THIS MASTER SUBSCRIPTION AGREEMENT (“MSA”) (in the version dated October 8, 2021) GOVERNS THE USE BY ANY PERSON OR ENTITY (“CUSTOMER”) OF THE APPLICATION SERVICES (AS DEFINED BELOW) PROVIDED BY ADVERITY GMBH (“ADVERITY”) WITH COMPANY REGISTRATION NUMBER 448481 g. BY ENTERING A COMMERCIAL AGREEMENT (AS DEFINED BELOW) THAT REFERENCES THIS MSA, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS MSA.
Customer and Adverity may be referred to herein individually as a “Party” and collectively as the “Parties.” The MSA shall enter into force upon conclusion of the Commercial Agreement.
“Account” means the account for the Platform, created by each user to access the Application Services. The Account is strictly limited to the use by one user.
“Affiliate” means an affiliated entity pursuant to Section 189a No. 8 Austrian Commercial Code (Unternehmensgesetzbuch) and/or an associated entity pursuant to Section 189a No. 9 Austrian Commercial Code (Unternehmensgesetzbuch).
“Application Services” means the products and services offered by Adverity, which Customer orders based on a Commercial Agreement and Adverity makes available online via a password-protected customer login.
“Commercial Agreement” means the documents for placing orders for Application Services hereunder that are entered between Customer and Adverity, including addenda and supplements thereto. By entering into a Commercial Agreement, an Affiliate of Customer agrees to be bound by the terms of this Commercial Agreement as if it was an original Party hereto. This MSA forms an integral part of the Commercial Agreement.
“Confidential Information” shall have the meaning set forth in Section VI.
“Customer Data” means all electronic data or information submitted by Customer to the Application Services.
“Customer Support” shall have the meaning set forth in Section III.4.
“Effective Date” means the date on which the Commercial Agreement is concluded between the Parties.
“Malicious Code” means viruses, worms, time bombs, trojan horses and other harmful or malicious code, files, scripts, agents, or programs.
“Platform” refers to a specific URL, provided by Adverity, where the Application Services are operating.
“Services” means the Application Services and Professional Services collectively.
“Subscription” means the provision of the Application Services from Adverity to Customer via the Platform.
“Subscription Start Date” means the date on which Adverity will make the Application Services available to Customer as set forth in an applicable Commercial Agreement.
“Subscription End Date” means the date on which Adverity will withdraw the Application Services from Customer as set forth in an applicable Commercial Agreement.
“Subscription Term” means the subscription period set forth in an applicable Commercial Agreement.
“Term” shall have the meaning set forth in Section X.1.
“User Guide” means online help, training, how-to documents and explanatory materials that assist Customers in using the Application Services (as such materials may be updated from time to time), accessible via log-in to the Application Services or otherwise as made available by Adverity.
II. Application Services
II.1. Provision of Application Services
Adverity shall make the Application Services available to Customer pursuant to this MSA and terms and conditions of the Commercial Agreement during each Subscription Term. Customer agrees that Customer’s purchases hereunder are neither contingent on the delivery of any future functionality or features, nor dependent on any oral or written public comments made by Adverity regarding future functionality or features.
Unless otherwise specified in the Commercial Agreement:
- Application Services are purchased as Subscriptions and may be accessed only in accordance with the Commercial Agreement;
- Additional Application Services may be added during the applicable Subscription Term on terms agreeable to both Parties; and
- The added Application Services shall terminate on the same date as the pre-existing Subscriptions.
III. use of application services
III.1. Use of Application Services
- Provide Customer Support for the Application Services to Customer in accordance with Section III.4. at no additional charge, or upgraded support if purchased;
- Use commercially reasonable efforts to make the Application Services available 24 hours a day, 7 days a week, except for
- planned downtime (of which Adverity shall give at least 24 hours’ notice online via the Application Services or via email), or
- any unavailability caused by circumstances beyond Adverity’s reasonable control, including – without limitation – acts of God, acts of government, floods, fires, earthquakes, civil unrest, acts of terror, pandemic or widespread illness as identified by the World Health Organization, strikes or other labor problems, failures, downtime or delays by an Internet service provider, hosting provider, or third-party platform, or denial of service attacks.
III.2. Customer Responsibilities
- Customer shall:
- be responsible for its compliance with this MSA;
- be responsible for the accuracy, quality and legality of Customer Data and of the means by which Customer acquires the Customer Data;
- use all reasonable efforts to prevent unauthorized access to, or use of, the Application Services, and notify Adverity promptly of any such unauthorized access or use;
- use the Application Services only in accordance with the User Guide and applicable laws and government regulations; and
- use each registration and each user-account exclusively by one user. The joint use of a single user-account by several people or the transfer of the user-account to a third party, either against payment or for free, is forbidden.
