Cloud Data Synchronization bandwidth

End-User License Agreement

Last Updated: [dd/mm/yyyy]

This End-User License Agreement (this "Agreement") is between the individual or entity accepting it (the "End User" or "you") and [please insert the full name of the vendor] ("Company"), and governs your acquisition of Company's product or services provided via Alibaba Cloud International Marketplace Platform  (currently located at the URL: https://marketplace.alibabacloud.com/ ) and described in the Order Form (the "Company Products and/or Services") and your use of such Company Products and/or Services.

Please read this Agreement carefully before downloading, installing, or using the Company Products and/or Services. By downloading, installing, or using the Company Products and/or Services, you are agreeing to be bound by the terms and conditions of this Agreement. This Agreement, together with the Order Form, represents the entire agreement concerning the Company Products and/or Services between you and Company and supersedes any prior understanding or agreement between the parties. If you do not agree to the terms of this Agreement, do not download, install, or use the Company Products and/or Services. You shall inform all users of the Company Products and/or Services of the terms and conditions of this Agreement. You agree that all updates, enhancements, maintenance releases, patches, bug-fixes or other modifications to the Company Products and/or Services provided to you, on a when and if available basis, shall be governed by the terms and conditions contained in this Agreement.

Any pre-printed terms or conditions on a quote, purchase order, or similar document and/or written agreement, mutually executed by the parties, that incorporates by reference this Agreement ("Order Form") that conflict with this Agreement shall be null and void. This Agreement may be superseded only by a mutually signed amendment to this Agreement.

1. Licenses
   1. Grant of License. Subject to the terms and conditions of this Agreement, Company grants to End User a time-based, non-transferable, nonexclusive license during the Term, without the right to sublicense, to: a) use the Company Products and/or Services during the Term and subject to payment of the fees set forth in the Order Form; and b) use any Documentation solely in connection with the use of the Company Products and/or Services in accordance with this Agreement and make a reasonable number of copies of the Documentation for such purpose. "Documentation" means: (i) Company's user guide for the Company Products and/or Services, and (ii) Company's written specification documents for the Company Products and/or Services. 

Except as expressly set forth in this Section 1.1, End User shall have no right to use, install, reproduce or distribute the Company Products and/or Services or Documentation.

