Terms of Use
Welcome To Azira
The General Terms and Conditions (collectively, “T&Cs”) are the terms and conditions for the Customer’s use of the Services (as defined below) and constitute a legally binding agreement between the corporate entity, LLP, corporation, LLC, partnership, sole proprietorship, or other business entity signing the Service Order (“Customer”) and (i) AZIRA LLC, in case the Customer is registered in the territorial limits of North America; or (ii) AZIRA PTE. LTD., in case the Customer is registered outside of North America; and their affiliates (“Company”). In case the Customer has signed any agreement with the Company that captures the description of Services, Fees (as defined below) and any other specific terms and conditions (“Service Order”), such Service Order together with these T&Cs, shall be collectively referred to as the “Agreement”. In the event of a conflict or ambiguity between these T&Cs and the applicable Service Order, the terms of the Service Order shall prevail. In the event of an inconsistency between the Agreement and the EU SCCs and/or the UK Approved Addendum, the EU SCCs and/or the UK Approved Addendum shall prevail.
1. DEFINITIONS
- “Adequate Country” means a country or territory recognized as providing an adequate level of protection for Personal Data under an adequacy decision or regulations made, from time to time, by (as applicable) (i) the European Commission and/or (ii) the UK Secretary of State.
- “Allspark” means the Company’s identity, enrichment, audience curation, activation products which form Company’s marketing intelligence solution.
- “Applicable State Privacy Laws” means, as applicable: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (c) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; (e) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq; and (f) any other relevant U.S. state law regarding the privacy of personal information as applicable to the Underlying Agreement.
- “CCPA” means the California Consumer Privacy Act of 2018, as it may be amended from time to time, and any further final implementing regulations.
- “Company Data” means any data (including reports) either derived from Azira Platform by the Customer or curated and provided to the Customer by the Company as part of the Services including but not limited to (i) aggregated dataset created and customized from the Azira Platform and based upon the Company’s analysis of the Customer Data; or (ii) Pseudonymised Data.
- “Compass” means the Company’s measurement product, and part of the Company’s marketing intelligence solution.
- “Customer Data” means any data provided by Customer in connection with the provision of Services, including any data received by or on behalf of Customer from websites, mobile sites, mobile applications, or other digital media owned and/or operated by Customer, its affiliates, customers or other partners, wherein reference to ‘Customer’ includes, without limitation, its Users, but excluding all Company Data.
- “Data Protection Laws” means, as applicable, the EU GDPR, the UK GDPR, the European e-Privacy Directive (Directive 2002/58/EC) and all national implementations (including but not limited to the Privacy and Electronic Communications (EC Directive) Regulations 2003), Applicable State Privacy Laws, and any other data protection and privacy laws applicable to any Personal Data processed under the Agreement, each as amended or replaced from time to time.
- “Data Subject Request” means a request from or on behalf of a data subject to exercise any rights in relation to their Personal Data under Data Protection Laws.
- “Derivative Data” shall mean all works and output created by the Customer through its usage of the Company Data for the applicable Permitted Purpose and which does not contain any Company Data in its raw and unmodified form.
- “EEA” means the European Economic Area.
- “Engage” means the Company’s in-house demand side or activation platform (DSP), and part of the Company’s marketing intelligence solution.
- “Enrichment” means the Company’s service which appends Company Data to Customer Data.
- “Enquiry” means a complaint or request in relation to either party’s obligations under Data Protection Laws relevant to the Agreement, including but not limited to any compensation claim from a data subject or any notice, investigation or other action from a supervisory authority.
- “EU GDPR” means the EU’s Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
- “EU SCCs” means the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission’s Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) incorporating Module One for controller to controller transfers.
- “Fees” shall mean all fees payable by the Customer for the provision of Services in accordance with these T&Cs, and as specified in the applicable Service Order.
- “Industry Standards” means any of the following to which Customer is subject from time to time: (a) the IAB Transparency and Consent Framework; and (b) any applicable self-regulatory codes, rules or guidelines, including the rules, codes and guidelines of the European Interactive Digital Advertising Alliance, the Network Advertising Initiative.
- “Intellectual Property Rights” means patents, patentable rights, copyright, design rights, utility models, trade marks (whether or not any of the above are registered), trade names, rights in domain names, rights in inventions, rights in data, database rights, rights in know-how and trade secrets, and all other intellectual and industrial property and similar or analogous rights existing under the laws of any country and all pending applications for and right to apply for or register the same (present, future and contingent, and including all renewals, extensions, revivals and all accrued rights of action).
- “Marketing Material” means the creative, artwork, copy or active URLs of advertisement provided by the Customer to the Company or otherwise approved by the Customer for running it through the platform that interfaces with a publisher platform (i.e., mobile application on which Company has a right to serve advertisements including the Azira Platform) to enable the Company to serve advertisements (including by running Marketing Materials) on such publisher platform.
- “Azira Platform” means the Company’s proprietary operational intelligence and marketing intelligence solutions through which the Services are provided.
- “Permitted Purpose” has the meaning given to it in Section 4.1.
- “Personal Data” means any information processed in connection with the Services which relates to an identified or identifiable natural person or household (“data subject”); an “identifiable natural person” being one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” means a breach of security leading to the accidental or unauthorized destruction, loss, alteration, disclosure of, or access to, Personal Data processed in connection with the Agreement.
- “Pinnacle” means the Company’s operational intelligence solution.
- “Company Privacy Policy” means Company’s privacy policy available at: https://dev.azira.com/privacy-policy/.
- “Pseudonymised Data” means such pseudonymised data forming part of the Company Data, which includes identifiers (such as unique mobile advertising identifiers, cookie identifiers, location data such as latitude and longitude coordinates) such that the data no longer relates to an identified or identifiable household or living individual.
- “Restricted Transfer” means an EU Transfer and/or UK Transfer (as those terms are defined in Sections 9.9 and 9.10 of these T&Cs).
- “Sensitive Personal Data” means Personal Data revealing a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, financial information, sex life or sexual preferences, medical or health information (including any such information protected under any health data protection laws), genetic or biometric data (for purposes of uniquely identifying an individual), personal information of children protected under any child protection laws (including the personal information defined under the US Children’s Online Privacy Protection Act (“COPPA”)), criminal conviction or offence data and any additional types of information included within this term or any similar term (such as “sensitive personal information” or “special categories of personal data”) as used in applicable Data Protection Laws.
