(Version April 2024)
THESE HID PURCHASE ORDER TERMS (“AGREEMENT”) ARE BY AND BETWEEN THE HID ENTITY PLACING AN ORDER WITH SUPPLIER (“HID”) AND SUPPLIER (“SUPPLIER”), EACH HEREINAFTER REFERRED TO INDIVIDUALLY AS A “PARTY” AND COLLECTIVELY AS THE “PARTIES.” THIS AGREEMENT APPLIES TO ANY PRODUCTS OR SERVICES (THE “OFFERINGS”) PURCHASED BY HID.
OFFERINGS PURCHASED PURSUANT TO THIS AGREEMENT MAY BE SOLD to, OR INCORPORATED INTO A FINAL PRODUCT SOLD TO, AN END CUSTOMER.
1. Definitions.
“Affiliate” or “Affiliates” means entities which are controlled by a Party, which controls a Party or which is under common control with a Party, where "control" means the direct or indirect ownership of at least fifty percent (50%) of the shares or interests entitled to vote for the directors thereof or the equivalent, so long as such control exists.
“Agreement” means, collectively, all terms and conditions between HID and Supplier governing the sale of the Offerings, including this Agreement.
“Custom Offering” means any Offering that is modified or customized for HID prior to delivery.
“End Customer” means an end customer to which HID may provide the Offerings, either directly or indirectly, either individually or together with an HID product or service.
“Documentation” means the guides and manuals customarily supplied by Supplier for use with the Offerings. Supplier will provide to HID with all applicable Documentation to allow HID personnel to be able to understand, use, and operate the Offerings. Such Documentation must be updated on a regular basis with written notice to HID to account for any changes, updates, or replacement of the Offerings.
“Intellectual Property Rights” means worldwide common law and statutory rights associated with (a) patents and patent applications; (b) works of authorship, including mask work rights, copyrights, copyright applications, copyright registrations and “moral” rights; (c) the protection of trade and industrial secrets and confidential information; (d) all rights to registered and common law trademarks, trade names, trade dress, and service marks; and (e) other proprietary rights relating to intangible intellectual property (including but not limited to designs, design rights, source codes, proprietary material, know-how, ideas, concepts, methods, techniques, rights in databases and all other intellectual property rights and rights of a similar character whether registered or capable of registration).
“Order” means the purchase order(s) or other written document provided by HID setting forth the Offerings to be purchased.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Quote” means the Supplier-issued written quotation or proposal for the Offerings, if any. For clarity, the Quote may also be referred to as a “Proposal” and such document does not constitute a legally binding agreement between the parties.
“Support Services” means the provision of any maintenance and support provided by Supplier. Unless otherwise agreed in signed writing by the parties, such Support Services will be provided in accordance with the terms set forth in Exhibit A.
2. Order Process and Order Changes.
- Orders placed by HID are firm and binding on Supplier. HID reserves the right to accept or reject any Quote provided by Supplier at any time, without liability of any kind.
- This Agreement does not specify a quantity of Offerings to be purchased by HID, does not obligate HID to purchase any Offerings, and is not an exclusive purchasing agreement.
- After an Order has been provided by HID, HID may request changes to the Order up to twenty-four hours prior to the confirmed Order shipment date. In such an event, at HID’s request, the Order will be amended to reflect such changes. HID may submit changes and cancellations to Orders at no additional cost to HID, except for the price of any additional quantities ordered.
3. Pricing and Payment Terms.
- Quoted prices are firm and binding on Supplier. Supplier may not increase any prices for the Offerings without prior written agreement by HID.
- Undisputed invoices are payable by HID within sixty (60) days from the date of HID’s receipt of the invoice.
- Prices include all national, state, local, or international property, license, privilege, sales, use, excise, gross receipts, VAT, duty or other like taxes relating to the sale, delivery, receipt, payment for or use of the Offerings including any interest, penalty and additional tax or other charge related to delay or failure to pay such amount.
4. Delivery and Acceptance.
- Supplier will ship the Offerings and any associated Documentation to HID or End Customer, as applicable at the sole discretion of HID, by full or partial shipment, in accordance with the Order. Unless otherwise mutually agreed by the Parties, all Offerings and Documentation delivered in a tangible form will be shipped FCA Supplier’s Site respectively (INCOTERMS 2020) and will be deemed shipped upon being made available to HID’s or End Customer’s carrier. Title and risk of loss or damage shall pass from Supplier to Purchaser upon tender to the carrier at Supplier’s facility. Notwithstanding, fees associated with export customs formalities are Supplier’s sole responsibility. If requested by HID, Supplier will arrange transport and handling of the Offerings.
- Supplier will provide packing slips for all shipments. Packing slips and other shipping documents, such as bills of lading, will show, at minimal, the Order number, Supplier information, and item, parts and other applicable reference numbers. For international shipments, in addition to the packing list, Supplier will include a customs valuation invoice (pro forma or “Commercial Invoice”, using the value set forth in the Order), with a master packing slip and will furnish all other required export/import documents. Export and trade credits will belong to HID. Supplier will furnish: (a) all documents required to obtain export credits and customs drawbacks; (b) certificates of origin of the materials and Offerings provided and the value added in each country; (c) any Free Trade Agreement or similar trade preference documents; (d) all required export licenses or authorizations; and (e) any other documents as may be requested by HID or End Customer. Supplier represents and warrants that the contents of all documents provided under this Section will be true and accurate. Supplier will indemnify HID, End Customer, and their respective Affiliates for any damages, including fines, duties, interest and penalties, arising from a false or inaccurate statement under this Section.
- Supplier will properly pack, mark, load and ship the Offerings as required by the Order and by the transporting carrier. For international shipments, all wooden packaging will be properly heat treated with IPPC stamp applied and certificate delivered to HID upon request. HID may specify the method of transportation and the type and number of packing slips and other documents to be provided with each shipment. Supplier will comply with shipping instructions and process as provided by HID. If HID has not provided packing or shipping instructions, Supplier will pack and ship the Offerings in accordance with industry standards. Supplier will reimburse HID for all expenses, including damage to the Offerings, incurred due to improper packing, marking, or loading. Unless otherwise provided in the Order, any charges or costs related to the handling, packaging, storage, or transportation of the Offerings are the responsibility of the Supplier and have been included in the price of the Offerings.
- Supplier must submit the Offerings to HID for acceptance testing. HID will conduct the acceptance testing of the Offerings within twenty (20) business days of receipt of the Offerings. If the Offerings fail to meet the acceptance specifications, HID may: (i) reject the failed Offerings and require Supplier to modify, repair, or replace the affected Offering(s) to HID’s satisfaction within a stated timeframe; (ii) accept only the portions of the Offerings acceptable with the fees reduced proportionally to the acceptable Offerings; (iii) terminate this Agreement without liability; or (iv) any combination of the foregoing. If Supplier fails to remediate the failed Offerings under the foregoing stated timeframe, HID may terminate this Agreement or the relevant Order with immediate effect and without liability. If the Offering is accepted, HID will provide written notice indicating as such.
