Master Subscription Agreement ("MSA") & Data Processing Agreement ("DPA")
Master Subscription Agreement
THIS MASTER SUBSCRIPTION AGREEMENT (“MSA”) (in the version dated 2024-05-09) GOVERNS THE USE BY ANY PERSON OR ENTITY (“CUSTOMER”) OF THE SERVICES (AS DEFINED BELOW) PROVIDED BY ADVERITY GMBH (“ADVERITY”) WITH COMPANY REGISTRATION NUMBER 448481 g. BY ENTERING A COMMERCIAL AGREEMENT (AS DEFINED BELOW) THAT REFERENCES THIS MSA, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS MSA.
Customer and Adverity may be referred to herein individually as a “Party” and collectively as the “Parties”. The MSA shall enter into force upon conclusion of the Commercial Agreement.
The plain language descriptions in this MSA are for reference purposes only, and shall not in any way define, limit, or extend the scope of this Agreement.
Table of Contents
Business Matters
I. SaaS Description and Subscription
II. The Parties’ Roles and Responsibilities
III. Fees and Payment
IV. Term and Termination
Legal Matters
V. Intellectual Property Rights
VI. Warranties
VII. Indemnification
VIII. Liability
IX. Sub-contractors
X. Mutual Confidentiality Clauses
XI. Miscellaneous
XII. Definitions
Business Matters
|
Our MSA in plain language |
Talk legal to me - here is the full text of our MSA |
I. SaaS Description and Subscription
|
Adverity’s Integrated Data Platform is a SaaS solution that streamlines data integration and governance processes. |
1. SaaS Description Adverity’s Integrated Data Platform is a SaaS (Software-as-a-Service) data Platform for connecting, managing, and using data at scale. Adverity automates complex data integration and governance processes, before transferring data to the destination selected by the Customer. Adverity only processes the following personal data by default on behalf of the Customer: login credentials (name, email, IP-address and time-stamp) belonging to the User(s) of Adverity. Adverity`s DPA stipulates the mutual rights and obligations with regards to data protection. |
|
Access to the SaaS is obtained through Subscriptions. Services and features can be added during the Term upon mutual Agreement. |
2. SaaS Subscription Adverity will provide Customer with access to the SaaS as per this Master Subscription Agreement (“MSA”) and the terms outlined in the Commercial Agreement and the Data Processing Agreement (“DPA”) for each Subscription Term. Unless otherwise specified in the Commercial Agreement: a. Adverity's SaaS is Subscription-based; b. additional Services can be added during the applicable Subscription Term, subject to mutual Agreement; c. any added Services will terminate on the same date as the pre-existing Subscriptions, unless agreed otherwise. |
II. The Parties' Roles and Responsibilities
|
Adverity aims for 24/7 availability, except for planned downtime and uncontrollable events, and will provide support as needed during the Subscription Term. Issues reported by Customer are resolved within timeframes as specified in the Commercial Agreement. |
1. Adverity's Responsibilities a. Adverity's obligations include the following: i. Providing Customer Technical and User Support for the SaaS at no extra cost, or upgraded support if purchased. ii. Use commercially reasonable efforts to ensure the SaaS is available 24/7, except for planned downtime or unavailability due to circumstances beyond Adverity's reasonable control, such as acts God, acts of government, floods, fires, earthquakes, civil unrest, acts of terror, pandemic or widespread illness as identified by the World Health Organization, strikes or other labor problems, failures, downtime or delays by an Internet service provider, hosting provider, or third-party platform, or "denial of service attacks". b. Technical and User Support: i. Adverity will provide Technical and User Support as defined in the Commercial Agreement during the Subscription Term. Issues reported by Customer will be resolved within the restoration time specified in the Commercial Agreement, starting from Adverity's awareness of the issue. ii. Customer Support does not cover Implementation/Professional Services/Managed Services/Premium Services, programming, detailed or specialized maintenance, provision of enhancements, or support in different components that are not part of the SaaS. |
|
Here are some Do’s and Don’ts to ensure Customer’s full enjoyment of our Services:
Don'ts:
If necessary, Adverity may check if Customer is following the terms at Adverity’s expense. |
2. Customer Responsibilities a. Customer is responsible for: i. Complying with the Agreement ii. Ensuring the accuracy, quality, and legality of Customer Data and how it is obtained and shared with Adverity. iii. Using all reasonable efforts to prevent unauthorized access to /or use of the SaaS and promptly notifying Adverity of any such incidents. iv. Using the SaaS in line with the Documentation and applicable laws and regulations. v. Ensuring that each registration and User-Account is used exclusively by one User; sharing or transferring accounts is forbidden. b. Customer must not: i. Make the SaaS available to anyone other than its employees or contractors who are authorized by Customer to use them. ii. Sell, resell, rent, or lease the SaaS or the right to use them. iii. Modify, reverse engineer, or use the SaaS to build competitive products. iv. Use the SaaS to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party rights. v. Use the SaaS to store or transmit Malicious Code. vi. Interfere with or disrupt the integrity or performance of the SaaS or third-party data contained therein. vii. Attempt to gain unauthorized access to the SaaS. viii. Use the SaaS beyond the scope permitted in writing. c. Adverity may verify Customer's compliance at its own cost. If Customer breaches any provision of this section, Adverity may, in addition to any other rights that Adverity may have under this MSA or by law, suspend Customer’s access to the SaaS. |
|
Customer subscribes to the SaaS for their own use. However, sharing SaaS-generated data with third parties through the SaaS features created to that effect may be allowed with mutual written consent. |