- “Services” shall mean the Company’s provision of access to the Azira Platform, the Company Data (either via the Azira Platform or as downloaded by the Customer from the Azira Platform or shared with the Customer directly by the Company, as applicable) to be used as set out in this Agreement, and Allspark, Compass, Engage, Enrichment, Pinnacle, or any combination thereof, or any other solutions or products specified as being purchased by the Customer in the applicable Service Order.
- “Term” shall mean the term of this Agreement as specified in the respective Service Order.
- “UK” means the United Kingdom.
- “UK Approved Addendum” means the template Addendum B.1.0 and the accompanying mandatory clauses as issued by the UK’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force on 21 March 2022.
- “UK GDPR” means the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018.
- “User” means any individual who uses the Services on Customer’s behalf or through Customer’s login accounts or passwords, whether authorized or not.
- “controller”, “processor”, “process”, “processing”, “supervisory authority” and “data subject” shall have the meaning as set out in the Data Protection Laws.
2. PAYMENT TERMS
- Fees. Customer shall pay the Company all Fees as set out in the Service Order. The Customer agrees that all invoices will only be delivered electronically to Customer at the email address specified in the Service Order. All payments must be made free and clear of any set-off or credits within 30 days of receipt of the applicable invoice in accordance with this Section 2.1. In the event of any dispute as to the amount of an invoice, the Customer shall pay the amount in full pending the resolution of any dispute and the Company shall make any adjustment due immediately upon such resolution. Late payments bear interest at the rate of 12% per annum (or the highest rate permitted by law, if less). All amounts payable hereunder are exclusive of any sales, use, other taxes or duties or other deductions and withholdings, however designated, for which Customer is solely responsible. Any Fees that are unpaid as of the date of termination or expiration of the Agreement will be immediately due and payable.
- Fee Review. The Fees in respect of Service Orders with a Term longer than 12 months are subject to review and increase by the Company on every anniversary of the effective date of the Service Order, until the termination or expiry of the Agreement.
- Taxes. The Fees payable under the Service Order must be paid to the Company without deduction and are net of any applicable tax, tariff, duty, or assessment imposed by any governmental authority (national, state, provincial, or local), including without limitation any goods and services, sales, use, excise, ad valorem, property, withholding, or value added tax withheld at the source. Customer will be solely responsible for paying all applicable taxes which may be levied or assessed in connection with the Services. If applicable law requires withholding or deduction of such taxes or duties, Customer will separately pay Company the withheld or deducted amount. However, this Section does not apply to taxes based on Company’s net income.
3. INTELLECTUAL PROPERTY RIGHTS
- Ownership. Company and/or its licensors (as applicable) retain all right, title, and interest in and to the Company’s brands, trade marks and logos, in each of the Allspark, Compass, Engage, Enrichment, Pinnacle services, the Services, including associated methods, processes, designs, analyses, materials and information used in connection with the Services, and all Intellectual Property Rights thereto. Except for the licenses described herein, nothing herein shall be construed to assign or transfer any Intellectual Property Rights of one party to the other. Customer shall (a) not remove notices and notations on Company Data that refer to copyrights, trademark rights, patent rights and other intellectual property rights, (b) promptly bring to the attention of the Company any improper or wrongful use of any of the Company’s Intellectual Property Rights which comes to the Customer’s notice, and provide all assistance as may be reasonably requested by the Company in defending its Intellectual Property Rights. As between Company and Customer, Customer owns (or where applicable, must ensure it has a valid license to) the Customer Data and the Derivative Data.
- Feedback. All suggestions or contributions for improving or otherwise modifying any of Company’s products or services (“Feedback”) provided by Customer will be owned by Company, and Customer assigns all rights in such Feedback to the Company. Nothing in the Agreement will restrict Company’s right to use, profit from, disclose, publish, keep secret, or otherwise exploit the Feedback, without compensating or crediting Customer or the User in question. Notwithstanding anything to the contrary, Feedback will not be considered as Confidential Information.
- Trademarks. Customer authorizes the Company to use its trade name, trademark and logo for the purpose of listing Customer in its general list of customers. Additionally, Customer permits Company to bring out press releases, create case studies on anonymized basis and will be open to provide quotes from time to time solely for Company’s marketing purposes, provided Company obtains Customer’s prior written approval specific to such quotes, which approval shall not be unreasonably withheld or delayed. Company will comply with Customer’s guidelines regarding use of Customer’s trademarks.
4. GRANT OF LICENCE AND SCOPE OF USE
- Subject to full payment of the Fees and subject to the other provisions of this Agreement, the Customer is granted a fixed-term, non-transferable, non-exclusive, revocable, and non-sublicensable licence, for the Term, to access and use the Services for the applicable Permitted Purpose and as set out in this Agreement. The Customer and its Users may for the duration of the Term, use each Service as detailed below, except for where otherwise specified within the applicable Service Order:
- Allspark Services, where the Service Order specifies that device ID data (“MAID”) exports are not included, may only be used for the Customer’s own advertising and/or marketing purposes by running specific advertisement campaigns by the Customer in connection with which the Company Data has been provided to the Customer and for analysing the efficacy of that specific advertising campaign in the marketing channel identified in the Service Order;
- Compass Services may be used for analysing the efficacy of specific advertising campaigns;
- Engage Services may be used for advertising/ marketing purposes only;
- Enrichment Services may be used for: (i) Customer’s internal operational purposes; (ii) analyses that Customer may provide to its third party clients; and
- Pinnacle Services may be used for extraction of information from the Company Data for: (i) analyses that Customer may provide to its third party clients, (ii) creating reports, statements or other work output by combining the Company Data with the Customer’s own or any third party data; (iii) drawing conclusions or making business decisions; and (iv) conducting market research.
each, a “Permitted Purpose”.
- Subject to full payment of the Fees and subject to the other provisions of this Agreement, the Customer is granted a fixed-term, non-transferable, non-exclusive, revocable, and non-sublicensable licence, for the Term, to access and use the Company Data for the applicable Permitted Purpose (of the Service pursuant to which such Company Data is made available to the Customer) and as set out in this Agreement. The Customer and its Users may for the duration of the Term
- access, view, combine or aggregate the Company Data (wholly or in part) with other data or information or to adapt the Company Data (wholly or in part), and create Derivative Data;
- store the Company Data on the Customer systems; and
- make the Company Data accessible (including the provision of access through a database or other application populated with the Company Data, reselling, sub-licensing, transferring or disclosing the Company Data) by any means, including any electronic means) to third parties as set out in the applicable Permitted Purpose only,
provided that in no circumstance shall the Customer, share, resell, or permit or enable any third party to have access to any Company Data in its raw form (i.e., as-is).
