MASTER SaaS AGREEMENT
THIS MASTER AGREEMENT (“AGREEMENT”) GOVERNS THE ACQUISITION AND USE OF VERINT PRODUCTS AND SERVICES. CAPITALIZED TERMS HAVE THE DEFINITIONS SET FORTH HEREIN.
Who is a “Customer” in this Agreement? The term Customer refers to any party (whether end customer or partner) that is consuming products or services from Opkey or an Opkey affiliate, and/or is conducting activities with Opkey, Opkey affiliates or other Opkey customers and partners through use of products, portal services or other services made available by Opkey.
When do these terms and conditions apply? The terms and conditions of this Agreement apply with respect to any of the following: If incorporated by reference on or attached to an order made effective between Customer and Opkey, an Opkey affiliate, or an Opkey authorized reseller for an Opkey product or service, provided if the order will co-terminate with Opkey offerings or is for the same Opkey offering on a prior order subject to a prior version of this Master Agreement, that prior version shall continue to apply until the next renewal; and
For any other products or services provided by Opkey or an Opkey affiliate, where the product or service is not directly and expressly contracted for under a separate agreement between Opkey and Customer.
BY ACCEPTING THIS AGREEMENT, BY (1) CLICKING A BOX INDICATING ACCEPTANCE, (2) EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, OR (3) USING TRIAL OR PORTAL SERVICES, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT IS ACCEPTING ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, SUCH INDIVIDUAL REPRESENTS THAT THEY HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF THE INDIVIDUAL ACCEPTING THIS AGREEMENT DOES NOT HAVE SUCH AUTHORITY, OR DOES NOT AGREE WITH THESE TERMS AND CONDITIONS, SUCH INDIVIDUAL MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE PRODUCTS AND SERVICES MADE AVAILABLE HEREUNDER.
IN THE EVENT CUSTOMER PURCHASES OPKEY PRODUCTS OR SERVICES THROUGH AN OPKEY AUTHORIZED RESELLER, CUSTOMER AGREES TO PROCURE ANY SUBSEQUENT PRODUCTS AND SERVICES CONSUMED HEREUNDER FROM SUCH RESELLER. IN THE EVENT SUCH RESELLER IS NO LONGER CUSTOMER’S VENDOR OR AUTHORIZED BY OPKEY, NOTWITHSTANDING ANY OTHER TERMS AND CONDITIONS IN THIS AGREEMENT, AMOUNTS DUE TO OPKEY REMAIN THE RESPONSIBILITY OF CUSTOMER, AND CUSTOMER SHALL EITHER (I) ARRANGE TO TRANSACT THROUGH ANOTHER OPKEY AUTHORIZED RESELLER, OR (II) ESTABLISH A DIRECT CREDIT APPROVED RELATIONSHIP WITH OPKEY.
Opkey products and services may not be accessed for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.
Opkey’s direct competitors are prohibited from accessing Opkey’s products and services, except with Opkey’s prior written consent. This Agreement was last updated on August 30, 2023, and is effective between Customer and Opkey (as defined in Schedule A) as of the date of Customer acceptance of this Agreement.
SCHEDULE A
GENERAL TERMS AND CONDITIONS
This Schedule A is made a part of the Agreement signed by the parties to which this Schedule A is attached. The following general terms and conditions shall apply to the Agreement:
1.
DEFINITIONS. All capitalized terms shall have the meaning ascribed to them, including the following:
1.1
“Affiliate” means with respect to a party, any entity which is directly or indirectly controlled by such party. "Control" for purposes of this definition, means ownership or control, directly or indirectly, of more than 50% of the voting interests of the subject entity.
1.2
“Confidential Information” means all confidential and proprietary information of a party ("Disclosing Party") disclosed to the other party ("Receiving Party"), whether orally or in writing, that is designated as “confidential” or the like, or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the terms and conditions of the Agreement (including pricing and other terms reflected in a Purchase Order), the Opkey Products business and marketing plans, technology and technical information, product designs, and business processes. "Confidential Information" shall not include information that (i) is or becomes a matter of public knowledge through no act or omission of the Receiving Party; (ii) was in the Receiving Party’s lawful possession prior to the disclosure without restriction on disclosure; (iii) is lawfully disclosed to the Receiving Party by a third party that lawfully and rightfully possesses such information without restriction on disclosure; (iv) the Receiving Party can document resulted from its own research and development, independent of receipt of the disclosure from the Disclosing Party; or (v) is disclosed with the prior written approval of the Disclosing Party.
1.3
“Customer Data” means the Customer specific configurations and rules implemented in the Opkey Products, and any Customer content processed by the Opkey Products (e.g., email text and attachments) that is not Personal Data.
1.4
“Customer Environment” means the computing environment separately procured, prepared, and maintained by Customer for the access and use of the Opkey Product(s), as further specified below in Section 3.1.2.
1.5
“Customer Equipment” means Customer’s computer hardware, software and network infrastructure used to access Software.
1.6
“Data Subject(s)” means any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural, or social identity.
1.7
“Documentation” means Opkey’s technical description of the Opkey Product(s) describing the specifications and use of the Opkey Products, including any Software provided, as updated from time to time.
1.8
“Error” means a failure of the Opkey Product(s) to substantially conform to the Documentation, that Opkey can replicate, or Customer can duplicate.
1.9
“Error Correction” means revisions, modifications, alterations, and additions to the Opkey Product(s), installed by Opkey in the Hosted Environment as bug fixes or workarounds to resolve Errors.
1.10
“Extension Term(s)” means each additional one-year (or other agreed upon period) Subscription Term for which the Subscription Term for an Opkey Product is extended pursuant to Section 7.
1.11
“Hosted Environment” means Opkey, or its third party’s technical environment required to operate and provide access to the relevant Opkey Product(s), as further specified below in Section 3.1.2.
1.12
“Initial Term” means the initial Subscription Term for an Opkey Product that is defined on the Order and applicable Purchase Order.
1.13
“Licenses” means the type and quantity of the Opkey license identified in Opkey’s sales quote; Customer needs a License in order to legally use an Opkey Product.
1.14
“Managed Services” means on-going active management provided by Opkey to Customer on a subscription basis to manage either Opkey Products or third-party products licensed separately by Customer, as specifically set forth in an applicable Opkey managed services document corresponding to such Managed Services.
1.15
“Opkey Intellectual Property” means all Intellectual Property Rights in the Services, Software, Documentation, Hosted Environment, and all other Confidential Information provided by Opkey hereunder.
1.16
“Opkey Product(s)” means the Service or Software licensed and/or purchased by Customer pursuant to an Order and Purchase Order.
1.17
“Order” means the details of a Customer order (i) on an order form or schedule provided by Opkey and signed by Customer, (ii) on Customer’s purchase order provided to and accepted by Opkey, or (iii) placed on Customer’s behalf by an authorized Opkey reseller and accepted by Opkey. For the purposes of (iv), all terms and conditions of this Agreement shall apply as between Customer and Opkey, except with respect to invoicing and payment terms.
1.18
“Personal Data” means data about an identifiable individual that is protected by privacy laws where the individual resides. Examples of personal data include name, religion, gender, financial information, national identifier numbers, health information, email addresses, IP addresses, online identifiers, and location data. Opkey’s protection of Personal Data is described in Section 5.
1.19
“Personnel” means, with respect to Customer, each of Customer’s and/or Customer’s Affiliate’s employees and independent contractors (in each case, not a competitor of Opkey) under obligations (a) of confidentiality and nondisclosure, and (b) to protect Opkey Intellectual Property, and any other individuals with access to components of the Service designated for external use, which Customer authorizes to use the Services purchased; with respect to Opkey, each Opkey employee or subcontractor under obligations of confidentiality and nondisclosure which performs on behalf of Opkey hereunder. For the avoidance of doubt, each party shall be responsible for its Personnel’s compliance with this Agreement.
1.20
“Privacy Laws” means laws, as applicable to Personal Data in the context and jurisdiction of the Processing, concerning the regulation of the collection, retention, processing, data security, disclosure, trans-border data flows, use of website cookies, email communications, use of IP addresses and metadata collection.
1.21
“Process(ing)(ed)” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, as described in this Agreement.
1.22
“Professional Services” means the installation, implementation, data migration, configuration, or advisory services provided by Opkey to Customer.
1.23
“Professional Service Fees” means, in U.S. dollars, the fees identified on each Order on a fixed fee or time and material basis for Professional Services to be performed.
1.24
“Purchase Order” means an ordering document for an Opkey Product issued by Customer or Reseller that contains at least the following information: product name, license quantity, Subscription Term, price, and billing contact, all corresponding to the Opkey or reseller quote.
1.25
“Reseller” means a third-party authorized by Opkey to resell Opkey Products directly to Customer.
1.26
“Scheduled Downtime” means any downtime scheduled to perform system maintenance, backup and upgrade functions for the Hosted Environment, and any other downtime incurred as a result of a Customer request.
1.27
“Service” means any Opkey Product licensed on a hosted basis as software-as-a-service.
1.28
“Service Levels” means the service level commitments from Opkey with respect to the maintenance and support of the Service.
1.29
“Total Time” means the total number of minutes in the applicable month.
1.30
“Software” means any Opkey software programs licensed by Opkey to Customer, together with all the Software Updates.
