May 24, 2018
These Terms (this “Agreement”) are attached to, and made a part of, that certain Order Form (the “Order”) executed by Hearken, Inc., a Delaware corporation (“Hearken”), and the customer named in, and signatory to, the Order (“Customer”). This Agreement, together with the Order, constitutes a legally binding agreement between Hearken and Customer. The parties may execute additional Orders and/or amend an existing Order, each of which shall, upon execution by the parties, be deemed to be a part of this Agreement. To the extent any provision in an Order clearly conflicts with a provision of this Agreement or a provision of an earlier Order, the provision in the new Order shall be binding and the conflicting provision in this Agreement or in the earlier Order is deemed modified solely to the extent reasonably necessary to eliminate the conflict and solely with respect to the new Order (unless explicitly intended to permanently amend this Agreement).
1. Platform; Services.
(a) License. Subject to the terms and conditions set forth herein, Hearken hereby grants to Customer a non-transferable (except as set forth herein), revocable, limited license to access and use Hearken’s hosted software platform for websites and other digital media intended to allow such users to engage and manage end user audiences (the “Platform”). The Platform is made available to Customer on a software-as-a-service basis during the Term (as defined below) solely for its intended purposes. As part of the registration process, Customer shall identify an administrative user name and password for Customer’s account (“Account”), which administrative user name and password can be used to create standard users (each with a user password) (each, a “Permitted User”) up to the maximum number permitted in the applicable Order (to the extent applicable). Customer shall only provide or allow access to the Platform to those of its employees who are Permitted Users. Customer shall educate Permitted Users regarding the Platform and require that Permitted Users utilize the Platform for its intended purposes. Hearken may, from time to time, update or modify the Platform, release new versions of the Platform or create new modules related thereto or included therein. To the extent Hearken creates and deploys an update and/or enhancement to the Platform that Hearken elects to make generally available to third party licensees similar to Customer at no additional charge, Customer will, within the Platform, also be provided with access to such updates or enhancements at no additional charge pursuant to the license described herein.
(b) Services. In addition to the license described above, Hearken may provide certain services to Customer as detailed within one or more Orders. To the extent any such services are to be provided, such services shall also be governed by this Agreement.
2. Certain Restrictions.
(a) General Restrictions. Customer shall not, and shall cause each Permitted User not to, directly or indirectly copy or reproduce all or any part of the Platform (including, without limitation, any source code or object code included therein), whether electronically, mechanically or otherwise, in any form including, but not limited to, the copying of presentation, style or organization. Customer shall use the Platform, and shall cause each Permitted User and/or all website visitors to use the Platform, solely for its intended purposes and shall not use the Platform for the benefit of any third party except as specifically contemplated under this Agreement. For the avoidance of doubt, all rights in the Platform not expressly granted herein are reserved by Hearken. Customer will not, and will cause each Permitted User and/or website visitor not to, use the Platform to post, transmit, convey, submit, distribute, store or destroy any information: (a) in violation of any applicable law, statute, ordinance or regulation; (b) in a manner that will infringe the intellectual property rights of others; (c) that is defamatory, obscene or trade libelous; (d) that contains any viruses, Trojan horses, worms, time bombs, cancel bots or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; (e) that is false, misleading or inaccurate in any way; or (f) in violation of any acceptable use policy or other policy posted within the Platform or otherwise made available to Customer from time to time. Customer shall not violate or attempt to violate the security of the Platform. Customer shall not reverse engineer, decompile, disassemble or otherwise attempt to derive source code or other trade secrets from the Platform.