- Customer must not retain or permit any third-party to retain any Company Data for longer than the period during which Customer has a legitimate need to retain the Company Data for the applicable Permitted Purposes.
- Upon the earlier of, the completion of the applicable Permitted Purposes or expiry/termination of the Agreement, the Customer must: (i) cease all processing or storage of such Company Data; (ii) securely delete and destroy such Company Data, including any associated backup copies, whether stored or maintained by the Customer or any of its service providers or partners (including its Partners, where relevant); (iii) certify in writing that the Customer has deleted/destroyed or otherwise expunged/purged such Company Data; (iv) update, delete, destroy, segregate, truncate, encrypt, mask, transfer, and/or provide to any third party designated by the Company any Company Data stored or maintained by the Customer, as per Company’s specific instructions.
- Customer is not authorised to use any Services beyond those specifically granted in this Agreement. Without limiting the foregoing, Customer will not:
- resell, sublicense or otherwise commercially exploit or make available to any third party, the Azira Platform, including using the Azira Platform for service bureau or time-sharing purposes;
- share, publish, publicly display, or otherwise disclose or make available the Azira Platform to any third party;
- store, combine, comingle, or otherwise use the Azira Platform, or any element thereof, to develop, enhance, or structure any database, or use the Services for purposes of segmenting, re-targeting, creating or supplementing user profiles or inventory profiles, interest categories, audience segmentations, or syndication;
- copy, translate, decompile, reverse engineer or otherwise modify or make derivative works based upon any parts of the Services in order to build a competitive product or service;
- use the Services and Company Data in an illegal or unethical manner;
- create Internet “links” to the Services or “frame” or “mirror” the Services on any other server or wireless or Internet-based device or interfere with or disrupt Company’s systems used to host the Services;
- engage in web scraping or data scraping, including collection of information through any software that simulates human activity or any bot or web crawler; or
- circumvent the user authentication/login provided to the Customer.
- Without limiting the foregoing Section 4.5, in all cases, Customer will not use the Services for any of the following purposes:
- employment eligibility,
- credit eligibility,
- health care eligibility,
- insurance eligibility, underwriting, or pricing,
- for correlation or generating Personal Data,
- to market or sell to law enforcement agencies, or
- any unlawful or prohibited purposes.
- Where the Customer is using Allspark and Engage Services, if Customer uses any third-party advertisement serving or measurement platform on its behalf (“Partner”), the Partner will receive Pseudonymised Data. Customer agrees that it will not, and will procure that each Partner will not, share any Pseudonymised Data received from Company with third parties and that the Customer’s use of such Pseudonymised Data will be solely as permitted herein, and without limitation, the Customer will not use, transmit, combine, merge, sync, link, or analyse Pseudonymised Data with other Personal Data or make any other attempt to re-identify the individuals.
- Customer must use the Services in a manner that is consistent with Customer’s privacy policy and compliant with all applicable laws, regulations and self-regulatory guidelines (including but not limited to the NAI’s Self-Regulatory Principles).
- Subject to the terms of the Service Order, Customer may use each Service and access, store and otherwise process the Company Data for the applicable Permitted Purpose only, provided always that no more than the number of Users set out in the Service Order may access and use the Service and the Company Data for such Permitted Purpose. The Customer acknowledges and agrees that any use of any Service and/or Customer Data beyond the applicable Permitted Purposes will be considered a material breach of these T&Cs.
- Company may without liability, terminate this Agreement upon notice to the Customer, or suspend Customer’s access to the Services without advance notice, if the Company, in its sole discretion, determines any breach of this Section 4. Company’s right to suspend the Services is in addition to other remedies that Company may have. Customer must notify Company immediately of any known or suspected unauthorized use of the Services or breach of its security and will use best efforts to stop the said breach.
- Customer grants Company and its affiliates free of charge, a non-exclusive, worldwide, royalty-free, irrevocable, perpetual license to use, copy, modify, transmit, sub-license, index, store, validate, integrate, aggregate, sort, analyse and display Customer Data: (i) to the extent necessary for the provision of Services as Company may determine (including creating derivative works from the Customer Data, developing, modifying, improving, supporting, customizing, optimising and operating the Services) or enforcing its rights under the Agreement; or (ii) where required or authorized by law. Customer represents and warrants that it has all rights to grant such license to Company without infringement or violation of any third-party rights.
- Company may use, copy, transmit, index, model, aggregate (including with other customers’ data) Customer Data for the purpose of (i) developing, improving or customizing the Services, and (ii) publishing, displaying and distributing any anonymous information (i.e., information where neither Customer nor its Users are capable of being identified) derived from Customer Data.
- In the event the Customer is granted a temporary, fixed-term, limited, non-exclusive, revocable, non-sublicensable, non-transferable license to access and use the Azira Platform and Company Data for the Customer’s sole purpose of internal evaluation in a test environment, such license is provided on an “as-is” basis without any representations and warranties from the Company. The Customer agrees and understands that it is not authorized to distribute, commercialize, or otherwise use any part of the Company Data provided under this Section.
5. CONFIDENTIALITY
- “Confidential Information” includes (but is not limited to) the following items that either party (“Disclosing Party”) discloses to the other party (“Receiving Party”): (a) any document that the Disclosing Party marks as “Confidential”; (b) any information that the Disclosing Party orally designates as “Confidential” at the time of disclosure, provided the Disclosing Party confirms such designation in writing within fifteen (15) business days; (c) the Company Data and Customer Data, whether or not marked or designated as confidential; and (d) any other non-public, sensitive information that the Receiving Party should reasonably consider a trade secret or otherwise confidential. Notwithstanding the foregoing, Confidential Information does not include information that: (i) is lawfully in the Receiving Party’s possession at the time of disclosure in circumstances in which the Receiving Party is not prevented from disclosing it to others; (ii) is independently developed by the Receiving Party without use of or reference to Confidential Information; (iii) becomes known publicly, before or after disclosure, other than as a result of improper action or inaction; (iv) has been disclosed to the Receiving Party by a third party who, to the Receiving Party’s knowledge, has the right to disclose such information without restriction; or (v) is approved for release in writing by the Disclosing Party. Customer is on notice that the Confidential Information may include Company’s valuable trade secrets. For the purpose of this Section 5, a reference to a “party” means such party and its affiliates.
