Convert big data to great customer experience...

Terms of service

Acceptable Use Policy

Use of the Services is subject to this Acceptable Use Policy.

Capitalized terms have the meaning stated in the applicable agreement between Customer and Reputize.

Customer agrees not to, and not to allow third parties to use the Services:

  • to violate, or encourage the violation of, the legal rights of others (for example, this may include allowing Customer End Users to infringe or misappropriate the intellectual property rights of others in violation of the Digital Millennium Copyright Act);
  • to engage in, promote or encourage illegal activity;
  • for any unlawful, invasive, infringing, defamatory or fraudulent purpose (for example, this may include phishing, creating a pyramid scheme or mirroring a website);
  • to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature;
  • to interfere with the use of the Services, or the equipment used to provide the Services, by customers, authorized resellers, or other authorized users;
  • to disable, interfere with or circumvent any aspect of the Services;
  • to generate, distribute, publish or facilitate unsolicited mass email, promotions, advertisings or other solicitations (“spam”); or
  • to use the Services, or any interfaces provided with the Services, to access any other Reputize product or service in a manner that violates the terms of service of such other Reputize product or service.

Reputize License Agreement

This Reputize License Agreement (the "Agreement") is made and entered into by and between Reputize and the entity agreeing to these terms ("Customer"). "Reputize" means Reputize Limited, with offices at TechHub, 4-5 Bonhill Str, EC2A4BX London, UK and registration address at 220 Oval Road, Dagenham, RM109EJ, UK.

This Agreement is deemed accepted and is effective as of the date Customer received access to Reputize services (the "Effective Date"). If you are accepting on behalf of Customer, you represent and warrant that: (i) you have full legal authority to bind Customer to this Agreement; (ii) you have read and understand this Agreement; and (iii) you agree, on behalf of Customer, to this Agreement. If you do not have the legal authority to bind Customer, please do not click to accept. This Agreement governs Customer's access to and use of the Service. For an offline variant of this Agreement, you may contact Reputize for more information.

1. Provision of the Services.

1.1 Services Use. Subject to this Agreement, during the Term, Customer may: (a) use the Services, (b) integrate the Services into any Application that has material value independent of the Services, and (c) use any Software provided by Reputize as part of the Services. Customer may not sublicense or transfer these rights except as permitted under the Assignment section of the Agreement.

1.2 Console. Reputize will provide the Services to Customer. As part of receiving the Services, Customer will have access to the Admin Console, through which Customer may administer the Services.

1.3 Facilities. All facilities used to store and process an Application and Customer Data will adhere to reasonable security standards no less protective than the security standards at facilities where Reputize processes and stores its own information of a similar type. Reputize has implemented at least industry standard systems and procedures to (i) ensure the security and confidentiality of an Application and Customer Data, (ii) protect against anticipated threats or hazards to the security or integrity of an Application and Customer Data, and (iii) protect against unauthorized access to or use of an Application and Customer Data.

1.4 Data Location. Reputize may process and store the Customer Data anywhere Reputize or its agents maintain facilities. By using the Services, Customer consents to this processing and storage of Customer Data. Under this Agreement, Reputize is merely a data processor.

1.5 Accounts. Customer must have an Account and a Token (if applicable) to use the Services, and is responsible for the information it provides to create the Account, the security of the Token and its passwords for the Account, and for any use of its Account and the Token. If Customer becomes aware of any unauthorized use of its password, its Account or the Token, Customer will notify Reputize as promptly as possible. Reputize has no obligation to provide Customer multiple Tokens or Accounts.

1.6 New Applications and Services. Reputize may: (i) make new applications, tools, features or functionality available from time to time through the Services and (ii) add new services to the "Services" definition from time to time (by adding them at the URL set forth under that definition), the use of which may be contingent upon Customer’s agreement to additional terms.

1.7 Modifications.

a. To the Services. Reputize may make commercially reasonable updates to the Services from time to time. If Reputize makes a material change to the Services, Reputize will inform Customer, provided that Customer has subscribed with Reputize to be informed about such change.

b. To the Agreement. Reputize may make changes to this Agreement, including pricing (and any linked documents) from time to time. Unless otherwise noted by Reputize, material changes to the Agreement will become effective 30 days after they are posted, except if the changes apply to new functionality in which case they will be effective immediately. If Customer does not agree to the revised Agreement, please stop using the Services. Reputize will post any modification to this Agreement to the Terms URL.

c. To the Data Processing and Security Terms. Reputize may only change the Data Processing and Security Terms where such change is required to comply with applicable law, applicable regulation, court order, or guidance issued by a governmental regulator or agency, where such change is expressly permitted by the Data Processing and Security Terms, or where such change:

(i) is commercially reasonable;

(ii) does not result in a degradation of the overall security of the Services;

(iii) does not expand the scope of or remove any restrictions on Reputize’s processing of Customer Personal Data, as described in Section 5.2 (Scope of Processing) of the Data Processing and Security Terms; and

(iv) does not otherwise have a material adverse impact on Customer’s rights under the Data Processing and Security Terms.

If Reputize makes a material change to the Data Processing and Security Terms in accordance with this Section, Reputize will post the modification to the URL containing those terms.

1.8 Service Specific Terms and Data Processing and Security Terms. The Service Specific Terms and Data Processing and Security Terms are incorporated by this reference into the Agreement.

2. Payment Terms.

2.1 Free Trial/Quota. Certain Services may be provided to Customer without charge subject to a separate agreement.

2.2 Billing. Reputize will issue an invoice to Customer for all agreed services in accordance with the agreed payment terms. Customer will pay all Fees in the currency set forth in the invoice. Customer will pay all Fees in accordance with the payment terms applicable to the Service. Reputize's measurement of Customer’s use of the Services is final. Reputize has no obligation to provide multiple bills.

2.3 Taxes. Customer is responsible for any Taxes, and Customer will pay Reputize for the Services without any reduction for Taxes. If Reputize is obligated to collect or pay Taxes, the Taxes will be invoiced to Customer, unless Customer provides Reputize with a timely and valid tax exemption certificate authorized by the appropriate taxing authority. In some states the sales tax is due on the total purchase price at the time of sale and must be invoiced and collected at the time of the sale. If Customer is required by law to withhold any Taxes from its payments to Reputize, Customer must provide Reputize with an official tax receipt or other appropriate documentation to support such withholding.

2.4 Invoice Disputes & Refunds. To the fullest extent permitted by law, Customer waives all claims relating to Fees unless claimed within sixty days after charged (this does not affect any Customer rights with its credit card issuer). Refunds (if any) are at the discretion of Reputize and will only be in the form of credit for the Services. Nothing in this Agreement obligates Reputize to extend credit to any party.

2.5 Delinquent Payments. Late payments may bear interest at the rate of 1.5% per month (or the highest rate permitted by law, if less). Reputize reserves the right to suspend Customer’s Account, for any late payments.

3. Customer Obligations.

3.1 Compliance. Customer is solely responsible for its Applications, Projects, and Customer Data and for making sure its Applications, Projects, and Customer Data comply with the AUP. Reputize reserves the right to review the Application, Project, and Customer Data for compliance with the AUP. Customer is responsible for ensuring all Customer End Users comply with Customer’s obligations under the AUP, the Service Specific Terms, and the restrictions in Sections 3.3 and 3.5 below.

3.2 Privacy. Customer will obtain and maintain any required consents necessary to permit the processing of Customer Data under this Agreement.

3.3 Restrictions. Customer will not, and will not allow third parties under its control to: (a) copy, modify, create a derivative work of, reverse engineer, decompile, translate, disassemble, or otherwise attempt to extract any or all of the source code of the Services (subject to Section 3.4 below and except to the extent such restriction is expressly prohibited by applicable law); (b) use the Services for High Risk Activities; (c) sublicense, resell, or distribute any or all of the Services separate from any integrated Application; (d) create multiple Applications, Accounts, or Projects to simulate or act as a single Application, Account, or Project (respectively) or otherwise access the Services in a manner intended to avoid incurring Fees; (e) unless otherwise set forth in the Service Specific Terms, use the Services to operate or enable any telecommunications service or in connection with any Application that allows Customer End Users to place calls or to receive calls from any public switched telephone network; or (f) process or store any Customer Data that is subject to the International Traffic in Arms Regulations maintained by the Department of State. Unless otherwise specified in writing by Reputize, Reputize does not intend uses of the Services to create obligations under HIPAA, and makes no representations that the Services satisfy HIPAA requirements. If Customer is (or becomes) a Covered Entity or Business Associate, as defined in HIPAA, Customer will not use the Services for any purpose or in any manner involving Protected Health Information (as defined in HIPAA) unless Customer has received prior written consent to such use from Reputize.

3.4 Third Party Components. Third party components (which may include open source software) of the Services may be subject to separate license agreements. To the limited extent a third party license expressly supersedes this Agreement, that third party license governs Customer’s use of that third party component.

3.5 Documentation. Reputize may provide Documentation for Customer’s use of the Services. The Documentation may specify restrictions (e.g. attribution or HTML restrictions) on how the Applications may be built or the Services may be used and Customer will comply with any such restrictions specified.