1. 2. License Restrictions. Other than as expressly set forth herein, End User shall have no right to (i) modify or otherwise prepare derivative works of the Company Products and/or Services or Documentation, or any portion thereof, (ii) rent, lease, loan, sublicense, sell or otherwise distribute the Company Products and/or Services or Documentation, (iii) except as expressly permitted by applicable law, reverse engineer or decompile the Company Products and/or Services, or otherwise attempt to derive or modify the source code of, or any processes, techniques, methods, specifications, protocols, algorithms, interfaces, data structures, or other information embodied or used in, the Company Products and/or Services; (iv) transfer or assign your rights to use the Company Products and/or Services; (v) use the Company Products and/or Services in violation of applicable laws or regulations; (vi) use the Company Products and/or Services for any purpose other than as permitted in this Agreement; or, (vii) remove, destroy, erase, alter or otherwise modify Company’s trademarks.  
   3. Open-Source Software Licenses. End User acknowledges that portions of the Company Products and/or Services are subject to additional licenses that you shall be obligated to obtain separately from this Agreement.
   4. End User Data.  "End User Data" means all of End User's information and data, including any software applications, application data, and other information, transferred to Company in connection with the use of the Company Products and/or Services. You represent and warrant that you own or have the right to use all End User Data that you provide to Company in connection with the use of the Company Products and/or Services. You hereby grant to Company a license to use any End User Data that you provide to Company in connection with the use of the Company Products and/or Services solely for the purposes of providing the services as set forth in this Agreement. 
2. Warranty
   1. Warranty. Company warrants to End User that during the Term, the Company Products and/or Services will be free of Errors. Company's sole obligation for a breach of this warranty will be to use its commercially reasonable efforts to correct the Error identified in such notice, provided that if Company is unable to correct any emergency Error or high severity Error within thirty (30) days of receiving notice from End User reporting such Error, End User will have the right to terminate this Agreement, the Order Form, any Company's then-current support terms that govern Support Services, as set forth, if applicable, in the Order Form or other separate agreement ("Support Terms") and all other exhibits and amendments executed by the parties and attached to the Order Form for a refund of a pro-rated portion of any services fees and support and maintenance fees actually paid by End User for the remainder of the then-current Term. "Error" means a material failure of the Company Products and/or Services to operate in accordance with the functional specifications for the Company Products and/or Services set forth in the applicable Documentation.
   2. Limitations. Notwithstanding the foregoing, the warranty in Section 2.1 and Company's obligations set forth in Section 2.1 will not apply: (i) to the extent that an Error is due to causes that are external to the Company Products and/or Services or otherwise beyond Company's reasonable control, including, without limitation, natural disasters, fire, smoke, water, earthquakes, lightening, electrical power fluctuations or failures, or hardware or software not provided by Company; (ii) if the Company Products and/or Services has been misused and/or not used in compliance with the Documentation or this Agreement; (iii) if there has been a modification or attempted modification of the Company Products and/or Services other than by Company; or (iv) if End User has refused or otherwise failed to implement corrections, updates, enhancements, new releases or other modifications provided by Company.
   3. Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH IN SECTION 2.1, COMPANY MAKES NO OTHER REPRESENTATIONS, WARRANTIES OR CONDITIONS, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, WITH RESPECT TO THE COMPANY PRODUCTS AND/OR SERVICES, THE DOCUMENTATION, OR ANY OTHER PRODUCTS OR SERVICES PROVIDED BY COMPANY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR DELAYS OR INTERRUPTION IN SERVICE RESULTING FROM USE OF THE INTERNET AND/OR TELECOMMUNICATIONS SERVICES NOT UNDER THE CONTROL OF COMPANY. THE COMPANY PRODUCTS AND/OR SERVICES ARE NOT WARRANTED TO OPERATE WITHOUT INTERRUPTION OR FAILURE. THE COMPANY PRODUCTS AND/OR SERVICES SHOULD ONLY BE USED IN SYSTEMS DESIGNED WITH APPROPRIATE REDUNDANCY, FAULT TOLERANCE AND BACK-UP FEATURES.
3. Support. Company provides paid support and maintenance services purchased separately from this Agreement in connection with the Company Products and/or Services ("Support Services") pursuant to the Support Terms, for the period set forth in the Order Form and commencing on the date set forth in the Order Form.
4. Limitations of Liability
   1. Maximum Liability. To the maximum extent enforceable under applicable law, other than for payment of license and service fees pursuant to this Agreement, the entire liability of each party hereto and their respective affiliates to the other party and its affiliates for damages or other amounts arising out of or in connection with the Company Products and/or Services, the Documentation, any other products or services provided by Company, the use of any of the foregoing or any other aspect of this Agreement shall not exceed the total amount actually paid by End User for the Company Products and/or Services and any other products and services provided under this Agreement in the twelve (12) month period immediately preceding the event giving rise to such claim.