- Customer shall not:
- make the Application Services available to anyone other than its employees who are authorized by Customer to use the Application Services;
- sell, resell, rent, or lease the Application Services or the right to use them;
- use the Application Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party rights;
- use the Application Services to store or transmit Malicious Code;
- interfere with or disrupt the integrity or performance of the Application Services or third-party data contained therein;
- attempt to gain unauthorized access to the Application Services or their related systems or networks; or
- use the Services beyond the scope permitted in writing.
- Adverity shall be entitled (but not obliged) to verify at its own cost that Customer is following its responsibilities pursuant to this Section III.2. In the event Customer breaches any provision of this Section III.2, Adverity may, in addition to any other rights which Adverity may have under this MSA or by law, temporarily suspend Customer’s access to the Application Services.
III.3. Transfer of Application Services
- The Customer subscribes to the Application Services for its own use and shall not enable access to any third party (e.g. Customer’s Clients, Customer’s affiliates, etc), either against payment or free of charge. For such purposes a separate Commercial Agreement or an extension of the Subscription are necessary and can be provided.
- Nothing in this MSA shall prevent the Customer from making any data and information obtained from the Application Services available to third parties via the data provisioning features or the dashboard sharing and export functionalities of the Application Services.
III.4. Technical and User Support
- Adverity will provide Customer with Technical and User Support during the Subscription Term as defined in the Commercial Agreement.
- Any problems and/or issues reported by Customer will be resolved within the restoration time specified in the Commercial Agreement. Restoration Time starts from the time Adverity becomes aware of the respective problem/issue.
- Customer Support does not include Implementation/Professional Services, programming, detailed or specialized maintenance, provision of enhancements, or support in different components that are not part of the Application Services.
IV. Fees and Payment
IV.1. Service Fees
Customer shall pay all fees specified in all Commercial Agreements executed hereunder. Except as otherwise specified in the Commercial Agreement, fees are based on the Services purchased and not actual usage. The Services purchased cannot be decreased during the relevant Subscription Term.
Customer shall reimburse Adverity for reasonable travel and other out-of-pocket expenses incurred in conjunction with the Professional Services.
IV.3. Invoicing and Payment
Adverity shall invoice Customer for all Services listed in the Commercial Agreement for the initial Subscription Term and any renewal Subscription Term(s) as set forth in Section X.2. Adverity will invoice Customer in advance and otherwise in accordance with the relevant Commercial Agreement. Unless otherwise stated in the Commercial Agreement, invoiced charges are due net 30 days from the invoice date. Customer is responsible for providing complete and accurate billing and contact information to Adverity and notifying Adverity of any changes to such information.
IV.4. Overdue Charges
If any amounts invoiced are not received by Adverity by the due date, then, without limiting Adverity’s rights or remedies,
- such charges may accrue late interest at the statutory rate; and
- Adverity may condition future Subscription renewals and Commercial Agreements on payment terms shorter than those specified in Section IV.3.
IV.5. Suspension of Application Services and Acceleration
If any amount owed by Customer under this or any other agreement for the Services is 30 days or more overdue, Adverity may, without limiting Adverity’s other rights and remedies, accelerate Customer’s unpaid fee obligations under such agreements so that all such obligations become immediately due and payable, and suspend provision of the Services to Customer until such amounts are paid in full. Adverity will give Customer at least 7 days prior notice that Customer’s account is overdue, in accordance with Section XII.1, before suspending Services to Customer.
IV.6. Payment Disputes
Adverity shall not exercise its rights under Section IV.4. or IV.5. if Customer is disputing the applicable charges reasonably and in good faith and is cooperating diligently to resolve the dispute; provided, however, Customer shall not be entitled to offset its own claims against any claim of Adverity under this MSA (or to claim any right of retention) unless Customer’s counterclaim is:
- undisputed by Adverity; or
- confirmed by a binding court decision that cannot be appealed.
Unless otherwise stated, Adverity’s fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including but not limited to value added, sales, use or withholding taxes, assessable by any local, state, provincial, federal or foreign jurisdiction (collectively, “Taxes”). Customer is responsible for paying all taxes associated with Customer’s purchases hereunder. If Adverity has the legal obligation to pay or collect taxes for which Customer is responsible, the appropriate amount shall be invoiced to and paid by Customer in addition, unless Customer provides Adverity with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Adverity is solely responsible for taxes assessable against Adverity based on Adverity’s income, property, and employees.
V. Proprietary Rights
V.1. Reservation of Rights
Subject to the limited rights expressly granted hereunder, Adverity reserves all rights, title and interest in and to the Application Services, including all related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth herein.
Customer shall not:
- modify, copy, or create derivative works based on the Application Services;
- reverse engineer the Application Services; or
- access the Application Services to
- build a competitive product or service, or
- copy any ideas, features, functions, or graphics of the Application Services.
- The above shall not limit any rights of Customer arising out of mandatory statutory legislation.
V.3. Customer Data
As between Customer and Adverity, Customer shall own all Customer Data, including all reports, statistics, and other data to the extent generated solely from Customer Data, and all intellectual property rights therein.