3.6 DMCA Policy. Reputize provides information to help copyright holders manage their intellectual property online, but Reputize cannot determine whether something is being used legally or not without their input. Reputize responds to notices of alleged copyright infringement and terminates accounts of repeat infringers according to the process set out in the U.S. Digital Millennium Copyright Act. If Customer thinks somebody is violating Customer’s or Customer End Users’ copyrights and wants to notify Reputize, Customer can contact Reputize here: http://www.reputize.co/contact

4. Suspension and Removals.

4.1 Suspension/Removals. If Customer becomes aware that any Application, Project, or Customer Data violates the AUP, Customer will immediately suspend the the Application and/or remove the relevant Customer Data (as applicable). If Customer fails to suspend or remove as noted in the prior sentence, Reputize may specifically request that Customer do so. If Customer fails to comply with Reputize’s request to do so within twenty-four hours, then Reputize may disable the Project or Application, and/or disable the Account (as may be applicable) until such violation is corrected.

4.2 Emergency Security Issues. Despite the foregoing, if there is an Emergency Security Issue, then Reputize may automatically suspend the offending Application, Project, and/or Account. Suspension will be to the minimum extent required, and of the minimum duration, to prevent or resolve the Emergency Security Issue. If Reputize suspends an Application, Project, or the Account, for any reason, without prior notice to Customer, at Customer’s request, Reputize will provide Customer the reason for the suspension as soon as is reasonably possible.

5. Intellectual Property Rights; Use of Customer Data; Feedback.

5.1 Intellectual Property Rights. Except as expressly set forth in this Agreement, this Agreement does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data and the Application or Project (if applicable), and Reputize owns all Intellectual Property Rights in the Services and Software.

5.2 Use of Customer Data. Reputize will not access or use Customer Data, except as necessary to provide the Services to Customer.

5.3 Customer Feedback. If Customer provides Reputize Feedback about the Services, then Reputize may use that information without obligation to Customer, and Customer hereby irrevocably assigns to Reputize all right, title, and interest in that Feedback.

6. Technical Support Services

6.1 By Customer. Customer is responsible for technical support of its Applications and Projects.

6.2 By Reputize. Subject to payment of applicable support Fees, Reputize will provide TSS to Customer during the Term in accordance with the TSS Guidelines.

7. Deprecation of Services

7.1 Discontinuance of Services. Subject to Section 7.2, Reputize may discontinue any Services or any portion or feature for any reason at any time without liability to Customer.

7.2 Deprecation Policy. Reputize will announce if it intends to discontinue or make backwards incompatible changes to the Services. Reputize will use commercially reasonable efforts to continue to operate those Services versions and features without these changes for at least one year after that announcement, unless (as Reputize determines in its reasonable good faith judgment):

(i) required by law or third party relationship (including if there is a change in applicable law or relationship), or

(ii) doing so could create a security risk or substantial economic or material technical burden.

The above policy is the "Deprecation Policy."

8. Confidential Information.

8.1 Obligations. The recipient will not disclose the Confidential Information, except to Affiliates, employees, agents or professional advisors who need to know it and who have agreed in writing (or in the case of professional advisors are otherwise bound) to keep it confidential. The recipient will ensure that those people and entities use the received Confidential Information only to exercise rights and fulfill obligations under this Agreement, while using reasonable care to keep it confidential.

8.2 Required Disclosure. Notwithstanding any provision to the contrary in this Agreement, the recipient may also disclose Confidential Information to the extent required by applicable Legal Process; provided that the recipient uses commercially reasonable efforts to: (i) promptly notify the other party of such disclosure before disclosing; and (ii) comply with the other party’s reasonable requests regarding its efforts to oppose the disclosure. Notwithstanding the foregoing, subsections (i) and (ii) above will not apply if the recipient determines that complying with (i) and (ii) could: (a) result in a violation of Legal Process; (b) obstruct a governmental investigation; and/or (c) lead to death or serious physical harm to an individual. As between the parties, Customer is responsible for responding to all third party requests concerning its use and Customer End Users’ use of the Services.

9. Term and Termination.

9.1 Agreement Term. The “Term” of this Agreement will begin on the Effective Date and continue until the Agreement is terminated as set forth in Section 9 of this Agreement. Except as otherwise set forth on a written form, this Agreement will automatically renew for a period equal to such initial term unless either party notifies the other in writing of its intent not to renew at least ninety (90) days prior to expiration of the then-current term.

9.2 Termination for Breach. Either party may terminate this Agreement for breach if: (i) the other party is in material breach of the Agreement and fails to cure that breach within thirty days after receipt of written notice; (ii) the other party ceases its business operations or becomes subject to insolvency proceedings and the proceedings are not dismissed within ninety days; or (iii) the other party is in material breach of this Agreement more than two times notwithstanding any cure of such breaches. In addition, Reputize may terminate any, all, or any portion of the Services or Projects, if Customer meets any of the conditions in Section 9.2(i), (ii), and/or (iii).

9.3 Termination for Inactivity. Reputize reserves the right to terminate the Services for inactivity, if, for a period exceeding 180 days, Customer: (a) has failed to access the Admin Console; (b) storage resources or an Application has not served any requests;

9.4 Termination for Convenience. Customer may stop using the Services at any time. Customer may terminate this Agreement for its convenience at any time on prior written notice and upon termination, must cease use of the applicable Services. Reputize may terminate this Agreement for its convenience at any time without liability to Customer.

9.5 Effect of Termination. If the Agreement is terminated, then: (i) the rights granted by one party to the other will immediately cease; (ii) all Fees owed by Customer to Reputize are immediately due upon receipt of the final invoice; (iii) Customer will delete the Software, any Application, Instance, Project, and any Customer Data; and (iv) upon request, each party will use commercially reasonable efforts to return or destroy all Confidential Information of the other party.

10. Publicity. Customer is permitted to state publicly that it is a customer of the Services, consistent with the Trademark Guidelines. If Customer wants to display Reputize Brand Features in connection with its use of the Services, Customer must obtain written permission from Reputize through the process specified in the Trademark Guidelines. Reputize may include Customer’s name or Brand Features in a list of Reputize customers, online or in promotional materials. Reputize may also verbally reference Customer as a customer of the Services. Neither party needs approval if it is repeating a public statement that is substantially similar to a previously-approved public statement. Any use of a party’s Brand Features will inure to the benefit of the party holding Intellectual Property Rights to those Brand Features. A party may revoke the other party’s right to use its Brand Features under this Section with written notice to the other party and a reasonable period to stop the use.

11. Representations and Warranties. Each party represents and warrants that: (a) it has full power and authority to enter into the Agreement; and (b) it will comply with all laws and regulations applicable to its provision, or use, of the Services, as applicable. Reputize warrants that it will provide the Services in accordance with the applicable SLA (if any).

12. Disclaimer. EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, REPUTIZE AND ITS SUPPLIERS DO NOT MAKE ANY OTHER WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE AND NONINFRINGEMENT. REPUTIZE AND ITS SUPPLIERS ARE NOT RESPONSIBLE OR LIABLE FOR THE DELETION OF OR FAILURE TO STORE ANY CUSTOMER DATA AND OTHER COMMUNICATIONS MAINTAINED OR TRANSMITTED THROUGH USE OF THE SERVICES. CUSTOMER IS SOLELY RESPONSIBLE FOR SECURING AND BACKING UP ITS APPLICATION, PROJECT, AND CUSTOMER DATA. NEITHER REPUTIZE NOR ITS SUPPLIERS, WARRANTS THAT THE OPERATION OF THE SOFTWARE OR THE SERVICES WILL BE ERROR-FREE OR UNINTERRUPTED. NEITHER THE SOFTWARE NOR THE SERVICES ARE DESIGNED, MANUFACTURED, OR INTENDED FOR HIGH RISK ACTIVITIES.

13. Limitation of Liability.

13.1 Limitation on Indirect Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY, NOR REPUTIZE’S SUPPLIERS, WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.

13.2 Limitation on Amount of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY, NOR REPUTIZE’S SUPPLIERS, MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID BY CUSTOMER TO REPUTIZE UNDER THIS AGREEMENT DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.

13.3 Exceptions to Limitations. These limitations of liability do not apply to breaches of confidentiality obligations, violations of a party’s Intellectual Property Rights by the other party, indemnification obligations, or Customer's payment obligations.

14. Indemnification.

14.1 By Customer. Unless prohibited by applicable law, Customer will defend and indemnify Reputize and its Affiliates against Indemnified Liabilities in any Third-Party Legal Proceeding to the extent arising from: (i) any Application, Project, Instance, Customer Data or Customer Brand Features; or (ii) Customer’s, or Customer End Users’, use of the Services in violation of the AUP.

14.2 By Reputize. Reputize will defend and indemnify Customer and its Affiliates against Indemnified Liabilities in any Third-Party Legal Proceeding to the extent arising solely from an Allegation that use of (a) Reputize’s technology used to provide the Services (excluding any open source software) or (b) any Reputize Brand Feature infringes or misappropriates the third party’s patent, copyright, trade secret, or trademark.

