This Data Processing Addendum (the “Addendum”) is effective as of the Effective Date of the Platform Services Agreement between AIX and Customer and is coterminous with such Platform Services Agreement (the “PSA”) or, if AIX and Customer have not entered into a PSA, then this Data Processing Addendum is effective as of the Customer’s acceptance of the Terms and Conditions of Platform Services Agreement (“Terms and Conditions”) and is coterminous with such Terms and Conditions. This Addendum supplements the PSA and/or the Terms and Conditions, as applicable, and provides additional terms agreed to by the Parties. Capitalized terms used herein and not otherwise defined shall have the meanings attributed to them in the PSA and/or the Terms and Conditions, as applicable.
In consideration of the mutual covenants, terms, and conditions set forth herein and in the PSA, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, and intending to be legally bound, the Parties agree as follows:
- Definitions. The following terms shall have the following meanings:
1.1. “Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use certain Systems (including, without limitation, User IDs used to access the Customer Account).
1.2. “AIX Systems” means the information technology infrastructure used by, and in the possession, custody, or control of, AIX (or its service providers) in connection with the provision of the Platform or the Services, including all computers, software, hardware, databases, electronic systems (including database management systems), and networks, whether operated directly by AIX or through the use of third-party service providers.
1.3. “Customer Systems” means the information technology infrastructure used by Customer or its Authorized Users to use and access the Platform or Services, including all computers, software, hardware, databases, electronic systems (including database management systems), and networks, whether operated directly by Customer or its Authorized Users or through the use of third-party service providers, but excluding the AIX Systems.
1.4. “Data” means Platform Data and/or the Customer Data, as applicable context dictates.
1.5. “Harmful Code” means any software, hardware, or other technology, device, or means, including any virus, worm, malware, or other malicious computer code, the purpose or effect of which is to permit unauthorized access to, or to destroy, disrupt, disable, distort, or otherwise harm or impede in any manner any (i) computer, software, firmware, hardware, system, or network; or (ii) any application or function of any of the foregoing or the security, integrity, confidentiality, or use of any data Processed thereby.
1.6. “Systems” means the AIX Systems and/or the Customer Systems, as applicable context dictates.
1.7. “Term” means the term of the PSA.
1.8. “Territory” means the United States and the District of Columbia including, without limitation, the United States’ possessions and territories.
- Systems. Each Party has and will retain sole control over the operation, provision, maintenance, and management of its respective Systems. Customer shall have sole responsibility and liability for all access to and use of the AIX Systems (whether authorized or not) by Customer or its Authorized Users. Customer shall, and shall ensure its Authorized Users, hold in strict confidence any Access Credentials and shall not (and shall ensure its Authorized Users do not) share, disclose, or otherwise provide such Access Credentials to any other person or entity. Customer shall be responsible and liable for all acts and omissions of its Authorized Users as if such acts and omissions were performed by Customer and a breach of any term or condition of this Addendum by an Authorized User shall constitute a breach by Customer.
- License Grants.
3.1. Platform Data. Customer may have access to data, databases, files, materials, information, and other content through the Platform and the Services or in connection with the Additional Services including, without limitation, Personally Identifiable Information, product performance information, and accompanying data, documents and materials, in each case that may be produced by AIX or by third parties (including other Platform Users) or made available by AIX via the Platform (collectively, and excluding Customer Data, the “Platform Data”). Any derivatives, translations, modifications, enhancements, or alterations of the Platform Data, whether made by AIX or Customer (or Customer’s Authorized Users) shall also constitute Platform Data. Subject to and conditioned on Customer’s (and its Authorized Users’) compliance with all terms and conditions of this Addendum and the Agreement, AIX hereby grants to Customer and its Authorized Users a limited, non-exclusive, non-sublicensable, non-transferable (subject to Section 11(i) of the PSA), fully paid up, right and license during the Term and solely in the Territory, to use, modify, and enrich the Platform Data solely for Customer’s internal business purposes as needed for Customer and its Authorized Users to (a) use the Platform and receive the benefit of the Services (solely as made available by AIX) to effectuate transactions and complete Transaction Packages in compliance with applicable Laws, (b) as needed for Customer to perform its duties or obligations under the PSA, the Terms and Conditions, or this Addendum, and (c) to provide a Customer client (“Client”) information associated with the Client’s account (collectively, the “Customer Permitted Use”). 