3. Transfer of SaaS a. Customer subscribes to the SaaS for its own use and shall not enable access to any third party (e.g. Customer’s Clients, Customer’s Affiliates, etc.), either against payment or free of charge. For such purposes, a separate Commercial Agreement or an extension of the Subscription is necessary and can be provided. b. However, nothing in this MSA shall prevent the Customer from making any data and information obtained from the SaaS available to third parties via the data provisioning features or the dashboard sharing and export functionalities of the SaaS, if this is mutually agreed by the Parties in writing. Additional Fees may apply. |
III. Fees and Payment
|
Customer is responsible for paying specified Fees based on Services purchased. Fees may increase annually, and Queries exceeding limits may incur higher Fees. |
1. Service Fees Customer is responsible for paying the Fees specified in the Commercial Agreement. Except as otherwise specified in the Commercial Agreement, Fees are based on the Services purchased and not actual usage. The Services purchased cannot be decreased during the relevant Subscription Term. If a discounted Subscription Fee is agreed for an initial Subscription Term, the List Price applies thereafter. Additional Services purchased separately during the initial Subscription Term are billed separately and are not part of the List Price. |
|
2. Price Increase At any time after the initial 12 months, maximum once per calendar year, Adverity may, at its own discretion, increase the Fees by either 7% or the official inflation rate (based on the Consumer Price Index published in Austria by STATISTIK AUSTRIA Bundesanstalt Statistik Österreich in the month preceding Adverity’s notice of increase), whichever is higher, to support Adverity's continual efforts to expand and enhance its SaaS. Adverity will notify the Customer about an increase in Fees 60 days in advance. |
|
|
3. Query Limit The number of Queries allowed for each calendar month is subject to Adverity’s Fair Use Limit, which is calculated at 50 times the monthly Subscription Fee, translated into Queries (for example, EUR/GBP/USD 3000 monthly Subscription Fee = up to 150k Queries). If Customer exceeds the said monthly Fair Use Limit, Adverity will not immediately increase Customer’s Subscription Fee or limit access to the SaaS. Adverity will evaluate Customer's requirements and assess Customer´s specific needs regularly and reserves the right to increase Fees in case of consistent overuse. |
|
|
Adverity provides its Services remotely. In the event that Customer requests Adverity’s consultants to be on-site, Customer will have to reimburse Adverity for all the travel and out-of-pocket expenses. |
4. Expenses Customer must reimburse Adverity for reasonable travel and other expenses related to Implementation Services, Professional Services, Managed Services or Premium Services. Travel costs shall be agreed with the Customer in advance. |
|
Adverity invoices the Customer for all Services with payment due as agreed in the Commercial Agreement. Late payments may incur interest and debt collection costs, and suspension of Services may occur if payments are 30 days overdue. |
5. Invoicing and Payment Adverity will invoice Customer for all Services in the Commercial Agreement for the initial Subscription Term and renewals as specified in the Commercial Agreement. Customer is responsible for providing complete and accurate billing and contact information to Adverity and notifying Adverity of any changes to such information. |
|
6. Overdue Charges If any amounts invoiced are not received by Adverity by the due date, then, without limiting Adverity’s rights or remedies, a. such charges may accrue late interest at the statutory commercial interest rate; b. Adverity is entitled to a no-fault and no-damage lump-sum compensation of 40 EUR/GBP/USD for reimbursement of debt collection costs for each outstanding debt; and c. Adverity may condition future Subscription renewals and Commercial Agreements on payment terms different than those specified in Section III.5. |
|
|
7. Suspension and Acceleration If Customer is 30 days or more overdue on any payments, Adverity may, without limiting Adverity’s other rights and remedies, accelerate unpaid Fees and suspend Services until payment is received. Customer will receive at least 7 days' notice before Services are suspended. |
|
|
8. Payment Disputes Adverity will not exercise its rights under Sections III.6. and III.7. if Customer is disputing charges reasonably and in good faith and cooperating to resolve the dispute. However, Customer is not entitled to offset its claims against any claim of Adverity under this MSA (or to claim any right of retention) unless Customer’s counterclaim is: a. undisputed by Adverity; or b. confirmed by a binding court decision that cannot be appealed. |
|
|
9. Litigation Costs In case of litigation regarding overdue charges, the prevailing Party is entitled to reasonable legal Fees and court costs. |
|
|
Adverity's Fees don't include taxes. Customer is responsible for paying all relevant taxes. |
10. Taxes Unless otherwise stated, Adverity’s Fees do not include any taxes, levies, duties, or similar governmental assessments of any nature, including but not limited to value-added, sales, use, or withholding taxes, assessable by any local, state, provincial, federal or foreign jurisdiction (collectively, “Taxes”). Customer is responsible for paying all taxes associated with Customer’s purchases hereunder. If Adverity has the legal obligation to pay or collect taxes for which Customer is responsible, the appropriate amount shall be invoiced to and paid by Customer in addition, unless Customer provides Adverity with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Adverity is solely responsible for taxes assessable against Adverity based on Adverity’s income, property, and employees. |
IV. Term and Termination
|
The Agreement's duration depends on the Subscription Term agreed in the Commercial Agreement. |
1. Term of Agreement The Term of the Agreement is governed by the Subscription granted by the Commercial Agreement. The Agreement commences on the Effective Date and remains in effect until all Subscriptions granted under the Commercial Agreement have either expired or been terminated ("Term"). |
|
The Agreement automatically renews for equal periods unless either Party provides at least 90 days' notice before the end of a Subscription Term. |
2. Term of Subscriptions Subscriptions for the SaaS start on the specified Subscription Start Date in the relevant Commercial Agreement and continue for the specified Subscription Term. Unless stated otherwise in the Commercial Agreement, all Subscriptions automatically renew for additional periods equal to the expiring Subscription Term or one year (whichever is longer), unless either Party gives the other notice of non-renewal at least 90 days before the end of the relevant Subscription Term. |
