LICENCE, OR DELIVERY OF ANY APPLIANCES OR SERVICES BY DARKTRACE. By selecting the ‘accept’ option, installing or otherwise accessing or using the Offering (as defined herein), Customer acknowledges that Customer has read, understands and agrees to be bound by the terms and conditions of this Agreement. Where a reseller, service provider, consultant, contractor or other permitted third party downloads, installs or otherwise uses the Appliance on Customer’s behalf, such party will be deemed to be Customer’s agent and Customer will be deemed to have accepted all of the terms and conditions of this Agreement as if Customer had directly downloaded, installed or used the Appliance.
2.1. If Darktrace permits Customer to conduct a proof of value of the Offering (the “Evaluation”), Customer shall be granted a non- exclusive, non-transferable, non-sublicensable licence to use the Appliance free of charge for evaluation purposes only for a maximum of four (4) weeks, or such other duration as specified by Darktrace in writing at its sole discretion (the “EvaluationPeriod”). Except for the foregoing, Darktrace does not grant Customer any rights, implied or otherwise in or to the Offering in respect of an Evaluation. Customer must keep the Appliance free from liens, will be responsible for any damage to such Appliance during the Evaluation Period (reasonable wear and tear excepted) and will carry insurance coverage (all risks) in an amount equal to the full replacement value of the Appliance. On the expiry of the Evaluation Period, and unless the Parties agree to a subsequent purchase of the Offering, Customer shall return the Appliance to Darktrace securely and properly packaged, with carriage (and insurance at Customer’s option) and this Agreement will terminate.
2.2. If Darktrace provides Customer with a new product or new version of the Offering for technical preview or beta testing purposes (a “Preview Product”), Customer may use the Preview Product for evaluation purposes, in a non-production test environment only, for the period specified by Darktrace (the “Test Period”). Customer will test the Preview Product in accordance with any conditions specified in the readme file for the software or any accompanying Documentation and will gather and report test data, feedback, comments and suggestions to Darktrace. Customer’s right to use the Preview Product will terminate upon expiry of the Test Period. Darktrace does not warrant that it will release a commercial version of the Preview Product, or that a commercial version will contain the same or similar features as the Preview Product.
2.3. Clause 9 and Clause 12 will not apply to Evaluations or Preview Products. APPLIANCES PROVIDED FOR THE PURPOSES OF EVALUATION (“EVALUATION PRODUCTS”) AND PREVIEW PRODUCTS ARE PROVIDED “AS IS” AND, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: (i) DARKTRACE MAKES NO WARRANTIES, CONDITIONS, REPRESENTATIONS OR UNDERTAKINGS OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE WITH RELATION TO SUCH EVALUATION PRODUCTS OR PREVIEW PRODUCTS; AND (ii) IN NO EVENT SHALL DARKTRACE BE LIABLE TO CUSTOMER OR TO THOSE CLAIMING THROUGH CUSTOMER FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGE OR LOSS OF ANY KIND, OR ANY LOSS OF PROFITS, LOSS OF CONTRACTS, BUSINESS INTERRUPTIONS, LOSS OF OR CORRUPTION OF INFORMATION OR DATA HOWEVER CAUSED AND WHETHER ARISING UNDER CONTRACT OR TORT (INCLUDING WITHOUT LIMITATION NEGLIGENCE), EVEN IF DARKTRACE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2.4. IF ANY LIMITATION, EXCLUSION, DISCLAIMER OR OTHER PROVISION CONTAINED IN CLAUSE 2.3 ABOVE IS HELD TO BE INVALID FOR ANY REASON BY A COURT OF COMPETENT JURISDICTION AND DARKTRACE BECOMES LIABLE THEREBY FOR LOSS OR DAMAGE THAT MAY LAWFULLY BE LIMITED, SUCH LIABILITY WHETHER IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED TEN THOUSAND POUNDS STERLING (£10,000).
3.1. Darktrace agrees to provide to Customer: (i) the number and type of Appliances; (ii) the Support Services; and (iii) the training to be provided to Customer, if any, each as set out in the Product Order Form. The Product Order Form must be in writing and reference this Agreement to be valid. The Product Order Form will be governed by this Agreement and any different or additional terms presented with or in any communication, including but not limited to, Customer’s purchase order, are deemed null and void and of no effect unless the additional terms are agreed upon by the Parties in writing prior to acceptance of that Product Order Form.
4.2. Delivery. Darktrace will use commercially reasonable efforts to ship the Appliance(s) on the agreed delivery dates (in partial or full shipments); provided, however, that Darktrace will in no event be liable for any delay in delivery or for failure to give notice of delay. Darktrace may withhold or delay shipment of any order if Customer is late in payment or is otherwise in default under this Agreement. Darktrace will deliver the Hardware FCA (Incoterms 2010) to the agreed Sites. In the absence of specific shipping instructions from Customer, Darktrace will ship by the method of its choice. Unless otherwise agreed, Customer will pay and be exclusively liable for all costs associated with shipping and delivery including without limitation, freight, shipping, customs charges and expenses, cost of special packaging or handling and insurance premiums incurred by Darktrace in connection with the shipment of the Appliance(s) to Customer. Darktrace will identify itself in all documents related to the shipment of the Appliance(s) as the exporter of record from the applicable jurisdiction of export, and Customer (or its agent, as applicable) as the importer of record into the country of delivery.
4.3. Title to Hardware. Save where otherwise stated in the Product Order Form, title to the Hardware will remain with Darktrace during the first twenty-four (24) month period of the Term. Following such initial twenty-four (24) month period and provided Customer is current in all payment obligations to Darktrace, title in the Hardware will pass to Customer. Upon termination for any reason during the first twenty-four (24) month period of the Term (or if the Term is less than twenty- four (24) months in duration, on expiration of the Term), Customer shall return the Hardware to Darktrace, securely and properly packaged, with carriage (and insurance at Customer’s option) prepaid. During such initial twenty-four (24) month period, Customer must (a) clearly designate the Hardware as Darktrace’s property; (b) hold the Hardware on a fiduciary basis as Darktrace’s bailee; (c) store and use the Hardware in a proper manner in conditions which adequately protect and preserve the Hardware; (d) insure the Hardware against all risks to its full replacement value; and (e) not sell, charge, pledge, mortgage or otherwise dispose of the Hardware or any part of it or permit any lien to arise over the Hardware (or part thereof) and keep the Hardware free from distress, execution and other legal process.