Adverity shall own all rights, title and interest, including all intellectual property rights, in and to any improvements to the Application Services or any new programs, upgrades, modifications or enhancements developed by Adverity in connection with rendering the Application Services to Customer, even when refinements and improvements result from Customer’s request or suggestion. In the case that the intellectual property rights of such refinements and improvements are not automatically transferred to Adverity by virtue of this MSA or otherwise, Customer hereby transfers and assigns (and, if applicable, shall cause its Affiliates to transfer and assign) to Adverity all rights, title, and interest which Customer or its Affiliates may have in or to such refinements and improvements.
V.5. Publicity; Trademarks
Neither Party may issue press releases or any other public announcement of any kind relating to this MSA without the other Party’s prior written consent (email is sufficient). Notwithstanding the foregoing, during the Term, either Party may include the name and logo of the other Party in lists (including on its website) of customers or vendors in accordance with the other Party’s standard logo and/or trademark usage guidelines. In addition, Adverity may use the trademarks and trade names of Customer solely in connection with its authorized provision of the Services. Except as set forth herein, neither Party may use the trademarks and trade names of the other Party without the prior written consent of the other Party.
VI.1. Definition of Confidential information
- As used herein, “Confidential Information” means all information disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Customer Confidential Information shall include Customer Data; Adverity Confidential Information shall include the Application Services; and Confidential Information of each Party shall include the terms and conditions of this MSA and all Commercial Agreements.
- Confidential Information also includes:
- technical and business information relating to proprietary ideas, patentable ideas and/or trade secrets, existing and/or contemplated products and services, research and development, production, costs, profit and margin information, finances and financial projections, customers, clients, marketing, and current or future business plans and models, regardless of whether such information is designated as “Confidential Information” at the time of its disclosure;
- any Application Services or product related information of Adverity GmbH platforms as well as data transferred via the platforms;
- in addition to the above, Confidential Information shall also include, and the Parties shall have a duty to protect, other confidential and/or sensitive information which is (I.) disclosed as such in writing and marked as confidential (or with other similar designation) at the time of disclosure; and/or (II.) disclosed by in any other manner and identified as confidential at the time of disclosure and is also summarized and designated as confidential in a written memorandum delivered within thirty (30) days of the disclosure.
- Confidential Information shall not include any information that:
- is in possession of the Receiving Party prior to receipt from the Disclosing Party;
- is or becomes publicly known, otherwise than as a consequence of a breach of this MSA;
- is developed independently by the Receiving Party;
- is disclosed by the Receiving Party to satisfy a legal demand by a competent court of law or governmental body or by any applicable regulatory authority or security exchange; or
- is disclosed to a third party pursuant to written authorization from the Disclosing Party.
VI.2. Protection of Confidential Information
The Receiving party:
- shall use the same degree of care that it uses to protect the confidentiality of its own Confidential Information (but in no event less than reasonable care);
- will not disclose, utilize, employ, exploit or in any other manner use the Confidential Information disclosed by the Disclosing Party for any reason or purpose other than to fulfil its (pre-contractual) obligations arising out of cooperation between the Parties;
- except as otherwise authorized by the Disclosing Party in writing, to limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees, contractors, and agents who need such access for
purposes consistent with this MSA and who have signed agreements with the Receiving Party containing protections no less stringent than those herein. Neither Party shall disclose the terms of this MSA or any Commercial Agreement to any third party, other than its Affiliates and their legal counsel and accountants, without the other Party’s prior written consent.
The obligations under Section VI. of each of the Parties shall continue, even if the contractual relationship between them has ended, without any restriction. Regarding the end of the contractual relationship, reference is made
to Section VI.5.
VI.3. Compelled Disclosure
The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.
VI.4. Unintentional Disclosure and Remedies
- If the Receiving Party discloses Confidential Information in violation of the terms of this Section VI., the Disclosing Party shall be promptly notified of such disclosure in writing after such disclosure.
- The Parties each expressly agree that due to the unique nature of the Disclosing Party’s Confidential Information, monetary damages may be inadequate to compensate the Disclosing Party for any breach by the Receiving Party of its covenants and agreements set forth in this Section VI. Accordingly, the Parties each agree and acknowledge that any such violation or threatened violation shall cause irreparable injury to the Disclosing Party and that, in addition to any other remedies that may be available, in law, in equity or otherwise, the Disclosing Party shall be entitled to seek injunctive relief against the threatened breach of this Section VI. or the continuation of any such breach by the Receiving Party.
- Each Party warrants that it has the right to disclose all Confidential Information that it discloses to the other Party. Each Party will indemnify and defend the other from all third-party claims resulting from the negligent or wrongful
disclosure by the indemnifying Party of a third-party’s confidential information.
VI.5. Request for Return
The Disclosing Party may request in writing at any time that any Confidential Information disclosed to the Receiving Party be returned with a written statement to the effect that upon such return it has not retained in its possession or under its control, either directly or indirectly, any Confidential Information. The Receiving Party shall comply with any such request within fourteen (14) days of receipt of such request. If the Receiving Party objects to such request for return, the Confidential Information shall be destroyed upon request by the Disclosing Party. In such case the Receiving Party shall provide the Disclosing Party with a written statement under oath certifying that the respective Confidential Information has been destroyed.