14.3 Exclusions. This Section 14 will not apply to the extent the underlying Allegation arises from:

a. the indemnified party’s breach of this Agreement;

b. modifications to the indemnifying party’s technology or Brand Features by anyone other than the indemnifying party;

c. combination of the indemnifying party’s technology or Brand Features with materials not provided by the indemnifying party; or

d. use of non-current or unsupported versions of the Services or Brand Features;

14.4 Conditions. Sections 14.1 and 14.2 will apply only to the extent:

a. The indemnified party has promptly notified the indemnifying party in writing of any Allegation(s) that preceded the Third-Party Legal Proceeding and cooperates reasonably with the indemnifying party to resolve the Allegation(s) and Third-Party Legal Proceeding. If breach of this Section 14.4(a) prejudices the defense of the Third-Party Legal Proceeding, the indemnifying party’s obligations under Section 14.1 or 14.2 (as applicable) will be reduced in proportion to the prejudice.

b. The indemnified party tenders sole control of the indemnified portion of the Third-Party Legal Proceeding to the indemnifying party, subject to the following: (i) the indemnified party may appoint its own non-controlling counsel, at its own expense; and (ii) any settlement requiring the indemnified party to admit liability, pay money, or take (or refrain from taking) any action, will require the indemnified party’s prior written consent, not to be unreasonably withheld, conditioned, or delayed.

14.5 Remedies.

a. If Reputize reasonably believes the Services might infringe a third party’s Intellectual Property Rights, then Reputize may, at its sole option and expense: (a) procure the right for Customer to continue using the Services; (b) modify the Services to make them non-infringing without materially reducing their functionality; or (c) replace the Services with a non-infringing, functionally equivalent alternative.

b. If Reputize does not believe the remedies in Section 14.5(a) are commercially reasonable, then Reputize may suspend or terminate Customer’s use of the impacted Services.

14.6 Sole Rights and Obligations. Without affecting either party’s termination rights, this Section 14 states the parties’ only rights and obligations under this Agreement for any third party's Intellectual Property Rights Allegations and Third-Party Legal Proceedings.

15. U.S. Federal Agency Users. The Services were developed solely at private expense and are commercial computer software and related documentation within the meaning of the applicable Federal Acquisition Regulations and their agency supplements.

16. Miscellaneous.

16.1 Notices. All notices must be in writing and addressed to the other party’s legal department and primary point of contact. The email address for notices being sent to Reputize’s Legal Department is info@reputize.co. Notice will be treated as given on receipt as verified by written or automated receipt or by electronic log (as applicable).

16.2 Assignment. Neither party may assign any part of this Agreement without the written consent of the other, except to an Affiliate where: (a) the assignee has agreed in writing to be bound by the terms of this Agreement; (b) the assigning party remains liable for obligations under the Agreement if the assignee defaults on them; and (c) the assigning party has notified the other party of the assignment. Any other attempt to assign is void.

16.3 Change of Control. If a party experiences a change of Control (for example, through a stock purchase or sale, merger, or other form of corporate transaction): (a) that party will give written notice to the other party within thirty days after the change of Control; and (b) the other party may immediately terminate this Agreement any time between the change of Control and thirty days after it receives that written notice.

16.4 Force Majeure. Neither party will be liable for failure or delay in performance to the extent caused by circumstances beyond its reasonable control.

16.5 No Agency. This Agreement does not create any agency, partnership or joint venture between the parties.

16.6 No Waiver. Neither party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under this Agreement.

16.7 Severability. If any term (or part of a term) of this Agreement is invalid, illegal, or unenforceable, the rest of the Agreement will remain in effect.

16.8 No Third-Party Beneficiaries. This Agreement does not confer any benefits on any third party unless it expressly states that it does.

16.9 Equitable Relief. Nothing in this Agreement will limit either party’s ability to seek equitable relief.

16.10 U.S. Governing Law.

a. For U.S. City, County, and State Government Entities. If Customer is a U.S. city, county or state government entity, then the Agreement will be silent regarding governing law and venue.

b. For U.S. Federal Government Entities. If Customer is a U.S. federal government entity then the following applies: ALL CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES WILL BE GOVERNED BY THE LAWS OF THE UNITED STATES OF AMERICA, EXCLUDING ITS CONFLICT OF LAWS RULES. SOLELY TO THE EXTENT PERMITTED BY FEDERAL LAW: (I) THE LAWS OF THE STATE OF CALIFORNIA (EXCLUDING CALIFORNIA’S CONFLICT OF LAWS RULES) WILL APPLY IN THE ABSENCE OF APPLICABLE FEDERAL LAW; AND (II) FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA.

c. For All Other Entities. If Customer is any entity not set forth in Section 16.10(a) or (b) then the following applies: ALL CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES WILL BE GOVERNED BY CALIFORNIA LAW, EXCLUDING THAT STATE’S CONFLICT OF LAWS RULES, AND WILL BE LITIGATED EXCLUSIVELY IN THE FEDERAL OR STATE COURTS OF SANTA CLARA COUNTY, CALIFORNIA, USA; THE PARTIES CONSENT TO PERSONAL JURISDICTION IN THOSE COURTS.

16.11 Amendments. Except as set forth in Section 1.7(b) or (c), any amendment must be in writing, signed by both parties, and expressly state that it is amending this Agreement.

16.12 Survival. The following Sections will survive expiration or termination of this Agreement: 5, 8, 9.5, 13, 14, and 16.

16.13 Entire Agreement. This Agreement sets out all terms agreed between the parties and supersedes all other agreements between the parties relating to its subject matter. In entering into this Agreement, neither party has relied on, and neither party will have any right or remedy based on, any statement, representation or warranty (whether made negligently or innocently), except those expressly set out in this Agreement. The terms located at a URL referenced in this Agreement and the Documentation are incorporated by reference into the Agreement. After the Effective Date, Reputize may provide an updated URL in place of any URL in this Agreement.

16.14 Conflicting Terms. If there is a conflict between the documents that make up this Agreement, the documents will control in the following order: the Agreement, and the terms at any URL.

16.15 Definitions.

·"Account" means Customer’s account at the Reputize website.

·"Admin Console" means the online console(s) and/or tool(s) provided by Reputize to Customer for administering the Services.

·"Affiliate" means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party.

·"Allegation" means an unaffiliated third party’s allegation.

·"Application(s)" means any web or other application Customer creates using the Services, including any source code written by Customer to be used with the Services, or hosted in an Instance.

·"AUP" means the acceptable use policy set forth for the Services.

·"Brand Features" means the trade names, trademarks, service marks, logos, domain names, and other distinctive brand features of each party, respectively, as secured by such party from time to time.

·"Committed Purchase(s)" have the meaning set forth in the Service Specific Terms.

·"Confidential Information" means information that one party (or an Affiliate) discloses to the other party under this Agreement, and which is marked as confidential or would normally under the circumstances be considered confidential information. It does not include information that is independently developed by the recipient, is rightfully given to the recipient by a third party without confidentiality obligations, or becomes public through no fault of the recipient. Subject to the preceding sentence, Customer Data is considered Customer’s Confidential Information.

·"Control" means control of greater than fifty percent of the voting rights or equity interests of a party.

·"Customer Data" means content provided to Reputize by Customer (or at its direction) via the Services under the Account.

·"Customer End Users" means the individuals Customer permits to use the Application.

·"Data Processing and Security Terms" means the terms set forth at the section Data Processing and Security Terms.

·"Documentation" means the Reputize documentation (as may be updated from time to time) in the form generally made available by Reputize to its customers for use with the Services including the following: (a) Reputize Review Analytics; (b) Reputize Surveys; (c) Reputize Marketing Tools.

·"Emergency Security Issue" means either: (a) Customer’s or Customer End Users’ use of the Services in violation of the AUP, which could disrupt: (i) the Services; (ii) other customers’ or their customer end users’ use of the Services; or (iii) the Reputize network or servers used to provide the Services; or (b) unauthorized third party access to the Services.

·"Fee Trial Period" means a calendar month or another period specified by Reputize in the Admin Console.

·“Feedback” means feedback or suggestions about the Services provided to Reputize by Customer.

·"Fees" means the applicable fees for each Service and any applicable Taxes. The Fees for each Service are set forth in a separate agreement.

·"High Risk Activities" means uses such as the operation of nuclear facilities, air traffic control, or life support systems, where the use or failure of the Services could lead to death, personal injury, or environmental damage.

·"HIPAA" means the Health Insurance Portability and Accountability Act of 1996 as it may be amended from time to time, and any regulations issued under it.

·"Indemnified Liabilities" means any (i) settlement amounts approved by the indemnifying party; and (ii) damages and costs finally awarded against the indemnified party and its Affiliates by a court of competent jurisdiction.

·"Intellectual Property Rights" means current and future worldwide rights under patent, copyright, trade secret, trademark, and moral rights laws, and other similar rights.

·"Legal Process" means a data disclosure request made under law, governmental regulation, court order, subpoena, warrant, governmental regulatory or agency request, or other valid legal authority, legal procedure, or similar process.

·"Package Purchase" means Customer’s commitment to purchase a specified package of the Services over a specified period of time, whether Customer uses those Services or not. A Package Purchase may be made using the Admin Console or the Ordering Document (if applicable).