- The Receiving Party will treat Confidential Information with the same care as it exercises in respect of its own information, which shall not be less than ‘reasonable care’ and disclose only on a need-to-know basis or as permitted under the Agreement. The Receiving Party will only use Confidential Information for the purposes of performing its obligations or as permitted under the Agreement. However, the Receiving Party may disclose Confidential Information: (a) if approved by the other party in writing; (b) if required by law or regulation; (c) in the event of dispute between the parties, as necessary to establish the rights of either party; or (d) as necessary to provide the Services to the Customer. In the case of (b) and (c), the Receiving Party will, to the extent lawful to do so, provide reasonable advance notice to the Disclosing Party and provide reasonable assistance to limit the scope of the disclosure unless prohibited by law or regulation. The Receiving Party is responsible for ensuring that its representatives and affiliates fully comply with the obligations of the Receiving Party under this Section. Upon termination of the Agreement, Disclosing Party shall return all copies of Confidential Information to the Receiving Party or certify, in writing, the destruction thereof. Customer shall return all Confidential Information of the Company within ten (10) days of termination or expiry of the Service Order.
- Notwithstanding the foregoing, Company Data and the terms and pricing in the Service Order are considered Confidential Information of the Company and Customer must use the same care and protection it affords to its own Confidential Information (but not less than reasonable care). Customer will be responsible for any breach of confidentiality by its employees, consultants, agents and representatives. Customer must keep the Company Data distinct and separate from all other data and information retained by the Customer. Customer agrees to maintain reasonable and appropriate technical and organizational measures to protect the Company Data from unauthorized access, misuse, or disclosure.
6. WARRANTIES
- Company’s Warranties. Company represents and warrants that it is the owner of the Azira Platform and the components thereof, or the recipient of a valid license thereto, and that it maintains the full power and authority to grant the rights to use the Services. Company’s representations and warranties in the preceding sentence do not apply to the extent any infringement arises out of any of the conditions listed in Sub-sections 7.2(a) through 7.2(d) below. In the event of a breach of the warranty in this Section 6.1, Company shall, within a reasonable time period and at its own expense: (i) secure for Customer the right to continue using the Azira Platform; (ii) modify the Services to make them non-infringing, or provide a reasonable solution that is not materially detrimental to the Customer; or (iii) terminate the infringing features of the Services, and refund to Customer any prepaid Fees for such features, in proportion to the portion of the Term left after such termination, in which case Customer shall cease all use of the affected Services and erase any copies of Company Data in relation thereto. In conjunction with Customer’s right to terminate for breach, where applicable, the preceding sentence states Company’s sole obligation and liability, and Customer’s sole and exclusive remedy, for breach of the warranty in this Section 6.1 and for potential or actual intellectual property infringement by the Azira Platform.
- Customer’s Warranties. Customer represents and warrants that: (i) it has the full right and authority to enter into, execute, and perform its obligations under the Agreement; (ii) it is an entity authorized to do business pursuant to applicable law; (iii) it has the right, power and authority to provide Customer Data and Marketing Material to the Company as envisaged by this Agreement; (iv) the Customer Data and Marketing Material are complete, accurate, in the agreed format, and will not infringe or misappropriate the Intellectual Property Rights of any third party, breach any duty towards or rights of any third party, including rights of publicity or privacy; (v) the Marketing Materials are not false, deceptive, misleading, obscene, defamatory, illegal (including without limitation, in violation of applicable advertising laws and other applicable laws, rules and regulations), harmful, threatening, abusive, obscene, hateful, libellous, invasive of any individual’s privacy rights, unethical or racially or politically objectionable; (vi) the Marketing Materials will be in accordance with the then existing advertising guidelines of the Company; (vii) Customer shall accurately identify each User and shall not provide any inaccurate information about a User to Company; (viii) the performance of its obligations under these T&Cs will not cause Company to infringe the rights of any third party (including privacy rights of individuals); and (ix) it will comply with all laws, rules and regulations applicable to its use of the Services.
- IMPLIED WARRANTIES. THE CUSTOMER AGREES THAT IT IS SOLELY RESPONSIBLE FOR ITS SELECTION OF THE SERVICE AND FOR ALL USE IT MAKES OF THEM, AND ALL RELIANCE IT CHOOSES TO PLACE ON THE SERVICES AND ANY COMPANY DATA. EXCEPT FOR THE EXPRESS WARRANTIES IN THE AGREEMENT, CUSTOMER ACCEPTS THAT THE SERVICES ARE PROVIDED ON AN “AS-IS” AND AS AVAILABLE BASIS, WITH NO REPRESENTATION OR WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, ACCURACY, COMPLETENESS, CURRENCY, CORRECTNESS, RELIABILITY, INTEGRITY, USEFULNESS, QUALITY, NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, ACCURACY OR ANY IMPLIED WARRANTY ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. CUSTOMER ACKNOWLEDGES THAT (A) NEITHER COMPANY, ITS AFFILIATES NOR ITS THIRD-PARTY PROVIDERS CONTROLS CUSTOMER EQUIPMENT OR THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES (INCLUDING THE INTERNET); (B) THE SERVICES MAY BE SUBJECT TO LIMITATIONS, INTERRUPTIONS, DELAYS, CANCELLATIONS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE COMMUNICATIONS FACILITIES; AND (C) IT IS FULLY RESPONSIBLE TO INSTALL APPROPRIATE SECURITY UPDATES AND PATCHES. COMPANY, ITS AFFILIATES, AND ITS THIRD-PARTY PROVIDERS ARE NOT RESPONSIBLE FOR ANY INTERRUPTIONS, DELAYS, CANCELLATIONS, DELIVERY FAILURES, DATA LOSS, CONTENT CORRUPTION, PACKET LOSS, OR OTHER DAMAGE RESULTING FROM THESE PROBLEMS. COMPANY IS NOT RESPONSIBLE FOR ANY COMPUTER VIRUSES, WORMS, SOFTWARE BOMBS, BUGS OR SIMILAR ITEMS THAT AFFECT THE CUSTOMER’S COMPUTERS, COMPUTER SYSTEMS, SOFTWARE, INFRASTRUCTURE OR DATA AS A RESULT OF THE CUSTOMER’S ACCESS TO OR USE OF SERVICES. THERE MAY BE PERIODS WHEN THE SERVICES ARE UNAVAILABLE AND CANNOT BE ACCESSED AND COMPANY ACCEPTS NO LIABILITY FOR ANY LOSS OR DAMAGE THAT CUSTOMER MAY SUFFER OR INCUR AS A RESULT OF SUCH UNAVAILABILITY AT ANY TIME.
