customer through its use of the Products in accordance with the Agreement, and (iii) this general authorization by Customer which hereby permits Supplier to use Personal Data for any business operations incident to providing the Products to Customer. Additional instructions outside the scope of the Instructions must be agreed to according to the process for amending the Agreement or this DPA, where applicable.
3. Security. Customer is responsible for independently determining whether the data security provided for in the Products adequately meets its obligations under applicable Data Privacy Laws. Customer is also responsible for its secure use of the Products, including protecting account access to the Products and the security of Personal Data in transit to and from the Products (including the secure backup or encryption of any such Personal Data).
Supplier Obligations
1. Compliance with Instructions. Supplier shall only Process Personal Data for the purposes described in this DPA, including Attachment 1, or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise permitted by applicable law. Supplier is not responsible for compliance with any Data Privacy Laws applicable to Customer or Customer’s industry that are not generally applicable to Supplier.
2. Conflict of Laws. If Supplier becomes aware that it can no longer meet its obligations under the applicable Data Privacy Laws or Process Personal Data in accordance with Customer’s Instructions due to a legal requirement under any applicable law, Supplier will:
  1. promptly notify Customer of that legal requirement to the extent permitted by the applicable law; and
  2. where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new Instructions with which Supplier is able to comply. If this provision is invoked, Supplier will not be liable to Customer under the Agreement for any failure to provide the applicable Products until such time as Customer issues new lawful Instructions with regard to the Processing.
3. Technical and Organizational Measures. Supplier shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Attachment 2 (Technical and Organizational Measures) of this DPA. Notwithstanding any provision to the contrary, Supplier may modify or update the contents of Attachment 2 at its discretion provided that such modification or update does not result in a material degradation in the technical and organizational measures set forth therein.
4. Confidentiality. Supplier shall ensure that any personnel whom Supplier authorizes to Process Personal Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
5. Personal Data Breaches. In the event that Supplier becomes aware of any Personal Data Breach, Supplier will notify Customer without undue delay, and in any case within any time period set forth in applicable Data Privacy Laws. Customer hereby agrees that Supplier may, in its discretion, provide any legally required notices of Personal Data Breaches to applicable authorities and/or affected Data Subjects, provided that Customer shall have the right to propose commercially reasonable edits to any such notices; otherwise, if Supplier defers to Customer to provide any such notices then Supplier shall provide Customer with such reasonable assistance as necessary to enable Customer to provide any such notices. Customer may, at its own effort and expense, send any notices that are not required by applicable law.
6. Deletion or Return of Personal Data. Supplier will Process Personal Data for the duration of the Agreement only, unless otherwise agreed in writing. Supplier will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA on termination or expiration of the Products in accordance with the procedures and timeframes set out in the Agreement. Notwithstanding the foregoing and subject to applicable Data Privacy Laws, Supplier may continue to retain Customer’s Personal Data for as long as necessary to comply with Supplier’s legal and regulatory obligations; to enable fraud monitoring, detection and loss prevention activities; to comply with Supplier’s tax, accounting, and financial reporting obligations; and where required by Supplier’s contractual commitments to third-parties. Any such processing that extends beyond the term of the Agreement shall be done in accordance with the terms of this DPA and any applicable Data Privacy Laws.
7. Demonstration of Compliance. Supplier shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Privacy Laws and shall allow for and contribute to audits, including inspections by Customer, in order to assess compliance with this DPA and applicable Data Privacy Laws. Customer acknowledges and agrees that it shall exercise its audit and inspection rights under this DPA by instructing Supplier to supply, on a confidential basis, (i) a summary copy of an independently validated report of its security programs (e.g. SOC 2, Type II Report), along with copies of any related policies and other documentation, or its hosting provider’s security programs and related policies and documentation if Supplier does not host the Personal Data itself, or (ii) if Supplier does not have such a report, written responses to all reasonable requests for information made by Customer necessary to confirm Supplier’s compliance with this DPA, along with copies of any related policies and other documentation. Customer shall not exercise this right to audit and inspect more than once per calendar year.
8. Supplier Assistance to Customer. To the extent required by applicable Data Privacy Laws, Supplier shall assist Customer with Customer’s obligations under those applicable Data Privacy Laws. Such assistance may be provided through Product functionality, in which case Customer agrees to utilize such functionality before asking Supplier for further assistance.
Data Subject Requests
As part of Supplier’s obligation under Section 4(f) above, where required by applicable Data Privacy Laws, Supplier will assist Customer with Customer’s obligation to respond to requests from data protection authorities and Data Subjects that seek to exercise their rights under applicable Data Privacy Laws (“Data Subject Requests”). All Data Subject Requests must provide sufficient information for Supplier to verify the identity of the Data Subject. Customer shall reimburse Supplier for any commercially reasonable costs that arise from any such assistance that is in addition to that which Supplier normally provides to its customers.