VI.6. Proprietary Rights concerning Confidential Information
Section V. shall apply mutatis mutandis.
VI.7. Right to Control
The Receiving Party will provide the Disclosing Party upon request with a complete and up-dated list of those of its employees and professional advisors, agents and consultants who are or will be provided with the Confidential Information.
VII. Warranties; Disclaimers
Each Party represents that it has validly entered into this MSA and has the legal power to do so, that the signatory of the Commercial Agreement that references this MSA has the authority to bind the applicable organization, and this MSA constitutes the legal, valid, and binding obligation of each party, enforceable in accordance with its terms.
VII.2. Adverity Warranties
Application Services. Adverity warrants that:
- the Application Services shall perform materially in accordance with the User Guide and as outlined in the Commercial Agreement; and
- Adverity will not transmit Malicious Code to Customer, provided that Adverity is not in breach of this subpart (b.) if Customer uploads a file containing Malicious Code into the Application Services and later downloads that file containing Malicious Code.
For any breach of a warranty above, Customer’s exclusive remedy shall be as provided in Sections X.3.; X.4. and X.5. below.
VII.3. Customer Warranties
Customer represents and warrants that:
- the Customer Data shall not infringe on any copyright, patent, trade secret, or other proprietary right held by any third party; and
- Customer shall not use the Application Services in a manner that violates any applicable legislation or any regulation relating to individual privacy.
VII.4. Beta Services
From time to time, Adverity may invite Customer to try, at no charge, Adverity products or services that are not generally available to Adverity customers (“Beta Services”). Any Beta Services will be clearly designated as beta, pilot, limited release, developer preview, non-production, or by a description of similar import. Beta Services are provided for evaluation purposes and not for production use, are not supported, may contain bugs or errors, are subject to change in Adverity’s sole discretion, and may be subject to additional terms. Customer shall immediately inform Adverity of any bugs or errors experienced, and otherwise provide its feedback to, and cooperate with, Adverity on Beta Services as reasonably requested by Adverity. Beta services are provided “as is” with no express or implied warranty, and Adverity disclaims any and all liability for beta services, except in cases of section IX.4. Adverity may discontinue Beta Services at any time in Adverity’s sole discretion and may never make them generally available.
- Any (optimization) recommendations, suggestions or forecasts created by the Application Services and based on the data provided by Customer are not guaranteed to be correct. Adverity makes no warranties or representations, express, implied, or otherwise regarding the accuracy, completeness, or performance of the provided information. Customer acknowledges that Adverity cannot be held liable at any time for any losses due to decisions or transactions made based on this information.
- Except as expressly provided in this MSA, Adverity makes no representations, warranties, terms, conditions, or statements, express or implied, statutory or otherwise regarding any matter, including the merchantability, suitability, or fitness for a particular use or purpose, or that the operations of the Application Services will be uninterrupted or error-free.
VIII.1. Indemnification by Adverity
Adverity shall defend Customer against any claim, demand, suit, or proceeding made or brought against Customer by a third party alleging that the use of the Application Services as permitted hereunder infringes or misappropriates the intellectual property rights of a third party (a “Claim Against Customer”), and shall indemnify Customer for any damages, attorneys’ fees and other costs finally awarded against Customer as a result of, and for amounts paid by Customer under a court approved settlement of, a Claim Against Customer; provided that Customer:
- promptly gives Adverity written notice of the Claim Against Customer;
- gives Adverity sole control of the defense or settlement of the Claim Against Customer (provided that Adverity may not settle any Claim Against Customer unless the settlement unconditionally releases Customer of all liability); and
- provides to Adverity reasonable assistance, at Adverity’s expense. If Adverity receives information regarding an infringement, misappropriation, or other claim, Adverity may in Adverity’s discretion, and at no cost to Customer
- modify the Application Services, so that they no longer infringe, misappropriate, or give rise to any other claim, without breaching Adverity’s warranties under Section VII.2 above;
- obtain a license for Customer’s continued use of the subject Application Services in accordance with this MSA; or
- terminate Customer’s Subscriptions for such Application Services upon 30 days’ written notice and refund to Customer any prepaid fees covering the remainder of the term of the terminated Subscriptions.
Adverity shall have no obligation to indemnify Customer to the extent any Claim Against Customer arises from Customer’s breach of the terms of this MSA.
VIII.2. Indemnification by Customer
Customer shall defend Adverity against any claim, demand, suit or proceeding made or brought against Adverity by a third party alleging that Customer Data, or Customer’s use of the Application Services in breach of this MSA, infringes or misappropriates the intellectual property rights of a third party or violates applicable law (a “Claim Against Adverity”), and shall indemnify Adverity for any damages, attorneys’ fees and other costs finally awarded against Adverity as a result of, or for any amounts paid by Adverity under a court-approved settlement of, a Claim Against Adverity; provided that Adverity:
- promptly gives Customer written notice of the Claim Against Adverity;
- gives Customer sole control of the defense or settlement of the Claim Against Adverity (provided that Customer may not settle any Claim Against Adverity unless the settlement unconditionally releases Adverity of all liability); and
- provide to Customer all reasonable assistance, at Customer’s expense.