- Company Data. Company Data is based upon data which is provided by third parties, the accuracy and/or completeness of which is not guaranteed by the Company. Services involve models and techniques based on aggregate statistical analysis, probability and predictive behaviour. Company is therefore not able to accept any liability for any inaccuracy, incompleteness or other error in the Services and any failure of Company Data to achieve any particular result for the Customer. While Company strives to provide reliable information, the Company Data may become stale and less dependable for a number of reasons, including, but not limited to, changes over time, market conditions and/or technological changes. Except where expressly provided in the Service Order, Company undertakes no obligation to update the Company Data and may discontinue offering Company Data. If Company provides support or updates for the Company Data under a Service Order, such updates shall be included in the definition of “Company Data” for purposes of the Agreement.
7. INDEMNITIES
- Customer’s Indemnities. Customer will indemnify, defend and hold Company, its parent, subsidiaries, affiliates, shareholders, licensors, customers, officers, and employees harmless, including costs, expenses and attorneys’ fees and other legal costs, from any and all losses, damages, penalties and/ or fines liability imposed by judicial or regulatory authorities, claim or demand made by any third party due to or arising out of: (a) Company’s receipt, use or possession of Customer Data or Marketing Materials; (b) any violation of the Agreement by Customer including without limitation breach of representations and warranties and/or obligations related to confidentiality and Customer Data; (c) infringement of any third party intellectual property rights or other right of any person or entity by the Customer; (d) wilful misconduct or gross negligence by the Customer; (e) fraudulent or unlawful act of the Customer; and (f) the Customer Data, Marketing Materials, or the Customer’s use of the Services not complying with all applicable laws, rules and regulations, including applicable data privacy laws, or causing an infringement of any third party intellectual property rights or other right of any person or entity. Additionally, Customer will be responsible for the retention and payment of attorneys and court costs, as well as settlement and payment of judgments and its own cost and expense. Company will have the right, not to be exercised unreasonably, to reject any settlement or compromise that requires that it admit wrongdoing or liability or subjects it to any ongoing affirmative obligations. Customer must not settle or compromise any such claim, subject to an indemnity under this Section, without Company’s prior written consent. Customer acknowledges and agrees that it is responsible and liable for: (a) all of its Users’ use of the Services; and (b) any use of the Services through the Customer’s account, whether authorized or unauthorized.
- Company’s Indemnities. Company will defend, at its expense, any third-party claim, suit, or proceeding against Customer made during the Term to the extent such claim alleges that: (i) the Azira Platform directly infringes the third-party’s patent, copyright, or trademark; or (ii) Company has misappropriated the third-party’s trade secret (“Infringement Claim”). Company will pay any damages finally awarded by a court of competent jurisdiction (or settlement amounts agreed to in writing by Company). Company’s obligations set forth in this Section do not apply to the extent that the Infringement Claim arises out of: (a) Customer’s breach of the Agreement; or (b) modifications to the Services made without Company’s written consent; or (c) the Customer Data; or (d) third-party products, services, hardware, software, or other materials, or combination of these with the Services, if the Services would not be infringing without this combination. In the event of an Infringement Claim, Company may exercise the remedies in Sub-sections 6.1(i) through 6.1(iii) above, including without limitation its right therein to terminate the Service Order and require erasure of the Company Data. Company will have no liability for any Infringement Claim under this Section that arises from the Customer’s failure to: (i) notify Company in writing of the Infringement Claim promptly upon the earlier of learning of or receiving a notice of it, to the extent that Company is prejudiced by this failure; (ii) provide Company with reasonable assistance requested by Company for the defense or settlement (as applicable) of the Infringement Claim; (iii) provide Company with the exclusive right to control and the authority to settle the Infringement Claim; or (iv) refrain from making admissions or statements about the Infringement Claim without Company’s prior written consent. 
The remedies in this Section are the Customer’s sole and exclusive remedy and Company’s sole liability regarding the subject matter giving rise to the Infringement Claim.
8. LIMITATION OF LIABILITY
- Under no circumstances shall Company be liable for any (a) indirect, incidental, special, consequential or punitive damages (even if it has been advised of the possibility of such damages), arising from or related to the Agreement, (b) loss of revenue or profits or lost business, (c) loss of or damage to reputation or goodwill, (d) loss of any software or data, or (e) use of the Services in a manner which is not consistent with terms of this Agreement.
- Company’s cumulative liability for all losses, claims, action, demands, and expenses arising out of or related to the Agreement in any 12 month period will not exceed the greater of (a) the Fees paid by the Customer to the Company, under the Service Order, during that twelve (12) months period, or (b) US$ 20,000 (United States Dollars Twenty Thousand), notwithstanding the failure of essential purpose of any remedy.
- The liabilities limited by this Section 8 apply regardless of the form of action, whether in contract, tort, negligence, strict product liability, breach of statutory duty or otherwise, even if Company is advised in advance of the possibility of the damages in question and even if such damages were foreseeable; and Customer’s remedies fail their essential purpose. If applicable law limits the application of this Section 8, Company’s liability will be limited to the maximum extent permissible. For the avoidance of doubt, Company’s liability limits and other rights set forth in this Section 8 apply likewise to Company’s affiliates, licensors, suppliers, agents, directors, officers, employees, consultants, and other representatives.
- Nothing in this Agreement limits or excludes either party’s liability for anything which may not lawfully be excluded or limited.
9. DATA PRIVACY
- The parties agree that both Company and Customer act as independent controllers when processing Personal Data. Customer will comply with applicable Data Protection Laws in respect of performance and/or exercise of rights under the Agreement and only process Personal Data in accordance with the Permitted Purposes. Customer shall notify Company no later than five (5) business days following any determination by Customer that it or its subcontractor(s) cannot meet its or their obligations under applicable Data Protection Laws.
- Each of Company and Customer shall notify each other of an individual within its organization authorized to respond from time to time to enquiries regarding Personal Data and each of Company and Customer shall deal with such enquiries within a reasonable time.
- Customer will not collect, transmit, process, store or make available any Sensitive Personal Data through its use of the Services. Customer will not transmit, disclose, or make available any Sensitive Personal Data to Company or its affiliates or third-party partners.