5. LICENCE GRANT FOR THE SOFTWARE AND RESTRICTIONS
5.1. Licence Grant for Software. In consideration of the Fees paid by Customer to Darktrace, and subject to the terms and
conditions of this Agreement and the Product Order Form, Darktrace grants to Customer a non-exclusive, non-transferable, non-sublicensable licence for the Term to: (i) install and use the Appliance on the Site(s) or an Outsource Provider’s site(s) for Customer’s or its Affiliate’s internal business purposes (provided that neither Customer nor its Affiliates may use the Appliance or the Services as a commercial product or for the benefit of an unaffiliated third party); (ii) make a commercially reasonable number of copies of the Documentation; provided however, that Customer must reproduce and include all of Darktrace's and its suppliers' copyright notices and proprietary legends on each such copy; and (iii) use Reports, and reproduce and distribute such Reports, internally solely for Customer’s or its Affiliate’s own business purposes.
5.2. Licence Restrictions. All Software is licensed, not sold. The restrictions in this Agreement represent conditions of Customer’s licence. Unless otherwise specified in the Product Order Form or the Documentation, the Software is pre-installed on the Hardware and Customer agrees to use the Software solely in conjunction with such Hardware and not separately or apart from the Hardware. Customer specifically agrees not to: (i) sub-licence, rent, sell, lease, distribute or otherwise transfer the Software or any part thereof or use the Offering, or allow the Offering to be used, for timesharing or service bureau purposes or otherwise use or allow others to use for the benefit of any third party (other than Customer’s Affiliates); (ii) attempt to reverse engineer, decompile, disassemble, or attempt to derive the source code or underlying ideas or algorithms of the Software or Third Party Software (other than the GPL Software) or any portion thereof, except as required to be permitted by applicable law; (iii) modify, port, translate, localise or create derivative works of the Software, the Third Party Software, the Documentation or Reports (save as expressly permitted by Clause 5.1 above); (iv) use the Offering: (a) in violation of any law, statute, ordinance or regulation applicable to Customer (including but not limited to the laws and regulations governing publicity or privacy, export/import control, federal, state and local laws and regulations governing the use of network scanners and related software in all jurisdictions in which systems are scanned or scanning is controlled, or anti-discrimination, in each case that are applicable to Customer); or (b) negligently, intentionally or wilfully propagate any virus, worms, Trojan horses or other programming routine intended to damage any system or data; (v) remove or modify any acknowledgements, credits or legal notices contained on the Appliance or any part thereof; (vi) install or run on the Hardware on any software applications other than the Software and Third Party Software installed by Darktrace on such Hardware; (vii) collect any information from or through the Offering using any automated means (other than Darktrace approved APIs), including without limitation any script, spider, “screen scraping,” or “database scraping” application or gain or attempt to gain non-permitted access by any means to any Darktrace computer system, network, or database; and (viii) file copyright or patent applications that include the Offering or any portion thereof.
5.3. Affiliate Use. Darktrace acknowledges and agrees that the Offering may be used for the benefit of Customer Affiliates incorporated on or before the Effective Date of the Product Order Form. Such Customer Affiliates will be entitled to utilise the Offering in the same way as Customer under the terms of this Agreement. To the extent that any such Customer Affiliate utilises the Offering in accordance with this Clause 5.3 Customer (acting as agent and trustee of the relevant Customer Affiliate) will be entitled to enforce any term of this Agreement and recover all losses suffered by such Customer Affiliate pursuant to this Agreement as though Customer had suffered such loss itself, provided that in no event may Customer make multiple recoveries in respect of the same loss.
5.4. Outsource Provider. In the event that Customer contracts with any third party service provider(s) such as an outsourcer, hosting, managed service, or collocation service provider or other information technology service provider for the performance of information technology functions (each, an “Outsource Provider”), Customer may permit such Outsource Provider to exercise all or any portion of the rights granted in Clause 5.1 above solely on Customer’s or its Affiliates’ behalf, provided that, (i) the Outsource Provider will only use or operate the Offering for Customer’s use subject to terms and conditions that are consistent with the rights and limitations set out in this Agreement; and (ii) Customer will remain liable for the acts and omissions of the Outsource Provider under this Agreement.
5.5. Third Party Software/ Open Source Software. Customer acknowledges that the Software may contain or be accompanied by certain third-party hardware and software products or components (“Third Party Products”) including Open Source Software. Any Open Source Software provided to Customer as part of the Offering is copyrighted and is licensed to Customer under the GPL/LGPL and other Open Source Software licences. Copies of, or references to, those licences may be set out in a Product Order Form, the Third Party Product packaging or in a text file, installation file or folder accompanying the Software. If delivery of Open Source Software source code is required by the applicable licence, Customer may obtain the complete corresponding Open Source Software source code for a period of three years after Darktrace’s last shipment of the Software by sending a request to: Attn: Legal Department - Open Source Software Request, Darktrace Limited, Maurice Wilkes Building, Cowley Road, Cambridge CB4 0DS, United Kingdom.
6.1. Installation. Darktrace will conduct its standard installation and test procedures to confirm completion of the installation of the Appliance on Customer’s or its Outsource Provider’s site (“Installation Services”).
6.2. Support Services. Darktrace will provide the Standard Support Services for the Term and any Support Service Options specified in the Product Order Form (collectively, the “Support Services”). Darktrace’s Support Services are further described in the Support Services Data Sheet, which details Darktrace’s Standard Support Services and Support Service Options, and their respective eligibility requirements, service limitations and Customer responsibilities.
6.3. Call Home. Darktrace’s Call Home feature is critical for certain Support Services. Darktrace will limit its access solely to the extent relevant to Darktrace's provision of the Support Services, and such remote access will be subject to Customer’s reasonable policies and procedures provided to Darktrace in writing in advance. The Call Home connection remains within Customer’s complete control and is initiated by the onsite Appliance. It can be initiated and terminated at any time by Customer.
