Terms of Service
Last Revised: September 19, 2022
Status Terms of Service
NOTICE: BY CREATING AN ACCOUNT OR BY UTILIZING STATUS YOU AGREE TO BE BOUND BY THESE TERMS OF SERVICE.
We may revise the Terms at any time. Your continued use of the Services means you accept all such revisions, and you agree to comply with all applicable laws and regulations. The materials provided on the Services are protected by law, including, but not limited to, United States copyright and trademark laws and international treaties.
The terms “you,” “your,” “user,” and “users,” as used herein, refer to all individuals accessing the Services for any reason. If the Services are being used on behalf of an entity by an individual authorized to agree to such terms on behalf of such entity, then “you” and like terms include you and such entity. If you are accessing the Services on behalf of an entity, you represent and warrant that (a) you are an authorized representative of the entity with the authority to bind the entity to the Terms, and (b) you agree to the Terms on that entity’s behalf.
PLEASE NOTE: THESE TERMS CONTAIN AN ARBITRATION CLAUSE AND CLASS ACTION WAIVER, WHICH AFFECT HOW DISPUTES WITH STATUS ARE RESOLVED. BY ACCEPTING THESE TERMS, YOU AGREE TO BE BOUND BY THE ARBITRATION PROVISION (SECTION 11). PLEASE READ IT CAREFULLY.
2. YOUR RESPONSIBILITIES
You acknowledge and agree that our ability to meet our obligations under the Agreement is dependent upon the timely, accurate, and complete satisfaction of your responsibilities under the Agreement. We shall be entitled to rely on all decisions and approvals by you or your points of contact.
3. USE RIGHTS AND RESTRICTIONS
3.1. Grant of Access. When you receive an invite-link, portal view link, or other means of authorizing you to create an account or otherwise access the Services, you will be deemed a “User” of the Services. The access links and credentials you receive are for your personal use only, and you are not authorized to, and you agree not to, share any links and/or access credentials you receive with any other persons. Your access to the Services may be via invitation from a third-party, such as a customer of Status, in which case your permissions and access may be governed by other terms and conditions, including terms and conditions imposed by the person or entity that granted you access to the Services. In cases where your access to the Services was granted by a person or entity other than Status, you agree that we may provide such person or entity with the ability to limit or restrict your access to the Services, including the User Content (as defined below in Section 3.4) you submit. You are responsible for maintaining the confidentiality of any access data and credentials, including your password, for your account, and you understand and agree that you are fully responsible for all activities that occur under your account.
By using the Services, you represent and warrant that you are at least 18 years of age, and you agree to immediately notify Status of any known or suspected unauthorized use of your account or any other breach of security. Status is not liable for any loss or damage arising from acts or omissions by you in connection with your account and/or your failure to comply with this section. You agree to: (a) provide true, accurate, current and complete information about yourself as prompted by the Services’ registration form, when applicable, and (b) maintain and promptly update your information to keep it true, accurate, current and complete.
Subject to the terms of the Agreement, we grant Users for the term a non‑transferable, non‑exclusive, limited right for Users to access the Services solely for your internal business purposes.
3.2. Restrictions. You shall not, and shall ensure your Users do not:
(a) sell, resell, distribute, host, lease, rent, license or sublicense, in whole or in part, or otherwise permit any third party not authorized by the Agreement or by Status, in writing, to access or use the Services;
(b) translate, modify, or develop any derivative works based on the Services;
(c) decipher, disassemble, reverse assemble, reverse engineer, decompile, or otherwise attempt to derive source code, specifications, architecture, structure, or any other components or elements of the Services;
(d) use the Services to send or store material containing viruses or other harmful computer code, scripts, agents, files, or programs;
(e) utilize or access the Services in any way, in whole or in part, to build a competitive product or service;
(f) disrupt, delay, or otherwise interfere with the integrity or performance of the Services, the Company’s ability to maintain and deploy the Services, or data stored within the Services;
(g) use the Services to provide processing services to third parties, without written authorization by Status;
(h) collect or disclose performance, capacity, or benchmark statistics on the Services or other Services;
(i) attempt to gain unauthorized access to the Services or related systems;
(j) violate our intellectual property rights or in any way disrupt or impede our ability to protect, assert, or defend our intellectual property rights; or
(k) otherwise use the Services except as expressly permitted by the Agreement.
3.4. User Content. Status does not claim ownership over any content, materials or information you and other users submit on or through the Services (“User Content”). You are the owner of, and are responsible for, your User Content. By uploading any User Content to the Services, however, you grant us a perpetual, irrevocable, royalty-free, worldwide, transferable, sublicensable, and nonexclusive license to access, distribute, store, store, reproduce, transmit, display, modify and adapt and create derivative works in any fashion from, and otherwise use, your User Content. To the extent you choose to share any of your User Content with other Users of the Services, you agree to allow these Users to view, use, publish, display, modify or include a copy of your User Content as part of their own use of the Services and, to the extent applicable, collaborate with you and your User Content.
You understand that all User Content is the sole responsibility of the person from which such User Content originated. You also understand and agree that Status does not control and has no duty to validate, and does not guarantee in any way, the User Content posted via the Services. By posting or submitting your User Consent through the Services, you represent and warrant that you have, or have obtained, all rights, licenses, consents, permissions, power and/or authority necessary to grant the rights granted herein for your User Content.
You agree that you will not:
(a) upload, create, or otherwise make available any User Content that is unlawful, harmful or abusive, vulgar, invasive of another’s privacy or discloses their identity or contact information (without the written consent of the owner of that information), hateful or racist, or otherwise objectionable;
(b) upload, create, or otherwise make available any User Content that is (i) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act of 1996; (ii) used to identify a specific individual and is sensitive in nature, such as social security numbers, driver’s license numbers or other government ID numbers; (iii) other personal information subject to regulation or protection under specific laws such as the Gramm-Leach-Bliley Act (or related rules or regulations); (iv) financial information, such as credit, debit or other payment card data subject to PCI DSS; (v) personal data enumerated in Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; or (vi) any data similar to the foregoing that is protected or otherwise regulated under foreign or domestic laws or regulations;
(c) engage in any manipulation of data or fields, or any other behavior intended to disguise the origin of any User Content;
(d) upload or create in the Services any User Content that you do not have a right to upload or create, including any User Content that infringes in any way the intellectual property rights, rights of privacy, or proprietary rights of any party; or
(e) upload or create any content that is considered “spam” by nature or type.
3.5. Updates. We may make available, from time to time and in our sole discretion, updates and upgrades to the Services. You will be responsible for the cost of any modifications to your infrastructure that may be required in connection with implementation of any updates or upgrades. We may modify, alter, add and/or substitute features of the Services from time to time, in whole or in part, without any notice to you.
3.6. Integrations. You may integrate the Services with your accounts or subscriptions to third-party services or applications, and we may, but are not required to, provide you with assistance in integrating such accounts. We do not warrant or endorse and do not assume and will not have any liability or responsibility to you or any User for any such third-party services or applications, including any integrations, whether connected or setup by you or Status.
3.7. Free Trials. If we provides you with a free trial to access and use the Services, Services will be made available in accordance with the terms of the Agreement on a trial basis free of charge until the earlier of:
(a) the end of the free trial period;
(b) the start date of any paid subscription to the Services; or
(c) termination of the free trial by Status in our sole discretion.
Any data inputted or transmitted through the Services, and any configurations made to the Services during the free trial period will be permanently lost unless you purchase a paid subscription to the Services, or export such data, before the end of the free trial period.
NOTWITHSTANDING SECTION 9 (“INDEMNIFICATION”) BELOW, DURING THE FREE TRIAL THE PLATFORM IS PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND STATUS SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY TO YOU OF ANY TYPE WITH RESPECT TO THE SERVICES FOR THE DURATION OF THE FREE TRIAL PERIOD.