1.31
“Software Update(s)” means each Software update and enhancement that Opkey generally makes available at no additional charge to its customers who are current in payment of applicable Fees, or otherwise provides to Customer under the Agreement.
1.32
“SOW” means each statement of work, engagement letter or other writing signed by Opkey and Customer that describes the Professional Services and/or Managed Services provided by Opkey. Each SOW shall reference the Agreement and will be subject to the terms and conditions hereof.
1.33
“Subscription Term” means the term during which Customer receives a license to use the applicable Opkey Product(s).
1.34
“Taxes” means any direct or indirect local, state, federal or foreign taxes, levies, duties, or similar governmental assessments of any nature, including value-added, sales, use or withholding taxes.
1.35
“Term” means the Initial Term and any Extension Term applicable to each Order and Purchase Order.
1.36
“Unscheduled Downtime” means any time outside of the Scheduled Downtime when the Service is not available to perform operations. Unscheduled Downtime is measured in minutes.
1.37
“Uptime Percentage” means Total Time minus Unscheduled Downtime, divided by Total Time.
1.38
“User” means Customer's and its Affiliates' employees, agents, subcontractors, consultants, or other individuals authorized hereunder to use the Opkey Product.
1.39
“Work Product” means all work product developed or created by Opkey during the course of providing support, Managed Services or Professional Services to Customer. Notwithstanding anything herein to the contrary, Work Product shall not include any Customer Confidential Information, Customer Data, or Personal Data.
2.
LICENSE TERMS
2.1
Customer License: Subject to the terms of the Agreement, Opkey grants to Customer a worldwide, royalty-free, non-exclusive, time-limited, non-transferable (except to a successor-in-interest as permitted hereunder), limited license to access and/or use (as applicable) the Opkey Products during the Term in the quantities of Licenses specified in the applicable Purchase Order and subject to any limitations set forth in the corresponding applicable quote, solely for Customer’s own internal business purposes. Customer may authorize subcontractors and/or Affiliates to access and/or use the Opkey Products, subject to the number of Licenses authorized by the Agreement and the terms and conditions of the Agreement; provided Customer is liable for all acts and omissions of the subcontractors and/or Affiliates. Customer may use the Documentation in connection with the License granted hereunder.
2.2
Warranties, Remedies and Disclaimers.
2.2.1
Party Warranty: Each party warrants that (i) it has the legal power to enter into, and perform under, the Agreement; and (ii) it shall comply with all applicable laws in its performance hereunder.
2.2.2
Performance Warranty: Opkey warrants that during the Subscription Term the applicable Service (“SaaS Warranty”) and Software (“Software Warranty”) will substantially conform in all material respects to the Documentation. Customer will provide prompt written notice of any non-conformity. Opkey may modify the Documentation in its sole discretion, provided the functionality of the Service or Software, as applicable, will not be materially decreased during the Term. The Software Warranty does not apply to: (a) Software that has been modified by any party other than Opkey; or (b) Software that has been improperly installed or used in a manner other than as authorized under the Agreement.
2.2.3
SaaS and Software Warranty Remedy: As Customer’s sole and exclusive remedy and Opkey’s entire liability for any breach of the SaaS Warranty or the Software Warranty, Opkey will (a) use reasonable efforts to fix, provide a work around, or otherwise repair or replace the Service or Software, as applicable, or if Opkey is unable to do so, (b) terminate the license to use such component of the Service or the applicable Software and return a pro rata refund of any remaining prepaid Fees paid to Opkey for such allegedly defective Service or Software, as applicable, for the period commencing from Customer’s notice of nonconformity through the remainder of the Initial Term or Extension Term, as applicable.
2.2.4
Disclaimer: THE WARRANTIES AND EXCLUSIVE REMEDY SET FORTH ABOVE IN SECTION 2.2 ARE MADE FOR THE BENEFIT OF CUSTOMER ONLY, AND ARE EXPRESSLY SUBJECT TO CUSTOMER’S PAYMENT OBLIGATIONS HEREUNDER. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH ABOVE, OPKEY AND OPKEY LICENSORS DISCLAIM ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AS WELL AS ANY WARRANTIES OF REGULATORY COMPLIANCE, PERFORMANCE, ACCURACY, RELIABILITY, AND NONINFRINGEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THE AGREEMENT. WITHOUT LIMITING THE FOREGOING, OPKEY DOES NOT WARRANT THAT ALL ERRORS CAN BE CORRECTED OR THAT OPERATION OF THE OPKEY PRODUCTS SHALL BE UNINTERRUPTED OR ERROR-FREE.
2.2.5
Service Level Agreement: Opkey provides a Service Level Agreement (“SLA”) as set forth on the attached Schedule B. In the event of a breach of an SLA, as Customer’s sole and exclusive remedy, Opkey shall provide the remedy set forth in the applicable SLA.
3.
RESPONSIBILITIES
3.1
Opkey Responsibilities.
3.1.1
Procedures and Technical Protocols: Opkey will specify to Customer procedures according to which Customer may establish and obtain access and use the features and functions of the Services.
3.1.2
Services: Opkey, at its own cost and expense, will be responsible for the procurement, preparation, hosting, operation and maintenance of the Hosted Environment, including all facilities, hardware, software, telecommunication services, and all other technical requirements necessary to provide access to and use of the Services; provided Customer will be responsible for procuring and/or operating the Customer Environment, including computer systems, software and telecommunications services meeting such minimum technical requirements and, unless otherwise specified on an Order, for the installation and configuration of the on-premise components in that Customer Environment, each as Opkey may specify in the Documentation.
3.1.3
Support; Managed Services; Professional Services.
3.1.3.1
Opkey shall provide support and/or Managed Services provided Customer is current in payment of the applicable Fees and any additional fees for support and/or Managed Services, if applicable.
3.1.3.2
Opkey shall provide Professional Services and/or Managed Services, if any, specified in one or more SOWs. All Professional Services shall be billed as stated in the applicable SOW and Customer agrees that, if Customer has not used Professional Services within one (1) year of paying for such Professional Services, then Opkey has no further obligations and Customer shall not be entitled to a refund except as set forth expressly in the applicable SOW.
3.1.3.3
Opkey warrants it will provide Managed Services and/or Professional Services in a professional and workmanlike manner consistent with reasonable industry standards and practices. As Customer’s sole and exclusive remedy and Opkey’s entire liability for any breach of the foregoing warranty, Opkey will use reasonable efforts to re-perform the Managed Services and/or Professional Services, as applicable, or, if Opkey is unable to do so, terminate the applicable Managed Services and/or SOW and return a pro-rata refund of that portion of any Fees paid to Opkey that correspond to the allegedly defective Managed Services and/or Professional Services.
3.2
Customer Responsibilities.
3.2.1
Customer agrees that Customer is solely responsible for: (i) obtaining any Customer Data and other information Customer provides while using the Services, (ii) obtaining all rights and consents necessary to collect, retain, use and/or disclose the Customer Data, (iii) ensuring the Processing, collection, retention and other processing of Personal Data in connection with the use and delivery of the Services does not violate the rights of Data Subjects or the Privacy Laws, and (iv) the accuracy, completeness, quality, integrity, legality, reliability, appropriateness and copyright of all Customer Data. By providing any Customer Data or other information, Customer represents and warrants that such information does not (x) violate any intellectual property rights, publicity rights, confidentiality, or trade secret rights, or any other legal or equitable rights; (y) violate any law, rule, order, judgment or regulation to which Customer or the Customer Data may be subject; and (z) violate in any way Customer’s obligations in this Section below. Customer acknowledges and agrees that Opkey is not responsible or liable for any unlawful, harassing, defamatory, privacy invasive, abusive, threatening, offensive, harmful, vulgar, obscene, tortious, hateful, racially, ethnically, or otherwise objectionable information, or content, or information or content that infringes or may infringe any copyright, patent, moral right, trade secret, confidential information, trademark right or any other right of a third party. Opkey may remove any violating content posted on the Services or transmitted through the Services, without notice to Customer.
3.3
Passwords: All access codes and passwords are personal to the individual to which it is issued. Customer and its Personnel are responsible for maintaining the confidentiality and security of all access codes and passwords issued and ensuring that each access code and password is only used by the individual authorized. To the extent Opkey assigned Customer with administrative rights to create access codes and passwords for its Personnel, Customer shall be responsible for issuing such passwords.