(b) Hearken Module Restrictions. For Hearken Platform “modules” (each, a “Module”) to be embedded within Customer’s website, in addition to the other terms and conditions set forth in this Agreement: (i) Customer may only embed and display the Module on Customer’s website and other properties Customer owns (e.g., Tumblr), subject to the terms and conditions of such websites or properties, and not in any other manner; (ii) Customer may not modify the Module as provided by Hearken (including, without limitation, changing any code provided by Hearken); (iii) Customer may not obscure or disable any element of the Module, and Customer may not tag links to any website from the Module with a “no-follow” attribute or otherwise prevent or discourage search engines from following or scoring the link; (iv) Customer’s web page title and other trademarks and logos must appear at least as prominent as any Hearken trademarks in the Module; (v) Customer may not use the Module in a manner that implies affiliation with Hearken in any negative manner, and Customer must immediately stop doing so if notified by Hearken; (vi) the Module must be placed within a website page and/or mobile application context appropriate to the content of the Module, and any reference to Hearken or its products and services must be accurate; (vii) Customer may not display the Module on any site or mobile application that disparages Hearken or its products or services, infringes any Hearken intellectual property or other rights, or violates any applicable law; (viii) Customer will not, without Hearken’s prior written consent, remove or disable any link included within a Module that points to Hearken’s end user terms governing website visitor or other third party access to and/or use of a Module (and, in any event, Customer shall ensure that its agreement or terms with its website visitors and/or users are, at a minimum, consistent with the terms set forth herein); and (ix) Hearken reserves the right to display attribution links such as “Powered by Hearken”, “Brought to you by…” and/or other similar links within or adjacent to the Module, and such attribution may not be altered or removed in any way without Hearken’s prior, written consent.
(c) Third Parties; Users. Customer shall not share Customer’s log-in or password to access the Platform, or any Permitted User’s log-in or password, with any third party. Customer is responsible for all activities conducted under its user log-ins and for its Permitted Users’ compliance with this Agreement. User log-ins are for designated Permitted Users and cannot be shared or used by more than one Permitted User. Customer will be responsible for the confidentiality and use of all such passwords and log-in information. Customer’s use of the Platform shall not include service bureau use, outsourcing, renting, reselling, sublicensing, concurrent use or time-sharing of the Platform.
3. Certain Responsibilities.
Hearken shall provide its standard and customary customer support during normal business hours of 9:00 a.m. to 6:00 p.m. (Central Standard Time). Notwithstanding the foregoing, Hearken shall have no obligation to support: (i) errors or issues caused by Customer’s negligence, hardware malfunction or other causes beyond the reasonable control of Hearken; (ii) errors or issues caused by any Customer software or technology; (iii) Customer’s failure to implement any upgrade following release thereof from Hearken to Customer; or (iv) third party software or ASP services not licensed through Hearken.
5. Representations and Warranties.
Customer shall pay to Hearken the fees set forth in the Order. To the extent payment is by credit card, Customer’s credit card will be charged as set forth in the Order, and Customer hereby authorizes Hearken to charge any credit card Customer may have on file with Hearken for the full amount of the charges owing by Customer (which includes any fees and/or other handling charges beyond those set forth in Hearken’s rate cards which are incurred by Hearken on account of Customer’s use of a credit card). Undisputed fees which are not timely paid shall accrue interest at a rate equal to 15% per annum (or, if less, the highest rate permissible under applicable law), and Customer shall reimburse Hearken for all costs and/or expenses incurred by Hearken in collecting past due fees (including, without limitation, attorneys’ fees and court costs). Fees, once paid, are non-refundable, except to the extent an Order is terminated by Customer on account of Hearken’s uncured breach of this Agreement, in which case pre-paid fees not yet earned as of the effective date of termination shall be refunded. In addition, Hearken shall be entitled, without limiting any other remedies it may have at law or hereunder, at any time while undisputed fees remain unpaid following notice of past due amounts to Customer, to suspend Customer’s and/or its Permitted Users’ access to the Platform until such time as all fees are brought current.
7. Term and Termination.
This Agreement shall continue in full force beginning on the Subscription Start Date set forth in the Order and ending on the expiration date set forth in the Order (the “Initial Term”), after which time this Agreement shall, unless otherwise set forth in the Order, automatically renew for successive periods of a duration set forth in the Order (each, a “Renewal Term”) until such time as either party elects not to renew this Agreement by providing written notice of non-renewal to the other party at least 60 days prior to the end of the Initial Term or any Renewal Term (the Initial Term and all Renewal Terms being referred to herein as the “Term”). Notwithstanding the foregoing, either party may terminate this Agreement on written notice to the other party if the other party declares bankruptcy, has bankruptcy proceedings initiated against it (to the extent such proceedings are not dismissed within 90 days from the date such proceedings were initiated) or has breached any material term or condition of this Agreement and has failed to cure such breach within 30 days of receipt of written notice of such breach. In addition, to the extent the Order includes a “test period”, Customer shall have a one-time right to terminate this Agreement for convenience during the Initial Term by providing written notice of termination to Hearken prior to the end of such test period. Upon termination of this Agreement for any reason, neither Customer nor any Permitted User shall be entitled to access, use or make available the Platform.
