TERMS OF SERVICE
Effective as of Jan 1st 2023.
These Terms of Service together with its Exhibits (the "Agreement") are entered into by and between TRIFFT ME s.r.o., a Slovak limited liability company, ID No. 50948997, with its seat at Jozefská 17, 811 06 Bratislava, Slovakia, registered in the Business Register of the District Court Bratislava I under Section Sro, Insert No. 120553/B (the "Provider") and the entity or person placing an order for or accessing any Services (the "Customer"). The Agreement consists of the terms and conditions set forth below, any attachments or exhibits identified below and all Order Forms (as defined below) that reference this Agreement.
The "Effective Date" of this Agreement is the date which is the earlier of (a) Customer's initial access to any Services (as defined below) or (b) the effective date of the first Order Form referencing this Agreement.
1. DEFINITIONS
Other than the terms defined in the body of this Agreement, these terms have the following meaning:
"Affiliate" means any entity under the control of a Party where "control" means ownership of or the right to direct greater than 50% of the voting securities of such entity.
"Beta Offerings" mean pre-release services, features, or functions identified as alpha, beta, preview, early access, or words or phrases with similar meanings.
"Code" means React, React Native or JavaScript code, software development kits (SDKs), or other code provided by the Provider for deployment on Customer Properties.
"Contractor" means an independent contractor or consultant of the Customer who is not a competitor of the Provider.
"Customer Data" means any data of any type that is submitted to the Services by or on behalf of the Customer, including without limitation data submitted, uploaded, or imported to the Services by the Customer (including from Third-Party Platforms).
"Customer Properties" mean Customer's websites, servers, apps, or other offerings owned and operated by (or for the benefit of) Customer through which Customer uses the Services.
"Dashboard" means Provider's user interface for accessing and administering the Services that Customer may access via the web.
"DPA" means the data processing addendum attached hereto as Exhibit A.
"Documentation" means the technical user documentation provided with the Services.
"Feedback" means comments, questions, suggestions, or other feedback relating to the Services, but excluding any Customer Data.
"Initial Term" means a set term designated in an Order Form during which the Services are provided to the Customer.
"Intellectual Property Rights" include all valid patents, trademarks, copyrights, trade secrets, moral rights, feedback, and other intellectual property rights, as may exist now or hereafter come into existence, and all renewals and extensions thereof, and all improvements to any of the foregoing, regardless of whether any of such rights arise under the laws of any state, country, or other jurisdiction.
"Laws" mean all applicable local, state, federal, and international laws, regulations, and conventions.
"Order Form" means a written or electronic form to order the Services referencing this Agreement. Upon execution by the authorized parties each Order Form will be subject to the terms and conditions of this Agreement.
"Party" means either the Provider or the Customer; "Parties" means both the Provider and the Customer.
"Permitted User" means an employee or a Contractor of the Customer or its Affiliate who is authorized to access the Services.
"Renewal Term" means successive periods equal in length to the Initial Term, each beginning at the end of the then-current Subscription Term.
"Sensitive Personal Information" means any of the following: (i) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards ("PCI DSS"); (ii) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act ("HIPAA"), if applicable; or (iii) any other personal data of an EU citizen deemed to be in a "special category" (as identified in the EU General Data Protection Regulation or any successor Laws).
"Services" mean the Provider's proprietary software-as-a-service solution, including all products, services, and software provided by the Provider to the Customer.
"Subscription Term" means either the Initial Term or then-current Renewal Term.
"Support" means standard technical support and maintenance as further set forth under the Service Level Agreement attached to the Order Form (if applicable).
"Taxes" mean any sales, use, GST, value-added, withholding, or similar taxes or levies, whether domestic or foreign, other than taxes based on the income of the Provider.
"Third-Party Platform" means any software, software-as-a-service, data sources or other products or services not provided by the Provider that are integrated with or otherwise accessible through the Services.
2. PROVIDER SERVICES
2.1. Provision of Services. The Services are provided on a subscription basis for a Subscription Term. The Customer will purchase, and the Provider will provide the Services identified and agreed upon in the applicable Order Form.
2.2. Access to Services. The Customer may access and use the Services solely for its own benefit and in accordance with the terms and conditions of this Agreement, the Documentation, and any scope of use restrictions designated in the applicable Order Form. Use of and access to the Services is permitted only by Permitted Users. If Customer is given API keys or passwords to access the Services on the Provider's systems, the Customer will require that all Permitted Users keep API keys, user ID and password information strictly confidential and not share such information with any unauthorized person. User IDs are granted to individual, named persons, and may not be shared. If the Customer is accessing the Services using credentials provided by a third party (e.g., Google), then the Customer will comply with all applicable terms and conditions of such third-party regarding provisioning and use of such credentials. The Customer will be responsible for all actions taken using Customer's accounts and passwords. If a Permitted User who has access to a user ID is no longer an employee or Contractor of the Customer, then the Customer will promptly delete such user ID and otherwise terminate such Permitted User's access to the Services.
2.3. Contractors and Affiliates. The Customer may permit its Affiliates and Contractors to serve as Permitted Users, provided the Customer remains responsible for compliance by such individuals with all the terms and conditions of this Agreement, and all use of the Services by such individuals is for the sole benefit of the Customer.