3.4
Use of Services: Customer shall be solely responsible for the actions of its Personnel while using the Services and the contents of its transmissions through the Services (including, without limitation, Customer Data), and any resulting charges. Customer agrees to: (i) abide by all local, state, national, and international laws and regulations applicable to Customer's use of the Services, including without limitation all laws and administrative regulations (including, all U.S. and applicable foreign) relating to the control of exports of commodities and technical and/or Personal Data, and shall not allow any of its Personnel or Data Subjects to access or use the Service in violation of any export embargo, prohibition or restriction, including but not limited to any party on a U.S. government restricted party list; (ii) provide any required notifications to Data Subjects, and obtain all rights and requisite consents from Data Subjects in accordance with all applicable Privacy Laws and other laws in relation to the collection, use, disclosure, creation and processing of Personal Data in connection with this Agreement and the use and delivery of the Services; (iii) not use the Services for illegal purposes; (iv) not knowingly upload or distribute in any way files that contain viruses, corrupted files, or any other similar software or programs that may damage the operation of the Hosted Environment, Services or another's computer; (v) not knowingly interfere with another customer's use and enjoyment of the Services or another entity's use and enjoyment of similar services; (vi) not knowingly engage in contests, chain letters or post or transmit "junk mail," "spam," "chain letters," or unsolicited mass distribution of email through or in any way using the Services; (vii) not interfere or disrupt networks connected to the Hosted Environment or Services; (viii) not post, promote or transmit through the Services any unlawful, harassing, defamatory, privacy invasive, abusive, threatening, offensive, harmful, vulgar, obscene, tortious, hateful, racially, ethnically or otherwise objectionable information or content of any kind or nature; and (ix) not transmit or post any material that encourages conduct that could constitute a criminal offense or give rise to civil liability. In addition, Customer agrees not to use an Opkey Product, or permit it to be used, for purposes of: (i) product evaluation, benchmarking or other comparative analysis intended for publication outside the Customer organization without Opkey's prior written consent; (ii) infringement of the intellectual property rights of any third party or any rights of publicity or privacy; (iii) violation of any law, statute, ordinance, or regulation (including, but not limited to, the laws and regulations governing export/import control, unfair competition, anti-discrimination, and/or false advertising or misuse of Opkey Products in violation of this subsection (iii)); (iv) propagation of any virus, worms, Trojan horses, or other programming routine intended to damage any system or data; and/or (v) filing copyright or patent applications that include the Opkey Products and/or Documentation or any portion thereof.
3.5
Restrictions: Customer specifically agrees to limit the use of the Opkey Products to those parameters set forth in the applicable Order and an accompanying Purchase Order. Without limiting the foregoing, Customer specifically agrees not to: (i) resell, sublicense, lease, time-share or otherwise make an Opkey Product (including the Documentation) available to any third party (except Affiliates and subcontractors); (ii) attempt to gain unauthorized access to, or disrupt the integrity or performance of, an Opkey Product or the data contained therein (including but not limited to hacking or penetration testing Opkey’s systems); (iii) modify, copy or create derivative works based on an Opkey Product; (iv) decompile, disassemble, reverse engineer or otherwise attempt to derive source code from an Opkey Product, in whole or in part; and/or (v) access an Opkey Product for the purpose of building a competitive product or service or copying its features or user interface.
4.
CONFIDENTIALITY
4.1
Receiving Party shall not (i) disclose any Confidential Information of the Disclosing Party to any third party, except as otherwise expressly permitted herein, or (ii) use any Confidential Information of Disclosing Party for any purpose outside the scope of the Agreement, except with Disclosing Party's prior written consent. The Receiving Party shall not make Confidential Information available to any of its employees or consultants except those that have agreed to obligations of confidentiality at least as restrictive as those set forth herein and have a “need to know” such Confidential Information. The Receiving Party agrees to hold the Disclosing Party’s Confidential Information in confidence and to take all precautions to protect such Confidential Information that the Receiving Party employs with respect to its own Confidential Information of a like nature, but in no case shall the Receiving Party employ less than reasonable precautions. The Agreement will not be construed to prohibit disclosure of Confidential Information to the extent that such disclosure is required by law or valid order of a court or other governmental authority; provided, however, to the extent permitted by law, the responding party shall give prompt written notice to the other party to enable the other party to seek a protective order or otherwise prevent or restrict such disclosure and, if disclosed, the scope of such disclosure is limited to the extent possible.
4.2
The Receiving Party will return all copies of the Disclosing Party’s Confidential Information upon the earlier of (i) the Disclosing Party’s request, or (ii) the termination or expiration of the Agreement. Instead of returning such Confidential Information, the Receiving Party may destroy all copies of such Confidential Information in its possession; provided, however, the Receiving Party may retain a copy of any Confidential Information disclosed to it solely for archival purposes, provided that such copy is retained in secure storage and held in the strictest confidence for so long as the Confidential Information remains in the possession of the Receiving Party.
4.3
The parties acknowledge and agree that the confidentiality obligations set forth in this Agreement are reasonable and necessary for the protection of the parties’ business interests, that irreparable injury may result if such obligations are breached, and that, in the event of any actual or potential breach of this Confidentiality provision, the non-breaching party may have no adequate remedy at law and shall be entitled to seek injunctive and/or other equitable relief as may be deemed proper by a court of competent jurisdiction.
5.
DATA SECURITY; PRIVACY.
5.1
Limited Use of Personal Data: Opkey and its subsidiaries are authorized to access and process Personal Data solely in accordance with the terms of the Agreement. Opkey and its subsidiaries shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to the Personal Data and will ensure access is strictly limited to those individuals who need to access the relevant Personal Data in the performance of Opkey’s obligations under the Agreement.
5.2
Data Safeguards: Pursuant to the attached Schedule C, Opkey shall, either directly or through its third-party service provider, implement and maintain reasonable administrative, physical, and technical safeguards to guard against unauthorized access to the Customer Data while it is retained within the Hosted Environment. Opkey reviews its security precautions on a regular basis and modifies them as required by legal, regulatory, and other requirements.
5.3
Data Privacy: In addition to all other obligations in this Agreement with respect to Customer Data, each party agrees to comply with its obligations under Privacy Laws, and in the context of any Processing of Personal Data through the provision of the Services, support and/or Professional Services, the parties shall comply with Schedule D. Customer hereby consents to Opkey, its Affiliates, and Personnel of each, Processing Personal Data in relation to Customer’s Personnel and contacting the same for legitimate purposes, including without limitation, the administrative functions connected with Orders and invoices, its contractual rights and obligations under this Agreement, the provision of the Services, support and/or Professional Services. Customer understands and acknowledges that in connection with the Processing of Personal Data pursuant to this Agreement, Opkey may share Personal Data with its Affiliates, and its Personnel, and Opkey and/or its Affiliates may Process such Personal Data in any jurisdiction in which Opkey or its Affiliates or subcontractors maintain facilities.
6.
FINANCIAL TERMS; ORDERS.
6.1
Fees: Fees for the Opkey Products will be the Fees and other fees set forth in the Purchase Orders (collectively, the “Fees”). The Fees stated in each Purchase Order shall be effective during the Initial Term specified in that Purchase Order; the Fees and other fees for each Extension Term shall be defined in the applicable Purchase Order or, in the absence of any such terms regarding Fees for Extension Terms, by mutual agreement of the parties.
6.2
Taxes: Customer will be liable for payment of all Taxes that are levied upon and related to the performance of obligations or exercise of rights under the Agreement. Opkey may be required to collect and remit Taxes from Customer, unless Customer provides Opkey with a valid tax exemption certificate. The amounts received by Opkey, after the provision for any Tax or withholding required by any country, will be equal to the amounts specified on the Purchase Order. In no event will either party be responsible for any taxes levied against the other party's net income.
6.3
Order: The details of a Customer order (i) on an order form or schedule provided by Opkey and signed by Customer, (ii) on Customer’s purchase order provided to and accepted by Opkey, or (iii) placed on Customer’s behalf by an authorized Opkey reseller on and accepted by Opkey. For the purposes of (iii), all terms and conditions of this Agreement shall apply as between Customer and Opkey, except with respect to invoicing and payment terms. Order documents may also include terms and conditions for shipments, delivery, title, risk of loss payment if applicable.
6.4
Payment: Time is of the essence in all payment terms. Unless otherwise agreed between Customer and Reseller, all Fees due under an Order and Purchase Order shall be due and payable within thirty (30) days of receipt of invoice without reduction, deduction or off-set by Customer for any reason whatsoever. Except as otherwise expressly permitted herein, all Fees owed are non-cancellable and non-refundable for the Term. Any payment not received from Customer by the due date may accrue (except for amounts then under reasonable and good faith dispute pursuant to Section 6.5) interest at the rate of one and one-half percent (1.5%) of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid. Opkey may decline to make any shipments of Opkey Products and/or provide Managed Services and/or Professional Services if, in Opkey’s reasonable opinion, circumstances exist which raise doubt as to Customer’s ability or willingness to pay as provided herein. Failure to make timely payment may result in immediate termination of access to the Opkey Products and/or cessation of provision of Managed Services and/or Professional Services. Upon default by Customer, Opkey will have all remedies available at law or in equity. No refunds will be made except as expressly provided for pursuant to warranties under Section 2.2 herein for the applicable Opkey Product, Managed Services and/or Professional Services and as provided under the intellectual property indemnity under Section 8 herein. Customer shall reimburse Opkey for all costs of collection, including reasonable attorneys' fees. This Section is without prejudice to any other rights and remedies available to Opkey under this Agreement or at law.
6.5
Disputed Invoices: Customer shall have the right to withhold payment of any invoiced amounts that are disputed in good faith until the parties reach agreement with respect to such disputed amounts, and such withholding of disputed amounts shall not be deemed a breach of the Agreement, nor shall any interest be paid thereon. In such case, Customer shall promptly (and in no event more than ten (10) business days from receipt of invoice) provide written notice to Opkey of any such dispute prior to withholding such payment, specifying in reasonable detail the nature of the dispute and the amount withheld, and shall pay all undisputed amounts set forth on such invoice in accordance with this Section. The parties will negotiate in good faith to attempt to resolve such disputes within thirty (30) days of submission of such dispute by Customer.