·"Project" means a grouping of resources for Customer, and via which Customer may use the Services. Projects are more fully described in the Documentation.

·"Service Specific Terms" means the terms specific to one or more Services.

·"Services" means the services all services provided by Reputize (including any associated APIs); and TSS.

·"SLA" means the Service Level Agreement as applicable to: (a) Reputize Review Analytics; (b) Reputize Surveys; (c) Reputize Marketing Tools.

·"Software" means any downloadable tools, software development kits or other such proprietary computer software provided by Reputize in connection with the Services, which may be downloaded by Customer, and any updates Reputize may make to such Software from time to time.

·"Taxes" means any duties, customs fees, or taxes (other than Reputize’s income tax) associated with the purchase of the Services, including any related penalties or interest.

·"Term" has the meaning set forth in Section 9 of this Agreement.

·/span>"Terms URL" means the following URL set forth at the current webpage.

·"Third-Party Legal Proceeding" means any formal legal proceeding filed by an unaffiliated third party before a court or government tribunal (including any appellate proceeding).

·"Token" means an alphanumeric key that is uniquely associated with Customer’s Account.

·"Trademark Guidelines" means Reputize’s Guidelines for Third Party Use of Reputize Brand Features.

·"TSS" means the technical support service provided by Reputize to the administrators under the TSS Guidelines.

·"TSS Guidelines" means Reputize’s technical support services guidelines then in effect for the Services.

Service Specific Terms

Capitalized terms not defined in these Service Specific Terms have the meaning set forth in the Reputize License Agreement between Customer and Reputize or the Reputize Reseller Agreement between Reseller and Reputize (as applicable, "Agreement"). For the purpose of these Service Specific Terms, if the Agreement is the Reputize Reseller Agreement, then for that Agreement: (i) the term "Customer" means Customer and/or Reseller based on which entity is accessing the applicable Service, and (ii) the term "Customer" means "Reseller".

1. Reputize Review Analytics.

The following terms apply only to the Reputize Review Analytics Service:

1.1 In order to provide the Services Reputize gathers, stores, analyzes, displays and uses a variety of information, including without limitation (i) publicly available content such as reviews and hotel rankings posted on third party web sites, feedback and information provided by guests at Customer facilities, posts from social media sites and forums, news articles, blog posts, photos and videos, and (ii) commercially available data regarding businesses in Customer’s industry (such as hotel occupancy rates, average daily rates and revenue per available room) (collectively “Third Party Content”). Some Third Party Content is public information (such as online hotel reviews) and other Third Party Content is proprietary to its creators (such as industry research data). Third Party Content may be owned by the people or entities that publish such content, or by other parties.

1.2 Customer acknowledges that (i) Reputize aggregates Third Party Content from various public web sites (including Reputize sites) and from commercial databases, and (ii) Third Party Content may be obtained by Reputize or licensed to Reputize by third parties subject to copyright and other restrictions on re-use or redistribution. Customer understands the foregoing and agrees that it is requesting Reputize to aggregate and present both publicly available and proprietary Third Party Content to Customer and its Users. 

1.3 Reputize shall use good faith efforts to provide comprehensive and accurate Services to Customer, however, Reputize cannot assure that all relevant hotel reviews, videos, images, blog entries, article postings, references and other information will be found or delivered, or that irrelevant hotel reviews, videos, images, blog entries, article postings, references and other information will not be delivered. From time to time delivery of the Services may be delayed due to scheduled or unscheduled maintenance or factors beyond Reputize’s control, and Reputize’s failure to deliver the Services in such event or events shall not constitute a breach of the Agreement.

1.4 Customer shall provide Reputize with the following prior to the commencement of Services: (i) applicable hotel name(s), (ii) hotel website(s), (iii) the name of Customer’s competitors, and (iv) e-mail addresses of all End Users.

1.5 Customer acknowledges that Reputize aggregates and provides, but does not generate, the content underlying the Services, and that information furnished by Provider represents the opinions of others and may contain inaccuracies, libelous material, profanity, and pornography. Reputize may block certain comments using specific keywords, and Customer will have the ability to control the blocking of key-words.

1.6 Reputize does not guarantee any specific results from the use of the Service.

2. Reputize Surveys.

The following terms apply only to the Reputize Surveys

2.1 The Services may include tablet systems and other hardware installed in Customer facilities. Hardware is configured to be used only with the Services. Hardware may not be reconfigured, used to run any other applications, or used for any other purpose. Customer may purchase the hardware or lease it from Reputize, as specified in the Service Order Form. If leased, all hardware remains the property of Reputize (or its third party equipment provider) and must be returned to Reputize within 15 days following termination of the applicable Services. Customer who does not return the hardware within this time period will be billed Reputize’s cost to replace the hardware.Customer Data may be stored transiently or cached anywhere where Reputize or its agents maintain facilities.

2.2 Certain Services requires the use of Guest Personal Data (as defined in the Privacy Policy). Customer hereby grants Reputize a nonexclusive and nontransferable right to access, use, store and process the Guest Personal Data collected via the Services and otherwise from the Customer, solely for the purposes of providing those Services to Customer during the term of and in accordance with this Agreement.

2.3 Certain Services permit Customer to send email, SMS and other messages to their guests. The sending of commercial messages is regulated by law, including US CAN-SPAM and the Telephone Consumer Privacy Act. Customer acknowledges and agrees that it is responsible for complying with all applicable laws, published rules and policies regarding communication with its guests. Customer represents and warrants that it has obtained written or electronic opt-in permission from each guest to send messages to that guest, and agrees that if a guest opts out of a specific form of messaging from Customer (e.g. SMS), Customer will update the Services accordingly. Customer may not send any messages to a guest through the Services unless such messages are directly related to the type of information the guest has opted-in to receive from Customer. Reputize will notify Customer if it becomes aware of any violation or perceived violation of applicable laws, published rules and policies, and Customer is immediately obligated to correct any actual violation. Reputize may suspend Customer’s use of messaging features in the Services until a violation is cured. The Customer agrees that any email lists that they use to distribute survey invitations are based on an existing relationship with the survey respondent or that the person that owns the email address has agreed to participate in a survey. Customer will remain responsible for ensuring that it complies with all applicable laws, rules and regulations when communicating with its guests via the Services and will keep Reputize fully indemnified in accordance with this Agreement in respect of any breach of this Agreement.

2.4 Customer shall not solicit Respondents by use of means which might reasonably be expected to impair or unduly influence the judgment of the Respondent and therefore the accuracy or veracity of the Respondent’s use of the Application. Practices that are deemed likely to so impair or influence a response include, without limitation:

(i) Compensation payable to the reviewer which is dependent on the content of the response or which constitutes an immoderate incentive;
(ii) Exerting pressure on Respondents to alter or withdraw a response, including through unjustified threat of legal action;
(iii) Offering incentives for positive responses, or for changing negative responses;
(iv) Soliciting or knowingly publishing responses created by people other than hotel guests, or by insiders or other parties affiliated with
Customer; and
(v) Soliciting responses only from guests already identified as satisfied or otherwise likely to post a positive response.
Customer will inform Reputize of the nature and extent of its planned promotions which increase or are intended to increase the volume or nature of responses.

2.5 The Application shall be used for lawful purposes only. No material shall be posted on, transmitted or reproduced by a Customer which violates or infringes in any way upon the rights of others, which is unlawful, threatening, abusive, defamatory, invasive of privacy or publicity rights, vulgar, obscene, profane, indecent or otherwise objectionable, which encourages conduct that would constitute a criminal offense, gives rise to civil liability or otherwise violates any law.

2.6 The Application contains copyrighted material, trademarks and other proprietary information including, but not limited to, text, software, photos, video, graphics, music and sound. Reputize owns the copyright to the selection, coordination, arrangement and enhancement of such content, as well as in the content original to it. Each third party content provider owns the copyright for content original to it. No Customer may modify, publish, transmit, participate in the transfer or sale, create derivative works, reveal or display publicly or in any way exploit, any of the content of the Application, in whole or in part, without the express written permission of Reputize. Except as otherwise expressly permitted under copyright law, no copying, redistribution, publication or commercial exploitation of downloaded material from the Application will be permitted without the express-written permission of Reputize and any other copyright owner. In the event of any permitted copying, redistribution or publication of copyrighted material, no changes in or deletion of author attribution, trademark, legend or copyright notice shall be made. Each Customer acknowledges that he or she does not acquire any ownership rights by downloading copyrighted material.

2.7 No material protected by copyright, trademark or other proprietary right shall be uploaded, posted or otherwise made available by a Customer, including a Respondent, either via the Application or through the use of any other means, without the express permission of the owner of the copyright, trademark or other proprietary right and the burden of determining that any material is not protected by copyright rests with the Customer. The Customer shall be solely liable for any damages resulting from any infringement of copyrights, proprietary rights, or any other harm resulting from any uploading, posting or submission.Each Customer represents and warrants that Customer has ownership or other authority to post any sound, image, text, or other material it posts via the Application. Each Customer hereby grants to Reputize, it's successors, assigns and licensees, an irrevocable, royalty-free license to use, reproduce, modify, adapt, publish, translate, perform, create derivative works from, and display any message or other content of any nature whatsoever, in whole or in part, provided by Customer in the course of, or arising out of, the Application, and to incorporate such content in other works in any form, media or technology now known or hereinafter developed.