2.4. General Restrictions. The Customer will not (and will not permit any third party to): (a) rent, lease, provide access to, or sublicense the Services to a third party; (b) use the Services to provide, or incorporate the Services into, any product or service provided to a third party; (c) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code or non-public APIs of the Services, except to the extent expressly permitted by applicable law (and then only upon advance notice to the Provider); (d) copy or modify the Services or any Documentation, or create any derivative work from any of the foregoing; (e) remove or obscure any proprietary or other notices contained in the Services (including notices on any reports or data printed from the Services); or (f) publicly disseminate information regarding the performance of the Services.
2.5. Provider APIs. If the Provider makes access to any APIs available as part of the Services, the Provider may monitor the Customer's usage of such APIs and limit the number of calls or requests Customer may make if the Provider believes that the Customer's usage is in breach of this Agreement or may negatively affect the security, operability or integrity of the Services (or otherwise impose liability on the Provider).
2.6. Apps. To the extent the Provider provides applications for use with the Services (the "Apps"), subject to all the terms and conditions of this Agreement, the Provider grants to the Customer a limited, non-transferable, non-sublicensable, non-exclusive license only during an applicable Subscription Term to use the object code form of the Apps internally, but only in connection with the Customer's use of the Services and otherwise in accordance with the Documentation and this Agreement.
2.7. Deployment of the Code. Subject to all the terms and conditions of this Agreement, the Provider grants to the Customer a limited, non-transferable, non-sublicensable, non-exclusive license only during an applicable Subscription Term to copy the Code in the form provided by the Provider on Customer Properties solely to support the Customer's use of the Services and otherwise in accordance with the Documentation and this Agreement. The Customer may need to implement the Code on the Customer Properties to enable features of the Services. The Customer will implement all the Code in strict accordance with the Documentation and other instructions provided by the Provider. The Customer acknowledges that any changes made to the Customer Properties after initial implementation of the Code may cause the Services to cease working or function improperly and that the Provider will have no responsibility for the impact of any such change.
2.8. Trial Subscriptions. If the Customer receives free access or a trial or evaluation subscription to the Services (a "Trial Subscription"), then the Customer may use the Services in accordance with the terms and conditions of this Agreement for a period of fourteen (14) days or such other period granted by the Provider (the "Trial Period"). Trial Subscriptions are permitted solely for the Customer's use to determine whether to purchase a paid subscription to the Services. Trial Subscriptions may not include all functionality and features accessible as part of a paid Subscription Term. If the Customer does not enter into a paid Subscription Term, this Agreement and the Customer's right to access and use the Services will terminate at the end of the Trial Period. The Provider has the right to terminate a Trial Subscription at any time for any reason. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, THE PROVIDER WILL HAVE NO WARRANTY, LIABILITY, INDEMNITY, SUPPORT, OR OTHER OBLIGATIONS WITH RESPECT TO TRIAL SUBSCRIPTIONS.
2.9. Beta Offerings. From time to time, the Provider may make Beta Offerings available to the Customer at no charge. The Customer may elect to try such Beta Offerings in its sole discretion. Beta Offerings are intended for evaluation purposes and not for production use, are not supported, and may be subject to additional terms. Beta Offerings are not considered "Services" under this Agreement; however, all restrictions, the Provider's ownership rights and the Customer's obligations concerning the Services shall apply to them. Unless otherwise stated or communicated to the Customer, any Beta Offerings trial period will expire on the date that a version of the Beta Offerings becomes generally available without the applicable Beta Offerings designation. The Provider may discontinue Beta Offerings at any time in its sole discretion and may never make them generally available. Beta Offerings may be modified at any time without notice. Beta Offerings may not be as reliable or available as the Services, and may not be subject to the same security requirements as set out in the Security Policy (as defined below).
3. CUSTOMER DATA
3.1. Data Processing by the Provider. All data processing activities by the Services will be governed by the DPA.
3.2. Rights in Customer Data. As between the parties, the Customer will retain all right, title, and interest (including all Intellectual Property Rights) in and to the Customer Data as provided to the Provider. Subject to the terms of this Agreement, the Customer hereby grants to the Provider a non-exclusive, worldwide, royalty-free right to use, copy, store, transmit, modify, and display the Customer Data solely to the extent necessary to provide the Services to the Customer.
3.3. Storage of Customer Data. The Provider does not provide an archiving service. The Provider agrees only that it will not intentionally delete any Customer Data from the Services prior to termination of the Customer's applicable Subscription Term and expressly disclaims all other obligations with respect to storage.
3.4. Customer Obligations.
a) In General. The Customer is solely responsible for the accuracy, content, and legality of all Customer Data. The Customer represents and warrants to the Provider that the Customer has all necessary rights, consents, and permissions to collect, share, and use all Customer Data as contemplated in this Agreement (including granting the Provider the rights in Section 3.2 (Rights in Customer Data)) and that no Customer Data will violate or infringe (i) any third party Intellectual Property Rights or publicity, privacy, or other rights, (ii) any Laws, or (iii) any terms of service, privacy policies or other agreements governing Customer's accounts with any Third-Party Platforms. The Customer further represents and warrants that all Customer Data complies with the Agreement. The Customer will be fully responsible for all Customer Data submitted to the Services by any person as if it was submitted by the Customer.
b) No Sensitive Personal Information. Except as otherwise expressly agreed between the Parties in writing, the Customer specifically agrees not to use the Services to collect, store, process, or transmit any Sensitive Personal Information. The Customer acknowledges that the Provider is not a payment card processor and that the Services are not PCI DSS compliant. Except for the Provider's obligations as a business associate pursuant to this Agreement, the Customer shall be responsible for any Sensitive Personal Information it inadvertently submits to the Services, and the Provider will treat such submissions as Customer Data as defined in this Agreement such that the Provider is not subject to any additional obligations that apply to Sensitive Personal Information.
c) Compliance with Laws. The Customer agrees to comply with all applicable Laws in its use of the Services. Without limiting the generality of the foregoing, the Customer will not engage in any unsolicited advertising, marketing, or other activities using the Services, including without limitation any activities that violate the applicable Laws.