3.8. Email and Other Notifications. At our sole discretion, we may provide you the ability to enable custom notification processes and/or authenticate custom domains through the Services or a third-party integration for purposes including, but not limited to, sending email, text, and other types of notifications. You understand and agree that, if enabled, the Services will be able to send notification emails, text messages, and/or other types of notifications to Users and external recipients on your behalf, that these notifications will be generated by the Services but may appear to be sent by you, and that you are solely responsible for complying with all laws and regulations applicable to sending such notifications.
3.8. Compliance with Applicable Laws. In undertaking any activity under this Agreement, you shall comply with any and all laws, rules, regulations and relevant industry standards applicable to your performance of your obligations under this Agreement. Without limiting the foregoing, youill fully comply with:
(a) the U.S. Foreign Corrupt Practices Act and will not make any payment to third parties that would cause you or Status to violate such statute;
(b) all export laws and regulations of the U.S. Department of Commerce and all other U.S. agencies and authorities, including the Export Administration Regulations promulgated by the Bureau of Industry and Security (as codified in 15 C.F.R. Parts §§ 730-774); and
(c) all applicable data protection, information security and privacy laws, rules, regulations and relevant industry standards (“Data Protection Laws”), including without limitation (i) the GDPR, (ii) the UK DPA, (iii) the Health Insurance Portability and Accountability Act, (iv) the California Consumer Privacy Act, (v) the Gramm-Leach-Bliley Act and (vi) the PCI Data Security Standards.
4. FINANCIAL TERMS
4.1. Subscription Plans. We may offer plans that allow you to use certain aspects of the Services, either for free or for a fee (a "Subscription Plan"). We may change Subscription Plans by offering new services for additional fees and charges and adding or amending fees and charges for existing Subscription Plans, at any time and in our sole discretion. Any change to a Subscription Plan’s pricing or payment terms will become effective in the billing cycle following notice of such change as provided in the Agreement. Subscription Plans may set allotments for use of particular features of the Services. Use in excess of a Subscription Plan’s allotment may result in additional fees, as specified in the plan, and such fees will be included in a subsequent invoice or charged automatically via the payment method associated with your account ("Payment Method").
4.2. Billing and Payment. For any paid Subscription Plan, you agree to make payments, and we may automatically charge the Payment Method, as described below, until Services are terminated in accordance with the terms of the Agreement. If you elect to use a paid Subscription Plan, you agree to the pricing and payment terms specified at checkout. By providing us with Payment Method, you authorize us to provide payment information to third parties to process and complete subscription payments, in United States dollars, plus any applicable taxes and any other transaction-related fees or charges, and any applicable recurring charges as described below. We currently use Stripe as the third-party service provider for payment services, and you agree to be bound by Stripe’s Services Agreement, available at stripe.com/us/legal. You agree that all payments for transactions are non-refundable and non-transferable except as expressly provided in the Agreement. You shall reimburse us for any expenses incurred, including interest and reasonable attorneys’ fees, in collecting amounts due to Company hereunder.
4.3. Renewals. Your subscription shall continue until terminated by you or until we terminate access to or use of the Services in accordance with the Agreement. All Subscription Plans will automatically renew for successive terms equal to the period selected and specified at checkout, unless either party notifies the other of its intent to not renew at least 30 days prior to the end of the then-term. You authorize us to automatically charge the Payment Method at the beginning of each renewal period. By electing to purchase a Subscription Plan, you acknowledge and agree to recurring payments, and accept responsibility for all recurring payment obligations prior to cancellation of the subscription by you or Status.
4.4. Cancellations. If we terminate your subscription, except in the event of your breach of the Agreement or failure to pay fees when due, we will grant a prorated refund for the remaining unused portion of the term. If you wish to cancel your subscription, you must provide notice of your desire to cancel at least 30 days before the end of the term, and shall not be entitled to any refund of fees already paid.
4.5. Late Payments. Any late payments shall be subject to a service charge equal to 1.5% per month of the amount due or the maximum amount allowed by law, whichever is less (plus the costs of collection).
5.1. Confidential Information. Confidential Information means nonpublic information that relates to or is provided by one party (the “Disclosing Party”) to the other party (the “Receiving Party”) that the Disclosing Party designates as being confidential or that under the circumstances surrounding disclosure should be treated as confidential (“Confidential Information”). Confidential Information includes, without limitation: information relating to the disclosing party’s software or hardware products that may include source code, API data files, documentation, specifications, databases, networks, system design, file layouts, tool combinations and development methods as well as information relating to the disclosing party’s business or financial affairs, which may include business methods, marketing strategies, pricing, competitor information, product development strategies and methods, customer lists and financial results. Confidential Information also includes information received from third parties that the Disclosing Party is obligated to treat as confidential.
5.2. Exceptions. Confidential Information shall not include any information that the Disclosing Party can show:
(a) is already known to the Receiving Party prior to disclosure pursuant to this Agreement;
(b) is or becomes publicly known through no wrongful act of the Receiving Party;
(c) is received by the Receiving Party from a third party without any restriction on confidentiality; or
(d) is approved for release by prior written authorization of the Disclosing Party.
5.3. Confidentiality Obligations. The Receiving Party agrees to maintain the confidentiality of the Disclosing Party’s Confidential Information and to use at least the same care and precaution in protecting the Disclosing Party’s Confidential Information as the Receiving Party uses to protect its own Confidential Information, but in no event less than a reasonable degree of care. Without limiting the generality of the foregoing, the Receiving Party shall not publish or disclose the Disclosing Party’s Confidential Information to third parties other than its employees, personnel, attorneys, advisors, and potential investors who are bound to keep such information confidential. Either party may only use Confidential Information in order to fulfill its obligations under this Agreement.
5.4. Required Disclosures. Notwithstanding the provisions of this Section 5, Receiving Party shall not be in breach of the Agreement if it, or any of its Representatives disclose Confidential Information
(a) in response to a valid order by a court or other governmental body of competent jurisdiction;
(b) as required by law; or
(c) if such disclosure was necessary to establish the relative rights of the Parties in a legal proceeding; provided, that Receiving Party promptly notifies Disclosing Party in writing of any such requirement so that Disclosing Party may seek an appropriate protective order or other appropriate remedy or waive compliance with the provisions of this Agreement.
Receiving Party will reasonably cooperate with Disclosing Party so that it can seek a protective order or other appropriate remedy or limitation, and Disclosing Party will reimburse all reasonable costs (including reasonable attorneys’ fees and expenses) incurred by Receiving Party in connection with a written request for specified assistance and cooperation by Disclosing Party.
6. OWNERSHIP – INTELLECTUAL PROPERTY RIGHTS
6.1. Our Rights. The Services, all materials used in the performance of any Implementation Services, other than any Client Materials (as defined below), and all deliverables provided in the performance of the Services will at all times remain the exclusive, sole and absolute property of Status or its licensors. You do not acquire any right, title, or interest in or to the Services or any deliverables provided as part of the Services except the limited right to access and use them in accordance with the terms of the Agreement. All rights, title and interest (including all intellectual property rights) in or to the Services not expressly granted under the Agreement are reserved by Status and its licensors. If you or your Invited Users elect to provide us with any feedback, comments, or suggestions for improvements of any kind related to the Services (“Feedback”), the Feedback will be the sole and exclusive property of Status and you hereby assign all rights in and to the Feedback to Status. We will have the right to use and disclose such Feedback in any manner and for any purpose, without remuneration, compensation, or attribution to you or your Invited Users.
6.2. Your Rights. You retain sole and exclusive ownership to:
(a) the Client Data (as defined in Section 7.3 below);
(b) content, materials or technology supplied by you to Status in connection with our provision of the Services (the “Client Materials”); and
(c) your name, trademarks and logos (the “Client Marks”).
You hereby grant Status a non-exclusive, royalty-free, fully-paid, non-sublicensable (except to our contractors performing services on our behalf) license during the term to (i) use, copy, display and reproduce the Client Marks and (ii) use, transmit, reproduce, display, distribute and prepare derivative works of the Client Materials, in each case as necessary to provide the Services to you. You also grant Company a non-exclusive, royalty-free license to use the Client Marks to identify you as a customer of Status on promotional materials and our website. Any use of the Client Marks shall be in accordance with your standard trademark guidelines, if any such guidelines are provided to us.