6.4. DISCLAIMER. UNLESS EXPRESSLY AGREED, THE SERVICES DO NOT INCLUDE THE MONITORING, INTERPRETATION OR CORRECTIVE ACTION WITH RESPECT TO ANY ALERTS GENERATED BY THE OFFERING. NO ADVICE, REPORT, OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY CUSTOMER FROM DARKTRACE OR THROUGH OR FROM THE SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT. CUSTOMER UNDERSTANDS THAT: (A) ANY OUTCOME OF THE SERVICES INVOLVING SECURITY ASSESSMENT IS LIMITED TO A POINT-IN-TIME EXAMINATION OF CUSTOMER’S SECURITY STATUS; AND (B) THE SERVICES DO NOT CONSTITUTE ANY FORM OF REPRESENTATION, WARRANTY OR GUARANTEE THAT CUSTOMER’S SYSTEMS ARE SECURE FROM EVERY FORM OF ATTACK, EVEN IF FULLY IMPLEMENTED. CUSTOMER UNDERSTANDS AND ACKNOWLEDGES THAT NOT ALL ANOMALIES / INTRUSIONS MAY BE REPORTED OR PREVENTED.
7.1. Fees. Fees are stated in the Product Order Form. No refunds will be made except as provided in Clause 9 and Clause 10.3 of this Agreement. Unless otherwise explicitly agreed in writing, fees are: (i) exclusive of sales and use taxes assessed by any taxing authority in the jurisdiction(s) in which Customer is physically located and takes delivery of the Appliance or Services; and (ii) exclusive of duties and shipping and handling fees, which unless otherwise agreed will be the responsibility of Customer. Should Customer be required under any law or regulation of any governmental entity or authority outside of the United Kingdom to withhold or deduct any portion of the payments due to Darktrace, then Customer will increase the sum payable to Darktrace by the amount necessary to yield to Darktrace an amount equal to the sum Darktrace would have received had no withholdings or deductions been made. Darktrace may also charge for hardware replacement costs not provided under the Support Services.
7.2. Invoices and Payment. Unless otherwise stated in the Product Order Form, Customer will be invoiced the Fees from the commencement date specified in the Product Order Form (the “Commencement Date”). Any other charges, such as out of pocket expenses will be invoiced monthly in arrears. Invoicing will occur via email. Unless otherwise agreed in the Product Order Form, Customer agrees to pay all undisputed amounts within thirty (30) days of Customer’s receipt of the applicable invoice by direct bank or wire transfer in accordance with the instructions on the invoice, and any bank charges assessed on Customer by Customer’s bank. UNLESS PAYMENTS ARE MADE BY BANK OR WIRE TRANSFER, THEY MUST BE MADE ANNUALLY IN ADVANCE. Darktrace may suspend or cancel performance of open orders or Services if Customer fails to make payments when due, reserving all other rights and remedies as may be provided by law. Darktrace may impose late charges on overdue payments at a rate equal to two percent (2%) per annum above the official dealing rate of the Bank of England, calculated from the date payment was due until the date payment is made, and all reasonable expenses incurred in collection, including legal fees.
7.3. Lapsed Fees. If Customer has lapsed in the payment of Fees due hereunder, Darktrace may suspend the provision of Services and prior to recommencement of the Services by Darktrace, Customer will be responsible for paying all fees associated with the Offering from the date such Services were stopped through to the then-current date.
7.4. Clause 7 shall not apply where Customer has purchased the Offering through a Darktrace authorised reseller.
8.1. Intellectual Property. Except as expressly set forth herein: (i) this Agreement does not grant either Party any rights, implied or otherwise, to the other’s Intellectual Property; and (ii) Darktrace, its suppliers and licensors, retain all right, title and interest in and to the Offering , and the Documentation and all copies thereof, including all enhancements, error correction,
new releases, updates, derivations, and modifications thereto (collectively, “Darktrace Intellectual Property”). Customer agrees to inform Darktrace promptly of any infringement or other improper action with respect to Darktrace Intellectual Property that comes to Customer’s attention.
9.1. Hardware Warranty. Darktrace warrants to Customer that during the three (3) year period from the date of delivery of the Appliance, the Hardware will perform materially in accordance with the applicable Datasheet.
9.2. Software Warranty. Darktrace warrants to Customer that during a period of ninety (90) days from the date of delivery of the Appliance, the Software will perform materially in accordance with the applicable Datasheet.
9.3 Services Warranty. Darktrace warrants to Customer that all Services will be performed with all reasonable care, skill and diligence in accordance with generally recognised commercial practices and standards.
9.4 Exceptions. The warranties contained in Clause 9.1 and Clause 9.2 above will not apply if: (i) Customer’s use of the Offering is not in accordance with this Agreement; (ii) Customer fails to follow Darktrace’s environmental, installation, operation or maintenance instructions or procedures in the Documentation; (iii) the Appliance has been subject to Customer’s (or its agent’s) abuse, negligence, improper storage, servicing or operation (including without limitation use with incompatible equipment), reasonable wear and tear excepted; (iv) the Appliance has been modified, repaired or improperly installed other than by Darktrace or any contractor or subcontractor of Darktrace; (v) Customer (or its agent) has failed to implement, or to allow Darktrace or its agents to implement, any corrections or modifications to the Appliance made available to Customer by Darktrace; or (vi) Customer (or its agent) has combined the Appliance with other software, services, or products that are not provided by Darktrace or not otherwise specified in the Documentation, and, but for such combination, the breach of warranty would have been avoided.
9.3 and Darktrace will re-perform any Service that fails to meet the warranted standard.
9.6 DISCLAIMER. EXCEPT FOR THE EXPRESS WARRANTIES SET OUT IN THIS AGREEMENT, AND TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER DARKTRACE NOR ANY OF ITS THIRD PARTY LICENSORS OR SUPPLIERS MAKE ANY WARRANTIES, CONDITIONS, UNDERTAKINGS OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE IN RELATION TO ANY SUBJECT MATTER OF THIS AGREEMENT, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE.. DARKTRACE DOES NOT WARRANT THAT THE OPERATION OF THE OFFERING WILL BE ERROR-FREE OR UNINTERRUPTED.
