Stage Exec Limited (T/A PromptPad) Terms & Conditions of Service
Thank you for choosing PromptPad.
The Terms & Conditions of Service below, together with our Services Order Form, set out the terms and conditions on which PromptPad, the Provider, provides its subscription software services and professional services to the Client. Please afford this document due consideration.
Definitions
"Account" means an account enabling a Client User to access and use the Hosted Services (including accounts for different types of Client Administrative User with various access privileges);
"Affiliate" means an entity that Controls or is Controlled by, or is under common Control with a relevant entity;
"Agreement" means the agreement between the Provider and the Client for the provision of our Services, comprising one or more Services Order Forms, these Terms & Conditions of Service, and their respective annexes and schedules;
"Business Day" means any weekday other than a bank or public holiday in Republic of Ireland andUK;
"Business Hours" means the hours of 09:00 to 17:00 GMT/BST on a Business Day;
"CCN" means a change control notice issued in accordance with Clause 10;
"CCN Consideration Period" means the period of 10 Business Days following the receipt by a party of the relevant CCN from the other party;
"Change" means any change to the scope of the Services;
"Charges" means all of the amounts specified in the relevant Services Order Form for the Services;
"Client" means the person, organisation or group identified as such on the Services Order Form;
"Client Administrative User" means any and all persons, whether or not employees of the Client, authorised by the Client to use the Platform and/or Hosted Services via an Account;
"Client Content" means all content (including information, data, articles, documents, presentations, pictures, images, videos, audio visual works, brochures , other informational materials and any comments) provided to the Provider by the Client in connection with the Services; uploaded to or stored on the Platform by the Client; transmitted by the Platform at the instigation of the Client; supplied by the Client to the Provider for uploading to, transmission by or storage on the Platform; or generated by the Platform as a result of the use of the Hosted Services by the Client; "Client Indemnity Event" has the meaning given to it in Clause 17.5;
"Client Personal Data" means any Personal Data that is processed by the Provider as a processor on behalf of the Client in the course of providing the Services, as described more fully in Schedule 6 (Data processing information);
"Client Systems" means the hardware and software systems of the Client that interact with, or may reasonably be expected to interact with, the Hosted Services;
"Confidential Information" means:
any information disclosed directly or indirectly by one party (the "disclosing party") to the other party (the "recipient") at any time before the termination of the Agreement (whether disclosed in writing, orally or otherwise) that at the time of disclosure:
- was marked or described as 'confidential'; or
should have been reasonably understood by the recipient to be confidential; and
the Client Content (which shall be the Confidential Information of the Client; and
the terms of the Agreement (which shall be the Confidential Information of the Provider);
"Control" means the legal power to control (directly or indirectly) the management of an entity (and "Controlled" should be construed accordingly);
"Created App(s)" means any mobile software application(s) created by the Client using the Hosted Services, with or without assistance from the Provider;
"Customization" means a customization of the Hosted Services by the Provider for the Client, whether made through the development, configuration or integration of software or otherwise;
"Data Protection Laws" means all laws under GDPR (EU) 2016/679. applicable to the control and processing of Client Personal Data under the Agreement with the Client;
"Designated Point of Contact" means the individual representative appointed by each party as set out in Clause 7.1 to be responsible for ensuring that its obligations under the Agreement are performed properly and for communicating with the other party in relation to the Agreement;
"Documentation" means the documentation for the Hosted Services produced by the Provider for the Client, including any relevant App Scope and Build Configuration documentation;
"Effective Date" means: (i) in the case of an online Services Order Form, the date on which the Client submitted the Services Order Form; (ii) in the case of a hard-copy Services Order Form, the date expressed on the Services Order Form as the "Agreement Effective Date";
"End User" means any and all persons and organisations who create a PromptPad Account that use a Created App as an end user by downloading it, which may be the personnel and/or customers of the Client and/or any other categories of person;
"Expenses" means any travel, accommodation and subsistence expenses that are incurred by the Provider exclusively in connection with, the performance of the Provider's obligations under it's Agreement with the Client;
"Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
"Hosted Services" means: (i) the provision of the Platform to enable the Client to build, publish and edit/update Created Apps; (ii) such Platform being made available by the Provider to the Client as a subscription service via the Internet; and (iii) the provision of such additional software service packs or modules, again as a subscription service via the internet, as may be specified in the relevant Services Order Form;
"Hosted Services Defect" means a defect, error or bug in the Platform having an adverse effect on the appearance, operation, functionality or performance of the Hosted Services, but excluding any defect, error or bug caused by or arising as a result of:
any act or omission of the Client or any User;
any use of the Platform or Hosted Services contrary to the Documentation, whether by the Client or by any User;
a failure of the Client to perform or observe any of its obligations in the Agreement; and/or
an incompatibility between the Platform or Hosted Services and any other system, network, application, program, hardware or software not specified as compatible in the Hosted Services Specification.
