THIS AGREEMENT GOVERNS YOUR ORGANIZATION’S ACQUISITION AND USE OF SOFTWARE LOCATED AT WWW.GETPROVEN.COM (HEREAFTER THE “SERVICE”).
IF YOU REGISTER FOR A FREE TRIAL FOR OUR SERVICE, THIS AGREEMENT WILL ALSO GOVERN THAT FREE TRIAL.
BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE OR BY EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICES. BOTH YOU, AND/OR THE LEGAL ENTITY YOU MAY REPRESENT ARE REFERRED TO AS “CUSTOMER”.
You may not access the Services if you are our direct competitor, except with our prior written consent. In addition, you may not access the Service, except with our prior written consent, for purposes of monitoring their availability, performance or functionality.
Your use of the Service constitutes your agreement to these terms. It is effective between you (or the legal entity you represent) and Proven Software, LLC as of the date you sign an Order or you first use the Service, whichever is earlier.
This Agreement sets forth the terms under which Proven will provide the Service to Customer. Capitalized terms in this Agreement are defined in Appendix 2. The Agreement incorporates the following components: (a) the Proven Service Level Agreement (Appendix 1), (b) the definitions controlling the Agreement (Appendix 2), (c) the Proven Data Protection Agreement (Appendix 3), and (d) the applicable transaction document such as an Order or Statement of Work (“SOW”).
2.1. Subscriptions. Customer may add additional Subscriptions during a Subscription Term at the same price as found in the applicable Order. Added Subscriptions will be co-terminated with existing subscriptions and fees for added Subscriptions pro-rated.
2.2. Usage Limits. Subscriptions for the Service are limited to the quantities specified in the applicable Order. Each Subscription refers to an individual Customer. Customer may not use the Service in a way which exceeds the applicable Subscription limitations reflected in the applicable Order. If Customer exceeds the limitations of its Subscriptions to the Service, Customer will, upon Proven’s request, promptly execute an Order for sufficient additional entitlements to comply with the Agreement. Customer will pay Proven’s invoice for the excess usage according to the Agreement.
3.1. Access to the Service. During the Term Proven will: (a) make the Service available to Customer according to the Agreement and applicable Order(s), (b) maintain appropriate safeguards to protect the security, confidentiality and integrity of Customer Data, (c) remain responsible for the performance of Proven’s personnel (including Proven’s subcontractors) and their compliance with Proven’s obligations under this Agreement.
4.1. Limitations. Customer will not: (a) resell, sublicense, rent, loan, lease, time share or otherwise make the Service available to any party not authorized to use the Service under the Agreement or an applicable Order; (b) modify, adapt, alter, translate, copy, or create derivative works based on the Service; (c) reverse-engineer, decompile, disassemble, or attempt to derive the source code for the Service (unless such right is granted by applicable law and then only to the minimum extent required by law); (d) access the Services in order to: (i) build a competitive product or service; or (ii) copy any ideas, features, functions or graphics of the Service; (e) merge or use the Service with any software or hardware for which they were not intended (as described in the Documentation); (f) allow Users to share access credentials; (g) use the Service for unlawful purposes or to store unlawful material; (h) use the Service to send or store material containing software viruses, worms, Trojan horses or other harmful computer code, files, scripts, or agents; (i) disrupt the integrity or performance of the Service; (j) remove, alter, or obscure in any way the proprietary rights notices (including copyright, patent, and trademark notices and symbols) of Proven or its suppliers contained on or within any copies of the Service; (k) bypass any security measure or access control measure of the Service; (l) use the Service other than as described in the Documentation; or (m) perform or disclose any benchmarking or testing of the Service itself or of the security environment or associated infrastructure without Proven’s prior written consent.
4.2. Remedies for Violation of Customer Limitations. Proven may, without limiting its other rights and remedies, suspend Customer’s and/or applicable Users’ access to the Service at any time if: (i) required by applicable law, (ii) Customer or any User is in violation of the terms of this Agreement, or (iii) Customer’s, or a User’s use disrupts the integrity or operation of the Service or interferes with use of the Service by others. Proven will use reasonable efforts to notify Customer prior to any suspension, unless prohibited by applicable law or court order, and Proven will promptly restore Customer’s access to the Service upon resolution of any violation under this section. If Proven is notified that any Customer Data violates applicable law or third-party rights, Proven may so notify Customer and in such event Customer will promptly remove such Customer Data from the Service. If Customer does not take required action, Proven may disable the applicable Customer Data until the potential violation is resolved.
4.3. Customer Responsibilities. Customer will: (a) use commercially reasonable efforts to prevent, and remain responsible for Users’ compliance with the Agreement and will promptly notify Proven of any unauthorized access to the Service arising from a compromise or misuse of Customer’s or its User’s access credentials, (b) use the Services only in accordance with the Documentation, applicable laws, this Agreement, and government regulations, (c) comply with terms of service of any Non-Proven Applications Customer uses in conjunction with the Service, and (d) remain responsible for any action in violation of the Agreement by Customer’s Affiliates or Users.
5.1. Compliance With Applicable Laws. Customer is exclusively responsible for: a) determining what data Customer submits to the Service, b) for obtaining all necessary consent and permissions for submission of Customer Data and related data processing instructions to Proven, c) for the accuracy, quality and legality of Customer Data, and d) that Customer complies in all respects with applicable data privacy and protection regulations. Customer shall ensure that it is entitled to transfer the relevant Customer Data to Proven so that Proven and its service providers may lawfully use, process, and transfer the Customer Data in accordance with this Agreement on Customer’s behalf. No rights to the Customer Data are granted to Proven hereunder other than as expressly set forth in this Agreement.
5.2. Excluded Data. Customer shall not provide Proven with any Customer Data that is subject to heightened security requirements by law, regulation or contract (examples include but are not limited to the Gramm–Leach–Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the standards promulgated by the PCI Security Standards Council (PCI-DSS), and their international equivalents) (such Customer Data collectively, “Excluded Data”). Proven shall have no responsibility or liability for Excluded Data.
6.1. Reservations of Rights. Access to the Service is sold on a subscription basis. Except for the limited rights expressly granted to Customer hereunder, Proven reserves all rights, title, and interest in and to the Service, the underlying software, the Proven Materials and any and all improvements (including any arising from Customer’s feedback), modifications and updates thereto, including without limitation all related intellectual property rights inherent therein. Where Customer purchases Professional Services hereunder, Proven grants to Customer a non-sublicensable, non-exclusive license to use any materials provided by Proven as a result of the Professional Services (the “Proven Materials”) solely in conjunction with Customer’s authorized use of the Service and in accordance with this Agreement. No rights are granted to Customer hereunder other than as expressly set forth in this Agreement. Nothing in this Agreement will impair Proven’s right to develop, acquire, license, market, promote or distribute products, software or technologies that perform the same or similar functions as, or otherwise compete with, any products, software or technologies that Customer may develop, produce, market, or distribute.
