Terms and conditions
1.1. For the purpose of these Terms and Conditions, the following capitalized terms shall have the meaning assigned to them below:
Documentation Includes, but is not limited to, (where applicable) guides, manuals, materials, and any information appropriate or necessary for use of Responsum.
Responsum Means the compliancy/accountability software tool, developed and owned by Provider, for privacy, security, data management and related services which are specified in Annex 1. This shall include software tools, published specifications and Documentation, as well as any future, updated, improved or otherwise modified version(s) of Responsum delivered by Provider (in its sole discretion) to Customer.
2. License and scope
2.1. As of the Effective Date and subject to the terms of this Agreement, Provider hereby grants to the Customer for the duration stipulated in the Quote a well-defined, non-transferable, non-exclusive, worldwide, revocable right to access and use Responsum and, in so far as necessary for the normal use of Responsum pursuant to this Agreement, the Annexes attached hereto, the IP Rights, and in any case limited to the Scope (as defined and set forth in this Article).
The scope of this License is limited to internal compliancy/accountability management with respect to privacy, security & data management within the normal course of Customer’s Business; when using Responsum, Customer shall respect this Agreement, all applicable laws and regulations including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), as well as any applicable subsequent or implementing legislation or terms concerning GDPR (all applicable laws, rules and regulations hereinafter: “Applicable Data Protection Law”), hereinafter referred to as the “Scope”.
2.2. Except to the extent expressly permitted in this Agreement or required by law on a non-excludable basis, the license granted by the Provider to the Customer under clause 2.1. is subject to the following prohibitions:
a) The Customer shall not be entitled to sublicense its right to access and use Responsum;
b) Responsum may only be used by the officers, employees, agents and subcontractors of the Customer.
c) Responsum must not be used at any point in time by more than the number of concurrent users specified in the Quote, providing that the Customer may add or remove concurrent user licences upon request.
d) The License shall not extend to companies related to or associated with the Customer. Any extension of the License to companies belonging to the same group as the Customer, shall be subject of an extension of the License at financial terms to be agreed upon. Further, any expanded use of Responsum over and above the use as agreed pursuant to this License and as defined in the Quote, shall be subject to a specific agreement with the Provider.
e) The Customer does not have the right to the Provider’s profiling algorithms but only seeks to obtain a right of use of Responsum. Provider shall ensure that these algorithms shall be held up to date at all times.
f) The License does not include the right for Customer to incorporate the software into other software, applications, systems, websites and other products or to link the software to other products.
g) Except for the prior written approval of the Provider, the Customer shall not use Responsum and - where applicable - the IP Rights outside the Scope. Activities falling outside the Scope include, but are not limited to, any form of commercial exploitation of Responsum, mentioning Responsum in marketing materials and/or any other use of Responsum on behalf of, or, for third parties. Likewise, Customer shall not provide its Responsum User Account or Employee Account information (including but not limited to authorized user name(s), password(s) or other relevant information for access) to another, external or any other not-authorized user for any reason including, without limitation, in order for such other user to access any features of Responsum.
2.3. The Customer shall use reasonable endeavours, including reasonable security measures relating to User- and Employee Account access details, to ensure that no unauthorised person may gain access to Responsum using a User- and/or Employee Account.
2.4. Nothing in this License Agreement nor any commercial relationship between the Parties is intended or shall be deemed to constitute a partnership, agency, franchise or a joint venture relationship between the Parties.
2.5. The use of specific modules of Responsum shall be operated on the basis of a “credit” system. These credits in your credit wallet (determined per authorized user of Customer for the duration of the Agreement) can be used for e.g. enrolling an Employee Account into an e-learning course. The number of credits required for specific modules of Responsum is set out in the Responsum application. The Quote sets out the number of credits included in the License package. When the credits available in the initial package have been used, additional credits can be purchased by the Customer at a pre-determined price per credit. Credits purchased by the Customer are non-refundable and will be valid for the duration of the Agreement.
3. Specific obligations and warranties
3.1. On the part of the Provider
3.1.1. The License under this Agreement and Responsum are delivered to the Customer without any express, explicit or implicit warranty except as explicitly provided in this Agreement or as may be required by applicable law.