- Supplier agrees that the TIME, QUANTITY, AND QUALITY ARE OF THE ESSENCE AS TO ALL OFFERINGS. Supplier’s failure to meet delivery timelines, full quantity, or quality requirements will be considered a breach of this Agreement. In addition to any other rights under the Agreement, HID may impose liquidated damages.
5. Additional Terms.
The following are in addition to the terms set forth in this Agreement:
- Hardware Offerings will be provided in accordance with the terms located in Exhibit B, attached hereto.
- On-premise Software Offerings will be provided in accordance with the terms located in Exhibit C, attached hereto.
- Software-as-a-Service Offerings will be provided in accordance with the terms located in Exhibit D, attached hereto.
- Professional Services are provided in accordance with the terms in Exhibit E, attached hereto.
- The Offerings will comply with HID Supplier Quality Assurance Agreement located at: https://www.hidglobal.com/purchase-order-terms
- To the extent Supplier uses HID trademarks, trade names, trade dress, service marks, logos, or designs (“Trademarks”), HID reserves the right to review all uses and Supplier agrees to follow any trademark or identity guidelines and instructions that are provided to it by the other Party, including, but not limited to, any guidelines and instructions appearing on the website www.hidglobal.com/brand and any sub-pages thereunder, which HID may update from time-to-time in its sole discretion.
- To the extent Supplier processes Personal Data, the Data Processing Terms attached hereto as Exhibit F shall apply.
6. Additional Licenses and Registration.
- If the Offerings will be used by End Customer as part of a larger solution including third party products and/or services, Supplier will obtain any additional license or use rights necessary for HID to integrate the Offerings, or create interoperability, with technology owned or otherwise provided by such third parties.
- If required by applicable law or for reasons of commercial expediency the Offerings need to be registered, certified or otherwise approved by any applicable government body or other agency (hereinafter called "Offering Registration(s)") the following provisions will apply: (i) HID will supply, subject to confidentiality, Supplier with all reasonable information and materials necessary to assist Supplier in obtaining such Offering Registration; and (ii) Supplier will at its cost use its best endeavors to obtain the Offering Registration. If it is required that the Offering Registration only be issued in the name of Supplier, Supplier will procure that HID or End Customer enjoys the full benefit of such Offering Registrations; and, it will promptly transfer or procure the transfer of such registrations to HID, if at any time it becomes permissible to do so; and (iv) Supplier will promptly provide to HID copies of all correspondence with and documents supplied to, and documents, certificates and correspondence received from, an Offering Registration authority as and when sent, delivered or received together with such translations of their main points as HID may reasonably request, for which. Supplier agrees to bear reasonable translation costs.
7. Changes and Discontinuation.
- Supplier will provide advance written notice, not less than sixty (60) days, to HID prior to making any material changes to its business operations.
- Supplier will provide HID with at least one hundred eighty (180) days’ advance written notice prior to a change to the form, fit or function or the discontinuance of manufacturing or supply of any Offerings provided to HID pursuant to this Agreement. During such notice period, HID will be allowed to place Orders for additional quantities of such Offering at prices that will not be higher than prices established pursuant to this Agreement.
8. Intellectual Property and Proprietary Rights. Each Party, its suppliers and service providers retain all right, title and interest in any Intellectual Property owned or licensed by such parties, and all Intellectual Property Rights embodied therein or relating thereto. All rights not expressly granted under this Agreement (including any Exhibit) or otherwise set forth in a SOW (as defined under Exhibit E attached hereto) or other scoping document, are reserved by the respective Party. There are no implied rights.Notwithstanding the foregoing, unless otherwise agreed in signed writing by the Parties, to the extent there is customization or alteration to the Offerings, or any specifications at the direction or request of HID or any of its representatives, such customization or alteration will cause the Offerings to become Custom Offerings. HID will retail all right, title and interest in any Custom Offerings.
9. Confidentiality. HID and Supplier acknowledge that each Party may have access to certain of the other Party’s confidential and proprietary information in connection with the performance of this Agreement (the “Confidential Information”). Each Party will take all reasonable precautions necessary to safeguard the confidentiality of the other Party’s Confidential Information, including those taken by such Party to protect its own Confidential Information of a similar nature. Each Party will use the other Party’s Confidential Information solely to fulfill the purposes of this Agreement. Supplier will not, or attempt to, submit, reproduce, or use any Confidential Information, in whole or in part, for use or training of generative artificial intelligence technologies. Neither Party will have any confidentiality obligation with respect to any portion of the other Party’s information that (i) it independently develops without reference to the Confidential Information, (ii) it lawfully obtains from a third party under no obligation of confidentiality, or (iii) becomes available to the public other than as a result of its act or omission. Because of the unique nature of the Confidential Information, each Party agrees that the disclosing Party may suffer irreparable harm in the event the recipient fails to comply with its confidentiality obligations under this Agreement, and that monetary damages may be inadequate to compensate the disclosing Party for such breach. Accordingly, the recipient agrees that the disclosing Party will, in addition to any other remedies available to it at law or in equity, be entitled to seek injunctive relief to enforce such confidentiality obligations. For clarity, HID is permitted to share Supplier Confidential Information with its customers pursuant to confidentiality terms at least as protective as those set forth herein.
10. Warranty.
- Supplier represents and warrants to HID that Supplier has the authority to enter into this Agreement and grant the rights set forth herein.
- In addition to any express warranties, statutory warranties, and any implied warranties by law, Supplier, on behalf of itself and its subcontractors, represents and warrants that the Offering will: (i) not infringe any Intellectual Property Rights; (ii) in the case of hardware, be new, unused, not remanufactured, and fit for its intended purpose; (iii) be free from defects in materials, design, and workmanship; (iv) conform with performance, functionality, and other specification contained within its Documentation or End Customers’ reasonable expectations; (v) be free and clear of all liens, claims or other encumbrances, and conveyed to HID with good title; (vi) conform to all specifications, requirements, drawings, and descriptions set forth in the applicable Order; (vii) be free of all malware, viruses and all other malicious code, disabling code, or code that causes either the Offering or any product into which the Offering is incorporated to perform in an unintended manner; and (viii) not cause any portion of HID product or any software owned or licensed by HID, or any derivative thereof to (A) become subject to all or part of the license obligations or other Intellectual Property Rights or restrictions of any third party, including any open source software requirements; or (B) be disclosed or distributed in source code form, licensed to third parties for the purpose of making derivatives or such software, or redistributed free or charge. Supplier further represents and warrants that the Offerings will not contain any viruses, worms or other malicious computer programming codes intended to damage, disrupt, or disable any network, systems or data of HID or any other third party. This warranty will survive the expiration of any set period of warranty with respect to any claim made by HID prior to such expiration. Notwithstanding anything contained herein to the contrary, HID may assign or otherwise transfer any warranty, or grant as agent acting on behalf of the Supplier any warranty, in whole or in part, on or to any particular to any End Customer; whereupon, such End Customer may enforce this warranty against the Supplier directly.