|
The Agreement can be terminated for cause at any time upon 30 days written notice. |
3. Termination for Cause Either Party can terminate the Agreement for cause at any time, in particular: a. upon 30 days written notice to the other Party of a material breach if such breach remains uncured at the expiration of such period; or b. if the assets of the other Party become the subject of a petition in bankruptcy or any other similar proceeding. |
|
4. Refund or Payment upon Termination Upon Termination for Cause by Customer, Adverity refunds prepaid Fees covering the remainder of the Term after the Effective Date of Termination. Upon Termination for Cause by Adverity, Customer must pay unpaid Fees covering the remainder of the Term of all Commercial Agreements after the Effective Date of Termination. Termination never exempts Customer from paying Fees incurred before Termination. |
|
|
5. Return of Customer Data For 30 days after Termination, Customer Data remains in the SaaS. After 30 days, Adverity will delete Customer Data and destroy any corresponding documents under its control unless required by law to keep the data. |
|
|
6. Surviving Provisions Sections III (Fees and Payment), IV.4 (Refund or Payment upon Termination), IV.5 (Return of Customer Data), IV.6 (Surviving Provisions), V (Intellectual Proprietary Rights), VI (Warranties), VII (Indemnification), VIII (Liability), X (Mutual Confidentiality Clauses) and XI (Miscellaneous) continue in effect after termination or expiration of this MSA. |
Legal Matters
|
Our MSA in plain language |
Talk legal to me - here is the full text of our MSA |
V. Intellectual Property Rights
|
The SaaS and any improvements to the SaaS belong to Adverity. |
1. Adverity IP Adverity reserves all rights, title, and interest in and to the SaaS, including all related intellectual property rights. |
|
Customer Data and reports generated from Customer Data belong to Customer. |
2. Customer IP Customer owns Customer Data, including all reports, statistics, and other data to the extent generated solely from Customer Data, and all intellectual property rights therein. Notwithstanding the foregoing, Adverity shall have the right to collect and use Customer Data in relation to the provision of the Services to Customer, including in order to improve and enhance the Services. |
|
Adverity can acknowledge Customer in lists (incl. website and press releases) as a customer. Adverity can use Customer's trademarks for the provision of Services. |
3. Publicity; Trademarks During the Term, Adverity may include the name and logo of the Customer in lists (including on its website and press releases) of customers per Customers' standard logo and/or trademark usage guidelines. In addition, Adverity may use the trademarks and trade names of Customer solely in connection with its authorized provision of the Services. Except as set forth herein, neither Party may use the trademarks and trade names of the other Party without the prior written consent of the other Party. |
VI. Warranties
|
1. Representations Each Party represents that it has validly entered into this MSA and has the legal power to do so, that the signatory of the Commercial Agreement that references this MSA has the authority to bind the applicable organization, and the Agreement constitutes the legal, valid, and binding obligation of each Party, enforceable under its terms. |
|
|
Adverity promises that the Services work as Adverity says they will, and there is no Malicious Code in the Services. |
2. Adverity Warranties Adverity warrants that: a. the SaaS shall perform materially following the Documentation and as outlined in the Commercial Agreement; and b. Adverity will not transmit Malicious Code to Customer, provided that Adverity is not in breach of this subpart b. if Customer uploads a file containing Malicious Code into the SaaS and later downloads that file containing Malicious Code. For any breach of a warranty above, Customer’s exclusive remedy shall be as provided in Sections IV.3, IV.4, and IV.5 above. |
|
Customer promises that the data they give Adverity is legit and Customer is not going to do anything illegal with the SaaS. |
3. Customer Warranties Customer represents and warrants that: a. Customer Data shall not infringe on any copyright, patent, trade secret, or other proprietary right held by any third party; and |
|
The reports generated by the SaaS are based on the data Customer provides, and it’s for Customer’s reference only. If Customer makes any business decision based on the reports, they are still responsible for their own decisions. |
4. Disclaimer a. Any (optimization) recommendations, suggestions, or forecasts created by the SaaS and based on the data provided by Customer are not guaranteed to be correct. Adverity makes no warranties or representations, express, implied, or otherwise regarding the accuracy, completeness, or performance of the provided information. Customer acknowledges that Adverity cannot be held liable at any time for any losses due to decisions or transactions made based on this information. b. Except as expressly provided in this MSA, Adverity makes no representations, warranties, terms, conditions, or statements, express or implied, statutory or otherwise regarding any matter, including the merchantability, suitability, or fitness for a particular use or purpose, or that the operations of the SaaS will be uninterrupted or error-free. c. Customer acknowledges that their purchases are not dependent on future features or functionality and are not influenced by any public statements, written or oral, made by Adverity regarding future features or functionality. |
VII. Indemnification
|
Adverity indemnifies Customer for infringement or misappropriation of a third party’s IP by the SaaS. |