3.5. Indemnification by Customer. The Customer will defend the Provider from and against any claim arising from or relating to any Customer Data, the Customer's use of a Third-Party Platform, or the Customer's use of the Services in violation of Laws, and will indemnify and hold the Provider harmless from and against any damages and costs awarded against the Provider or agreed in settlement by the Customer (including reasonable attorneys' fees) resulting from such claim, provided that the Customer will have received from the Provider: (i) prompt written notice of such claim (but in any event notice in sufficient time for the Customer to respond without prejudice); (ii) the exclusive right to control and direct the investigation, defense and settlement (if applicable) of such claim; and (iii) all reasonably necessary cooperation of the Provider (at the Customer's expense). Notwithstanding the foregoing sentence, (a) the Provider may participate in the defense of any claim by counsel of its own choosing, at its own cost and expense; and (b) the Customer will not settle any claim without the Provider's prior written consent, unless the settlement fully and unconditionally releases the Provider and does not require the Provider to take any action or admit any liability.
3.6. Aggregated Anonymous Data. Notwithstanding anything to the contrary herein, the Customer agrees that the Provider may obtain and aggregate technical and other data about Customer's use of the Services that is non-personally identifiable with respect to the Customer ("Aggregated Anonymous Data"), and the Provider may use the Aggregated Anonymous Data to analyze, improve, support, and operate the Services and otherwise for any business purpose during and after the term of this Agreement, including without limitation to generate industry benchmark or best practice guidance, recommendations, or similar reports for distribution to and consumption by the Customer and other Provider's customers. For clarity, this Section 3.6 does not give the Provider the right to identify the Customer as the source of any Aggregated Anonymous Data.
4. SECURITY.
The Provider agrees to use commercially reasonable technical and organizational measures designed to prevent unauthorized access, use, alteration, or disclosure of the Services or Customer Data, as further described in the Provider's Technical and Organizational Measures set forth as Annex C to the DPA (the "Security Policy"). However, the Provider will have no responsibility for errors in transmission, unauthorized third-party access, or other causes beyond the Provider's control.
5. THIRD-PARTY INTEGRATIONS
The Services may support integrations with certain Third-Party Platforms. To enable the Services to access and receive the Customer's information from a Third-Party Platform, the Customer may be required to input its credentials for such Third-Party Platform. By enabling use of the Services with any Third-Party Platform, the Customer authorizes the Provider to access the Customer's accounts with such Third-Party Platform for the purposes described in this Agreement. The Customer is responsible for complying with any relevant terms and conditions of the Third-Party Platform and for maintaining appropriate accounts in good standing with the providers of the Third-Party Platforms. The Customer acknowledges and agrees that the Provider has no responsibility or liability for any Third-Party Platform, or for how a Third-Party Platform uses or processes Customer Data after such data is exported to the Third-Party Platform. The Provider cannot ensure that the Services will maintain integrations with any Third-Party Platform, and the Provider may disable integrations of the Services with any Third-Party Platform at any time with or without notice to the Customer. For clarity, this Agreement governs the Customer's use of and access to the Services, even if accessed through an integration with a Third-Party Platform. TO THE EXTENT THE CUSTOMER USES FEATURES IN THE SERVICES THAT INTEGRATE WITH A THIRD-PARTY PLATFORM AND THE CUSTOMER REQUESTS THAT THE PROVIDER INTEGRATE WITH SUCH THIRD-PARTY PLATFORM'S BETA OR PRE-RELEASE FEATURES (the "THIRD-PARTY BETA RELEASES"), THE PROVIDER WILL HAVE NO LIABILITY ARISING OUT OF OR IN CONNECTION WITH THE PROVIDER'S PARTICIPATION IN SUCH THIRD-PARTY BETA RELEASES OR THE CUSTOMER'S USE OF SUCH INTEGRATED FEATURES.
6. OWNERSHIP.
6.1. Provider's Technology. This is a subscription agreement for access to and use of the Services. The Customer acknowledges that it is obtaining only a limited right to the Services and that irrespective of any use of the words "purchase", "sale", or like terms in this Agreement, no ownership rights are being conveyed to the Customer under this Agreement. The Customer agrees that the Provider or its suppliers retain all right, title, and interest (including all Intellectual Property Rights) in and to the Services and all Documentation, Professional Services' deliverables and all related and underlying technology and documentation and any derivative works, modifications or improvements of any of the foregoing, including Feedback (collectively, the "Provider's Technology"). Except as expressly set forth in this Agreement, no rights in the Provider's Technology are granted to the Customer. Further, the Customer acknowledges that the Services are offered as an on-line, hosted solution, and that the Customer has no right to obtain a copy of any of the Services, except for the Code and the Apps in the format provided by the Provider.