8. Intellectual Property.
All trademarks, patents, copyrights and other intellectual property rights owned by either party on the Effective Date shall continue to be owned solely by such party, and except as set forth herein, nothing in this Agreement shall be deemed to confer any rights to any such intellectual property on the other party. For purposes of clarity: (i) as between Customer and Hearken, Customer shall be deemed to be the sole owner of its name and trademarks, as well as all news stories and/or articles published or posted through, within or otherwise using the Platform and/or journalism created in connection with Customer’s use of the Platform (provided, that while Hearken takes no ownership over any such news stories and/or articles, Hearken shall be entitled to share any such articles and/or news stories on Hearken’s website(s) so long as Hearken credits Customer or the original author by linking back to Customer’s website or as otherwise agreed upon by Customer); and (ii) Hearken is the sole owner of the name “Hearken” as well as the Platform, and all source code, object code, software, copyrights, trademarks, patents and other intellectual property related thereto or included therein. While all data entered into the Platform by Customer and/or users of the Platform remains the confidential information of Customer, Hearken shall be entitled to (i) use such data in connection with operating and improving the Platform and to provide the services described herein and/or within the Order, and/or (ii) use such data on an aggregate basis such that the applicable data is not personally identifiable to any individual or Customer. To the extent any Customer content necessary for Hearken to perform the Services described herein is located behind a paywall or otherwise not accessible to Hearken, Customer will provide Hearken with a user name, password and any other credentials necessary for Hearken to access such content at no charge to Hearken. All suggestions, recommendations, bug-fixes, error-fixes or other communications from Customer to Hearken regarding the Platform shall, upon submission to Hearken, be owned solely and exclusively by Hearken. Customer acknowledges and agrees that the applicable supplier(s) of any third party software included within the Platform shall own all worldwide rights, title and interest in and to such third party software (and any intellectual property rights therein), subject to such suppliers’ license, if any, of such third party software to Hearken. Each party, during the Term, licenses use of its name(s) and trademarks to the other party to the limited extent necessary to perform under this Agreement. Hearken will take reasonable and industry standard measures to maintain Customer’s personal data in a secure manner. Customer agrees and acknowledges that Hearken may, from time to time, engage one or more third party hosting providers to host the Platform and data entered into the Platform, in which case security in respect of data entered into the Platform, while it resides on such servers, will be subject to the agreements executed with each such hosting provider.
9. Data Protection.
Each party agrees, that during the Term of this Agreement, Hearken is the processor and Customer is the controller of the personal data provided through the Platform. Therefore, in order to comply with the General Data Protection Regulation (Regulation EU 2016/679) (“GDPR”) the parties have agreed to enter into the Data Processing Agreement at Annex 1 which sets out the rights and obligations of each party in relation to the processing of personal data, by Hearken, through the Platform.
Each party agrees, during the Term and for a period of 2 years thereafter, to treat as confidential all confidential information of the other party, not to use such confidential information for any purpose other than to the limited extent necessary to perform under this Agreement and not to disclose such confidential information to any third party except as may be reasonably required pursuant to this Agreement and subject to confidentiality obligations at least as protective as those set forth herein. Without limiting the generality of the foregoing, each of the parties shall use at least the same degree of care which it uses to prevent the disclosure of its own confidential information of like importance to prevent the disclosure of confidential information disclosed to it by the other party, provided, however, that in no event shall such degree of care be less than reasonable in light of general industry practice. The terms of this Agreement shall be deemed to constitute confidential information of the parties and hence shall be subject to the protections set forth in this Section 9. The parties agree and acknowledge that neither will have any obligation to keep confidential any information that: (A) is known to the receiving party prior to receipt from the disclosing party, from a source other than one having any obligation of confidentiality to the disclosing party; (B) becomes known (independently of disclosure by the disclosing party) to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (C) becomes publicly known or otherwise ceases to be secret or confidential, except through a breach of this Agreement by the receiving party; (D) the receiving party can demonstrate was developed by the receiving party independently of and without reference to any confidential information disclosed to it by the disclosing party; or (E) is required to be disclosed by court order, provided that the other party is notified of such disclosure in advance to allow the other party to limit or seek confidential treatment of such disclosure(s).