VIII.3. Exclusive Remedy
This Section VIII. defines the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section.
IX. Limitation of Liability
IX.1. General Limitation of Liability
In case of material or pecuniary damages caused by not more than ordinary negligence, Adverity and its assistants shall only be liable for breaches of essential contractual obligations, but limited to an amount of damages which could have been anticipated upon signing and which are typical for the contract. Nothing in this MSA shall limit or exclude either Party’s liability for death or personal injury caused by its negligence; or for fraud or fraudulent misrepresentation; or any other liability that may not be excluded or limited by law.
IX.2. Limitation of Amount of Liability
Irrespective of Section IX.1 Adverity’s total liability for Customer’s claims arising in any contract year under or in connection with this MSA shall be limited to:
- the total of all fees paid by Customer to Adverity in a 12-month period preceding the damaging event; or
- 50,000 EUR, whichever is higher.
IX.3. Indirect Damages
Adverity’s liability for indirect damages, consequential damages and loss of profit shall be fully excluded in any case.
IX.4. Application of Limitations of Liability
The limitations of liability contained in Sections IX.1 through IX.3 shall not apply to contractual guarantees, damages caused intentionally or by gross negligence, or damages to life or limb. Other than that, they shall apply to any and all damage claims under or in connection with this MSA, irrespective of the legal theory on which they are based (including tort claims).
IX.5. Loss of Data
Adverity shall not be liable for any loss of, or damage to, data or programs to the extent that such loss or damage would have been avoided or mitigated by adequate preventative measures of Customer.
IX.6. Application of Direct Claims
The foregoing limitations of liability shall also apply to any direct damage claims which Customer may have against employees or representatives of Adverity.
Adverity undertakes to maintain adequate insurance cover for potential liability claims which may arise under or in connection with this MSA.
X. Term and Termination
X.1. Term of Agreement
The term of this MSA is governed by the Subscription granted by the Commercial Agreement. The Commercial Agreement commences on the Effective Date and continues until all Subscriptions granted in accordance with the Commercial Agreement have expired or been terminated (“Term”).
X.2. Term of Subscriptions
Subscriptions to the Application Services commence on the Subscription Start Date specified in the applicable Commercial Agreement and continue for the Subscription Term specified therein. Except as otherwise specified in the applicable Commercial Agreement, all Subscriptions shall automatically renew for additional periods equal to the expiring Subscription Term or one year (whichever is higher), unless either party gives the other notice of non-renewal at least 90 days before the end of the relevant Subscription Term. The per-unit pricing during any such renewal term is based on the highest Subscription Fee previously paid unless Adverity has given Customer written notice of a pricing increase at least 90 days before the end of the last possible termination date for the renewal term, in which case, if Customer does not terminate, the pricing increase shall be effective upon renewal and thereafter. Any such pricing increase shall not exceed 7% of the pricing for the relevant Application Services in the immediately prior Subscription Term, unless the pricing in such prior term was designated in the relevant Commercial Agreement as promotional or one-time and an increase is already stated in the Commercial Agreement.
X.3. Termination for Cause
A party may terminate this MSA for cause any time, in particular:
- upon 30 days’ written notice to the other party of a material breach if such breach remains uncured at the expiration of such period; or
- if the assets of the other party become the subject of a petition in bankruptcy or in any other similar proceeding.
X.4. Refund or Payment upon Termination
Upon any termination for cause by Customer, Adverity shall refund Customer any prepaid fees covering the remainder of the Term after the Effective Date of termination. Upon any termination for cause by Adverity, Customer shall pay any unpaid fees covering the remainder of the term of all Commercial Agreements after the Effective Date of termination. In no event shall any termination relieve Customer of the obligation to pay any fees payable to Adverity for the period prior to the Effective Date of termination.
X.5. Return of Customer Data
For a period of 7 days after termination of this MSA, Customer Data remains stored in the Application Services. At the conclusion of the 7-day period, Adverity shall delete the Customer Data from the Application Services and shall destroy any corresponding documents under its control, except to the extent that Adverity is bound by law to continue storing such Customer Data.
X.6. Surviving Provisions
Section IV (Fees and Payment), Section V (Proprietary Rights), Section VI (Confidentiality), Section VII (Warranties; Disclaimers), Section VIII (Indemnification), Section IX (Limitation of Liability), Section X.4 (Refund or Payment upon Termination), Section X.5 (Return of Customer Data), Section X.6 (Surviving Provisions), and Section XII (Miscellaneous) shall survive any termination or expiration of this MSA.