In particular, the Provider does not provide any warranty relating to Responsum being fit for a particular use or being sufficient or adequate to address the purpose of Responsum for Customer’s Business, or to the economic profitability of the exploitation by Customer of Responsum.
3.1.2. The Provider shall make available Responsum to the Customer in the most recent and workable version and warrants that the tool will, throughout the life of the License, function substantially as set out in Annex 1, subject to any maintenance, updates/upgrades, improvements or modifications that may be required to be implemented by the Provider from time to time and which may reasonably require a certain downtime or limitation of use. The Provider shall use all reasonable endeavours to maintain the availability of Responsum to the Customer, but does not guarantee 100% availability and will not guarantee a higher level of availability than is provided by its hosting partners. The Provider warrants that it will spend all reasonable efforts to solve any technical or other errors that would impact the due functioning of the tool, as soon as reasonably possible. In case of a detected issue or outage, report can be made to firstname.lastname@example.org. If an outage is detected or reported, the Provider will take reasonable efforts to contact the Customer of this outage if the outage would exceed a duration of 1 hour. The Provider shall be free to determine the method to correct or bypass any potential errors. Any downtime or limitation of use resulting from the need for Provider to correct any technical errors, shall never entitle the Customer to a claim for damage or loss.
3.1.3. The Provider is released from any warranty in relation to Responsum to the extent that an error is attributable to circumstances for which it is not responsible, such as in particular, but not limited to (i) unauthorised interventions into the tool by the Customer, (ii) operating errors by the Customer or its Representatives, or (iii) influences of systems or programs not supplied by the Provider.
The Provider warrants that, to the best of its knowledge, it owns all rights, titles and interests to Responsum (including the IP Rights). Should it appear that certain IP Rights that have been or are being used for the development and/or operation of Responsum belong to third parties, the Provider shall undertake its best efforts to acquire sufficient rights in such (underlying) intellectual property rights in connection with Responsum for the purpose of providing a valid License under this Agreement. In the event that, despite all efforts made, the Provider is not able to obtain sufficient rights on any relevant third party intellectual property in the framework of Responsum, the Provider shall use all reasonable endeavours to amend or otherwise modify Responsum so as to allow the use of the tool without infringement on third party intellectual property rights. If such attempt is not successful, each Party shall be entitled to terminate the License with immediate effect without any termination compensation or indemnification being due to the other Party, as set out in Article 8.3 (iii).
If legal action is taken by third parties against the Customer on the grounds of breach or alleged breach by the Provider on third party intellectual property rights, then the Customer shall inform the Provider without undue delay and shall enable the Provider to intervene in the legal proceedings, as the case may be, as an interested party and/or to take the lead in conducting defence. In this respect, the Provider and the Customer shall communicate in good faith any information which may be useful or necessary for conducting the defence. Should any liability of the Provider be established in the framework of these legal proceedings, the Provider shall compensate the Customer for the damages suffered, including reasonable legal fees, subject always, however, to the limitations set out in Article 3.5.
3.1.5. The entire liability of the Provider under or in connection with this Agreement whether in contract, tort or otherwise, shall at all times be limited in aggregate to an amount equal to the insurance cover provided, or if no insurance cover is provided, to an amount equal to 50% of all license fees paid by the Customer to the Provider prior to the occurrence of the damage.
In no event shall the Provider be liable to the Customer, except as explicitly stated otherwise in this Agreement, for (i) loss or damage incurred by the other as a result of third party claims, or (ii) incidental, indirect or consequential damage, loss of profit, goodwill, data, business opportunity or anticipated savings.
Nothing in this Agreement shall operate to exclude or restrict Provider’s liability in the event of wilful misconduct or fraud.