2.8 Any Customer that offers rewards or incentives to survey respondents, must in good faith, try to honor this commitment. The Customer must provide information about offering rewards to respondents and comply with all applicable laws and regulations. Reputize has the right to pass all contact information about the Customer on to the survey Respondent.

2.9 Respondents should never provide information that they do not feel comfortable providing to an Customer. Once a Respondent fills out a survey or form through the Application, Customer can download that data and Reputize has absolutely no control over what the Customer does with that data. It is the Respondents responsibility to know what information they are providing, and who they are providing it to.

2.10 The Customer Agreement, Privacy Policy, and other terms of service may be changed without notice by Reputize, and use of the Application constitutes agreement with and acceptance of any such changes.

2.11 The Customer agrees that Reputize’s liability under this Agreement shall be limited to the amount the Customer has paid its use of the Application.

2.12 The Application is intended for survey creators and Respondents of the age of majority. The Application may not be used by, or to collect information from, minor children, according to laws in the minor's locality, without parental permission. Customer shall in no case use the Application to collect information from children under age 13 without parental permission. Customer agrees to defend, indemnify, and hold harmless the Reputize Parties from any liability related to use of the Application in a manner inconsistent with this Agreement.

2.13 CUSTOMER AGREES NOT TO CIRCUMVENT REPUTIZE’S PRIVACY OR SECURITY MEASURES FOR SURVEY TAKERS. If for any reason Customer tries to violate the survey responders' privacy, Customer agrees to hold harmless, defend, and indemnify the Reputize Affiliates for any liability to other Customers or third parties, including all attorney's fees incurred by the Reputize Parties as a result of Customer's actions. This agreement by Customer to defend, indemnify, and hold harmless the Reputize Parties is in addition to any other legal rights or remedies they may have under any other part of this Agreement or under the law.

2.14 Reputize does not guarantee any specific results from the use of the Service.

 

3. Reputize Marketing Tools.

The following terms apply only to the Reputize Marketing Tools:

3.1 The Services may integrate third-party services (for example, Twitter or Facebook) allowing Customer to post information to web sites outside the Services. Customer, and each User, agrees to inform itself of the terms and conditions of each of these integrated third-party services prior to use, and abide by such terms and conditions if Customer utilizes such integrated services.

3.2 Certain Services permit Customers to send email, SMS and other messages to their guests. The sending of commercial messages is regulated by law, including CAN-SPAM and the Telephone Consumer Privacy Act. SMS messaging is further regulated by mobile service carriers (“Carriers”) and by the policies and best practices of the Mobile Marketing Association and the CTIA, which collectively impose requirements regarding the integrity of SMS content and compliance with acceptable use policies. Customer acknowledges and agrees that it is responsible for complying with all applicable laws, published rules and policies regarding communication with its guests. Customer represents and warrants that it has obtained written or electronic opt-in permission from each guest to send messages to that guest, and agrees that if a guest opts out of a specific form of messaging from Customer (e.g. SMS), Customer will update the Services accordingly. Customer may not send any messages to a guest through the Services unless such messages are directly related to the type of information the guest has opted-in to receive from Customer. Reputize will notify Customer if it becomes aware of any violation or perceived violation of applicable laws, published rules and policies, and Customer is immediately obligated to correct any actual violation. Reputize may suspend Customer’s use of messaging features in the Services until a violation is cured. Customer will remain responsible for ensuring that it complies with all applicable laws, rules and regulations when communicating with its guests via the Services and will keep Reputize fully indemnified in accordance with Section 8 of this Agreement in respect of any breach of this Section 6(g).

3.3 No material protected by copyright, trademark or other proprietary right shall be uploaded, posted or otherwise made available by a Customer, including a Respondent, either via the Application or through the use of any other means, without the express permission of the owner of the copyright, trademark or other proprietary right and the burden of determining that any material is not protected by copyright rests with the Customer. The Customer shall be solely liable for any damages resulting from any infringement of copyrights, proprietary rights, or any other harm resulting from any uploading, posting or submission.Each Customer represents and warrants that Customer has ownership or other authority to post any sound, image, text, or other material it posts via the Application. Each Customer hereby grants to Reputize, it's successors, assigns and licensees, an irrevocable, royalty-free license to use, reproduce, modify, adapt, publish, translate, perform, create derivative works from, and display any message or other content of any nature whatsoever, in whole or in part, provided by Customer in the course of, or arising out of, the Application, and to incorporate such content in other works in any form, media or technology now known or hereinafter developed.

3.4 Reputize does not guarantee any specific results from the use of the Service.

4. Third Party Additional Terms

4.1 HolidayCheck. Customer's use of the the Reputize’s integration service with HolidayCheck, which may include associated media, printed materials, and "online" or electronic documentation (individually and collectively, "Products"), provided by Reputize in conjunction with Reputize Services is subject to the terms and conditions set forth here: http://www.holidaycheck.com/terms_of_use.php.

Data Processing and Security Terms

The Customer agreeing to these terms (“Customer”) and Reputize Ltd., (as applicable, “Reputize”) have entered into a Reputize Service License Agreement. These Data Processing and Security Terms, including the Appendices (collectively, the “Terms”) are entered into by Customer and Reputize as of the Terms Effective Date and supplement the Reputize Service License Agreement.

1. Introduction

These Terms reflect the parties’ agreement with respect to terms governing the processing of Customer Personal Data under the Reputize Service License Agreement.

2. Definitions

2.1 Capitalized terms used but not defined in these Terms have the meanings set out in the Reputize Service License Agreement. In these Terms, unless expressly stated otherwise:

Additional Products means products, services and applications (whether made available by Reputize or a third party) that are not part of the Services, but that may be accessible via the Admin Console or otherwise, for use with the Services.

Agreement means the Reputize Service License Agreement, as supplemented by these Data Processing and Security Terms, and as may be further amended from time to time in accordance with the Reputize Service License Agreement.

Customer Personal Data means the personal data that is contained within the Customer Data.

Data Incident means (a) any unlawful access to Customer Data stored in the Services or systems, equipment, or facilities of Reputize or its Subprocessors, or (b) unauthorized access to such Services, systems, equipment, or facilities that results in loss, disclosure, or alteration of Customer Data.

Data Protection Legislation means, as applicable: (a) any national provisions adopted pursuant to the Directive that are applicable to Customer and/or any Customer Affiliates as the controller(s) of the Customer Personal Data; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

Directive means Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

EEA means the European Economic Area.

Reputize Group means those Reputize Affiliates involved in provision of the Services to Customer.

Instructions means Customer’s written instructions to Reputize consisting of the Agreement, including instructions to Reputize to provide the Services as set out in the Agreement; instructions given by Customer via the Admin Console and otherwise in its use of the Services; and any subsequent written instructions given by Customer to Reputize and acknowledged by Reputize.

Model Contract Clauses or MCCs mean the standard contractual clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Safe Harbor Certification means a current certification to the U.S. Department of Commerce Safe Harbor framework requirements as set out at: http://export.gov/safeharbor/eu/eg_main_018475.asp, or any replacement framework or URL from time to time.

Security Measures has the meaning given in Section 6.1 (Security Measures) of these Terms.

Subprocessors means (a) all Reputize Group entities that have logical access to, and process, Customer Personal Data (each, a “Reputize Group Subprocessor”), and (b) all third parties (other than Reputize Group entities) that are engaged to provide services to Customer and that have logical access to, and process, Customer Personal Data (each, a "Third Party Subprocessor").

Third Party Auditor means a qualified and independent third party auditor, whose then-current identity Reputize will disclose to Customer.

2.2 The terms “personal data”, “processing”, “data subject”, “controller” and “processor” have the meanings given to them in the Directive. The terms “data importer” and “data exporter” have the meanings given to them in the Model Contract Clauses.

3. Term

These Terms will take effect on the Terms Effective Date and, notwithstanding expiry or termination of the Reputize Service License Agreement, will remain in effect until, and automatically terminate upon, deletion by Reputize of all data as described in Section 7 (Data Correction, Blocking, Exporting, and Deletion) of these Terms.

4. Data Protection Legislation

The parties agree and acknowledge that the Data Protection Legislation may apply to the processing of Customer Personal Data.

5. Processing of Customer Personal Data

5.1 Controller and Processor. If the Data Protection Legislation applies to the processing of Customer Personal Data, then as between the parties, the parties acknowledge and agree that: (a) Customer is the controller of Customer Personal Data under the Agreement; (b) Reputize is a processor of such data; (c) Customer will comply with its obligations as a controller under the Data Protection Legislation; and (d) Reputize will comply with its obligations as a processor under the Agreement. If under the Data Protection Legislation a Customer Affiliate is considered the controller (either alone or jointly with the Customer) with respect to certain Customer Personal Data, Customer represents and warrants to Reputize that Customer is authorized: (i) to give the Instructions to Reputize and otherwise act on behalf of such Customer Affiliate in relation to such Customer Personal Data as described in these Terms, and (ii) to bind the Customer Affiliate to these Terms. Appendix 1 sets out a description of the categories of data that may fall within Customer Personal Data and of the categories of data subjects to which that data may relate.