- Supplier represents and warrants that Supplier will: (i) perform all services in a professional and workmanlike manner, using qualified personnel with the required skill, experience, and qualifications to meet its obligations under the Agreement; (ii) perform all services in accordance with applicable laws, industry standards, or other standards in every jurisdiction where the Offering if sold or used; and (iii) not infringe or misappropriate any Intellectual Property Rights of any third party.
11. Indemnification.
- Each Party will defend and indemnify the other Party, at its expense, from and against any losses, costs or damages arising from any claims filed by third parties arising out of or resulting from gross negligence, fraud, or willful misconduct in connection with this Agreement.
- In addition to the above, Supplier will defend, indemnify, and hold harmless HID, its Affiliates, officers, directors, third-party providers, and employees from and against any and all claims, damages, losses, costs or other expenses (including reasonable attorneys' fees) in connection with, arising out of, or resulting from: (i) a breach of the terms of this Agreement; (ii) personal injury or property damage; (iii) violation of law; (iv) a violation of Intellectual Property Rights; or (v) use of any personnel or third party. In the event that Supplier anticipates that the Offerings may or do become subject to a violation of a Intellectual Property Rights claim, Supplier will immediately: (A) obtain for HID or Reseller the right to continue using the Offerings; (B) substitute the Offerings with another substantially similar offering; or (C) provide HID a full refund of all amounts paid for the Offerings and any other services or products rendered unusable by HID.
- The indemnitee agrees to promptly notify the indemnitor, in writing, of any claim pursuant to this Section 11. The indemnitor will have sole control of the defense of any such action (and all negotiations for its settlement or compromise). The indemnitee agrees to provide the indemnitor with all information and assistance reasonably required for the defense of the claim. No costs or any expense will be incurred on the indemnitor’s account without the indemnitor’s prior written consent. The indemnitee will be entitled to participate in its defense at its own expense with counsel of its own choosing.
12. Limitation of Liability. IN NO EVENT WILL HID, ITS AFFILIATES OR THIRD-PARTY SERVICE PROVIDERS OR THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS BE LIABLE TO SUPPLIER FOR ANY INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, BUSINESS, LOSS OF DATA OR DATA BREACH, GOODWILL, ANTICIPATED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS OPPORTUNITY AND THE LIKE), EVEN IF HID OR ITS AUTHORIZED REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL HID’S AGGREGATE LIABILITY FOR DAMAGES UNDER THIS AGREEMENT EXCEED THE AMOUNT ACTUALLY PAID BY HID FOR THE OFFERINGS AT ISSUE DURING THE TWELVE MONTHS IMMEDIATELY PRECEDING THE CLAIM. The foregoing limitations and exclusions apply even if a limited or exclusive remedy fails of its essential purpose and will apply to the extent permitted by applicable law in Supplier’s jurisdiction. If applicable law limits the application of the provisions of this Section, HID’s liability will be limited to the maximum extent permissible.
13. Insurance.
- At all times during the term of this Agreement, Supplier will, at its sole cost and expense, provide all insurance coverages required by federal and state laws, including at least the following types and limits of insurance (naming HID as additional insured on applicable liability policies), and will provide HID with proof of such coverage on HID’s request:
- Workers’ Compensation and Employers Liability Insurance, with statutory limits for workers’ compensation and Employer’s Liability Insurance liability limits of $1,000,000 per accident or claim;
- Commercial General Liability insurance with limits of $1,000,000 per occurrence;
- Umbrella Liability Insurance with a minimum limit of $2,000,000 in excess of the insurance coverage described above;
- Professional/Electronic Errors and Omissions Liability Insurance, Cyber-Risk (Network Security), Privacy Liability and Media Liability insurance, covering liability for financial loss arising from acts, errors or omissions in rendering Services in connection with this Agreement due to (i) computer or electronic information services; (ii) network risks, including data breaches, unauthorized access or use of any data or systems, wrongful disclosure, failure to safeguard such data or systems, identity theft, failure to protect confidential information, damage/loss/theft of data, degradation, and any other unauthorized access or use (including breach of privacy, virus transmission, downtime, denial of service); (iii) copyright or trademark infringement, libel, slander, defamation, violation of right to privacy, and infliction of emotional distress, with limits of no less than $2,000,000 per claim; and
- Any additional insurance as may be specified by HID.
14. Compliance with Laws; Code of Conduct.
- Supplier will obtain any and all permits, licenses, authorizations and/or certificates that may be required in any jurisdiction or by any regulatory agency in connection with the conduct of its business and the distribution or sale of the Offerings, if so authorized.
- Each Party will comply with all applicable laws, ordinances, rules and regulations, and will obtain any and all permits, licenses, authorizations, and/or certificates that may be required in any jurisdiction or any regulatory or administrative agency in connection with the sale, use and/or operations of Offerings or other technology Supplier makes available. In particular, the Parties will comply fully with all applicable laws and regulations governing or in any way relating to: (i) the import and export of the Offerings, (ii) economic sanctions and embargoes, (iii) anti-boycott controls, including those maintained by the U.S. Departments of Commerce and Treasury, (iv) the U.S. Foreign Corrupt Practices Act, the UK Bribery Act or any other laws or regulations regarding corruption or bribery; or (v) the use of deceptive or misleading practices. Without limiting the generality of the foregoing, Supplier will comply with all laws and regulations on data privacy, international communications, and the exportation of technical or personal data.
- The Offerings or other technology Supplier makes available may be subject to export laws and regulations of the United States and other jurisdictions. Supplier agrees to comply strictly with all export laws and regulations. Supplier will not permit access or use of any Offerings, or other technology Supplier makes available, to any person or entity that is the target of sanctions or in an embargoed country that would prohibit such access or in violation of any export law or regulation. Supplier represents, warrants and undertakes that a) Supplier and its affiliates and agents shall comply with all economic sanctions and export controls laws and regulations, including but not limited to import restrictions on specific materials or products, adopted and enforced by governmental authorities of the US, EU, UK and UN, as well as any economic sanctions and export control laws and regulations adopted by other jurisdictions that are applicable to HID or the Supplier, b) neither the Supplier, its affiliates or any of its respective officers, directors or employees, is listed, or is owned or controlled by any individual or entity listed in such laws, (c) Supplier will not engage in any business involving any such listed parties, and (d) Supplier will immediately inform HID of any breach of the foregoing. Following any breach, HID may refuse further performance, or terminate this agreement and HID’s relationship with the Supplier, without liability to the Supplier.
- Whenever requested by HID, Supplier will provide HID with a written certificate, in a form acceptable to HID, certifying the continued compliance with this Section. In addition, HID maintains the right to request and review records or other documents from Supplier, or, with reasonable advance notice, to conduct an audit at the site of Supplier’s operations, to confirm Supplier’s compliance with the terms of this Section and the Agreement.