10. INTELLECTUAL PROPERTY RIGHTS INFRINGEMENT INDEMNITY
10.1. Darktrace Indemnity. Darktrace will indemnify Customer, Customer’s Affiliates, and their respective officers, directors, and employees (and any successors and assigns of the foregoing) (collectively, the “Customer Indemnitees”) against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third party claim that the Software provided or made available by Darktrace under this Agreement , or its receipt, possession or use by any Customer Indemnitee, infringes a European or U.S. patent, any copyright, or misappropriates any third party trade secrets. The indemnification obligations of Darktrace will be subject to Customer: (i) notifying Darktrace in writing within twenty
(20) days of receiving notice of any threat or claim of such action; (ii) giving Darktrace exclusive control and authority over the defence or settlement of such action (provided that: (A) any settlement will not entail an admission of fault or guilt by any Customer Indemnitee; and (B) the settlement includes, as an unconditional term, the claimant’s or the plaintiff’s release of Customer Indemnitees from all liability in respect of the claim); (iii) not entering into any settlement or compromise of any such action without Darktrace’s prior written consent; and (iv) providing reasonable assistance requested by Darktrace
at Darktrace’s expense. . Customer will be obliged to mitigate its losses insofar as is reasonable in the circumstances.
10.2. Exclusions. The obligations set out in Clause 10.1 do not apply to the extent that a third party claim is caused by, or results from: (a) Customer’s combination or use of the Software that is the subject of the claim with other software, services, or products that are not provided or authorised by Darktrace in writing, if the claim would have been avoided by the non- combined or independent use of the Software that is the subject of the claim; (b) modification of the Software that is the subject of the claim by anyone other than Darktrace or any contractor or subcontractor of Darktrace, if the third party claim would have been avoided by use of the unmodified Offering or other intellectual property that is the subject of the claim;
(c) Customer’s continued allegedly infringing activity after being notified thereof and being provided with modifications that would have avoided the alleged infringement (which in implementing such modifications, Darktrace will use commercially reasonable efforts to have substantially preserve the utility and functionality of the Offering or other intellectual property that is the subject of the claim); (d) Customer’s use of the Software that is the subject of the claim in a manner not in accordance with this Agreement or the Documentation; (e) use of other than Darktrace’s most current release of the Software that is the subject of the claim if the third party claim would have been avoided by use of the most current release or revision release or revision.
10.3. Remedies. If Darktrace reasonably believes the Software infringes a third party’s Intellectual Property Rights, then Darktrace will, at its option and at no additional cost to Customer: (a) procure for Customer the right to continue to use the Software; (b) replace the Software; or (c) modify the Software to avoid the alleged infringement. If none of the options in the previous sentence are commercially reasonable, Darktrace may terminate the licence for the allegedly infringing Software and refund a pro rata refund of the Fees paid by Customer from the date a third party claim arose for the allegedly infringing Software to the then-current date, whereupon this Agreement will automatically terminate.
10.4. THIS CLAUSE 10 IS A COMPLETE STATEMENT OF THE CUSTOMER’S REMEDIES FOR THIRD PARTY CLAIMS FOR INFRINGEMENT
11. CUSTOMER DATA; CUSTOMER UNDERTAKINGS AND INDEMNITY
11.1. Customer Data; Licence Grant. Customer will own all right, title and interest in and to the Customer Data and to the extent such Customer Data is included in a Report, the actual content of such Report. For any Customer Data stored on the Appliance, to the extent required to provide the Services, Customer grants to Darktrace a limited, and non-exclusive licence to access and use the Customer Data only to the extent necessary for Darktrace to perform the Services. Customer agrees Darktrace may utilise the details of any Alerts occurring in Customer’s network and any connected data source to develop the Offering on an anonymised basis and excluding any Customer Confidential Information.
11.2. Customer Security Obligations. In using the Offering or authorising its Outsource Provider and third parties to use it on Customer’s behalf, Customer (and not Darktrace) will be responsible for establishing, monitoring, and implementing security practices to control the physical access to and use of the Offering and all Customer Data therein, including Personal Data.
11.3. DATA DISCLAIMER; INDEMNITY. CUSTOMER IS SOLELY RESPONSIBLE FOR ITS USE OF THE OFFERING, THE ACTIVITIES OF ITS USERS AND FOR THE ACCURACY, INTEGRITY, LEGALITY, RELIABILITY AND APPROPRIATENESS OF ALL CUSTOMER DATA. CUSTOMER EXPRESSLY RECOGNISES THAT DARKTRACE DOES NOT CREATE OR ENDORSE ANY CUSTOMER DATA PROCESSED BY OR USED IN CONJUNCTION WITH THE OFFERING. CUSTOMER FURTHER ACKNOWLEDGES THAT DARKTRACE AND ITS AFFILIATES DO NOT PROVIDE BACKUP SERVICES FOR CUSTOMER DATA AND CUSTOMER UNDERTAKES THAT IT SHALL BE SOLELY RESPONSIBLE FOR BACKUP OF ALL CUSTOMER DATA. Customer will, at Customer’s own expense, indemnify, defend and hold Darktrace, its Affiliates, and their respective officers, directors, and employees, (“Darktrace Indemnitees”) harmless from and against all liabilities, damages, and costs, including settlement costs and reasonable attorneys’ fees, incurred by reason of Darktrace's compliance with the instructions of Customer with respect to the ownership, custody, processing or disposition of the Customer Data by Darktrace, as applicable.
12.1. LIMITATION OF LIABILITY. SUBJECT TO THE REMAINDER OF THIS CLAUSE 12, EACH PARTY’S MAXIMUM LIABILITY TO THE OTHER PARTY FOR ANY AND ALL CLAIMS, LOSS OR DAMAGE, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED, IN THE AGGREGATE, THE TOTAL AMOUNT OF ALL FEES PAID OR PAYABLE TO DARKTRACE FOR THE OFFERING DURING THE THEN-APPLICABLE TERM, EXCEPT THAT IN RESPECT OF (I) CLAUSE 11.3 (“DATA DISCLAIMER; INDEMNITY”) AND CLAUSE 15 (“DATA PROTECTION”) EACH PARTY’S LIABILITY TO THE OTHER FOR ALL SUCH BREACHES SHALL NOT
EXCEED, IN THE AGGREGATE , THE GREATER OF (A) THREE TIMES (3X) TOTAL FEES PAID OR PAYABLE TO DARKTRACE FOR THE OFFERING DURING THE THEN-APPLICABLE TERM OR (B) TWO HUNDRED AND FIFTY THOUSAND POUNDS STERLING (£250,000).
12.2. EXCLUSION OF CONSEQUENTIAL DAMAGES. SUBJECT TO CLAUSE 12.3 BELOW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDRECT OR CONSEQUENTIAL LOSS; OR ANY LOSS OF PROFITS; LOSS OF REVENUE OR BUSINESS; LOSS OF GOODWILL OR REPUTATION; LOSS OF OR CORRUPTION OR DAMAGE TO DATA; LOSS OF MANAGEMENT TIME, HOWSOEVER ARISING AND WHETHER OR NOT SUCH PARTY HAD BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS, CORRUPTION OR DAMAGE.