   2. Waiver of Consequential Damages. TO THE MAXIMUM EXTENT ENFORCEABLE IN ACCORDANCE WITH APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY OR THEIR RESPECTIVE AFFILIATES BE LIABLE TO THE OTHER PARTY OR ITS AFFILIATES FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL, EXEMPLARY, PUNITIVE OR SPECIAL DAMAGES, OR ANY DAMAGES FOR LOST PROFITS OR REVENUE, LOST DATA OR LOST BUSINESS, EVEN IF SUCH PARTY HAS BEEN ADVISED AS TO THE POSSIBILITY OF SUCH DAMAGES.
   3. Loss of Use or Data. IN ADDITION TO THE LIABILITY LIMITATIONS SET FORTH ABOVE, TO THE MAXIMUM EXTENT ENFORCEABLE IN ACCORDANCE WITH APPLICABLE LAW, UNDER NO CIRCUMSTANCES WILL COMPANY OR ITS AFFILIATES BE LIABLE TO END USER, ANY RESELLER, THEIR RESPECTIVE AFFILIATES OR ANY OTHER PERSON OR ENTITY FOR ANY CLAIM, LOSS OR LIABILITY FOR INTERRUPTION IN THE OPERATION OF THE COMPANY PRODUCTS AND/OR SERVICES OR FOR ANY LOSS OF DATA THAT OCCURS AS A RESULT OF OR IN CONNECTION WITH THE USE OF THE COMPANY PRODUCTS AND/OR SERVICES, REGARDLESS OF WHETHER SUCH CLAIM, LOSS OR LIABILITY WAS FORESEEABLE BY COMPANY OR COMPANY WAS INFORMED OF THE POSSIBILITY OF SUCH CLAIM, LOSS OR LIABILITY.
   4. Disclaimers. THE LIMITATIONS IN THIS SECTION 4 SHALL APPLY NOTWITHSTANDING ANY FAILURE OF AN ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. THE PARTIES ACKNOWLEDGE THAT BUT FOR THE FOREGOING DISCLAIMER, THE FEES CHARGED FOR THE COMPANY PRODUCTS AND/OR SERVICES WOULD BE HIGHER AND COMPANY WOULD NOT HAVE ENTERED INTO THIS AGREEMENT. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR CERTAIN LIMITATIONS ON DAMAGES, SO A PORTION OF THE ABOVE EXCLUSIONS MAY NOT APPLY TO END USER. IN THE EVENT THAT IMPLIED WARRANTIES CANNOT BE EXCLUDED, ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS FROM THE DATE OF DELIVERY OF THE COMPANY PRODUCTS AND/OR SERVICES. THIS AGREEMENT GIVES END USER SPECIFIC LEGAL RIGHTS. END USER MAY HAVE OTHER RIGHTS, WHICH VARY FROM JURISDICTION TO JURISDICTION.
5. Third-Party Rights
   1. Indemnification by Company. Subject to this Section 5, Company shall (i) defend End User from any claim asserted in a legal proceeding by a third party alleging that the then-current release of the Company Products and/or Services, in the form provided by Company to End User and used in compliance with Section 1 and the Documentation, infringes such third party's copyright, trade secret, patent or other intellectual property rights (a "Claim") and (ii) pay all liabilities, damages, losses, expenses, claims, demands, suits, fines, and judgments finally awarded against End User associated with such Claim ("Damages"), or any amount agreed to by Company in settlement of such Claim ("Settlement Payments"); provided that End User promptly notifies Company of any such Claim in writing, Company is given sole and exclusive control over the defense and settlement of such Claim, and End User provides all information and cooperation reasonably requested by Company in connection with the defense and settlement of such Claim. If Company assumes defense of the Claim, End User may retain its own counsel only at its own expense.
   2. Fixes. If any portion of the Company Products and/or Services becomes, or in Company's opinion is likely to become, the subject of a claim of infringement, Company may, at its option, (i) procure for End User the right to continue using the Company Products and/or Services, (ii) replace or modify the Company Products and/or Services to make it non-infringing or reduce the likelihood of infringement, such that the replacement or modification provides substantially the functionality required of the Company Products and/or Services that is replaced or modified, or (iii) terminate this Agreement and, as Company's sole liability and End User's sole remedy for such termination, refund to End User a pro-rated portion of any license fees and support and maintenance fees actually paid by End User hereunder for the remainder of the then-current term or scope of the license.
   3. Indemnification by End User. End User will defend Company against any claim, demand, suit or proceeding made or brought against Company by a third party alleging that End User Date or End User's use of the Company Products and/or Services in breach of this Agreement, infringes or misappropriates such third party's intellectual property rights or violates applicable law (a "Claim Against Company"), and will indemnify Company from any damages, attorney fees and costs awarded against Company as a result of, or for any amounts paid by Company in settlement of, a Claim Against Company, provided Company promptly notifies you of any such Claim Against Company in writing, End User is given sole and exclusive control over the defense and settlement of such Claim Against Company, and Company provides all information and cooperation reasonably requested by you in connection with the defense and settlement of such Claim Against Company. If End User assumes defense of the Claim, Company may retain its own counsel only at its own expense.
   4. Limitations. Notwithstanding any of the foregoing, Company shall have no obligations under this Section 5 with respect to any Claim to the extent that the alleged infringement is based on or arises out of: (i) any third-party hardware, software, data or other materials not provided or recommended by Company and used with the Company Products and/or Services; (ii) use of the Company Products and/or Services other than in accordance with this Agreement and the Documentation; (iii) modifications or additions to the Company Products and/or Services not made by Company; or (iv) End User's continuation of an allegedly infringing activity after being notified thereof.
   5. No Other Liabilities. This Section 5 states the entire liability of Company with respect to any claims of infringement or misappropriation of intellectual property rights.
6. Proprietary Rights