6.3. Digital Millennium Copyright Act. Status adopted the following policy towards copyright infringement in accordance with the Digital Millennium Copyright Act (the “DMCA”).
If You believe that any materials or works uploaded, downloaded or appearing on the Services have been copied in a way that infringes upon your intellectual property rights, please submit a notification alleging such infringement (“DMCA Takedown Notice”) including the following:
(a) a physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed;
(b) identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works;
(c) identification of the material claimed to be infringing or to be the subject of infringing activity and that is to be removed or access disabled and information reasonably sufficient to permit the service provider to locate the material;
(d) information reasonably sufficient to permit the service provider to contact you, such as an address, telephone number, and, if available, an electronic mail;
(e) a statement that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
(f) a statement that, under penalty of perjury, the information in the notification is accurate and you are authorized to act on behalf of the owner of the exclusive right that is allegedly infringed.
Any DMCA Takedown Notices should be sent to email@example.com or via mail to the following address: Status Software, Inc., 881 Baxter Drive STE 100, South Jordan, UT 84095. Status will terminate access of repeat infringers.
7.1. Data Processing. You agree to the provisions set forth in our Data Processing Agreement, if .
7.3. Your Data. You shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness and ownership of all electronic information, in any form, that you or any of your Invited Users provide, upload, or otherwise submit through the Services (the “Client Data”). You shall only disclose, submit or provide to us Client Data as necessary for us to provide the Services to you. You hereby grant us a non-exclusive, royalty-free, fully-paid, worldwide license (with the right to sublicense) during the term to access, use, reproduce and create derivative works of the Client Data in order to provide the Services to you and fulfill our obligations under the Agreement. You hereby represent and warrant that you have provided all necessary and appropriate notices and opt-outs, and has obtained all necessary and appropriate consents, approvals and rights to collect, process, use, store, enhance and disclose the Client Data and allow us to use, store, disclose and otherwise process such Client Data as contemplated by the Agreement, including to and from Users wherever required under applicable law. You shall obtain and retain throughout the term, and for 3 years after the termination of this Agreement, records sufficient to demonstrate you have provided all such notices and opt-outs and obtained all such consents, approvals and rights.
7.4. No Sensitive Information. Unless specifically agreed to by Status in writing, you will not submit to the Services any Client Data that is:
(a) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act of 1996;
(b) credit, debit or other payment card data subject to PCI DSS;
(c) nonpublic personal information subject to regulation or protection under the Gramm-Leach-Bliley Act (or related rules or regulations);
(d) social security numbers, driver’s license numbers or other government ID numbers; or
(e) any information about individuals or other data similar to the foregoing that is protected under foreign or domestic laws or regulations (collectively, and hereinafter referred to as, “Prohibited Data” or “Sensitive Data”).
Notwithstanding the foregoing, you are not prohibited from including any link that contains Prohibited Data stored outside the Services, provided that at no point is Prohibited Data stored in or submitted to the Services. Notwithstanding any other provision to the contrary, we shall have no liability under the Agreement for any Client Data submitted in violation of this Section 7.4. In the event that we agree to your use of the Services to process Sensitive Data, you warrant that you and your Invited Users comply with all applicable laws, regulations, and policies. With the exception of our gross negligence, you agree to indemnify and hold harmless Status against any and all claims and suits brought by any party, including government agencies, for violations of any laws relating to the protection, handling, storage, and/or processing of Sensitive Data.
7.5. Public Access. You agree that User-generated public access links that provide limited access to the Services (“Portal Views”) shall not be used to display, store, enter, or otherwise transmit in any way, Prohibited Data. You shall indemnify and hold harmless Status for any misuse of Portal Views, and shall ensure that all Invited Users:
(a) understand and comply with the terms of the Agreement;
(b) understand the proper use of, and how to protect information contained in, Portal Views; and
(c) protect, control the release of, and disable when appropriate, all links to Portal Views.
8.1. General Warranty Disclaimer. THE PLATFORM AND ALL OTHER SERVICES ARE PROVIDED “AS IS,” AND “AS AVAILABLE” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES CONCERNING THE AVAILABILITY, ACCURACY, USEFULNESS, SECURITY OR CONTENT OF THE PLATFORM OR OTHER SERVICES, OR ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. FURTHERMORE, STATUS DOES NOT WARRANT THAT THE SERVICES WILL BE FREE OF ERROR, VIRUSES OR OTHER MALICIOUS CODE, WILL BE UNINTERRUPTED OR THAT ALL ERRORS WILL BE CORRECTED OR THAT THE SERVICES WILL OPERATE IN COMBINATION WITH YOUR CONTENT OR APPLICATIONS, OR WITH ANY OTHER HARDWARE, SOFTWARE, SYSTEMS, SERVICES OR DATA NOT PROVIDED BY STATUS. ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF OUR SERVICES IS ACCESSED AT YOUR OWN DISCRETION AND RISK. STATUS IS NOT RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER HARDWARE, COMPUTER SOFTWARE, OR OTHER EQUIPMENT OR TECHNOLOGY INCLUDING, BUT WITHOUT LIMITATION, DAMAGE FROM ANY SECURITY BREACH OR FROM ANY VIRUS, BUGS, TAMPERING, FRAUD, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMPUTER LINE OR NETWORK FAILURE, OR ANY OTHER TECHNICAL OR OTHER MALFUNCTION.
YOU UNDERSTAND AND AGREE THAT WE MAY, AT ANY TIME AND IN OUR SOLE DISCRETION, MODIFY OR DISCONTINUE, PERMANENTLY OR TEMPORARILY, ANY PART OF OR ALL OF THE SERVICES WITH OR WITHOUT NOTICE, AND THAT WE SHALL NOT BE LIABLE TO YOU OR TO ANY OTHER PARTY FOR TAKING SUCH ACTION.
8.2. Connections over the Internet. You acknowledge that use of or connection to the Internet provides the opportunity for unauthorized third parties to circumvent security precautions and illegally gain access to the Services and User Content. Accordingly, Status cannot and does not guarantee the privacy, security or authenticity of any information so transmitted over or stored in any system connected to the internet.
8.3. Use of Third Party Materials in the Services. Certain Services may display, include, or make available content, data, information, applications, or materials from third parties (“Third Party Materials”) or provide links to certain third party websites. By using the Services, you acknowledge and agree that we are not responsible for examining or evaluating the content, accuracy, completeness, availability, timeliness, validity, copyright compliance, legality, decency, quality, or any other aspect of such Third Party Materials or websites. We do not warrant or endorse and do not assume and will not have any liability or responsibility to you or any other person for any Third Party Materials, or for any other materials, products, services, or websites of third parties.
9.1. Company Indemnification. We shall indemnify, defend and hold harmless you and your affiliates, and each of your officers, members, shareholders, directors, employees, and agents (collectively, the “Client Indemnified Parties”), from and against all liabilities, obligations, losses, damages, fines, judgments, settlements, charges, expenses (including reasonable attorneys’ and accountants’ fees and disbursements), and costs arising from a claim, demand, proceeding, suit, or action by a third party (“Third Party Claims”), incurred by or asserted against any of the Client Indemnified Parties, to the extent the Third Party Claims relate to, arise out of, or result from any actual or alleged infringement of any third party’s Intellectual Property Rights by the Services. We shall have no obligation under this Section 9.1 or otherwise regarding claims that arise from or relate to:
(a) you or your Invited Users’ use of the Services other than as contemplated by the Agreement;
(b) any modifications made to the Services by any person other than Status or its authorized representative;
(c) any combination of the Services with services or technologies not provided by or expressly authorized by Status;
(d) use of any version other than the latest commercially available version of the Services made available to you; or
(e) you or your Invited Users’ use of the Services or portion thereof after we have terminated the Agreement or such portion of the Services in accordance with this Section 9.1.