1. Indemnification by Adverity Adverity shall defend Customer against any claim, demand, suit, or proceeding made or brought against Customer by a third party alleging that the use of the SaaS as permitted hereunder infringes or misappropriates the intellectual property rights of a third party (a “Claim Against Customer”), and shall indemnify Customer for any damages, attorneys’ fees and other costs finally awarded against Customer as a result of, and for amounts paid by Customer under a court-approved settlement of, a Claim Against Customer; provided that Customer: a. promptly gives Adverity written notice of the Claim Against Customer; b. gives Adverity sole control of the defense or settlement of the Claim Against Customer (provided that Adverity may not settle any Claim Against Customer unless the settlement unconditionally releases Customer of all liability); and c. provides to Adverity reasonable assistance, at Adverity’s expense. If Adverity receives information regarding an infringement, misappropriation, or other claim, Adverity may in Adverity’s discretion, and at no cost to Customer i. modify the SaaS, so that they no longer infringe, misappropriate, or give rise to any other claim, without breaching Adverity’s warranties under Section VI. above; ii. obtain a license for Customer’s continued use of the SaaS under this MSA; or iii. terminate Customer’s Subscriptions for the SaaS upon 30 days written notice and refund to Customer any prepaid Fees covering the remainder of the Term of the terminated Subscriptions. Adverity shall have no obligation to indemnify Customer to the extent any Claim Against Customer arises from Customer’s breach of the terms of the Agreement. |
|
Customer indemnifies Adverity for infringement of third-party IP or violation of the law resulting out of the use of Customer Data or misuse of the SaaS. |
2. Indemnification by Customer Customer shall defend Adverity against any claim, demand, suit or proceeding made or brought against Adverity by a third party alleging that Customer Data, or Customer’s use of the Services in breach of this MSA, infringes or misappropriates the intellectual property rights of a third party or violates applicable law (a “Claim Against Adverity”), and shall indemnify Adverity for any damages, attorneys’ fees and other costs finally awarded against Adverity as a result of, or for any amounts paid by Adverity under a court-approved settlement of, a Claim Against Adverity; provided that Adverity: a. promptly gives Customer written notice of the Claim Against Adverity; b. gives Customer sole control of the defense or settlement of the Claim Against Adverity (provided that Customer may not settle any Claim Against Adverity unless the settlement unconditionally releases Adverity of all liability); and c. provide to Customer all reasonable assistance, at Customer’s expense. |
|
3. Exclusive Remedy This Section VII. defines the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against, the other Party for any type of claim described in this Section. |
VIII. Liability
|
Adverity limits its liability to (1) the total of fees you have paid to us in the previous 12 months or (2) EUR 50,000, whichever is higher.
Adverity is not liable for indirect damages or loss of Data that Customer could have prevented. |
1. Limitation of Liability a. General Limitation of Liability: In case of material or pecuniary damages caused by not more than ordinary negligence, Adverity and its assistants shall only be liable for breaches of essential contractual obligations, but limited to an amount of damages which could have been anticipated upon signing and which are typical for the contract. b. Limitation of Amount of Liability: Irrespective of Section VIII.1.a., Adverity's total liability in any contract year under this MSA is limited to the Fees paid by Customer in the preceding 12 months or 50,000 EUR/GBP/USD, whichever is higher. c. Indirect Damages: Adverity is not liable for indirect, consequential damages, or loss of profit. |
|
2. Application of Limitations of Liability The limitations contained in Section VIII.1. do not apply to: a. contractual guarantees; b. damages caused by intentional or gross negligence; c. damages to life or limb; d. either Party’s liability for fraud, fraudulent misrepresentation, or any other liability not excludable or limitable by law. |
|
|
3. Loss of Data Adverity shall not be liable for any loss of, or damage to, data or programs to the extent that such loss or damage would have been avoided or mitigated by adequate preventative measures of Customer. |
|
|
4. Application of Direct Claims These limitations also apply to direct damage claims against Adverity's employees or representatives. |
|
|
Adverity is adequately covered by insurance. |
5. Insurance Adverity undertakes to maintain adequate insurance cover for potential liability claims that may arise under or in connection with the Agreement. |
IX. Subcontractors
|
Adverity may engage subcontractors while providing Services to the Customer either with Customer’s consent or a written Agreement safeguarding Customer Data. |
Adverity may use subcontractors to perform the Services if: a. Customer agrees in advance; or, b. Adverity has a written Agreement with the subcontractor to protect Customer and Customer Data to the same extent as required by Adverity. Adverity will disclose such subcontractors to Customer upon request. Adverity is responsible for the subcontractor's actions as if Adverity performed the Services. |
X. Mutual Confidentiality Clauses
|
This confidentiality section includes a customary definition of Confidential Information, encompassing typical exceptions. |
1. Definition of Confidential Information a. “Confidential Information” means all information disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”) that reasonably should be understood to be confidential. Customer Confidential Information shall include Customer Data; Adverity Confidential Information shall include the SaaS; and Confidential Information of each Party shall include the terms and conditions of this MSA and all Commercial Agreements. b. Confidential Information also includes: i. technical and business information of any kind, regardless of whether such information is designated as “Confidential Information” at the time of its disclosure; ii. any SaaS or product-related information of Adverity Platforms as well as data transferred via the Platforms. c. Confidential Information shall not include any information that: i. is in possession of the Receiving Party prior to receipt from the Disclosing Party; ii. is or becomes publicly known, otherwise than as a consequence of a breach of this MSA; iii. is developed independently by the Receiving Party; iv. is disclosed by the Receiving Party to satisfy a legal demand by a competent court of law or governmental body or by any applicable regulatory authority or security exchange; or v. is disclosed to a third party pursuant to written authorization from the Disclosing Party. |