"Hosted Services Specification" means the specifications or descriptions for the Platform and Hosted Services set out in the Services Order Form and relevant Documentation;
"Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registrable or un-registrable, registered or unregistered, including any application or right of application for such rights (and these "intellectual property rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs);
"Maintenance Services" means the general maintenance of the Platform, Hardware, Software and Hosted Services, and the application of Updates and Upgrades;
"Maintenance SLA" means the document delivered or made available to the Client setting out the service levels for the Maintenance Services, as amended by the Provider from time to time, the current version of which is set out at Schedule 2;
"Permitted Purpose" means the building of Created Apps on Supported Mobile Operating Systems and Devices to support the internal business purposes of the Client during the Term.
"Personal Data" has the meaning given to it in accordance with GDPR
"Platform" means the software platform developed and managed by the Provider and used by it to provide the Hosted Services, including the application and database software for the Hosted Services (including the content management system), the system and server software used to provide the Hosted Services, and the computer hardware on which that application, database, system and server software is installed;
"Professional Services" means professional services to be provided by the Provider to the Client, such as customization or configuration of the Platform, the development of Customizations, set-up or on-boarding services to enable the Client to access the Hosted Services, training or consultancy, design services and/or the provision of user support not included within the Support Services;
"Provider" means, Stage Exec. Limited (T/A PromptPad), a company incorporated in Ireland (registration number XXXXXXX) having its registered office at XXXXXXXXXXXXXXX;
"Provider Indemnity Event" has the meaning given to it in Clause 15.4;
"Services" means the Software Services and the Professional Services, as described in the applicable Services Order Form;
"Services Order Form" means: (i) an online order form published by the Provider and completed and submitted by the Client; or (ii) a hard-copy order form signed or otherwise agreed by or on behalf of each party, in each case incorporating these Terms of Service by reference and specifying the particular Services to be provided;
"Software Licence Term" means either an Initial Software Licence Term or a Software Licence Renewal Term (in each case as defined in Clause Error! Reference source not found.) during which the Software Services are supplied to the Client by the Provider;
"Software Services" means the provision of: (i) the Hosted Services, (ii) the Maintenance Services; and (iii) the Support Services;
"Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection adopted by the European Commission pursuant to Commission Decision 2010/87/EU, completed with processing detail relevant to the provision of the Services as set out in Schedule 7 but excluding the optional illustrative indemnification clause;
"Support Description" means the support offering referred to in the Services Order Form;
"Support Services" means support in relation to the use of, and the identification and resolution of errors in, the Hosted Services, but shall not include the provision of training or consultancy services;
"Supported Web Browser" means the specific web browsers, and releases thereof, that the Provider agrees shall be supported, and listed on the Provider’s website and updated from time to time by the Provider;
"Supported Mobile Operating Systems and Devices" means specific mobile operating systems and mobile devices that the Provider agrees shall be supported, as listed on the Provider’s website and updated from time to time by the Provider;
"Support SLA" means the document delivered or made available to the Client setting out the service levels for the Support Services, as amended by the Provider from time to time, the current version of which is set out at Schedule 4;
"Term" means the term of the Agreement as defined in Clause Error! Reference source not found.;
"Update" means a hotfix, patch or minor version update to any Platform software;
"Upgrade" means a major version upgrade of any Platform software; and
"User" means a Client Administrative Users or an End Users.