- Supplier represents and warrants that Supplier will comply with the Code of Conduct of HID’s parent company, ASSA ABLOY AB, located at https://www.assaabloy.com/en/com/sustainability/code-of-conduct/code-of-conduct-business-partners and Anti-Corruption Compliance Program policy located at: https://www.assaabloy.com/group/en/sustainability/sustainability-governance/anti-corruption-compliance, as may be amended from time to time.
- Supplier covenants and agrees to maintain complete and accurate records concerning all actions taken by, on behalf of, or at the direction of Supplier pursuant to this Agreement.
- Notwithstanding any provision of this Agreement to the contrary, HID will not be obligated to make any payment or take any other action under this Agreement if it believes in good faith that such action may constitute a violation, or contribute to any violation, of any Anti-Bribery Law; and HID will not be liable to Supplier for any claims, losses or damages arising from HID’s exercise of its rights under this Section.
15. Term, Suspension, Termination, and Renewal.
- Unless sooner terminated in accordance with other provisions of this Agreement, this Agreement will continue in full force and effect until all rights and duties set forth herein have been completed, expired or terminated.
- Either Party may terminate this Agreement if: (i) the other Party files or has filed against it a petition for voluntary or involuntary bankruptcy or pursuant to any other insolvency law or is adjudicated bankrupt; or (ii) makes or seeks to make a general assignment for the benefit of its creditors or applies for, or consents to, the appointment of a trustee, receiver, or custodian for a substantial part of its property.
- Following termination, this Agreement will continue to apply to all past purchase and/or resale of the Offerings. Notwithstanding, subject to payment of all applicable fees, unless HID or End Customer’s use is specifically terminated, upon termination of this Agreement, HID or End Customer will retain the right to continue use of the Offerings.
- The Sections of this Agreement that contemplate performance or observance after termination or expiration of this Agreement, or that by their nature are intended to survive termination or expiration of this Agreement will so survive termination or expiration and continue in full force and effect.
16. Information Security and Data Privacy.
- Supplier will implement and maintain, and will require its subcontractors to implement and maintain, commercially reasonable security measures designed to meet the following objectives: (i) reasonably protect the security and confidentiality of HID or End Customer data in the custody and under the control of Supplier; (ii) protect against known threats or hazards to the security or integrity of such data; (iii) protect against unauthorized access to or use of such data; and (iv) return or disposal of such data is performed in a manner consistent with HID’s obligations under items (i)-(iii) above.
- Each Party will maintain and protect all Personal Data of the other Party as required by the applicable law of any governmental authority having relevant jurisdiction, including without limitation any applicable data protection laws. Except as and to the extent strictly necessary to meet a Party’s obligations in connection with this Agreement, neither Party will share, publish, sell, trade, give away, or in any other way use, disseminate or disclose Personal Data received from the other Party or any Affiliate, or transfer such Personal Data from one country or territory to another, without the prior written consent of the Party disclosing such Personal Data and in accordance with all applicable laws and regulations. Each Party will notify the other Party promptly in the event that such Party’s Personal Data is compromised in any way and will reasonably and promptly assist and cooperate with such Party in responding to inquiries and complaints concerning such compromise in a timely manner, including without limitation those inquiries and complaints brought by End Customers, employees, government or regulatory authorities, or other third parties. If necessary, the Parties will agree upon and execute further documentation, as appropriate, required to comply with the Parties’ respective obligations under applicable data protection laws. Each Party will comply with its own privacy policy.
- End Customer is solely responsible for its own: (i) use of the Offering, including without limitation, installation, deployment, and management of any software; (ii) use of the Offerings in compliance with all applicable laws; (iii) ensuring the security of all data collected, processed, stored, and maintained using the Offerings; and (iv) providing adequate notice and obtaining and maintaining valid consents from all of end users, as may be necessary under applicable law (including applicable data protection laws), to process Personal Data using the Offerings for intended purposes.
- "Customer Data" means any and all information pertaining to or specifically identifying any individual which may be provided in the course of Supplier’s relationship with HID, including without limitation names, telephone numbers, email addresses, and other personally identifiable information. This will include Customer Data that may be provided either: (a) by or on behalf of End Customer to Supplier, or (b) to Supplier by or on behalf of HID. Except as and to the extent strictly necessary to meet Supplier’s obligations under this Agreement, Supplier will not share, publish, sell, trade, give away, or in any other way use, disseminate or disclose Customer Data received from HID, or transfer such Customer Data from one country or territory to another, without HID's prior written consent and in accordance with all applicable laws and regulations. Supplier represents and warrants that Supplier’s collection, use and disclosure of Customer Data to HID or End Customer are consistent and compliant with this Agreement and any applicable laws governing the collection, use and protection of Personal Data applicable to HID or End Customer’s country/region of operation and/or the country/region where data subjects are located. To the extent applicable, Supplier further represents and warrants that Supplier has communicated to End Customers and potential End Customers whose information Supplier is providing to HID that Supplier will share this information with HID, including HID's subcontractors and fulfillment vendors, in the United States or other countries that may have less protective data protection laws than the region in which they are situated (including the European Economic Area), as well as its intended use, and that Supplier has obtained all appropriate consents required for such transfer and use. Supplier will maintain and protect all Customer Data as required by the laws, rules, regulations and orders of any governmental authority having relevant jurisdiction, including without limitation the applicable provisions of any data protection laws. Supplier will notify HID promptly in the event that any Customer Data is compromised in any way and will reasonably and promptly assist and cooperate with HID in responding to inquiries and complaints concerning such compromise in a timely manner, including without limitation those inquiries and complaints brought by any data subjects, government or regulatory authorities, or other third parties.
- All Personal Data about Supplier and Supplier’s employees, contractors or representatives provided in the course of Supplier’s relationship with HID, including without limitation names, telephone numbers, email addresses, financial information, order information, and other personally identifiable information provided to HID will be processed by HID to conduct the Parties relationship and to fulfill their respective commitments pursuant to this Agreement, including, but not limited to, to effect any notices pursuant to this Agreement and to send Supplier information regarding HID products and services. HID collects, uses, discloses and protects personal information in accordance with the terms and conditions of HID’s privacy policy available at https://www.hidglobal.com/about/privacy. If Supplier has any questions regarding HID’s privacy policy, Supplier may contact HID by e-mail at [email protected].
17. Subcontracting. Supplier will not subcontract any of its obligations under this Agreement without the prior written consent of HID. Any such consent of HID will not release Supplier from, or limit, any of Supplier’s obligations under the Agreement. Supplier warrants and guarantees that any such subcontractor’s performance will satisfy all requirements and obligations applicable to Supplier under the Agreement.
18. Setoff and Recoupment.
- In addition to any right of setoff or recoupment provided under applicable law or in equity, all amounts due Supplier or any of its Affiliates will be considered net of indebtedness or obligations of Supplier to HID and its Affiliates, and HID will be entitled at any time to setoff against or recoup from any amounts due or to become due from Supplier or any of its Affiliates to HID and its Affiliates however and whenever arising, including HID’s attorneys’ fees and costs of enforcement. If HID or any of its Affiliates reasonably feels at risk, HID may withhold and recoup a corresponding amount due Supplier and its Affiliates to protect against such risk.