|
Both parties commit to safeguarding the Confidential Information of the other Party as if it were their own, restricting access to a need-to-know basis and to achieve the purpose of this Agreement. |
2. Protection of Confidential Information The Receiving Party: a. shall use the same degree of care that it uses to protect the confidentiality of its own Confidential Information (but in no event less than reasonable care); b. will not disclose, utilize, employ, exploit, or in any other manner use the Confidential Information disclosed by the Disclosing Party for any reason or purpose other than to fulfill its (pre-contractual) obligations arising out of cooperation between the Parties; c. except as otherwise authorized by the Disclosing Party in writing, to limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees, contractors, and agents who need such access for purposes consistent with this MSA and who have signed agreements with the Receiving Party containing protections no less stringent than those herein. Neither Party shall disclose the terms of this MSA or any Commercial Agreement to any third party, other than its Affiliates and their legal counsel and accountants, without the other Party’s prior written consent. The obligations under Section X. of each of the Parties shall continue, even if the contractual relationship between them has ended, without any restriction. Regarding the end of the contractual relationship, reference is made to Section X.5 below. |
|
Compelled disclosure is explicitly excluded. |
3. Compelled Disclosure The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information. |
|
4. Unintentional Disclosure and Remedies a. If the Receiving Party discloses Confidential Information in violation of the Terms of this Section X., the Disclosing Party shall be promptly notified of such disclosure in writing after such disclosure. b. The Parties each expressly agree that due to the unique nature of the Disclosing Party’s Confidential Information, monetary damages may be inadequate to compensate the Disclosing Party for any breach by the Receiving Party of its covenants and Agreements outlined in this Section X. Accordingly, the Parties each agree and acknowledge that any such violation or threatened violation shall cause irreparable injury to the Disclosing Party and that, in addition to any other remedies that may be available, in law, in equity, or otherwise, the Disclosing Party shall be entitled to seek injunctive relief against the threatened breach of this Section X. or the continuation of any such breach by the Receiving Party. c. Each Party warrants that it has the right to disclose all Confidential Information that it discloses to the other Party. Each Party will indemnify and defend the other from all third-party claims resulting from the negligent or wrongful disclosure by the indemnifying Party of a third party’s Confidential Information. |
|
|
At the request of the Disclosing Party, the Receiving Party will either return or destroy the Confidential Information. |
5. Request for Return The Disclosing Party may request in writing at any time that any Confidential Information disclosed to the Receiving Party be returned with a written statement to the effect that upon such return it has not retained in its possession or under its control, either directly or indirectly, any Confidential Information. The Receiving Party shall comply with any such request within thirty (30) days of receipt of such request. If the Receiving Party objects to such request for return, the Confidential Information shall be destroyed upon request by the Disclosing Party. In such case, the Receiving Party shall provide the Disclosing Party with a written statement under oath certifying that the respective Confidential Information has been destroyed. |
|
6. Proprietary Rights concerning Confidential Information Section V. shall apply mutatis mutandis. |
|
|
Additionally, upon request, the Receiving Party will furnish the Disclosing Party with a roster of personnel who have access to the Confidential Information. |
7. Right to Control The Receiving Party will provide the Disclosing Party upon request with a complete and updated list of those of its employees and professional advisors, agents, and consultants who are or will be provided with the Confidential Information. |
XI. Miscellaneous
|
All notices will be made in writing (email suffice). |
1. Notice Except as otherwise specified in this MSA, all notices hereunder shall be in writing (email suffice). If to Customer, billing-related notices to Customer shall be addressed to the relevant billing contact designated by Customer, and legal notices, such as notices of termination or an indemnifiable claim, to Customer shall be addressed to Customer. All other notices to Customer shall be addressed to the relevant Administrator designated by Customer. |
|
2. Relationship of the Parties The Parties are independent contractors. This MSA does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between them. |
|
|
Governing law will be Austrian law with forum in Vienna, Austria. |
3. Agreement to Governing Law and Jurisdiction This MSA and the Commercial Agreement are governed by Austrian law (without regard to its conflict of law rules and to CISG), and disputes are resolved in the courts of Vienna, Austria, except for dunning proceedings and cases with mandatory statutory venues. |
|
Adverity complies with all relevant export control and anti-corruption laws. |
4. Export Control The SaaS may be subject to export control laws. Both Parties confirm they are not on any US government or EU denied-party list. Customer must not use the SaaS or permit Users to access the SaaS in US- or EU-embargoed countries or in violation of export control laws. |
|
5. Anti-Corruption Adverity commits to complying with all applicable laws, including anti-corruption laws. No illegal bribes, kickbacks, or gifts have been offered to Customer in connection with this MSA. |
|
|
6. No Third-Party Beneficiaries There are no third-party beneficiaries to this MSA. |
|
|
7. Waiver No failure or delay in exercising any right under this MSA constitutes a waiver of that right. |
|
|