- that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and
- any subordinate legislation made under that statute or statutory provision.
- provide the Hosted Services to the Client in accordance with this Clause Error! Reference source not found.;
- provide the Maintenance Services to the Client in accordance with the Maintenance SLA; and
- provide the Support Services to the Client in accordance with the applicable Support Description, or if no Support Description is specified in the relevant Services Order Form, in accordance with the Support SLA,
- the Client must not sub-license its right to access and use the Hosted Services;
- the Client must not permit any unauthorized person to access or use the Hosted Services;
- the Client must not use the Hosted Services to provide services to third-parties;
- the Client must not republish or redistribute any content or material from the Hosted Services; and
- the Client must not make any alteration to the Platform.
- in any way that is unlawful, illegal, fraudulent or harmful; or
- in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.
- not attempt to duplicate, modify or distribute any portion of the Platform;
- not reverse engineer, decompile, disassemble, or adapt any portion of the Platform, except as specifically permitted by the Agreement and/or applicable law;
- not attempt to obtain, or assist others in obtaining, unauthorised access to the Platform;
- not remove any proprietary notices from the Platform; and
- abide by all local and international laws and regulations applicable to the Client’s use of the Platform.
- each Client Administrative User, and any other person using the Hosted Services with the authority of the Client, uses the Platform and Hosted Services in accordance with the licence terms and prohibitions set out in this Clause Error! Reference source not found. and the Client’s obligations under the Agreement relating to use of the Platform and Hosted Services;
- End Users do not use the Platform or Hosted Services, unless the Provider has granted prior written consent; and each End User is provided with, agrees to and complies with suitable terms of use for the Created Apps.
Professional Services
- the description, scope, and estimate of times for performance of the Professional Services, together with the specification for any particular deliverables;
- the parties’ respective obligations and responsibilities in relation to the Professional Services to be provided (and in particular any dependencies to be provided by the Client, such as access to its premises, systems or personnel);
- the Charges payable by the Client for the Professional Services together with a schedule of invoicing and payment details;
- any assumptions on which Charges, specifications or timings are based;
- any specific provisions which will be applicable to the Services Order Form and which deviate from the standard position set out in these Terms of Service (for example, any particular treatment of the ownership and exploitation of Intellectual Property Rights).
- use reasonable endeavours to meet any agreed time-table;
- perform the Professional Services with reasonable skill and care using suitably skilled personnel;
- comply with the Client’s internal policies and procedures relating to activities conducted at the Client’s premises, provided such policies and procedures have been provided to the Provider in advance and are referred to in the relevant Services Order Form; and
- take reasonable steps to keep the Client appraised of the progress of the Professional Services and of any delays which are reasonably anticipated by the Provider.
- all Intellectual Property Rights in the Customisation shall, as between the parties, be the exclusive property of the Provider;
- the Customisation shall form part of the Platform (and the Client's rights to use the Customization shall be governed by Clause Error! Reference source not found.).
Client obligations
- co-operation, support and advice;
- Client Content and other information as may reasonably be required by the Provider for the purpose of performance of the relevant Services;
- governmental, legal and regulatory licenses, consents and permits, as are reasonably necessary to enable the Provider to perform its obligations under the Agreement
- the Provider will be relieved from the performance of its obligations to the extent they are prevented or delayed as a result; and
- if as a result the Provider incurs additional time or costs in performing the Services, the Provider may invoice the Client for any additional time agreed in writing at its standard rates and/or for the relevant costs at the same time as the Provider next invoices the Client for any Charges payable under the Agreement.
Client Systems
Client Content
No assignment of Intellectual Property Rights
Governance and Management
- may treat all such instructions as the fully authorized instructions of the Provider; and
- may decline to comply with any other instructions in relation to that subject matter.