6.2. Feedback. The Customer may, from time to time, submit Feedback to the Provider. The Provider may freely use or exploit Feedback in connection with the Services and may also disclose such Feedback to third parties. The Provider shall not disclose the name of the Customer in any use or exploitation of the Feedback.
7. SUBSCRIPTION TERM, FEES & PAYMENT
7.1. Subscription Term and Renewals. The Subscription Term and Renewal Term will be as set forth in the applicable Order Form. Unless otherwise specified in an applicable Order Form, each Subscription Term will automatically renew for the Renewal Term set forth in such Order Form unless either party gives the other written notice of termination at least thirty (30) days prior to expiration of the then-current Subscription Term.
7.2. Fees and Payment. All fees are as set forth in the applicable Order Form and will be paid by the Customer in accordance with the payment terms set forth in the Order Form. Except as expressly set forth in Section 9 (Limited Warranty), Section 13 (Indemnification), or Section 16.7 (Modifications to this Agreement), all fees are non-refundable. The Customer is responsible for paying all Taxes, and all Taxes are excluded from any fees set forth in the applicable Order Form. If the Customer is required by Law to withhold any Taxes from Customer's payment, the fees payable by the Customer will be increased as necessary so that after making any required withholdings, the Provider receives and retains (free from any liability for payment of Taxes) an amount equal to the amount it would have received had no such withholdings been made. Any late payments will be subject to a service charge equal to 1.5% per month of the amount due or the maximum amount allowed by law, whichever is less.
7.3. Suspension of Service. Without limiting the Provider's termination or other rights hereunder, the Provider reserves the right to suspend Customer's access to the applicable Services (and any related Professional Services and Support) in whole or in part, without liability to the Customer: (i) if Customer's account is thirty (30) days or more overdue; (ii) for Customer's breach of Sections 2.4 (General Restrictions) or 3.4 (Customer Obligations); or (iii) to prevent harm to other customers or third parties or to preserve the security, availability or integrity of the Services. Unless this Agreement has been terminated, the Provider will restore Customer's access to the Services promptly after the Customer has resolved the issue requiring suspension.
8. TERM AND TERMINATION
8.1. Term. This Agreement is effective as of the Effective Date and expires on the date of expiration or termination of all Subscription Terms.
8.2. Termination for Cause. Either party may terminate this Agreement (including all related Order Forms) if the other party (a) fails to cure any material breach of this Agreement (including with respect to the Customer any of the events set forth in Section 7.3 (Suspension)) within thirty (30) days after written notice; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors' arrangement, composition, or comparable proceeding, or if any such proceeding is instituted against that party (and not dismissed within sixty (60) days thereafter).
8.3. Effect of Termination. Upon any expiration or termination of this Agreement, the Customer will immediately cease all use of and access to all Services (including all related Provider's Technology) and delete (or, at the Provider's request, return) all copies of the Documentation, all passwords or access codes and all other Provider's Confidential Information in its possession. The Customer acknowledges that thirty (30) days following termination it will have no further access to any Customer Data input into any Services, and that the Provider may delete any such data as may have been stored by the Provider at any time thereafter. Except where an exclusive remedy is specified, the exercise of either party of any remedy under this Agreement, including termination, will be without prejudice to any other remedies it may have under this Agreement, by law or otherwise.
8.4. Survival. The following Sections will survive any expiration or termination of this Agreement: 2.4 (General Restrictions), 2.8 (Trial Subscriptions), 3.3 (Storage of Customer Data), 3.5 (Indemnification by Customer), 3.6 (Aggregated Anonymous Data), 6 (Ownership), 7.2 (Fees and Payment), 8 (Term and Termination), 9.1 (Warranty Disclaimer), 12 (Limitation of Remedies and Damages), 13 (Indemnification), 14 (Confidential Information), and 16 (General Terms).
9. LIMITED WARRANTY
9.1. Limited Warranty. The Provider warrants, for Customer's benefit only, that the Services will operate in substantial conformity with the applicable Documentation and in accordance with applicable law. The Provider's sole liability (and Customer's sole and exclusive remedy) for any breach of this warranty will be, at no charge to the Customer, for the Provider to provide Support to correct the reported non-conformity, or if the Provider determines such remedy to be impracticable, either Party may terminate the applicable Subscription Term and the Customer will receive as its sole remedy a refund of any fees the Customer has pre-paid for use of such Services for the terminated portion of the applicable Subscription Term. The limited warranty set forth in this Section 9.1 will not apply: (i) unless the Customer makes a claim within thirty (30) days of the date on which the Customer first noticed the non-conformity, (ii) if the error was caused by misuse, unauthorized modifications, or third-party hardware, software, or services, or (iii) to use provided on a no-charge, trial, or evaluation basis.