Adverity may use subcontractors to perform the Services, if:
- Customer agrees thereto in advance; or
- Adverity executes a written agreement with such subcontractor that obligates such subcontractor to protect Customer and Customer Data to the same extent as is required of Adverity hereunder. Upon request, Adverity shall disclose such subcontractors to Customer.
Adverity shall be responsible for all acts and omissions of any such subcontractor to the same extent as if Adverity had performed the Services.
Except as otherwise specified in this MSA, all notices, permissions and approvals hereunder shall be in writing. Billing-related notices to Customer shall be addressed to the relevant billing contact designated by Customer, and legal notices, such as notices of termination or an indemnifiable claim, to Customer shall be addressed to Customer. All other notices to Customer shall be addressed to the relevant administrator designated by Customer.
XII.2. Relationship of the Parties
The Parties are independent contractors. This MSA does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.
XII.3. Agreement to Governing Law and Jurisdiction
This MSA as well as the Commercial Agreement shall be governed exclusively by the laws of Austria (without regard to its conflict of law rules and to CISG). Exclusive legal venue for all disputes under or in connection with this MSA shall be with the courts of Vienna, Austria, having subject matter and territorial jurisdiction. This does not apply to dunning proceedings and to cases of mandatory statutory venues which may not be derogated by party agreement.
XII.4. Export Control
The Application Services, other technology Adverity makes available, and derivatives thereof may be subject to export control laws. Each Party represents that it is not named on any US government or EU denied-party list. Customer shall not permit Users to access or use the Application Services in a US or EU-embargoed country or in violation of any other applicable export control laws.
Adverity guarantees, in general and for the duration of this contract, that it complies with all applicable laws, regulations and rules, including (but not limited to) all anti-corruption laws and regulations. Customer has not received or been offered any illegal bribe, kickback, payment, gift, or thing of value from any of Adverity employees or agents in connection with this MSA. Reasonable gifts and entertainment provided in the ordinary course of business do not violate the above restriction.
XII.6. No Third-Party Beneficiaries
There are no third-party beneficiaries to this MSA.
No failure or delay by either Party in exercising any right under this MSA shall constitute a waiver of that right.
XII.8. Severability Clause
Should individual provisions of this MSA be or become invalid, the remaining clauses of this MSA shall not be affected. The Parties shall replace the invalid provision with a replacement provision which would have been agreed by the Parties pursuant to their original economic intentions. This principle shall also apply in case of any unintentional contractual gaps.
Customer may not assign any of its rights or obligations hereunder without the prior written consent of Adverity. If the assignment of a monetary claim is valid in spite of the prohibition of assignment, Customer shall reimburse all additional costs triggered by the assignment to Adverity; Adverity may provide the Service at its choice with full discharge to Customer or the assignee. Notwithstanding the foregoing, either party may assign this MSA and all rights and obligations arising therefrom in its entirety (including all Commercial Agreements), without consent of the other party, to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party. Subject to the foregoing, this MSA shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
XII.10. Entire Agreement
No modification, amendment, or waiver of any provision of this MSA shall be effective unless made in writing. This applies also to waivers of this requirement of written form.
XII.12. Written Form
Where this MSA provides that statements of a Party must be made in writing it is sufficient to transmit a scanned copy of the statement as a personally signed paper document by fax or email attachment (but not the transmission of the statement as a mere email text), or to digitally sign the statement using the system of the service provider DocuSign or similar. In such a case either Party can subsequently demand that the statement is documented in a personally signed paper document.
XII.13. Order of Precedence
In the event of any conflict between the Commercial Agreement and this MSA, the provisions of the Commercial Agreement shall be prevailing, unless otherwise required by law.
|Document Owner||VP Legal & Compliance|
|Date of Version||2021/10/08|
View outdated Master Subscription Agreements
THIS DATA PROCESSING AGREEMENT (“DPA”) (in the version dated October 8, 2021) GOVERNS THE DATA PROCESSING OPERATIONS BETWEEN THE CUSTOMER (“DATA CONTROLLER”) AND ADVERITY GMBH (“DATA PROCESSOR”) WITH COMPANY REGISTRATION NUMBER 448481 g. BY ENTERING A COMMERCIAL AGREEMENT THAT REFERENCES THIS DPA, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS DPA.
- The Data Controller and the Data Processor have entered into the above-mentioned Commercial Agreement (“Agreement”) under which the Data Processor shall provide certain services to the Data Controller. Within the scope and for the purpose of the performance of the services defined in the Agreement, the Data Processor will process beside other data potentially Personal Data on behalf of the Data Controller.
- The Data Controller and the Data Processor have entered into this DPA in order to fulfill the requirement of a written agreement between a data controller and a data processor of Personal Data as set out in Applicable Data Protection Legislation. In addition to what may be set out in the Agreement, the following shall apply in relation to the Data Processor’s processing of Personal Data on behalf of the Data Controller. Data Subjects, data categories as well as the extent, nature and purpose of data processing are determined by the Agreement, Appendix 1 to this DPA and the Data Controller’s instructions.