OUR OBLIGATIONS IN THIS SECTION 9.1 SHALL BE OUR SOLE AND EXCLUSIVE LIABILITY TO YOU, AND YOUR SOLE AND EXCLUSIVE REMEDY, WITH RESPECT TO ANY CLAIM OF INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS INVOLVING THE PLATFORM OR ANY OTHER SERVICES.
9.2. Client Indemnification. You shall indemnify, defend, and hold harmless Status and our officers, shareholders, directors, employees and agents (collectively, the “Company Indemnified Parties”), from and against all Third Party Claims incurred by or asserted against any of the Company Indemnified Parties to the extent the Third Party Claims relate to, arise out of, or result from your actions, including but not limited to:
(a) breach of any representation or warranty of yours contained in the Agreement;
(b) your failure to comply with any federal, state, and local laws applicable to you in your use of the Services; or
(c) you or your Invited Users’ access and use of the Services; or
(d) our use of the Client Materials and Client Data in accordance with the terms of the Agreement.
9.3. Indemnification Procedures. Promptly after a party seeking indemnification obtains knowledge of the existence or commencement of any Third Party Claim, the party to be indemnified (the “Indemnified Party”) will notify the other party (the “Indemnifying Party”) of the Third Party Claim in writing; provided, however, that any failure to give this notice will not waive the Indemnified Party’s rights except to the extent that the rights of the Indemnifying Party are actually prejudiced by this failure to give notice. The Indemnifying Party will assume the defense and settlement of the Third Party Claim with counsel reasonably satisfactory to the Indemnified Party at the Indemnifying Party’s risk and expense; provided, however, that the Indemnified Party (a) may join in the defense and settlement of the Third Party Claim and employ counsel at its own expense, and (b) will reasonably cooperate with the Indemnifying Party in the defense and settlement of the Third Party Claim. The Indemnifying Party may settle any Third Party Claim without the Indemnified Party’s written consent unless the settlement:
(i) does not include a release of all covered claims pending against the Indemnified Party;
(ii) contains an admission of liability or wrongdoing by the Indemnified Party; or
(iii) imposes any obligations upon the Indemnified Party other than an obligation to stop using any infringing items.
9.4. Infringement Remedies. If a Third Party Claim exists under Section 9.1, and in addition to our obligations in this Section 9, we shall, at our expense and in our sole discretion, take one or more of the following actions:
(a) procure for you the right to continue use of the infringing portion(s) of the Services;
(b) replace the infringing portion(s) of the Services with functionally equivalent non-infringing the Services; or
(c) modify the infringing portion(s) of the Services to be non-infringing and functionally equivalent.
If we cannot accomplish any of the foregoing within a reasonable time and at commercially reasonable rates, then we shall terminate the Agreement and we shall provide you with a pro-rated refund as provided in Section 4.4.
10. LIMITATION OF LIABILITY
WE SHALL NOT BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, STATUTORY OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING OUT OF THE PERFORMANCE OR USE OF THE SERVICES, WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT OR ANY OTHER THEORY OF LIABILITY, INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF USE OR DATA, DAMAGE TO SYSTEMS OR EQUIPMENT, COST OF COVER OR OTHER PECUNIARY LOSS, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE CUMULATIVE LIABILITY OF STATUS TO YOU FOR ANY CLAIMS, WHETHER ARISING IN CONTRACT, TORT, OR OTHERWISE, SHALL NOT IN ANY EVENT EXCEED THE AMOUNT OF FEES PAID TO STATUS BY YOU HEREUNDER IN THE SIX MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR $500, WHICHEVER IS GREATER. THE FOREGOING ALLOCATION OF RISK AND LIMITATION OF LIABILITY HAS BEEN NEGOTIATED AND AGREED BY THE PARTIES AND FORMS THE BASIS OF THEIR WILLINGNESS TO ENTER INTO THIS AGREEMENT. THE LIMITATION OF LIABILITY PROVISIONS SET FORTH IN THIS SECTION 10 SHALL APPLY EVEN IF YOUR REMEDIES UNDER THIS AGREEMENT FAIL WITH RESPECT TO THEIR ESSENTIAL PURPOSE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES, SO SOME OR ALL OF THE EXCLUSIONS AND LIMITATIONS IN THIS SECTION MAY NOT APPLY TO YOU.
11. ARBITRATION, CLASS-ACTION WAIVER, AND JURY WAIVER
11.1. Arbitration. If you pursue a legal claim against us, you agreess to arbitration (with limited exceptions). Therefore, the exclusive means of resolving any dispute or claim arising out of or relating to the Agreement (including any alleged breach thereof) or the Services shall be BINDING ARBITRATION administered by JAMS under the JAMS Streamlined Arbitration Rules & Procedures. The one exception to the exclusivity of arbitration is that either party has the right to bring an individual claim against the other in a small-claims court of competent jurisdiction, or, if filed in arbitration, the responding party may request that the dispute proceed in small claims court if the party’s claim is within the jurisdiction of the small claims court. If the responding party requests to proceed in small claims court before the appointment of the arbitrator, the arbitration shall be administratively closed, and if requested after the appointment of the arbitrator, the arbitrator shall determine if the dispute should be decided in arbitration or if the arbitration should be administratively closed and decided in small claims court. Whether you choose arbitration or small-claims court, you may not under any circumstances commence or maintain against us any class action, class arbitration, or other representative action or proceeding.
11.2. Waiver. By using the Services in any manner, you agree to the above arbitration agreement. In doing so, YOU GIVE UP THE RIGHT TO GO TO COURT to assert or defend any claims between you and Status (except for matters that may be taken to small-claims court). YOU ALSO GIVE UP THE RIGHT TO PARTICIPATE IN A CLASS ACTION OR OTHER CLASS PROCEEDING. Your rights will be determined by a NEUTRAL ARBITRATOR, NOT A JUDGE OR JURY, and the arbitrator shall determine all issues regarding the arbitrability of the dispute. You are entitled to a fair hearing before the arbitrator. The arbitrator can grant any relief that a court can, but you understand that arbitration proceedings are different from trials and other judicial proceedings, and that decisions by the arbitrator are enforceable in court and may be overturned by a court only for very limited reasons.
11.3. Enforcement. Any proceeding to enforce this arbitration agreement, including any proceeding to confirm, modify, or vacate an arbitration award, may be commenced in any court of competent jurisdiction. In the event that this arbitration agreement is for any reason held to be unenforceable, any litigation against the Company (except for small-claims court actions) may be commenced only in the federal or state courts located in Utah County, Utah. You hereby irrevocably consent to the jurisdiction of those courts for such purposes.
12.1. Termination. Either party may terminate the Agreement immediately upon written notice at any time if the other party fails to cure any material breach or provide a written plan of cure reasonably acceptable to the non-breaching party within 30 days of being notified in writing of such breach, except for breach of payment obligations which shall have a 10 day cure period. If you breach any provision of the Terms, all access, privileges, and rights granted by Status will terminate automatically. Status may suspend, disable, or delete your account and/or the Services (or any part of the foregoing) with or without notice, for any or no reason. If you breach the Terms, or are suspected by Status to have breached the Terms, you will not be permitted to, and you agree not to, access or re-register the Services, including under a different name or email address. If we delete your account for any reason, Status may, but is not obligated to, delete any or all of your User Content. Status shall not be responsible for the deletion of, or the failure to delete, your User Content. Termination of your account will not limit any of our other rights or remedies at law or in equity.
12.2. Suspension. We will be entitled to suspend your and your Invited Users’ access to the Services immediately upon written notice to you in the event you or your Invited Users breach this Agreement or if, in our reasonable judgment, there is a security risk created by you that may interfere with the proper continued provision of the Services or the operation of our network or systems. You remain obligated for all payment obligations under this Agreement in the event of suspension.
12.3. Effect of Termination. Upon termination or expiration of the Agreement, all licenses set forth thereunder shall terminate, and your right to access the Services shall cease. No termination or expiration of the Agreement shall affect any rights or liabilities of a party that accrued prior to the date of termination or expiration, including any fees accrued or payable to Status prior to the effective date of termination or expiration. Upon any termination or expiration of this Agreement, we shall have no obligation to maintain or provide any Client Data to you and may thereafter delete all Client Data in our systems or otherwise in our possession or under our control.