9.2. Warranty Disclaimer. EXCEPT FOR THE LIMITED WARRANTY IN SECTION 9.1, ALL SERVICES, SUPPORT, AND PROFESSIONAL SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" (SUBJECT TO ANY OBLIGATIONS IN THE SERVICE LEVEL AGREEMENT). THE PROVIDER AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, CONDITIONS, GUARANTEES, OR UNDERTAKINGS, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, QUALITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. THE PROVIDER DOES NOT WARRANT THAT THE CUSTOMER'S USE OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT THE SERVICES WILL MEET THE CUSTOMER'S NEEDS. THE PROVIDER SHALL NOT BE LIABLE FOR DELAYS, INTERRUPTIONS, SERVICE FAILURES OR OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS, THIRD-PARTY PLATFORMS, OR OTHER SYSTEMS OUTSIDE THE REASONABLE CONTROL OF THE PROVIDER. THE PARTIES ALSO EXCLUDE THE APPLICATION OF BUSINESS PRACTICES.
16.8. Force Majeure. Neither party will be liable to the other for any delay or failure to perform any obligation under this Agreement (except for a failure to pay fees) if the delay or failure is due to unforeseen events that occur after the signing of this Agreement and that are beyond the reasonable control of such party, such as a strike, blockade, war, act of terrorism, riot, natural disaster, failure or diminishment of power or telecommunications or data networks or services, or refusal of a license by a government agency.
16.9. Hardship. If continued performance has become excessively onerous due to an event beyond a party's reasonable control which it could not reasonably have been expected to have taken into account (a "Hardship"), the Parties will in good faith negotiate alternative terms which reasonably allow for the consequences of such event. The Parties expressly exclude the ability of a court to adapt, amend, or terminate the Agreement in case of Hardship, and assume such risk.
16.10. Subcontractors. The Provider may use the services of subcontractors and permit them to exercise the rights granted to the Provider in order to provide the Services under this Agreement, provided that the Provider remains responsible for (i) compliance of any such subcontractor with the terms of this Agreement, (ii) for the overall performance of the Services as required under this Agreement and (iii) compliance with the terms of the DPA.
16.11. Court Orders. Nothing in this Agreement prevents the Provider from disclosing Customer Data to the extent required by law, subpoenas, or court orders, but the Provider will use commercially reasonable efforts to notify the Customer where permitted to do so.
16.12. Independent Contractors. The parties to this Agreement are independent contractors. There is no relationship of partnership, joint venture, employment, franchise, or agency created hereby between the parties. Neither party will have the power to bind the other or incur obligations on the other party's behalf without the other party's prior written consent.
16.13. Export Control. In its use of the Services, the Customer agrees to comply with all export and import laws and regulations of the applicable jurisdictions. Without limiting the foregoing, (i) the Customer represents and warrants that it is not listed on any US, UK, or EU government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a US, UK, or EU government embargo or that has been designated by the US, UK, or EU government as a "terrorist supporting" country, (ii) the Customer will not (and will not permit any of its users to) access or use the Services in violation of any US, UK, or EU export embargo, prohibition or restriction, and (iii) the Customer will not submit to the Services any information that is controlled under the U.S. International Traffic in Arms Regulations.
16.14. Counterparts. This Agreement may be executed in counterparts, each of which will be deemed an original and all of which together will be considered one and the same agreement.
Exhibit A
DATA PROCESSING ADDENDUM
1. INITIAL PROVISIONS
1.1. Agreement. This Data Processing Addendum (the "DPA") forms an integral part of the Agreement and is referenced in the Agreement.
1.2. Data Processing Agreement. By entering into the Agreement with the Provider, you, the Customer, acknowledge that you have read and understood this DPA and agree to be bound by it.
2. DEFINITIONS
Other than the terms defined in the body of this DPA or in the Agreement, these terms have the following meaning:
"CCPA" means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this DPA. The terms "business", "service provider" and "sale" have the same meanings given to them under the CCPA.
"Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by The Provider under this DPA.
"Data Protection Legislation" means, as applicable to a party and its Processing of Personal Data: (i) EU Data Protection Laws, (ii) UK Data Protection Law, (iii) the CCPA and any national data protection laws made under the CCPA, and (iv) any other law applicable to the provision of the Services.
"EU Data Protection Laws" mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR") and the EU e-Privacy Directive (Directive 2002/58/EC). Terms "Controller", "Processor", "Process", "Processing", and "Data Subject" shall have the same meanings given to them under the GDPR.
"Personal Data" means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by the Provider on behalf of Customer in the course of providing the Services, as more particularly described in Annex A of this DPA.
"Restricted Transfer" means a transfer of Personal Data from the European Union/EEA to any other country which is not covered by an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679.
"Sub-processor" means any third party engaged by the Provider to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as Processor.
"Standard Contractual Clauses" means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs").
"UK Data Protection Law" means: (i) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case, as may be amended or superseded from time to time.
3. PROVIDER'S OBLIGATIONS
3.1. Roles. For the purposes of the GDPR and similar Data Protection Legislation, Customer (or third party on whose behalf Customer is authorized to instruct the Provider) is the Controller of Customer Data that are Personal Data, and the Provider shall Process Personal Data as a Processor (or sub-Processor, as applicable to Customer's use of the Services); and for the purposes of the CCPA (to the extent the CCPA is applicable), Customer is the business and the Provider is the service provider.
3.2. Permitted Purposes. The Provider shall Process Personal Data for the purposes described in Annex A and in accordance with Customer's documented lawful instructions ("Permitted Purposes"), except where otherwise required by laws that are compatible with applicable Data Protection Legislation. In particular and to the extent the CCPA is applicable, Customer's transfer of Personal Data to the Provider is not a sale, and the Provider provides no monetary or other valuable consideration to Customer in exchange for Personal Data. To the extent required by Data Protection Legislation, this Section 3.2 constitutes the certification from the Provider to the Processing instructions herein. The Provider is obliged at all times to Process Personal Data in compliance with Data Protection Legislation and fulfill all its obligations arising out of Data Protection Legislation.