End User acknowledges that, other than open source software, Company has retained and shall retain all right, title and interest (including, without limitation, all intellectual property rights) in and to the Company Products and/or Services and Documentation, including all modifications, improvements and additions thereto and all derivative rights therein.

End User acknowledges that Company shall remain exclusive owner of any and all developments and designs made in the course of this Agreement by use of the Company Products and/or Services, and Company shall own and retain all right, title, interest, and any intellectual property rights attached thereto.

End User grants to Company a worldwide, limited-term license to host, copy, and transmit End User Data, and any non-Company applications and programs provided by you, as necessary for Company to provide the Company Products and/or Services and or support service in accordance with this Agreement. Subject to the foregoing limited license, Company acquires no right, title or interest from you under this Agreement in or to End User Data.

7. Confidentiality

"Information" means, subject to the exceptions set forth in Section 7.3 below, all financial and technical information, data, designs, specifications, know-how, non-public marketing strategies, business and marketing plans, price lists, inventions, processes, software programs, firmware, source code, algorithms, and other technical and business information and all documents and materials, supplied in connection with this Agreement or the Company Products and/or Services, which at the time of disclosure is designated as confidential (or similar designation), is disclosed in circumstances of confidence, or would be understood by the parties, exercising reasonable business judgment, to be confidential.

7. 1. Company Information. Except as otherwise expressly provided in this Section 7.1, End User shall protect and keep confidential all Company Information. End User shall use Company Information only for the purposes contemplated by this Agreement. End User may disclose Company Information only (i) as necessary for its use of the Company Products and/or Services in accordance with this Agreement, (ii) to End User's employees or third-party contractors who have agreed in writing to maintain such information in confidence; or (iii) if required to do so by subpoena, court order or legal process, provided that Company is provided sufficient written notice to request a protective order.
   2. End User Information. Right to Disclose. Except as otherwise expressly provided in this Section 7.2, Company shall protect and keep confidential all End User Information and shall use End User Information only for the purposes contemplated in this Agreement and for purposes of improving and enhancing the Company Products and/or Services. Company may disclose End User Information only (i) as necessary to support End User's use of the Company Products and/or Services in accordance with this Agreement, (ii) to Company's employees or third-party contractors who have agreed in writing to maintain such information in confidence; or (iii) if required to do so by subpoena, court order or legal process, provided that End User is provided sufficient written notice to request a protective order.
   3. Exceptions. Sections 7.1 and 7.2 shall not apply to Information of the disclosing party that (i) is or becomes generally available to the public other than through a wrongful act of the receiving party; (ii) is or becomes available to the receiving party on a non-confidential basis from a source that is entitled to disclose it to the receiving party; or (iii) is independently developed by the receiving party, its employees or third-party contractors without access to or use of the disclosing party's Information
   4. Company Products and/or Services; Documentation. End User acknowledges that the Company Products and/or Services and Documentation constitute Company Information.
   5. Data Processing. In respect of any personal data processed by Company in connection with the provision of the Company Products and/or Services, both parties shall comply with the provisions of Schedule 1 Data Processing Addendum, which are hereby incorporated by reference into this Agreement.
8. Duration, Termination and Fees
   1. Duration. "Term" shall commence on the earlier of the date this Agreement is accepted by End User or the start date set forth in the Order Form, and shall continue for the term set forth in the Order Form or for as long as you use the Company Products and/or Services. Company shall provide the services and the license rights granted herein for the Term. End User and Company may extend or renew the services upon written agreement.
   2. Fees & Charges. End User shall pay all license fees, service fees and other charges set forth in an Order Form according to the terms of the Order Form and this Agreement. Any failure to pay such fees and charges shall constitute a material breach of this Agreement.
   3. Termination for Breach. Either party shall be entitled to terminate this Agreement in the event the other party commits a material breach of this Agreement and fails to cure such breach within thirty (30) days of being notified in writing of such breach.
   4. Discontinued Use. Upon any expiration or termination of this Agreement or the Order Form, End User shall immediately (i) discontinue use of the Company Products and/or Services and Documentation and (ii) remove, delete and otherwise destroy all copies (electronic or otherwise) of the Company Products and/or Services and Documentation. 
   5. Effect of Termination. Termination of this Agreement by either party shall not act as a waiver of any breach of this Agreement and shall not act as a release of either party from any liability for breach of such party's obligations under this Agreement.
   6. Survival. Upon any expiration or termination of this Agreement, the rights and obligations of the parties shall terminate, except that Sections 1.2, 2.3, 4, 5, 6, 7, 8.4 and 9 shall survive such expiration or termination. End User's liability and obligation to pay any fees or other amounts that have accrued prior to such expiration or termination will also survive such expiration or termination.
9. Miscellaneous
   1. Governing Law and Jurisdiction. This Agreement will be governed by the laws of Singapore without regard to any rules governing conflicts of laws. The parties agree that any dispute or claim arising out of, in connection with or relating to this Agreement shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with its arbitration rules for the time being in force.
   2. Acknowledgement. Both parties acknowledge that the Company Products and/or Services on Alibaba Cloud International Website are provided and uploaded by the Company itself, and the Company is solely and fully responsible and liable for such Company Products and/or Services. Furthermore, the parties acknowledge that Alibaba Cloud International Marketplace Platform and its owner: (i) have no access to Information and End User Data; (ii) will not process any Information or End User Data; and (iii) are not liable to the parties, either directly or indirectly, with respect to the Company Products and/or Services.