5.2 Scope of Processing. Reputize will only process Customer Personal Data in accordance with the Instructions, and will not process Customer Personal Data for any other purpose.

5.3 Additional Products. Customer acknowledges that if it installs, uses, or enables Additional Products, then the Services may allow such Additional Products to access Customer Data as required for the interoperation of those Additional Products with the Services. The Agreement does not apply to the processing of data transmitted to or from such Additional Products. Such Additional Products are not required to use the Services.

6. Data Security; Security Compliance; Audits

6.1 Security Measures. Reputize will take and implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction or accidental loss or alteration, or unauthorized disclosure or access, or other unauthorized processing, as detailed in Appendix 2 (the "Security Measures"). Reputize may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Customer agrees that it is solely responsible for its use of the Services, including securing its account authentication credentials, and that Reputize has no obligation to protect Customer Data that Customer elects to store or transfer outside of Reputize’s and its Subprocessors’ systems (e.g., offline or on-premise storage).

6.2 Security Compliance by Reputize Staff. Reputize will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance.

6.3 Data Incidents. If Reputize becomes aware of a Data Incident, Reputize will promptly notify Customer of the Data Incident, and take reasonable steps to minimize harm and secure Customer Data. Notification(s) of any Data Incident(s) will be delivered to the email address provided by Customer in the Agreement (or in the Admin Console) or, at Reputize’s discretion, by direct Customer communication (e.g., by phone call or an in-person meeting). Customer acknowledges that it is solely responsible for ensuring that the contact information set forth above is current and valid, and for fulfilling any third party notification obligations. Customer agrees that “Data Incidents” do not include: (i) unsuccessful access attempts or similar events that do not compromise the security or privacy of Customer Data, including pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems; or (ii) accidental loss or disclosure of Customer Data caused by Customer’s use of the Services or Customer’s loss of account authentication credentials. Reputize’s obligation to report or respond to a Data Incident under this Section will not be construed as an acknowledgement by Reputize of any fault or liability with respect to the Data Incident.

7. Data Correction, Blocking, Exporting, and Deletion

During the Term, Reputize will provide Customer with the ability to correct, block, export and delete Customer Data in a manner consistent with the functionality of the Services and in accordance with the terms of the Agreement. Once Customer deletes Customer Data via the Services such that the Customer Data cannot be recovered by Customer (the “Customer-Deleted Data”), Reputize will delete the Customer-Deleted Data within a maximum period of 180 days, unless applicable legislation or legal process prevents it from doing so. On the expiry or termination of the Agreement (or, if applicable on expiry of any post-termination period during which Reputize may agree to continue providing access to the Services), after a recovery period of up to 30 days following such expiry or termination, Reputize will thereafter delete the Customer-Deleted Data within a maximum period of 180 days, unless applicable legislation or legal process prevents it from doing so.

8. Access; Export of Data

During the Term, Reputize will make available to Customer the Customer Data in a manner consistent with the functionality of the Services and in accordance with the terms of the Agreement. To the extent Customer, in its use and administration of the Services during the Term, does not have the ability to amend or delete Customer Data (as required by applicable law), or migrate Customer Data to another system or service provider, Reputize will, at Customer’s reasonable expense, comply with any reasonable requests by Customer to assist in facilitating such actions to the extent Reputize is legally permitted to do so and has reasonable access to the relevant Customer Data.

9. Data Privacy Contact for Reputize Services

Reputize’s Data Privacy Contact for Reputize Service can be contacted by Customer administrators at: http://www.reputize.co/contact (or via such other means as Reputize may provide).

10. Data Transfers

10.1 Data Location and Transfers. Reputize may store and process the relevant Customer Data anywhere Reputize or its Subprocessors maintain facilities in accordance with the Service Specific Terms.

10.2 Transfers of Data Out of the EEA. If the storage and processing of Customer Data (as set out in Section 10.1 above) involves transfers of Customer Personal Data out of the EEA, and Data Protection Legislation applies to those transfers, Reputize will:

10.2.1 ensure that the transfers are made in accordance with the Safe Harbor Agreement; and/or

10.2.2 ensure that Reputize Ltd as the data importer of Customer Personal Data enters into Model Contract Clauses with Customer (or an authorized Customer Affiliate) as the data exporter of such data, if Customer so requests, and that the transfers are made in accordance with any such Model Contract Clauses; and/or

10.2.3 adopt an alternative solution that achieves compliance with the terms of the Directive for transfers of personal data to a third country, and ensure that the transfers are made in accordance with such solution.

10.3 Data Center Information. Reputize will make available to Customer information about the countries in which data centers used to store Customer Personal Data are located.

11. Subprocessors

11.1 Subprocessors. Reputize may engage Subprocessors to provide limited parts of the Services, subject to the restrictions in these Terms.

11.2 Subprocessing Restrictions. Reputize will ensure that Subprocessors only access and use Customer Data in accordance with Section 10.1 (Data Location and Transfers) and terms of the Agreement and that they are bound by written agreements that require them to provide at least the level of data protection required by the following, as applicable pursuant to Section 10.2 (Transfers of Data Out of the EEA): (a) any Safe Harbor Certification maintained by Reputize Subprocessors; (b) any Model Contract Clauses entered into by Reputize Ltd and Customer (or an authorized Customer Affiliate); and/or (c) any alternative compliance solution adopted by Reputize.

11.3 Consent to Subprocessing. Customer consents to Reputize subcontracting the processing of Customer Data to Subprocessors in accordance with the Agreement. If the Model Contract Clauses have been entered into as described above, Customer (or, if applicable, an authorized Customer Affiliate) consents to Reputize Ltd subcontracting the processing of Customer Data in accordance with the terms of the Model Contract Clauses.

11.4 Additional Information. the written request of the Customer, Reputize will provide additional information regarding Subprocessors and their locations. Any such requests must be sent to Reputize’s Data Privacy Contact for Reputize Service, the contact details of which are set out in Section 9 (Data Privacy Contact for Reputize Service) above.

11.5 Termination. If the Model Contract Clauses have been entered into by the parties: (i) Reputize will, at least 15 days before appointing any new Third Party Subprocessor, inform Customer of the appointment (including the name and location of such subprocessor and the activities it will perform) either by sending an email to Customer or via the Admin Console; and (ii) if Customer objects to Reputize's use of any new Third Party Subprocessors, Customer may, as its sole and exclusive remedy, terminate the Reputize Service License Agreement by giving written notice to Reputize within 30 days of being informed by Reputize of the appointment of such subprocessor.

12. Liability Cap

If Reputize Ltd and Customer (or an authorized Customer Affiliate) enter into Model Contract Clauses as described above, then, subject to the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability), the total combined liability of Reputize and its Affiliates, on the one hand, and Customer and its Affiliates, on the other hand, under or in connection with the Agreement and all those MCCs combined will be limited to the maximum monetary or payment-based liability amount set out in the Agreement.

13. Third Party Beneficiary

Notwithstanding anything to the contrary in the Agreement, where Reputize Ltd is not a party to the Agreement, Reputize Ltd will be a third party beneficiary of Section 6.5 (Auditing Security Compliance), Section 11.3 (Consent to Subprocessing), and Section 12 (Liability Cap) of these Terms.

14. Priority

Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between these Terms and the remaining terms of the Agreement, these Terms will govern.

Appendix 1: Categories of Personal Data and Data Subjects

1 Categories of Personal Data. Data relating to individuals provided to Reputize via the Services, by (or at the direction of) Customer.

2 Data Subjects. Data subjects include the individuals about whom data is provided to Reputize via the Services by (or at the direction of) Customer.

Appendix 2: Security Measures

As of the Terms Effective Date, Reputize will take and implement the Security Measures set out in this Appendix. Reputize may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

1. Data Center and Network Security

(a) Data Centers.

Infrastructure. Reputize uses geographically distributed data centers. Reputize stores all production data in physically secure data centers.

Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow Reputize to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.

Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

Server Operating Systems. Reputize servers use a Linux based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy.

Businesses Continuity. Reputize replicates data over multiple systems to help to protect against accidental destruction or loss.

(b) Networks and Transmission.

Data Transmission. Data centers are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Reputize transfers data via Internet standard protocols.

External Attack Surface. Reputize employs multiple layers of network devices and intrusion detection to protect its external attack surface. Reputize considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.

Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Reputize intrusion detection involves:

1.tightly controlling the size and make-up of Reputize’s attack surface through preventative measures;

2.employing intelligent detection controls at data entry points; and

3.employing technologies that automatically remedy certain dangerous situations.

Incident Response. Reputize monitors a variety of communication channels for security incidents, and Reputize’s security personnel will react promptly to known incidents.

Encryption Technologies. Reputize makes HTTPS encryption (also referred to as SSL or TLS connection) available.

2. Access and Site Controls

(a) Site Controls.

On-site Data Center Security Operation. Reputize’s stores data at third-party-owned data centers that maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor closed circuit TV (CCTV) cameras and all alarm systems. On-site security operation personnel perform internal and external patrols of the data center regularly.