- If an obligation of Supplier or any of its Affiliates to HID is disputed, contingent or unliquidated, HID may defer payment of all or any portion of the amount due until such obligation is resolved.
- Any refunds, losses, liquidated damages, costs and expenses recoverable by HID from the Supplier as a result of the Supplier’s breach of this Agreement may be deducted from money then due to the Supplier under this Agreement and if that money is insufficient for that purpose, the balance remaining unpaid will be a debt immediately due by the Supplier to HID.
19. Miscellaneous.
- In the event of a conflict between or among any document comprising this Agreement, the applicable document will prevail as follows: (a) an order amendment issued by HID (if any), (b) the Order, (c) the Additional Terms in Section 5 or any written agreement between the Parties, and (d) these terms and conditions.
- Nothing in this Agreement is intended to create a partnership, franchise, joint venture, agency, or a fiduciary or employment relationship. Neither Party may bind the other Party or act in a manner which expresses or implies a relationship other than that of independent contractor. Except as otherwise set forth herein, each Party will bear its own costs and expenses in performing this Agreement.
- HID will not be considered in default of performance of its obligations under this Agreement if performance of such obligations is prevented or delayed by any circumstances not within HID’s control including, but without limitation: pandemics, epidemics, and any associated travel restrictions or advisories of relevant governmental and global authorities (such as the World Health Organization) prohibiting or restricting (or recommending the prohibition or restriction of) the movement of persons or goods or the closure of or restricted operation of facilities, acts of God, fire, explosion, flood, storm, terrorist attack, civil war, commotion or riots, war (or threat of war), imposition of sanctions, embargoes or acts of government (including without limitation failure or delay to obtain export licenses), labor disputes, failure or delay of transportation, or any other similar cause or causes beyond the control of HID. Time of performance of HID’s obligations hereunder will be extended by the time period reasonably necessary to overcome the effects of such force majeure occurrences.
-
The Agreement will be construed in accordance with the governing law and jurisdiction set forth in the following table:
Region of HID Contracting Entity Choice of Law Jurisdiction Argentina Argentina Argentina Australia & New Zealand Australia, State of Victoria Victoria, Australia Brazil Brazil Brazil France France Paris, France All other EMEA regions Ireland Galway, Ireland England & Wales England & Wales London, England Asia Pacific Region Singapore Singapore United States, Canada, & Mexico USA, State of Texas Travis County, Texas, USA The Parties hereby irrevocably waive any and all rights to trial by jury in any legal proceedings arising out of or related to the Agreement or the transactions contemplated hereby. The provisions of the United Nations Convention on Contracts for the International Sale of Goods will not apply to the Agreement, or any Order issued hereunder.
- This Agreement will be binding upon and inure to the benefit of the parties hereto and their respective successors and assigns; provided, however, no right or obligation of Supplier under this Agreement will be assigned, delegated or otherwise transferred, whether by agreement, operation of law or otherwise, without HID’s prior express written consent, and any attempt to do so without HID’s consent will be void. Notwithstanding the foregoing, (i) HID may assign this Agreement to a successor in interest (or its equivalent) of all or substantially all of its relevant assets, whether by sale, merger, or otherwise; and (ii) HID may assign this Agreement to any of its Affiliates.
- HID will provide Supplier with any legal notices by certified or registered mail, express mail, or overnight delivery service or to the email address Supplier provided in writing. Supplier is responsible for keeping its mailing and email address current with HID. Legal notices to HID will be made in writing and provided by means of certified or registered mail, express mail or other overnight delivery service, or hand delivery, proper postage or other charges paid and addressed or directed to: HID Global Corporation, 611 Center Ridge Drive, Austin, TX 78753, USA, Attention: Legal Department.
- If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law or public policy the remaining provisions will remain in full force and effect.
- No term or provision hereof will be deemed waived, and no breach consented to or excused, unless such waiver, consent or excuse will be in writing and signed by the Party claimed to have waived or consented. Should either Party consent, waive, or excuse a breach by the other Party, such will not constitute consent to, waiver of, or excuse of any other different or subsequent breach whether or not of the same kind as the original breach.
- This Agreement is the entire understanding and agreement between the Parties hereto with respect to the subject matter of this Agreement and merges and supersedes all prior communications, understanding and agreements, written or oral, and no amendments will become effective without written agreement signed by the Parties hereto. All other terms and conditions (including but not limited to any terms and conditions contained online or in an order acknowledgment or similar document issued by the Supplier) and any purported modifications or variations to this Agreement are expressly excluded and rejected by HID and are of no force or effect, unless otherwise expressly agreed in signed writing by the Parties.
Exhibit A
Support and Maintenance
1. Training. At no additional cost, Supplier will provide HID personnel with training sufficient to sell, configure, and support the Products and any subsequent updates, modifications, or versions of the Products. This training will include, but is not limited to, training and certification on installation and troubleshoot for all Products, installers, and technical support processes and procedures.
2. Support Services. Supplier shall provide the following Support Services for HID with respect to the Products. The Support Services shall be provided at no additional charge, unless HID has agreed in writing to pay support fees pursuant to this Agreement, an Order or a separate agreement. Supplier agrees to:
- correct any failure of the Products to perform in accordance with the Documentation, including without limitation, defect repair, programming corrections, and remedial programming, and provide such services and repairs required to maintain the Products so that it operates properly and in accordance with the Documentation;
- Supplier will perform a root cause of failure analysis for any material failure in the functionality of the Products, identify corrective and preventative actions with respect to same, and provide documentation to HID for review;
- provide telephone and portal-based support: (i) 24/7 for Software-as-a-Service and cloud-based/hosted solutions; and (ii) for all other Products, Monday through Friday, based on End Customer location:
- provide online access to technical support bulletins and other user support information and forums;
- provide access to up-to-date knowledge base, installation guides, user manuals, maintenance plans and manuals, integration checklists, software development kits, developers guide, commissioning reports in English and in electronic and editable form;
- provide all updates, modifications, bug fixes, and releases that Supplier provides to its customers generally at no additional charge, or if applicable; and
- ensure that Products intended for use on mobile devices are compatible with all mobile devices generally used by consumers in all countries (including subsequent software updates for such devices).
3. Service Level Agreement. The following Service Level Agreement (SLA) table applies to Software-as-a-Service solutions:
Severity | Description | Initial Response Time | Status Update | Restoration or Resolution Target (Workaround or Hotfix) |
---|---|---|---|---|
1-Urgent/ Critical |
Production outage or cloud service is down or is severely impacted or a security breach. | Within 30 minutes | Within 60 minutes | ≤ 2 hours |
2-High | Product can be used but an important function is not available or partial cloud service outage with significant performance degradation. Major functionality is impacted. | Within 60 minutes | Within 180 minutes | 24 hours |
3-Medium | Product can be used but some moderate impact or functional restrictions. | Within 8 hours | 5 working days | Weekly effort |
4-Low | Minor non-significant problem, request for enhancement, or documentation issue. | Within 1 day | To be determined based upon the problem |
At HID’s option, HID may refer HID customers directly to Supplier to obtain Support, and under such circumstances, Supplier agrees to provide HID customers direct support commensurate with these terms.