- Customer will ensure that, at all times in compliance with Data Protection Laws, it shall: (a) only input lawfully collected Personal Data into the Azira Platform; (b) conspicuously display (and comply with) a privacy policy that complies with applicable Data Protection Law and discloses the Customer’s privacy practices in relation to the collection, use and sharing of Personal Data; (c) ensure that such privacy policy provides sufficiently clear, meaningful and prominent notice to relevant data subjects; (d) where required by applicable Data Protection Laws and/or Industry Standards (i) obtain consent from relevant data subjects to the processing of their Personal Data by Company and its affiliates for the purposes of the Services and/or (as appropriate) the use of cookies and other technologies used in connection with the Services to store or access information stored on data subjects’ devices (ii) provide relevant data subjects with persistent and easy to use opt-out mechanisms for processing Personal Data and legally sufficient consumer choices (including, where applicable, to disallow interest-based advertising or further sale of Personal Data); and (e) in respect of Customer Data provided for Allspark and/or Enrichment, always obtain opt-in consent as per applicable Data Protection Laws, from the relevant data subjects whose Personal Data is provided to Company with consent prompts including information identifying (i) the purposes for which Personal Data can be used by Customer (including sharing such Personal Data with Company) (ii) Company’s processing of such Personal Data for the provision of the Services (including data enrichment activity), which includes, but is not limited to, identifying the behaviour of such data subjects and profiling them based on their physical/digital world behaviour to create an enriched dataset from such Personal Data (“Enriched Data”) and sharing of such Enriched Data with Customer.
- Customer will, within 5 days of Company’s request, provide Company with copies of screenshots of its proposed data subject consent flow, opt-out process and the privacy policy which relate(s) to the processing of Personal Data, and a brief written explanation of how it proposes to achieve required consents and transparency in accordance with applicable Data Protection Laws. The parties will discuss in good faith within a reasonable time any comments or concerns Company may have in this regard. If Company reasonably believes at any time that Customer’s notification or consent wording or mechanism, opt-out process, privacy policy or related documentation does not allow Company to process Personal Data and/or use cookies or other technologies in accordance with Industry Standards and Data Protection Laws, Company may notify Customer of its concerns and/or provide a reasonable alternative method. The parties will discuss subsequent amendments to this Agreement prompted by Data Protection Laws and/or Industry Standards in good faith.
- Each party may respond directly to Data Subject Requests addressed to it relating to its processing of Personal Data as a controller. At the request of a party receiving a Data Subject Request, the other party shall provide any cooperation reasonably requested to enable the other party’s compliance with such request.
- Customer will notify Company if it receives any Enquiry in relation to Personal Data in respect of which Company is responsible, in whole or in part, for the processing of such Personal Data under Data Protection Laws or relevant Industry Standards. Customer will provide Company with reasonable cooperation and assistance to allow Company to assess and respond to such Enquiry.
- Each party will implement appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data in connection with the Services as set out in Annex II, Schedule 1 of the T&Cs.
- If Customer becomes aware of any Personal Data Breach involving Personal Data processed in connection with the Services, it will promptly notify Company of the Personal Data Breach and, if requested, provide reasonable cooperation to Company to take measures to record, report and address the Personal Data Breach in accordance with Customer’s obligations under Data Protection Laws.
- To the extent Personal Data is transferred to Company outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by EU GDPR in the absence of a transfer mechanism (“EU Transfer”), the parties agree that the EU SCCs are incorporated by reference into this Agreement and will apply in respect of that processing as follows:
- the information required in relation to the list of parties, the description of transfer and the competent supervisory authority is set out in Annex I, Schedule 1 of the T&Cs and the technical and organizational measures are set out in Annex II, Schedule 1 of the T&Cs;
- clause 7 (Docking Clause) shall be deemed as included;
- in relation to clause 11 (Redress), the optional clause shall not apply;
- in relation to clause 17 (Governing law), the parties agree that this shall be the law of Ireland;
- in relation to clause 18 (Choice of forum and jurisdiction), the parties agree that this shall be the courts of Ireland;
- the parties’ signatures in the applicable Service Order shall be construed as the parties’ signature to the EU SCCs.
- To the extent Personal Data is transferred to Company outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by UK GDPR in the absence of a transfer mechanism (“UK Transfer”), the parties agree that the EU SCCs and the UK Approved Addendum are incorporated into this Agreement and will apply in respect of that processing as follows:
- the information required for Table 1 is contained in Annex I, Schedule 1 of the T&Cs and the start date shall be deemed the same date as the EU SCCs;
- in relation to Table 2, the version of the EU SCCs to which the UK Approved Addendum is Module 1 for controller to controller transfers;
- in relation to Table 3, the list of parties and description of the transfer is set out in Annex I, Schedule 1 of the T&Cs and the technical and organizational measures are set out in Annex II, Schedule 1 of the T&Cs; and
- in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Approved Addendum’s mandatory clauses.
- In the event that another data transfer mechanism other than the EU SCCs and/or UK Approved Addendum (as applicable) is available in respect of any Restricted Transfer in accordance with Data Protection Laws, including any further alternative standard contractual clauses approved from time to time, the parties will, on the request of either party, work in good faith to determine if such data transfer mechanism is sufficient in respect of any or all Restricted Transfer(s) and, if the parties agree that it is sufficient, the parties will discuss subsequent amendments to this Agreement in good faith.
- Customer shall make available to Company such information in Customer’s possession or control as may be necessary to demonstrate compliance with its obligations relating to Personal Data under this Agreement or in order for Company to respond to an Enquiry. Company may require Customer to attest that it treats the Personal Data processed in the same manner that Company is obligated to treat such Personal Data under the applicable Data Protection Laws. Company may itself conduct, or commission a third party auditor to conduct, an audit of Customer’s data privacy practices. Audits will: (a) be on no less than fourteen days’ prior written notice to Customer; (b) be conducted during normal business hours; (c) not unreasonably interfere with Customer’s business activities; and (d) not take place more than once in any year except when agreed between the parties.
- Customer agrees and acknowledges that the Company does not require any Personal Data for the provision of Services. Customer will ensure that it reviews all Customer Data provided to Company and scrubs any Personal Data from the same before providing it to the Company. In the event the Customer determines that disclosure of Personal Data is crucial for the performance of Services, Customer will provide Company with a prior written notice of its intent to disclose Personal Data. Such data shall be disclosed upon Company’s written acceptance of such notice and subject to any documentation that the Company requires the Customer to execute, and the Customer must specify Company’s name in its privacy policy as one of the third-parties with whom Customer will be sharing Personal Data.