Except as expressly set forth herein, the foregoing license grant expressly excludes any right to prepare derivative works of, or to otherwise modify, alter, translate, change the Platform Data or to combine the Platform Data with or incorporate the Platform Data into other information, data, or materials, unless agreed to in writing by AIX or except to the extent such functionality is expressly made available by AIX via the Platform and, then, only to the extent Customer is compliant with applicable Laws. AIX is not responsible for the accuracy or completeness of any Platform Data. By accessing the Platform, Customer and its Authorized Users agree that AIX and its affiliates are not liable, directly or indirectly, for any damages resulting from the use of or reliance on any Platform Data. Except as expressly provided in the Agreement or this Addendum, Customer is granted no rights in or to the Platform Data, the rights in which are expressly reserved by, as applicable, AIX and its third-party licensors.
3.2. Customer Data. Customer will be solely responsible for all data, information and other content, documents, and materials that Customer or any Customer Authorized User may provide, upload, transmit or otherwise make available to AIX, including through the use of the Platform (“Customer Data”). Customer grants to AIX all rights and licenses in and to Customer Data necessary for AIX to provide the Services and Additional Services under the Agreement (including any Customer Data obtained from authorized third parties), and as needed for AIX to exercise its rights, or perform its duties or obligations, under the Agreement, all such rights and licenses on a non-exclusive, irrevocable, fully sublicensable, fully transferable, royalty free, and worldwide basis. As between the Parties, Customer owns and retains all of the ownership rights in and to all Customer Data. Customer represents, warrants and covenants that: (i) none of Customer Data or AIX’s or its Representatives’ (or any authorized third party’s (including any authorized Platform User’s)) use thereof as contemplated by the Agreement or any EUAA violates or will violate any Law, or infringes upon, misappropriates or violates or will infringe upon, misappropriate, or violate any IPR or other rights of any third party, including without limitation any right of privacy; (ii) Customer has all necessary right, title, interest, consents and authorizations including, without limitation, any authorizations required from any financial or other counterparties, intermediaries or agents and any consents required pursuant to any Data Security Laws, necessary to allow AIX to use Customer Data as necessary to provide the Services and Additional Services and to otherwise perform its duties and obligations, and exercise its rights, under the Agreement, and to make available same to AIX’s Representatives and to authorized third parties (including authorized Platform Users) and to permit such third parties to use, display, modify, and enrich such Customer Data as contemplated by the Agreement (including, for example, as needed to effectuate a transaction, prepare a Transaction Package, or obtain approved Reports and Analyses); (iii) the Customer Data will be accurate and complete; and (iv) the Customer Data will not be obscene, threatening, libelous or otherwise unlawful, illegal or tortious. Customer will promptly provide AIX with any updates to Customer Data. AIX will not be responsible or liable for any deletion, correction, destruction, damage, loss, or failure to store or back up any Customer Data, except to the extent such liability arises out of AIX’s knowing or willful misconduct.
- Restrictions on Use and Access.
4.1. Specific Restrictions. Except as expressly permitted pursuant to the Agreement or this Addendum, Customer shall not, nor shall Customer permit any person or entity to, access or use the AIX Systems or Platform Data. Without limiting the generality of the foregoing, Customer shall (and shall ensure its Authorized Users do) not, except as the Agreement or the Addendum expressly permits or to the extent the following restrictions are prohibited per applicable Law, directly or indirectly:
4.1.1. copy, modify, or create derivative works or improvements of the AIX Systems or Platform Data;
4.1.2. use the Platform Data for any purpose other than the Customer Permitted Use, unless otherwise expressly agreed to in writing by AIX;
4.1.3. rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available any Platform Data, Access Credentials, or the AIX Systems to any person or entity including, without limitation, on or in connection with the internet or any time-sharing, service bureau, software as a service, cloud, or other technology or service;
4.1.4. reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to the source code or source of the Platform Data, Access Credentials provided by AIX, or the AIX Systems, in whole or in part;
4.1.5. bypass or breach any security device or protection used by the AIX Systems or access or use the AIX Systems, Access Credentials provided by AIX, or Platform Data other than as expressly authorized by AIX and only by an Authorized User through the use of his or her own then-valid Access Credentials using the functionality made available by AIX;
4.1.6. input, upload, transmit, or otherwise provide to or through the AIX Systems, any information or materials that are unlawful or injurious, or contain, transmit, or activate any Harmful Code;
4.1.7. damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the AIX Systems, in whole or in part;
4.1.8. remove, delete, alter, or obscure any trademarks, warranties, or disclaimers, or any copyright, trademark, patent, or other IPR notices from any Platform Data (including any copy thereof);
4.1.9. access or use the AIX Systems in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any third party, or that violates any applicable Law;
4.1.10. access or use the AIX Systems or Platform Data for purposes of competitive analysis, the development, provision, or use of a competing software service or product or any other purpose that is to AIX’s detriment or commercial disadvantage;
4.1.11. publish, enhance, or display any compilation or directory based upon information derived from the Platform Data; or
4.1.12. otherwise access or use the Platform Data, Access Credentials provided by AIX, or AIX Systems beyond the scope of the authorization granted by AIX under the Agreement, this Addendum, or otherwise expressly in writing.