Exhibit B
Hardware Exhibit
This Exhibit contains additional terms that apply to hardware and other respective tangible hardware (“Hardware”). For clarity, Hardware may include both Hardware and compiled and embedded versions of software needed for a device to function. All capitalized terms not defined herein will have the meaning ascribed in this Agreement.
1. Warranty.
Supplier warrants that the Hardware, including all component parts (e.g. batteries) will: (i) be fit for its intended purpose, and be new, unused, and not remanufactured; (ii) be free from defects in materials, workmanship, and design; (iii) operate in conformity with the performance, functionality, and other specifications contained in its Documentation; and (iv) conform to all specifications, requirements, drawings, and descriptions referenced or set forth in the applicable Order, for: (A) the period set forth in Supplier’s standard warranty; or (B) two (2) years from the date of shipment by Supplier, whichever is longer (“Warranty Period”). In the event of a warranty failure, Supplier shall either: (i) repair the Hardware; (ii) replace the Hardware with new or refurbished Hardware (replacement Hardware being of identical model or functional equivalent - replacement parts may be new or equivalent to new); or (iii) provide HID a credit or give HID a refund equal to the full amount of the purchase price originally paid by HID for each such Hardware Product plus applicable freight charges paid by HID on the original delivery of such Product. Any replacement Hardware will be warranted for the remainder of the original Warranty Period, or for one hundred and eighty (180) days, whichever is longer. The warranty shall survive the expiration of the Warranty Period with respect to any claim made prior to such expiration.
All return shipments of defective Hardware to Supplier shall be at Supplier’s sole cost, risk, and expense. Supplier shall bear all shipping costs for warranty returns and all costs and expenses incurred by HID to replace a defective Hardware Product with a new conforming Product. HID has the right to return Hardware Product on a per occurrence basis with no minimum quantity required. If HID requires Supplier to repair or replace defective Hardware, Supplier shall do so promptly and correctly at its expense, and the Performance Warranty shall apply to all such repaired or replaced Hardware.
2. Forecasting. On a monthly basis, HID may provide Supplier with a non-binding rolling forecast of its estimated needs for Hardware from Supplier for the following 12 months. Supplier shall maintain a three (3) week supply of Hardware (“Safety Stock”) to reduce lead times and to meet on time delivery. Supplier shall maintain the capacity to deliver all Hardware within the lead times specified by HID.
3. Inventory Planning and Targets. Supplier shall be responsible for material planning to meet HID supply requirements. Material planning responsibilities include but are not limited to: (a) monitoring daily and weekly HID demand data in relation to required lead times; (b) reviewing HID’s Hardware forecasts; (c) providing timely feedback to HID on Hardware availability issues.
4. Supply Flexibility. Supplier will provide upside supply flexibility of +50% of the forecasted demand of Hardware within 30 days; and an additional +100% of the forecasted demand of Hardware beyond 31 days. In addition to Safety Stock requirements, Supplier will maintain a three (3) week supply of unique/long lead time Hardware components to minimize lead times.
5. Recall/Corrective Action. If Supplier, HID, or any government agency or court having jurisdiction finds that any Offering contains a hazard, condition, or defect that requires or would make advisable a field repair, user/customer notification campaign, rework or recall of such Offering, each Party will promptly communicate all relevant facts, information and data to the other Party. Supplier will immediately notify HID in writing when it becomes aware of any ingredient, component, design or defect in the Offerings that is or may become harmful to persons or property or fails to meet the specifications or other requirements of the Agreement. Supplier will undertake all necessary and required corrective actions, included those required to meet all obligations imposed by applicable law. HID is not precluded from taking any action as may be required under applicable law. Supplier will perform all necessary repairs or modifications at its own expense. Supplier will be solely responsible for all expenses with the correction of a hazard, condition, or other defect as prescribed by the preceding paragraph caused by or associated with any product produced by Supplier.
Exhibit C
On-Premise Software Exhibit
This Exhibit contains additional terms that apply to software owned or licensed by Supplier and distributed for on-premise use (“Software”). All capitalized terms not defined herein will have the meaning ascribed in this Agreement.
1. Grant. Unless otherwise agreed in signed writing by the Parties, Supplier hereby grants to HID a worldwide, non-exclusive, non-transferable, non-sublicensable (except to authorized End Customers and Channel Partners) license to: (A) use the Software; (B) use, distribute, display, and configure the Software in connection with any compatible hardware and/or software configuration that HID now utilizes or may hereafter acquire in order to support, integrate, and commercialize the Products and any HID solution; and (C) use Documentation delivered by Supplier and to copy such Documentation.
2. Warranty.Supplier warrants that for: (A) the period set forth in Supplier’s standard warranty; or (B) one-hundred and eight (180) days from the earlier of the date the Software is delivered to or downloaded by the End Customer, whichever is longer (“Warranty Period”): (i) the media on which the Software is recorded will be free from material defects in materials and workmanship under normal use, and (ii) the Software will perform substantially in accordance with the then-current Documentation. In the event of a warranty failure, Supplier shall either: (A) replace of the media if defective, or (B) repair or replace the Software to make the Software perform substantially in accordance with the accompanying Documentation. In the event Supplier is unable to remedy the non-conformity and such non-conformity materially affects the functionality of the Software, HID may promptly terminate the license applicable to the non-conforming Software and return such Software and any applicable Documentation to Supplier. In such event, HID will receive a refund of the license fee. Any replacement Software will be warranted for the remainder of the original Warranty Period, or for sixty (60) days, whichever is longer. The warranty shall survive the expiration of the Warranty Period with respect to any claim made prior to such expiration. For clarity, Software embedded as firmware or otherwise integrated into a hardware Product is not separately warranted and subject to the warranty applicable to the hardware Product.
3. No Open-source Software. Supplier will not provide any Software containing Open-source Software or introduce any Open-Source Software into HID systems. “Open-Source Software” means any Software or portions thereof that contain materials in source code or object code form that would require or allow disclosure or distribution of the Software to a third party.
4. SDK. If applicable, Supplier will make available free of charge to HID any software development kit as necessary to use the Offering its intended purpose.
Exhibit D
Software-as-a-Service Exhibit
This Exhibit contains additional terms that apply to software-as-a-service offerings (“Service” or “Services”). All capitalized terms not defined herein will have the meaning ascribed in this Agreement.