6.6
Overage: Measured on a monthly basis, any actual usage of the Service which exceeds the number of licenses subscribed to by Customer under an Order or Orders applicable to the Service.
7.
TERM; SUSPENSION; TERMINATION; EXPIRATION.
7.1
Unless otherwise set forth in an Order, the Initial Term applicable to each Order (including follow-on orders) commences on the later of: (i) the date Opkey processes the applicable Purchase Order for a Opkey Product evaluated by the Customer, or (ii) for all other Opkey Product orders, the date Opkey sends to Customer an email indicating that the Opkey Products are available for use (to the extent each of the foregoing applies to Customer’s engagement). Upon expiration of the Initial Term and any Extension Term(s) under each Purchase Order, the Subscription Term applicable to such Order and Purchase Order shall automatically renew for subsequent Extension Terms unless otherwise agreed by the parties or either party gives the other notice of non-renewal at least ninety (90) days prior to the end of the relevant Subscription Term.
7.2
In the event Customer (i) fails to pay Opkey any undisputed amounts past due, or (ii) is in breach of Section 3.2, Opkey shall have the right to immediately suspend without notice any or all related Services provided to Customer hereunder.
7.3
Either party may terminate the Agreement or any Order and Purchase Order (i) immediately upon written notice if the other party commits a non-remediable material breach; or (ii) if the other party fails to cure any remediable material breach within thirty (30) days of being notified in writing of such breach, unless such breach is for non-payment and then within five (5) days of such notice. If Opkey is the breaching party, any refunds hereunder shall be a pro-rata refund of any remaining prepaid Fees applicable to those Opkey Product(s).
7.4
Either party may terminate this Agreement immediately by written notice if no Order and Purchase Order is in effect.
7.5
Upon termination or expiration of the Agreement, all Software licenses, Service access, Managed Services access and/or Professional Services fulfillment granted under this Agreement shall automatically terminate with immediate effect. In the event of the termination or expiration of the Agreement, the provisions of the Agreement which by their nature extend beyond the expiration or termination of the Agreement shall survive, and any accrued rights to payment shall remain in effect beyond such termination or expiration until fulfilled.
8.
INTELLECTUAL PROPERTY INDEMNITY.
8.1
Opkey Indemnity: Opkey, at its sole expense, shall defend, indemnify, and hold harmless Customer from any action based upon a claim that the Service used as permitted infringes any valid third-party U.S. patent, copyright, trade secret, or other proprietary right, and shall reimburse Customer for all damages, costs, and expenses (including reasonable attorneys’ fees) awarded against Customer pursuant to any such actions (“Claim”). If the Service becomes, or in Opkey’s opinion is likely to become, subject of such a Claim of infringement, Opkey shall be entitled, at Opkey’s sole option, to either procure the right for Customer to continue to use the Service or replace or modify it so that it becomes non-infringing. If neither of the foregoing is commercially and reasonably available to Opkey, Opkey may terminate the Service and return to Customer a pro rata refund of any remaining prepaid Fees applicable to those Services. Opkey shall have no obligation or liability hereunder for any claim resulting from: (i) modification of the Service (a) by any party other than Opkey, or (b) by Opkey in accordance with Customer’s designs, specifications, or instructions; (ii) use of the Service other than as granted in this Agreement; or (iii) use of the Service in conjunction with other products or services not provided by Opkey or necessary for the operation of the Service, where such infringement would not have occurred but for such use; or (iv) use of a version of the Service other than the then-current version where Customer has requested the prior version remain in use.
8.2
Process: Opkey’s obligations under this Section 9 are conditioned upon the following: (i) Customer first providing written notice of the Claim to Opkey within thirty (30) days after Customer becomes aware of or reasonably should have been aware of the Claim (provided, however, the failure to provide such notice will only relieve Opkey of its indemnity obligations hereunder to the extent Opkey is prejudiced thereby); (ii) Customer tendering sole and exclusive control of the Claim to Opkey at the time Customer provides written notice of such Claim to Opkey; and (iii) Customer providing reasonable assistance, cooperation and required information with respect to defense and/or settlement of the Claim, including Customer providing Opkey with access to documents and personnel at Opkey’s request and expense. Customer may at its sole expense participate in the Claim, except that Opkey will retain sole control of the defense and/or settlement. Opkey shall not agree to any settlement of a Claim that includes an injunction against Customer or admits Customer liability without Customer’s prior written consent, which consent shall not be unreasonably withheld, conditioned, or delayed.
8.3
Customer Indemnity: Customer, at its sole expense, shall defend, indemnify, and hold harmless Opkey from any action based upon a claim resulting from breach of Sections 3.2 by Customer, its Affiliates or Personnel of either, and shall reimburse Opkey for all damages, costs, and expenses (including reasonable attorneys’ fees) awarded against Opkey pursuant to any such actions.
9.
INTELLECTUAL PROPERTY RIGHTS, LICENSES AND AUTHORIZATIONS.
9.1
Ownership: Customer retains all title, intellectual property and other ownership rights in all Customer’s Confidential Information, Customer Data, and all data that Customer makes available for processing by the Opkey Products. Customer warrants and covenants that Customer has the right to provide Customer Data and Personal Data to Opkey hereunder. Opkey retains all title, intellectual property and other ownership rights throughout the world in and to the Opkey Products, Documentation, any Professional Services and Managed Services and the Work Product and any modifications to, and derivative works of, the foregoing. Opkey hereby grants to Customer a non-exclusive, non-transferable, fully paid-up license to use the Work Product in connection with the Opkey Product licensed under the Agreement and solely for Customer’s internal business purposes. Professional Services and/or Managed Services (and any resulting Work Product from either offering) are not provided on a “work made for hire” basis.
9.2
No Implied Rights: There are no implied rights and all rights not expressly granted herein are reserved. No license, right or interest in any Opkey trademark, copyright, patent, trade name or service mark is granted hereunder. Customer shall not remove from any full or partial copies made by Customer of the Software, Software Updates and Documentation any copyright or other proprietary notice contained in or on the original, as delivered to Customer.
9.3
Injunctive Relief: Each party acknowledges that the Opkey Products contain valuable trade secrets and proprietary information of Opkey, that in the event of any actual or threatened breach of the scope of any of the licenses granted hereunder, such breach shall constitute immediate, irreparable harm to Opkey for which monetary damages would be an inadequate remedy, and that injunctive relief is an appropriate remedy for such breach in addition to whatever remedies Opkey might have at law or under this Agreement.
9.4
Opkey Authorization and License: During the Term of the Agreement, Customer hereby (i) grants to Opkey and its service providers a worldwide, limited term license to collect and process certain Customer’s Confidential Information and Customer Data, and (ii) authorizes Opkey to collect and process certain Personal Data in accordance with this Agreement.
10.
LIMITATION OF LIABILITY.
10.1
EXCEPT FOR (i) INTELLECTUAL PROPERTY INDEMNIFICATION OBLIGATIONS, (ii) DAMAGES RESULTING FROM EITHER PARTY’S GROSS NEGLIGENCE, FRAUD OR WILLFUL MISCONDUCT, (iii) DAMAGES RESULTING FROM EITHER PARTY’S MATERIAL BREACH OF THE CONFIDENTIALITY SECTION, (iv) CUSTOMER’S BREACH OF THE CUSTOMER RESPONSIBILITIES SECTION, OR (v) CUSTOMER’S PAYMENT OBLIGATIONS, EACH PARTY’S AGGREGATE LIABILITY UNDER THE AGREEMENT SHALL IN NO EVENT EXCEED THE ANNUALIZED FEES PAID FOR THE APPLICABLE OPKEY PRODUCT.
10.2
EXCEPT FOR (i) DAMAGES RESULTING FROM EITHER PARTY’S MATERIAL BREACH OF THE CONFIDENTIALITY SECTION, OR (ii) CUSTOMER’S BREACH OF THE CUSTOMER RESPONSIBILITIES SECTION, IN NO EVENT SHALL EITHER PARTY OR ITS LICENSORS OR SUPPLIERS HAVE ANY LIABILITY TO THE OTHER OR ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR COVER DAMAGES OR LOSSES, ARISING OUT OF OR IN CONNECTION WITH THE AGREEMENT, HOWEVER CAUSED AND WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10.3
THE LIMITATION OF LIABILITY AND EXCLUSION OF CERTAIN DAMAGES STATED HEREIN WILL APPLY REGARDLESS OF THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. BOTH PARTIES HEREUNDER SPECIFICALLY ACKNOWLEDGE THAT THESE LIMITATIONS OF LIABILITY ARE REFLECTED IN THE PRICING.
11.
MISCELLANEOUS.
11.1
Consent: Wherever in this Agreement consensus, approval, acceptance, or other consent is required, such consent shall not be unreasonably withheld, conditioned, or delayed; however, it shall not be considered unreasonable for Opkey to withhold its consent if such consent could jeopardize the confidentiality of or Opkey’s property interests in and to Opkey Intellectual Property or other business interests of Opkey.