12.3. Exclusions from Limitation of Liability. Nothing in this Agreement will exclude or limit either Party’s liability for: (i) for death or personal injury due to negligence; (ii) fraud; (iii) breach of Clause 14 (“Confidentiality”); (iv) breach of Clause 5 (“Licence Grant for the Software and Restrictions”), or (v) for any other matter in respect of which liability cannot lawfully be limited or excluded.
13.2. Expiration of the Term. Notwithstanding any provision of this Clause 13, Customer’s right to use, and Customer’s access to, the Appliance will automatically terminate on expiry of the Term unless and until Customer renews or extends the Term for the Appliance.
13.3. Termination for Breach. Either Party may terminate this Agreement if: (i) the other Party is in material breach of the Agreement and fails to cure such breach within thirty (30) days after receipt of written notice; or (ii) the other Party ceases its business operations or becomes subject to insolvency proceedings, which proceedings are not dismissed within thirty
13.4. Termination or Suspension by Darktrace. Without prejudice to any other right or remedy available to Darktrace:
13.4.1. Darktrace may restrict, suspend or terminate Customer’s licence or use of the Offering without liability if a court or other government authority issues an order prohibiting Darktrace from furnishing the Offering to Customer. Customer’s obligation to pay Fees during any period of suspension under this Clause 13.4.1 will also be suspended. In the event the Offering is suspended pursuant to this Clause 13.4.1 then provided it is lawful to do so, Darktrace will inform Customer of the reasons for the suspension and will work with Customer to resolve such issues and re- instate the Offering.
13.4.2. Additionally, Darktrace may terminate, suspend or limit Customer’s licence grant or use of the Offering without liability if Darktrace provides Customer with written notice that it has a reasonable suspicion that Customer is using the Offering: (i) in breach of Clause 5.1 or Clause 5.2; or (ii) in a manner that is otherwise unlawful, and in each case Customer does not cure the condition identified in such notice within five (5) business days.
13.5. Effect of Termination. Upon termination or expiration of this Agreement:
13.5.1 the Term and all other rights and licences granted by one Party to the other, and any Services provided by Darktrace to Customer, will cease immediately;
13.5.2 in the event that title to the Hardware has not transferred to Customer, Customer shall ensure all Customer Data is removed from the Appliance and return the Appliance to Darktrace in accordance with Clause 4.3. If Customer wishes to retain the Hardware, this will be chargeable at Darktrace’s then-current list price. If Customer fails to return the Hardware, Darktrace may invoice, and Customer will pay, for the Hardware at Darktrace’s then-current list price. DARKTRACE WILL NOT BE RESPONSIBLE FOR MAINTAINING OR PROTECTING ANY CONFIGURATION SETTINGS OR DATA FOUND ON THE RETURNED HARDWARE OR COMPONENT PART OF THE HARDWARE AND IT IS CUSTOMER'S SOLE RESPONSIBILITY TO DELETE ANY SUCH INFORMATION PRIOR TO RETURN;
13.5.3 if title to the Hardware has transferred to Customer pursuant to Clause 4.3, Customer must immediately permanently delete the Software from the Hardware and certify erasure to Darktrace in writing or Darktrace will be allowed (i) entry to the Site(s) as necessary to access the Appliance (on reasonable advance notice and subject to
Customer’s applicable policies and procedures); or (ii) remote access to the Appliance, in each case in order to delete or disable the Software from the Hardware; and;
13.5.4 all undisputed Fees owing to Darktrace at the date on which termination takes effect will become due and payable.
14.1. Each party will treat the other party’s Confidential Information as confidential. Confidential Information of one Party (the “Disclosing Party”) may only be used by the other Party (the “Receiving Party”) for the purpose of fulfilling obligations or exercising rights under this Agreement, and may only be shared with employees, agents or contractors of the Receiving Party who have a need to know such information to support such purpose (“Representatives”). Each Party will procure that any of its Representatives to whom Confidential Information is disclosed are bound by contractual obligations equivalent to those in this Clause 14.1. Notwithstanding the foregoing, the Receiving Party shall remain liable for the acts or omissions of its Representatives. Confidential Information will be protected using a reasonable degree of care to prevent unauthorised use or disclosure for five (5) years from the date of receipt or (if longer) for such period as the information remains confidential. These obligations do not cover information that: (i) was known or becomes known to the Receiving Party on a non-confidential basis from a third party, provided that: (a) the Receiving Party has no knowledge that the third party is subject to a confidentiality agreement with the Disclosing Party in respect of the information; and (b) such information is not of a type or character that a reasonable person would have regarded it as confidential; (ii) is independently developed by the Receiving Party without violating the Disclosing Party’s rights; (iii) is or becomes publicly known other than through disclosure by the Receiving Party or one if its Representatives in breach of this Agreement; (iv) was lawfully in the possession of the Receiving Party before the information was disclosed by the Disclosing Party. A party may disclose Confidential Information to the extent disclosure is required by law or a governmental agency provided that, to the extent it is lawful to do so, the Receiving Party notifies the Disclosing Party of the request giving it reasonable opportunity to respond, and cooperate with the Disclosing Party’s reasonable, lawful efforts to resist, limit or delay disclosure at the Disclosing Party’s expense, and except for making such required disclosure, such information will otherwise continue to be Confidential Information. On termination of the Agreement, each Party will promptly return or destroy all Confidential Information of the other Party.
15.1. The Parties acknowledge that the Offering may be used to process Personal Data regulated by the Data Privacy Laws and the Parties shall comply with the data processing requirements as set out in Appendix 2.
16.1.1. This Agreement, the appendices and any documents referenced herein, represent the entire agreement between the Parties on the subject matter hereof and supersedes all prior discussions, agreements and understandings of every kind and nature between the Parties and excludes, without limitation, any terms appearing on a purchase order, invoice or other Customer paperwork or any other terms (in each case whether by way of conduct or otherwise). No modification of this Agreement will be effective unless in writing and signed by both Parties. Each Party acknowledges and agrees that, in connection with the Agreement, it has not been induced to enter into the Agreement in reliance upon, and does not have any remedy in respect of, any representation or other promise of any nature other than as expressly set out in this Agreement. Each Party signing this Agreement acknowledges that it has had the opportunity to review this Agreement with legal counsel of its choice and there will be no presumption that ambiguities will be construed or interpreted against the drafter.