1. Grant. Unless otherwise agreed in signed writing by the Parties, Supplier hereby grants to HID: (i) access to Services as necessary to use Services, provide Services to End Customers, and implement, maintain, configure, and support Services in accordance with this Agreement; and (ii) a worldwide, non-exclusive, non-transferable, non-sublicensable (except to authorized End Customers and Channel Partners) license to: (A) use the software; (B) use, distribute, display, and configure the software in connection with any compatible hardware and/or software configuration that HID now utilizes or may hereafter acquire in order to support, integrate, and commercialize the Products and any HID solution; (C) access and use application programming interfaces (“APIs”) as necessary to provide and use Services; and (D) use Documentation delivered by Supplier and to copy such Documentation.
2. Service Level Agreement – Service Availability.
This Service Level Agreement sets forth Supplier’s commitments with respect to Availability (as defined herein) of Service and the remedies associated with Supplier’s failure to meet such commitments.
Definitions
“Available” means that the Service can process and respond to correctly constructed requests from end users and/or HID Applications (if applicable) over the internet.
“Availability” means a figure calculated with reference to each calendar month, separately, during which the Services were Available. Availability is calculated on a monthly basis, by subtracting any Downtime (“D”) in in minutes from the total number of minutes for the given month (“M”), divided by the total number of minutes for the given month (M). This score is multiplied by 100 to provide a percentage-based metric:
Availability = M-D/M x 100
“Downtime” means the total time, measured in minutes for each month, during which the Services were not Available, excluding Maintenance and factors outside of Supplier’s reasonable control, including but not limited to: (i) End Customer’s use of unsupported software, hardware or configuration; or (ii) failure or latency of any network, system or application, including the Internet, not under Supplier’s direct control (“Exclusions”).
“Maintenance” means any period of Downtime of the Services in connection with maintenance of the Service(s) by Supplier or of Supplier business operations applicable to the Service(s), communicated by Supplier in advance of the event per the Service Level Commitment.
Commitment
Supplier will provide Availability of each Service at least 99.9% of the time each calendar month (the “Commitment”). Supplier’s Commitment does not apply to any unavailability due to Maintenance.
Supplier will provide notice to HID within fifteen (15) minutes after a Service is detected as not Available.
Supplier will provide notice in advance of Maintenance events at least ten (10) days in advance of the given event.
Supplier will conclude each event of Maintenance within ninety (90) minutes of the noticed start time of such event. Events qualifying as Maintenance will not occur more than twelve (12) times in any given calendar year.
Service Level Credits
If Supplier fails to meet the applicable Service Level Commitment during a given month, HID may claim an account-level credit allowance equivalent to one week of the impacted Service.
3. HID Application. Supplier will reasonably assist HID with the implementation of the HID Application. If applicable, Supplier grants HID a license to access the application programming interfaces at no additional charge.
4. Cloud Infrastructure. Supplier will acquire, operate and maintain, at its own cost and expense, the infrastructure used to supply the SaaS including, without limitation, any necessary licenses (including software licenses) and third-party approvals in order to provide HID with the rights to access and use the SaaS in accordance with the service level agreement, described below. Supplier may not change the infrastructure used to supply the SaaS without the prior written approval of HID, which will not be unreasonably withheld.
Exhibit E
Professional Services Addendum
This Exhibit contains additional terms that apply to Professional Services. All capitalized terms not defined herein will have the meaning ascribed in this Agreement.
1. Delivery and Acceptance.
Supplier shall provide all Professional Services in a timely, professional, and workmanlike manner and in accordance with the terms of this Agreement and any applicable SOW.
HID shall have sixty (60) calendar days from the date of delivery of the final product of all Professional Services to be performed under the SOW (the “Acceptance Period”) to examine and verify the Professional Services conform with the applicable SOW (“Acceptance Tests”) and confirm acceptance thereof. Supplier shall make suitable personnel available to observe or participate in such Acceptance Tests. HID shall provide Supplier with a written acceptance of the Professional Services or a detailed statement of errors requiring correction within such Acceptance Period.
If Acceptance Tests identify any non-conformities, Supplier, at Supplier’s sole cost and expense, shall promptly remedy all such non-conformities and re-deliver the Professional Services. Professional Services after a second or subsequent delivery thereof, or Supplier fails to re-deliver the Professional Services on a timely basis, HID may, in its sole discretion, by written notice to Supplier, deem the failure to be a non-curable material breach of the SOW, and terminate to SOW in accordance with the Agreement. Upon termination pursuant to this Section, HID shall be entitled to a full refund of all fees paid.
2. Open-Source Components and Third Party Materials. Supplier shall not include in any deliverables, and operation of all deliverables shall not require the use of, any Open-Source Components or third-party materials, other than those expressly approved by HID in writing. Supplier shall provide HID with a complete, machine-readable copy of the source code for approved Open-Source Components in accordance with the terms of the Open-Source license(s) therefor at no cost to the HID. Supplier shall secure, at its sole cost and expense, all necessary rights, licenses, consents, approvals, and authorizations necessary for HID to use, perpetually and throughout the universe, all approved third-party materials as incorporated in or otherwise used in conjunction with the Professional Services. Notwithstanding the generality of the foregoing, Supplier will not, or permit any of its third-party service providers to, use generative artificial intelligence technologies, in whole or in part, in the provision of the Professional Services. “Open-Source Component(s)” means any material that would require or allow disclosure or distribution of the component or the entire Offering to which it belongs to a third party.”
3. Subcontractors. Supplier shall not, without prior written approval of HID, engage any subcontractors in the performance of any Professional Services. If Vendor uses any subcontractors, Vendor shall be liable for all subcontractor conduct.
4. Time of the Essence. Supplier acknowledges that time is of the essence with respect to Supplier’s obligations hereunder and agrees that prompt and timely performance of all such obligations is strictly required.
5. Representations and Warranties. Supplier warrants that: (i) it will perform all Professional Services in a professional and workmanlike manner in accordance with generally recognized industry standards and practices for similar services, using personnel with the requisite skill, experience, and qualifications, and shall devote adequate resources to meet its obligations under this Agreement; (ii) HID will receive good and valid title to all deliverables, free and clear of all encumbrances and liens of any kind; (iii) when delivered, no deliverable will contain (a) any virus, trojan horse, worm, backdoor, or other software or hardware devices the effect of which is to permit unauthorized access to, or to disable, erase, or otherwise harm, any computer, systems, or software; or (b) time bomb, drop-dead device, or other software or hardware device designed to deprive HID of its lawful right to use the deliverable; and (iv) it will perform all testing and verification necessary to ensure the deliverables adhere to industry standard to ensure reasonable security measures and protection of personal data; and (v) the Professional Services (a) will not infringe, misappropriate, or otherwise violate any Intellectual Property Right or other right of any Third Party; and (b) will comply with all applicable laws and regulations.