3.2. On the part of the Customer
b) The Customer shall not use Responsum as a Data Repository/Directory. All files uploaded to the system are to be considered as a secondary source of data. The licensee remains responsible for management of the data in its systems and thus for the provision of an authentic source of its data.
c) The Customer shall not use Responsum in any way that is unlawful, illegal, fraudulent or harmful or in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.
d) The Customer shall not use Responsum and shall not create Customer applications, for the purpose of “spamming.” Provider reserves the right, in its sole discretion, to determine what actions constitute “spamming”.
e) The Provider does not provide for an interface; if Customer wishes to make use of links within Responsum, Customer remains responsible for updating those links.
f) The Customer shall not use the licensed materials in any manner that does or could potentially undermine or harm the security or operating of Responsum or any other services of the Provider, or that could in any way be detrimental to the image, reputation or any other material or non-material interests of the Provider. In addition, Customer shall not interfere with, modify or disable any features, functionality or security controls of Responsum or any other services of the Provider. The Customer should also not try to defeat, avoid, bypass, remove, deactivate or otherwise circumvent any protection mechanisms for Responsum or any other services or materials of Provider, or reverse engineer, decompile, disassemble or derive source code, underlying ideas, algorithms, structure or organizational form from Provider’s services, products or any parts or components thereof.
g) Customer will immediately report to the Provider (i) any technical errors experienced by the Customer in using Responsum via email@example.com and (ii) any security flaws the Customer discovers in Responsum or in any other Provider’s services or materials. The Provider reserves the right, in its sole discretion, to determine what constitutes a security flaw. The Customer will also immediately report any actual or suspected unauthorized access to Responsum using Customer’s User Account or Employee Account credentials. Failure to report such flaws or unauthorized access, particularly prior to public disclosure, will be considered a material breach of this Agreement. The Customer will provide appropriate and reasonable support to the Provider in analysing the causes and conditions of any program or functional error and/or of any security flaws.
h) The Customer will comply with any other limitations reasonably imposed by the Provider on the use of Responsum and will at all times uphold a general due care standard. The Customer will respect the letter and the spirit of the programmatic limitations of Responsum and the restrictions of this Agreement. For example, the Customer shall refrain from working around or circumventing any explicit or implicit Responsum limitations.
i) Provider holds the right to temporarily block the Customer’s access to Responsum in case of abuse.
3.2.2. Specific terms regarding phishing simulations
a) The Customer gives the Provider the approval to carry out phishing simulations against all email addresses and mobile phone numbers as inserted by the Customer (User Accounts) in Responsum, for the duration of the License in accordance with this Agreement. The Provider agrees that all the inserted domains are fully under the Customer’s control and ownership. The Customer confirms that he has got sufficient authority to approve phishing simulations and that he is authorized to and will safeguard the Provider against any accusations that would condemn this approval. The Customer acknowledges that every specific simulation will be presented first for validation and that the Customer will test and approve every phishing scenario before it is being executed. To the greatest extent permitted by applicable law, the Provider can never be held responsible for direct or indirect damage of the Customer or third parties as a consequence of this phishing simulation. The Customer will safeguard the Provider against all types of Customer or third party claims, whether direct or indirect claims, as a consequence of an executed phishing simulation via Responsum.
b) The Customer warrants to respect all third-party rights and is solely responsible for the opted phishing scenario. The Customer acknowledges that only logos and images of fictitious companies can be used in the phishing scenario or template and is solely responsible for including logos, images or any other references (directly or indirectly) to existing companies or companies reasonably known to be established in the near future.
3.2.3. Audit, insurance and liability
3.2.4. The Customer shall take out sufficient insurances to cover any risks associated with the use of Responsum.
3.2.5. The Provider cannot be held liable in any way with regard to any and all damages, suits or proceedings, losses, expenses or (legal) costs incurred or suffered by the Customer as a result of the use of Responsum by the Customer (except in relation to alleged breach by Responsum on third party intellectual property rights, as set out in Article 3.4). The Customer shall compensate and hold harmless the Provider in respect of any and all damages, suits or proceedings, losses, expenses or (legal) costs incurred or suffered by the Provider as a result of use of Responsum and (if applicable) the IP Rights by Customer or any security flaws in the Customer’s environment.
4. Modifications & alterations
4.1. The Customer acknowledges and agrees that the Provider may modify or alter these Terms and Conditions, and/or the Responsum application from time to time – e.g. based on insights gained during the course of this Agreement, or, based on insights that the Provider has gained through other activities (each a “Modification”).