Schedule 1 Data Processing Addendum

This Data Processing Addendum ("DPA") is entered into between [Insert applicable Customer entity] ("Customer") on behalf of itself and its affiliates and [Insert ISV name] ("Vendor") and shall be effective on the date both parties have executed the DPA ("Effective Date").  

Recitals

1. Vendor has entered into an End User Licence Agreement with Customer (the "Services Agreement") pursuant to which the Vendor has agreed to provide certain services to Customer as more particularly described in the Services Agreement ("Services"). In providing the Services, Vendor may Process Personal Data controlled by Customer or its customers.
2. As part of its privacy notices and contractual arrangements, Customer has provided certain assurances to its customers, candidates, contacts, employees, and/or partners to ensure the appropriate protection of Personal Data when Customer engages third party vendors. Customer’s engagement of Vendor is conditioned upon Vendor’s agreement to this DPA.

IT IS AGREED:

1. Definitions:  The following terms shall have the following meanings:
   1. 1. 1. "Applicable Privacy Laws" means any and all national, international, federal, state and other privacy and data protection laws that apply to the Processing of Personal Data that is the subject of this DPA;
         2. "Controller" means an entity that determines the purposes and means of the Processing of Personal Data;
         3. "Data Subject" means an identified or identifiable individual;
         4. "Personal Data" means any information relating to an identified or identifiable individual (including any information that falls within the scope of "Personal Data", "personal information", or "personally identifiable information", as defined under Applicable Privacy Laws);
         5. "Processing" (and "Process") means any operation or set of operations performed on Personal Data; and
         6. "Processor" means an entity that Processes Personal Data on behalf of a Controller.
2. Relationship of the parties:  Customer (either as a Controller, or as a Processor acting on behalf of a third party Controller, such as an enterprise customer of Customer) appoints Vendor (as a Processor or sub-Processor, as applicable) to Process the Personal Data described in Appendix 1 ("Customer Data") in order to provide Services pursuant to the Services Agreement.  
3. Purpose limitation:  Vendor shall Process Customer Data as a Processor (or sub-Processor, as applicable) as necessary to perform its obligations under the Services Agreement, and as more particularly described in Appendix 1. In doing so, it shall Process Customer Data strictly in accordance with the documented instructions of Customer, except where and to the extent otherwise required by law(s) applicable to Vendor provided that such law(s) are not incompatible with Applicable Privacy Laws.  In no event shall Vendor Process Customer Data for its own purposes or those of any third party.  Vendor shall immediately inform Customer if in its opinion, an instruction of Customer infringes Applicable Privacy Laws or any other applicable laws.
4. International transfers:  Vendor shall not Process Customer Data (nor permit Customer Data to be Processed) in a territory that is different to the territory in which Vendor is established, unless it has obtained prior written authorisation from Customer and takes such measures as are necessary to ensure the transfer of Customer Data to, and Processing of Customer Data in, the recipient territory complies with Applicable Privacy Laws.
5. Security:  Vendor shall implement appropriate technical and organisational measures to protect Customer Data from and against (a) accidental unauthorised or unlawful destruction, and (ii) loss, unauthorised copying, alteration, unauthorised disclosure or disposal of, or access to Customer Data (a "Security Incident").  At a minimum, such measures shall include those identified in Appendix 2.  
6. Security Incidents: Vendor shall report any Security Incident (including suspected Security Incident) without undue delay to Customer and, at no additional cost, provide such assistance as Customer may reasonably require for the purposes of complying with its obligations under applicable law relating to the incident.  Vendor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all developments in connection with the Security Incident.  Vendor shall not report any Security Incidents to any other third party, except where and to the extent required by law(s) applicable to Vendor (and, where so required, Vendor shall notify Customer prior to making such report, unless legally prohibited from doing so).