6.2. Ownership and Processing of Customer Data. Customer and/or its licensors shall retain all right, title and interest in all Customer Data stored in the Service, including any revisions, updates or other changes made to that Customer Data. Customer grants Proven a nonexclusive, worldwide, royalty-free right to reproduce, display, adapt, modify, transmit, distribute and otherwise use the Customer Data: (a) solely for the purpose of providing the Service and Professional Services under this Agreement; (b) to prevent or address technical or security issues and resolve support requests; (c) at Customer's direction or request, enable integrations between Customer’s Connected Applications and the Service; and (d) as otherwise required by applicable law.
6.3. Use of Aggregate Information. Proven may collect, anonymize, and aggregate data derived from the operation of the Service (“Aggregated Data”), and Proven may use such Aggregated Data for purposes of operating Proven’s business, monitoring performance of the Service, and/or improving the Service. Proven’s use of Aggregated Data as described in this section shall not result in any unauthorized disclosure of Customer Data, Customer Confidential Information, or personally identifiable information of Authorized Users. Aggregated Data will not be capable of re-identification. Aggregated Data belongs to Proven.
6.4. Ownership of Deliverables. With respect to any deliverables or work product (“Deliverables”) resulting from any of the Professional Services, Proven owns all right, title and interest in and to the intellectual property rights pertaining to such Deliverables and grants to Customer a non-exclusive, worldwide right and license to use such Deliverable in connection with Customer’s permitted use of the Service.
6.5. Feedback. Customer grants to Proven a non-exclusive, royalty-free, fully paid up, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into the Service any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or its Users relating to the features, functionality or operation of the Service or the Professional Services (“Feedback”). Feedback does not include Customer Data. Notwithstanding any other term herein, Feedback shall not create any confidentiality obligation for Proven.
7.1. Fees/Payment. Customer will pay Proven’s invoice for all items identified on an Order regardless of Customer’s actual use of any product. Customer will pay in the currency listed in the Order. All fees are due in advance and must be paid no later than thirty (30) days from the date of the invoice. Fees are non-cancelable and non-refundable (except as provided herein). Customer may not decrease the number of Subscriptions during a Subscription Term. Proven reserves the right to suspend the Service in the event Customer is more than thirty (30) days past due on any undisputed invoice and fails to cure the payment deficiency within ten (10) days of receiving written notice from Proven. Any late payments will accrue late charges at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
7.2. Taxes. All fees are exclusive of taxes, levies, or duties (“Taxes”), and unless Customer can provide a valid state sales/use/excise tax exemption certificate (or other reasonable evidence of exemption) to Proven, Customer will be responsible for payment of all such Taxes excluding taxes based solely on Proven’s income. Proven may invoice Taxes in accordance with applicable law together on one invoice or a separate invoice. Proven reserves the right to determine the Taxes for a transaction based on Customer’s “bill to” or “ship to” address, or other location information for Customer’s use of the Service. Customer will be responsible for any Taxes, penalties or interest arising from inaccurate or incomplete information provided by Customer. If Customer is required by any governmental authority to deduct any portion of the amount invoiced by Proven, Customer shall increase payment by an amount necessary for the total payment to Proven to be equal to the amount originally invoiced.
8.1. Confidentiality. “Confidential Information” means information and/or materials provided by one party (“Discloser”) to the other party (“Recipient”), which are identified as confidential at the time of disclosure or, under the circumstances of disclosure, a reasonable person would understand to be confidential. The following information shall be considered Confidential Information whether or not marked or identified as such: this Agreement, a party’s pricing, product roadmap, product plans, or strategic marketing plans, algorithms, business plans, customer lists, design documents, drawings, engineering information, financial analysis, forecasts, formulas, hardware configuration information, know-how, ideas, inventions, market information, processes, products, research, specifications, software, source code, trade secrets or any other non-public information relating to the Service including the Documentation. Recipient may disclose Discloser’s Confidential Information only to Recipient’s Affiliates, employees, officers, directors, advisors or contractors who need to know such Confidential Information and who are under a duty of confidentiality no less restrictive than Recipient’s duty hereunder.
8.2. Exclusions. “Confidential Information” does not include information that: (a) is independently developed by or for the Recipient without access or reference to, or use of, Confidential Information; (b) is lawfully received free of restriction from another source having the right to furnish such information; (c) is or becomes lawfully in the public domain other than through a breach of this Agreement; (d) was known by the Recipient prior to disclosure; (e) Discloser agrees in writing is free of such restrictions; or (f) is generally disclosed by the Discloser to third parties without a duty of confidentiality.
8.3. Duties Regarding Confidential Information. At all times during and after the term of this Agreement, Recipient shall (a) keep Discloser’s Confidential Information confidential and not disclose Discloser’s Confidential Information to a third party without the Discloser’s written consent or as expressly permitted in this Agreement, and (b) not use the Confidential Information for purposes other than the performance of this Agreement. Where disclosure is required by law, such disclosure shall not constitute a breach of this Agreement provided Recipient gives Discloser reasonable advance notice (if legally permissible) to enable Discloser to seek appropriate protection of the Confidential Information and discloses only that portion of the Confidential Information that the Recipient is legally compelled or is otherwise legally required to disclose. Any prior non-disclosure agreement executed among the parties is terminated in favor of these confidentiality terms.
8.4. Unauthorized Disclosures. The parties agree that Recipient’s threatened or actual unauthorized disclosures of Confidential Information may result in irreparable injury for which a remedy in money damages may be inadequate. The parties therefore agree the Discloser may be entitled to seek an injunction to prevent a breach or threatened breach of this Section without posting a bond. Any such injunction shall be additional to other remedies available to Discloser at law or in equity.
9.1. General Representations and Warranties. Each party represents and warrants that it has the power and authority to enter into this Agreement and the performance by such party of its obligations and duties hereunder will not violate any agreement to which such party is bound.
9.2. Proven Warranties. Proven represents and warrants that: (a) if it provides Professional Services it will use reasonable skill and care, (b) the Service will perform materially in accordance with the Documentation under normal use and circumstances, and (c) it has taken commercially reasonable measures to ensure the Service is free from, and will not transmit, any malicious or hidden mechanisms or code designed to damage or corrupt Customer’s Data or network systems.