12.4. Survival. Sections 1, 4, 5, 6, 7.3, 7.4, 7.5, 8, 9, 10, 11, 12.2, 12.3, 12.4, and 13 shall survive termination of this Agreement. All other sections which by their nature should survive the termination of the Terms shall continue in full force and effect subsequent to and notwithstanding any termination of the Terms by Status or you.
13. MISCELLANEOUS PROVISIONS
13.1. Independent Contractor. You and Status agree that the relationship with the other party is that of an independent contractor. Neither Status nor you are, or shall be deemed for any purpose to be, employees or agents of the other and neither party shall have the power or authority to bind the other party to any contract or obligation.
13.2. Governing Law. Utah law and the Federal Arbitration Act will apply if there is a dispute (except where prohibited by law). Except where this arbitration agreement is prohibited by law, the laws of the State of Utah, excluding Utah’s conflict of laws rules, will apply to any disputes arising out of or relating to the Agreement, the Product, or the Services. Notwithstanding the foregoing, the Arbitration Agreement in Section 11 above shall be governed by the Federal Arbitration Act.
13.3. Venue. Any claims that are not submitted to arbitration for any reason must be litigated in Utah County, Utah (except for claims brought in small claims court, or where prohibited by law). Except for claims that may be properly brought in a small claims court of competent jurisdiction in the county or other jurisdiction in which you reside or in Utah County, Utah, all claims arising out of or relating to this Agreement, to the Services, or to your relationship with Status that for whatever reason are not submitted to arbitration will be litigated exclusively in the federal or state courts of Utah County, Utah, U.S.A. You consent to the exercise of personal jurisdiction of courts in the State of Utah and waive any claim that such courts constitute an inconvenient forum.
13.4. Modifications. We may modify this Agreement at any time by posting a revised version on our website and/or application, which modifications will become effective as of the first day of the calendar month following the month in which they were first posted; provided, however, that if the then-current term is for 12 months or longer, the modifications will instead be effective immediately upon the start of the next renewal term, if any.
13.5. Severability. In the event one or more of the provisions of this Agreement is held to be invalid or otherwise unenforceable by a court of competent jurisdiction for the matter in question, the enforceability of the remaining provisions shall be unimpaired.
13.6. Waiver. The failure of either party at any time to enforce any right or remedy available to it under this Agreement with respect to any breach or failure by the other party shall not be construed to be a waiver of such right or remedy with respect to any other breach or failure by the other party.
13.7. Assignment. Neither party shall assign the Agreement or any of its rights and obligations hereunder without the prior written consent of the other party; provided, however, that either party may assign the Agreement and all of its rights and obligations hereunder to an affiliate or as part of a merger or sale of substantially all the assets or stock of such party. Any assignment by either party in violation of this section shall be null and void. Subject to the foregoing, the Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective heirs, personal representatives, successors and permitted assigns.
13.8. Equitable Remedies. The parties agree that (a) the unauthorized disclosure of Confidential Information may cause irreparable harm to the party whose information is disclosed and (b) your breach of Section 3.2 may cause irreparable harm to Company. In such event, the applicable affected party shall be entitled to seek injunctive or other equitable relief seeking to restrain such use or disclosure without the necessity of posting any bond.
13.9. Force Majeure. Neither party shall incur any liability to the other party on account of any loss, claim, damage or liability to the extent resulting from any delay or failure to perform all or any part of this Agreement (except for payment obligations), if and to the extent such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control and without any negligence on the part of the party seeking protection under this section, including, without limitation, acts of God, strikes, lockouts, riots, acts of war, terrorism, earthquake, fire, explosions, any law or direction of any governmental entity, pandemics, epidemics, emergencies, civil unrest, viruses or denial of service attacks, telecommunications failure, or failure of the internet or internet service provider. Dates by which performance obligations are scheduled to be met will be extended for a period of time equal to the time lost due to any delay so caused.
13.10. Notices. Any notice required or permitted under this Agreement or required by law must be in writing and must be:
(a) delivered in person;
(b) sent by first class registered mail, or air mail, as appropriate; or
(c) sent by electronic mail.
Notices shall be considered to have been given upon receipt of confirmation or acknowledgment of delivery, provided in each case that delivery in fact is accomplished. Either party may change its contact person for notices and/or address for notice by means of notice to the other party given in accordance with this section.
13.11. Headings. The section headings contained in this Agreement are inserted for convenience only and shall not affect in any way the meaning or interpretation of this Agreement.
HOW TO CONTACT US
You may contact us regarding the Services or the Terms at: Status Technologies, Inc., 881 Baxter Drive STE 100, South Jordan, UT 84095 or by email at firstname.lastname@example.org.
Status Data Processing Agreement
Effective Date: September 19, 2022
Last Updated on: September 19, 2022
STATUS DATA PROCESSING AGREEMENT
NOTE: This Data Processing Agreement is only applicable in the event that you want Status to process Personal Data that requires such agreement, and only if separately agreed to by Status in writing.
This Data Processing Agreement (“DPA”) constitutes a legally binding agreement between you and Status. You are required to read this DPA carefully as this DPA forms an integral part of our Terms of Service. We may make changes and updates to this DPA at any time, and it is your responsibility to review this DPA for any such changes when you access the Services. By using or accessing the Services, you agree to this DPA and represent and warrant that you have the authority to agree to this DPA, either on behalf of yourself or on behalf of the entity you represent.
HOW THIS DPA APPLIES
This DPA is only valid and legally binding if you are using the Services and are a Controller to which Article 3 of the GDPR applies. Status is a party to this DPA for the sole purpose of complying with any obligations that are expressly stated to be Status obligations in this DPA, including assisting you to comply with its legal obligations under applicable Data Protection Legislation with respect to Personal Data that Status processes when providing the Services to you.
“CCPA” means the California Consumer Privacy Act of 2018 and its regulations.
“Controller”, “data subject”, “personal data”, “personal data breach,” “process”, “processing”, “processor”, and “supervisory authority” have the same meanings as in the GDPR.
“Customer” means you, and if the Services are being used on behalf of an entity by an individual authorized to agree to such terms on behalf of such entity, then “Customer” includes you and such entity, as well as Users authorized by such entity and any Customer affiliates.
“Data Protection Legislation” means all data protection laws and regulations, including laws and regulations of the European Union, the European Economic Area (EEA) and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, as amended or replaced from time to time, including without limitation the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).
“Personal Data” means personal data that is submitted to the Services by Customer and processed by Status for the purposes of providing the Services to Customer. The types of Personal Data and the specific uses of the Personal Data are detailed in Exhibit A below.
“Services” has the meaning given in the Terms of Service.
“Standard Contractual Clauses” or “Clauses” means (i) for transfers of Personal Data from the EEA and Switzerland, the Standard Contractual Clauses adopted by the European Commission pursuant to its Implementing Decision (EU) 2021/914 of 4 June 2021 (including all modules governing controller to processor transfers of personal data) or any such clauses amending, replacing or superseding those by a European Commission decision or by a legally binding decision made by any other authorized body which are attached hereto as Attachment 1, and (ii) for transfers of Personal Data from the United Kingdom, the Standard Contractual Clauses for controllers to processors published by the UK Information Commissioner’s Office (“ICO”) at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/sccs-after-transition-period/, or such successor Standard Contractual Clauses as are published by ICO.
2. DATA PROCESSING
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Personal Data for the provision of the Services, Customer is the Controller and Status is the Processor.