7. Sub-Processing: Vendor shall not subcontract any Processing of Customer Data to a third party sub-Processor without the prior written consent of Customer.  Notwithstanding this, Customer consents to Vendor engaging third party sub-Processors to Process Customer Data provided that: (i) Vendor provides at least 30 days' prior notice of the addition or removal of any sub-Processor (including details of the Processing it performs or will perform) [which may be given by posting details of such addition or removal at the following URL: [insert URL]]; (ii) Vendor imposes data protection terms on any sub-Processor it appoints that protect Customer Data to the same standard provided for by this DPA; and (iii) Vendor remains fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-Processor. A list of approved sub-Processors as at the Effective Date is attached at Appendix 3, and Vendor shall maintain and provide updated copies of this list to Customer when it adds or removes sub-Processors in accordance with this DPA.  If Customer refuses to consent to Vendor's appointment of a third party sub-Processor on grounds relating to the protection of Customer Data, then either Vendor will not appoint the sub-Processor or Customer may elect to suspend or terminate the Services Agreement without penalty.
8. Cooperation and Data Subjects' rights:  Vendor shall at no additional cost provide to Customer all reasonable and timely assistance (including by appropriate technical and organisational measures) to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its data protection rights (including its rights of access, correction, objection, erasure and data portability etc., in accordance with Applicable Privacy Laws); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of Customer Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Vendor, Vendor shall promptly inform Customer providing full details of the same without responding, except where and to the extent require by law(s) applicable to the Vendor.
9. Confidentiality of Processing:  Vendor shall ensure that any person that it authorises to Process Customer Data (including Vendor's staff, agents and sub-Processors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to Process Customer Data who is not under such a duty of confidentiality. Vendor shall ensure that all Authorised Persons Process Customer Data only as necessary for the Permitted Purpose.
10. Data Protection Impact Assessment [Can be deleted if GDPR or UK GDPR does not apply]:  If Vendor believes or becomes aware that its Processing of Customer Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Customer. Vendor shall provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment in accordance with Applicable Privacy Laws including, if necessary, to assist Customer to consult with its relevant data protection authority.
11. Deletion or return of Customer Data:  Upon termination or expiry of the Services Agreement, Vendor shall (at Customer's election) destroy or return to Customer all Customer Data (including all copies of Customer Data) in its possession or control (including any Customer Data subcontracted to a third party for Processing) and provide a confirmation/statement to Customer in written.  
12. Audit [This clause is mandatory if GDPR is applicable. It is not legally required under US or Singapore law]:  Vendor shall permit, at no additional cost, Customer (or its appointed third party auditors) to audit Vendor's compliance with this DPA, and shall make available to Customer all information, systems and staff necessary for Customer (or its third party auditors) to conduct such audit.
13. Indemnity:  Vendor shall indemnify Customer any and any of their officers, directors, employees, consultants, agents and other representatives from and against all losses, costs, harm, expenses (including reasonable legal fees and costs, interparty damages and settlement amounts), liabilities or damage ("Damage") suffered or incurred as a result of any data incident involving Customer’s data, breach of this DPA or of applicable law by Vendor or its sub-contractors, provided that: (i) Customer gives the Vendor prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this Clause; and (ii) Customer takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Vendor's breach.
14. Jurisdiction-specific terms:  The parties acknowledge that Appendix 4 sets out certain jurisdiction-specific terms and conditions, organised by country or region under section headings, that reflect the requirements of local privacy and data protection laws that may apply to Vendor's Processing of the Customer Data pursuant to the Services Agreement.  Accordingly, both parties agree that they shall comply with their relevant section of Appendix 4 that apply to the Processing of Customer Data pursuant to the Services Agreement.
15. Relationship between the Services Agreement and this DPA: The parties intend and agree that this DPA shall be incorporated into, and form an integral part of, the Services Agreement.  Accordingly, with effect from the Effective Date, this DPA shall amend the Services Agreement to the extent necessary to incorporate this DPA into the Services Agreement.  Except where expressly stated otherwise in this DPA, this DPA shall be subject to the terms and conditions of the Services Agreement (excluding any exclusions or limitations of liability) in full.  To the extent there is any conflict or inconsistency between this DPA and the Services Agreement, the terms of this DPA shall prevail.  Further, to the extent there is any conflict or inconsistency between the body and appendices of this DPA, the appendices shall prevail.