9.3. Customer Warranties. Customer represents and warrants that: (a) it has the right to provide Proven with access to all Customer Data, (b) it shall obtain from its Users all consents required under law regarding the use of the Customer Data and Feedback as described in this Agreement.
9.4. Warranty Claims. Except for the Customer’s right to terminate in accordance with Section 12.3, Proven’s sole responsibility and Customer’s exclusive remedy in the event of any material failure to the warranties expressly stated in Section 9, shall be that Proven shall make commercially reasonable efforts to remedy any resulting deficiencies.
9.5. Customer Vendors. Customer may invite certain Vendors to offer products and services to Users via the Services. Proven shall have no responsibility or liability regarding any claim brought by Customer or any third-party arising from a Vendor’s provision of products or services. Customer shall indemnify and hold Consensus harmless from any claim arising from a Vendor’s actions pursuant to the procedure described in Section 10.4.
9.6. Disclaimer of Warranty. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH IN THIS SECTION 9, TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, THE SERVICE, PROFESSIONAL SERVICES AND DOCUMENTATION ARE PROVIDED “AS IS” WITHOUT OTHER WARRANTY OF ANY KIND, AND PROVEN MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, WITH RESPECT TO THE SERVICE AND PROFESSIONAL SERVICES. PROVEN SPECIFICALLY AND EXPLICITLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, THOSE ARISING FROM A COURSE OF DEALING OR USAGE OR TRADE, AND ALL SUCH WARRANTIES ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW. FURTHER, PROVEN DOES NOT WARRANT THE SERVICE WILL BE ERROR-FREE OR THAT THE USE OF THE SERVICE WILL BE UNINTERRUPTED. THE SERVICE AND MATERIALS ARE NOT DESIGNED, INTENDED OR WARRANTED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE CONTROLS.
10.1. Indemnification by Proven. If a third party initiates or threatens a legal action alleging that Customer’s use of the Service directly infringes the third party’s patent, copyright, or trademark or misappropriates the third party’s trade secret rights (such action, a “Claim”), then Proven will (a) promptly assume the defense of the Claim and (b) pay costs, damages and/or reasonable attorneys’ fees that are included in a final judgment against Customer (without right of appeal) or in a settlement approved by Proven that are attributable to Customer’s use of the Service; provided that Customer: (i) is current in the payment of all applicable fees, or becomes current, prior to requesting indemnification, (ii) notifies Proven in writing of the Claim promptly after receipt of the Claim (but in no case later than fifteen (15) days), (iii) allows Proven to solely control the defense of the Claim with counsel of Proven’s choice, and to settle such Claim at Proven’s sole discretion (wherein Customer will have the right to approve the portion of any settlement which requires payment by Customer or requires Customer to admit liability), and (iv) reasonably cooperates with Proven in defending the Claim. This remedy represents Customer’s sole and exclusive remedy under this Section 10.
10.2. Other Resolution. If the Service becomes the subject of any actual or anticipated third party infringement claim, Proven may, at its sole option and expense, either: (i) procure for Customer the right to continue using the affected Service consistent with this Agreement, (ii) replace or modify the affected Service with a functionally equivalent service that does not infringe, or, (iii) if neither (i) nor (ii) is available on a commercially-feasible basis, terminate the Agreement and applicable Order and refund any prepaid fees for all unused portions of the then-current Subscription Term as of the date of termination.
10.3. Exclusions. Proven will have no liability for any Claim based upon: (a) any third-party components or services (including Connected Applications), (b) any unauthorized use of the Service in violation of this Agreement or applicable Order, (c) Proven’s compliance with designs, specifications or instructions provided by Customer where those designs, specifications or instructions cause the infringement, or (d) use by Customer after notice by Proven to discontinue using all or part of the Service. This section constitutes the entire liability of Proven, and Customer’s sole and exclusive remedy, with respect to any third-party claims of infringement or misappropriation of intellectual property rights.
10.4. Indemnification By Customer. If a third party initiates or threatens legal action against Proven for processing Customer Data uploaded into the Service by Customer or Users, or for a claim relating to Customer’s, or a User’s breach of its obligations under Section 5, where such claim arises solely from Proven operating the Service, then Customer will: (a) promptly assume the defense of the claim and (b) pay costs, damages and/or reasonable attorneys’ fees that are included in a final judgment against Proven (without right of appeal) or in a settlement approved by Customer that are attributable to Proven processing of such Customer Data to provide the Service; provided that Proven (i) notifies Customer in writing of the claim promptly after receiving it, (ii) allows Customer to control the defense of the claim with counsel of its choice, and to settle such claim at Customer’s sole discretion (unless the settlement requires payment by Proven or requires Proven to admit liability, in which case Proven will have the right to approve such payment or admission), and (iii) reasonably cooperates with Customer in defending the claim at Customer’s expense.
11.1. DISCLAIMER OF INDIRECT DAMAGES. IN NO EVENT SHALL EITHER PARTY, OR ITS AFFILIATES OR ITS LICENSORS BE LIABLE UNDER ANY LEGAL THEORY FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, INDIRECT, PUNITIVE OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOSS OF USE, BUSINESS INTERRUPTIONS, REVENUE, GOODWILL, PRODUCTION, ANTICIPATED SAVINGS, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, IN CONNECTION WITH OR ARISING OUT OF THE PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT (INCLUDING ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN OR DESTRUCTIVE PROPERTIES OF THE SOLUTION), WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
11.2. LIMITATION OF LIABILITY. NEITHER PARTY’S (OR ITS AFFILIATES’) AGGREGATE AND CUMULATIVE LIABILITY ARISING FROM OR RELATING TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT, STATUTE OR OTHERWISE WILL EXCEED THE AMOUNTS PAID OR OWED TO PROVEN BY CUSTOMER IN THE AGGREGATE DURING THE SIX (6) MONTHS IMMEDIATELY PRECEDING THE FIRST EVENT GIVING RISE TO LIABILITY. NOTHING IN THIS AGREEMENT IS INTENDED TO EXCLUDE OR LIMIT EITHER PARTY’S LIABILITY FOR DEATH, PERSONAL INJURY, OR PROPERTY DAMAGE CAUSED BY NEGLIGENCE, OR FOR FRAUD. NOTHING IN THIS SECTION WILL LIMIT THE FEES OWED BY CUSTOMER UNDER THIS AGREEMENT FOR THE SERVICE OR PROFESSIONAL SERVICES, OR FOR VIOLATING CUSTOMER’S OBLIGATIONS IN SECTION 4 AND 5. THE PARTIES ACKNOWLEDGE THAT THE FEES PAID PURSUANT TO THIS AGREEMENT REFLECT THE ALLOCATION OF RISK SET FORTH IN THIS AGREEMENT, AND THAT PROVEN WOULD NOT ENTER INTO THIS AGREEMENT WITHOUT THESE LIMITATIONS ON ITS LIABILITY.