4.2. Modifications consisting of “updates” to Responsum can comprise qualitative textual modifications to Responsum, e.g. wording of the questions or certain items within Responsum, qualitative functional updates to Responsum applications which may impact usability, as well as quantitative adaptions. Updates to Responsum are at the exclusive authority and privilege of the Provider.
4.3. The Provider will not make use of the Customer’s data in the system for other purposes than providing the services mentioned under this Agreement.
4.4. The Customer will be notified of a Modification through notifications or posts on the Provider website or through a form of direct communication from Provider to Customer.
4.5. If the Customer does not accept a Modification to the Terms and Conditions, it shall notify the Provider within 15 calendar days. The Parties shall try to reach an agreement in good faith. In case of failure to reach an agreement on the Modification to the Terms and Conditions proposed, the Customer shall be entitled to terminate the Agreement by respecting the one month notice period. Any license fees already paid for the running license period shall, however, not be refunded.
4.6. The Customer acknowledges that a Modification of Responsum may have an adverse effect on its functionality. The Provider shall have no liability of any kind to the Customer or any user of Responsum with respect to such Modifications or any adverse effects resulting from such Modifications to the extent that they do not materially affect the basic functionality as defined under this Agreement. Customer’s continued access to or use of Responsum shall constitute a binding acceptance of the Modification(s).
5.1. The Provider and its third party subcontractors/licensors own and retain all IP Rights in and to the Responsum application and other related services, this includes but is not limited to the frameworks it has been built on, and/or any corrections, bug fixes, enhancements, updates, improvements, or modifications thereto and Licensee hereby irrevocably transfers, conveys and assigns to the Provider and its third party subcontractors/licensors all of its right, title, and interest therein. The Provider and its third party subcontractor/licensor shall have the exclusive right to apply for or register any patents, mask work rights, copyrights, and such other proprietary protections with respect thereto. The Customer acknowledges that the License granted under this Agreement does not provide it with any title or ownership to Responsum or the frameworks it has been built on, but only a right of limited use under the terms and conditions of this Agreement.
6. Subscription Fee
6.1. As consideration for the License granted herein, the Customer agrees to pay to the Provider a subscription fee as determined in the Quote. Any subscription fee paid shall not be refundable. All fee amounts mentioned in the Quote, unless otherwise stated, do not include any value added tax or other taxes, which, if required by law, shall be added to the amount due and which shall be payable by the Customer to the Provider. Where applicable, the Customer shall be responsible for payment of all federal, state or local import, usage, value added, withholding or other taxes or duties associated with the supply or use of Responsum or which may be levied or based on the use of Responsum. If the Provider is required to pay any such taxes or fees related to the License, the Customer agrees to promptly reimburse Provider for any such taxes or duties payable by Provider.
6.2. The subscription fee set out in the Quote includes the number of credits available to the Customer to make use of specific modules of Responsum, such as online learning. Additional credits beyond the credits awarded as part of the license package can be purchased from the Provider upon request. The price per credit is specified in the Quote.
6.3. The Customer shall pay the subscription fee and any additional credit purchases, as the case may be, in accordance with the payment terms set out in Article 7.
7.1. All payments must be made in EURO in immediately available funds and net of any bank charges.
7.2. Unless otherwise provided in a Quote, all payments must be made no later than 30 calendar days from the Invoice Date. Any late payment by the Customer will be subject to a late payment interest by force of law and without the need for prior notice, calculated as from the day after the due date and at an interest rate of 10% per year. In the event that the Provider is compelled to start collection proceedings, an additional penalty equalling 10% on the principal amount outstanding, shall be payable by the Customer to the Provider.
7.3. If the Customer is delinquent on a payment of fees for fifteen (15) days or more, the Provider may suspend its access to Responsum. Complaints concerning invoices must be made in writing within thirty (30) days from the date of the invoice. Invoices will be sent by electronic delivery unless requested otherwise by the Customer.