16.1.2. Unless otherwise specifically agreed to in a writing signed by each of the Parties, in the event of any conflict or inconsistency between this Agreement, an appendix hereto, any Product Order Form issued hereunder, and or any document incorporated by reference, the order of precedence of the documents from highest to lowest is the
Product Order Form, this Agreement, any appendix hereto and the documents incorporated by reference.
16.2. Severability. The illegality or unenforceability of any provision of this Agreement will not affect the validity and enforceability of any legal and enforceable provisions hereof.
16.3. Force Majeure. Neither Party will be liable for any failure or delay in performing services or any other obligation under this Agreement, nor for any damages suffered by the other or a Customer by reason of such failure or delay, which is, indirectly or directly, caused by an event beyond such Party’s reasonable control, riots, natural catastrophes, terrorist acts, governmental intervention, refusal of licences by any government or other government agency, or other acts of god (each, a “Force Majeure Event”), and such non-performance, hindrance or delay could not have been avoided by the non- performing Party through commercially reasonable precautions and cannot be overcome by the non-performing Party through commercially reasonable substitute services, alternate sources, workarounds or other means. During the continuation of a Force Majeure Event, the non-performing Party will use commercially reasonable efforts to overcome the Force Majeure Event and, to the extent it is able, continue to perform its obligations under the Agreement.
16.4. Notices. Any notice will be delivered by hand or sent by recorded delivery, registered post or registered airmail and satisfactory proof of such delivery must be retained by the sender. All notices will only become effective on actual receipt. Any notices required to be given in writing to Darktrace or any questions concerning this Agreement should be addressed to: Attn: Legal Department, Darktrace Limited, Maurice Wilkes Building, Cowley Road, Cambridge CB4 0DS, United Kingdom.
16.5. Rights of Third Parties. The provisions of this Agreement concerning restrictions on usage of the Offering and protection of Intellectual Property Rights are for the benefit of and may be enforced by each of Darktrace, any Darktrace Affiliate and the Darktrace Indemnitees. Except for the foregoing sentence, or as otherwise expressly set out in the Agreement, this Agreement does not create any rights for any person who is not a party to it and no person who is not a party to this Agreement may enforce any of its terms or rely on any exclusion or limitation contained herein.
16.6. Audit. Customer will permit Darktrace or an independent certified accountant appointed by Darktrace access, on written notice, to Customer’s premises and Customer’s books of account and records at any time during normal business hours for the purpose of inspecting, auditing, verifying or monitoring the manner and performance of Customer’s obligations under this Agreement. Darktrace will not be able to exercise this right more than twice in each calendar year.
16.7. Independent Contractors. The Parties are independent contractors. Nothing in this Agreement will be construed to create a partnership, joint venture, or agency relationship between the Parties.
16.8. Assignment. This Agreement may not be assigned by either Party without the written consent of the other Party. Notwithstanding the foregoing, consent of the other Party will not be required for a transfer to an Affiliate of a Party or if a Party undertakes an initial public offering, a sale of all or substantially all of its shares or assigns all or substantially all of its business and assets to another entity that is not a direct competitor of the non-assigning Party. Any attempt to assign this Agreement in violation of the foregoing will be null and void. This Agreement binds the Parties, their respective Affiliates, successors and permitted assigns.
16.9. Governing Law. Any dispute or claim relating in any way to this Agreement will be governed by the Governing Law, and adjudicated in the Governing Courts, as defined in the table below, and each Party consents to the exclusive jurisdiction and venue thereof; save that (i) each party may enforce its or its Affiliates’ intellectual property rights in any court of competent jurisdiction, including but not limited to equitable relief and (ii) Darktrace or its Affiliate may, bring suit for payment in the country where the Customer Affiliate that placed the Product Order Form is located. Where arbitration applies it shall be conducted in English, under the Rules of Arbitration of the International Chamber of Commerce (the “ICC”) by three arbitrators in accordance with Art 12 of said Rules. The award shall be final and binding on the Parties. Except to the extent entry of judgment and any subsequent enforcement may require disclosure, all matters relating to the arbitration, including the award, shall be held in confidence. Customer and Darktrace agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply.
Customer location (as stated in the Product Order Form)
The laws of England & Wales
The courts of England & Wales
United States of America
The laws of the state of California
The state or Federal courts in San Francisco, California
None of the above
The laws of England & Wales
Arbitration at the ICC in London
16.10. Export Restrictions. The Offering is for Customer’s use and not for further commercialisation. Customer acknowledges that the Offering may be classified and controlled as encryption items under the United Kingdom’s Export Regulations and other national regulations. Each Party will comply with all applicable laws regarding export-controlled items, and will not export, re-export or import, directly or indirectly, any export-controlled items, or any direct product of them, nor undertake any transaction hereunder in violation of any applicable export laws.
16.11. ITAR. Customer understands that employees of Darktrace and/or its suppliers may have access to native data to perform the Support Services herein and represents that none of this data requires protection from access by foreign persons because it contains technical information regarding defence articles or defence services within the meaning of the United States International Traffic in Arms Regulations (22 CFR § 120) or technical data within the meaning of the United States Export Administration Regulations (15 CFR §§ 730 - 774). If any of this data does contain any such information, Customer will either lock down access to any such data and/or identify any folders containing such data as export-controlled information and acknowledges that special service rates may apply thereto.
16.12. Government End-User Notice (applicable to United States government customers only). The Offering is commercial within the meaning of the applicable civilian and military Federal acquisition regulations and any supplements thereto. If the user of the Appliance is an agency, department, employee, or other entity of the United States Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Appliance, including technical data or manuals, is governed by the terms, conditions and covenants contained in the Darktrace standard commercial licence agreement, as contained herein.
16.13. Waiver. Each Party agrees that the failure of the other Party at any time to require performance by such Party of any of the provisions herein will not operate as a waiver of the rights of such Party to request strict performance of the same or like provisions, or any other provisions hereof, at a later time.
16.14. Headings. All headings used herein are for convenience of reference only and will not in any way affect the interpretation of this Agreement.