12.1. Subscription Term. The Subscription Term begins on the Subscription Start Date and remains in effect for the Subscription Term as specified on the applicable Order. At the end of the Subscription Term, the Subscription will automatically renew for additional Subscription Terms equal to the expiring Subscription Term, unless either party notifies the other of its intent not to renew such Subscription at least ninety (90) days before the expiration of the then-current Subscription Term. Non-renewal notice must be provided by email to support@getproven.com.
12.2. Effective Date and Term. This Agreement commences on the Effective Date and shall remain in effect until terminated by either Party in accordance with the terms of the Agreement (the “Term”).
12.3. Termination. If either party materially breaches the terms of this Agreement and the breach is not cured (or curable) within thirty (30) days after written notice of the breach, then the other party may terminate this Agreement and/or the applicable Order(s) upon written notice to the breaching party. Either party also may terminate this Agreement upon written notice if the other party: (i) terminates or suspends its business, (ii) becomes subject to any insolvency proceeding under federal or state statute, (iii) becomes insolvent or subject to direct control by a trustee, receiver or similar authority, (iv) has wound up or liquidated, voluntarily or otherwise, or (v) by ten (10) days’ prior written notice if no Order is in effect between the Parties.
12.4. Effect of Termination. If this Agreement is terminated by Customer for Proven’s uncured breach in accordance with Section 12.3 (Termination), Proven will refund Customer any prepaid but unused fees covering the remainder of any terminated Orders as of the effective date of termination. If this Agreement is terminated by Proven for Customer’s uncured breach in accordance with Section 12.3 (Termination), Customer will pay within thirty (30) days any fees which are payable to Proven prior to, or after the effective date of termination. Upon termination of this Agreement: (a) Proven’s obligation to provide the Service will terminate, (b) all of Customer’s, its Affiliates’, and its Users’ rights to use the Service will terminate, and (c) each party will promptly destroy any data or Confidential Information from the other party in its possession.
12.5. Suspension In Lieu of Termination. If any amount owing by Customer is thirty (30) or more days overdue, Proven may, without limiting its other rights and remedies, and after providing Customer at least 10 days’ prior notice by email, accelerate Customer’s unpaid fee obligations so that all such obligations become immediately due and payable, and suspend Proven’s services to Customer until such amounts are paid in full.
The provisions of Sections: 8 (“Confidential Information”), 10 (“Indemnification”), 11 (“Limitation of Liability and Disclaimer of Damages”), and 14 (“Miscellaneous”), and any other terms and conditions of this Agreement which by their nature reasonably should survive the termination or other expiration of this Agreement shall survive any expiration or termination of this Agreement.
14.1. Assignment. Either party may assign this Agreement without the consent of the other party to an Affiliate, or in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of such party’s assets (a “Sale”). Assignment will not relieve the assigning party of its obligations under the assigned Agreement and such assignment will be binding upon and will inure to the benefit of the parties and their respective successors and permitted assigns. If Customer enters into a Sale with a direct competitor of Proven or assigns the Agreement to a direct competitor of Proven, Proven may, in its sole discretion, terminate the Agreement.
14.2. Compliance with Applicable Laws. Each party will comply with all applicable laws, including without limitation, applicable export-control restrictions, data privacy laws, and anti-corruption laws.
14.3. Future Features and Functions. Customer agrees that Proven may, from time to time, at its sole discretion, modify and update the Service. Customer understands and agrees that any features or functions related to Proven products referenced on any Proven website, or in any presentations, verbal or electronic communications, press releases or public statements, which are not currently available as a GA release, may not be delivered on time or at all. The development, release, and timing of any features or functionality described for our products and services remains at Proven’s sole discretion. Accordingly, Customer agrees that it is purchasing products and services based solely upon features and functions that are currently available as of the time an Order is executed, and not in expectation of any future feature or function.
14.4. Notices. Notices may be sent by first-class, registered mail (return receipt requested) or private courier to the address of the receiving party identified on the first page of this Agreement. Notice will be deemed given five (5) days after mailing U.S. first class, registered mail, or upon confirmed delivery by private courier, whichever is sooner. Customer will address notices to Proven’s Legal Department, with a copy to legal@getproven.com. Either party may from time to time change its address for notices under this section upon written notice to the other party.
14.5. Non-waiver. Any failure of either party to enforce performance by the other party of any of the provisions of this Agreement, or to exercise any rights or remedies under this Agreement, will not be construed as a waiver of such party's right to assert or rely upon such provision, right or remedy in that or any other instance. Neither party waives any rights or limits its remedies for actions taken outside the scope of this Agreement.
14.6. Dispute Resolution. This Agreement will be governed by the laws of the State of California, U.S.A., without giving effect to any conflicts of laws provisions. Neither the United Nations Convention on Contracts for the International Sale of Goods nor the Uniform Computer Information Transactions Act will apply to this Agreement. Any claim, suit, action or proceeding arising out of or relating to this Agreement or its subject matter will be brought exclusively in the state or federal courts of San Francisco County, California, and each party irrevocably submits to the exclusive jurisdiction and venue of such courts. No claim or action, regardless of form, arising out of this Agreement may be brought by either party more than one (1) year after the earlier of the following: a) the expiration or termination of all Subscriptions, b) the termination of this Agreement, or c) the time a party first became aware, or reasonably should have been aware, of the basis for the claim. To the fullest extent permitted, each party waives the right to trial by jury in any legal proceeding arising out of or relating to this Agreement or the transactions contemplated hereby.
14.7. Severability. If any provision of this Agreement is held invalid or unenforceable under applicable law by a court of competent jurisdiction, it shall be replaced with the valid provision that most closely reflects the intent of the parties, and the remaining provisions of the Agreement will remain in full force and effect.
14.8. Relationship of the Parties. Nothing in this Agreement is to be construed as creating an agency, partnership, or joint venture relationship between the parties hereto. Neither party shall have any right or authority to assume or create any obligations or to make any representations or warranties on behalf of any other party, whether express or implied, or to bind the other party in any respect. Each party may identify the other as a customer or supplier, as applicable.