3.3. Processing Instructions. The Provider shall immediately inform Customer if it becomes aware that Customer's Processing instructions infringe Data Protection Legislation. If the Provider is unable to Process Personal Data in accordance with the Customer's documented lawful instructions, the Provider is obliged to promptly notify Customer of its inability to comply.
3.4. Security Measures. The Provider shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect all data, including Personal Data, from Data Breaches and preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, these measures must include the measures identified in Annex C of this DPA.
3.5. Access and Confidentiality. The Provider shall ensure that any persons it authorizes to Process the Personal Data (including the Provider's staff, agents and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received proper training, are informed about the confidential nature of the Personal Data and their obligations related to it, and have access to Personal Data only on a need-to-know basis. The Provider shall ensure that Personnel Process the Personal Data only as necessary for the Permitted Purposes.
3.6. Data Returns and Deletion. Upon termination or expiration of the Agreement, the Provider must delete or return to the Customer all Personal Data in its possession or control except for one copy for archival and compliance purposes.
4. AUDIT RIGHTS
4.1. Right to conduct audits. The Customer shall have the right to conduct an audit to verify Provider's compliance with its obligations laid down in Art. 28 GDPR (if applicable) and in this DPA. The Provider shall allow the Customer to carry out the audit if (i) the Customer requests to carry out the audit via a written notice at least 30 (thirty) days in advance; (ii) the Customer will specify the agenda for such audit in such notice; (iii) the audit shall not take place more than once a year; (iv) all associated costs and expenses shall be borne by the Customer or reimbursed to the Provider on demand; and (v) the audit shall last no longer than the equivalent of 1 working day (8 hours) of Provider's representative. On the request of the Customer, the Provider will provide the Customer with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by the Customer.
4.2. Independent Auditor. In case the Customer requests the audit by an independent party – external licensed auditor, the Provider may object to an external licensed auditor appointed by the Customer to conduct the audit if the auditor is, in Provider's reasonable opinion, not suitably qualified or independent, a competitor of the Provider, or otherwise manifestly unsuitable. Any such objection will require the Customer to appoint another auditor.
5. CUSTOMER'S OBLIGATIONS
5.1. Customer's Processing of Personal Data. The Customer shall, in its use of the Services, Process Personal Data in accordance with Data Protection Legislation. The Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer acquired Personal Data.
5.2. Customer's Compliance. The Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to the Provider; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorizations (as applicable) under Data Protection Legislation for the Provider to Process Personal Data for the Permitted Purposes; (iii) it shall be responsible for providing any notices required by Data Protection Legislation to its Permitted users and other relevant data subjects with respect to sharing their Personal Data with the Provider; (iv) it has fulfilled (or shall fulfil) all registration or notification obligations to which the Customer is subject under the Data Protection Legislation; and (v) it is responsible for its own Processing of Personal Data, including the integrity, security, maintenance, and appropriate protection of Personal Data under the Customer's control.
5.3. Technical and Organizational Measures. The Customer is responsible for its secure use of the Services, including securing the user IDs and passwords, protecting the security of Personal Data when in transit to and from the Services, and taking any appropriate technical, organizational, and security measures to securely encrypt or backup any Personal Data uploaded to the Services. The Customer is also responsible for the use of the Services by any person the Customer authorized to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if the Customer did not authorize such use. The Customer agrees to, immediately upon awareness, notify the Provider of any unauthorized use of the Services or of any other breach of security involving the Services.
6. COOPERATION
6.1. Data Subject Rights. To the extent that the Customer is unable to access the relevant Personal Data within the Services independently, the Provider shall, taking into account the nature of the Processing, provide reasonable assistance and cooperation (including by appropriate technical and organizational measures) to the Customer in order to respond to (i) any requests from a data subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data (collectively "Correspondence").
In the event that any such Correspondence is made directly to the Provider, it shall promptly notify the Customer and shall not respond directly unless legally compelled to do so. If the Provider is required to respond to such Correspondence, the Provider shall promptly notify the Customer and provide it with a copy of the request, unless legally prohibited from doing so.
6.2. Data Protection Impact Assessment. To the extent required by Data Protection Legislation, the Provider shall provide reasonable cooperation regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation.
6.3. Request for Disclosure. The Provider is obliged to promptly notify the Customer about any legally binding request for disclosure of the Personal Data by a judicial or regulatory authority, unless such notification is prohibited (for example, by an obligation under criminal law to preserve the confidentiality of a judicial enquiry), and to assist the Customer accordingly (at the Customer's expense).
7. SECURITY INCIDENTS
7.1. Data Breach. Upon becoming aware of a Data Breach, the Provider shall notify the Customer without undue delay and shall provide such timely information and cooperation as the Customer may reasonably require in order to fulfil its data breach reporting obligations under Data Protection Legislation, including the type of data affected and the identity of the affected person(s) as soon as such information becomes known or available to the Provider.
7.2. No acknowledgement. The Customer agrees that any notification that the Provider provides to the Customer in relation to a Data Breach shall not be construed or understood as an acknowledgement of any fault or liability.