4.2. Corrective Action. If Customer becomes aware of any actual or threatened activity prohibited by Section 4.1, Customer shall, and shall cause its Authorized Users to, immediately: (a) take all reasonable and lawful measures within their respective control that are necessary to stop the activity or threatened activity and to mitigate its effects (including, where applicable, by discontinuing and preventing any unauthorized access to the AIX Systems, Access Credentials provided by AIX and Platform Data, and permanently erasing from their systems and destroying any data to which any of them have gained unauthorized access); and (b) notify AIX of any such actual or threatened activity.
- Intellectual Property.
5.1. Ownership of Platform Data. Customer acknowledges that, as between the Parties, AIX owns all rights, title, and interest including, without limitation, IPR, in and to the Platform Data (other than the limited rights granted to Customer hereunder). To the extent Customer acquires any rights, title, or interests including, without limitation, IPR, in and to the Platform Data, to the fullest extent permitted per applicable Law, Customer hereby assigns, transfers, and conveys to AIX, for no additional consideration, all rights, title, and interests including, without limitation, IPR, in and to such Platform Data immediately and automatically upon such Platform Data coming into existence or upon Customer’s acquisition of any such rights. To the extent such assignment is invalid or unenforceable for any reason, Customer hereby grants to AIX a non-exclusive, fully paid up, perpetual, irrevocable, fully sublicensable, fully transferable, worldwide right and license to make, use, have made, offer for sale, sell, import, export, advertise, market, promote, reproduce, distribute, display, perform, prepare derivative works of, and otherwise commercially exploit such Platform Data for any reason or no reason, in AIX’s sole discretion.
5.2. Ownership of Customer Data. AIX acknowledges that, as between the Parties, Customer owns all rights, title, and interest including, without limitation, IPR, in and to the Customer Data.
5.3. Reservation of Rights. Each Party reserves all rights not expressly granted to the other Party. Except for the limited rights and licenses expressly granted under the Agreement and this Addendum, nothing in the Agreement or this Addendum grants, by implication, waiver, estoppel, or otherwise, to any Party or any third party any intellectual property rights or other right, title, or interest in or to the Data.
- Confidentiality and Data Security.
6.1. Confidential Information. The Customer understands and agrees that the Platform Data constitutes AIX’s Confidential Information and is a special, valuable, and unique asset to AIX. AIX understands and agrees that the Customer Data constitutes Customer’s or its Authorized Users’ Confidential Information and is a special, valuable, and unique asset to Customer or such Authorized Users. For itself and, with respect to Customer, on behalf of each of the Customer Authorized Users, each Party hereby agrees to the following:
6.1.2. If a Party faces legal action or is subject to legal proceedings requiring disclosure of the other Party’s Data, then, prior to disclosing any such Data, such Party shall promptly notify the other Party (to the extent not prohibited per applicable Law) and, upon the other Party’s request, shall cooperate with such Party in contesting such request or, as a last resort, obtaining a protective order with respect to such Data;
6.1.3. Except as expressly set forth in the Agreement or this Addendum, no license under any patents, copyrights, mask rights or other IPR is granted or conveyed to a Party in the other Party’s Data;
6.1.4. Customer shall be responsible for all risk or loss arising out of its use of the Platform Data and agrees that AIX shall have no liability resulting from the use or misuse of the Platform Data by Customer or its Authorized Users; and
6.1.5. Notwithstanding any other provision of this Addendum, neither Party shall export or re-export any of the other Party’s Data or any commodities using such other Party’s Data to any country to which the United States government forbids export or, at the time of export, requires an export license or approval, without first obtaining such license or approval and approval by the other Party. Customer shall not transfer Platform Data outside of the Territory.