Signed by the parties or their duly authorised representatives:

Appendix 1

Data Processing Description

This Appendix 1 describes the Processing that the Vendor will perform on behalf of Customer.

Appendix 2

Minimum Security Measures

Vendor shall at a minimum ensure the following security measures:

• Information security policy:  Vendor will implement and adhere to a written information security policy that specifies the security standards it will apply to protect the Personal Data it processes in accordance with this DPA. The information security policy will mandate the use of appropriate technical and organisational security measures in the Vendor's organisation to protect Personal Data against unauthorised and unlawful processing and against accidental loss, damage or destruction.  It will further describe the measures to be taken in the event of an actual or suspected data or security breach.  
• Information security officer:  Vendor will appoint a duly skilled employee with responsibility for ensuring the security of Personal Data processed by Vendor in its organisation and for reviewing, maintaining and updating the Vendor's information security policy.  
• Physical security:  Access to data processing facilities will be restricted to duly authorised employees and contractors by use of keys, fingerprint readers, or other electronic security measures.  
• Firewall and anti-virus:  Vendor will implement appropriate firewall, anti-virus, anti-spyware and other anti-malware software and technologies on all networks and systems it uses to process Personal Data.  Vendor will update its firewall, anti-virus, anti-spyware and other anti-malware software and technologies on a regular basis to ensure that they protect against then-current virus, spyware and other malware threats.
• Access controls:  Vendor will implement technical access controls that restrict access to Personal Data it processes to duly authorised employees and contractors only.  Duly authorised employees and contractors will be permitted to access Personal Data only to the extent necessary for the performance of their duties.  Vendor will identify and appoint a system administrator with overall responsibility for granting, changing or voiding data access privileges to its data processing systems.  
• Usernames / passwords:  Access to Personal Data will be controlled through access privileges (described above), usernames and confidential passwords.  No two employees or contractors may share or use the same username.  Employees and contractors will be required to change their passwords on a regular basis and at least once every six months.  All employee passwords must be at least eight characters, including a minimum of one uppercase letter and one numeral.
• Back-up:  Vendor will take regular, at least weekly, back-ups of the Personal Data that it processes on behalf of Customer.  Data back-ups will be stored securely at an offsite location and will be available for data restoration within a reasonable period of time.
• Disaster recovery / business continuity:  Vendor will implement and adhere to appropriate disaster recovery and business continuity plans that will ensure the availability, security, integrity and (where necessary) restoration of the Personal Data on the occurrence of a force majeure or similar business interruption event.  Vendor will provide a copy of its disaster recovery and business continuity plans to Customer upon request.
• Power loss:  Vendor's data processing systems will protect against loss, destruction or damage of Personal Data due to failure or interference of any power supply.
• Audit:  Vendor will audit its compliance with its information security policy on a regular basis.  Any remedial measures identified as necessary following an audit will be reviewed and implemented as appropriate under the circumstances.

