SaaS Terms and Conditions
Effective as of February 2, 2023.
1. Your Access or Use Binds You
These Terms and Conditions, together with the terms and conditions contained in the SaaS Service Order, which together form the Agreement, govern Your access and use of the Services. Please read these carefully, and know, these Terms and Conditions may be modified from time-to-time. By signing a SaaS Service Order, you accept these Terms and Conditions. These Terms and Conditions are also located on Our website at www.lineup.ai/TC. These Terms and Conditions may be modified from time-to-time on Our Website, and by continuing to access or use the Services after being notified that these Terms and Conditions have been modified, You (a) acknowledge and confirm that You have read, understand, and agree to be bound by the most recent version of the Terms and Conditions without qualification or limitation and (b) agree to comply with, and be bound by, all applicable laws and regulations, including those concerning Your access and use of the Services. If You do not agree to be bound by any modified Terms and Conditions and to comply with all applicable laws, You are not authorized to access or use the Services.
2. Let’s Talk Definitions
While We’ve already introduced one another, You, in addition to being referred to herein as Customer, are also referred to as “Your” while Lineup LLC is also referred to herein as “We” or “Us.” Also, You and Us together may be referred to as the “Parties” and individually as a “Party”.
“Access Credentials” means any username, identification number, password, license or security key, security token, PIN or other security code, method, technology or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.
“Affiliate” means any current or future company that controls, is controlled by, or is under common control with a Party or any Party’s Parent, where ownership and control means the right to direct the affairs of the Affiliate by means of voting control.
“Authorized Users” means Your employees and third parties that are performing professional services specifically for You.
“Effective Date” is the date both Parties have executed this Agreement.
“Your Data” means information, data and other content, in any form (structured or unstructured) or medium, that is collected, downloaded or otherwise received, directly or indirectly, from You by or through the Services.
“Parent” means any current or future company that directly or indirectly owns and controls either Party, where ownership and control means the right to direct the affairs of the Party by means of voting control.
“Services” means the websites, mobile applications, materials and other services and information developed, operated, and maintained by Us, accessible via https://app.lineup.ai or another designated web site or IP address, the content contained therein, any offline components provided by Us for use in connection therewith, and any professional services, support services or other services identified on the Order Form. Services includes Our Software.
“Systems” means a respective Party’s information technology infrastructure, including computers, software, hardware, databases, electronic systems (including database management systems) and networks, whether operated directly by the respective Party or through the use of third-party services.
“Our Software” means Our software application or applications and any third-party or other software, and all new versions, updates, revisions, improvements and modifications of the foregoing, that We provide remote access to, and use of, as part of the Services.
“Our Systems” means Systems used by or on behalf of us in performing the Services.
3. Our Services; Your Limitations & Obligations
(a) Our Services. We agree to provide You, the Customer, the Services purchased under a Service Order Form, by configuring, hosting, managing, operating, optimizing, and maintaining Our Software for remote electronic access and use by Your Authorized Users solely for Your own internal use as permitted herein. In doing so, We grant You a non-exclusive, non-sublicensable, and non-assignable right to access and use the Services solely for Your business purposes.
(b) Authorized Users. You will limit and restrict access and use of the Services to Authorized Users and ensure Authorized Users comply with the terms of this Agreement. You are responsible for any misconduct or breach of this Agreement by or through Your Authorized Users. We will provide the functionality to allow You and Your Authorized Users to implement Access Credentials, but You and Your Authorized Users are solely responsible for maintaining and restricting use and access to Access Credentials outside the custody of Our Services, Our Software, and Our Systems.
(c) Our Services are for Your Use Only. We request, and You agree not to sell, resell, sublicense, or lease the Services or otherwise allow or fail to take reasonable steps to prevent any unauthorized third party to access or use the Services. You will notify Us immediately if You become aware of any unauthorized access or use of the Services or any threat to do so, and will take reasonable steps to stop or mitigate such threat or unauthorized activity.
(d) What You Can’t Do With Our Stuff. Sorry to sound so legal, but You also agree not to take, copy, alter, harm, access, or use the Services for any unlawful purpose or any other purpose detrimental to us and Our Services (which by definition includes Our Software), and Our Systems. You will also not circumvent any security feature limiting access to Our Services or reverse engineer, disassemble, decompile, decode, adapt or otherwise attempt to derive or gain access to the source code of the Services. You will also not access or use the Services for purposes of competitive analysis of the Services or the development of a competing software service or product.