14.9. Force Majeure. Force majeure events shall excuse the affected party (the "Non-Performing Party") from its obligations under this Agreement so long as the event and its effects continue. Force majeure events include acts which are beyond the reasonable control of a party, including without limitation, Acts of God, natural disasters, pandemic, epidemic, war, riot, network attacks, acts of terrorism, fire, explosion, accident, sabotage, strikes, inability to obtain power, fuel, material or labor, or acts of any government (each, a “Force Majeure Event”). As soon as feasible, the Non-Performing Party shall notify the other party of: (a) its best reasonable assessment of the nature and duration of the Force Majeure Event, and (b) the steps it is taking to mitigate its effects. If the Force Majeure Event prevents performance for more than sixty (60) days, and the parties have not agreed upon a revised basis for performance, then either party may immediately terminate the Agreement upon written notice. Proven’s suspension of the Services in order to comply with laws is a Force Majeure Event.
14.10. U.S. Government Restricted Rights. If the Service is used by the U.S. Government, parties agree the Service is “commercial computer software” and “commercial computer documentation” developed exclusively at private expense, and (a) if acquired by or on behalf of a civilian agency, shall be subject solely to the terms of this Agreement as specified in 48 C.F.R. 12.212 of the Federal Acquisition Regulations and its successors; and (b) if acquired by or on behalf of units of the Department of Defense (“DOD”) shall be subject to the terms of this commercial computer software license as specified in 48 C.F.R. 227.7202-2, DOD FAR Supplement and its successors.
14.11. Publicity. During the term of this Agreement, Customer agrees to support Proven’s marketing efforts in the following areas: (i) Customer’s name and logo may be used on Proven’s website and in Proven’s marketing materials (subject to Proven’s compliance with any written trademark use guidelines provided by Customer to Proven in advance), (ii) press release announcing Customer’s selection of Proven and/or the Service, and (iii) announcement of Customer’s use of Proven (in a method of Customer’s choosing; blog, press release, email, other channels). If Customer plans to submit or publish any research relative to Customer’s outcome of using Proven Products and/or Service, Customer agrees to inform Proven prior to such submission or publication.
14.12. Entire Agreement; Execution. This Agreement, together with the Appendices and applicable Order(s) constitute the entire agreement between parties, and supersedes all prior or contemporaneous proposals, quotes, negotiations, discussions, or agreements, whether written or oral, between the parties regarding its subject matter. Revisions to this Agreement must be made by a separate amendment, signed by each party, and must be expressly drafted for that purpose and identify the specific sections that are being revised. However, if Customer agreed to these terms by reference in another binding instrument (e.g., on an Order which refers to these terms by URL), Proven may change these terms by posting an updated version at the applicable URL and notifying Customer of the change. By continuing to access or use the Service after such notice Customer agrees to be bound by the updated terms. Customer click-through terms, preprinted terms in Customer purchase orders or other customer-generated ordering documents, or terms referenced or linked within them, will have no effect on this Agreement and are hereby rejected, regardless of whether they are signed by Proven and/or purport to take precedence over this Agreement. The order of precedence among all documents executed among the parties shall be: (1) the applicable Order, (2) this Agreement, (3) fully executed SOWs, (4) the Documentation. This Agreement may be executed in counterparts, which taken together shall form one binding legal instrument. The parties may use electronic signatures in connection with the execution of this Agreement, and further agree that electronic signatures shall be legally binding with the same effect as manual signatures.
PROVEN SERVICE LEVEL TERMS
1. Service Level Agreement. Proven shall make commercially reasonable efforts to maintain availability of the Service 99.9% of each calendar month of a Subscription (the “Uptime Goal”). If an instance of Unavailability exceeds .1% of the monthly Uptime Goal, at the written request of Customer, Proven will extend Customer’s Subscription Term by 10 times (10X) the period of Unavailability with a minimum extension of one business day. For illustration purposes only, the month of March has a total of 43,200 minutes. One tenth of one percent (i.e., .1%) is equal to 43.2 minutes.
2. Unavailability. “Unavailability” means the period, measured in minutes, from when Proven’s monitoring tools confirm Customer’s reported inability to access the Service, to the time the Service is available to transmit and receive data. Unavailability shall not include or occur due to: a) maintenance activities during a scheduled maintenance period; b) beta periods or functionality; c) Force Majeure events; d) any failures of Customer to access the Service caused by Customer, its employees, agents, subcontractors or End Users; e) an outage in the underlying infrastructure required to provide the Services that is not controlled by Proven, this includes, but is not limited to cloud provider Amazon Web Services (AWS) outages (http://aws.amazon.com and any successor or related site designated by Proven) or internet network or backbone outages, g) internet DNS outages, or h) Proven’s suspension or termination of Customer’s right to use the Services in accordance with the Agreement.
3. Connection to the Service. Customer is solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to the Internet and to Proven’s cloud provider where the Service is hosted. Customer is responsible for all problems, delays, failures, and all other loss or damage arising from or relating to Customer’s network or telecommunications connection to the Internet.
“Affiliate” means, with respect to a party to this Agreement, any entity that directly or indirectly controls, is controlled by, or is under common control with such party through the possession of more than fifty percent (50%) of the voting stock of the controlled entity.
“Authorized User” or “User” means: (a) in the case of an individual accepting this Agreement on such individual’s own behalf, such individual; or (b) an employee or authorized third-party of Customer, who has been authorized by Customer to use the Service in accordance with the terms and conditions of this Agreement and has been allocated user credentials.
“Customer Data” means any electronic data or materials provided or submitted by or for Customer to or through the.
“Documentation” means Proven’s published user manual that describes the functionality of the Service, as updated by Proven from time to time.
“Order” means the purchasing document (however so named), signed by a duly authorized representative of each party, that details the Subscription, pricing, payment terms, applicable licensing metrics, other applicable commercial terms and conditions, and includes its attachments, schedules, exhibits, addenda, and any terms and conditions and other products and services purchased by Customer from Proven pursuant to this Agreement.
“Party” means either Customer or Proven and together the “Parties”.
“Professional Services” means Training Services, Implementation Services, or other services Customer agrees to purchase as described in a fully executed statement of work.
“Service” means Proven software-as-service platform located at www.getproven.com.
"Subscription" means access to the Service during the Subscription Term. Each Subscription is specific to a unique Authorized User and under no circumstance may an Authorized User Subscription be transferred to, shared among or used by different Authorized Users.
“Subscription Term(s)” means the subscription period(s) during which Customer is authorized to use the Service, as specified in an applicable Order.
“Vendor” means a person or legal entity Customer invites to offer or market the Vendor’s products and/or services via the Services.
PROVEN DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum, including its Schedules, (“DPA”) forms part of the Master Subscription Agreement between Proven and Customer for the purchase of the Service (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.
Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Service to Customer pursuant to the Agreement, Proven may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
For the avoidance of doubt, signature of the DPA on page 8 shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2. Where Customer wishes to separately execute the Standard Contractual Clauses and its Appendix, Customer should also complete the information as the data exporter and sign on page 14 (Schedule 2).
HOW THIS DPA APPLIES
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Proven entity that is party to the Agreement is party to this DPA.
If the Customer entity signing this DPA has executed an Order with Proven or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order and applicable renewal Order(s), and the Proven entity that is party to such Order is party to this DPA.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Service pursuant to the Agreement between Customer and Proven, but has not signed its own Order with Proven and is not a “Customer” as defined under this DPA.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Orders.
“Customer Data” means what is defined in the Agreement as “Customer Data”, provided that such data is electronic data and information submitted by or for Customer to the Service. This DPA does not apply to Non-Proven Applications as defined in the Agreement.
“Customer Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Proven or its Sub-processors.
“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Economic Area, Switzerland, the United Kingdom and the United States and its states.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Data Subject Request” means a Data Subject’s legal right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making as set out in applicable Data Protection Laws and Regulations.
“Europe” means the European Economic Area, Switzerland and the United Kingdom.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Public Authority” means a government agency or law enforcement authority, including judicial authorities.
“Proven” means Proven Software, LLC, a company incorporated in Delaware, US.
“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means any Processor engaged by Proven.
2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is a Controller or a Processor, Proven is a Processor and that Proven will engage Sub-processors pursuant to the requirements set forth in section 5 “Sub-processors” below.
2.2. Customer’s Personal Data Obligations. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations and where Customer is a processor, the instructions of its Controller. Customer confirms that its instructions do not conflict with the instructions of its Controller. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Customer acquired Personal Data. Customer acknowledges that any Processing governed by this DPA is lawful on the basis that Data Subjects have given consent. Where Customer is required by applicable Data Protection Laws and Regulations to evidence Data Subjects’ consent, it may request a copy of the consent log captured by Proven. Customer specifically acknowledges and agrees that its use of the Service will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws and Regulations.
2.3. Proven’s Processing of Personal Data. Proven shall Process Personal Data on behalf of and only in accordance with applicable Data Protection Laws and Regulations and Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order(s); (ii) Processing initiated by Users in their use of the Service; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Where Customer is a processor, Customer confirms that its instructions to Proven are consistent with the terms of the agreement between the Customer and the Controller.
2.4. Details of the Processing. The subject-matter of Processing of Personal Data by Proven is the performance of the Service pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Description of Processing/Transfer) to this DPA.
2.5. Customer Instructions. Proven shall inform Customer if, in its opinion, Customer’s instructions for the Processing of Personal Data infringe GDPR. Where this relates to instructions from the Customer’s Controller, Customer agrees to immediately inform its Controller.
3.1. Notification. Proven shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or Data Subject Request it has received from a Data Subject. Where Customer is a processor, Customer agrees to forward any notification it receives from Proven without undue delay, to its Controller. Proven shall not respond to a complaint, dispute or Data Subject Request itself, and shall redirect the complaint, dispute or Data Subject Request as necessary to allow Customer to respond directly. Taking into account the nature of the Processing, Proven shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
3.2. Assistance. In addition, to the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, Proven shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Proven is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. Customer shall be responsible for any reasonable costs arising from Proven’s provision of such assistance.
4.1. Confidentiality. Proven shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Proven shall ensure that such confidentiality commitments survive the termination of the personnel engagement.
4.2. Reliability. Proven shall take commercially reasonable steps to ensure the reliability of any Proven personnel engaged in the Processing of Personal Data.
4.3. Limitation of Access. Proven shall ensure that Proven’s access to Personal Data is limited to those personnel performing Service in accordance with the Agreement.
4.4. Data Protection Officer. Proven has appointed a data protection officer. The appointed person may be reached at privacy@getproven.com.
5.1. Appointment of Sub-processors. Customer acknowledges and agrees that (a) Proven’s Affiliates may be retained as Sub-processors; and (b) Proven and Proven’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Service. Proven or a Proven Affiliate has entered into a written agreement with each Sub-processor containing, in substance, the same data protection obligations as those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Service provided by such Sub-processor.
5.2. List of Current Sub-processors and Notification of New Sub-processors. The current list of Sub-processors engaged in Processing Personal Data for the performance of each applicable Purchased Service, including a description of their processing activities and countries of location, is listed on Proven’s privacy webpage at (INSERT HYPERLINK). Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data. The Infrastructure and Sub-processor Documentation contains a mechanism to subscribe to notifications of new Sub-processors for each applicable Purchased Service.
5.3. Objection Right for New Sub-processors. Customer may reasonably object to Proven’s use of a new Sub-processor by notifying Proven promptly in writing within thirty (30) days of receipt of Proven’s notice of a new Sub-processor. Proven may, but is not obligated to, make reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-processor. If Proven is unable to resolve Customer’s objections, Customer may terminate the applicable Order(s) with respect only to those Services which cannot be provided by Proven without the use of the objected-to new Sub-processor by providing written notice to Proven. Proven will refund Customer any prepaid but unused Fees covering the remainder of the term of such Order(s) following the effective date of termination with respect to such terminated Service, without imposing a penalty for such termination on Customer.
5.4. Liability. Proven shall be liable for the acts and omissions of its Sub-processors to the same extent Proven would be liable if performing the services of each Sub-processor directly under the terms of this DPA. Where the performance of the Service requires Proven to contract with Sub-processors who only offer click-wrap data protection agreements, namely third party cloud hosting providers, Proven shall not be liable for any Sub-processors’ acts or omissions that are not recoverable under the terms of such data protection agreements because of the Sub-processors’ decision to impose their terms on a non-negotiable basis.
6.1. Controls for the Protection of Customer Data. Proven shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in Schedule 3 attached hereto. Proven regularly monitors compliance with these measures. Proven will not materially decrease the overall security of the Service during a subscription term.
6.2. Audit. Proven shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA, including those obligations required by applicable Data Protection Laws and Regulations, as set forth in this section 6.2. Where Customer is a processor, Customer agrees to provide the information demonstrating compliance provided by Proven in this section 6.2, to its Controller.