(a) Except as explicitly set forth herein, neither party, its affiliates, nor any such party’s employees, officers, managers, directors, equity holders, agents, suppliers, licensors nor the like, makes any warranties of any kind, either expressed or implied, including, without limitation, (a) warranties of merchantability or fitness for a particular purpose, (b) that the Platform will be error-free, (c) that the Platform will be available and/or functional at all times, or (d) as to the results that may be obtained by the other party in connection with the relationship established hereby or any services provided by Hearken to Customer. Customer is solely responsible, at its sole cost and expense, for providing and maintaining all equipment, services and connections necessary to access the Internet and/or the Platform. While it is Hearken’s objective to make the Platform accessible at all times, the Platform may be unavailable from time to time for any reason including, without limitation, routine maintenance.
(b) Notwithstanding the foregoing, in the event that Downtime (as defined below) is greater than (i) 1.5% during any calendar month but at or less than 3% during such month (any such month experiencing Downtime being referred to as a “Downtime Month”), Customer shall receive a credit against future fees due and owing hereunder equal to 5% of the fee amount payable for the Downtime Month in connection with the portion of the Platform experiencing Downtime, (ii) 3% during any calendar month but at or less than 5% during such month, Customer shall receive a credit against future fees due and owing hereunder equal to 10% of the fee amount payable for the Downtime Month in connection with the portion of the Platform experiencing Downtime, and (iii) 5% during any calendar month, Customer shall receive a credit against future fees due and owing hereunder equal to 20% of the fee amount payable for the Downtime Month in connection with the portion of the Platform experiencing Downtime. “Downtime” shall be defined as circumstances where the Platform is not, in all material respects, accessible to Customer for reasons other than (i) malfunctions or defects in any computers, servers, software, websites, equipment or other systems of Customer and/or any Permitted User, (ii) scheduled downtime for routine maintenance during off-peak hours, (iii) general Internet outages, and/or (iv) force majeure events or other events beyond Hearken’s reasonable control. The foregoing credits shall be Customer’s sole and exclusive remedy in the event of any Downtime.
(a) Each party, at its own expense, shall defend, indemnify and hold the other party and its directors, officers, members, shareholders, managers and employees harmless from all claims, actions and demands (together with claims described in Section 11(b) below, “Claims”), and shall pay any resulting liabilities, losses, damages, judgments, settlements, costs and expenses (including reasonable attorneys’ fees) incurred (collectively, “Losses”) insofar as such Claims are related to third party claims arising out of: (i) its breach of any representation, warranty, covenant or agreement made by it hereunder; (ii) any act or omission by it that constitutes gross negligence or willful misconduct; (iii) any injury or damage caused by it to persons or tangible property; or (iv) its breach of its confidentiality obligations.
(b) In addition to the foregoing, Hearken shall indemnify, defend and hold harmless
Customer from and against any third party lawsuit alleging that the Platform, when accessed
and used by Customer for its intended purposes and within the scope of this Agreement and the Order (and excluding claims based on use of the Platform in combination with other non- Hearken intellectual property and/or any changes or modifications to the Platform made by any party other than Hearken), infringes the U.S. patent, trademark or copyright of any third party. In the event of any such Claim, Hearken may, in its sole discretion, either (i) procure for Customer the right from such third party to permit Customer to continue to use the Platform, (ii) replace or modify the applicable portion of the Platform such that it becomes non-infringing and provides reasonably equivalent functionality, or (iii) if Hearken determines that the options described under subsections (i) and (ii) above are not practicable, terminate this Agreement and/or suspend access to the Platform.
(c) Promptly after receipt by the indemnified party of a threat, notice or filing of any Claim against such party, the indemnified party shall give written notice thereof to indemnifying party. The indemnifying party shall have sole control of the defense and of all negotiations for settlement of a Claim; provided, however, that (i) the indemnified party shall have the right, at its own expense, to monitor the indemnifying party’s defense of a Claim, and (ii) the indemnifying party shall not, without prior written consent from the indemnified party, settle any Claim to the extent such settlement imposes any non-monetary obligations on the indemnified party. At the indemnifying party’s request, the indemnified party shall reasonably cooperate with the indemnifying party in defending against or settling a Claim. This Section 12 states each party’s sole responsibility and obligation, and each party’s sole and exclusive remedy, in connection with any Claim.