(e) The Suspension or Even Termination of Our Services. You agree - We may lawfully suspend, terminate or otherwise deny any Authorized Users’ access to or use of the Services if: (a) We reasonably believe any Authorized User has failed to comply with any material term of this Agreement or is, was, or is likely to be involved in any unlawful activities in association with the Services; (b) required by law or judicial order; or (c) this Agreement expires or is terminated.
(f) We Control Our Services and Maintain Our Stuff. We have, and will retain, sole and exclusive control over the operation, provision, maintenance, and management of the Services, and the methods and means of doing so. We reserve the right, in Our sole discretion, to make any changes to the Services, Our Software, and Our Systems that We deem necessary or useful to maintain or improve Our Services or to comply with any applicable law.
(g) Access to Your Systems. To the extent We need access to Your Systems to perform the Services, You will provide us access to Your Systems for the sole and limited purpose of performing the Services.
4. Accessibility & Performance
(a) Maintenance Periods. There will be periods when the Services are unavailable, such as during: (i) system maintenance periods scheduled in advance by us; and, (ii) during emergency updates and maintenance. We are not responsible for any problems You may experience with Your own Internet connectivity, with Your Systems (except to the extent caused by Our access pursuant to Section 3(g)), and with any third-party Systems, including matters of compatibility and functionality.
(b) We’re Here For You. Customer support is available via online chat, email, and phone during normal business hours (Monday through Friday, 9 AM to 5 PM Eastern Time (ET)).
(c) Training Anyone? In addition to any non-customized online training We may make available to customers and their Authorized Users, We will provide You the training services as selected in a corresponding Service Order Form in exchange for Your payment of the designated “Training Fees”.
(d) Data Backup. Our Systems perform routine backups of Your Data. In the event of any loss, destruction, damage or corruption of Your Data caused by Our Systems or Services, We will, as Our sole obligation and liability and as Your sole remedy, use commercially reasonable efforts to restore Your Data from Our then-most current backup of Your Data.
5. Your Information – It’s Yours, and We’ll Protect It
(a) Your Data. For You to use, and for us to provide, the Services, You will need to provide us information (“Your Data”) or access to Your Data for Our storage and use pursuant to this Agreement. To that end, in providing us Your Data, You may: transmit data to Us directly or for Us to capture and persist or otherwise store the data; or You may provide Us access to Your Data through Your Systems, such as through an application programming interface (“API”) so We can access, capture and persist or otherwise store Your Data, for which You have the lawful rights, authority, and permissions to do so. Of course, You retain ownership of Your Data, and may request deletion of Your Data at any time. However, we will not be required to delete Your Data on our back up data systems or data that we are instructed by legal counsel to maintain.
(c) Custodians. As custodians of Your Data, We will exercise commercially reasonable care to prevent unauthorized access to Your Data that is persisted and integrated or otherwise stored on Our Systems, which will not be less than the care We take with Our own data.
(d) License. You grant to us and Our agents, contractors, consultants, service providers, advisors, and Affiliates a limited, non-exclusive, non-assignable, and non-transferable license to use Your Data for the sole purpose of providing the Services and for the other uses permitted in this Agreement, including for the purposes of storing, recording, transmitting, maintaining, and displaying Your Data, which includes creating derivative works, and those purposes provided in Sections 5(f)-5(g) below. You agree that We will de-identify Your Data when it is combined or aggregated before sharing with others as provided under Section 5(f) below.
(e) We Can Report On The Service’s Performance. We can de-identify, aggregate, and combine data about Your usage of the system to produce statistics that We are allowed to freely use and publicly disclose. Without Your permission, We will not identify You as a source of the disclosed information.
(f) We Use Your Data and Prepare and Share Your De-Identified Data. We won’t disclose Your Data to anyone other than Our employees, agents, contractors, consultants, service providers, Affiliates, and Your Authorized Users, unless it has been de-identified (the “De-Identified Data”) and aggregated, and You authorize us and our employees, agents, contractors, consultants, service providers, and Affiliates to use Your Data, with or without de-identification and alone or together with other data, for providing support to You, improvement in production models, product performance optimization and improvement, product testing, research, product development, product performance analysis, statistical analysis, or for any other business purposes. You agree that any De-Identified Data and its derivatives are exclusively Our property and are not Confidential Information subject to confidentiality requirements.