6.2.1. Third-Party Certifications and Audits. Proven has obtained the third-party certifications and audits set forth in Schedule 3 for each applicable Purchased Service. Upon Customer’s written request, and with at least thirty days’ notice, and subject to the confidentiality obligations set forth in the Agreement, Proven shall make available to Customer (or Customer’s Third-Party Auditor) information regarding Proven’s compliance with the obligations set forth in this DPA in the form of a copy of Proven’s then most recent SOC II report and an executive summary of its most recent penetration test. Such third-party audits or certifications may also be shared with Customer’s competent supervisory authority on its request. Where Proven has obtained a SOC 2 report, Proven agrees to maintain these certifications or standards, or appropriate and comparable successors thereof, for the duration of the Agreement. Customer acknowledges that any information provided under this Section 6.2 shall be considered Confidential Information.
6.2.2. Legally Mandated On-Site Audits. Where applicable Data Protection Laws and Regulations mandate that Proven must submit to an on-site audit by the Customer, Proven will permit Customer (or its Third-Party Auditor) to conduct an audit of the Processing undertaken by Proven in respect of the provision of the Service. Such on-site audits shall take place on reasonable notice and no more than annually, or if there are indications of non-compliance with this DPA from the third party certifications provided in accordance with section 6.2.1 above, more frequently.
6.3. Data Protection Impact Assessment. Upon Customer’s request, Proven shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Proven.
7. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
7.1. Notification. Proven maintains security incident management policies and procedures. Proven shall notify Customer without undue delay after becoming aware of a “Customer Data Incident”.
7.2. Proven Responsibilities. In respect of such Customer Data Incident, Proven shall: (i) make reasonable efforts to identify the cause; (ii) take such steps as Proven deems necessary and reasonable to remediate the cause to the extent the remediation is within Proven’s reasonable control; (iii) cooperate reasonably with the Customer and provide Customer with the information needed to fulfil its data breach obligations under Data Protection Laws and Regulations; (iv) take other further measures and actions that Proven determines are necessary to remedy or mitigate the effects of the security incident, and (v) except as required by law, Proven will not take action to notify Data Subjects of any security incident.
7.3. Exclusions. The obligations imposed on Proven and set out in section 7.2, shall not apply to incidents that are caused by Customer or Customer’s Users.
8.1. Customer Data. Customer may download Customer Data at any time during the term of the Agreement and for thirty (30) days after termination of the Agreement or this Addendum. After the thirty (30) days after termination of the Agreement or this Addendum have expired, and to the extent allowed by applicable law, Proven shall destroy the Customer Data. Customer acknowledges that Customer Data may be stored by Proven after the Termination Date pursuant to Proven’s data retention rules and back-up procedures until it is eventually deleted. To the extent that any portion of Customer Data remains in the possession of Proven following the Termination Date, Proven’s obligations set forth in this DPA shall survive termination of the Agreement or this DPA with respect to that portion of the Customer Data until it is deleted.
9.1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Proven and each such Authorized Affiliate subject to the provisions of the Agreement and this section 9 and section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is a party only to this DPA. All access to and use of the Service by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
9.2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Proven under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9.3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to this DPA with Proven, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following: Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Proven directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together.
10.1. Limitations. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Proven, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
10.2. Aggregate and Several Liability. For the avoidance of doubt, Proven’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
11.1. Definitions. For the purposes of this section 11 and Schedule 1 these terms shall be defined as follows:
"EU C-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
"EU P-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
11.2. Transfer mechanisms for data transfers. If, in the performance of the Service, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of Europe, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the Data Protection Laws and Regulations of Europe:
11.2.1. The EU C-to-P Transfer Clauses. WhereCustomer and/or its Authorized Affiliate is a Controller and a data exporter ofPersonal Data and Proven is a Processor and data importer in respect of thatPersonal Data, then the Parties shall comply with the EU C-to-P TransferClauses, subject to the additional terms in Schedule 1.
11.2.2. The EU P-to-P Transfer Clauses. WhereCustomer and/or its Authorized Affiliate is a Processor and a data exporter ofPersonal Data and Proven is a Processor and data importer in respect of thatPersonal Data, then the Parties shall comply with the EU P-to-P TransferClauses, subject to the additional terms in Schedule 1.
12.1. CCPA. To provide the Service Customermay disclose Personal Information to Proven. The parties agree that to providethe Service, Proven is acting as a “Service Provider” pursuant to §1798.140 ofthe California Consumer Protection Act (“CCPA”). Proven shall not retain, use, or disclosePersonal Information provided by Customer pursuant to this Agreement except asnecessary for the specific purpose of providing the Service and theProfessional Services, as applicable, pursuant to this Agreement or asotherwise set forth in this Agreement or as permitted by the CCPA. Proven willnot sell Personal Information. Customer is responsible for responding toConsumer requests using Customer’s own access to the relevant PersonalInformation. Upon Customer’s written request, and subject to and in accordancewith all applicable laws, Proven will provide assistance, as required underCCPA, to Customer for the fulfillment of Customer’s obligations to respond torequests to exercise Consumer’s rights under CCPA with respect to PersonalInformation provided by Customer pursuant to this Agreement, to the extentCustomer is unable to access the relevant Personal Information itself. To theextent legally permitted, Customer shall be responsible for any costs arisingfrom Proven’s provision of such assistance.
Schedule 1:Transfer Mechanisms for European Data Transfers
Schedule 2:Description of Processing/Transfer
Schedule 3:Technical and Organizational Security Measures.
The parties’authorized signatories have duly executed this DPA:
Signature:
Customer Legal Name:
Print Name:
Title:
Date:
PROVEN SOFTWARE, LLC
Signature: Print Name:
Title:____________________________________
Date:___________________________________
SCHEDULE 1 – TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS
For the purposes of the EU C-to-P and EU P-to-P Transfer Clauses, Customer is the data exporter and Proven is the data importer and the Parties agree to the following. If and to the extent an Authorized Affiliate relies on the EU C-to-P or the EU P-to-P Transfer Clauses for the transfer of Personal Data, any references to ‘Customer’ in this Schedule, include such Authorized Affiliate. Where this section 2 does not explicitly mention EU P-to-P Transfer Clauses it applies to both EU C-to-P and EU P-to-P.
1.1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses are set out in Schedule 2.
1.2. Docking clause. The option under clause 7 shall not apply.
1.3. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Proven for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of this DPA, the instructions by Customer and where Customer is a processor, its Controller, to Process Personal Data are set out in section 2.3 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Service.
1.4. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Proven to Customer only upon Customer's written request or where Customer is a processor, its Controller’s written request.
1.5. Security of Processing. For the purposes of clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Schedule 3 meet Customer’s, or where Customer is a processor, its Controller’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Proven provide a level of security appropriate to the risk with respect to its or its Controller’s Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with section 7 (Customer Data Incident Management and Notification) of this DPA.
1.6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 6.2 of this DPA.