2.2 Processing of Personal Data. Status may process Personal Data on behalf of Customer as part the provision of the Services to Customer. Status will process Personal Data as follows:
Status will comply with applicable Data Protection Legislation;
Status will implement appropriate technical, administrative, physical and organizational measures to adequately safeguard and protect the security and confidentiality of Personal Data against accidental, unauthorized or unlawful destruction, alteration, modification, processing, disclosure, loss, or access;
Status will process the Personal Data only in accordance with any documented Customer instructions received by Status with respect to the processing of such Personal Data and in a manner necessary for the provision of the Services by Status which will, for the avoidance of doubt, include processing in accordance with this DPA and the Agreement;
Status will ensure that persons authorized to process Personal Data on behalf of Status have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
Status will assist Customer by appropriate technical and organization measures for the fulfillment of Customer’s obligations to respond to requests for exercising a data subject’s rights with respect to Personal Data under Chapter III of the GDPR;
Status will promptly inform Customer if in its opinion compliance with any Customer instruction would infringe Data Protection Legislation;
Status will assist Customer in complying with its obligations with respect to Personal Data pursuant to Articles 32 to 36 of the GDPR;
Status will, at Customer’s option, and subject to the terms of this DPA (i) delete or return all Personal Data to Customer after the end of the provision of the Services, and (ii) delete existing copies of Personal Data unless applicable law of the EU or an EU member state requires retention of the Personal Data;
Status will make available to Customer all information necessary to demonstrate compliance with its obligations as a Processor as specified in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, consistent with Section 8 of this DPA;
Status will maintain a record of all categories of processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR; and
Status and its representatives will cooperate, on request, with the relevant supervisory authority in providing the Services.
Status will act as Customer’s “service provider,” as that term is defined in the CCPA. In particular, Status will not: (i) “sell” (as defined in the CCPA) Personal Data or (ii) collect, retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services, including collecting, retaining, using, or disclosing Personal Data for any commercial purposes other than providing the Services, unless otherwise permitted under the CCPA (e.g., for Status’s internal use to build or improve the quality of its services, to detect data security incidents, or to protect against fraudulent or illegal acts).
2.3 Customer Responsibilities. Customer will, in its use of the Services, process Personal Data in accordance with the requirements of applicable Data Protection Legislation. For the avoidance of doubt, Customer’s instructions to Status for the processing of Personal Data will comply with applicable Data Protection Legislation. Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and for ensuring that the Personal Data was lawfully acquired by Customer (including any authorizations or consents if required). Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to Status so that Status and its Sub-processors (as defined in Section 5.1 of this DPA) may lawfully use, process and transfer the Personal Data in accordance with this DPA and the Agreement on Customer’s behalf as a Processor.
2.4 Processing Instructions. Customer instructs Status to process Personal Data for the following purposes: (a) processing necessary for the provision of the Services and in accordance with the Agreement; (b) processing initiated by Customer’s end users in their use of the Services; and (c) processing to comply with the other reasonable written instructions provided by Customer to Status (e.g., via email or via support requests) where such instructions are consistent with the terms of the Agreement, as required to comply with applicable Data Protection Legislation, or as otherwise mutually agreed by the parties in writing. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the foregoing is deemed an instruction by the data exporter to process Personal Data. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Status to Customer upon Customer’s written request.
3. RIGHTS OF DATA SUBJECTS
Status shall, to the extent legally permitted, promptly notify Customer if Status receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the processing, Status shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under applicable Data Protection Legislation. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Status shall upon Customer’s request provide commercially reasonable assistance to Customer in responding to such Data Subject Request, to the extent Status is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any reasonable costs that Status may incur in providing such assistance.
4. DATA TRANSFER REQUIREMENTS
The Standard Contractual Clauses will apply to all processing of Personal Data by Status where the Personal Data is transferred from the EEA, Switzerland or the United Kingdom to outside the EEA, Switzerland or United Kingdom, from a data exporter acting as Controller to a data importer acting as Processor, to any country or recipient: (a) not recognized by the European Commission or the UK ICO as providing an adequate level of protection for Personal Data (as described in the Data Protection Legislation), and (b) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data.
Status will abide by the requirements of the Data Protection Legislation regarding the collection, use, transfer, retention, and other processing of Personal Data from the EEA, Switzerland and United Kingdom, including, without limitation, completing any required prior assessments. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR. Status agrees to notify Customer if it makes a determination that a change in the Data Protection Legislation is likely to have a substantial adverse effect on the warranties and obligations provided under the Standard Contractual Clauses. In such event, Status will work with the Customer to find a mutually agreeable solution. To the extent that there are any further measures that are legally required by relevant Data Protection Legislation to be implemented by Status to ensure ongoing compliance with the Standard Contractual Clauses, Status shall implement such measures within a reasonable time.
In addition, Status is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail, although Status does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18 and the opinion of the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland dated September 8, 2020. Status agrees to notify Customer if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
5.1 Sub-processing. The parties acknowledge that applicable Data Protection Legislation permits a Controller to provide the Processor a general written authorization to sub-processing. Accordingly, Customer provides a general authorization to Status, pursuant to Clause 11 of the Standard Contractual Clauses and Article 28(2) and (4) of the GDPR, to engage sub-processors (“Sub-processors”) to enable Status to fulfill its contractual obligations under the Agreement and to provide support services on Status’s behalf, subject to compliance with the requirements in this Section. The parties agree that copies of any Sub-processor agreements that are provided by Status to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Status beforehand. Such copies will be provided by Status, in a manner to be determined in its discretion, upon written request by Customer.
5.2 Sub-processor Agreements. Status will: (a) enter into a written agreement in accordance with the requirements of Article 28(4) of the GDPR with any Sub-processor that will process Personal Data; (b) ensure that each such written agreement contains terms that are no less protective of Personal Data than those contained in this DPA; and (c) be liable for the acts and omissions of its Sub-processors to the same extent that Status would be liable if it were performing the services of each of those Sub-processors directly under the terms of this DPA.
5.3 Sub-processor List. Information regarding Status’s current Sub-processors, including their location and services provided (the “Sub-processor List”), is provided at Attachment 1, Annex III to this DPA. This Sub-processor list may be updated by Status from time to time in accordance with subsection 5.4.
5.4 Changes to Sub-processor List. Status will provide Customer with advance written notice before a new Sub-processor processes any Personal Data (which may be provided through email to the address communicated by Customer in its Status admin portal, or such other reasonable means). Customer may object to the new Sub-processor within fifteen (15) days of such notice on reasonable grounds relating to the protection of Personal Data by following the instructions set forth in the Sub-processor List. In such case, Status shall have the right to cure the objection through one of the following options: (1) Status will cancel its plans to use the Sub-processor with regards to processing Personal Data or will offer an alternative to provide the Services without such Sub-processor; or (2) Status will take the corrective steps requested by Customer in its objection notice and proceed to use the Sub-processor; or (3) Status may cease to provide, or Customer may agree not to use whether temporarily or permanently, the particular aspect or feature of the Services that would involve the use of such Sub-processor. If none of the above options are commercially feasible, in Status’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days after Status’s receipt of Customer’s objection notice, then either party may terminate the Agreement for cause and in such case, Customer will be refunded any pre-paid fees for the applicable Services pro-rated for the unused portion of the Subscription Term. Such termination right is Customer’s sole and exclusive remedy if Customer objects to any new Sub-processor.
6. SECURITY MEASURES
Status implements the physical, technical, and organizational security measures set forth in EXHIBIT B of this DPA with respect to the Personal Data (“Security Measures”) to ensure a level of security appropriate to the risk in accordance with the standards of Article 32 of the GDPR. Status regularly tests, assesses and evaluates the effectiveness of the Security Measures. Status will not materially decrease the overall security of the Services during the term of the Agreement. Status will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance.
7. SECURITY INCIDENT NOTIFICATION
The parties agree that Status’s obligations under Clause 5(d)(ii) of the Standard Contractual Clauses and under Article 28(3)(f) of the GDPR with respect to Customer’s compliance with Articles 33 and 34 of the GDPR will be carried out in accordance with this Section 7. If Status becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, Customer’s Personal Data, including any “personal data breach” as defined in the GDPR (“Security Incident”), Status will notify Customer without undue delay after becoming aware of and confirming the Security Incident. Status will take reasonable steps to: (a) identify the cause of the Security Incident; and (b) take any actions necessary and reasonable to remediate the cause of such Security Incident to the extent such remediation is within Status’s reasonable control. Status will also reasonably cooperate with Customer with respect to any investigations and with preparing potentially required notices, and provide any information reasonably requested by Customer in relation to the Security Incident.