(g) Use of Your Data for Insurance Purposes. Consistent with Section 5(f) above, You authorize Our Affiliate to use Your Data to determine insurance policy rates for its customers and to evaluate, develop, and/or improve insurance products and offerings.
6. Fees and Payments
(a) You will pay Us the Fees specified in the Service Order Form, and We shall have the unfettered right to deny and prevent You and any of Your Authorized Users access to and use of the Services if any undisputed Fees remain unpaid after they have become due.
(b) Fees and Taxes. You shall pay the fees (the “Fees”) detailed in the corresponding Service Order Form to us in accordance with the Payment Terms. The Subscription Fee may change from time-to-time, and We will provide notice of any change thirty (30) days in advance of the date upon which notice of non-renewal is due. The Fees do not include any sales, use or other taxes that may be applicable. You are responsible for the payment of all applicable sales, use, and other taxes, except for taxes on Our income.
(b) Payment Terms. Payment of the Fees shall be subject to the following terms (the “Payment Terms”):
(i) We will invoice You for the Fees on the basis set forth in the Service Order Form;
(ii) You will pay each invoice in full within thirty (30) days after the invoice date;
(iii) We will send invoices to the email address provided as Your billing contact on the Service Order Form;
(iv) You shall pay interest on all late payments at the lesser of the rate of 1.5% per month or, if less than 1.5% per month, the highest rate permissible under applicable law per month, compounded monthly, and You shall reimburse us for all reasonable costs incurred in collecting any late payments, including, without limitation, reasonable attorneys' fees; and,
(v) All amounts owed by You and payable to us shall be paid to us in full and without any setoff, recoupment, counterclaim, deduction, debit or withholding for any reason.
7. Term & Termination
(a) Term. The initial term of this Agreement shall begin on the Effective Date and shall continue from the Effective Date for a period specified in the Service Order Form (the “Initial Term”). Following the Initial Term, this Agreement shall automatically renew for successive periods as specified in the Service Order Form (each being a “Renewal Term”) until one Party provides the other Party written notice of non-renewal at least thirty (30) calendar days prior to the expiration of the Initial Term or any Renewal Term. “Term,” when used alone, shall mean and collectively include both the Initial Term and any Renewal Term(s). The Initial Term and each Renewal Term may also be referred to herein as a “Subscription Term.”
(b) Termination for Cause. If either Party materially breaches this Agreement and fails to cure such breach within thirty (30) days of receiving written notice thereof from the other Party, the other Party shall have the right to terminate this Agreement for cause as of a date specified in such notice. For purposes hereof, two (2) successive failures of You to make payments when due shall be deemed a “material breach” hereof.
(c) Termination During Trial Term. You may terminate this Agreement without cause during any trial period when the Service is offered at no cost.
(d) Payments Upon Termination. Upon the expiration or termination of this Agreement for any reason, You shall pay to us all amounts due and payable hereunder, including, without limitation, the Fees.
(e) Return of Materials. Upon expiration or termination of this Agreement, each Party shall promptly return to the other Party, or cause the destruction of, the other Party’s Confidential Information. Neither Party shall be required to destroy any such Confidential Information, data, programs or materials that are maintained on such Party’s back up data systems nor such Confidential Information that the Party is instructed by legal counsel to maintain. Further, You agree that We may continue to use any de-identified data that We collect and such de-identified data is not required to be returned or destroyed pursuant to this Section.
8. Representations & Warranties
(a) Mutual. You and Us each represent and warrant that: (1) it is a business duly formed, validly existing, and in good standing under the laws of its state of formation; (2) it has all requisite power, financial capacity, and authority to execute, deliver, and perform its obligations under this Agreement; (3) it shall comply with all applicable federal, state, local, international, or other laws and regulations applicable to the performance by it of its obligations under this Agreement and shall obtain all applicable permits, authorizations, permissions, and licenses required of it in connection with its obligations under this Agreement, which includes the sharing of data.