8. Free trial, upgrading and downgrading terms
8.1. Subscriptions to the Services may begin with a free trial period during which the Customer can try out the Services of Responsum for 30 days from the date of registration (‘Free Trial Period’). When the Free Trial Period has ended, the Customer will only be able to continue using the Services by upgrading to a paid subscription plan. If the Customer does subscribe to a paid subscription plan, access to the Services will be blocked until an upgrade to a paid subscription plan is made.
8.2. Any upgrade or downgrade in plan level will result in the new rate being charged as from the next billing cycle. There will be no prorating for downgrades in between billing cycles.
8.3. Downgrading your subscription plan may cause the loss of features, loss of prior inputted information in certain parts of Responsum or the number of licenses for access to Responsum (User Accounts). The Provider does not accept any liability for such loss.
9. Support
9.1. The Provider will provide the Customer with Documentation regarding Responsum. This Documentation is to be considered by the Customer as its primary support tool.
9.2. In addition, the Provider will make available its e-mail based support services for Responsum in order to assist in troubleshooting and answering questions of a specific nature regarding Responsum. These support services will always be provided from within the EEA. For the purpose of soliciting support from the Provider, the Customer shall appoint within its organisation one person of contact (and one replacement person of contact in the event that the primary person of contact is not available). All support queries and answers shall be channelled through the Customer’s person of contact. The Customer, in turn, represented by its appointed person of contact, as the case may be, shall provide all support and/or technical assistance to its proper end-users regarding the use of Responsum (including any issues related to the content of the tool). For the avoidance of doubt, the Provider shall not provide support and/or technical assistance directly to the Customer’s end users.
9.3. E-mail support can be requested by the Customer via firstname.lastname@example.org or the support form to be found in the tool. The Provider will use its best efforts to provide the Customer with the requested support within 5 business days. Support shall be delivered during normal business hours. Any specific support and service level beyond the standards set out above, may be the subject of specific terms and a support plan between the Parties, which shall then be added to this Agreement as a Quote.
9.4. In case of any issues with the system and only with the consent of the Customer, the Provider can make use of the Customer’s data in the system in order to reconstruct the problem and to be able to provide a suitable solution.
10. Term and termination
10.1. The Agreement enters into force as of the Effective Date. Unless a Party provides notice of termination at least three (3) months prior to the end of the initial term, the Agreement shall be automatically renewed for successive one year periods. As from the first renewal term, notice of termination can be given respecting a three months’ notice to be given by the end of the then current term.
10.2. The Customer may terminate the Agreement respecting the one month notice period in the event that, following a Modification of the terms of the Agreement by Provider, the Parties have failed to reach an amicable solution after the objection made by the Customer to the Provider in accordance with Article 4.4.
10.3. A Party may terminate this Agreement at any time with immediate effect, upon written notice to the other Party in the event that:
a) the other Party commits a material breach of any of its obligations under this Agreement which breach is not capable of remedy, or which, if capable of remedy, is not remedied within thirty days after receiving written notice thereof;
b) a competent court ruled that the IP Rights are infringing upon the intellectual property right of a third party and no work-around or license with the third party could be obtained by the Provider;
c) the other Party files a petition for bankruptcy or is otherwise insolvent and unable to pay its debts, enters into voluntary or judicial winding up and liquidation (except in the context of group restructuring or reorganisation where the activity is continued), applies for a judicial reorganisation or enters into a global arrangement with its creditors;
d) a Force Majeure invoked by a Party has continued for a period exceeding 1 month and the Parties have not been able to reach an equitable solution, as set forth in Article 11; or
e) the other Party ceases or threatens to cease to carry on its business.
Nothing in this Article shall prevent the Provider from seeking compensation for damage from the Customer in the event of breach by the Customer.
10.4. The Provider may terminate this Agreement at any time with immediate effect and without any termination compensation being due, upon written notice to the Customer in the event that a change of control occurs with respect to the Customer, meaning the direct or indirect change of ownership, i.e. the acquisition by a company, partnership or any other (legal) entity or a person of the Customer, whether by merger, consolidation, sale or otherwise, in one transaction or any related series of transactions, of control of the Customer, whereby control is defined as the (beneficial) ownership of any shares or other equity interest that represents fifty percent or more of the voting power of all such outstanding shares or equity interest of such company, partnership or any other (legal) entity.