- Customer warrants that it will not use Company Data in combination with any third-party data (including other Personal Data) that may lead to identification or disclosure of the data subject(s)/individual(s).
- By using the Services, Customer acknowledges Company’s processing, use and disclosure of Customer Data in accordance with the Company’s Privacy Policy. The Company Privacy Policy applies only to the Azira Platform and does not apply to any third-party website or service linked to the Azira Platform or recommended or referred to through the Azira Platform.
10. TERMINATION
- Termination by Company. Company reserves the right to terminate this Agreement (i) anytime with or without cause; (ii) by giving fifteen (15) days’ notice if the Customer (a) is in breach of this Agreement and which breach is not cured within fifteen (15) days of receipt of a written notice from the Company or if such breach is incapable of remedy or (b) has repeatedly or persistently breached any terms of this Agreement.
- Termination by Customer. Customer may terminate this Agreement, if the Company is in material breach of its obligations hereunder, which breach is not cured within thirty (30) days of receipt of a written notice or which breach is incapable of remedy.
- Effect of Termination. Upon termination (for any reason) or expiry of the Service Order, (i) all payments due till the date of termination or expiry shall be immediately paid by Customer on or prior to the date of termination or expiry (as applicable); and (ii) all license rights granted herein shall terminate; and (iii) Customer shall cease all use of the Services and delete, destroy, or return all copies of the Company Data in its possession or control, and certify such deletion or destruction through an authorised officer of the Customer. Termination or expiration of the Service Order shall not affect any rights, obligations or liabilities, arising out of the Service Order, which have accrued before termination or expiry or which are intended to continue to have effect beyond termination or expiry.
- Survival. The termination or expiration of the Agreement will not affect any provisions of the Agreement which by their nature survive termination or expiration, including the provisions that deal with payment obligations, confidentiality, data security, term and termination, effect of termination, intellectual property rights, permitted use, license compliance, indemnities, limitation of liability, privacy, usage analytics and Section 12 (Miscellaneous).
11. COMPLIANCE AUDIT
- Customer will maintain accurate records of its use of the Services throughout the Term. In the event any third party authorised under applicable law asks Company for information or audits Company’s records in respect of Customer Data or Customer’s use of Company Data (“Third Party Request”), Customer will permit the applicable third party, the Company or an independent external auditor approved by Company or such third party to inspect and audit Customer’s records pertaining to the scope of such Third Party Request. The audit rights provided herein shall be valid for the Term and a period of two (2) years thereafter.
- Such audits shall be conducted at Company’s sole expense. All audits conducted under this Section will be subject to the following requirements: (i) Company shall provide at least two (2) business days’ notice to Customer before such audit, unless applicable law requires otherwise; and (ii) any such inspection and audit shall be conducted during regular business hours of Customer in such a manner as to not interfere with normal business activities of Customer. Customer will, at its own expense, promptly correct any non-compliance detected by such audit, but not exceeding (i) fifteen (15) days from the release of such audit results identifying such non-compliance; or (ii) the period as may be required under applicable law, whichever is lower. If any audit under this Section reveals any material breach of the Agreement by Customer (including a material underpayment of Fees, as determined by the Company), the Customer will reimburse Company for the reasonable costs of the audit.
12. MISCELLANEOUS
- Third Party Products. The Services may contain certain third-party products, services and/or data licensed to the Company (“Third-Party Products”). Such Third-Party Products may be available to the Customer in an embedded, integrated or linked form on the Services. The Agreement does not govern the use and access of such Third-Party Products and the same shall be governed by the terms and conditions specific to such Third-Party Products (“Third-Party Product Terms”). By way of using the Third-Party Products, or consenting to the Third-Party Product Terms, the Company will assume that the Customer has read, agreed, and accepted the Third-Party Product Terms. The Company will not be liable for the disputes arising out of or related to the Third-Party Product Terms or the breach of such Third-Party Product Terms by the third-party service providers.
- Insurance. Without prejudice to its obligations under these T&Cs, the Customer shall effect and maintain a commercial general liability insurance policy with a limit of USD five (5) million, with a reputable insurance company. Upon receipt of a written request from Company, the Customer shall submit a certificate to confirm that Customer maintains the required insurance policy.
- Force Majeure. Except for the Customer’s payment obligations under the Service Order, neither party will be responsible for any failure or delay in its performance under these T&Cs due to causes beyond its reasonable control, including, but not limited to, labour disputes, strikes, lock-outs, internet or telecommunications failures, shortages of or inability to obtain labour, energy, or supplies, war, terrorism, riot, acts of God or governmental action, acts by hackers or other malicious third parties and problems with the Internet generally, and such performance shall be excused to the extent that it is prevented or delayed by reason of any of the foregoing.
- Assignment. Customer shall not have the right to assign, transfer, resell or sublicense Customer’s rights or obligations hereunder. Any attempt to assign, transfer, resell or sub-license such rights or obligations without Company’s prior written approval will be null and void.
- Governing Law and Jurisdiction. If the Customer is registered in North America, these T&Cs will be governed by the laws of the State of California. If the Customer is registered outside of North America, these T&Cs will be governed by and construed in accordance with the laws of Singapore. The Company and the Customer agree that any claims, legal proceedings, or litigation arising in connection with these T&Cs, will be brought solely in the courts of Pasadena, California or Singapore based on the jurisdiction where the Customer is registered. If any provision herein is held to be unenforceable, the remaining provisions will remain in full force and effect. All rights and remedies hereunder are cumulative.
- Injunctive Relief. Actual or threatened breach of the Agreement (such as, without limitation, provisions on intellectual property (including ownership), license, privacy, data protection and confidentiality) may cause immediate, irreparable harm that is difficult to calculate and cannot be remedied by the payment of damages alone. Either party will be entitled to seek preliminary and permanent injunctive relief and other equitable relief for any such breach.
- Notices. Any notice required to be delivered hereunder will be deemed delivered: (a) upon delivery, if delivered by courier or by hand (against receipt); or (b) three (3) days after posting, if sent by electronic mail, fax, or certified or registered mail, return receipt requested. All notices to the Company and the Customer will be sent to the addresses set forth in the Service Order or to such other address as a party may designate by written notice to the other.