(b) By Us. We warrant that: (1) the Services will be performed in a professional, workmanlike and timely manner, subject to Section 3.2; and (2) We will not knowingly infringe any third-party United States copyright, patent, or other intellectual property right. THE WARRANTIES MADE BY SERVICE PROVIDER IN THIS SECTION 8 ARE THE ONLY WARRANTIES MADE BY SERVICE PROVIDER, AND SERVICE PROVIDER HEREBY DISCLAIMS ANY AND ALL OTHER WARRANTIES, EXPRESS OR IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THOSE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SERVICE PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL OPERATE AT ALL TIMES, UNINTERRUPTED, OR ERROR-FREE.
9. Confidential Information; Proprietary Rights
(a) Non-Disclosure of Confidential Information. Each Party (as a “Discloser”) may disclose or make available to the other Party (as a “Recipient”) information that is confidential or proprietary and that is to remain confidential and not intended to be disclosed to any third party (“Confidential Information”), which includes any Your Data (as a substantial whole) and any Personal Information. Each Party agrees to maintain in confidence and not disclose or sell the other Party’s Confidential Information, except that a Recipient may share Confidential Information with its employees, directors, agents, consultants, contractors, service providers, and Affiliates for any purpose or use permitted in this Agreement, provided they have agreed in writing to keep such information confidential. Each Recipient agrees to safeguard the confidentiality of the Discloser’s Confidential Information with at least the same degree of care as the Recipient would protect its own Confidential Information, but in no event with less than a commercially reasonable degree of care in protecting Confidential Information and in preventing any unauthorized use or disclosure of Confidential Information. Discloser agrees to only share information that it has the lawful right to share. The obligations of confidentiality and nondisclosure set forth herein shall not apply to information that: (a) was publicly known at the time of disclosure; (b) becomes publicly known through no fault of Recipient; (c) was known to Recipient without restriction before receipt from Discloser; (d) is rightfully received by Recipient from a third party without a duty of confidentiality; or (e) is independently developed by Recipient without reliance on Discloser’s Confidential Information. A Recipient may disclose Confidential Information when compelled to do so by law if it gives the Discloser reasonable prior written notice and an opportunity to limit or prevent such compelled disclosure.
We may also transfer Confidential Information to an acquiring third party as part of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding. The provisions of this Section shall survive the termination or expiration of this Agreement for a period of five (5) years.
(b) Proprietary Rights. All software and related processes, instructions, methods, and techniques that have been previously developed or obtained by Us for performing the Services (collectively, the “Pre-existing Materials”) shall remain the sole and exclusive property of Lineup LLC. Except as otherwise provided in this Agreement, neither Party grants to the other Party any ownership in or license to the other Party’s Confidential Information or Your Data. The provisions of this Section shall indefinitely survive the termination of this Agreement.
10. Indemnification – for Both of Us
(a) General Indemnity. Each Party agrees to indemnify, defend, and hold the other Party and its officers, directors, agents, employees, and Affiliates (each, an “Indemnitee” and collectively, the “Indemnitees”) harmless from and against any and all liabilities, damages, losses, expenses, claims, demands, suits, fines, and judgments (collectively “Claims”), including reasonable attorneys' fees, costs, and expenses incidental thereto, which may be suffered by, accrued against, charged to, or recoverable from any Indemnitee, by reason of any Claim arising out of or relating to any grossly negligent act or omission or willful misconduct of the indemnifying Party, its officers, directors, agents, employees, and Affiliates during the Term of this Agreement, including, without limitation, Claims arising out of or relating to: (a) actual or alleged infringement of a third party’s patent, copyright, trademark, trade secret or other intellectual property rights, or (b) violation of any applicable law or regulation, including any data privacy law or regulation; provided, however, that the foregoing indemnity shall not apply to the extent that the applicable Claim resulted from the acts or omissions of an Indemnitee. Notwithstanding anything herein to the contrary, obligations to indemnify an Indemnitee for breach of the provisions of the Sections herein that specifically survive termination of this Agreement shall also survive the termination of this Agreement.
(b) Promptly after receipt of a threat of any action, or a notice of the commencement, or filing of any action against the Indemnitee, the Indemnitee shall give notice to the other Party.