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Supplier, Supplier will, to the extent that Supplier can identify Customer as the source of the Personal Data in question through its standard due diligence processes, promptly inform Customer of such Data Subject Request and will advise the Data Subject to submit their request to Customer. Customer shall otherwise be solely responsible for responding to any Data Subject Requests.
Data Protection Assessments
To the extent required by applicable law, Supplier will provide reasonable assistance to Customer to enable Customer to conduct and document data protection assessments, provided that the required information is reasonably available to Supplier, and Customer does not otherwise have access to the required information.
Sub-Processors
Customer agrees that Supplier may engage Sub-Processors to Process Personal Data on Customer’s behalf.

Where Supplier engages Sub-Processors, Supplier will execute a written agreement with any Sub-Processor that imposes data protection and privacy terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA and that requires the Sub-Processor to meet the obligations of the Supplier with respect to the Personal Data, to the extent applicable to the nature of the services provided by such Sub-Processors. Supplier will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Supplier to breach any of its obligations under this DPA.

For those Customers that provide Personal Data of Data Subjects who are subject to CoPA, Customer has the right to object to the use of any particular Sub-Processor, in which case Customer may request a list of Supplier’s Sub-Processors.
International Processing
Customer acknowledges and agrees that Supplier may Process Personal Data on a global basis as necessary to provide the Products in accordance with the Agreement. Supplier shall ensure such transfers are made in compliance with the requirements of applicable Data Privacy Laws.
Additional Provisions for California Personal Information
1. Scope. This Section 9 (Additional Provisions for California Personal Information) shall apply only with respect to California Personal Information. In the event that the terms and conditions in this Section 9 conflict with those in the other sections of this DPA, the terms and conditions in this Section 9 shall take precedence.
2. Responsibilities as a Service Provider. The parties agree that when Supplier is acting as a Service Provider (see Section 2(a)) Supplier will process California Personal Information strictly for the limited purposes set forth in Attachment 1 of this DPA and as otherwise permitted by the CCPA, including the permitted purposes set forth in the ‘business purpose’ definition in Section 1798.140(e) (the “Business Purposes”).
  1. As Service Provider, Supplier shall not:
    1. combine the California Personal Information that the Supplier receives from, or on behalf of, the Customer with California Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, provided that the Supplier may combine California Personal Information to perform any Business Purposes permitted under the CCPA, and may also aggregate, deidentify, or anonymize California Personal Information so it no longer meets the California Personal Information definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes or for any other purpose that is not prohibited under the CCPA;
    2. sell or share (as those terms are defined in the CCPA) California Personal Information;
    3. retain, use, or disclose California Personal Information for any purpose, including any commercial purpose, other than for the Business Purposes or as otherwise permitted by the CCPA; or
    4. retain, use, or disclose California Personal Information outside of the direct business relationship between Customer and Supplier, unless otherwise permitted by the CCPA.
  2. As a Service Provider, Supplier shall:
    1. comply with all applicable obligations imposed by the CCPA;
    2. provide the same level of privacy protection as is required by the Customer under the CCPA;
    3. implement reasonable security procedures and practices appropriate to the nature of the California Personal Information received to protect the California Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;
    4. promptly comply with any Customer request or instruction requiring the Supplier to provide, amend, transfer, or delete California Personal Information, or to stop, mitigate, or remedy any unauthorized processing;
    5. provide the Customer with reasonable and appropriate steps to (1) stop and remediate unauthorized use of California Personal Information and (2) ensure that Supplier uses the California Personal Information in a manner consistent with the Customer’s obligations under the CCPA; and
    6. notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates either party’s compliance with the CCPA; specifically, the Supplier must notify the Customer within seven (7) business days if it receives a verifiable consumer request under the CCPA.
3. Responsibilities as a CCPA Third Party. The parties agree that when Supplier is acting as a CCPA Third Party (see Section 2(a)) Supplier will process California Personal Information strictly for the limited purposes set forth in Attachment 1 of this DPA, including any Business Purposes and any CCPA Third Party purposes as identified therein, and as otherwise permitted by the CCPA (the “CCPA Third Party Purposes”).
  1. As a CCPA Third Party, Supplier shall:
    1. Only use the California Personal Information for the CCPA Third Party Purposes;
    2. Comply with all applicable obligations imposed by the CCPA;
    3. Provide the same level of privacy protection as is required by the Customer under the CCPA;
    4. Implement reasonable security procedures and practices appropriate to the nature of the California Personal Information received to protect the California Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;