Data Center Access Procedures. Reputize stores data at third-party-owned data centers that maintains formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers. Only authorized employees and contractors are permitted to request electronic card key access to these facilities. Data center electronic card key access requests must be made through e-mail, and requires the approval of the requestor’s manager and the data center director. All other entrants requiring temporary data center access must: (i) obtain approval in advance from the data center managers for the specific data center and internal areas they wish to visit; (ii) sign in at on-site security operations; and (iii) reference an approved data center access record identifying the individual as approved.

On-site Data Center Security Devices. Reputize’s stores data at third-party-owned data centers that employ an electronic card key and biometric access control system that is linked to a system alarm. The access control system monitors and records each individual’s electronic card key and when they access perimeter doors, shipping and receiving, and other critical areas. Unauthorized activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorized access throughout the business operations and data centers is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centers are alarmed. CCTV cameras are in operation both inside and outside the data centers. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data center building, and shipping/receiving. On-site security operations personnel manage the CCTV monitoring, recording and control equipment. Secure cables throughout the data centers connect the CCTV equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. The surveillance records are retained for up to 30 days based on activity.

(b) Access Control.

Infrastructure Security Personnel. Reputize has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Reputize’s personnel are responsible for the ongoing monitoring of Reputize’s security infrastructure, the review of the Services, and responding to security incidents.

Access Control and Privilege Management. Customer’s administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.

Internal Data Access Processes and Policies – Access Policy. Reputize’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Reputize designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. Reputize employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing RSA keys are designed to provide Reputize with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. Reputize requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with Reputize’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g. credit card data), Reputize uses hardware tokens.

3. Data

(a) Data Storage, Isolation and Logging. Reputize stores data in a multi-tenant environment on third-party-owned servers. The data and file system architecture are replicated between multiple geographically dispersed data centers. Reputize also logically isolates the Customer’s data. The Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable Customer to determine the product sharing settings applicable to Customer End Users for specific purposes. Customer may choose to make use of certain logging capability that Reputize may make available via the Services.

(b) Decommissioned Disks and Disk Erase Policy. Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving Reputize’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.

4. Personnel Security

Reputize personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Reputize conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Reputize’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (eg., certifications). Reputize’s personnel will not process Customer Data without authorization.

5. Subprocessor Security

Prior to onboarding Subprocessors, Reputize conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Reputize has assessed the risks presented by the Subprocessor, then subject to the requirements set out in Section 11.2 (Subprocessing Restrictions) of these Terms, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

EU Model Contract Clauses

By using Reputize Services, you confirm that you (or the legal entity you declare to legally represent) accept these terms as a "data exporter" within the meaning of Commission Decision 2010/87/EU, and if it is determined you (or the legal entity you declare to legally represent) are  not to be a data exporter, the Model Contract Clauses below between the parties will not apply.

You represent and warrant that:

i.you have full legal authority to agree to the terms presented above on behalf of the legal entity accepting these terms;

ii.you have read and understood these terms; and

iii.you agree, on behalf of that entity, to these terms.


Reputize Services

Standard Contractual Clauses (processors)

for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

the non-Reputize legal entity accepting the Clauses (the “Data Exporter”)

And

Reputize Ltd
4-5 Bonhill Str, EC2A4BX London, United Kingdom
(the “Data Importer”)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in Appendix 1.

The Clauses (including Appendices 1 and 2) are effective from the date the non-Reputize entity has executed a valid “Reputize Service License Agreement” with “Data Processing and Security Terms” (collectively the “Services Agreement”) or is otherwise an authorized customer affiliate under such Services Agreemen. A “Reputize Service License Agreement” means a Reputize Service License Agreement entered into with Reputize Ltd. “Data Processing and Security Terms” means terms incorporated by reference in the Reputize Service License Agreement or otherwise subsequently agreed between the parties to that agreement that set forth certain terms in relation to the protection and processing of personal data.  

If you are representing on behalf of the Data Exporter, you represent and warrant that: (i) you have full legal authority to bind your employer, or the applicable entity, to these terms and conditions; (ii) you have read and understand the Clauses; and (iii) you agree, on behalf of the party that you represent, to the Clauses. The Clauses shall automatically expire on the termination or expiry of the Data Processing and Security Terms. The parties agree that where Data Exporter has been presented with these Clauses such presentation shall constitute execution of the entirety of the Clauses by both parties, subject to the effective date described above.

Clause 1

Definitions

For the purposes of the Clauses:

  • (a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘Data Subject’ and ‘Supervisory Authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • (b) ‘the Data Exporter’ means the controller who transfers the personal data;
  • (c) ‘the Data Importer’ means the processor who agrees to receive from the Data Exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC;
  • (d) ‘the Subprocessor’ means any processor engaged by the Data Importer or by any other subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other subprocessor of the Data Importer personal data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  • (e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the Data Exporter is established;
  • (f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

  • The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  • 1. The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  • 2. The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.
  • 3. The Data Subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
  • 4. The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the Data Exporter

The Data Exporter agrees and warrants:

  • (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State
  • (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the Data Exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  • (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  • (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation.
  • (e) that it will ensure compliance with the security measures;
  • (f) that, if the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • (g) to forward any notification received from the data importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;
  • (h) to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • (i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the personal data and the rights of Data Subject as the Data Importer under the Clauses; and
  • (j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the Data Importer[1]

The Data Importer agrees and warrants:

  • (a) to process the personal data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  • (d) that it will promptly notify the Data Exporter about:

·(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

·(ii) any accidental or unauthorised access; and

·(iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;

  • (e) to deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the personal Data Subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • (f) at the request of the Data Exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;
  • (g) to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
  • (h) that, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;
  • (i) that the processing services by the Subprocessor will be carried out in accordance with Clause 11;
  • (j) to send promptly a copy of any Subprocessor agreement it concludes under the Clauses to the Data Exporter.

Clause 6

Liability

  • 1. The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.
  • 2. If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity.The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
  • 3. If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the data Subprocessor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  • 1. The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject;

·(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

·(b) to refer the dispute to the courts in the Member State in which the Data Exporter is established.

  • 2. The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  • 1. The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  • 2. The parties agree that the supervisory authority has the right to conduct an audit of the Data Importer, and of any Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.
  • 3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).
  •  

Clause 9

Governing Law

  • The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.

Clause 10

Variation of the contract

  • The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-Processing

  • 1. The Data Importer may subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor’s obligations under such agreement.
  • 2. The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
  • 3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.
  • 4. The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  • 1. The parties agree that on the termination of the provision of data processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the personal data transferred and the copies thereof to the Data Exporter or shall destroy all the personal data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  • 2. The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Clauses

Data Exporter

  • The Data Exporter is the non-Reputize legal entity that is a party to the Clauses.

Data Importer

  • The Data Importer is Reputize Ltd, a global provider of a variety of technology services for businesses.

Data Subjects

  • The personal data transferred concern the following categories of data subjects: Data subjects include the individuals about whom data is provided to Reputize via the Services by (or at the direction of) Data Exporter.

Categories of data

  • The personal data transferred concern the following categories of data: Data relating to individuals provided to Reputize via the Services by (or at the direction of) Data Exporter.

Special categories of data (if appropriate)

  • The personal data transferred concern the following special categories of data: Data relating to individuals provided to Reputize via the Services by (or at the direction of) Data Exporter.

Processing operations

The personal data transferred will be subject to the following basic processing activities:

  • Scope of Processing.

·The Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Appendix pursuant to the provision of the Services. Personal data may be processed only to comply with Instructions (as defined in the Data Processing and Security Terms). The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its Subprocessors maintain facilities.

  • Term of Data Processing.

·Data processing will be for the term specified in the Data Processing and Security Terms. Such term will automatically terminate upon the deletion by the Data Importer of all data as described in the Data Processing and Security Terms.

  • Data Deletion.

·During the term of the Services Agreement, the Data Importer will provide the Data Exporter with the ability to delete the Data Exporter’s personal data from the Services in accordance with the Services Agreement. After termination or expiry of the Services Agreement, the Data Importer will delete the Data Exporter’s personal data in accordance with the Services Agreement.

  • Access to Data.

·During the term of the Services Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to correct, block, and export the Data Exporter’s personal data from the Services in accordance with the Services Agreement.

  • Subprocessors.

·The Data Importer may engage Subprocessors to provide parts of the Services. The Data Importer will ensure Subprocessors only access and use the Data Exporter’s personal data to provide the Services and not for any other purpose.

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(c) and 5(c) (or document/legislation attached):

The Data Importer currently abides by the security standards in this Appendix 2. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the Services Agreement.

  • 1.Data Center & Network Security.

·(a) Data Centers.

·Infrastructure. The Data Importer stores data in third-party-owned data centers that maintains geographically distributed data centers. The Data Importer stores all production data in physically secure data centers.

·Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow the Data Importer to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.

·Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.

·Server Operating Systems. The Data Importer servers use a Linux based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy.

·Businesses Continuity. The Data Importer stores data in third-party-owned data centers that replicate data over multiple systems to help to protect against accidental destruction or loss. The Data Importer has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

·(b) Networks & Transmission.