All terms used in this DPA are to be understood in accordance with the EU General Data Protection Regulation ((EU) 2016/679 “GDPR”), unless otherwise expressly agreed. The following terms and expressions in this DPA shall have the meaning set out below:
“Applicable Data Protection Legislation” means any national or internationally binding data protection laws or regulations (including but not limited to the GDPR and the Austrian Data Protection Act (“DSG”)) including any requirements, guidelines and recommendations of the competent data protection authorities applicable at any time during the term of this DPA to, as the case may be, the Data Controller or the Data Processor;
“Data Controller” means the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data under this DPA;
“Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller under this DPA;
“Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of the Data Processor as set forth in Art 28 (2) and (4) GDPR and section 4.1 below;
“Personal Data” means any information relating to an identified or identifiable living, natural person
(“data subject”) as set forth in Art 4 (1) GDPR;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means as set forth in Art 4 (2) GDPR.
3. Processing of Personal Data
- The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated by the Data Controller (Appendix 1). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation.
- If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change.
- When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation.
- The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject’s rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation.
- The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.
- The Data Controller authorizes the Data Processor to engage the Sub-processors. All Sub-processors authorized by the Data Controller are acting under the authority and subject to direct instructions of the Data Controller. A list of the current Sub-processors is set out in Appendix 1 for the purposes specified therein. The Data Processor shall notify the Data Controller in writing in advance of any changes, in particular before engaging other Sub-processors in which event the Data Processor shall without undue delay and at the latest 8 weeks prior to transferring any Personal Data to a Sub-processor, inform the Data Controller in writing of the identity of such Sub-processor as well as the purpose for which it will be engaged.
- The Data Controller at its own discretion may object to any such changes within 8 weeks after the Data Processor’s notice.
- The Data Processor shall impose by written agreement, which includes an electronic form, on all Sub-processors processing Personal Data under this DPA (including inter alia its agents, intermediaries and sub-contractors) the same obligations as apply to the Data Processor, in particular the obligations defined in section 4.1 (in particular, procedure of notification to Data Controller and Data Controller’s right to issue direct instructions to Sub-processors) and section 4.2 of this DPA.
5. Transfer to Third Countries
- The location(s) of intended or actual processing of Personal Data is set out in Appendix 1. The Data Processor must not transfer or otherwise directly or indirectly disclose Personal Data outside the European Economic Area without the prior written consent of the Data Controller (which may be refused or granted at its own discretion) and ensure that the level of protection of natural persons guaranteed by the GDPR and as set forth in this DPA is not undermined. Unless otherwise agreed between the Parties, adequate protection in the receiving country shall be secured through an agreement incorporating the European Commission’s Standard Contractual Clauses.
6. Security of Processing
- As set forth in Appendix 2, the Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for the Personal Data and shall continuously review and improve the effectiveness of its security measures. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful loss, alteration or access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the technical and organizational measures to be implemented by the Data Processor shall include, as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- The Data Processor shall without undue delay notify the Data Controller of any accidental or unauthorized access or supposed access to Personal Data or any other actual or supposed, threatened or potential security incidents (Personal Data Breach) after becoming aware of such incidents. The notification shall be in written form and shall at least:
- describe the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the Personal Data Breach;
- describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- include any other information available to the Data Processor which the Data Controller is required to notify the Data Protection Authorities and/or the data subjects.
- The Data Processor will furthermore provide reasonable assistance requested by the Data Controller for the Data Controller to investigate the Personal Data Breach and notify it to the Data Protection Authorities and/or the data subjects as required by Applicable Data Protection Legislation.
- In addition, the Data Processor shall at its own expense immediately take necessary measures to restore and/or reconstruct Personal Data that has been lost, damaged, destroyed or corrupted as a result of the Personal Data Breach.
- The Data Processor undertakes to not disclose or otherwise make the Personal Data processed under this DPA available to any third party, without the Data Controller’s prior written approval. This section 6.5 shall not apply if the Data Processor is required by applicable laws and regulations to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, in which case what is set out in section 3.5 shall apply.
- The Data Processor undertakes to ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data in order to fulfill the Data Processor’s obligations in accordance with this DPA and the Agreement. The Data Processor shall ensure that such personnel (whether employees or others engaged by the Data Processor) (i) has the necessary knowledge of and training in the Applicable Data Protection Legislation to perform the contracted services; and (ii) is bound by a confidentiality obligation concerning the Personal Data to the same extent as the Data Processor in accordance with this DPA.
- The Data Processor requires all of its personnel (employees and Sub-processors) authorized to process Personal Data not to process Personal Data for any other purpose, except on instructions from the Data Controller or unless required by applicable law. The Data Processor shall ensure that this confidentiality obligation extends beyond the termination of employment contracts, Sub-processor contracts, service contracts or the termination of this DPA. This confidentiality obligation shall remain in force after the expiry or termination of the DPA.