    5. Permit the Customer to take reasonable and appropriate steps to (1) stop and remediate unauthorized use of California Personal Information and (2) ensure that the Supplier uses the California Personal Information in a manner consistent with the Customer’s obligations under the CCPA; and
    6. Notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates either party’s compliance with the CCPA, including any request to opt out of the sale or sharing of Personal Data; specifically, the Supplier must notify the Customer within seven (7) business days if it receives a verifiable consumer request under the CCPA.
4. Certification. Supplier certifies that it understands and will comply with the restrictions set out in Section 9(b) (Responsibilities as a Service Provider) and Section 9(c) (Responsibilities as a CCPA Third Party).
General Provisions
1. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 4(a) (Compliance with Instructions), or Section 4(c) (Technical and Organizational Measures), Supplier reserves the right to make any updates and changes to this DPA or list of Sub-Processors, and that any such modifications become effective thirty (30) days after the date that Supplier either (1) notifies Customer that the updated DPA or list of Sub-Processors has been posted to a particular URL, or (2) where applicable pursuant to CoPA, distributes the updated DPA or list of Sub-Processors to any known point-of-contact for Customer. Customer is responsible for reviewing and becoming familiar with the updated DPA or list of Sub-Processors. If, prior to the effective date of the updated DPA or list of Sub-Processors, Customer notifies Supplier of its objection to any modification of the DPA or list of Sub-Processors, then Supplier shall either (i) negotiate with Customer in good faith to resolve any such objection, or (ii) upon thirty (30) days’ notice to Customer, terminate the DPA and any portion of the Agreement that governs Products which are dependent upon its execution. If Supplier exercises its right to terminate pursuant to the terms of this Section, Customer shall be entitled to a pro-rata refund of any Fees already paid by Customer for the affected Products, calculated from the effective date of any such termination.
2. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
3. Limitation of Liability. Each party’s liability, and where applicable, each of Customer’s Affiliates’ liability, taken in aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party’s liability be limited with respect to any individual Data Subject’s data protection and privacy rights under this DPA or otherwise.
4. Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Privacy Laws.
5. Aggregate, Deidentified, and Anonymized Data. Supplier may aggregate, deidentify, or anonymize Personal Data so it no longer meets the Personal Data definition under applicable Data Privacy Laws, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes or for any other purpose that is not prohibited under applicable Data Privacy Laws. Supplier shall take reasonable measures to ensure that the data cannot be associated with a Data Subject and shall not attempt to re-identify the data. Supplier shall contractually obligate any recipients of the data to comply with the requirements of this Section 10(e).
Parties to this DPA
1. Permitted Affiliates. Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Privacy Laws, in the name and on behalf of its Permitted Affiliates, thereby establishing a separate DPA between Supplier and each such Permitted Affiliate. Each Permitted Affiliate agrees to be bound by the obligations under this DPA. For each separate DPA that is established, the Permitted Affiliate shall be the “Customer.”
2. Authorization. The legal entity entering into this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
3. Remedies. Except where applicable Data Privacy Laws require a Permitted Affiliate to exercise a right or seek any remedy under this DPA against Supplier directly by itself, the parties agree that: (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all communication with Supplier under the DPA and shall be entitled to make and receive any communication related to this DPA on behalf of its Permitted Affiliates.

Attachment 1 – Details of Processing

Nature and Purpose of Processing
Supplier will Process Personal Data for the limited and specific purposes identified in the Agreement, including as necessary to provide the Products pursuant to the Agreement, as further specified in an Order Form or SOW, and as further instructed by Customer in its use of the Products. Without limiting the generality of the foregoing, Personal Data may be subject to the following Processing activities: (a) storage and other Processing as necessary to provide, maintain and improve the Products provided to Customer; and/or (b) disclosure to third-parties in accordance with the Agreement, this DPA, or as compelled by applicable laws, which may include sending Personal Data to Customer’s partners and service providers on Customer’s behalf and at their direction.
Duration of Processing
Subject to Section 4(f) (Deletion or Return of Personal Data) of this DPA, Supplier will Process Personal Data for the duration of the Agreement only, unless otherwise agreed in writing.
Categories of Personal Data
Customer may provide the following categories of Personal Data to Supplier in the course of using the Products, or incident to the use thereof, the extent of which is determined and controlled by Customer in its sole discretion:
- Contact Information, including name, mailing address, email address, online user name(s), telephone number, user agent, and similar information.
- Gender
- IP Address
- Social Security Numbers, government identification numbers, and other similar information
- Trade Union Membership
- Employee data, date of hire/termination, job title, place of work, date of birth, compensation, and other similar information as requires to process retirement plans and other related plans.
- Any other Personal Data submitted by, sent to, or received by Customer, or Customer’s end users, via the Products.