- may treat all such instructions as the fully authorized instructions of the Client; and
- may decline to comply with any other instructions from someone other than the Client’s Designated Point of Contact in relation to that subject matter.
Change Control
- accept the CCN, in which case that party must countersign the CCN and return it to the other party before the end of the CCN Consideration Period;
- reject the CCN, in which case that party must inform the other party of this rejection before the end of the CCN Consideration Period; or
- issue an amended CCN to the other party before the end of the CCN Consideration
Charges
Expenses
Payments
Confidentiality Obligations
- keep the Confidential Information strictly confidential;
- not disclose the Confidential Information to any person without the disclosing party’s prior written consent;
- use the same degree of care to protect the confidentiality of the Confidential Information as the recipient uses to protect its own confidential information of a similar nature, being a reasonable degree of care
- act in good faith at all times in relation to the Confidential Information; and
- not use the Confidential Information for any purpose other than performance of the recipient’s obligations and exercise of the recipient’s rights under the Agreement.
- is known to the recipient before disclosure under the Agreement and is not subject to any other obligation of confidentiality
- is or becomes publicly known through no act or default of the recipient; or
- is obtained by the recipient from a third party in circumstances where the recipient has no reason to believe that there has been a breach of an obligation of confidentiality.
Publicity
Data protection
- the Standard Contractual Clauses are hereby incorporated into the Agreement by reference, with Appendices 1 and 2 deemed to be completed with the processing detail relevant to the provision of the Services as set out in Schedule 6;
- the Client agrees to be bound by the Standard Contractual Clauses as the data exporter and comply with the obligations applicable to the data exporter under the Standard Contractual Clauses;
- the Provider agrees to be bound by the Standard Contractual Clauses as the data importer and comply with the obligations applicable to the data importer under the Standard Contractual Clauses;
- the Client acknowledges and agrees that the authorisation to engage third party processors granted pursuant to Clause 14.8 above shall constitute the Client's prior written consent to sub-processing for the purposes of clauses 5(h) and 11(1) of the Standard Contractual Clauses and that the Provider’s compliance with its obligations under Clause 14.8 above shall constitute compliance with its obligations under clauses 5(h) and 11(1) of the Standard Contractual Clauses in respect of obtaining the Client's prior written consent to sub-processing;
Warranties
- each party has the legal right and authority to enter into the Agreement and to perform its obligations under the Agreement; and
- each party will comply with all applicable legal and regulatory requirements applying to the exercise of the party’s rights and the fulfilment of the party’s obligations under the Agreement.
- modify the Hosted Services in such a way that they no longer infringe the relevant Intellectual Property Rights; or
- procure for the Client the right to use the Hosted Services in accordance with the Agreement, provided that, if neither (a) nor (b) is possible, the Client may terminate the Agreement by giving written notice to the Provider and the Provider shall promptly refund all Charges for Services not provided as a result of such termination and/or Provider Indemnity Event.
Acknowledgements and warranty limitations
Indemnities
- upon becoming aware of an actual or potential Client or Provider Indemnity Event (as applicable), notify the indemnifying party; (b) provide to the indemnifying party all such assistance as may be reasonably requested by the indemnifying party in relation to the Indemnity Event;
- allow the indemnifying party the exclusive conduct of all disputes, proceedings, negotiations and settlements with third parties relating to the Indemnity Event (provided that the indemnifying party shall not agree any settlement that would have a material adverse effect on the indemnified party without the prior written consent of the indemnified party); and
- not admit liability to any third party about the Indemnity Event or settle any disputes or proceedings involving a third party and relating to the Indemnity Event without the prior written consent of the indemnifying party,and the indemnifying party’s obligations to indemnify the indemnified party under this Clause 17 shall not apply unless the indemnified party complies with the requirements of this Clause 17.3.