7.3. Further Conduct. The Provider shall further take all such measures and actions as are reasonable to remedy or mitigate the effects of the Data Breach and shall keep Customer informed of all developments in connection with the Data Breach.
7.4. Cooperation. If a Data Breach is caused or materially contributed to by the Customer, the Provider will cooperate in the investigation of the Data Breach subject to Customer's obligation to compensate the Provider for its expenses and costs.
8. SUB-PROCESSING
8.1. Authorized Sub-processors. The Customer provides a general authorization for the Provider to engage Sub-processors to Process Personal Data on Customer's behalf. The Sub-processors currently engaged by the Provider are listed in Annex B.
8.2. New Sub-processors. The Provider shall provide at least ten (10) days prior written notice to the Customer of the engagement of any new Sub-processor (including details of the Processing and location), whereby the Provider provides such notifications to the Customer via an RSS Feed on the Provider's website (https://www.trifft.io/rss.xml). It is the responsibility of the Customer to subscribe to the RSS Feed.
8.3. Objections. If the Customer has a reasonable objection to any new sub-processor, it shall notify the Provider of such objections in writing to hello@trifft.io within ten (10) days from receiving the notification and the Parties will seek to resolve the matter in good faith. If Customer does not provide a timely objection to any new sub-processor in accordance with this Section 8.3, Customer will be deemed to have consented to the sub-processor and waived its right to object.
8.4. Liability for sub-processors. The Provider remains liable for any breach of this DPA caused by an act, error, or omission of such Sub-processor.
9. DATA TRANSFERS
9.1. International Data Transfers. The Provider shall take all such measures necessary to ensure that the Processing and transfer of Personal Data in or to a territory other than the territory in which the Personal Data was first collected complies with Data Protection Legislation.
9.2. Application of Standard Contractual Clauses. The Parties agree that when and to the extent the transfer of Personal Data from the Customer to the Provider is a Restricted Transfer and EU Data Protection Laws or UK Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the EU SCCs, which shall be incorporated by reference into and form an integral part of this DPA.
9.3. EU Data. For the purposes of Personal Data that is subject to the EU Data Protection Laws ("EU Data"):
a) where the Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply, and where the Customer is a Processor acting on behalf of third-party Controllers, Module Three (Processor to Processor Clauses) will apply;
b) in Clause 7 (Docking Clause), the optional docking clause will apply;
c) in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 8.2 of this DPA and the period for notification of objections in Section 8.3 of this DPA;
d) in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
e) in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Irish law;
f) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Dublin, Ireland.
9.4. UK Data. For the purposes of Personal Data that is subject to the UK Data Protection Laws ("UK Data"), the EU SCCs will also apply in accordance with paragraphs 9.3.a) to 9.3.d) above, with the following modifications:
a) references to "Regulation (EU) 2016/679" shall be interpreted as references to UK GDPR;
b) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK GDPR;
c) references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" and "UK law";
d) the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK from the possibility of suing for their rights in their place of habitual residence (i.e., the UK);
e) Clause 13(a) of the EU SCCs and Part C3 of Annex A of the DPA are not used and the "Supervisory authority" is the UK Information Commissioner's Office;
f) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales";
g) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales; and
h) with respect to transfers to which the UK GDPR applies, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";
i) unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer Personal Data in compliance with the UK GDPR, the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Annexes A, B and C (as applicable).
10. LIMITATION OF LIABILITY
The remedies of the Customer (including its Affiliates), and the Provider's liability arising out of or in relation to this DPA (including the Standard Contractual Clauses), are subject to the limitations of liability and disclaimers set forth in the Agreement. For the avoidance of doubt, nothing in this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.
11. FINAL PROVISIONS
11.1. Third-Party Beneficiaries. Data Subjects are the sole third-party beneficiaries to the Standard Contractual Clauses, and there are no other third-party beneficiaries to this DPA, unless specified to the contrary in the Agreement.
11.2. Governing Law and Jurisdiction. This DPA shall be governed by and construed with governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.
11.3. Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.
11.4. Term. This DPA shall continue to be in effect for the term of the Agreement plus the period from expiry of the Agreement until the Provider ceases to process Personal Data on behalf of the Customer.
Annex A
Description of the Processing Activities / Transfer
Annex A(1) List of Parties
Data Exporter | Data Importer |
---|---|
Name: Customer, as identified in the Order Form | Name: Provider, as identified in the Agreement |
Address: As identified in the Order Form | Address: As identified in the Agreement |
Contact details: As identified in the Order Form | Contact details: As identified in the Agreement |
Activities relevant to the transfer: See Annex A(2) below | Activities relevant to the transfer: See Annex A(2) below |
Role: Controller | Role: Processor |
Annex A(2)
Area | Description |
---|---|
Categories of data subjects: | • Permitted users – any of Customer's employees or other personnel, suppliers and other third parties authorised under the Agreement to use the Services. • Customer’s loyalty program members – any of the Customer’s loyalty program members accessing Customer’s program running the Services. |
Categories of personal data: | • Permitted users – contact data • Customer’s loyalty program members – Customer determines the categories of Personal Data which could be processed in the Services (generally identification data). |
Special categories of data (if applicable): | The Provider does not require any special categories of data to provide the Services and does not intentionally collect or process such data in connection with the provision of the Services. |
Frequency of the transfer: | Continuous |
Nature and subject matter of processing: | The Personal Data may be subject to the following processing activities: • storage (hosting) and other processing necessary to provide, maintain and improve the Services provided to the Customer under the Agreement, • technical support provided to the Customer on a case-by-case basis, • disclosures in accordance with the Agreement and the DPA, as compelled by law, and • collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. |
Duration of the processing: | Processing Term. |
Purpose(s) of the data transfer and further processing: | (i) Processing to provide, maintain, support, and improve the Services provided to the Customer in accordance with the Agreement, (ii) Processing initiated by the Permitted users in their use of the Services, and (iii) Processing to comply with other documented reasonable instructions provided by the Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement (including this DPA). |
Retention period (or, if not possible to determine, the criteria used to determine that period): | Processing Term. |
Annex A(3): Competent supervisory authority
With respect to EU Data the competent supervisory authority is The Office of Personal Data Protection of the Slovak Republic (the "Supervisory Authority").