10.5. Upon termination of this Agreement the Provider will return Customer’s data in a machine readable format. Customer considers this format being self-explanatory for people with a certain knowledge of the system. If additional explanation or support is required, this will be provided by the Provider at the rate determined in the Quote.
10.6. Upon termination of this Agreement, and without prejudice to any rights and remedies of Provider under applicable law, and except as otherwise provided herein, the Customer is no longer entitled to use Responsum and agrees to return to the Provider any Confidential Information in the Customer’s possession and shall provide - upon the first request of Provider - evidence of the disposal.
11. Data Protection & Privacy
11.1. In the execution of this Agreement, the Customer and the Provider will adhere to Applicable Data Protection Law.
11.2. Except for certain specific modules, Responsum has not been designed for the processing of personal data. Consequently, Responsum will not actively look for any personal data that might have been uploaded and the Customer will refrain from doing so. Nonetheless, Responsum has been set up in a manner compliant to the Applicable Data Protection Law.
11.3. In case Responsum has been installed on premise at the Customer, the Customer will be responsible for adhering to the Applicable Data Protection Law. Provider thus presumes that the measures taken to that end are considered by the Customer as being sufficient.
11.4. The Customer acknowledges to have received, read and understood the Privacy Statement of the Provider for the processing of the Customer’s Personal Data (including but not limited to processing for contract management or billing purposes).
11.5. Parties agree that the Customer shall comply with all obligations under Applicable Data Protection Law for the processing of personal data in its capacity of controller and, as the case may be, processor. Parties agree that the Provider acts as a data processor for the Customer in the context of the Services provided under this Agreement (i.e. the processing of personal data on behalf of the Customer in the context of Responsum); to this extent the Customer has entered into a Data Processing Agreement with the Provider as set forth in Annex 4.
12.1 Each Party agrees to maintain secret and confidential all Confidential Information that it may acquire from the other Party in the course of this Agreement.
12.2 The Parties may disclose such Confidential Information only to those of their Representatives who need to know such information in order to enable the respective Parties to perform their obligations under this Agreement.
12.3 Each Party shall ensure that all its Representatives who have access to any information of the other Party shall be made aware of and be subject to the same obligation of confidentiality.
12.4 If there is any unauthorized access to, disclosure or loss of, or inability to account for, any Confidential Information of the disclosing Party, the receiving Party will promptly (i) notify the disclosing Party; (ii) take such actions as may be necessary or reasonably requested by the disclosing Party to minimize the disclosure or loss; and (iii) cooperate in all reasonable respects with the disclosing Party to minimize the impact of the disclosure or loss and any damage resulting therefrom.
12.5 The Provider can disclose data stored in the system to the data protection authority or another judicial authority in context of an investigation. Data will only be disclosed upon the Customer’s consent, unless this is prevented by the secrecy of the investigation.
12.6 The provisions of this article 12 shall survive after the termination of this Agreement and continue for a period of 7 years after its termination.
13. Data storage and hosting
13.1. Responsum has adopted state of the art security controls and practices for the systems used for processing (personal) data, designed to protect the confidentiality, integrity and availability of the Customer’s content. However, zero day exploits are hard to detect. Therefore the Customer has the obligation to report to the Provider any potentially suspicious behavior of the system. Such reports can be made at any time via email@example.com.
13.2. Responsum servers are hosted in a data center operated by a vendor located within the EEA. Responsum maintains complete administrative control over the servers and no third parties have logical access to the Customer’s data. Only in the event of maintenance, updates and upgrades to the application or its dependencies, Customer data can be visible by third parties assisting in this process. With these third parties, agreements are in place to safeguard the confidentiality of any information that might be visible to this third party.
14.1. Force Majeure shall mean any unforeseeable event which is beyond the reasonable control of the Parties or any foreseeable occurrence of which the consequences may not be reasonably avoided and which arises after the date of signature of this Agreement and which prevents performance of this Agreement, in whole or in part, by either Party.