1.7. General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Proven has Customer’s general authorization to engage Sub-processors in accordance with section 5 of this DPA. Proven shall make available to Customer the current list of Sub-processors in accordance with section 5.2 of this DPA.
1.8. Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Proven may engage new Sub-processors as described in sections 5.2 and 5.3 of this DPA. Proven shall inform Customer of any changes to Sub-processors following the procedure provided for in section 5.2 of this DPA and where Customer is a processor, Customer shall bear the responsibility of informing its Controller of any changes to Sub-processors by Proven.
1.9. Complaints – Redress. For the purposes of clause 11, and subject to section 3 of this DPA, Proven shall inform data subjects on its website of a contact point authorized to handle complaints. Proven shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. Proven shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.
1.10. Liability. Proven’s liability under clause 12(b) shall be limited in aggregate by the “Limitations of Liability” section of the Agreement and shall be restricted with respect to any damage caused by its Processing where Proven has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.
1.11. Supervision. Clause 13 shall apply as follows:
1.11.1. Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
1.11.2. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
1.11.3. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the Data Protection Commission – 21 Fitzwilliam Square South, Dublin 2, DO2 RD28, Ireland shall act as competent supervisory authority.
1.11.4. Where Customer is established in the United Kingdom or falls within the territorial scope of application of the Data Protection Laws and Regulations of the United Kingdom (“UK Data Protection Laws and Regulations”), the Information Commissioner's Office (“ICO”) shall act as competent supervisory authority.
1.11.5. Where Customer is established in Switzerland or falls within the territorial scope of application of the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws and Regulations”), the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
1.12. Notification of Government Access Requests. For the purposes of clause 15(1)(a), Proven shall notify Customer (only) and not Customer’s Controller nor the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying its Controller and the Data Subject as necessary.
1.13. Governing Law. The governing law for the purposes of clause 17 shall be the laws of Ireland.
1.14. The choice of Forum and Jurisdiction. The courts under clause 18 shall be Ireland.
1.15. Appendix. The Appendix shall be completed as follows: (i) the contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses; (ii) the contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses; (iii) The contents of section 10 of Schedule 2 shall form Annex I.C to the Standard Contractual Clauses; (iv) the contents of section 11 of Schedule 2 to this Exhibit shall form Annex II to the Standard Contractual Clauses.
1.16. Data Exports from the United Kingdom under the Standard Contractual Clauses. For data transfers governed by UK Data Protection Laws and Regulations, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum") as may be modified, updated or replaced from time to time, shall apply. The information required for Tables 1 to 3 of Part One of the Approved Addendum is set out in Schedule 2 of this DPA (as applicable). For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes.
1.17. Data Exports from Switzerland under the Standard Contractual Clauses. For data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss Data Protection Laws. The governing law for the purposes of clause 17 shall be Switzerland and the Swiss courts shall have jurisdiction under clause 18.
1.18. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
DESCRIPTION OF PROCESSING/TRANSFER
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
Name: Customer and its Authorized Affiliates. Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these clauses: Performance of the Service pursuant to the Agreement and as further described in the Documentation.
Signature and date:
Role: For the purposes of the EU C-to-P Transfer Clauses Customer and/or its Authorized Affiliate is a Controller.
For the purposes of the EU P-to-P Transfer Clauses Customer and/or its Authorized Affiliate is a Processor.
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
Name: Proven Software, LLC
Address: 68 Harriet Street, Unit 10, San Francisco, CA 94103, USA
Contact person’s name, position and contact details: Phil McNamara, privacy@getproven.com
Activities relevant to the data transferred under these clauses: Performance of the Service pursuant to the Agreement and as further described in the Documentation.
Signature and date:
Role: Processor
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
● Portfolio company users, customers, and business partners of Customer (who are natural persons)
● Employees or contact persons of Customer’s portfolio companies, customers, and business partners
● Employees, agents, advisors, freelancers of Customer (who are natural persons)
● Customer’s Users authorized by Customer to use the Service
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
● First and last name
● Title
● Position
● Employer
● Contact information (company, email, phone, physical business address)
● ID data
● Geolocation data
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off OR continuous basis):
Continuous basis depending on the use of the Service by Customer.
The nature of the Processing is the performance of the Service pursuant to the Agreement.
Proven will Process Personal Data as necessary to perform the Service pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Subject to section 8 of the DPA, Proven will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
As per 7 above, the Sub-processor will Process Personal Data as necessary to perform the Service pursuant to the Agreement. Subject to section 8 of this DPA, the Sub-processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Identities of the Sub-processors used for the provision of the Service and their country of location are listed on Proven’s website at www.getproven.com.
Identify the competent supervisory authority/ies in accordance with clause 13: the supervisory authority specified in section 12.11 of Schedule 1 shall act as the competent supervisory authority.
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Service, as described in Schedule 3 applicable to the specific Service purchased by data exporter. Data Importer will not materially decrease the overall security of the Service during a subscription term. Data Subject Requests shall be handled in accordance with section 3 of the DPA.
TECHNOLOGY AND ORGANIZATIONAL SECURITY CONTROLS
Proven shall undertake appropriate technical and organizational measures for the availability and security of Customer Personal Data and to protect it against unauthorized or unlawful Processing and against accidental or unlawful loss, destruction, alteration or damage, and against unauthorized disclosure or access. These measures, listed below, shall take into account the nature, scope, context and purposes of the Processing, available technology as well as the costs of implementing the specific measures and shall ensure a level of security appropriate to the harm that might result from a Security Incident.
A) AES 256 bit encryption at rest and in transit
B) Redundancy, HA/DR, and Proven segments data within our platform per customer so confidentiality, and integrity is ensured.
C) Full backups weekly and incremental backups daily. Proven retains this data for a rolling period in order to maintain restoration ability fully.
D) Full internal infrastructure audits, as well as 3rd party audits.
E) Proven offers SSO functionality as well as full role based authentication. All user activity and transactions are logged internally.
F) AES 256 bit encryption via AWS in transit
G) AES 256 encryption at rest using AWS standards
H) Proven leverages AWS for all data processing and Proven can provide AWS physical security documentation if requested.
I) Proven logs all events in platform at a transactional level. Proven also logs all internal events, changes, and updates for both production and sandbox environments.
J) Proven maintains a full change management policy and procedures policy. This tracks Proven’s default “known good” config as well as documenting all changes, updates and fixes made outside of the default config.
K) Proven has a full IT/IS Security policy that is reviewed and updated regularly per SOC2 guidelines.
Outside audits:
Penetration testing
SOC 2, Type I certification