8. Severability Clause If any provision of this MSA is or becomes invalid, the other clauses remain unaffected. The Parties will replace the invalid provision with one that aligns with their original intent. This also applies if there is an unintentional contractual gap. |
|
|
Customer can assign this Agreement to another entity with Adverity’s consent. This is important for data protection purposes. |
9. Assignment Customer can assign its rights or obligations with Adverity's written consent, which shall not be unreasonably withheld. Adverity may assign this Agreement in its entirety without consent to its Affiliate or as part of a merger, acquisition, reorganization, or sale of assets not involving a direct competitor of the other Party. |
|
This MSA, the Commercial Agreement, and the DPA cover the entire Agreement between the Parties. |
10. Entire Agreement This MSA and connected Commercial Agreements and DPA constitute the entire Agreement regarding Customer's use of the Services, replacing all prior Agreements, written or oral. The application of any terms and conditions of Customer deviating from or exceeding these provisions is excluded. This applies even if Adverity accepts a Commercial Agreement which refers to the terms and conditions of Customer and/or the terms and conditions of Customer are attached to the Commercial Agreements, even if Adverity does not explicitly contradict such terms and conditions of Customer. |
|
11. Amendments No changes to this MSA are effective unless made in writing. |
|
|
12. Written Form Statements that must be in writing can be transmitted as scanned, personally signed documents by fax or email attachment, or digitally signed using a system such as DocuSign or the like. Either Party may subsequently request a personally signed paper document. |
|
|
13. Order of Precedence In the event of any conflicts between the Commercial Agreement and this MSA, the Commercial Agreement prevails unless required by law. |
XII. Definitions
|
Document Information |
|
|
Document Owner |
VP Legal & Compliance |
|
Version |
V3.0 |
|
Date of Version |
2024-05-09 |
View outdated Master Subscription Agreements
v2.0 (2020-06-01)
v2.1 (2021-04-26)
v2.2 (2021-06-22)
v2.3 (2021-10-08)
v2.4 (2022-09-02)
v2.5 (2023-01-23)
v2.6 (2023-09-11)
Data Processing Agreement
THIS DATA PROCESSING AGREEMENT (“DPA”) (in the version dated 2024.05.09) GOVERNS THE DATA PROCESSING OPERATIONS BETWEEN THE CUSTOMER (“DATA CONTROLLER”) AND ADVERITY GMBH (“DATA PROCESSOR”) WITH COMPANY REGISTRATION NUMBER 448481 g. BY ENTERING A COMMERCIAL AGREEMENT THAT REFERENCES THIS DPA, THE CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS DPA.
Table of Contents
Data Controller's Processing Instructions
Data Processor's Processing Obligations
I. Background
II. Processing of Personal Data
III. Sub-processors
IV. Transfer to Third Countries
V. Security of Processing
VI. Audit Rights
VII. Indemnification
VIII. Term
IX. Notices
X. Measures Upon Completion of Processing Personal Data
XI. Definitions
XII. Final provisions
Appendix I - Technical and Organizational Measures (TOMs)
Data Controller's Processing Instructions
|
Purposes |
Provide access to and enable the use of the Data Processor’s Software-as-a-Service (SaaS) and additional services as agreed between the Data Controller and the Data Processor. |
|
Categories of Personal Data to be Processed by Default (If the Data Controller intends to process other categories of Personal Data with the Data Processor’s SaaS, the Data Controller must notify the Data Processor and an additional agreement must be concluded.) |
|
|
Special Categories of Personal Data (If the Data Controller instructs the Data Processor to process special categories of Personal Data on its behalf, the Data Controller shall ensure that all legal requirements for the processing of such special categories of Personal Data by the Data Processor (esp. those outlined in art. 9 (2) GDPR) are met at all times.) |
The Data Controller does not intend to and will not instruct the Data Processor to process any special categories of Personal Data. |
|
Data Subjects by Default (If the Data Controller intends to process Personal Data of additional Data Subjects with the Data Processor’s SaaS, the Data Controller must notify the Data Processor and an additional agreement must be concluded.) |
|
|
Processing Operations |
Collect, store, and process data to enable access to and use of the Data Processor’s SaaS. |
|
Sub-processor(s) |
Applicable in case of SaaS hosting by Data Processor:
If the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data with the SaaS, the following Sub-processor is mutually agreed between the Parties:
Applicable in case of SaaS hosting by Data Controller: If the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data with the SaaS, the following Sub-processor is mutually agreed between the Parties:
|
|
Location of Processing Operations |
Applicable in case of SaaS hosting by Data Processor:
At the request of the Data Controller, the specific location will be communicated to the Data Controller. Applicable in case of SaaS hosting by Data Controller:
|
Data Processor's Processing Obligations
|
Our DPA in plain language |
Talk legal to me - here is the full text of our DPA |
I. Background
|
As provided under the Commercial Agreement, the Data Processor will process certain Personal Data while providing services to the Data Controller. This DPA will govern the Data Processor’s data processing activities. |
1. Within the scope and for the performance of the services defined in the Commercial Agreement, the Data Processor will process certain Personal Data on behalf of the Data Controller. |
II. Processing of Personal Data
|
The Data Processor will comply with all relevant requirements under Applicable Data Protection Legislation while following the Data Controller’s instructions, including assisting the Data Controller in meeting legal obligations, refraining from actions that could breach Applicable Data Protection Legislation, and promptly notifying the Data Controller of any relevant communications or requests received from competent authorities.
The Parties will update “Data Controller’s Processing Instructions” to reflect any changes if needed. |
1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors, and persons acting under the Sub-processor’s authority) undertake to only process Personal Data as instructed in writing by the Data Controller (see the “Data Controller’s Processing Instructions” above). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation.