·Data Transmission. Reputize stores data in third-party-owned data centers that are typically connected via high-speed private links to provide secure and fast data transfer between data centers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. The Data Importer transfers data via Internet standard protocols.

·External Attack Surface. The Data Importer stores data in third-party-owned data centers that employ multiple layers of network devices and intrusion detection to protect its external attack surface.

·Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. The Data Importer intrusion detection involves:

·1. Tightly controlling the size and make-up of the Data Importer’s attack surface through preventative measures;

·2. Employing intelligent detection controls at data entry points; and

·3. Employing technologies that automatically remedy certain dangerous situations.

·Incident Response. The Data Importer stores data in third-party-owned data centers that monitors a variety of communication channels for security incidents, and The Data Importer’s security personnel will react promptly to known incidents.

·Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS connection) available.

  • 2. Access and Site Controls.

·(a) Site Controls.

·On-site Data Center Security Operation. The Data Importer stores data in third-party-owned data centers that maintain an on-site security operation responsible for all physical data center security functions 24 hours a day, 7 days a week. The on-site security operation personnel monitor Closed Circuit TV (CCTV) cameras and all alarm systems.

·Data Center Access Procedures. The Data Importer stores data in third-party-owned data centers that maintain formal access procedures for allowing physical access to the data centers. The data centers are housed in facilities that require electronic card key access, with alarms that are linked to the on-site security operation. All entrants to the data center are required to identify themselves as well as show proof of identity to on-site security operations. Only authorized employees, contractors and visitors are allowed entry to the data centers.

·On-site Data Center Security Devices. The Data Importer stores data in third-party-owned data centers that employ an electronic card key and/or biometric access control system that is linked to a system alarm.

·(b) Access Control.

·Infrastructure Security Personnel. The Data Importer has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. The Data Importer’s infrastructure security personnel are responsible for the ongoing monitoring of the Data Importer’s security infrastructure, the review of the Services, and responding to security incidents.

·Access Control and Privilege Management. The Data Exporter’s administrators must authenticate themselves via a central authentication system or via a single sign on system in order to administer the Services.

·Internal Data Access Processes and Policies – Access Policy. The Data Importer’s internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. The Data Importer designs its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access.The Data Importer employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing RSA keys are designed to provide the Data Importer with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. The Data Importer requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with The Data Importer’s internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g., credit card data), the Data Importer uses hardware tokens.

  • 3. Data.

·(a) Data Storage, Isolation & Logging.

·The Data Importer stores data in a multi-tenant environment on third-party-owned servers. The data and file system architecture are replicated between multiple geographically dispersed data centers. The Data Importer also logically isolates the Data Exporter’s data, and the Data Exporter will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable the Data Exporter to determine the product sharing settings applicable to end users for specific purposes. The Data Exporter may choose to make use of certain logging capability that the Data Importer may make available via the Services.

·(b) Decommissioned Disks and Disk Erase Policy.

·Certain disks containing data may experience performance issues, errors or hardware failure that lead them to be decommissioned (“Decommissioned Disk”). Every Decommissioned Disk is subject to a series of data destruction processes (the “Disk Erase Policy”) before leaving the Data Importer’s premises either for reuse or destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk’s serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.

  • 4. Personnel Security.

·The Data Importer personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. The Data Importer conducts reasonably appropriate backgrounds checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

·Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, the Data Importer’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling customer data are required to complete additional requirements appropriate to their role (eg., certifications). The Data Importer’s personnel will not process customer data without authorization.

  • 5. Subprocessor Security.

·Prior to onboarding Subprocessors, the Data Importer conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once the Data Importer has assessed the risks presented by the Subprocessor, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

  • 6. Data Privacy Office.

·The Data Privacy Office of the Data Importer can be contacted by the Data Exporter’s administrators at: http://www.reputize.co/contact  (or via such other means as may be provided by the Data Importer). 

Version 1.1


[1] Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

Technical Support Services Guidelines

The following technical support services guidelines ("Guidelines") apply to support services for Customers:

  • Reputize License Agreement
  • Reputize Review Analytics License Agreement
  • Reputize Surveys License Agreement
  • Reputize Marketing ToolsLicense Agreement

entered into by and between Reputize and Customer (as may be applicable, the "Agreement") if that support is committed under the Agreement. Capitalized terms not defined herein have the meaning set forth in the Agreement.


1. Support Request Submission

1.1 Customer Efforts to Fix Errors . Prior to making a request to Reputize, Customer will use reasonable efforts to fix any error, bug, malfunction or network connectivity defect without escalation to Reputize. Thereafter, a Customer Contact may submit a written request for technical support through the Reputize for Support Center.

1.2 Characterization of Requests . Customer designates priority upon submission of Requests. Upon receiving a request, Reputize will determine whether the request is a "Service Unusable," "Standard Request" or a "Feature Request." Any such determination made by Reputize is final and binding on Customer. Reputize reserves the right to change Customer’s priority designation if Reputize believes that Customer’s designation is incorrect and will inform Customer of any such change in its response to the support Request. Customer may appeal any such reclassification to Reputize's Support management for review through any available support channel.

1.3 Procedures for Acknowledgement and Resolution of Requests . When making a Request, Customer will provide all requested diagnostic information and assist Reputize Support Personnel as may be required to resolve a Request.

1.4 Request Acknowledgement . Reputize may respond to a Request by acknowledging receipt of the Request. Customer acknowledges and understands that Reputize may be unable to provide answers to, or resolve all, Requests.

1.5 Feature Requests . If Reputize deems a Request to be a Feature Request, Reputize will log such Request for consideration to add to a future update or release of the Services and will consider the matter closed. Reputize is under no obligation to respond to or resolve any Feature Request or to include any such Feature Request in any future update or release.

1.6 Building Applications . For clarity, Reputize will not have any obligation to write or build any Applications or write code to facilitate Applications.

1.7 Alpha and Beta . Although Reputize has no obligation to provide TSS for Alpha or Beta versions, features, or functionality of the Services, we will consider Requests at these development stages on a case-by-case basis.


2. Accessing Support

2.1 Designated Support Contacts . Customer will provide first-level support to Customer End Users. Reputize will provide second-level support to Customer only. If Customer wishes to change its Designated Contacts, it will notify Reputize via the Reputize for Support Center at least 5 Business Days prior to the change. If on the date these updated Guidelines were first posted Customer has more Designated Contacts than are set forth under the applicable Support level under Section 4 below, the current Contacts will continue to be allowed until the expiration of the current license term for the applicable Services under the Agreement.

2.2 Support Hours and Target Initial Response Times . Reputize will process Requests during the Hours of Operation, unless otherwise indicated in these Guidelines. Any Requests received outside of the Hours of Operation will be logged and processed during the next Business Day.


3. General Provisions

3.1 Maintenance . To ensure optimal performance of the Services, Reputize performs periodic Maintenance. In most cases, Maintenance will have limited or no negative impact on the availability and functionality of the Services. If Reputize expects planned Maintenance to negatively affect the availability or functionality of the Services, Reputize will use commercially reasonable efforts to provide at least 7 days advance notice of the Maintenance. In addition, Reputize may perform emergency unscheduled Maintenance at any time. If Reputize expects such emergency unscheduled Maintenance to negatively affect the availability or functionality of the Services, Reputize will use commercially reasonable efforts to provide advance notice of such Maintenance. Maintenance notices noted above will be provided via the Reputize for Support Center.

3.2 Language Support Generally . The parties agree that all support provided by Reputize pursuant to these Guidelines will be provided in the English language except as set forth in Section 3.3 below.



5. Definitions

5.1 "Business Day" means any day during the Hours of Operation.

5.2 "Business Hours" means 09:00 to 17:00 on Monday to Friday GMT except for regional holidays.

5.3 "Designated Contacts" means administrators or technical employees designated by Customer who are allowed to contact Reputize for technical support.

5.4 "Feature Request" means a Request by a Contact to incorporate a new feature or enhance an existing feature of the Services that is currently not available as part of the existing Services.

5.5 Reputize for Support Center is currently located at http://www.reputize.co/profile/support (or such other URL that may be provided by Reputize).

5.6 "Reputize Support Personnel" mean the Reputize representatives responsible for handling technical support requests.

5.7 "Hours of Operation" means 17:00 on Sunday to 17:00 on Friday GMT, except for holidays in local time for each region documented in the Reputize for Support Center.

5.8 "Maintenance" means maintenance work that is performed on hardware or software delivering the Services.

5.9 "Request" means a request from a designated Contact to Reputize Support Personnel for technical support to resolve a question or problem report regarding the Services.

5.10 "Services" are defined in the Agreement.

5.11 "Service Unusable" is any situation where Customer, adhering to published technical guidelines for and documented correct usage of the Services, is unable to access or use the Services for the majority of its Customer End Users for a period of time greater than fifteen (15) minutes.

5.12 "Standard Request" means a Request made by Customer to Reputize that is not a Service Unusable Request or Feature Request.

5.13 "Priority" means the level of impact a Request is having on Customer’s operations and is used to establish initial target response times.

Hotel Reputation Management.