The parties agree that the audits described in Clauses 5(f) and 12(2) of the Standard Contractual Clauses and Article 28(h) of the GDPR (the “Audit”) will be carried out in accordance with the following conditions:
An Audit of its data processing facilities may be performed no more than once per year during Status’s normal business hours, unless (i) otherwise agreed to in writing by Customer and Status, (ii) required by a regulator or under applicable Data Protection Legislation, or (iii) there is a Security Incident;
Customer will provide Status with at least thirty (30) days’ prior written notice of an Audit, which may be conducted by Customer or an independent auditor appointed by Customer that is not a competitor of Status (“Auditor”);
The Auditors will conduct Audits subject to any appropriate and reasonable confidentiality restrictions requested by Status;
The scope of an Audit will be limited to Status systems, processes and documentation relevant to the processing and protection of Personal Data;
Prior to the start of an Audit, the parties will agree to reasonable scope, time, duration, place and conditions for the Audit, and a reasonable reimbursement rate payable by Customer to Status for Status’s Audit expenses;
If available, Status will provide an Auditor, upon request, with any third-party certifications pertinent to Status’s compliance with its obligations under this DPA (for example, ISO 27001, ISO 27701 and/or SOC 2, Type II); and
Customer will promptly notify and provide Status with full details regarding any perceived non-compliance or security concerns discovered during the course of an Audit.
9.1 Term and Termination. This DPA will remain in force until (i) it is replaced or repealed by mutual agreement of Customer and Status, or (ii) the Agreement is terminated or expires.
9.2 Liability. Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Agreement. Status’s liability to Customer under this DPA will be limited to the same extent as Status’s liability to Customer under the Agreement. For the avoidance of doubt, the total liability of Status and its affiliates for all claims by Customer arising out of or related to the Agreement and this DPA shall apply in aggregate for all claims under both the Agreement and this DPA. In no event will either party limit its liability with respect to any data subject rights under the Standard Contractual Clauses or the GDPR.
9.3 Governing Law. Without prejudice to clause 7 (Mediation and Jurisdiction) and clause 9 (Governing Law) of the Standard Contractual Clauses: (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
(ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
9.4 Changes in Data Protection Legislation. Status and Customer may, by written notice to the other party, propose to amend the appendices to the Standard Contractual Clauses or this DPA as required as a result of any change in, or decision of a competent authority under, applicable Data Protection Legislation, to allow processing of Personal Data to be done (or continue to be done) without breach of such Data Protection Legislation. The parties agree to make any such required amendment, which shall be in writing and signed by both parties.
9.5 Counterparts. This DPA may be executed in any number of counterparts, each of which will be deemed to be an original and all of which taken together will comprise a single instrument. This DPA may be delivered by facsimile or electronic document format (e.g. PDF), and facsimile or electronic copies of executed signature pages will be binding as originals.
9.6 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the parties and supersedes any other prior or contemporaneous agreements or terms and conditions, written or oral, concerning its subject matter. In case of conflict or inconsistency between this DPA, the Agreement, and the Standard Contractual Clauses, the following order of precedence shall govern to the extent of the conflict or inconsistency: (i) the Standard Contractual Clauses; (ii) this DPA; and (iii) the Agreement.
9.7 Severability. If any provision of this DPA is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of terms will remain in full effect.
EXHIBIT A: Personal Data
Subject Matter of Processing. The subject matter of Processing are the Services pursuant to the Agreement.
Duration of Processing. The Processing will continue until the expiration or termination of the Agreement.
Categories of Data Subjects. Employees, contractors and other authorized users of Customer.
Nature and Purpose of Processing. Nature: Processing as part of the Services ordered by Customer in the Agreement.
Purpose: The purpose of the Processing of Personal Data by Status is to provide the Services pursuant to the Agreement.
Types of Personal Data. Personal Data provided by Customer to facilitate Status’s provision of the Services to Customer, including names, email addresses and phone numbers of Data Subjects.
EXHIBIT B: Status Security Measures
1. Preventing unauthorized persons from gaining access to data processing systems (physical access control)
2. Preventing personal data processing systems from being used without authorization (logical access control)
3. Ensuring that persons entitled to use a data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control)
4. Ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control)
5. Ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from personal data processing (entry control)
6. Ensuring that Personal Data is processed solely in accordance with the Instructions (control of Instructions)
7. Ensuring that Personal Data is protected against accidental destruction or loss (availability control)
8. Ensuring that Personal Data collected for different purposes can be processed separately (separation control)
Attachment 1: EU Standard Contractual Clauses (Controller to Processor)
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Use of sub-processors
(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
[Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of France.
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of the EU Member State in which the data exporter is established.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
A. LIST OF PARTIES
Data Exporter(s): The Data Exporter is the entity that has subscribed to the Terms and their contact details are as provided by them while subscribing to the Terms.
Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Name: Status Software, Inc.
Address: 881 Baxter Drive, Suite 100, South Jordan, UT 84095
Contact person’s name, position and contact details:
Name: Jacob Shumway Email: email@example.com
Activities relevant to the data transferred under these Clauses:
Processing as part of the services ordered by Data Exporter pursuant to the Terms of Service.
B. DESCRIPTION OF TRANSFER
Data Importer is engaged in providing services relating to workflow and team management software built to streamline and automate the onboarding and ongoing management of customers. The data transferred is the Personal Data provided by the Data Exporter to the Data Importer in connection with its use of the services. Such Personal Data may include first name, last name, email address, contact information, and other personal data provided by the Data Exporter. See Exhibit A of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority will be the Regulator in the EU Member State in which the data exporter is established.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See Section 6 and Exhibit B of the DPA.
LIST OF SUB-PROCESSORS
Description of the Processing
Last Revised: September 19, 2022
1. INFORMATION WE COLLECT
where you live (your full address);
your email address;
financial information, such as credit card and bank information, including business/corporate financial information; and
your IP address;
your phone or mobile-device ID number;
device information; and
Information You Provide
We may collect and store Personal Information and Non-personal Information that you provide in order to use our Services. For example, we may ask for information when you:
register to create an account, update your information, or sign up for a Subscription Plan (as defined in our Terms of Service);
use certain features;
access, upload or download content;
purchase partner products or services; or
fill out a survey, data collection form, request customer support, or otherwise communicate with us.
In the process of supporting our Services, we may discover personally identifiable information associated with your account, and we may need to investigate the data within your user account. In all cases, we (or our service providers or business partners) may collect and store this information.
Information We Receive from Others
In addition to the information you provide us directly, we may receive information about you from others.
Information from Customers or other users. Other users may provide information about you as they use our Services. For instance, we may collect information about you from other users if they contact us about you. We may also use contact information provided by a Status customer to contact you.
Information from email providers. You may be able to use your email account login (such as Gmail) to create and log into your Status account. This allows you to share some information from your email account with us.
Information Collected During Your Use of Our Services
When you use our Services, we collect information about which features you use, how you use them, and the devices you use to access our Services.
Usage information. We collect information about your activity on our Services, for instance how you use them (e.g., date and time you logged in, features you’ve been using, searches, clicks and pages which have been shown to you, referring webpage address, advertising that you click on) and how you interact with other users (e.g., users you connect and interact with, time and date of your exchanges, number of messages you send and receive).
Device information. We collect information from and about the device(s) you use to access our Services, including:
hardware and software information such as IP address, device ID and type, device-specific and apps settings and characteristics, app crashes, advertising IDs (such as Google’s AAID and Apple's IDFA, both of which are randomly generated numbers that you can reset by going into your device’ settings), browser type, version and language, operating system, time zones, identifiers associated with cookies or other technologies that may uniquely identify your device or browser (e.g., IMEI/UDID and MAC address); and
information on your wireless, mobile, internet, or other network connections, like your service provider and signal strength; and
information on device sensors such as accelerometers, gyroscopes and compasses.