14.2. If an event of Force Majeure occurs, performance of the Parties’ obligations under this Agreement which are affected by the Force Majeure shall be suspended for the duration of the event of Force Majeure and the period of performance shall be automatically extended, without penalty, for a period equal to the suspension.
14.3. The Party claiming Force Majeure shall promptly inform the other Party to this effect in writing, explaining its reasons for doing so.
14.4. If an event of Force Majeure occurs, the Parties shall immediately consult with one another with a view to finding an equitable solution and shall use all reasonable efforts to minimise the consequence of the occurrence. If the conditions of Force Majeure prevail for more than 1 month and the Parties have been unable to reach an equitable solution, the other Party shall have the right, pursuant to Article 8.3 of this License Agreement, to terminate the License Agreement.
15. Full Agreement
This Agreement contains the entire agreement between the Parties in relation to its subject matter and replaces and supersedes all prior negotiations and agreements. This Agreement may only be amended by means of a written agreement signed by duly authorised representatives of the Parties.
The Customer may not assign its rights or obligations under this Agreement in whole or in part to any third party without the prior approval of the Provider.
Failure to claim a right or impose a penalty by either Party shall not be construed as a waiver of that right.
Notifications intended for the purposes of exercising rights and obligations arising from this Agreement shall be (i) in writing; (ii) delivered to the Parties at the address of their respective registered offices (unless changed by either Party upon written notice to the other Party); and (iii) effective upon receipt.
19. Conflict of terms
Except as otherwise explicitly provided in this Agreement or an Annex to this Agreement, in case of conflict or inconsistency between a provision in this Agreement and a provision in an Annex to this Agreement, the provision in the Annex shall prevail and control.
If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, that provision shall be modified by the Parties and interpreted so as to best accomplish the original provision to the fullest extent permitted by law; the other provisions will remain in full force.
21. Customer Reference
The customer acknowledges and accepts that RESPONSUM has the right to use the customer’s name and logo to identify the customer as a customer of RESPONSUM, on RESPONSUM’s website, marketing materials and other activities. Such activities may include but are not limited to: a customer user story completed by RESPONSUM upon implementation of the Software, and a reasonable number of reference calls by investors or market analysts.
22. Governing Law and Jurisdiction
22.1. This Agreement will be governed by and construed in accordance with the laws of Belgium, excluding its conflict-of-law rules.
22.2. All disputes arising out of or in connection with this Agreement which cannot be solved amicably shall be exclusively brought before the Dutch-speaking courts of Brussels, Belgium.
Annex 1: Responsum specifications
Annex 2: Data Processing Agreement
Technical and Organizational Measures
Pursuant to the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (‘GDPR’) and the Commission Decision 2010/87/EU on Standard contractual clauses for the transfer of personal data.
The Customer as the “Controller”
Responsum (BV), Excelsiorlaan 43/3 1930 Zaventem
Hereafter referred to as the “Processor”
The Customer is considered as the Controller, and hereinafter referred to as “Controller”, whereas the Provider is considered as the Processor, hereinafter referred to as “Processor”. The Controller and the Processor will be referred to together as the “Parties” and individually as a “Party” hereafter.
Article 2: Subject-matter of the Data Processing Agreement
- Employees of the Licensee (People to enrol in E-learnings and Phishing Campaigns)
  - First Name
  - Last Name
  - Email Address
  - Active Department
  - Phone Number
  - Login Credentials (for LMS)
  - Grades (for followed E-learnings and Quizzes related to Privacy, Security and Data Management)
  - Phishing campaign results (If employee opened the phishing SMS/Email, Clicked the link and/or submitted any information (depending on the scenario))
- Users of the Licensee (Users of the Responsum application itself)
  - First Name
  - Last Name
  - Email Address
  - Active Department
  - Login credentials
  - User Logging (Last Sign In, role changes, Creation date…) (For accountability purposes and to show to Admins in Configuration - User Management)
  - User Role within Responsum (Admin, Management Lead, Process Champion, CxO and/or Experience Center)
  - Specific permissions within Responsum (Ex. Access as management lead to certain Sub-modules of Responsum)
  - Responsibilities of a user within the Organization related to Privacy and Security Compliance (ex. Responsible to review Processing activities, Legal Advices…)
- Details of the Data Subjects of the Controller (ex. Controllers’ Clients, Members, Employees…) (Specific for the “Data Subject Rights” Module)
  - Potentially a Full Name or (preferably) a pseudonymised identifier of the Controllers’ Data Subject the request originates from (Ex. Employee 1367 or Employee John Doe…)
  - Controller can upload files of all possible filetypes. These can potentially contain personal identifiers of the Controllers’ Data Subjects. (Full Name, Internal ID, Email address and/or Phone number)
- Related Licensee contractors (not personal data)
  - Contact person details (ex. contact person within company that supplies software package…)
  - Name and location of the third-party contractor
Article 3: Duration of the processing
Article 4: CONTROLLER’S instructions
Article 5: Assistance to the CONTROLLER
The Processor shall assist the Controller in ensuring compliance with its obligations pursuant to article 32 – 36 GDPR, taking into account the nature of processing and the information available to the Processor.