16.15. Equitable Remedies. The Parties agree that with respect to a breach by a Party of Clauses 5, 8 or 14, monetary damages may not be an adequate or sufficient remedy for a breach of this Agreement. Therefore, in addition to any applicable monetary damages, a Party will also be entitled to apply for injunctive relief and other equitable relief to prevent breaches of the Agreement, without proof of actual damage.
1.1. Defined Terms. Terms defined in this Appendix 1 will have the meanings given below. Defined terms may be used in the singular or plural depending on the context.
“Affiliate” means any corporation or other business entity that directly or indirectly controls, is controlled by or is under common control with a Party. Control means direct or indirect ownership of or other beneficial interest in fifty percent (50%) or more of the voting stock, other vesting interest, or income of a corporation or other business entity;
“Alerts” means features of the Software that generates alerts of suspected malicious activity on a Customer’s network;
“Appliance(s)” means the Software, or Software combined with Hardware, as more fully described on the Product Order Form
“Call Home” means the secure and encrypted channel that connects the Appliance to Darktrace central management;
“Confidential Information” means any information, however conveyed or presented, that relates to the business, affairs, operations, customers, suppliers, processes, budgets, pricing policies, product information, strategies, developments, trade secrets, Intellectual Property, and know-how of a Party, and any other information clearly designated by a Party as being confidential to it (whether or not it is marked "confidential"), and information that ought reasonably be considered to be confidential, but in all circumstances excludes any Personal Data.
“Customer Data” means all data and information provided by Customer to, or accessible by, Darktrace under this Agreement in connection with the performance of the Services (which may include information about network traffic on Customer’s network (metrics), log/metadata collection, as well as the raw packet capture data from Customer’s network);
“Datasheet” means the document providing the specification for the Hardware, Software or Services, as applicable and as
may be updated by Darktrace from time to time;
“Data Privacy Laws” means the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), and laws of similar purpose or effect in any relevant jurisdiction, in each case as amended, updated, re-enacted or replaced from time to time;
“Documentation” means user manuals for the Appliance consisting of the applicable installation guides, Datasheets; service descriptions, technical specifications and online help files provided by Darktrace or available on Darktrace’s online portal, as may be updated by Darktrace from time to time;
“Effective Date” means the Effective Date specified in the Product Order Form;
“ EU Model Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection under Directive 95/46/EC, pursuant to the European Commission Decision of 5 February 2010;
"Fees" means all applicable fees as set out in the Product Order Form;
“GPL Software” means third party software provided by Darktrace on the Hardware to support use of the Software that is licensed directly to Customer and the relevant Customer Affiliates by the relevant rights holder on the terms of the version included or provided with it of the GNU General Public Licence, GNU Lesser General Public Licence or other comparable licence.
“Hardware” means any hardware device (including embedded firmware) shipped and installed as part of the Offering;
“Information Security Standards” means Darktrace’s information security code of conduct, as amended from time to time in Darktrace’s sole discretion and available upon request;
“Intellectual Property” means patents, trademarks, service marks, rights (registered or unregistered) in any designs, applications for any of the foregoing, trade or business names, copyright (including rights in computer software) and topography rights, know-how and other proprietary knowledge and information, internet domain names, rights protecting goodwill and reputation, database rights (including rights of extraction) and all rights and forms of protection of a similar nature to any of the foregoing or having equivalent effect anywhere in the world and all rights under licences and consents in respect of any of the rights and forms of protection mentioned in this definition (and “Intellectual Property Rights” will be construed accordingly);
“Offering” means collectively the Appliance(s), Software, Services and the Documentation;
“Open Source Software” means third party software that Darktrace distributes with the Software pursuant to a licence that requires, as a condition of use, modification or distribution of such software, that the software or other software combined and/or distributed with it be: (i) disclosed or distributed in source code form; (ii) licensed for the purpose of making derivative works; (iii) redistributable at no charge; or (iv) redistributable but subject to other limitations;
“Product Order Form” has the meaning set forth in the introductory paragraphs;
“Personal Data” means, generally, information relating to an identified or identifiable natural person, or other regulated data types as defined by applicable Data Privacy Laws;
“Reports” means Threat Intelligence Reports as more fully described in the Support Services Data Sheet;
“Services” means the Darktrace Support Services, and any Installation Services, training or professional services which may be provided by Darktrace as specified in the Product Order Form;
“Support Service Options” means the optional support services, if any, as specified in the Product Order Form and further described in the Support Services Data Sheet;
“Site(s)” means the Customer’s business location or its datacentre at the locations described in a Product Order Form;
“Software” means the Darktrace and the Third Party Software (in object code form) delivered to Customer as part of the Offering or on a standalone basis, together with all enhancements, error corrections, and/or updates which are generally made available by Darktrace as part of the Offering. The GPL Software does not form part of the Software and is licensed to Customer and the Customer Affiliates directly on the terms of the applicable licences, provided that the GPL Software will nevertheless be deemed to form part of the Software for the purposes of the Support Services, such that Darktrace will support it as if it were part of the Software;
“Standard Support Services” means the standard support services provided by Darktrace as set out in the Darktrace Support Services Data Sheet;
“Support Services Data Sheet” means the Documentation describing the terms of the Support Services.
“Third Party Licensors” means the suppliers of the Third Party Software to Darktrace; and
“Third Party Software” means: (i) any software or other technology that is licensed to Darktrace from Third Party Licensors for the purpose of making the Offering available commercially; and (ii) Open Source Software.
1.2. Construction. In this Agreement (except where the context otherwise requires):
1.2.1. any reference to a clause or schedule is to the relevant clause or schedule of or to this Agreement and any reference to a paragraph is to the relevant paragraph of the clause or schedule in which it appears;
1.2.2. the index and clause headings are included for convenience only and will not affect the interpretation of this Agreement;
1.2.3. use of the singular will include the plural and vice versa;
1.2.4. use of any gender will include any other gender;
1.2.5. any reference to persons includes natural persons, firms, partnerships, companies, corporations, associations, organisations, governments, foundations and trust (in each case whether or not having separate legal personality);
1.2.6. any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms;
1.2.7. any reference to any other document is a reference to that other document as amended, varied, supplemented, or novated (in each case, other than in breach of the provisions of this Agreement) at any time.
1. DEFINITIONS. For the purposes of this DPA, the terms defined in this Appendix shall have the meanings as set forth in the Agreement. Any terms not specifically defined by this DPA or the Agreement shall have the meaning given by GDPR.