6.2. Data Security. Each Party further agrees as follows with respect to data security and data privacy:
6.2.1. Compliance with Data Security Laws. Each Party agrees to abide by any and all applicable Laws, including, but not limited to, any and all applicable Data Security Laws, and all revisions or amendments thereto (whether existing prior to the effective date or effective thereafter) concerning the use or Processing of Data. Customer will ensure its Authorized Users comply with all applicable Data Security Laws, and all revisions and amendments thereto (whether existing prior to or after the Effective Date).
6.2.2. Standard of Care. Each Party shall exercise the utmost care in the collection, handling, storage, Processing, use, transmission, disclosure, importing, exporting, and/or maintenance of the other Party’s Data, and except as expressly set forth in the Agreement or this Addendum, shall hold and maintain (and cause to be held and maintained) such other Party’s Data in strict confidence. Customer shall be solely liable for the unauthorized collection of or access to or disclosure, distribution, Processing, use or transmission of Platform Data in Customer’s possession, custody or control (including, without limitation, on any Customer Systems) and/or in the possession, custody or control of any Authorized Users. Other than as expressly authorized in this Addendum or the Agreement, Customer agrees that it will not share, disclose, or transmit to any person or entity, or otherwise grant any person or entity access to, any Platform Data that is Personally Identifiable Information unless (a) such person or entity agrees, in writing, to abide by data security obligations at least as restrictive as set forth in this Addendum and as required to be compliant with applicable Law; and (b) Customer obtains AIX’s express, written consent before doing so, which consent will not be unreasonably withheld.
6.2.3. Protection of Data. Each Party shall, and Customer will ensure its Authorized Users, implement administrative, technical, and physical safeguards appropriate to such Party’s, person’s, or entity’s size, complexity and scope of activities to protect the other Party’s Data from unauthorized use, access, or disclosure and, notwithstanding the generality of the foregoing, as needed to (a) reasonably protect the security, integrity, availability, and confidentiality of the other Party’s Data in such Party’s possession, custody, or control; (b) reasonably protect against anticipated threats or hazards to the security or integrity of the other Party’s Data or such Party’s Systems; (c) reasonably protect against destruction, loss, alteration or unauthorized access to or use of the other Party’s Data; (d) encrypt the other Party’s Data during storage and transmission thereof (including, without limitation, when stored on laptops or mobile devices or transmitted over the internet); (e) maintain a comprehensive information security program to protect the other Party’s Data from unauthorized access, use, modification, publication, theft, disclosure or transmission; (f) maintain appropriate technical and organizational measures to protect the other Party’s Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure; (g) take measures to secure the transmission, storage and disposal of the other Party’s Data; (h) implement authentication and access controls to ensure that the other Party’s Data is made available only to persons or entities as expressly permitted pursuant to the Agreement or this Addendum; (i) take measures not to co-mingle the other Party’s Data with other information or data, except as needed to provide or receive the Services or perform associated transactions or as otherwise permitted in the Agreement or this Addendum; (j) conduct risk assessments, penetration tests and vulnerability analyses and promptly implement appropriate safeguards and take appropriate measures to mitigate any risks evident from such testing or scans; (k) appropriately train employees and other personnel as to how to handle Personally Identifiable Information, the Data Security Laws and industry standards; (l) establish appropriate procedures to ensure the integrity of such Party’s Representatives; and (m) otherwise comply with applicable Laws.
6.2.4. Security Breach Obligations. Each Party acknowledges that certain applicable Laws (including certain Data Security Laws) may include certain provisions obligating owners, processors, controllers and licensees of Personally Identifiable Information to provide notice of Security Breaches, including any unauthorized access to or use of such information, to, among others, the individuals whose Personally Identifiable Information was accessed, disclosed or used in an unauthorized manner (the “Security Breach Laws”). If a Party becomes aware of any circumstance that may trigger either Party’s obligations under the Security Breach Laws, such Party shall promptly—and no more than three (3) days after becoming aware of such circumstance—provide notice to the other Party of such circumstance and the facts surrounding same. Moreover, each Party shall provide commercially reasonable cooperation to the other Party as needed for each Party to carry out its obligations under the Security Breach Laws (if any). Notwithstanding anything else to the contrary in the Agreement or this Addendum, each Party shall bear all direct costs of notification under the Security Breach Laws and arising out of any Security Breaches for any Data in such Party’s possession, custody, or control, or to the extent any Security Breach is caused, directly, or indirectly, by the acts or omissions of such Party (or, with respect to Customer, its Authorized Users), whether such costs are incurred by AIX, Customer, or Customer’s Authorized Users, including, but not limited to, all costs associated with printing, mailing, provision of a call center, and provision of credit monitoring services in appropriate circumstances. 