11.2
Publicity: Neither party may issue press releases or otherwise publicize the parties’ relationship without the other party’s prior written consent.
11.3
Independent Contractors: Relationship with Third Parties. The parties are independent contractors, and no partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties is created hereby. There are no third-party beneficiaries to this Agreement.
11.4
Notices: All notices or other communications required hereunder shall be made in writing and shall be deemed to be effectively given: (a) if made available to Customer’s Personnel by Opkey posting such notice to the Service, and if emailed, the first business day after sending the notice (provided email shall not be sufficient for notices of termination, alleged breach or an indemnifiable claim); or (b) if hand delivered, when received, and if mailed for overnight delivery, when delivery by the overnight carrier is made, in each instance at the applicable address set forth on the signature page. Such addresses may be updated by a party from time to time by providing notice to the other party in accordance with the terms of this Section. Each party may change its notices address by giving notice in the manner set forth herein.
11.5
Waiver: No failure or delay in exercising any right hereunder shall constitute a waiver of such right. Except as otherwise provided, remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect.
11.6
Force Majeure: Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations) due to circumstances beyond such party's reasonable control, including acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (excluding those involving such party's employees), service disruptions involving hardware, software or power systems not within such party's possession or reasonable control, and denial of service attacks.
11.7
Assignment: Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including then-current Orders) upon written notice, without consent of the other party, to its successor in interest in connection with a merger, reorganization, or sale of all or substantially all assets or equity not involving a direct competitor of the other party.
11.8
Export Restrictions: Each party agrees to comply with (a) all applicable regulations of the United States Department of Commerce and (b) the United States Export Administration Act, as amended from time to time, and with all applicable laws and regulations of other jurisdictions with respect to the importation and use of the Opkey Products and Opkey’s Confidential Information and any media.
11.9
Applicable Law.
11.9.1
If Customer is in any country on the American continent, this Agreement will be governed by the laws of the State of New York and the United States of America, without regard to conflict of law principles. The parties hereby irrevocably consent to the exclusive jurisdiction and venue of the state and federal courts located in New York, New York, for resolution of any disputes arising out of this Agreement.
11.9.2
If Customer is in any country outside the American continent, this Agreement will be governed by the laws of England and Wales, without regard to conflict of law principles. The parties hereby irrevocably consent to the exclusive jurisdiction and venue of the High Court of Justice located in London, England, for resolution of any disputes arising out of this Agreement.
11.9.3
The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement.
11.10
Headings: Language. All headings used herein are for convenience of reference only and will not in any way affect the interpretation hereof. The English language version of this Agreement controls. It is the express wish of both parties that this Agreement, and any associated documentation, be written and signed in English. Nothing in this Agreement shall make either party the agent of the other for any purposes whatsoever. No exclusive rights are granted by Opkey under this Agreement. All rights or licenses not expressly granted to Customer herein are reserved to Opkey, including the right to license the use of the Services and any Software to other parties. Any reference to a law or statute in this Agreement shall be deemed to include any amendment, replacement, re-enactment thereof for the time being in force and to include any by-laws, statutory instruments, rules, regulations, orders, notices, directions, consents, or permissions (together with any conditions attaching to any of the foregoing) made in respect thereof.
11.11
Counterparts: This Agreement and any Order hereunder may be executed by facsimile and in counterparts.
11.12
Entire Agreement; Integration: This Agreement constitutes the entire agreement of the parties and supersedes all prior or contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter. No amendment or waiver of any provision of this Agreement shall be effective unless in writing and signed by the party against whom the amendment or waiver is to be asserted. Notwithstanding any language to the contrary therein, any purchase order issued by Customer or Reseller shall be deemed a convenient order and payment device only and no terms (other than product name, license quantity, price, subscription term, and billing contact) stated in any purchase order shall be incorporated into this Agreement, and all such other terms shall be void and of no effect.
SCHEDULE B
SERVICE LEVELS
This Schedule B is made a part of the Agreement signed by the parties to which this Schedule B is attached. The following general terms and conditions shall apply to this Agreement:
1.
SERVICE AVAILABILITY.
1.1
Uptime: Opkey will use commercially reasonable efforts to ensure that the Hosted Environment will be available 24 hours per day, 7 days per week, excluding any Scheduled Downtime. In addition to any other notification requirements, Opkey will provide Customer with a minimum of seven (7) days advance notice of Scheduled Downtime, and Opkey may post a notice on the application log-in screen to notify Customer administrator of any Scheduled Downtime that will exceed two (2) hours. The duration of any downtime is measured, in minutes, as the amount of elapsed time from when the Hosted Environment is not accessible or does not permit Customer to log on, to when the SaaS Services permits Customer to log on and access the Hosted Environment.
1.2
Service Level Credits: If Opkey does not meet the Uptime Percentage levels specified below, Customer will be entitled, upon written request, to a service level credit (“Service Level Credit”) to be calculated, with respect to the applicable Hosted Environment, as follows:
a. If Uptime Percentage is at least 99.95% of the month’s minutes, no Service Level Credits are provided; or
b. If Uptime Percentage is 99.75% to 99.94% (inclusive) of the month’s minutes, Customer will be eligible for a credit of 5% of a monthly average fee derived from one-twelfth (1/12th) of the then-current annual fee paid to Opkey; or
c. If Uptime Percentage is 99.50% to 99.74% (inclusive) of the month’s minutes, Customer will be eligible for a credit of 7.5% of a monthly average fee derived from one-twelfth (1/12th) of the then-current annual fee paid to Opkey; or
d. If Uptime Percentage is less than 99.50% of the month’s minutes, Customer will be eligible for a credit of 10.0% of a monthly average fee derived from one-twelfth (1/12th) of the then-current annual fee paid to Opkey
1.3
Bug Fixes and Feature Requests.
Note: Time for resolution of any issue reported on phone/chat directly will only be considered once an “official ticket has been logged or an official mail has been sent”.
Customer shall only be eligible to request Service Level Credits if it notifies Opkey in writing within thirty (30) days from the end of the month for which Service Level Credits are due. All claims will be verified against Opkey’s system records. In the event after such notification Opkey determines that Service Level Credits are not due, or that different Service Level Credits are due, Opkey shall notify Customer in writing on that finding. With respect to any Services Level credits due under Orders placed directly by Customer on Opkey, Service Level Credits will be applied to the next invoice following Customer’s request and Opkey’s confirmation of available credits; with respect to any Service Level Credits due for SaaS Services under Orders placed on Opkey by a Opkey authorized reseller on Customer’s behalf, Service Level Credits will be issued by such reseller following Customer’s request and Opkey’s confirmation of available credits and such Services Level Credits may only be used by Customer with respect to subsequent purchases of Opkey offerings through that reseller. Service Level Credits shall be Customer’s sole and exclusive remedy in the event of any failure to meet the Service Levels. Opkey will only provide records of system availability in response to good faith Customer claims.
1.4
Exceptions: Customer’s right to receive Service Level Credits, and the inclusion of any minutes in the calculation of Unscheduled Downtime are conditioned on: (i) prompt payment by Customer of all Fees, (ii) Customer performing all Customer obligations (including, without limitation, establishing and maintaining the Customer Environment), (iii) Customer’s compliance with Section 3 of Schedule A, (iv) Customer agreeing to use of the most current version of the SaaS Service, and (v) the Unscheduled Downtime not being caused by the failure of any non-Opkey third party vendors, the Internet in general, any emergency or force majeure event, or issues caused by the Customer Environment or Customer specific configurations not expressly contemplated in the Documentation.
2.
SUPPORT.
2.1
Generally for Services: During any Term, Customer shall have access to technical support through Opkey’s standard telephone, email and/or web support services during the support hours applicable to the specific Services subscribed to by Customer. The contact information for technical support Personnel, support hours applicable to the Services, and Error type classifications and response times will be provided to Customer by Opkey.
2.2
On-Premise Components: With respect to on-premise components, if any, except as may be specified in an Order, Customer shall be responsible for the installation and configuration of any on-premise components in the Customer Environment. Opkey shall provide technical support for such on-premises components through standard telephone, email and/or web support services during the support hours applicable to the on-premise components, which will be provided to Customer by Opkey.
SCHEDULE C
INFORMATION SECURITY
This Schedule C is made a part of the Agreement signed by the parties to which this Schedule C is attached.
1.
DEFINITIONS: In addition to the capitalized terms in Schedule A, all capitalized terms shall have the meaning ascribed to them here in this Schedule, and for the purposes of this Schedule, shall govern and control in the event of any conflict, including the following:
1.1
Encryption Standards: Encryption algorithms that are publicly or commercially available, with key lengths sufficient to prevent commercially reasonable attempts to decrypt through brute force the encrypted information.
1.2
Hosted Services: Any Service or hosting services subscribed to by Customer from Opkey.
1.3
Industry Standard(s): Are the generally accepted standards applicable to the performance obligations of a party with respect to a product or service. Industry Standards can include in part or in whole frameworks published by the National Institute of Standards and Technology (NIST), International Organization for Standardization, ISACA, Payment Card Industry Security Standards Council and other internationally recognized standards organizations.
1.4
Opkey Personnel: Each Opkey employee or subcontractor under obligations of confidentiality and nondisclosure performing on behalf of Opkey hereunder.