11. Limitation of Liability
NOTWITHSTANDING ANY OTHER PROVISION, NO PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, AND/OR CONSEQUENTIAL DAMAGES, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOST BUSINESS, PROFITS, DATA, OR USE OF ANY SERVICE, INCURRED BY EITHER PARTY OR ANY THIRD PARTY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT. A PARTY SHALL BE LIABLE TO THE OTHER ONLY FOR ANY DIRECT DAMAGES TO THE EXTENT ARISING OUT OF OR RELATING TO ITS PERFORMANCE OR FAILURE TO PERFORM UNDER THIS AGREEMENT; PROVIDED, HOWEVER, THAT THE LIABILITY OF A PARTY, WHETHER BASED ON AN ACTION OR CLAIM IN CONTRACT, EQUITY, NEGLIGENCE, TORT, OR OTHERWISE FOR ALL EVENTS, ACTS, OR OMISSIONS UNDER THIS AGREEMENT SHALL NOT EXCEED THE FEES PAID OR PAYABLE UNDER THIS AGREEMENT FOR THE TWELVE (12) MONTH PERIOD PRECEDING THE CLAIM OR ACTION, PROVIDED THAT THE FOREGOING LIMITATION OF LIABILITY SHALL NOT APPLY TO DAMAGES ARISING OUT OF A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS IN THIS AGREEMENT, GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR FRAUD, OR TO ANY THIRD-PARTY CLAIMS FOR WHICH A PARTY OWES THE OTHER A DUTY OF INDEMNITY HEREUNDER. This Section 11 shall indefinitely survive the expiration or termination of this Agreement.
(a) Relationship of the Parties; No Assignment. Each Party is an independent contractor with no authority to contract for or bind the other Party. This Agreement does not create any agency or partnership relationship and is not assignable or transferable unless otherwise agreed to in writing by the Parties.
(b) Governing Law; Venue. This Agreement is governed by the laws of the State of Ohio, excluding its conflict-of-laws principles. The exclusive venue for any dispute relating to this agreement shall be any state or Federal court located in Cuyahoga County, Ohio.
(c) Force Majeure. Neither Party will be in default or liable for delays and shall be excused from performance for any period during which, and to the extent that, such Party or any agent, contractor, or service provider of such Party is prevented from performing any obligation or Service hereunder, in whole or in part, as a result of causes beyond its reasonable control and without its fault or negligence, including without limitation, acts of God, strikes, lockouts, riots, acts of terrorism or war, epidemics, communication line failures, and power failures.
(d) Notices. Any notice given pursuant to this Agreement shall be in writing (which includes email and facsimile) and shall be given by personal service, electronic mail, facsimile, or by overnight courier (e.g., FedEx or UPS) to the addresses provided herein.
(e) Section Headings. Section headings are for reference purposes only, and do not affect the construction, interpretation, or meaning of any provision of this Agreement.
(f) Miscellaneous. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same agreement. The Parties agree that a facsimile signature or signature delivered by other electronic delivery (e.g., by PDF) will substitute for and have the same legal effect as the original signature. The failure of any Party to require performance by the other Party of any provision will in no way affect that Party's right to enforce such provisions, and the waiver by any Party of any breach of any provision of this Agreement will not be taken or held to be a waiver of any further breach of the same provision. This Agreement constitutes the entire agreement between the Parties and supersedes any and all previous representations, understandings, or agreements between You and Us as to the subject matter hereof. If any part of this Agreement shall be held to be unenforceable, the rest of the Agreement will nevertheless remain in full force and effect.
Survival. All provisions of this Agreement that by their nature extend beyond the expiration or termination of this Agreement, such as, without limitation, those concerning defense and indemnification, confidential information and intellectual property rights, shall survive and remain enforceable and shall apply to either Party’s successors and permitted assigns.
(End of Document)
Data Processing Addendum
This Data Processing Addendum (“DPA”) applies to the extent that we have access to, or otherwise Process, Customer Personal Data for, or on the behalf of, Customer. This DPA is intended to supplement the Agreement and in the event of a conflict between this DPA and the Agreement, the terms and conditions set forth in this DPA shall supersede and control with respect to the conflict. For the avoidance of doubt, the terms or conditions set forth in the Agreement that are not otherwise addressed herein shall remain in full force and effect. Each capitalized term that is used, but not defined in this DPA, shall be ascribed the meaning in the Agreement.
1. Definitions. For purposes of this DPA, the following terms shall apply:
1.1. California Consumer Privacy Act (CCPA) means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and other applicable amendments and regulations thereto.