13. Limitation on Liability.
Neither party shall, under any set of circumstances, be liable to the other party for any special, incidental, indirect, punitive or consequential damages, including, but not limited to, lost profits or data, arising out of this agreement, whether based in contract, tort or any other legal theory, even if advised of the possibility of such damages. In any event, excluding fee payment obligations on the part of customer and each party’s indemnification obligations pursuant to section 11 of this agreement, each party’s total liability to the other party for any claim arising hereunder or related hereto shall not exceed the amount of the aggregate fees paid to hearken hereunder during the 6-month period immediately preceding the date of the applicable claim.
Hearken shall, at its own expense, procure and maintain in full force and effect during the term of this Agreement, the following insurance policies with reputable insurance carriers: (i) commercial general liability ($1,000,000 per occurrence, $2,000,000 aggregate); (ii) workers’ compensation (statutory limits) and employers’ liability ($500,000 per accident); and (iii) errors & omissions liability ($1,000,000 per occurrence, $1,000,000 aggregate).
15. Force Majeure.
Excluding fee payment obligations hereunder, neither party shall be liable to the other party for failure or delay in performing its obligations hereunder if such failure or delay is due to circumstances beyond its reasonable control including, without limitation, acts of any governmental body, war, insurrection, sabotage, embargo, fire, flood, labor disturbance, interruption of or delay in transportation, unavailability of third party services, failure of third party software or inability to obtain raw materials, supplies or power used in or equipment needed for provision of the Platform.
Each party shall be entitled to reference the other as a customer and/or vendor on its website. In addition, Hearken shall be entitled to reference Customer within Hearken’s best practices case-study “knowledge center”. Except as set forth above in this Section 16, neither party shall reference the name of the other party in any materials without the prior, written consent of such party.
The Platform, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations.
18. Copyright Infringement.
If any party believes that such party’s intellectual property or work has been copied in a way that constitutes copyright infringement, or that such party’s intellectual property rights have been otherwise violated, such party should provide Hearken’s Agent for Notice with the following information in English (“Notice”):
1. an electronic or physical signature of the person authorized to act on behalf of the owner of the copyright or other intellectual property interest;
2. a description of the copyrighted work or other intellectual property that such party claims has been infringed;
3. a description of where the material that such party claims is infringing is located on the Site;
4. Such party’s address, telephone number, and email address;
5. a statement by such party that such party has a good faith belief that the disputed use is not authorized by the copyright or intellectual property owner, its agent, or the law;
6. a statement by such party, made under penalty of perjury, that the above information in the Notice is accurate and that such party is the copyright or intellectual property owner or authorized to act on the copyright or intellectual property owner’s behalf.
In some circumstances, in order to notify the individual or entity who or which provided the allegedly infringing content to which Hearken has disabled access, Hearken may forward a copy of a valid Notice including name and email address to such individual or entity. Hearken’s Agent for Notice of claims of copyright or other intellectual property infringement can be reached as follows:
200 E Randolph Street
Chicago, IL 60640
Each party shall pay its own costs and expenses in connection with this Agreement and its activities hereunder. If Customer’s notice, billing or service address provided in an initial Order is in Illinois, or Customer is headquartered in or organized under the laws of Illinois, this Agreement (including all Orders) will be governed by the laws of the state of Illinois; otherwise, this Agreement (including all Orders) will be governed by the laws of the state of Delaware, in either case without reference to conflict of law principles. The parties shall endeavor to resolve all disputes hereunder or relating to this Agreement through good faith discussions and negotiations, however should the parties be unable to resolve any such dispute amicably as set forth above, such dispute shall be resolved solely in the appropriate Federal or state court located in Cook County, Illinois. Hearken shall be entitled to subcontract certain portions of the services to be provided hereunder, it being understood that Hearken shall remain responsible for adherence to all obligations and restrictions set forth herein. The relationship between the parties under this Agreement is that of independent contractors and neither shall be, nor represent itself to be, the joint venture, franchiser, franchisee, partner, agent or representative of the other party for any purpose whatsoever. Customer agrees to pay all sales and/or use taxes levied by any governmental authority upon the goods and services provided hereunder by Hearken (other than taxes due and owing on Hearken’s net income). This Agreement shall inure to the benefit of and be binding upon the parties hereto and their respective successors and assigns, but shall not be assignable by either party other than (i) to an entity acquiring substantially all of its assets, equity or business and assuming all of its obligations, or (ii) to an affiliate upon prior written notice to the other party. Any notice pursuant this Agreement shall be deemed effective one day after sending such notice to the address listed on Order for each party by reputable overnight courier with confirmation of next-day receipt. If any provision of this Agreement is held to be unenforceable or invalid for any reason, or if any governmental agency rules that any portion of this Agreement is illegal or contrary to public policy, the remaining provisions, to the extent feasible, will continue in full force and effect with such unenforceable or invalid provision to be changed and interpreted to best accomplish its original intent and objectives. This Agreement may be executed in counterparts (including by facsimile and/or scanned electronic signature).