2.
GENERAL SECURITY TERMS: Opkey is committed to helping protect the security of Customer Data, and has implemented, and will maintain and follow appropriate technical and organizational measures that conform to Industry Standards intended to protect Customer Data against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction. Opkey may modify any of its policies, process, or procedures at any time and without obligation to notify or update this Schedule, provided such modifications provide substantially similar or greater protections than those provided for herein. Except as otherwise specified in Section 3, the following terms and conditions in this Section 2 apply to all performance obligations under the Agreement.
2.1
Access Controls: Opkey implements Industry Standard access control methodologies, which rely on policy, process, and logical controls to help prevent unauthorized access to systems and data under Opkey’s control. These access controls include no less than the following:
a.
Opkey uses the “Principle of Least Privilege” model for restricting access to systems and data, and regularly reviews access rights granted to Opkey Personnel.
b.
Opkey Personnel each have a unique user ID and personal secret password for accessing internal networks, equipment, and data. Opkey shall maintain policies concerning the maintenance of password secrecy. Opkey Personnel access rights must be suspended within twenty-four (24) hours of employment termination and modified within forty-eight (48) hours when Opkey Personnel roles and/or responsibilities are changed.
c.
Opkey maintains a password policy which, at a minimum, complies with the following standards: (i) passwords must not employ any structure or characteristic that results in a password that is predictable or easily guessed; (ii) passwords must include at least three (3) of the following character sets, in accordance with password policy settings: (a) an English uppercase character (A – Z); (b) an English lowercase character (a – z); (c) a westernized Arabic numeral; and (d) a non-alphanumeric special character from the following character set: !, $, #, %; (iii) passwords must be changed at least every one hundred and eighty (180) days; and (iv) account lockout must occur after a maximum of five (5) failed password entry attempts. Re-enabling of locked accounts must require extended time-based delay, or interaction with a security administrator or help desk function. All password changes must be accomplished through secure procedures.
d.
Multi-factor authentication processes must be utilized for any access to systems containing Customer Data. All passwords must be stored and transmitted using Encryption Standards.
e.
User sessions must expire and require the re-entry of a password if idle by more than (i) twenty (20) minutes for administrator consoles, and (ii) sixty (60) minutes for all other systems and session types.
f.
For any facilities hosting Customer Data, such facilities shall have implemented electronic access controls to enter such facilities, and further access controls for entering specific areas where such Customer Data is physically resident. Opkey shall maintain processes to validate the identity of individuals prior to issuing identification and access badges, and shall maintain processes for issuing visitor badges, logging such issuance, and escort requirements for such visitors. Such logs shall be maintained by Opkey for no less than six (6) months from issuance.
2.2
Data Controls: In its performance obligations, Opkey does not require access to Customer systems or data, and Customer shall take commercially reasonable efforts to prevent Opkey from accessing Customer systems and data. Where Customer provides Customer Data to Opkey for Professional Services or Support purposes, Customer shall take commercially reasonable efforts to redact or remove Personal Data prior to providing that Customer Data to Opkey. Where possible, such services shall be delivered via screen share or telephone with no data transferred to Opkey. If it is necessary to transfer Customer Data to Opkey, the following shall apply:
a.
Customer shall only use Opkey approved communication channels for providing Customer Data to Opkey. With respect to the storage of such Customer Data by Opkey and any further transmission of that Customer Data by Opkey, Opkey shall ensure such Customer Data is protected using Encryption Standards.
b.
In the event Opkey makes backups of such Customer Data, all backups of Customer Data shall be encrypted on backup media using Encryption Standards.
c.
Customer Data may only be stored on portable media, including laptops, DVD, CD, magnetic tape media, removable hard drives, USB drives or similar portable storage, if Encryption Standards are used on that portable media.
d.
Except as specified otherwise in the Agreement, or applicable Order or statement of work, Customer Data may be transferred by Opkey to, and stored and Processed in, the United States or any other country in which Opkey or its affiliates or subcontractors maintain facilities. Customer appoints Opkey to perform any such transfer of Customer Data to any such country and to store and Process Customer Data in order to provide services to Customer.
e.
Opkey shall: (1) Process such Customer Data only in accordance with the reasonable instructions of Customer, (2) treat such Customer Data as the Confidential Information of Customer, (3) promptly notify Customer of any unauthorized or unlawful Processing of that Customer Data of which it becomes aware, and (4) not knowingly place Customer in breach of any Privacy Laws.
2.3
Operational Controls: Opkey shall maintain operational controls sufficient to enable Opkey’s satisfaction of its performance obligations in this Section 2, including, without limitation, the following:
a.
Maintain a dedicated information security function to design, maintain and operate security in line with Industry Standards. This function shall focus on system integrity, risk acceptance, risk analysis and assessment, risk evaluation, and risk management.
b.
Conduct vulnerability assessments and/or penetration tests of networks, systems, applications, and databases where Customer Data is located at rest, in transit and in use. Opkey shall triage identified vulnerabilities and remediate or mitigate vulnerabilities in accordance with Industry Standards.
c.
Maintain appropriate authentication system(s) to authenticate and restrict access to Opkey systems and networks to valid users.
d.
Install and maintain antivirus software on all servers and computing devices involved with Processing activities and use other malware detection techniques where reasonably required. Such antivirus software shall be updated on a daily basis, or as otherwise provided by the antivirus software manufacturer.
e.
Maintain physical security measures with respect to Opkey facilities to help prevent and detect physical compromise, including, without limitation, use of identification badges, smart card or other electronic or physical identity verification systems, alarms on external doors. Opkey shall periodically review access records and CCTV video to ensure access controls are being enforced effectively, with any discrepancies or unauthorized access investigated immediately.
f.
With respect to Opkey internal networks, ensure perimeter networks are physically or logically separated from internal networks containing Customer Data, establish and configure firewalls in accordance with Industry Standards, use network intrusion detection systems as a part of network security, and restrict and control remote network access.
g.
Complete diligent review of any Opkey subcontractors that will have access to Customer Data, and require such subcontractors contractually commit to substantially similar terms and conditions as those specified in this Schedule, or terms and conditions that Opkey reasonably determines as providing substantially similar protection. With respect to any performance subcontracted by Opkey, Opkey remains responsible for its subcontractors’ compliance with Opkey’s performance obligations in the Agreement.
2.4
Availability Controls: Opkey will maintain contingency planning policies and procedures defining roles and responsibilities on proper handling of contingency events. This shall include a business continuity and disaster recovery plan intended to facilitate the restoration of critical operations and processes which would allow for Opkey’s continued performance of its obligations hereunder. Such plan shall be periodically reviewed, updated, and tested by Opkey.
2.5
Application Controls: Opkey shall implement and conform its software development practices to applicable Industry Standards relative to the functionality to be performed by the specific Opkey product offering. Opkey shall maintain software development practices which satisfy the following:
a.
Use commercially reasonable measures to detect product vulnerabilities prior to release. These measures may include manual test scripts, test automation, dynamic code analysis, static code analysis, penetration testing, or other measures chosen by Opkey. Opkey shall update procedures and processes from time to time to improve detection of vulnerabilities within its products.
b.
Opkey’s developers shall not intentionally write, generate, compile, copy, collect, propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage or otherwise hinder the performance of any systems or network.
c.
Opkey’s developers shall receive regular training on coding and design with respect to application security.
3.
SAAS AND HOSTING SECURITY TERMS. In addition to the terms and conditions in Section 2, the following terms and conditions shall apply to Opkey’s performance obligations with respect to any Hosted Services procured by Customer under this Agreement. To the extent of any conflict between the terms and conditions in this Section 3 and in Section 2, the terms and conditions in this Section 3 shall control solely with respect to Hosted Services.
3.1
Access Controls: Customer shall have access to Customer Data maintained within their applicable production instance. Customer shall be responsible for maintaining user access and security controls for users accessing the Hosted Services. Opkey shall be responsible for restricting all other access to Customer Data residing within the production instance. For the avoidance of doubt, Opkey has no obligation to verify that any user using Customer’s account and password has Customer’s authorization. Opkey shall provide access on a need to know basis and shall review access rights of Opkey Personnel at least annually. Opkey’s access controls shall include no less than the following:
a.
Opkey shall enforce complex passwords using built in system settings of at least 8 characters. Opkey shall require password changes at least every ninety (90) days. Opkey administrators shall use multi-factor authentication for access to the production environment(s).
b.
Access to Opkey’s production environment(s) is controlled at four distinct hierarchical levels: the hosting partner level, the Hosted Services operations team level, the Opkey network security level, and the application level. Access control is required for each of these levels to provide the optimal level of security for the solution.
c.
Any Customer Data accessed by authorized Opkey Personnel is subject to the aforementioned access controls and is encrypted at rest and in transit.
d.
An Opkey hosting partner’s role is to design, deploy, secure, make available, and support the infrastructure upon which Hosted Services operate. The hosting partners have primary control over the infrastructure upon which Hosted Services operate but such control does not extend to access to Customer Data or Opkey solutions processing Customer Data. The hosting partner provides Opkey’s operations teams with the initial credentials required to access the infrastructure and associated support portals to enable Opkey to operate and manage the Hosted Services.