Limitations and exclusions of liability
- limit or exclude any liability for death or personal injury resulting from negligence;
- limit or exclude any liability for fraud or fraudulent misrepresentation;
- limit any liabilities in any way that is not permitted under applicable law;
- or exclude any liabilities that may not be excluded under applicable law.
- are subject to Clause 18.1; and
- govern all liabilities arising under the Agreement or relating to the subject matter of the Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in the Agreement.
- £1,000; and
- an amount equal to 150% of the total amount paid and payable by the Client to the Provider under the Agreement in the 12 months period immediately preceding the event or events giving rise to the claim.
Force Majeure Event
- promptly notify the other; and
- inform the other of the period for which it is estimated that such failure or delay will continue.
Termination
- the other party commits any material breach of the Agreement, and the breach is not remediable;
- the other party commits a material breach of the Agreement, and the breach is remediable but the other party fails to remedy the breach within the period of 30 days following the giving of a written notice to the other party requiring the breach to be remedied; or
- the other party persistently breaches the Agreement (irrespective of whether such breaches collectively constitute a material breach);
- the other party is dissolved, ceases to conduct all (or substantially all) of its business, is or becomes unable to pay its debts as they fall due, is or becomes insolvent or is declared Insolvent or convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;
- an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;
- an order is made for the winding up of the other party, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganization where the resulting entity will assume all the obligations of the other party under the Agreement); or
- that other party is an individual and dies, becomes incapable of managing his or her own affairs as a result of illness or incapacity or is the subject of a bankruptcy petition or order.
- any amount due to be paid by the Client to the Provider under the Agreement is unpaid by the due date and remains unpaid upon the date that that written notice of termination is given (except where such amounts are the subject of a bona fide dispute between the parties that is being negotiated in good faith); and
- the Provider has given to the Client at least 30 days' written notice, following the failure to pay, of its intention to terminate the Agreement in accordance with this Clause 20.4.
Effects of termination
- any and all licenses granted by the Provider to the Client will terminate with immediate effect;
- Client Content will no longer be retained in the Platform and/or any Created App (save to the extent that the Provider is obliged to retain the same by operation of any law or regulatory body or to the extent that the parties agree in writing to an extended retention period).
- the Client must pay to the Provider any Charges in respect of Services provided to the Client before the termination of the Agreement; and
- the Provider must refund to the Client any Charges paid by the Client to the Provider in respect of Services that were to be provided to the Client after the termination of the Agreement.
Non-solicitation of personnel
Notices
- notices sent to the Provider must be addressed to the Provider’s Designated Point of Contact using the email or postal address of the Designated Point of Contact or the Provider’s postal address, in either case as shown on the relevant Services Order Form;
- notices sent to the Client must be addressed to the Client’s Designated Point of Contact using the email or postal address of the Designated Point of Contact shown on the relevant Services Order Form.
- at the time of the sending of the email (providing that the sending party retains written evidence that the email has been sent);
- in the case of notices sent by post, 48 hours after posting.
Subcontracting
Assignment
No waivers
Severability
Third party rights
Variation
Entire agreement
Law and jurisdiction
Dispute resolution
Schedule 1 (Availability SLA)
Introduction to availability SLA
Availability
Exceptions
- a Force Majeure Event;
- a fault or failure of the internet or any public telecommunications network;
- a fault or failure of the Client's computer systems or networks;
- any breach by the Client of the Agreement; or
- scheduled maintenance of up to 4 hours per month carried out in accordance with the Agreement.
Schedule 2 (Maintenance SLA)
Introduction
Scheduled Maintenance Services
Updates
- third party security Updates shall be applied to the Platform promptly following release by the relevant third party, providing that the Provider may acting reasonably decide not to apply any particular third-party security Update;
- the Provider's security Updates shall be applied to the Platform promptly following the identification of the relevant security risk and the completion of the testing of the relevant Update; and
- other Updates shall be applied to the Platform in accordance with any timetable notified by the Provider to the Client or agreed by the parties from time to time.