- The Data Processor appoints the following person responsible for data protection matters: Mr. Michael Pilz (email@example.com).
7. Audit Rights
- The Data Processor shall allow the Data Controller or an external auditor mandated by the Data Controller to conduct audits, investigations and inspections on data protection and/or data security (“audit”) in order to ensure that the Data Processor or Sub-processors are able to comply with the obligations under this DPA and Applicable Data Protection Legislation and that the Data Processor or Sub-processors have undertaken the required measures to ensure such compliance.
- The Data Processor makes available all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Legislation and assists the Data Controller in the performance of audits.
The Data Processor shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (Data subjects in particular) make claims against the Data Controller on the grounds of an infringement of their personal rights or of data protection law where such infringement is caused by actions of the Data Processor in intentional or gross negligent violation of this DPA. The obligation to indemnify is – except in cases of willful intent or in relation to personal injuries or death – capped with the amount of fees paid by the Controller in the 12 months immediately before the infringing incidence.
- The term of this DPA follows the above-mentioned Agreements.
- In case of a termination of the Agreement, this DPA shall remain in force as long as the Data Processor processes Personal Data for the Data Controller.
- The Data Controller may terminate the Agreement without notice as a result of a breach of the obligations under this DPA by the Data Processor or one of its Sub-processors.
- A notice or other communication to be provided by one party to the other party under this DPA, shall be provided in accordance with the notices provision of the Agreement.
- In case the Data Processor determines that any instruction to process data of the Data Controller violates Applicable Data Protection Legislation or substantial provisions of this DPA (including technical and organizational
measures), it will immediately inform the Data Controller thereof.
11. Measures upon Completion of Processing of Personal Data
- Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same, unless otherwise required by applicable law. When returning the Personal Data, the Data Processor shall provide the Data Controller with all necessary assistance.
- Upon request by the Data Controller, the Data Processor shall provide a written notice of the measures taken by itself or its Sub-processors with regard to the deletion or return of the Personal Data upon the completion of the
12. Final Provisions
- If the Data Controller and the Data Processor have entered into additional agreements in conflict with this DPA, the provisions of this DPA regarding the processing of Personal Data shall take priority, except where such provision is included in the Agreement for the purpose of supplementing this DPA. All other conflicting provisions shall be governed by the provisions of the Commercial Agreement.
- This DPA is governed by the law of the Republic of Austria to the exclusion of the conflict law rules under private international law and the UN Convention on the International Sale of Goods. In the event of all disputes arising from a contract – including disputes about its existence or non-existence – the courts with subject-matter jurisdiction at the registered seat of the Data Processor shall be the exclusive forum.
- If a provision or parts of a provision in this DPA is or becomes ineffective under applicable legislation, this will not affect the effectiveness and validity of the remaining provisions. The contracting parties will replace it by a provision which, in terms of content, is as close as possible to the ineffective provision.
Appendix 1 – Data Processing Instructions
Specify all purposes for which the personal data will be processed by the Data Processor.
|Provide access to Data Processor’s marketing data reporting and analytics Application Services.|
Categories of data
Specify the different types of Personal Data that will be processed by the Data Processor
The following Personal Data is processed by default. If the Data Controller intends to process other categories of Personal Data with the Application Services of the Data Processor, the latter must be notified
Special categories of Personal Data
Specify the different special categories of Personal Data that will be processed by the Data Processor.
|The Controller does not intend to and will not instruct the Processor to process any special categories of Personal Data.
In the event that the Data Controller instructs the Data Processor to process special categories of Personal Data on its behalf, the Data Controller shall ensure that all legal requirements for the processing of such special categories of Personal Data by the Data Processor (esp. those set forth in art. 9 (2) GDPR) are met at all times.
Specify the categories of data subjects whose personal data will be processed by the Data Processor.
The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded.
Specify all processing activities to be conducted by the Data Processor
|Collect, store, and process data to enable access to the Data Processor’s Application Services.|
Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the personal data is processed by such Sub-processor
Applicable in case of Application Services hosting by Data Processor:
Applicable in case of Application Services hosting by Data Controller:
Location of Processing Operations
Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable)
Applicable in case of Application Services hosting by Data Processor:
At the request of the Data Controller, the specific location will be communicated to the Data Controller.
Applicable in case of Application Services hosting by Data Controller:
At the request of the Data Controller, the specific location will be communicated to the Data Controller.
Appendix 2 – Technical and Organizational Measures (“TOMs”)
The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing.
General Description of Measures
Description of Measures Implemented
Access Control (premises)
Preventing unauthorized persons from gaining access to data processing systems
Used hosting provider complies:
Access Control (systems)
Preventing data processing systems from being used without authorization
Access Control (data)
Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization
Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data
Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed
Ensuring that the Personal Data is processed exclusively in accordance with the instructions
Ensuring that Personal Data is protected from accidental destruction and loss
Ensuring that data collected for different purposes can be processed separately
|Document Owner||VP of Legal & Compliance|
|Date of Version||2021/10/08|