The Data Processor shall not carry out or omit any act that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable it to respond to such request, complaint, message, or other communication following Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements, or press releases in the event of a breach of data protection as defined in Section XI. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately unless prohibited by law. |
III. Sub-processors
|
The Data Controller authorizes the Data Processor to engage Sub-processors to operate under the Data Controller's instructions. If the Data Processor intends to make changes to the current list outlined in the "Data Controller’s Processing Instructions”, it will notify the Data Controller in advance and the Data Controller can object within 8 weeks. |
1. The Data Controller authorizes the Data Processor to engage Sub-processors. All Sub-processors authorized by the Data Controller are acting under the authority and subject to direct instructions of the Data Controller. A list of the current Sub-processors is set out in the “Data Controller’s Processing Instructions” for the purposes specified therein. The Data Processor shall notify the Data Controller in writing in advance of any changes, in particular before engaging other Sub-processors in which event the Data Processor shall without undue delay and no less than 8 weeks before transferring any Personal Data to a Sub-processor, inform the Data Controller in writing of the identity of such Sub-processor as well as the purpose for which it will be engaged. 2. The Data Controller at its discretion may object with good cause to any such changes within 8 weeks after the Data Processor’s notice. 3. The Data Processor shall impose by written agreement, which includes an electronic form, on all Sub-processors processing Personal Data under this DPA (including inter alia its agents, intermediaries, and sub-contractors) the same obligations as apply to the Data Processor, in particular the obligations defined in Section III.1 (especially the procedure of notification to Data Controller and Data Controller’s right to issue direct instructions to Sub-processors) and Section III.2 of this DPA. |
IV. Transfer to Third Countries
|
The Data Processor must obtain prior written consent from the Data Controller before transferring Personal Data outside the EU/EEA. Further, it will ensure compliance with Applicable Data Protection Legislation and incorporate the European Commission's Standard Contractual Clauses for adequate protection. |
1. The location(s) of intended or actual processing of Personal Data is set out in the “Data Controller’s Processing Instructions”. The Data Processor must not transfer or otherwise directly or indirectly disclose Personal Data outside the European Economic Area (“EU/EEA”) without the prior written consent of the Data Controller (which may be refused or granted at its discretion) and ensure that the level of protection of Data Subjects guaranteed by the GDPR and as outlined in this DPA is not undermined. Unless otherwise agreed between the Parties, adequate protection in the receiving country shall be secured through an agreement incorporating the European Commission’s Standard Contractual Clauses. 2. If the Data Controller is located in a country, which is not a member of the EU/EEA and in case no Adequacy Decisions exist, the Standard Contractual Clauses (Module 4: Processor-to-Controller) shall apply to the transfer of Personal Data between the Data Processor and Data Controller and incorporated into this DPA by reference, and can be shared with the Data Controller upon request. |
V. Security of Processing
|
The Data Processor ensures the security of Personal Data through specified technical and organizational measures (see Appendix 1). Further, the Data Processor will notify the Data Controller of any security incidents, restrict access to authorized personnel bound by confidentiality obligations, and appoint a designated contact person for data protection matters without undue delay. |
1. The Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for Personal Data and shall continuously review and improve the effectiveness of its security measures (See Appendix 1 hereunder). The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful loss, alteration, or access. The Personal Data shall also be protected against all other forms of unlawful processing. With regard to the state of the art and the costs of implementation and taking into account the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the technical and organizational measures to be implemented by the Data Processor shall include, as appropriate: a. the pseudonymization and encryption of Personal Data; 2. The Data Processor shall without undue delay notify the Data Controller of any Personal Data Breach after becoming aware of such incidents. The notification shall be in written form and shall at least: a. describe the nature of the Personal Data Breach including where possible, the categories and the approximate number of Data Subjects concerned and the categories and the approximate number of Personal Data records concerned; b. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; d. describe the measures taken or proposed to be taken by the Data Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and 3. The Data Processor shall provide reasonable assistance requested by the Data Controller for the Data Controller to investigate the Personal Data Breach and notify the Data Protection Authorities and/or the Data Subjects as required by Applicable Data Protection Legislation. 4. The Data Processor shall at its own expense immediately take necessary measures to restore and/or reconstruct Personal Data that has been lost, damaged, destroyed, or corrupted as a result of any Personal Data Breach. 5. The Data Processor shall not disclose or otherwise make the Personal Data processed under this DPA available to any third party, without the Data Controller’s prior written approval. For clarity, if the Data Processor is required by applicable laws and regulations to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, section II.5 shall apply. 6. The Data Processor shall ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data to fulfill the Data Processor’s obligations under this DPA and the Commercial Agreement. The Data Processor shall ensure that such personnel (whether employees or others engaged by the Data Processor): a. has the necessary knowledge of and training in the Applicable Data Protection Legislation to perform the contracted services; and b. is bound by a confidentiality obligation concerning the Personal Data to the same extent as the Data Processor under this DPA. 7. The Data Processor shall ensure that this confidentiality obligation extends beyond the termination of employment contracts, Sub-processor contracts, service contracts, or the termination of this DPA. This confidentiality obligation shall remain in force after the expiry or termination of the DPA. 8. The Data Processor appoints the following person as a contact point for data protection matters: Mr. Michael Pilz (dpo@adverity.com). |
VI. Audit Rights
|
The Data Processor grants the Data Controller (or an external auditor of the Data Controller’s choice) the right to conduct audits on data protection and security to ensure compliance with this DPA and relevant data protection laws, and will provide all necessary information and assistance to demonstrate compliance. |