Upgrades
Schedule 3 (Support SLA)
Introduction
Helpdesk
Response and resolution
- critical: the Hosted Services are inoperable or a core function of the Hosted Services is unavailable;
- serious: a core function of the Hosted Services is significantly impaired;
- moderate: a core function of the Hosted Services is impaired, where the impairment does not constitute a serious issue; or a non-core function of the Hosted Services is significantly impaired; and
- minor: any impairment of the Hosted Services not falling into the above categories; and any cosmetic issue affecting the Hosted Services.
- critical: 2 Business Hours;
- serious: 4 Business Hours;
- moderate: 1 Business Day; and
- minor: 5 Business Days.
- critical: 4 Business Hours;
- serious: 8 Business Hours;
- moderate: 4 Business Days; and
- minor: 10 Business Days or by agreement (typically next release of the Platform).
Provision of Support Services
Limitations on Support Services
- the improper use of the Hosted Services by the Client; or
- any alteration to the Hosted Services made without the prior consent of the Provider.
- any modifications made by or on behalf of the Client by any person other than the Provider:
- minor defects which do not significantly affect or impair the use of the Platform;
- any incorrect or improper use of the Platform, or any use of the Platform for any purpose for which it was not designed;
- an issue has been reported only on devices which are not currently supported by the Provider
- the Client has prevented the Provider from performing required maintenance and update tasks;
- the failure by the Client to implement recommendations in respect of any solutions to faults previously advised by the Provider; or
- in a situation where the Client is in breach of its contract with the Provider for any reason (e.g. late payment of fees).
Schedule 4 (Form of CCN)
Introduction
Title of Change: [insert title]
CCN number: [insert number]
Change proposed by: [insert individual name(s)]
Date of issue of CCN: [insert date]
Summary details of proposed Change: [insert details]
Change details
[Insert full details of proposed Chance]
Impact of Change
Impact upon resources: [insert details]
Impact upon timetable: [insert details]
Impact upon Charges: [insert details]
Other effects of Change: [insert details]
Agreement to Change
The parties have indicated their acceptance of the Change described in this CCN by signing below
SIGNED BY [[individual name] on [...............], the Provider / [individual name] on [...............], duly authorized for and on behalf of the Provider]:....................
SIGNED BY [[individual name] on [...............], the Client / [individual name] on [...............], duly authorized for and on behalf of the Client]:....................
Schedule 5 (Data Processing Information)
Categories of data subject
- End Users
- Anyone else to whom any Personal Data contained within Client Content accessible via the Created App(s) relate
Types of Personal Data
The types of Personal Data comprised in the Client Personal Data depends largely on the nature of the relevant Created App and the Client’s use of the relevant Created App.
Usernames and passwords for End Users are required to enable End Users to access and use the Created App, so will always form part of Client Personal Data.
The Client may also choose to collect or upload the following types of Personal Data using the Hosted Services:
- contact details: emails and phone numbers
- role
- postal business addresses
- unique identifiers relating to End User devices (to the extent that the Client has opted to use push notification tools and End Users have opted to allow notifications)
- tracking/analytics/usage data relating to End Users (to the extent that the Client has opted to use usage statistics tools)
- any other types of Personal Data that the Client chooses to collect from End Users via the Created App(s) or that may be contained within Client Content accessible via the Created App(s)
Purposes of processing
To provide the Services that the Client has requested the Provider to provide in the Agreement, which may include:
- enabling the Client to use the Created Apps in accordance with the Agreement
- enabling End Users to access content on the Created Apps
- enabling End Users to access other Client systems where the Platform acts as a portal and to authenticate End Users onto other software of the Client
- enabling the Client to send push notifications relating to the Created App(s) to End Users (where the Client has opted to use push notification tools and where the End User has opted to allow notifications)
- enabling the Client to collect usage statistics relating to the Created App(s) (where the Client has opted to use usage statistics tools)
Security measures for Personal Data
The Provider is ISO27001 accredited, meaning that the Provider implements the security measures required in order to achieve such accreditation.