Attachment 2 – Technical and Organizational Measures

Supplier shall comply with its obligations as a Processor under the Data Privacy Laws to keep all Personal Data secure. Without limiting the foregoing, Supplier shall: (a) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to applicable Data Privacy Laws; and (b) in assessing the appropriate level of security, taking into account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Such measures include (as applicable), without limitation:

Access Control
Outsourced Processing: Supplier Processes Customer’s Personal Data, including Personal Data that is used in conjunction with its hosted Software and Cloud Services, using industry-leading, reputable cloud infrastructure vendors. Supplier maintains contractual relationships with these infrastructure vendors which obligates them to provide their infrastructure services in accordance with standards which conform to the requirements of applicable Data Privacy Laws and that are no less restrictive than this Data Processing Agreement.

Physical and environmental security: Supplier hosts its Cloud Services in multi-tenant environments and deploys industry best practices with respect to isolating each tenant from one another. Supplier hosts its hosted Software in separate virtual environments for each Customer, each controlled in accordance with industry best practices. All of Customer’s Personal Data that is not Processed in the hosted Software or Cloud Services is Processed in a virtual environment inaccessible to Customers controlled in accordance with industry best practices.

Authentication: Supplier has implemented strong password policies for all systems that Process Customer’s Personal Data. Customers who interact with the Products via the user interface must authenticate before accessing non-public Personal Data.

Authorization: For Cloud Services, Personal Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces, and Customers are not allowed direct access to the underlying application infrastructure. For all systems that Process Customer’s Personal Data, the authorization model in each of Supplier’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Access controls: Supplier implements industry standard access controls for all systems that Process Customer’s Personal Data. Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: Supplier implements industry standard intruder detection capabilities for all systems that Process Customer’s Personal Data.

Static code analysis: Security reviews of code stored in Supplier’s source code repositories are regularly performed, checking for logical errors, security flaws, and performance flaws.

Vulnerability testing: Supplier conducts regular vulnerability testing of systems that Process Customer’s Personal Data. These vulnerability tests are intended to identify and resolve foreseeable attack vectors and potential abuse scenarios.

Product access: A subset of Supplier’s employees have access to the Products and other systems that Process Customer’s Personal Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents, and implement data security measures. Access is enabled through “just in time” requests for access, and all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants and roles are conducted regularly.

External access to Supplier systems that Process Customer’s Personal Data is restricted, following the same least privilege model, and requires two-factor authorization and authentication. External access controls are configured and monitored by Supplier IT and Security personnel.

Background checks: All Supplier employees who access systems that Process Customer’s Personal Data undergo a background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

Access control to premises and facilities: In addition to the access control measures stated above in this subsection (a), Supplier’s third-party infrastructure provider utilizes industry best practices with respect to access control to premises and facilities.
Transmission Control
In-transit: For Supplier Products that are accessible via the Internet, Supplier makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Supplier’s HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Supplier stores user passwords following policies that follow industry standard practices for security.  Supplier has implemented technologies to ensure that stored data is encrypted at rest.
Input Control
Detection: Supplier designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Supplier personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Supplier maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, legal, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, Supplier will take appropriate steps to respond and notify Customer in accordance with the terms of this DPA.
Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99% uptime. The infrastructure providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer’s Personal Data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups:: All databases are backed up and maintained using at least industry standard methods.

Measures to ensure that personal data are protected from accidental destruction or loss: Supplier has business continuity, incident response, data backup, and disaster recovery procedures designed to maintain business operations and redundancy of systems that Process Customer’s Personal Data. Supplier performs regular testing to ensure that availability supporting systems function properly.
Certifications
Upon request of Customer, Supplier will provide either (i) a copy of any available independently validated report of its security programs (i.e. SOC 2, Type II, ISO 27001, etc.), or (ii) written responses to all reasonable requests for information, along with copies of any related policies and other documentation.

License

SCHEDULE A

Attachment 1 – Details of Processing

Attachment 2 – Technical and Organizational Measures