1.2. Customer Personal Data means Personal Data, in any form or format, that we have access to, or otherwise Process, for, or on the behalf of, Customer pursuant to the Agreement and Services rendered thereunder.
1.3. Data Protection Law means all laws, statutes, and regulations applicable to the Processing of Customer Personal Data, including the CCPA.
1.4. Data Subject means the natural person whose Personal Data is Processed by us.
1.5. Documented Instructions means the Processing terms and conditions set forth in the Agreement and this DPA.
1.6. Information System means any information or telecommunication system, network, equipment, hardware, or software employed or otherwise used with respect to the Processing of Customer Personal Data.
1.7. Personal Data means any information or data that, alone or in combination with other information or data, can be used to reasonably identify a particular individual or device, and is subject to, or otherwise afforded protection under, an applicable Data Protection Law.
1.8. Process means any action performed on Customer Personal Data, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transfer or otherwise making available, alignment or combination, restriction, deletion, or destruction.
1.9. Sale or Sell shall be ascribed the meaning set forth in the CCPA.
1.10. Share or Sharing shall be ascribed the meaning set forth in the CCPA.
1.11. Security Event means a breach of security of an Information System leading to a compromise to the security, confidentiality, availability, or integrity of Customer Personal Data.
1.12. Services means the professional, technology, or consulting services, or other products, goods, or services that we furnish to Customer pursuant to the Agreement.
1.13. Subprocessor means any third party engaged by us to Process Customer Personal Data on our behalf.
2. Data Protection.
2.1. General Obligations. Each party acknowledges and agrees that Customer Personal Data may contain Personal Data concerning Customer’s employees and staff. Customer retains all rights, title, and interest in Customer Personal Data, and Customer will be solely responsible for the accuracy, quality, and legality of Customer Personal Data. Customer hereby appoints us to Process Customer Personal Data on Customer’s behalf and grants us a limited, revocable, nonexclusive right to Process Customer Personal Data in accordance with the Documented Instructions. In the event we are compelled by law to Process Customer Personal Data beyond, or in conflict with, the Documented Instructions, we shall notify Customer of the same prior to such Processing, unless such prior notification is expressly prohibited by law. We shall, promptly and without delay, notify Customer if, in our reasonable judgment, the Documented Instructions infringe upon any applicable Data Protection Law.
2.2. CCPA/CPRA Disclaimer. Each party acknowledges and agrees that the disclosure of Customer Personal Data to the other does not constitute, and is not the intent of either party for such disclosure to constitute, a Sale or Sharing of Customer Personal Data, and if valuable consideration, monetary or otherwise, is being provided by either party, such valuable consideration, monetary or otherwise, is being provided for the rendering of Services and not for the disclosure of Customer Personal Data. We (i) shall not collect, retain, use, or disclose Customer Personal Data for any purpose (including for any commercial purpose) other than for the specific purpose of performing the Services, unless otherwise required by law, (ii) shall not Sell or Share Customer Personal Data, except as necessary to satisfy its obligations under the Agreement, (iii) shall not collect, retain, use, or disclose Customer Personal Data outside the direct business relationship between Company and Customer, unless expressly permitted by law, and (iv) shall, at Customer’s reasonable request, cease any unauthorized Processing of Customer Personal Data and grant Customer authorization to assess and remediate any such unauthorized Processing. This DPA is our certification, to the extent the CCPA or any other applicable Data Protection Law requires such a certification, that we understand and will comply with the Processing limitations with respect to Customer Personal Data that are set forth in the Documented Instructions. The parties acknowledge and agree that the “business purpose” for which we Process Customer Personal Data is to assist Customer to create employee staffing models and undertake business development opportunities.
3. Confidentiality and Information Security.
3.1. Confidentiality. We shall (i) maintain the confidentiality of all Customer Personal Data and ensure that all individuals who are authorized to Process Customer Personal Data on its behalf have committed themselves to confidentiality, (ii) limit access to Customer Personal Data to only those individuals who have a business need for such access, and (iii) take reasonable steps to ensure the reliability of all individuals who have access to Customer Personal Data.
3.2. Information Security. We shall implement and maintain commercially reasonable technical, physical, and administrative security controls to protect and safeguard Customer Personal Data, including written policies that describe such security controls and set forth responsibilities and obligations applicable to individuals who have access to an Information System.