Hearken Data Processing Addendum
This Data Processing Addendum (“Addendum”) applies to the Services provided pursuant to the Order Form and Terms and Conditions (“Agreement”) between Hearken Inc , a corporation incorporated in Delaware and having its registered office at 914 W Carmen Ave Unit 3E, Chicago, Illinois 60640, USA (“Hearken”), and the customer identified in the Order Form (“Customer”). This Addendum is made a part of the Agreement when signed by Customer and Hearken.
1. Purpose And Application
This Addendum is the parties’ agreement with respect to the Processing by Hearken of Personal Data under the Agreement. Except where the terms of this Addendum state otherwise, the terms of this Addendum will apply regardless of whether the GDPR or other Data Protection Laws apply to the Processing of Personal Data.
The terms of this Addendum shall be in force on the later of: (a) the date of this Addendum; or, (b) the Subscription Start Date set out in the Order Form.
Capitalized terms used but not defined in this Addendum have the meanings set out in the Agreement. In this Addendum, unless stated otherwise:
“Authorized Personnel” has the meaning given to the term in Section 4 to this Addendum.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data and for the purposes of this Addendum this shall be the Customer
“Customer Data” means any data supplied by the Customer and or the Permitted User whilst interacting with the Platform.
“Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
“Data Protection Laws” means laws and regulations applicable to the Processing of Personal Data under the Agreement and the GDPR to the extent applicable to such Processing.
“GDPR” means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016); and until 25 May 2018, the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995; and any applicable legislation adopted by any Member State of the European Union, or by the United Kingdom post its ceasing to be a Member State of the European Union.
“Personal Data” means Customer Data that is information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed upon or with respect to Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
“Processor” means the natural or legal person which Processes Personal Data on behalf of the Controller and for the purposes of this Addendum, Hearken.
“Restricted Transfer” means the transfer of any Personal Data to which the GDPR applies to any country or organisation, where such transfer would not be permitted by the GDPR in the absence of some legal basis permitted by the GDPR.
“Services” means all of the services to be provided by Hearken to the Customer and set out in the Order Form.
“Subprocessor” means a third-party who Processes Customer Data on behalf of the Processor in order to provide portions of the Services.
3. Processing of Personal Data
3.1 Roles and Responsibilities
3.1.1 Where the GDPR applies to the Processing of Personal Data by Hearken, Customer is, for all purposes and with respect to all Data Protection Laws, the Controller of the Personal Data and Hearken is the Processor of the Personal Data, except only when Customer acts as a Processor of Personal Data on behalf of a third party who is the Controller of same, in which case Hearken shall be only a sub-processor. Where Hearken is a sub-processor, Customer represents and warrants that it has all necessary authority of the relevant Controller to engage Hearken as a sub-processor. Notwithstanding anything to the contrary, in all cases, Customer acknowledges, agrees and represents that Hearken shall not be the Controller of Personal Data.
3.1.2 Hearken shall only comply with Data Protection Laws to the extent they apply to Hearken’s Processing of Personal Data on behalf of Customer. Customer shall comply with all Data Protection Laws applicable to Personal Data. For clarity, Customer shall obtain all required consent from the data subjects of Personal Data for Hearken to Process Personal Data and shall comply with all obligations under Data Protection Laws as a Controller of Personal Data and all similar obligations.
3.2 Scope of Processing
3.2.1 Customer instructs Hearken to process Personal Data: (a) to provide the Services; (b) as set out in the Agreement, including this Addendum; (c) as specified by Customer’s use of the Services; and, (d) as further documented in any other of Customer’s written instructions that are acknowledged by Hearken as being instructions for the purposes of the Agreement.
3.2.2 Customer’s instructions for Hearken’s Processing of Personal Data shall comply with all Data Protection Laws. Customer shall not instruct Hearken to undertake any Restricted Transfer.