2. SUBJECT MATTER OF THE DATA PROCESSING AGREEMENT
2.1 This Data Processing Agreement (“DPA”) applies to the processing of Customer Personal Data under the Agreement.
2.2 Customer will be the Data Controller and Darktrace will be the Data Processor as defined under GDPR. Each Party agrees that it shall comply with its obligations as a Data Controller and a Data Processor, respectively under the Data Privacy Laws in exercising its rights and performing its obligations under this Agreement.
2.3 This DPA is an Appendix to the Agreement.
3. NATURE AND PURPOSE OF PROCESSING REGULATED DATA
3.1 The Data Processor shall process Personal Data in order to provide the Support Services as set forth in the Support Services Datasheet.
3.2 In the event that the Data Controller has purchased Antigena Email, the additional data protection provisions of the Antigena Email Schedule shall apply and be incorporated into this DPA.
4. TYPES AND CATEGORIES OF PERSONAL DATA
4.1 Categories of Data Subjects.
- Employees including volunteers, agents, temporary workers, independent contractors;
- Customer clients, prospects
- Suppliers, vendors
- Advisors, consultants and other professional experts
- Customer officers, directors
- And any other categories of Data Subjects that may be contained in the Data Controller’s network.
4.2 Types of Personal Data:
- IP addresses
- Host names
- File names
- Email addresses
- And any other types of Personal Data that may be contained in the Data Controller’s network.
5. RIGHTS AND OBLIGATIONS OF THE CONTROLLER
5.1 The Data Controller hereby instructs the Data Processor to take such steps in the processing of Personal Data as are reasonably necessary for the performance of the Data Processor’s obligations under the Agreement, and agrees that such instructions, comprising the terms of this DPA and the Agreement, constitute its full and complete instructions as to the means by which Personal Data shall be processed by the Data Processor.
6. RIGHTS AND OBLIGATIONS OF THE PROCESSOR
6.1 The Data Processor shall only process Personal Data in accordance with the Data Controller’s written instruction as specified herein and shall not use Personal Data except to deliver the Offering and the Services as instructed by the Agreement, unless such processing is required by law to which the Data Processor is subject, in which case the Data Processor shall, to the extent permitted by law, inform the Data Controller of that legal requirement prior to carrying out the applicable processing.
6.2 The Data Processor shall immediately inform the Data Controller if, in the Data Processor’s reasonable opinion, an
instruction from the Data Controller infringes the Data Privacy Laws.
6.3 The Data Processor shall not transfer Personal Data outside the European Economic Area (“EEA”) without the prior written consent of the Data Controller and not without procuring provision of adequate safeguards (as defined by the European Commission from time to time);
6.5 The Data Processor shall take reasonable steps to ensure the reliability of its agents and employees who have access to any Personal Data.
7.1 Taking into account the nature, scope, context and purposes of processing, the Data Processor has implemented and will maintain the administrative, physical, technical and organisational measures as described in the Darktrace Information Security Policy to protect any Personal Data accessed or processed by it against unauthorised or unlawful processing or accidental loss, destruction, damage or disclosure. The parties agree that for the purposes of the processing hereunder, the measures contained within the Darktrace Information Security Policy are appropriate, given the nature of the data to be processed and the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, disclosure, access or damage.
8. PERSONAL DATA BREACH NOTIFICATION
8.1 In the event that the Data Processor suffers a Personal Data Breach, the Data Processor shall inform the Data Controller within twenty-four (24) hours upon learning of the same and reasonably cooperate with the Data Controller to mitigate the effects and to minimise any damage resulting therefrom. To the extent reasonably possible, the notification to the Data Controller shall include: (i) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained; (iii) a description of the likely consequences of the incident; and (iv) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects
9.1 Save as expressly provided herein, the Data Processor will not use subprocessors for the processing of Personal Data. For the purposes of providing Support Services alone: (i) The Data Controller hereby authorises the Data Processor to use its affiliates specified in the Support Services Datasheet to process Personal Data (the “Affiliate Subprocessors”); (ii) The Data Processor shall have in place with the Affiliate Subprocessors a written agreement equivalent to the terms contained herein to protect Personal Data; and (iii) The EU Model Clauses shall apply to the extent the processing of Personal Data by the Affiliate Subprocessors involves a transfer of Personal Data which originates in the EEA to a third country outside of the EEA. For such purposes, the Data Controller hereby authorises the Data Processor to enter into the EU Model Clauses with the Affiliate Subprocessors on the Data Controller’s behalf.
9.2 Save for the foregoing, the Data Processor shall not engage any subprocessors without the prior written authorisation of the Data Controller. In the event that the Data Controller authorises the use by the Data Processor of any other subprocessors, the Data Processor shall procure that such subprocessors enter into a written agreement containing provisions no less stringent than this DPA.
9.3 The Data Processor shall be fully liable for any breach by the subprocessors of any data protection obligations set out in this Clause.
10. ASSISTANCE WHEN HANDLING REQUESTS FROM DATA SUBJECTS
10.1 Taking into account the nature of processing and the information available to the Data Processor, the Data Processor will provide reasonable support to the Data Controller: (i) in complying with any legally mandated request for access to or correction of any Personal Data by a data subject under Chapter III GDPR (and where such request is submitted to the Data Processor, the Data Processor will promptly notify the Data Controller of it); (ii) in responding to requests or demands made to the Data Controller by any court or governmental authority responsible for enforcing privacy or data protection laws; or (iii) in its preparation of a Data Protection Impact Assessment.
11.1 The Data Processor agrees to maintain ISO 27001 certification for the duration of the Term. The Data Processor will use an external auditor to verify that its security measures meet ISO 27001 standards in accordance with the ISO certification process. On the Data Controller’s written request, and subject to appropriate confidentiality obligations, the Data Processor will make available to the Data Controller: (i) a copy of the current certificate in relation to the ISO 27001 certification; and (ii) Information reasonably requested by the Data Controller in writing with regards to the Data Processor’s processing of Personal Data under this DPA. The Data Controller agrees to exercise any right it may have to conduct an audit or inspection under GDPR (or the EU Model Clauses if they apply) by requesting the foregoing information.
12. RETURN/DESTRUCTION OF PERSONAL DATA
12.1 Upon termination of the Agreement, the Data Processor shall delete or return all Personal Data in accordance with the Data Controller’s written instructions.