Montague Law | Free Legal Form Template
10.1 Processor Assistance. The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities which the Controller reasonably considers to be required by Article 35 or Article 36 of the GDPR (or equivalent provisions under applicable Data Protection Laws), in each case solely in relation to Processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the Processing and the information available to the Processor.
10.2 Information to be Provided. The Processor’s assistance pursuant to Section 10.1 shall include, without limitation, providing to the Controller: (a) a description of the Processing operations to be carried out by the Processor; (b) information regarding the Technical and Organizational Measures implemented by the Processor; (c) an assessment of the risks to the rights and freedoms of Data Subjects arising from the Processing, as reasonably known to the Processor; (d) any measures envisaged by the Processor to address identified risks; and (e) such other information as may be reasonably requested by the Controller to enable the Controller to complete a Data Protection Impact Assessment.
10.3 Prior Consultation. Where the Controller determines, following the completion of a Data Protection Impact Assessment, that prior consultation with a Supervisory Authority is required pursuant to Article 36 of the GDPR (or equivalent provisions under applicable Data Protection Laws), the Processor shall cooperate with the Controller and the relevant Supervisory Authority in connection with such prior consultation and shall provide such additional information regarding the Processing as may be requested by the Supervisory Authority.
10.4 Costs. The Controller shall reimburse the Processor for the reasonable costs and expenses incurred by the Processor in providing assistance under this Section 10, to the extent that such assistance requires material effort beyond the Processor’s standard service offering, provided that the Processor has obtained the Controller’s prior written approval of such costs.
11.1 Term. This DPA shall become effective on the Effective Date and shall remain in force until the earlier of: (a) the termination or expiration of the Main Agreement; or (b) the date on which the Processor ceases all Processing of Personal Data on behalf of the Controller. The provisions of this DPA that by their nature are intended to survive termination or expiration, including, without limitation, Sections 4.7 (Deletion and Return of Personal Data), 4.8 (Audit Rights), 8 (Data Breach Notification), 12 (Liability and Indemnification), and 13 (Miscellaneous), shall survive termination or expiration of this DPA.
11.2 Effect of Termination on Personal Data. Upon termination or expiration of this DPA, the Processor shall, at the Controller’s written election and instruction, either: (a) return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, together with any copies thereof, within thirty (30) days following the effective date of termination; or (b) securely delete or destroy all Personal Data in the Processor’s possession or control, including all copies, backups, and archives, within sixty (60) days following the effective date of termination, using methods that render the Personal Data unrecoverable. If the Controller does not provide instructions within thirty (30) days following termination, the Processor shall securely delete or destroy all Personal Data in accordance with clause (b) of the preceding sentence.
11.3 Certification of Deletion. Following the completion of the return, deletion, or destruction of Personal Data pursuant to Section 11.2, the Processor shall provide written certification to the Controller, signed by an authorized officer of the Processor, confirming that all Personal Data has been returned, deleted, or destroyed in accordance with this DPA.
11.4 Retention Exception. Notwithstanding Sections 11.2 and 11.3, the Processor may retain Personal Data to the extent required by applicable law, provided that: (a) the Processor shall inform the Controller of such retention requirement, including the legal basis for and the period of such retention; (b) the Processor shall continue to comply with its obligations under this DPA with respect to any retained Personal Data; (c) the Processor shall limit Processing of such retained Personal Data to the purposes required by applicable law; and (d) the Processor shall securely delete or destroy such retained Personal Data promptly upon the expiration of the applicable retention period.
WHEREAS, [COMPANY NAME], a [STATE] corporation with its principal place of business at [ADDRESS] ("Provider"), is engaged in the business of providing cloud-based software-as-a-service solutions and related services;
WHEREAS, [CUSTOMER NAME], a [STATE] [entity type] with its principal place of business at [ADDRESS] ("Customer"), desires to obtain access to and use of the Service (as defined below) for its internal business operations;
WHEREAS, Provider desires to grant Customer a limited, non-exclusive right to access and use the Service, and Customer desires to obtain such access and use, in each case subject to the terms and conditions set forth in this SaaS Subscription Agreement (this "Agreement");
WHEREAS, the parties intend this Agreement to govern all aspects of Customer’s subscription to and use of the Service, including without limitation the rights and obligations of each party with respect to access, data, payment, confidentiality, intellectual property, and liability; and
WHEREAS, Provider and Customer each acknowledge that they have had the opportunity to review this Agreement and to negotiate the terms contained herein;
NOW, THEREFORE, in consideration of the mutual covenants, representations, warranties, and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
12.1 Allocation of Liability. Each Party shall be liable for its own acts and omissions in connection with its respective obligations under this DPA and applicable Data Protection Laws. The Processor shall be liable for damage caused by Processing only where it has not complied with obligations of applicable Data Protection Laws specifically directed to processors, or where it has acted outside of or contrary to the Controller’s lawful instructions.
12.2 Indemnification by the Processor. The Processor shall defend, indemnify, and hold harmless the Controller and its officers, directors, employees, agents, successors, and assigns from and against any and all claims, actions, demands, losses, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees and court costs) arising out of or relating to: (a) the Processor’s breach of this DPA or applicable Data Protection Laws; (b) any act or omission of a Sub-processor engaged by the Processor; (c) any Personal Data Breach caused by the Processor’s failure to comply with its obligations under this DPA; or (d) any fines, penalties, or sanctions imposed by a Supervisory Authority directly attributable to the Processor’s breach of this DPA or applicable Data Protection Laws.
12.3 Indemnification by the Controller. The Controller shall defend, indemnify, and hold harmless the Processor and its officers, directors, employees, agents, successors, and assigns from and against any and all claims, actions, demands, losses, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees and court costs) arising out of or relating to: (a) the Controller’s breach of this DPA or applicable Data Protection Laws; (b) the Controller’s unlawful or unauthorized instructions to the Processor; or (c) any claim that the Personal Data provided by the Controller to the Processor was collected or Processed by the Controller in violation of applicable Data Protection Laws.
12.4 Limitations on Liability. The aggregate liability of each Party under this DPA shall be subject to any limitations of liability set forth in the Main Agreement, provided that: (a) no limitation of liability shall apply to the extent prohibited by applicable Data Protection Laws; (b) the limitations of liability set forth in the Main Agreement shall not limit either Party’s liability for breaches of its obligations under applicable Data Protection Laws to the extent that such limitations would be inconsistent with applicable Data Protection Laws; and (c) nothing in this DPA shall be construed to limit a Data Subject’s rights against either Party under applicable Data Protection Laws.
12.5 Mitigation. Each Party shall take commercially reasonable steps to mitigate any damages for which the other Party may be liable under this DPA. Neither Party shall be liable for any indirect, incidental, consequential, special, punitive, or exemplary damages arising under or in connection with this DPA, except to the extent that such limitation is prohibited by applicable Data Protection Laws or to the extent that such damages are owed to a Data Subject.
13.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of [STATE], without regard to its conflicts of law principles, except to the extent that applicable Data Protection Laws require the application of the laws of another jurisdiction. Notwithstanding the foregoing, to the extent that the GDPR applies to the Processing of Personal Data under this DPA, issues of interpretation arising from the GDPR shall be resolved in accordance with the law of the European Union and the applicable Member State.
13.2 Dispute Resolution. Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Main Agreement, provided that Data Subjects who are beneficiaries of the Standard Contractual Clauses shall have the rights specified therein, including the right to lodge a complaint with a Supervisory Authority and to seek judicial remedies.
13.3 Amendments. This DPA may not be modified, amended, or supplemented except by a written instrument duly executed by authorized representatives of both Parties. Notwithstanding the foregoing, the Processor may update Annex 2 (Technical and Organizational Security Measures) from time to time in accordance with Section 7.7 of this DPA, provided that such updates do not materially decrease the overall level of security.
13.4 Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other provision of this DPA, and this DPA shall be construed as if such invalid, illegal, or unenforceable provision had never been contained herein. The Parties shall negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid, legal, and enforceable provision that achieves, to the greatest extent possible, the economic, business, and other purposes of the invalid, illegal, or unenforceable provision.
13.5 Order of Precedence. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail to the extent of such conflict or inconsistency with respect to the Processing of Personal Data. In the event of any conflict between this DPA and any Standard Contractual Clauses entered into between the Parties, the Standard Contractual Clauses shall prevail to the extent of such conflict.
13.6 Entire Agreement. This DPA, together with the Main Agreement, the Standard Contractual Clauses (where applicable), and the Annexes hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, representations, warranties, and understandings of the Parties, whether written or oral, relating to such subject matter.
13.7 Notices. All notices required or permitted to be given under this DPA shall be in writing and shall be deemed given: (a) when delivered personally; (b) when sent by confirmed electronic mail; (c) one (1) business day after being sent by nationally recognized overnight courier; or (d) three (3) business days after being mailed by registered or certified mail, return receipt requested, postage prepaid, to the addresses specified in the Main Agreement or such other address as may be designated by a Party in writing.
13.8 Assignment. Neither Party may assign or transfer this DPA, in whole or in part, without the prior written consent of the other Party, except that either Party may assign this DPA without consent in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by the terms of this DPA.
13.9 Waiver. No waiver of any provision of this DPA shall be effective unless made in writing and signed by the waiving Party. The failure of either Party to enforce any provision of this DPA shall not constitute a waiver of such provision or of the right to enforce it at a later time.
13.10 Counterparts. This DPA may be executed in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed to be original signatures for all purposes.
"Affiliate" means, with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with such party, where "control" means ownership of more than fifty percent (50%) of the voting securities or equivalent ownership interest of such entity.
"Authorized Users" means the individuals who are authorized by Customer to access and use the Service under the rights granted to Customer pursuant to this Agreement, subject to any limitations on the number of such users as set forth in the applicable Order Form.
"Confidential Information" means all non-public information disclosed by one party (the "Disclosing Party") to the other party (the "Receiving Party"), whether orally, in writing, or by any other means, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including without limitation technical data, trade secrets, business plans, financial information, customer lists, pricing information, product roadmaps, source code, algorithms, and the terms and conditions of this Agreement. Confidential Information shall not include information that: (a) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (c) is received from a third party without breach of any obligation owed to the Disclosing Party; or (d) was independently developed by the Receiving Party without reference to or use of the Disclosing Party’s Confidential Information.
"Customer Data" means all electronic data, information, content, records, and files that are uploaded, submitted, stored, transmitted, or otherwise provided by or on behalf of Customer or its Authorized Users to the Service or collected and processed by the Service on Customer’s behalf, excluding any Provider Technology.
"Documentation" means the user manuals, technical specifications, help files, API documentation, and other written or electronic materials made available by Provider to Customer that describe the features, functions, and operation of the Service, as updated by Provider from time to time.
"Effective Date" means [DATE], the date on which this Agreement is executed by both parties.
"Feedback" means any suggestions, enhancement requests, recommendations, corrections, or other feedback provided by Customer or its Authorized Users to Provider regarding the Service or any Provider Technology.
"Initial Term" has the meaning set forth in Section 4.1.
"Intellectual Property Rights" means all patent rights, copyrights, trademark rights, rights in trade secrets, database rights, moral rights, rights of publicity, and any other intellectual property rights (whether registered or unregistered) throughout the world, including all applications and registrations relating to any of the foregoing.
"Laws" means all applicable federal, state, provincial, municipal, local, and foreign laws, statutes, regulations, rules, codes, ordinances, orders, decrees, directives, and governmental requirements, including without limitation all applicable data protection and privacy laws and regulations.
"Losses" means any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the costs of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers.
"Order Form" means any ordering document, statement of work, or online registration form executed or completed by the parties that references this Agreement and specifies, among other things, the Service plan selected, the number of Authorized Users, the Subscription Fees, the Subscription Term, and any other terms applicable to Customer’s subscription.
"Permitted Use" means use of the Service by Authorized Users solely for Customer’s internal business operations in accordance with this Agreement, the Documentation, and any applicable Order Form, and not for the benefit of any third party other than Customer’s Affiliates as expressly authorized herein.
"Provider Technology" means the Service, the Documentation, and all technology, software, algorithms, user interfaces, trade secrets, techniques, designs, inventions, works of authorship, and other tangible and intangible materials and intellectual property made available or used by Provider in connection with the Service, together with all improvements, modifications, enhancements, derivative works, and updates thereto, regardless of whether such improvements, modifications, enhancements, derivative works, or updates are made by Provider, Customer, or any third party.
"Renewal Term" has the meaning set forth in Section 4.2.
"Service" means Provider’s proprietary cloud-based software-as-a-service platform and any related applications, tools, and functionality as described in the applicable Order Form and Documentation, including all updates, upgrades, new versions, and enhancements thereto made generally available by Provider during the Subscription Term.
"Service Level" means the performance standards and uptime commitments for the Service as set forth in Section 7 of this Agreement.
"Subscription Fees" means the fees payable by Customer for access to and use of the Service during the Subscription Term, as set forth in the applicable Order Form.
"Subscription Term" means, collectively, the Initial Term and any Renewal Term(s), as set forth in Section 4.
"Users" or "User" means the individual persons (whether employees, contractors, or agents of Customer or its Affiliates) who are registered to access and use the Service under Customer’s account, each of whom must qualify as an Authorized User.
13A.1 Annual Review. The parties shall conduct a review of this Agreement at least once per calendar year (or more frequently if required by changes in applicable Data Protection Laws) to assess whether the terms remain adequate in light of: (a) changes to applicable Data Protection Laws; (b) guidance or decisions issued by Supervisory Authorities; (c) changes to the nature, scope, or purpose of processing activities; (d) changes to the types of Personal Data processed or categories of Data Subjects; and (e) developments in data protection best practices and standards.
13A.2 Updates. If either party determines that amendments to this Agreement are necessary as a result of the annual review, the parties shall negotiate in good faith to agree upon appropriate amendments within sixty (60) days. If the parties cannot agree on necessary amendments, either party may terminate this Agreement upon ninety (90) days written notice.
13A.3 Records of Review. The parties shall maintain records of each annual review, including the date of review, participants, findings, and any agreed actions or amendments.
This Annex 1 forms part of the DPA and describes the details of the Processing of Personal Data by the Processor on behalf of the Controller.
Subject Matter of Processing: The Processing of Personal Data by the Processor is necessary for the Processor to provide the Services to the Controller pursuant to the Main Agreement. The subject matter of the Processing is the provision of [description of services] as further described in the Main Agreement.
Duration of Processing: The Processor will Process Personal Data for the duration of the Main Agreement, unless otherwise agreed in writing or required by applicable law. Personal Data shall be deleted or returned in accordance with Section 11 (Term and Termination) of the DPA upon termination or expiration of the Main Agreement.
Nature and Purpose of Processing: The Processor will Process Personal Data for the purpose of providing the Services under the Main Agreement, which may include, without limitation: (a) receiving, storing, and organizing Personal Data provided by or on behalf of the Controller; (b) processing, transforming, and analyzing Personal Data as necessary to deliver the Services; (c) transmitting, displaying, or making Personal Data available to the Controller and its authorized users; (d) creating backups and copies of Personal Data for disaster recovery and business continuity purposes; and (e) such other Processing activities as are reasonably necessary to perform the Services.
Types of Personal Data Processed: The following types of Personal Data may be Processed by the Processor in connection with the Services: (a) contact information, including names, email addresses, telephone numbers, mailing addresses, and job titles; (b) account and profile information, including usernames, user IDs, and account preferences; (c) transactional data, including records of transactions, orders, and interactions; (d) usage data, including log data, device information, IP addresses, browser type, and clickstream data; (e) communications data, including the content of messages, emails, and other communications; (f) financial data, including billing information and payment records (excluding full payment card numbers); and (g) such other categories of Personal Data as may be provided by the Controller to the Processor in connection with the Services from time to time.
Categories of Data Subjects: The Personal Data Processed under this DPA may relate to the following categories of Data Subjects: (a) the Controller’s employees, contractors, and other personnel; (b) the Controller’s customers and prospective customers; (c) the Controller’s vendors, suppliers, and business partners; (d) end users of the Controller’s products or services; and (e) such other categories of Data Subjects as may be identified by the Controller from time to time in connection with the Services.
Special Categories of Data: The Parties do not anticipate the Processing of special categories of Personal Data (as defined in Article 9 of the GDPR) or Personal Data relating to criminal convictions and offences (as defined in Article 10 of the GDPR) under this DPA. If the Controller intends to instruct the Processor to Process any such data, the Controller shall notify the Processor in advance and the Parties shall agree on any additional safeguards or measures required by applicable Data Protection Laws prior to the commencement of such Processing.
2.1 Grant of Access. Subject to and conditioned upon Customer’s compliance with the terms and conditions of this Agreement, including the timely payment of all Subscription Fees, Provider hereby grants to Customer a limited, non-exclusive, non-transferable (except as set forth in Section 16.4), non-sublicensable right to access and use the Service during the Subscription Term, solely for the Permitted Use, and solely in accordance with the terms and conditions set forth in this Agreement, the applicable Order Form, and the Documentation.
2.2 Authorized Users. Customer may permit its Authorized Users to access and use the Service, provided that the number of Authorized Users does not exceed the maximum number specified in the applicable Order Form. Customer shall ensure that each Authorized User is assigned a unique user identification and password, and Customer shall be responsible for maintaining the confidentiality of all user identification credentials. Customer shall not permit any Authorized User to share login credentials with any other individual, and Customer shall promptly notify Provider if Customer becomes aware of any unauthorized access to or use of the Service or any Authorized User’s account.
2.3 Customer Responsibilities. Customer is responsible for all activities that occur under its account and the accounts of its Authorized Users, regardless of whether such activities are authorized by Customer. Customer shall: (a) ensure that all Authorized Users comply with the terms and conditions of this Agreement; (b) use commercially reasonable efforts to prevent unauthorized access to or use of the Service; (c) promptly notify Provider of any unauthorized access or use of which Customer becomes aware; and (d) use the Service only in compliance with all applicable Laws. Any act or omission of an Authorized User that would constitute a breach of this Agreement if committed by Customer shall be deemed a breach by Customer.
2.4 Usage Limitations. Customer’s use of the Service shall be subject to any usage limitations specified in the applicable Order Form, including without limitation limitations on the number of Authorized Users, storage capacity, bandwidth, API call volumes, transaction volumes, and any other quantitative or qualitative restrictions. If Customer exceeds any usage limitation, Provider may: (a) notify Customer and require Customer to purchase additional capacity or subscriptions at Provider’s then-current rates; (b) throttle or restrict Customer’s access to the affected features or functionality until such time as Customer’s usage falls within the applicable limitations; or (c) invoice Customer for the excess usage at Provider’s then-current overage rates as published on its website or as otherwise communicated to Customer.
2.5 Restrictions on Use. Customer shall not, and shall not permit any Authorized User or third party to: (a) copy, modify, adapt, translate, or create derivative works of the Service or any component thereof; (b) reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code, object code, underlying structure, algorithms, or ideas of the Service, except to the extent that such restriction is expressly prohibited by applicable Law; (c) sublicense, sell, rent, lease, lend, distribute, transfer, or otherwise make available the Service to any third party, except as expressly permitted under this Agreement; (d) use the Service for the benefit of any third party, including without limitation by operating a service bureau, timesharing, outsourcing, or application service provider arrangement; (e) remove, alter, or obscure any proprietary notices, labels, or marks on or in the Service or Documentation; (f) use the Service in any manner that violates any applicable Law or regulation or the rights of any third party; (g) use the Service to transmit any viruses, malware, worms, Trojan horses, or other harmful or malicious code; (h) interfere with or disrupt the integrity or performance of the Service or any third-party data contained therein; (i) gain or attempt to gain unauthorized access to the Service, its related systems or networks, or any accounts of other customers of Provider; (j) use the Service to perform competitive analysis, benchmarking, or for the purpose of building a competitive product or service; (k) use any automated means, including robots, crawlers, or data mining tools, to access or collect data from the Service, except through Provider’s published API in compliance with this Agreement; or (l) use the Service in any manner that could damage, disable, overburden, or impair the Service or interfere with any other party’s use of the Service.
2.6 API Access. To the extent that Provider makes available application programming interfaces ("APIs") for the Service, Customer may access and use such APIs solely for the Permitted Use and in compliance with the Documentation and any published API usage policies. Provider reserves the right to limit, throttle, or revoke API access at any time in its sole discretion if Provider reasonably determines that Customer’s use of the API adversely affects the performance, stability, or security of the Service. Customer shall not use the API to develop, offer, or operate a competing service or product.
Provider shall publish and maintain documentation specifying the applicable rate limits, quotas, and usage restrictions for API access (collectively, "API Limits"). API Limits shall be set at levels sufficient to support Customer’s Permitted Use as reasonably anticipated based on the applicable Order Form. Provider shall provide Customer with at least sixty (60) days prior written notice of any material reduction in API Limits. If Customer requires API capacity in excess of the published API Limits, Customer may request increased capacity, and Provider shall offer such increased capacity at commercially reasonable rates. Provider shall implement reasonable mechanisms to alert Customer when Customer’s API usage approaches the applicable API Limits, including usage dashboards and threshold notifications at seventy-five percent (75%) and ninety percent (90%) of applicable limits.
2.7 Third-Party Products. The Service may integrate with or provide access to certain third-party applications, products, services, or content (collectively, "Third-Party Products"). Customer’s use of any Third-Party Products is subject to the applicable third-party terms of service and privacy policies, and Provider makes no representations or warranties regarding any Third-Party Products. Provider shall have no liability for any Third-Party Products or for any loss or damage arising from Customer’s use thereof.
This Annex 2 forms part of the DPA and describes the Technical and Organizational Measures implemented by the Processor to protect Personal Data in accordance with Section 7 (Security Measures) of the DPA. The Processor may update these measures from time to time in accordance with Section 7.7, provided that such updates do not materially decrease the overall level of security.
1. Encryption. (a) Encryption in transit: All Personal Data transmitted over public networks shall be encrypted using TLS 1.2 or higher. (b) Encryption at rest: All Personal Data stored at rest shall be encrypted using AES-256 encryption or equivalent. (c) Key management: Encryption keys shall be generated, stored, rotated, and destroyed in accordance with industry-standard key management practices. Encryption keys shall be stored separately from the encrypted data and access to encryption keys shall be restricted to authorized personnel on a need-to-know basis.
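Clause 1(a) states the transport floor as a contractual requirement; in practice the Controller's reviewer wants to confirm that the floor is pinned in configuration rather than left to whatever the TLS library defaults to. The following Python is an added example, not part of the template, showing a client context that enforces the TLS 1.2 minimum and a small check that can be run against any ssl.SSLContext to confirm the floor is set. The function names and the "weak" comparison context are this example's own.

```python
import ssl

# Added example (not part of the template): enforce and verify the Annex 2
# clause 1(a) floor of "TLS 1.2 or higher" on a client-side TLS context.

FLOOR = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Build a client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()       # CA verification and hostname check on
    ctx.minimum_version = FLOOR              # reject TLS 1.0, TLS 1.1 and SSLv3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def meets_transport_floor(ctx: ssl.SSLContext) -> bool:
    """True only if ctx cannot negotiate below TLS 1.2 AND verifies the peer.

    Both conditions matter: a TLS 1.3 session to an unverified endpoint still
    exposes Personal Data to an active attacker on the path.
    """
    return (
        ctx.minimum_version >= FLOOR
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def unpinned_context_for_comparison() -> ssl.SSLContext:
    """A context whose floor is left at the library default (hypothetical
    'before' configuration, used only to show the check failing)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("pinned context meets floor:", meets_transport_floor(make_client_context()))
    print("unpinned context meets floor:", meets_transport_floor(unpinned_context_for_comparison()))
```

The same check applies on the server side: a Processor that terminates TLS in a load balancer or reverse proxy should be able to show the equivalent minimum-version setting there, since the client context alone does not stop a server from accepting older protocol versions from other clients.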
2. Access Controls. (a) Authentication: Multi-factor authentication (MFA) shall be required for all access to systems and applications that Process Personal Data. (b) Authorization: Access to Personal Data shall be granted on a least-privilege and need-to-know basis, with role-based access controls (RBAC) implemented across all systems. (c) Password management: Passwords shall meet minimum complexity requirements, shall be changed at regular intervals, and shall be stored using strong, salted, one-way hashing algorithms. (d) Access reviews: Access rights shall be reviewed at least quarterly and promptly revoked upon termination of employment or change of role. (e) Privileged access: Administrative and privileged access shall be subject to enhanced monitoring, logging, and approval workflows.
3. Network Security. (a) Firewalls: Network firewalls shall be configured to restrict inbound and outbound traffic to authorized services and protocols. (b) Intrusion detection and prevention: Intrusion detection systems (IDS) and intrusion prevention systems (IPS) shall be deployed to monitor network traffic for suspicious activity. (c) Network segmentation: Networks shall be segmented to isolate systems that Process Personal Data from other systems and to limit lateral movement in the event of a compromise. (d) VPN: Remote access to the Processor’s network shall require the use of a virtual private network (VPN) or equivalent secure connection.
4. Physical Security. (a) Data center security: The Processor’s data centers (including third-party hosting providers) shall maintain physical security controls, including, without limitation, perimeter security, 24/7 monitoring (including CCTV), access controls (badge readers, biometric authentication), visitor management, and environmental controls (fire suppression, climate control, power redundancy). (b) Workstation security: Workstations used to access Personal Data shall be protected by full-disk encryption, automatic screen locks, and endpoint protection software. (c) Media disposal: Physical media containing Personal Data shall be securely destroyed or degaussed when no longer needed.
5. Data Minimization and Retention. (a) The Processor shall Process only the minimum amount of Personal Data necessary to provide the Services. (b) Personal Data shall be retained only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by applicable law. (c) Upon expiration of the applicable retention period, Personal Data shall be securely deleted or destroyed in accordance with the DPA.
2A.1 General Restrictions. In addition to the restrictions set forth in Section 2.5, Customer and its Authorized Users shall comply with this Acceptable Use Policy (this "AUP") at all times when accessing or using the Service.
2A.2 Prohibited Activities. Customer and its Authorized Users shall not use the Service to: (a) store, transmit, or distribute content that is illegal, defamatory, obscene, threatening, invasive of privacy, or otherwise objectionable; (b) transmit unsolicited bulk communications (spam) or engage in phishing; (c) impersonate any person or entity or falsely claim an affiliation with any person or entity; (d) engage in any activity that constitutes a violation of the privacy rights or other rights of third parties; (e) introduce viruses, malware, worms, or other malicious code; (f) attempt to gain unauthorized access to systems, accounts, or data not belonging to Customer; (g) use the Service for cryptocurrency mining or similar resource-intensive computation not authorized by Provider; (h) circumvent or disable security features of the Service; or (i) use the Service in a manner that could harm minors.
2A.3 Resource Usage. Customer shall not consume computational, storage, or network resources in a manner that disrupts or degrades the Service for other customers. Provider may implement fair use policies and notify Customer of excessive usage patterns.
2A.4 Enforcement. Provider may, upon reasonable notice (or immediately in the case of urgent security threats), suspend Customer’s access to the Service for violations of this AUP. Provider shall notify Customer promptly of any suspension and cooperate with Customer to resolve the issue.
2A.5 Updates. Provider may update this AUP from time to time upon thirty (30) days' prior written notice to Customer. Material changes to the AUP that restrict Customer’s previously permitted uses shall not take effect during the then-current Subscription Term without Customer’s consent.
6. Availability and Resilience. (a) Business continuity: The Processor shall maintain a business continuity plan that includes procedures for ensuring the continued availability and security of Personal Data in the event of a disruption. (b) Disaster recovery: The Processor shall maintain a disaster recovery plan that includes procedures for the timely restoration of availability and access to Personal Data in the event of a physical or technical incident. (c) Backups: Personal Data shall be backed up at regular intervals using encrypted backup media, and backups shall be tested at least annually to verify their integrity and recoverability. (d) Redundancy: Critical systems and infrastructure shall be designed with appropriate redundancy to minimize the risk of single points of failure.
7. Vulnerability Management and Patch Management. (a) Vulnerability scanning: Systems that Process Personal Data shall be subject to regular vulnerability scanning (at least monthly) and remediation. (b) Penetration testing: Independent third-party penetration testing shall be conducted at least annually. (c) Patch management: Security patches and updates shall be applied in a timely manner, with critical patches applied within the timeframe recommended by the vendor or within seventy-two (72) hours of release, whichever is shorter. (d) Secure development: The Processor shall follow secure software development practices, including code reviews, static analysis, and security testing.
8. Incident Response. (a) The Processor shall maintain a documented incident response plan that includes procedures for detecting, reporting, investigating, containing, and remediating security incidents. (b) The incident response plan shall designate an incident response team with clearly defined roles and responsibilities. (c) The incident response plan shall be tested at least annually through tabletop exercises or simulations, and the results of such tests shall be documented and used to improve the plan.
9. Logging and Monitoring. (a) Audit logs: Access to systems containing Personal Data shall be logged, including the identity of the user, the date and time of access, and the action performed. (b) Log retention: Audit logs shall be retained for a minimum of twelve (12) months, or such longer period as required by applicable law. (c) Log protection: Audit logs shall be protected against unauthorized access, modification, and deletion. (d) Monitoring: The Processor shall implement continuous monitoring of systems that Process Personal Data to detect security events and anomalous activity.
10. Employee and Contractor Security. (a) Background checks: The Processor shall conduct background checks on personnel with access to Personal Data, to the extent permitted by applicable law. (b) Security training: All personnel with access to Personal Data shall receive data protection and information security training upon hiring and at least annually thereafter. (c) Acceptable use policies: The Processor shall maintain and enforce acceptable use policies governing the use of systems, networks, and data by personnel. (d) Separation of duties: Critical functions shall be separated among different individuals to reduce the risk of fraud, error, or misuse.
This template is provided by Montague Law for informational purposes only and does not constitute legal advice. Consult a qualified attorney before using this document.