- Entire Agreement; Severability; No Waiver; Conflicts; Independent Contractors. This is the entire agreement between the parties relating to this subject matter and supersedes all other commitments, negotiations and understandings. If one or more of the provisions contained in these T&Cs is found by a court of competent jurisdiction to be invalid, illegal or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions will not be affected. The provisions will be revised only to the extent necessary to make them enforceable. The failure of either party to enforce its rights under the Agreement at any time for any period shall not be construed as a waiver of such rights. Nothing herein will constitute either party as the employer, employee, agent or representative of the other party, or both parties as joint venturers for any purpose. Except as provided herein, neither party will have the authority to obligate or bind the other in any manner.
SCHEDULE I
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: As set out in the Agreement.
Address: As set out in the Agreement.
Contact person’s name, position and contact details: As set out in the Agreement.
Activities relevant to the data transferred under these Clauses:
As set out in the Agreement.
Signature and date: signed and dated through execution of the Addendum.
Role (controller/processor): Controller
Data importer(s):
Name: AZIRA LLC/ AZIRA PTE. LTD., and their affiliates as set out in the applicable Service Order
Address: As set out in the Agreement.
Contact person’s name, position and contact details: As set out in the Agreement.
Activities relevant to the data transferred under these Clauses:
As set out in the Agreement.
Signature and date: signed and dated through execution of the Addendum.
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individuals who use mobile or electronic devices
Categories of personal data transferred
Device ID (IDFA or AAID (MAIDs)), hashed email address, home address, timestamp, latitude-longitude, IP address, country code, user agent string (mobile device information derived from UA string: device type, manufacturer, model, screen size, browser and version), ISP/Carrier, GPS source, App ID, App Name, Publisher ID, Publisher Name, Postal Code, OS, OS Version, Ad Height/Width, IAB Category, Keywords, GDPR Device (whether the device is in the EEA), Gender, Year of Birth, audience codes, HTTP referrer, HTTP cookies, language preference, census data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
As set out in the Agreement.
Nature of the processing
The collection, analysis, storage, duplication, deletion and disclosure as necessary in the provision of the services under the Agreement.
Purpose(s) of the data transfer and further processing
The provision of the services under the Agreement and Company’s use of such Personal Data for the provision of its own services to its customers.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement or until the processing is otherwise no longer necessary for the purposes for which it was shared between the Parties.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
N/A
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority shall be the UK or EU Supervisory Authority responsible for ensuring compliance by the data exporter.
ANNEX II
Technical and Organisational Measures including Technical and Organisational Measures to ensure the Security of the Data
- Information Security; Information Security Policies and Standards. Company shall maintain a corporate Information Security function that is responsible for managing its information security program. The Information Security function shall be responsible for:
- Performing periodic onsite security risk assessments of Company’s information processing facilities, systems, and applications.
- Advising Company’s executive management team about Company’s information security program, potential risks, and mitigation plans.
- Promulgating and maintaining reasonable and appropriate information security policies, procedures and standards that are designed to adequately provide for the confidentiality, integrity and availability of information including Personal Data processed by Company.
- Periodically reviewing and updating Company’s information security policies, procedures and standards to address new and emerging threats and changes to legal requirements and industry standards.
- Providing management direction and support for information security in accordance with business requirements and relevant laws and regulations.
- Personnel Security.
- Company shall take steps to educate and inform its employees, contractors, and other third-party users of its network, systems and applications about (i) information security threats and concerns; (ii) the requirements of the information security program; and (iii) their responsibilities and obligations with respect to the processing of Personal Data.
- Unless Company uses Company-provided computing equipment, application and network access to provide the Services, Company shall equip its employees with systems and applications and with appropriate tools and equipment that support the implementation of the information security program requirements in the course of their normal work.
- Company shall maintain procedures to terminate access to Personal Data when employees or contractors exit the organization or change roles.
- Asset management. Company shall maintain reasonable and appropriate controls that are designed to protect organizational assets that process data.
- Physical and environmental security. Company shall take reasonable and appropriate steps designed to prevent unauthorized physical access and damage to and interference with its premises, and the loss, damage, theft or compromise of assets and interruption to its activities related to the processing of Personal Data.
- Communications and operations management.
- Company shall implement processes designed to provide for the correct and secure operation of information processing facilities, including by use of appropriate firewall and encryption technologies; and, as far as possible, the logging and monitoring of all data transmissions.
- Company shall implement and maintain appropriate levels of information security and service delivery designed to facilitate compliance with relevant agreements.
- System Planning and Acceptance. Company shall maintain processes and procedures designed to minimize the risk of systems failures and maintain appropriate backup facilities as a control to support the integrity and availability of information and information processing facilities.
- Network security management.
- Company employs reasonable and appropriate controls to protect both the Personal Data in its networks, and the supporting network infrastructure.
- Company shall maintain protections (including anti-virus software) against malicious and mobile code.
- Media handling. Company shall maintain appropriate processes and procedures designed to prevent unauthorized disclosures, modifications, removals or destruction of assets, and interruptions to business activities. When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of the information stored on them before they are withdrawn from the inventory.
- Access Controls.
- Company shall maintain appropriate access control procedures to prevent unauthorized access to, or theft or loss of Personal Data from information systems, including networks, applications, and operating systems.
- Company shall implement access controls for networks, systems, and applications based on a “least privilege” basis.
- Company shall implement procedures to limit the ability to grant, modify or revoke user access to an information system to a limited set of authorized privileged users.
- Information systems acquisition, development and maintenance. Company shall incorporate privacy and information security as an integral part of information systems acquisition, development and maintenance, and shall develop appropriate policies, processes and procedures to prevent the erroneous processing of Personal Data and the loss, unauthorized modification or misuse of such data in applications.
- Cryptographic Controls. Company shall implement suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during its transmission or during the transport of the data media. Specifically, where it is feasible to do so, Company shall protect the confidentiality, authenticity or integrity of Personal Data at rest and in transit by use of cryptographic means.
- Technical Vulnerability Management. Company has bug-bounty and vulnerability management programs which reduce risks resulting from exploitation of technical vulnerabilities. Further, Company maintains an independent platform accessible to all that facilitates safe disclosures.
- Data Incident Management. Company shall maintain a consistent and effective approach to the management of Security Incidents, and shall take timely corrective action to address such incidents.
- Business Continuity Management. Company shall take appropriate measures designed to counteract interruptions to business activities and protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
- Information Systems Audit Considerations. Company shall conduct periodic audits of systems and processes involved in the processing of Personal Data.