Other information. If you give us permission, we can collect your precise geolocation (latitude and longitude) through various means, depending on the service and device you’re using, including GPS, Bluetooth or Wi-Fi connections. The collection of your geolocation may occur in the background even when you aren’t using the Services if the permission you gave us expressly permits such collection. If you decline permission for us to collect your geolocation, we will not collect it.
We may discover, by reviewing log files, that a particular account is using the Services in a way that is degrading the experience for all the Services’ Users. If this is discovered, we may look up personally identifiable information associated with that account in order to contact you or the relevant Status customer. We handle and disclose this information in the same way we handle other potentially personally-identifying information as described below.
Information You Choose To Display Publicly On Our Services
Personal and/or sensitive information that is voluntarily posted in publicly visible parts of our Services is considered to be public, even if it would otherwise be considered to be personally identifying or sensitive. If you choose to provide personally identifiable information or otherwise sensitive information using certain public features of the Services, individuals reading such information may use or disclose it to other individuals or entities without our control and without your knowledge. We therefore urge you to think carefully about including any specific information you may deem private in content that you create or information that you submit through our Services.
Information You Give To Other People
This Policy only applies to information collected by Status. It does not apply to the practices of companies that we don’t own or control, or employees that we don’t manage, even if and when such companies utilize the Services to collect information. The Services may contain links to third party websites, and any information you provide to those sites will be covered by any privacy policies they may have, not this Policy. Please be sure to read the privacy policies of any third-party sites you visit. It is those sites’ responsibility to protect any information you give them, and we will not be held liable for their wrongful use of your personally identifying information.
2. COOKIES AND OTHER SIMILAR DATA COLLECTION TECHNOLOGIES
Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) have a “Do Not Track” (“DNT”) feature that tells a website that a user does not want to have his or her online activity tracked. If a website that responds to a DNT signal receives a DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many businesses, including Status, do not currently respond to DNT signals.
3. HOW WE USE INFORMATION
We may use your information for the following purposes.
To administer your account and provide our Services to you. For example, to:
create and manage your account;
provide you with customer support and respond to your requests;
send you product, service and new feature information, or information about changes to our terms, conditions, and policies and other administrative information;
respond to inquiries, offer support to Users and help us solve any potential issues you might have with the use of our Services;
complete your transactions; and
communicate with you about our Services, including order management and billing.
To ensure a consistent experience across your devices. We may link the various devices you use so that you can enjoy a consistent experience of our Services on all of them. We do this by linking devices and browser data, such as when you log into your account on different devices or by using partial or full IP address, browser version and similar data about your devices to help identify and link them.
To improve our Services and develop new ones. For example, to:
administer focus groups and surveys;
request feedback and to contact you about your use of our Services;
conduct research and analysis of users’ behavior to improve our Services and content (for instance, we may decide to change the look and feel or even substantially modify a given feature based on users’ behavior); and
develop new features and Services.
To prevent, detect and fight fraud or other illegal or unauthorized activities. For example, to:
address ongoing or alleged misbehavior on and off-platform;
perform data analysis to better understand and design countermeasures against these activities; and
retain data related to fraudulent activities to prevent against recurrences.
To ensure legal compliance. For example, to:
comply with legal requirements;
assist law enforcement; and
enforce or exercise our rights, for example our Terms of Service.
To process your information as described above, we rely on the following legal bases:
Provide our Services to you. Most of the time, the reason we process your information is to perform the contract that you have with us.
Legitimate interests. We may use your information where we have legitimate interests to do so. For instance, we analyze users’ behavior on our Services to continuously improve the Services, and we process information for administrative, fraud detection, and other legal purposes.
4. HOW WE SHARE INFORMATION
We may share your information with others, as follows.
With other users. You share information with other users when you voluntarily disclose information on the Services. Please be careful with your information and make sure that the content you share is content that you’re comfortable being publicly viewable since neither you nor we can control what others do with your information once you share it.
With our service providers and partners. We use third parties to help us operate and improve our Services. These third parties assist us with various tasks, including data hosting and maintenance, analytics, customer care, marketing, advertising, payment processing and security operations. We may also share information with partners who distribute and assist us in advertising our Services. For instance, we may share information on you in hashed, non-human readable form to advertising partners.
For corporate transactions. We may transfer your information if we are involved, whether in whole or in part, in a merger, sale, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy or other change of ownership or control.
When required by law. We may disclose your information if reasonably necessary: (a) to comply with a legal process, such as a court order, subpoena or search warrant, government / law enforcement investigation or other legal requirements; (b) to assist in the prevention or detection of crime (subject in each case to applicable law); or (c) to protect the safety of any person.
To enforce legal rights. We may also share information: (a) if disclosure would mitigate our liability in an actual or threatened lawsuit; (b) as necessary to protect our legal rights and legal rights of our users, business partners or other interested parties; (c) to enforce our agreements with you; and (d) to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing.
With your consent or at your request. We may ask for your consent to share your information with third parties. In any such case, we will make it clear why we want to share the information.
As allowable by law. We may use and share Non-personal Information, as well as Personal Information in hashed, non-human readable form, under any of the above circumstances, or to the extent provided by law. We may combine this information with additional Non-personal Information or Personal Information in hashed, non-human readable form collected from other sources.
Our Customers. We share information about Users with the relevant Customer and with other third parties that the Customer may direct us to share that information with.
5. YOUR RIGHTS
We do not participate in the Digital Advertising Alliance, and we are not a member of NAI. However, to opt-out of such collection and use for online behavioral advertising by the Digital Advertising Alliance (DAA) participating companies in the United States, please visit: http://www.aboutads.info/choices and http://www.aboutads.info/appchoices. To opt-out from the use of information about your online activities for online behavioral advertising by NAI member companies, visit: http://www.networkadvertising.org/choices. Please note that even if you opt-out, you may still receive advertisements from us that are not customized based on your usage Information. To learn how to manage privacy and storage settings for Flash cookies, please visit: https://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager.html
6. RESIDENTS OF CALIFORNIA
If you are a resident of California, you are granted specific rights regarding access to your information. If you are under 18 years of age, reside in California, and have a registered account with the Services, you have the right to request removal of information that you publicly post on the Services. To request removal of such information, please contact us using the contact information provided below, and include the email address associated with your account, a statement that you reside in California and details of where the information is posted. We will make reasonably good faith efforts to remove this information so that it is not publicly displayed on the Services, but please be aware that this process cannot ensure complete or comprehensive removal. For instance, third-parties may have republished the post and archived copies of it may be stored by search engines and others that we do not control.
7. HOW WE PROTECT YOUR INFORMATION
We use third-party services to process and store the data we collect, such as the Google Cloud Platform (“Sub-processors”). By using the Services you agree and signify that you understand and agree to the terms and limitations contained in the Google Cloud Platform Terms of Service, and that your information may be transferred and processed in the United States and anywhere in the world where we, our affiliates, and/or Sub-processors maintain data processing operations. Although we take steps to secure your information, we do not promise, and you should not expect, that your personal information will always remain secure. We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security. You understand and agree that we shall not be held responsible or liable for any Sub-processor failures including, but not limited to: data breaches, security incidents, and loss of data. If you believe that your account or information is no longer secure, please notify us immediately at firstname.lastname@example.org.
8. HOW LONG WE RETAIN YOUR INFORMATION
We keep your personal information to the fullest extent permitted by applicable law.
9. CHILDREN'S PRIVACY
We do not attempt to, nor do we knowingly collect any personal information from, children under the age of 13. If we learn that a child under the age of thirteen has provided personally identifiable information through the Services, we will use reasonable efforts to remove such information from our files.
This policy may change over time. It is your responsibility to visit this page regularly and stay informed of any changes. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible.
11. HOW TO CONTACT US
By mail: Status Software, Inc.
881 Baxter Drive STE 100
South Jordan, UT 84095