Annex B
Approved Sub-processors
Sub-processor | Area of use |
---|---|
Microsoft Corporation, with the registered office at One Microsoft Way, Redmond, WA 98052, USA | Cloud services (Azure) |
Twilio Ireland Limited, with the registered office at 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland | Text message (SMS) and push notification delivery service |
Mailgun Technologies, Inc., with the registered office at 112 E Pecan St, #1135, San Antonio, TX 78205, USA | Email delivery service |
Functional Software, Inc., with the registered office at 45 Fremont Street, San Francisco, CA 94105, USA | Application performance monitoring and error tracking (Sentry) |
Annex C
Technical and Organizational Measures
The technical and organisational measures implemented by the Provider (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purposes of the processing and the risks for the rights and freedoms of natural persons, are described in the Microsoft Azure Legal Information, Microsoft Azure Agreement, Microsoft Azure Service Level Agreement, Microsoft Online Subscription Agreement and Microsoft Products and Services Data Protection Addendum (DPA), and are as follows:
Type of measure | Implemented measure |
---|---|
Measures of pseudonymisation and encryption of personal data | • All personal data are encrypted with a private per-user key and decrypted only in memory when needed. Personal data are anonymised when the key is deleted. • Data in transit is encrypted with SSL. Selected sensitive data (e.g. user passwords) is also encrypted at rest. Key management is organised using Azure Key Vault (encrypted). |
Measures for ensuring ongoing confidentiality of processing systems and the Services | • Data in transit is encrypted with SSL. • Infrastructure is behind a firewall and an API management service. |
Measures for ensuring ongoing integrity of processing systems and the Services | • The event sourcing architecture allows replay of event processing in case of a backend error, overflow etc. DevOps monitors performance and proactively deals with issues. Database writes are performed in transactions with rollback in case of errors. |
Measures for ensuring ongoing availability and resilience of processing systems and the Services | • Three-data-center redundancy (different physical locations) of the whole backend in one region. Geo-redundant high-availability databases with 99.99% SLA (Microsoft Azure). Daily database backups with a 7-day history. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | • 1) rely on Azure recovery tools; 2) roll out a new backend and recover the database on Azure (estimated fix time: 3 hrs); 3) move critical infrastructure to Google or Amazon cloud services (estimated fix time: 24 hrs). • Codebase is kept in GitHub; databases are set to auto-backup by Azure. Kubernetes infrastructure is backed up as Helm config and versioned in the GitHub codebase. Automatic recovery based on the last config is in place. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | • Proactive security audit of source code (GitHub) checking all code against known vulnerabilities. SonarCloud is used for ongoing quality and clean source code audit. |
Measures for user identification and authorization | • In the admin interface, user password or LDAP authentication is available. In consumer-facing apps, email + password, phone number + SMS or social login (Google, FB, Apple) are supported. For third-party API access, OAuth2 is used. |
Measures for the protection of Data during storage | • Databases storing sensitive at-rest data are encrypted |
Measures for ensuring physical security of locations at which personal data are processed | • See Microsoft Azure above |
Measures for ensuring event logging | • Every user action is event sourced and stored in the event store indefinitely. • Every error or exception is processed by Sentry.io. • Azure provides an activity-logging service. • All HTTP request metadata are logged by Cloudflare. |
Measures for ensuring system configuration, including default configuration | • Codebase is kept in GitHub; databases are set to auto-backup by Azure. Kubernetes infrastructure is backed up as Helm config and versioned in the GitHub codebase. Automatic recovery based on the last config is in place. |
Measures for internal IT and IT security governance and management | • The least privilege access policy in place. Account and access rights audit performed at minimum once every calendar quarter |
Measures for ensuring data minimization | • By default no personal data are collected. For registered accounts, only the minimum data required to identify an account (e.g. email address, phone number) are required. All other personal data are collected only if so set up by the Client. |
Measures for ensuring data quality | • Front end and backend data format validation |
Measures for ensuring limited data retention | • Data is deleted when i) user account is not accessed within 1 year, ii) user requests data |
Measures for ensuring accountability | • The Provider retains an independent DPO with sufficient powers to audit its measures and suggest improvements |
Measures for allowing data portability and ensuring erasure | • Data exports are available in admin interface • User data erasure available on-demand in admin interface or automatically when triggered and confirmed by user |