3.2
Data Controls: In its performance obligations with respect to Hosted Services, Opkey does require access to Customer Data, and the following additional terms and conditions shall apply:
a.
Opkey’s security procedures shall require that any Customer Data stored by Opkey only be stored using secure data encryption algorithms and key strengths of 128-bit symmetric and 1024-bit asymmetric or greater. Opkey shall monitor Industry Standards and implement an action plan if key lengths in use can be compromised through commercially reasonable means.
b.
Opkey will maintain a key management process that includes appropriate controls to limit access to private keys and a key revocation process. Private keys and passwords shall not be stored on the same media as the data they protect.
c.
Opkey will prohibit Opkey Personnel from the download, extraction, storage, or transmission of Customer Data through personally owned computers, laptops, tablet computers, cell phones, or similar personal electronic devices except where enrolled in Opkey’s Mobile Device Management (MDM), Information Rights Management (IRM), or other security programs. If personal computers or mobile devices are used to perform any part of the Hosted Services, Opkey will encrypt all Customer Data on such mobile devices.
d.
Opkey agrees that any and all Opkey initiated electronic transmission or exchange of Customer Data stored as part of the Hosted Services shall be protected by a secure and encrypted means (e.g., HTTPS, PGP, S/MIME, SSH, SMTP encryption using TLS on gateway while sending emails).
e.
Customer Data stored as a part of the Hosted Services shall reside only on Opkey production systems housed in Opkey hosting partner data centers, unless noted in an Order or statement of work or required with respect to professional service engagements or performance of support services. Any storage of Customer Data on Opkey premises is temporary and is used strictly for support and services engagements. Once Customer Data on Opkey premise has served its purpose, it shall be promptly destroyed in accordance with Opkey’s confidential data destruction procedures.
3.3
Operational Controls: In its performance of Hosted Services, Opkey shall maintain operational controls sufficient to enable Opkey’s satisfaction of its performance obligations in this Section 3, including, without limitation, the following:
a.
Opkey will utilize up-to-date and comprehensive virus and malware protection capabilities, and commercially reasonable practices, including detection, scanning and removal of known viruses, worms, and other malware on Opkey’s hosting systems. These virus protection capabilities will be in force on all computers and/or devices utilized in connection with the technology services, as well as on all data files or other transfers that have access or are connected to Opkey’s hosting system.
b.
If a virus, worm, or other malware causes a loss of operational efficiency or loss of data, Opkey will mitigate losses and restore data from the last virus free backup to the extent practicable.
c.
Opkey shall obligate its hosting partners to provide a multiple layered security approach. This shall include perimeter firewalls, DMZ, one or more internal network segments, and network intrusion detection monitors for attempted intrusion to the production environment. Network vulnerability scans shall be conducted regularly, and issues addressed according to Industry Standard change control processes.
d.
Opkey shall mitigate security vulnerabilities through the use of perimeter and host countermeasures such as intrusion prevention, web application firewall, IP address shunning, and other measures designed to prevent successful exploitation of vulnerabilities.
e.
Opkey and its hosting partners shall proactively address security risks by applying released security patches, including, as example, Windows security patching and updates to patch known vulnerabilities in an applicable operating system. Patches shall be deployed to production via Opkey’s change management process. Opkey shall test all patches in its test environment prior to release to production. If a patch degrades or disables the production environment, Opkey shall continue to mitigate vulnerabilities until a patch is provided by the software or operating system manufacturer that does not degrade or disable production. Such mitigation efforts may include intrusion prevention, web application firewall, and other measures chosen by Opkey to reduce likelihood or prevent successful access to Customer Data by an unauthorized party.
f.
Each month, Opkey and its hosting partners shall schedule maintenance windows to perform data center, system, and application maintenance activities. Opkey shall notify Customer in advance of any scheduled maintenance activity that is expected to disrupt the Hosted Services functionality.
g.
Opkey shall retain security logs for a minimum of thirty (30) days online and ninety (90) days archived. Opkey may retain logs for a longer period at its sole discretion.
3.4
Availability Controls: With respect to Hosted Services:
a.
Opkey shall maintain business continuity and disaster recovery plans specific to its Hosted Services and shall include data center fail over configurations.
b.
Opkey shall maintain a backup of all Customer Data that Opkey is required to retain as a part of the Hosted Services. In the event the Customer Data becomes destroyed or corrupt, Opkey shall use commercially reasonable efforts to restore all available data from backup and remediate and recover such corrupt data.
4.
ATTESTATION OF COMPLIANCE: Upon Customer’s reasonable request, (i) Opkey shall provide an attestation of compliance to the terms in this Schedule, and/or (ii) Opkey shall provide its Industry Standard security assessment questionnaire responses applicable to the services provided to Customer. Requests shall be made in writing through the Account Executive assigned to Customer unless otherwise specified by Opkey.
SCHEDULE D
DATA PROCESSING
This Schedule D is made a part of the Agreement signed by the parties to which this Schedule D is attached.
1.
DEFINITIONS: In addition to the capitalized terms in Schedule A, all capitalized terms shall have the meaning ascribed to them here in this Schedule, and for the purposes of this Schedule, shall govern and control in the event of any conflict, including the following:
1.1
“Adequacy Decision” means, for a jurisdiction with Privacy Laws that have data transfer restrictions, a country that the Supervisory Authority or other body in such jurisdiction recognizes as providing an adequate level of data protection as required by such jurisdiction’s Privacy Laws such that transfer to that country shall be permitted without additional requirements.
1.2
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, and in the context of this Schedule shall mean the Customer.
1.3
“Data Processing Instructions” means this Agreement and any additional instructions provided by Customer and accepted by Opkey during the Term of the Agreement.
1.4
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller, and in the context of this Schedule shall mean Opkey and references in this Schedule to Opkey include references to Opkey Affiliates where such Opkey Affiliates are Subprocessors.
1.5
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.6
"Restricted Transfer" means: (i) a transfer of Personal Data from Customer to Opkey; or (ii) an onward transfer of Personal Data from Opkey to a Subprocessor, in each case, where such transfer outside of jurisdiction of Customer would be prohibited by Privacy Laws in the absence of an approved method of transfer, including through (a) an Adequacy Decision, (b) Standard Contractual Clauses, or (c) by the terms of other recognized forms of data transfer agreements or processes.
1.7
"Standard Contractual Clauses" means the contractual clauses approved by a Supervisory Authority pursuant to Privacy Laws which provides for multi-jurisdictional transfer of Personal Data from one jurisdiction to another where such transfer would otherwise be a Restricted Transfer.
1.8
"Subprocessor" means any third party (including any third party and any Opkey Affiliate) appointed by or on behalf of Opkey to undertake Processing in connection with the services.
1.9
“Supervisory Authority” means an independent public authority which is established in a jurisdiction under Privacy Laws with competence in matters pertaining to data protection.
2.
PROCESSING OF PERSONAL DATA
2.1
Opkey will not (a) Process Personal Data other than on Customer’s documented instructions (set out in this Schedule or as otherwise set forth in the Agreement or an Order) unless Processing is required by a Supervisory Authority; or (b) sell Personal Data received from Customer or obtained in connection with the provision of the services to Customer.
2.2
Customer on behalf of itself and each Customer Affiliate instructs Opkey: (a) to Process Personal Data; and (b) in particular, transfer Personal Data to any country or territory; in each case as reasonably necessary for the provision of the services and consistent with this Schedule.
2.3
The Data Processing Instructions set out the subject matter and other details regarding the Processing of the Personal Data contemplated as part of the services, including Data Subjects, categories of Personal Data, special categories of Personal Data, Subprocessors and description of Processing.
3.
OPKEY PERSONNEL
3.1
Opkey shall ensure that persons authorized to undertake Processing of the Personal Data have (a) committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in respect of the Personal Data; and (b) undertaken appropriate training in relation to protection of Personal Data.
4.
SECURITY
4.1
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Opkey shall in relation to the Personal Data implement appropriate technical and organizational measures designed to provide a level of security appropriate to that risk in the provision of the services, such technical and organizational measures are set out in Schedule D.
4.2
In assessing the appropriate level of security, Opkey shall take account in particular of the risks that are presented by Processing.
5.
SUBPROCESSING
5.1
Opkey shall only appoint Subprocessors which enable Opkey to comply with Privacy Laws. Customer authorizes Opkey to appoint Subprocessors in accordance with this Section 5 subject to any restrictions or conditions expressly set out in this Agreement. Subprocessors appointed as at the effective date of this Schedule are set out in the Data Processing Instructions or as otherwise specified in an Order. Opkey shall remain liable to Customer for the performance of that Subprocessor’s obligations subject to this Agreement.
5.2
Notwithstanding the notice requirements set out in Section 15.5 of Schedule B, before Opkey engages any new Subprocessor, Opkey shall give Customer notice of such appointment, including details of the Processing to be undertaken by the proposed Subprocessor. In addition to any other notifications, Opkey may provide such notice by updating the list of Subprocessors in the Data Processing Instructions. Customer may notify Opkey of any objections (on reasonable grounds related to Privacy Laws) to the proposed Subprocessor or Data Processing Instructions (“Objection”), then Opkey and Customer shall negotiate in good faith to agree to further measures including contractual or operational adjustments relevant to the appointment of the proposed Subprocessor or operation of the services to address Customer’s Objection. Where such further measures cannot be agreed between the parties within forty-five (45) days from Opkey’s receipt of the Objection (or such greater period agreed by Customer in writing), Customer may by written notice to Opkey with immediate effect terminate that part of the services which require the use of the proposed Subprocessor.