The Platform is subject to regular penetration testing by an external body to ensure it has an appropriate level of control against intrusion.
The Platform meets and exceeds the L1 Mobile Application Security Verification Standard (MASVS).
Sub-processors of Personal Data
The Provider uses the following category of third-party processors in connection with the processing of Client Personal Data:
- Platform hosting service provider is XXXXXXXXXXXXXXXX
Transfers outside the European Economic Area
The Client authorises transfers of Client Personal Data to the Provider and the subprocessors authorised by the Client pursuant to Clause 14.8.
The Client’s use of any of the third-party tools made available via the Hosted Services may involve transfers of Client Personal Data outside the EEA. Use of these third-party tools is governed by legal agreements directly between the Client and the providers of the third-party tools and subject to the privacy notices made available by the providers of the third-party tools. Any transfers of Client Personal Data that occur as a result of the Client’s use of the third-party tools will be deemed to be made by the Client to the provider of the third-party tools. However, if any such transfers are routed via the Hosted Services and/or if any such transfers occur as a result of the Provider assisting the Client in using the third party tools in connection with the provision of the Services, the Client agrees that the Provider may transfer Client Personal Data as reasonably necessary to enable the Client to use the third party tools via the Hosted Services or to enable the Provider to assist the Client in using the third party tools in connection with the provision of the Services.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
Data exporter
The data exporter is a client of the data importer, who has purchased various software-related services from the data importer under a contract for the supply of services (the “Agreement”).
Data importer
The data importer is a provider of a communications platform, hosted subscription software services and related professional services that enable its clients to create mobile apps to connect, communicate and engage with their workforces and provide access to company-wide information.
Data subjects
The personal data transferred concern the following categories of data subjects:
- any and all persons that use the data exporter’s mobile app as an end user by downloading it, which may be the personnel and/or customers of the data exporter and/or any other category of person, depending on the intended user audience for the data exporter’s mobile app (“End Users”)
- anyone else to whom any personal data contained within content accessible via the data exporter’s mobile app relate
Categories of data
The personal data transferred concern the following categories of data:
The types of personal data transferred depends largely on the nature of the data exporter’s mobile app and the data exporter’s use of its mobile app.
Usernames and passwords for End Users are required to enable End Users to access and use the data exporter’s mobile app, so will always form part of the transferred personal data.
The data exporter may also choose to collect or upload the following types of personal data using the data importer’s platform and software services:
- contact details: emails and phone numbers
- role
- postal business addresses
- unique identifiers relating to End User devices (to the extent that the data exporter has opted to use push notification tools and End Users have opted to allow notifications)
- tracking/analytics/usage data relating to End Users (to the extent that the data exporter has opted to use usage statistics tools)
- any other types of personal data that the data exporter chooses to collect from End Users via the data exporter’s mobile app or that may be contained within content accessible via the data exporter’s mobile app
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
It is not expected that the transferred personal data will contain any special categories of data.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
The transferred personal data will be processed by the data importer in order to provide the services that the data exporter has requested the data importer to provide in the Agreement, which may include:
- enabling the data exporter to use the data exporter’s mobile app in accordance with the Agreement
- enabling End Users to access content on the data exporter’s mobile app
- enabling End Users to access other data exporter systems where the data importer’s platform acts as a portal and to authenticate End Users onto other software of the data exporter
- enabling the data exporter to send push notifications relating to the data exporter’s mobile app to End Users (where the data exporter has opted to use push notification tools and where the End User has opted to allow notifications)
- enabling the data exporter to collect usage statistics relating to the data exporter’s mobile app (where the data exporter has opted to use usage statistics tools)
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The data importer is ISO27001 accredited, meaning that the data importer implements the security measures required in order to achieve such accreditation.
The data importer’s platform is subject to regular penetration testing by an external body to ensure it has an appropriate level of control against intrusion.
The data importer’s platform meets and exceeds the L1 Mobile Application Security Verification Standard (MASVS).