Further, each Party shall, at its cost and expense, use its best efforts to promptly contain and mitigate the effects of any Security Breach and to prevent any reoccurrence of any Security Breach, and shall preserve all logs, documents, records and other materials relating to any Security Breach and such Party’s actions in investigating, remedying and/or mitigating same.
6.2.5. Oversight. Upon the reasonable request of a Party, the other Party shall provide to the requesting Party documentation reasonably necessary for the requesting Party to confirm that the other Party is compliant with its duties and obligations under this Addendum, which provided documentation shall constitute the Confidential Information of the providing Party. Customer agrees that AIX shall be deemed to be compliant with this Section 6.2.5 if AIX provides to Customer, upon Customer’s reasonable request (not to exceed once in any 12-month period), a summary of AIX’s SOC-2 compliance audit results.
6.2.6. GLBA Compliance and Data Subject Rights. Notwithstanding anything to the contrary in the Addendum, in no event shall Customer use or disclose Platform Data for Customer’s or any third party’s marketing purposes. Furthermore, in the event a natural person who is the subject of any Data (a “Data Subject”) requests that a Party delete, modify, provide information concerning, restrict the Processing of, or destroy such Data Subject’s Personally Identifiable Information, the Party receiving such notice shall promptly, and in any event within ten (10) days, notify the other Party of such request. The Parties shall work together in good faith to fully comply with any such requests to the extent required per applicable Data Security Laws and within any applicable deadlines.
6.3. Return or Destruction of Data. Except to the extent a Party is required to retain Data in order to comply with applicable Laws or, with respect to AIX, except to the extent AIX may retain Customer Data in order to perform its duties or obligations, or exercise its rights, under the Agreement or as needed for AIX to comply with its internal document retention policies, in which case the obligations under this Addendum, in each case, shall remain in full force and effect, each Party shall return, destroy and/or purge (and Customer shall cause its Customer Authorized Users to so return, destroy and/or purge) the other Party’s Data (a) when such Data is no longer needed for such Party’s legitimate business or legal purposes; (b) promptly at such other Party’s request; (c) as required per applicable Law; or (d) in any event, upon termination or expiration of the Agreement. The foregoing provision shall apply to all documents, memoranda, notes and other tangible embodiments whatsoever prepared by a Party (or, with respect to Customer, its Customer Authorized Users) based on or which includes the Data of the other Party. Each Party shall certify in writing by an authorized representative that all of the other Party’s Data has been so returned, destroyed and/or purged upon the other Party’s request. Each Party shall comply with all applicable data disposal Laws in performing their duties or obligations under this Section.
6.4. Survival. The provisions in this Section 6 shall survive termination or expiration of the Agreement for any reason (a) with respect to any trade secrets comprising the Data, for so long as such trade secrets are protected as such per applicable Laws; (b) with respect to Personally Identifiable Information comprising the Data, for so long as such is protectable or protected under or as otherwise required per applicable Law; and (c) with respect to any other Data not falling within (a) or (b), for (i) a period of five (5) years from termination or expiration of this Agreement; or (ii) the longest time permitted per applicable Law, whichever is shorter.
- Effect of Termination. Upon expiration or termination of this Addendum for any reason, all non-perpetual rights and licenses granted by any Party hereunder shall automatically terminate and be revoked (except to the extent such rights and licenses must continue in effect in order for a Party to exercise any surviving rights under this Agreement), each Party shall promptly return, destroy, or erase the other Party’s Data as set forth herein, and each Party shall destroy all Access Credentials of the other Party and immediately cease (and ensure its Authorized Persons cease) all use or accessing of the other Party’s Systems.
- Further Assurances. On a Party’s reasonable request, the other Party shall, at the requesting Party’s sole cost and expense, execute and deliver all such documents and instruments, and take all such further actions, as may be necessary to give full effect to this Addendum.