3.2.3 Notwithstanding Section 3.2.1 above, Hearken may Process Personal Data where required by any applicable law to which Hearken is subject, in which case Hearken shall (to the extent permitted by law) inform Customer of that legal requirement before carrying out the Processing.
3.2.4 The nature and purpose of Hearken’s Processing of Personal Data shall be to provide the Services pursuant to the Agreement. The type of Personal Data, the categories of data subjects, and the obligation and rights of Customer are set out in the Agreement, including in this Addendum.
4.1 Security Measures
4.1.1 Hearken and Customer shall, taking into account the costs of implementation, and the nature, scope, context and purposes of Processing, take appropriate technical and organizational measures to ensure a level of security for the Personal Data, within their respective possession, which is appropriate to the risks to the applicable individual data subjects that may result from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.
4.1.2 Hearken shall cause that access to Personal Data within the possession of Hearken is limited to those individuals who need access in order to meet Hearken’s obligations under the Agreement (together the “Authorized Personnel”).
4.1.3 All Authorized Personnel are or will be trained in the handling of Personal Data, informed of the confidential nature of the Personal Data, and will be bound by appropriate confidentiality obligations when accessing it, and they will not Process Personal Data except pursuant to the instructions of Customer.
4.2 Data Incident
4.2.1 On becoming aware of a Data Incident, Hearken will: (a) notify Customer of the Data Incident without undue delay; (b) make reasonable efforts to identify the cause of such Data Incident; and, (c) where the Data Incident was not caused by Customer or any Permitted User, take those steps that Hearken deems necessary and reasonable in order to remediate the cause of the Data Incident to the extent the cause of the Data Incident is in Hearken’s reasonable control.
4.3 Customer Responsibilities
4.3.1 Customer is responsible for securing all Logins and Users and all systems and devices that Customer uses to access the Services.
4.3.2 Customer is responsible for backing up the Customer Data.
5.1.1 Hearken shall not engage Sub-processors (excluding independent contractors) without prior specific or general written authorization of Customer and will require such Sub-processors to be bound by provisions substantially similar to those in this Addendum, as applicable. A list of Hearken’s current Sub-processors are set out in Appendix A and Customer hereby authorizes Hearken to use such Sub-processors.
5.1.2 Hearken may, at its discretion, choose to engage additional third-parties as Sub-processors generally. If Hearken chooses to engage Sub-processors generally, Hearken will inform Customer of any new Sub-processors at least 20 days prior to authorizing the Sub-processor to Process Personal Data and Customer may object to the new Sub-processor by providing Hearken written notice within 15 days of receipt of such notice. If Customer objects to the new Sub-processor under this Section 5.1.2: (i) Hearken will, in its sole discretion, provide the Services without the new Sub-processor Processing any Personal Data; or, (ii) Customer may terminate the Services which require the new Sub-processor.
6.1 GDPR Audits
6.1.1 Where the Processing of Personal Data is subject to the GDPR, at Customer’s sole expense, Hearken shall make available to Customer such of Hearken’s information as is reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
7. Deletion and Return of Personal Data
7.1.1 At the end of the Services and at the choice of Customer, Hearken shall delete or return all the Customer Data to Customer, and delete all Personal Data unless prohibited by Data Protection Laws.
8. Rights of Data Subjects
8.1.1 Hearken will make available to Customer the Personal Data of its data subjects and shall, at Customer’s sole expense, fulfill data subject requests to access, rectify, and restrict processing of Personal Data in a manner consistent with Data Protection Laws, the functionality of the Services, and Hearken’s role as a Processor.
9. Impact Assessment
9.1.1 Where the Processing of Personal Data is subject to the GDPR, at Customer’s sole expense, Hearken will provide reasonable assistance to Customer in its obligations to comply with its obligations to conduct privacy impact assessments and consult with regulatory bodies in relation to any Processing of Personal Data undertaken under this Agreement.
10.1.1 Customer shall fully indemnify and keep indemnified and defend at its own expense Hearken against all losses, liabilities, costs, claims and reasonable expenses incurred by Hearken or for which Hearken may become liable to the extent arising from any Processing of Personal Data on the instructions of the Customer, any Customer breach of this Addendum or any Data Protection Laws, or any of Customer’s acts or omissions in respect of its obligations as a Controller of Personal Data.