1. The Data Processor shall allow the Data Controller or an external auditor appointed by the Data Controller to conduct audits, investigations, and inspections on data protection and/or data security (“audit”) to ensure that the Data Processor or Sub-processors comply with the obligations under this DPA and Applicable Data Protection Legislation and that the Data Processor or Sub-processors have undertaken the required measures to ensure such compliance. 2. The Data Processor makes available all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Legislation and assists the Data Controller in the performance of audits. |
VII. Indemnification
|
The Data Processor is responsible for indemnifying the Data Controller against claims from third parties arising from breaches caused by the Data Processor's intentional or grossly negligent actions under this DPA up to the fees paid by the Data Controller in the 12 months preceding the incident, except for willful intent, personal injuries, or death. |
The Data Processor shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (Data Subjects in particular) make claims against the Data Controller on the grounds of an infringement of their rights or of data protection law where such infringement is caused by actions of the Data Processor in intentional or grossly negligent violation of this DPA. The obligation to indemnify is – except in cases of willful intent or concerning personal injuries or death – capped with the amount of fees paid by the Data Controller in the 12 months immediately before the infringing incidence. |
VIII. Term
|
This DPA is in effect as long as the Data Processor handles Personal Data on behalf of the Data Controller. |
1. This DPA shall remain in force as long as the Data Processor processes Personal Data on behalf of the Data Controller. 2. The Data Controller may terminate the Agreement without notice as a result of a breach of the obligations under this DPA by the Data Processor or one of its Sub-processors. |
IX. Notices
|
In addition to other notice obligations provided hereunder, in case the Data Processor determines that any instruction to process data of the Data Controller violates Applicable Data Protection Legislation or substantial provisions of this DPA (including technical and organizational measures), it will immediately inform the Data Controller thereof. |
X. Measures Upon Completion of Processing of Personal Data
|
Personal data will be deleted or returned after contract fulfillment unless storage is required by law. Written notice of measures taken can be provided to the Data Controller upon request. |
1. Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same unless otherwise required by applicable law. When returning the Personal Data, the Data Processor shall provide the Data Controller with all necessary assistance. 2. Upon request by the Data Controller, the Data Processor shall provide written notice of the measures taken by itself or its Sub-processors concerning the deletion or return of the Personal Data upon the completion of the processing. |
XI. Definitions
|
For clarification purposes, the GDPR definitions of the relevant terms are used. |
All terms used in this DPA are to be understood following the EU General Data Protection Regulation ((EU) 2016/679 “GDPR”), unless otherwise expressly agreed. The following terms and expressions in this DPA shall have the meaning set out below: “Adequacy Decision” means a formal decision made by the EU Commission that recognizes that another country, territory, sector, or international organization provides an equivalent level of protection for personal data as the EU does. “Applicable Data Protection Legislation” means any national or internationally binding data protection laws or regulations (including but not limited to the GDPR and the Austrian Data Protection Act (“DSG”)) including any requirements, guidelines, and recommendations of the competent data protection authorities applicable at any time during the term of this DPA to, as the case may be, the Data Controller or the Data Processor. “Data Controller” means the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data under this DPA. “Data Processing Agreement” (or “DPA”) refers to this agreement which governs the data processing operations between the Data Controller and the Data Processor. “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller under this DPA. “EU/EEA” means European Union and/or European Economic Area. “Personal Data” means any information relating to an identified or identifiable living, natural person (“Data Subject”). “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Software-as-a-Service” (or “SaaS”) shall have the meaning as defined in Section I. of Adverity’s Master Subscription Agreement. “Standard Contractual Clauses” mean standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). “Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of the Data Processor. |
XII. Final Provisions
|
In the event of a conflict with additional agreements, this DPA shall prevail regarding Personal Data processing, and be governed by Austrian law, with disputes subject to the jurisdiction of the Data Processor's registered seat; ineffective provisions will be replaced. |
1. If the Data Controller and the Data Processor have entered into additional agreements in conflict with this DPA, the provisions of this DPA regarding the processing of Personal Data shall take priority, except where such provision is included in the Commercial Agreement to supplement this DPA. All other conflicting provisions shall be governed by the provisions of the Commercial Agreement. 2. This DPA is governed by the law of the Republic of Austria to the exclusion of the conflict law rules under private international law and the UN Convention on the International Sale of Goods. In the event of all disputes arising from a contract – including disputes about its existence or non-existence – the courts with subject-matter jurisdiction at the registered seat of the Data Processor shall be the exclusive forum. 3. The plain language descriptions in this DPA are for reference purposes only, and shall not in any way define, limit, or extend the scope of this DPA. If a provision or parts of a provision in this DPA is or becomes ineffective under applicable legislation, this will not affect the effectiveness and validity of the remaining provisions. The contracting parties will replace it with a provision which, in terms of content, is as close as possible to the ineffective provision. |
Appendix 1 – Technical and Organizational Measures (“TOMs”)
The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing.
|
General Description of Measures |
Description of Measures Implemented |
|
Physical Access and Environmental Control Suitable physical security and environmental controls are in place and designed to protect, control, and restrict physical access for systems and servers |
Used hosting providers comply with:
|
|
Logical Access Control (systems) Preventing data processing systems from being used without authorization |
|
|
Access Control (data) Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization |
|
|
Transmission Control Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data |
|
|
Input Control Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed |
|
|
Job Control Ensuring that the Personal Data is processed exclusively in accordance with the instructions |
|
|
Availability Control Ensuring that Personal Data is protected from accidental destruction and loss |
Used hosting provider comply with:
Additional managed by Data Processor:
|
|
Separation Control Ensuring that data collected for different purposes can be processed separately |
|
|
Document Information |
|
|
Document Owner |
VP Legal & Compliance |
|
Version |
V6.0 |
|
Date of Version |
2024-05-09 |
View outdated Data Processing Agreements
v2.0 (2020-06-01)
v2.1 (2020-12-11)
v3.0 (2021-04-26)
v4.0 (2021-10-08)
v4.1 (2022-02-18)
v4.2 (2022-04-07)
v4.3 (2022-09-02)
v5.0 (2023-01-23)
v5.1 (2023-04-21)
v5.2 (2023-10-16)