4. Cooperation and Assistance; Return of Customer Personal Data.
4.1. General Assistance. We shall provide reasonable assistance to Customer to enable Customer to (i) comply with its obligations and responsibilities under any applicable Data Protection Law, including with respect to Data Subjects exercising their rights and privileges under applicable Data Protection Laws, (ii) undertake data protection impact assessments, and (iii) comply with requests or demands from supervisory authorities.
4.2. Data Notice and Response. We shall, immediately and without delay, refer to Customer any correspondence, inquiry, complaint, request, or demand (collectively or individually, a “Data Notice”) concerning the Processing of Customer Personal Data and shall not respond to any such Data Notice unless otherwise required by law. Notwithstanding the foregoing, in response to any such Data Notice, we may furnish Customer’s email contact information and request the Data Notice be submitted directly to Customer. Upon written request from Customer, we shall promptly (and in any event within thirty (30) business days) provide access to, amend, correct, delete, or cease Processing, Customer Personal Data in its custody or control.
4.3. Return or Destruction of Customer Personal Data. Upon termination of the Services, we shall, within a maximum period of sixty (60) calendar days and at Customer’s choice: (i) return to Customer all Customer Personal Data and all copies thereof by secure file transfer in such a format as required by Customer, or (ii) destroy, and certify the destruction of, all other copies of Customer Personal Data, unless storage of such data is required by law. Notwithstanding the foregoing, we may destroy Customer Personal Data that is stored in a back-up or archived format in accordance with its normal retention schedule, provided such Customer Personal Data is otherwise retained in accordance with this DPA.
5. Security Event Procedures. We shall, to the extent legally required, provide written notice to Customer of any Security Event, and this written notification shall, to the greatest extent possible, include a description of (i) the nature of the Security Event, (ii) the categories of Customer Personal Data affected by the Security Event, (iii) the approximate number of individuals affected by the Security Event, (iv) any potential legal or regulatory consequences that may arise from the Security Event, and (v) the measures taken or proposed to be taken to address the Security Event. In the event of a Security Event, we will designate a senior employee to serve as Company’s single point of contact from whom Customer can obtain more information about the Security Event. We shall provide reasonable assistance to Customer to investigate or otherwise respond to a Security Event, and enable Customer to meet any legal obligation it may have to give notice of the Security Event to any affected Data Subject, a governmental or regulatory authority, or any other individual or entity. Any and all assistance furnished by Company pursuant to this Section 5 of this DPA shall not be construed or otherwise interpreted as an admission of fault, negligence, or liability by us.
6. Audits. We (i) shall upon request (but not more frequently than annually) respond to questionnaires and similar requests for information provided by Customer to demonstrate our compliance with our obligations under this DPA, (ii) may use (in Company’s sole discretion) independent external auditors to verify the adequacy of its written information security program and, at least annually, provide (if available) Customer with its most recent third-party attestations, certifications, and reports relevant to the establishment, implementation, and effectiveness of Company’s information security program. If the information and reports described in the foregoing (i) and (ii) do not demonstrate, in Customer’s reasonable judgment, our compliance with our obligations and responsibilities set forth in this DPA, Customer may, where required by law, conduct an inspection, test, or audit of our business operations, or have the same conducted by a qualified third party subject to a nondisclosure agreement, provided (i) Customer furnishes us at least thirty (30) days’ advance written notice, (ii) the inspection, test, or audit is conducted during our regular business hours, and (iii) the inspection, test, or audit is conducted in a manner that does not materially interrupt our business operations. Customer shall be solely responsible for all reasonable costs and fees associated with the inspection, test, or audit described herein. Customer shall immediately provide the results or conclusions of any inspection, test, or audit conducted to us.
7. Subprocessors. Customer hereby acknowledges and agrees that we may authorize the use of Subprocessors to assist with its provision of Services to Customer, provided Company executes with any such Subprocessor a written agreement that contains terms and conditions that are substantially similar to the terms and conditions set forth in this DPA. Company shall undertake all reasonable efforts to ensure that any such Subprocessor can comply, and is in compliance, with the terms and conditions set forth in this DPA. We shall, at any and all times, remain liable to Customer for any and all acts or omissions of a Subprocessor.