5.3
With respect to each Subprocessor which is the subject of Section 5.2 above, Opkey or the relevant Opkey Affiliate shall: (a) carry out adequate due diligence before the Subprocessor first Processes Personal Data, to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by the Agreement; (b) ensure that the Subprocessor is subject to a written agreement with Opkey that includes appropriate data protection provisions; and (c) if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses or other appropriate method of transfer are at all relevant times incorporated into the agreement executed between Opkey and the Subprocessor.
5.3
Opkey shall ensure that each Subprocessor performs the obligations under this Schedule as they apply to Processing of Personal Data carried out by that Subprocessor, as if such Subprocessor were party to this Schedule in place of Opkey.
6.
DATA SUBJECT RIGHTS
6.1
Opkey shall (a) upon becoming aware, promptly notify Customer if Opkey receives a request from a Data Subject relating to an actionable Data Subject right under any Privacy Law in respect of Personal Data; (b) not respond to that request except on the documented instructions of Customer or as required by a Supervisory Authority; and (c) upon request from Customer where required by Privacy Laws and in the context of the services, reasonably assist Customer in dealing with an actionable Data Subject rights request to the extent Customer cannot fulfil this request without Opkey’s assistance. Opkey may fulfil this request by making available functionality that enables Customer to address such Data Subject rights request without additional Processing by Opkey. To the extent such functionality is not available, in order for Opkey to provide such reasonable assistance, Customer must communicate such request in writing to Opkey providing sufficient information to enable Opkey to pinpoint and subsequently amend, export or delete the applicable record.
7.
PERSONAL DATA BREACH
7.1
Opkey shall notify Customer without undue delay upon Opkey or any Subprocessor becoming aware of a Personal Data Breach, providing Customer with sufficient information to allow Customer to meet its obligations to report or inform Data Subjects of the Personal Data Breach under the Privacy Laws. Subject to Section 7.3 below, such notification shall as a minimum: (a) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; (b) communicate the name and contact details of Opkey's data protection officer or other relevant contact from whom more information may be obtained; (c) describe the likely consequences of the Personal Data Breach in so far as Opkey is able to ascertain having regard to the nature of the services and the Personal Data Breach; and (d) describe the measures taken or proposed to be taken to address the Personal Data Breach.
7.2
Opkey shall co-operate with Customer and take such reasonable commercial steps as are necessary to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3
Where, and in so far as, it is not possible to provide the information referred to in Section 7.1 at the same time, the information may be provided in phases without undue further delay.
8.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
8.1
To the extent necessary, Opkey shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Privacy Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Opkey. To the extent that such impact assessment and/or prior consultation requires assistance beyond Opkey providing the applicable Opkey processing record(s) and Documentation, Opkey shall reserve the right to charge Customer such engagement at Opkey’s then current daily rates.
9.
DELETION OR RETURN OF PERSONAL DATA
9.1
Following Opkey’s receipt of Customer’s written request during the Return Period, Opkey will either delete or return available Customer Data in accordance with Section 13.3(b) of Schedule B.
9.2
Opkey may retain Personal Data to the extent required by Privacy Laws or any other statutory requirement to which Opkey is subject and only to the extent and for such period as required by Privacy Laws or any other statutory requirement to which Opkey is subject and always provided that (a) during such retention period the provisions of this Schedule will continue to apply, (b) Opkey shall ensure the confidentiality of all such Personal Data, and (c) Opkey shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Privacy Laws requiring its storage or any other statutory requirement to which Opkey is subject and for no other purpose.
10.
REVIEW, AUDIT AND INSPECTION RIGHTS
10.1
Upon Customer’s reasonable request, Opkey shall provide all relevant and necessary material, documentation and information in relation to Opkey’s technical and organizational security measures used to protect the Personal Data in relation to the services provided in order to demonstrate Opkey’s compliance with Privacy Laws.
10.2
Opkey shall ensure a security audit of its technical and organizational security measures is carried out at least annually in compliance with Privacy Laws. Such security audit will be performed in accordance with ISO 27001 standards by an internal qualified auditor within Opkey. The results of such security audit will be documented in a summary report. Opkey shall promptly provide Customer upon request with (i) a confidential summary of such report; and (ii) evidence of appropriate remediation of any critical issues within four (4) weeks from date of issuance of the audit report.
10.3
If, following the completion of the steps set out in Sections 10.1 and 10.2 Customer reasonably believes that Opkey is non-compliant with Privacy Laws, Customer may request that Opkey make available, either by webinar or in a face-to-face review, extracts of all relevant information necessary to further demonstrate compliance with Privacy Laws.
10.4
In the event that Customer reasonably believes that its findings following the steps set out in Section 10.3 do not enable Customer to comply materially with Customer’s obligations mandated under the Privacy Laws in relation to its appointment of Opkey, then Customer may give Opkey not less than thirty (30) days prior written notice of its intention, undertake an audit which may include inspections of Opkey to be conducted by Customer or an auditor mandated by Customer (not being a competitor of Opkey). Such audit and/or inspection shall (i) be subject to confidentiality obligations agreed between Customer (or its mandated auditor) and Opkey, (ii) be undertaken solely to the extent mandated by, and may not be further restricted under applicable Privacy Laws, (iii) not require Opkey to compromise the confidentiality of security aspects of its systems and/or data processing facilities (including that of its Subprocessors), and (iv) not be undertaken where it would place Opkey in breach of Opkey’s confidentiality obligations to other Opkey customers, vendors and/or partners generally or otherwise cause Opkey to breach laws applicable to Opkey. Customer (or auditor mandated by Customer) undertaking such audit or inspection shall avoid causing any damage, injury or disruption to Opkey’s premises, equipment, personnel and business in the course of such a review. To the extent that such audit performed in accordance with this Section 10.4 exceeds one (1) business day, Opkey shall reserve the right to charge Customer for each additional day at its then current daily rates.
10.5
If following such an audit or inspection under Section 10.4, Customer, acting reasonably, determines that Opkey is non-compliant with Privacy Laws then Customer will provide details thereof to Opkey upon receipt of which Opkey shall provide its response and to the extent required, a draft remediation plan for the mutual agreement of the parties (such agreement not to be unreasonably withheld or delayed; the mutually agreed plan being the “Remediation Plan”). Where the parties are unable to reach agreement on the Remediation Plan or, in the event of agreement, Opkey materially fails to implement the Remediation Plan by the agreed dates which in either case is not cured within forty-five (45) days following Customer’s notice or another period as mutually agreed between the Parties, Customer may terminate the services in part or in whole which relates to the non-compliant Processing and the remaining services shall otherwise continue unaffected by such termination.
10.6
The rights of Customer under this Section 10 shall only be exercised once per calendar year unless Customer reasonably believes Opkey to be in material breach of its obligations under either this Schedule or Privacy Laws.
11.
RESTRICTED TRANSFERS
11.1
Customer (as "data exporter") and Opkey, as appropriate, (as "data importer") hereby agree that the Standard Contractual Clauses shall apply in respect of any Restricted Transfer from Customer to Opkey. Each Party agrees to execute the Standard Contractual Clauses upon request of the other Party and further agrees that absent of execution the terms and conditions of the Standard Contractual Clauses shall in any event apply to any Restricted Transfer. Where such Standard Contractual Clauses must be fully executed to take effect and Customer has not executed such Standard Contractual Clauses as set out in this Section 11, Customer authorizes Opkey to enter into the Standard Contractual Clauses for and on behalf of Customer as data exporter with each applicable data importer.
11.2
For the purposes of appendix 1 to the Standard Contractual Clauses or other relevant part of the Standard Contractual Clauses, the Data Processing Instructions sets out the Data Subjects, categories of Personal Data, special categories of Personal Data, Subprocessors and description of Processing (processing operations).
11.3
For the purposes of appendix 2 to the Standard Contractual Clauses or other relevant part of the Standard Contractual Clauses, Schedule D sets out the description of the technical and organizational security measures implemented by Opkey (the data importer) in accordance with clauses 4(d) and 5(c) of the Standard Contractual Clauses.
12.
OTHER PRIVACY LAWS
12.1
To the extent that Processing relates to Personal Data originating from a jurisdiction which has any mandatory requirements in addition to those in this Schedule, both Parties may agree to any additional measures required to ensure compliance with applicable Privacy Laws and any such additional measures agreed to by the Parties will be documented in a duly executed written addendum or amendment to this Agreement or in an Order.
12.2
If any variation is required to this Schedule as a result of a change in Privacy Laws, including any variation which is required to the Standard Contractual Clauses, then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to this Schedule, including the Standard Contractual Clauses, to address such changes.
13.
GENERAL TERMS
13.1
The applicable law provisions of this Agreement are without prejudice to clauses 7 (Mediation and Jurisdiction) and 10 (Governing Law) of the Standard Contractual Clauses where applicable to Restricted Transfers of Personal Data from the European Union (including the United Kingdom) to a third country.