Article 6: Information obligations
Article 7: PROCESSOR’S obligations
Article 8: CONTROLLER’S obligations
Article 9: The use of Sub-processors
a) NSX: Back-end development and Server maintenance
b) Mediaan: Front-end development
c) Delta Blue: Delivering a vendor and cloud agnostic platform that assists in server management and fully automates the Responsum application life cycle management.
d) Upcloud: Hosting services (via Delta Blue cloud)
e) Brightest: Testing automation assistance
The Processor has entered into a data processing agreement with these sub-processors, containing at least the same obligations as set forth in this Data Processing Agreement.
Article 10: Rights of the Data Subjects
Article 11: Security Measures
Article 12: Audit
Article 13: Transfer outside the EEA
Article 14: Transfer to Third Parties (Non-Disclosure/Confidentiality)
14.1. All information received by the Processor from the Controller is subject to an obligation of confidentiality when it comes to transfers of this (Personal) Data to Third Parties.
14.2. This obligation of confidentiality does not apply in so far as the Controller has given his prior Explicit Consent to provide information to listed Third Parties or if the transfer of this data to Third Parties is necessary to comply with the Agreement between the Parties.
14.3. The obligation of confidentiality shall also not apply if the Processor is required by law to provide the information to a Third Party. If the Processor is in doubt as to whether it is permitted to provide information to Third Parties, it shall consult the Controller prior to the Transfer.
14.4. After termination of this Agreement, this obligation of confidentiality shall continue to apply as long as the (Personal) Data of the Controller is still processed in any way by the Processor.
Article 15: Data Breach Notification
15.1 The Processor shall fully and immediately after detecting a (potential) Data Breach inform the Controller about:
a. The time the data breach started,
b. The nature and extent of the data breach,
c. The service and/or part of the service at which the data breach occurred,
d. The nature and extent of the data files involved,
e. The impact of the data breach and the associated risk analysis of the expanding effect thereof,
f. The expected recovery time of the Responsum service,
g. Which measures have been taken (or are proposed to be taken) to mitigate the data breach,
h. Which measures have been taken (or will be taken) to prevent such data breaches in the future.
15.2 The Processor shall be prohibited, whether or not in the context of a data breach, from communicating directly with the Controller’s data subjects and/or reporting the data breach to the supervisory authorities in the name of the Controller, other than on the express written instruction of the Controller, or with his explicit consent.
Article 16: Mediation and jurisdiction
Article 17: Intellectual Property Rights
All Intellectual Property Rights as regards the Personal Data and as regards the databases which contain these Personal Data are reserved to the CONTROLLER, unless otherwise contractually agreed upon between the Parties.
Article 18: Liability
Without prejudice to the Principal Agreement, the PROCESSOR is liable for the damage caused by processing only where it has not complied with the obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the CONTROLLER.
Without prejudice to Article 16.1 of this Agreement, the PROCESSOR shall in no case be liable, if it proves that it is not responsible for the event giving rise to the damage.
If it appears that both the CONTROLLER and the PROCESSOR are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages, in accordance with their individual share in the responsibility for the damage caused by the processing.