Also describe the specific technical and organisational measures to be taken by Vendor (as Processor) to be able to provide assistance to Customer.

Appendix 3

Approved Sub-Processors

 [List (or link to a list of) any approved sub-Processors of Vendor here.]

Appendix 4
(Jurisdiction-Specific Terms)

This Appendix 4 sets out jurisdiction-specific terms and conditions with which the parties must comply.  Capitalised terms used in this Appendix 4 shall have the meanings given to them in the main body of this DPA, except where expressly indicated otherwise.

Section I
(EU/UK Data Protection Terms)

1. Scope and conflicts:  Where and to the extent that Customer Data Processed by Vendor pursuant to the Services Agreement is subject to EU/UK Data Protection Law, this Appendix 4, Section I shall apply.  
2. Definitions:  The following terms shall have the following meanings:
   1. 1. 1. "Controller", "Processor", "Data Subject", "Personal Data" and "Processing" (and "Process") shall have the meanings given in EU/UK Data Protection Law;
         2. "EEA" means the European Economic Area;
         3. "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
         4. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
         5. "Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").  
16. Restricted transfers:  The parties agree that when the transfer of Customer Data from Customer to Vendor is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
    1. 1. 1. in relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i)      Module Two will apply (where Customer is a Controller of Customer Data);

(ii)    Module Three will apply (where Customer is a Processor of Customer Data on behalf of a third party Controller);

(iii) in Clause 7, the optional docking clause will apply;

(iv) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor changes shall be as set out in Clause 7 of this DPA;

(v)     in Clause 11, the optional language will not apply;

(vi) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of The Netherlands;

(vii) in Clause 18(b), disputes shall be resolved before the courts of The Netherlands;

(viii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Appendix 4;  and

(ix) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Appendix 4.

1. 1. 1. 2. in relation to Customer Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:

(i) For so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between Customer (which, where Customer is a processor it enters for the benefit of the relevant third party controller) and the Vendor on the following basis:

1. 1. 1. 1. 1. 1. Appendix 1 shall be completed with the relevant information set out in Annex I to this Appendix 4;
               2. Appendix 2 shall be completed with the relevant information set out in Annex II to this Appendix 4; and
               3. the optional illustrative indemnification Clause will not apply.

(ii) Where sub-clause (b)(i) above does not apply, but Customer and the Vendor are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:

1. 1. 1. 1. 1. 1. the EU SCCs, completed as set out above in clause 3(a) of this Section I shall also apply to transfers of such Customer Data, subject to sub-clause (B) below;

1. 1. 1. 1. 1. 4. the UK Addendum shall be deemed executed between the transferring Customer and the Vendor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Customer Data.

(iii) If neither sub-clause (b)(i) or  sub-clause (b)(ii) applies, then Customer and the Vendor shall cooperate in good faith to implement appropriate safeguards for transfers of such Customer Data as required or permitted by the UK GDPR without undue delay; and

16. 1. 1. 3. in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
17. Onward transfers:  Vendor shall not participate in (nor permit any sub-Processor to participate in) any other Restricted Transfers of Customer Data (whether as an exporter or an importer of Customer Data) unless: (i) it has first obtained Customer's prior written consent; and (ii) the Restricted Transfer is made in full compliance with EU/UK Data Protection Law and pursuant to Standard Contractual Clauses implemented between the exporter and importer of Customer Data.
18. Deletion or return of Customer Data:  Clause 9 of this DPA shall not apply to the extent that Vendor is required by any applicable EU or any EU Member State law (for Customer Data that is subject to the EU GDPR) or UK law (for Customer Data that is subject to the UK GDPR) to retain some or all of Customer Data, in which event Vendor shall isolate and protect Customer Data from any further Processing except to the extent required by such law until deletion is possible.

Annex I

Data Processing Description

This Annex I forms part of the DPA and describes the Processing that Vendor will perform on behalf of Customer (as Controller and/or Processor).

A. LIST OF PARTIES

Data exporter(s):

Processor(s) / Data importer(s):

В. DESCRIPTION OF TRANSFER 

Please see the description provided in Appendix 1 of this DPA.

C. COMPETENT SUPERVISORY AUTHORITY