6. Intellectual Property Rights.
All Intellectual Property Rights in the Professional Services, including but not limited to, any deliverable furnished to HID as part of the Professional Services or any modifications, customizations and interfaces developed with respect to a deliverable, in whole or in part, provided to HID by Supplier under the SOW shall be solely the property of HID. Supplier hereby assigns all right, title and interest in and to and exclusive ownership of such Professional Services to HID and Supplier shall take all actions necessary to transfer exclusive ownership of the same to HID. HID and Supplier agree that any product created, conceived, and/or prepared by Supplier in the performance of the Professional Services contained in the SOW shall in all respects be considered a “work made for hire” within the meaning of the federal copyright and patent laws. Supplier represents and warrants that such ”work made for hire” products are assignable under all applicable laws and regulations.
HID retains all Intellectual Property Rights in the materials and resources, including any software and hardware, provided to Supplier by HID during the project, including but not limited to, any source code, which shall constitute the trade secrets of HID. Supplier’s use of any such materials shall be limited to as necessary to perform its obligations under the SOW.
7. Additional Indemnity. Supplier shall defend, indemnify, and hold harmless HID and each of HID’s Affiliates and their and their respective officers, directors, employees, agents, contractors, successors, and assigns (each, a “HID Indemnitee”) from and against any and all Losses incurred by the HID Indemnitee resulting from any claim that arise out of or result from, or are alleged to arise out of or result from: (i) negligence, fraud, or willful misconduct; (ii) infringement of a third-party copyright or patent or other third party rights; (iii) violation of applicable law; (iv) breach of warranty; or (v) property damage or personal injury. As used herein, “Losses” means all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
Exhibit F
Data Processing Terms
These Data Processing Terms apply when Personal Data is processed by Supplier as necessary to provide a service or product (“Service”).
1. Definitions
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. If the CCPA applies to provision of or use of the Service, the parties further agree to be bound by the terms set forth in Attachment 1, attached hereto.
“Controller” has the meaning set forth in the GDPR. Unless otherwise specified, with respect to the Service, HID is the Controller of Personal Data.
“Data Privacy Laws” means laws, rules, regulations, governmental requirements, codes as well as international, federal, state, provincial laws applicable to Personal Data.
“GDPR” means the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the European Directives 95/46 and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processor” has the meaning set forth in the GDPR. Unless otherwise specified, with respect to the Service, Supplier is the Processor of Personal Data.
“Standard Contractual Clauses” means the Standard Contractual Clauses – Controller to Processor attached hereto as Attachment 2.
“Sub-Processor” means a third party appointed to process Personal Data on behalf of the Processor.
“Rights of Individuals” means the legal rights of individuals to access, rectify, delete, and port Personal Data.
2. Data Processing Specifications. Supplier will provide HID with sufficient information that describes: (i) the subject matter of Supplier’s data processing; (ii) the type of Personal Data processed; (ii) the name and location of the party hosting the Personal Data; (iii) Sub-Processors involved in the processing of the Personal Data, if any; (iv) the purpose of the data processing; and (v) the period of time the Personal Data is retained.
3. Processing Instructions. Supplier and its Sub-Processors will process Personal Data only in accordance with the instructions provided by HID. In accordance with applicable Data Privacy Laws, as a general principle Supplier and its sub-processors do not keep Personal Data longer than necessary for the provision of the relevant service. Unless otherwise agreed in writing by the parties, the data retention period retention shall be no longer than thirty (30) days after termination of the Services.
4. Data Processing and Disclosure. Supplier, and its Sub-Processors, will only access, use, review, share, disclose, distribute, or reference Personal Data as necessary to maintain and perform the Service. Notwithstanding, Supplier may disclose Personal Data as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If compelled to disclose Personal Data to a governmental body Supplier will give HID notice of the demand. Any change in the processing of Personal Data will be in accordance with applicable Data Privacy Laws.
5. Standard Contractual Clauses. Any transfer of Personal Data resulting from the Service may be subject to the Standard Contractual Clauses. If applicable, the parties agree to be bound by the Standard Contractual Clauses.
6. Sub-Processors. Supplier shall not sub-contract any of its processing activities performed on behalf of HID under this Data Sub-Processing Agreement to a sub-processor without the prior specific written authorization of the Controller. The Supplier shall submit the request for specific authorization at least ninety (90) days prior to the engagement of the sub-processor, together with the information necessary to enable the Controller to decide on the authorization. It shall inform the HID of such engagement. Supplier is responsible for keeping the list of sub-processors up to date.
7. Obligations. Each party will comply with Data Privacy Laws, rules and regulations applicable to it in the use and/or performance of the Service. Supplier will further comply with Privacy Directive (2002/58/EC), as amended by Directive 2009/136/EC, as applicable. Supplier will also take any additional measures that are required by the Data Privacy Laws or governmental and regulatory authorities (including European data protection authorities) that are provided with respect to the transfer of personal data from the EU to the US. Supplier will keep appropriate records of processing activities. Supplier will cooperate with governmental and regulatory authorities in the event of an inquiry regarding the Service and compliance with applicable Data Privacy Laws. If Supplier: (i) determines that Supplier, or a Sub-Processor, is;to comply with the obligations set forth in these Data Processing Terms; or (ii) becomes aware of any circumstance or change in the applicable Data Privacy Laws, that is likely to have a substantial adverse effect on its ability to meet the obligations set forth in these Data Processing Terms, Supplier will immediately notify HID and HID will have the right to temporarily suspend the processing of Personal Data until the non-compliance is remedied. HID shall not be liable for the fees associated with any period of suspension pursuant to this Section.
8. Security of Data Processing. With respect to the Personal Data, Supplier will maintain reasonable security measures and protect Personal Data in a manner legally required or otherwise reasonably appropriate to the nature of the Personal Data. Supplier will take appropriate steps to ensure compliance with these Data Processing Terms. Supplier shall ensure that those processing Personal Data are subject to a duty of confidence. Supplier imposes appropriate contractual obligations upon its personnel and Supplier, including relevant obligations regarding confidentiality, data protection and data security. At minimum the data center and any infrastructure services Supplier uses to provide the Service shall be certified for: ISO/IEC 27001, SOC 2 Type II and PCI/DSS.
9. Personal Data Breach Notification.
9.1 After becoming aware of a Personal Data Breach, Supplier will (a) notify HID of the Personal Data Breach without undue delay, within forty-eight (48) hours, unless otherwise prohibited by law, and (b) take steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach. To assist HID in relation to any personal data breach notifications HID is required to make under applicable Data Privacy Laws, Supplier will include in the notification such information about the Personal Data Breach as Supplier is able to disclose to HID.
9.2 Notification of a Personal Data Breach will be delivered to [email protected]
9.3 Immediately following Supplier’s notification to HID of a Personal Data Breach, HID and Supplier shall coordinate with each other to investigate the Personal Data Breach. Supplier agrees to cooperate with HID in the handling of the Personal Data Breach, including, without limitation: (i) assisting with any investigation; (ii) providing HID with physical access to the facilities and operations affected which are under the control of Supplier; (iii) facilitating interviews with relevant Supplier employees, contractors, and Supplier; and (iv) making available the relevant records, logs, files, data reporting and other materials related to HID and required to comply with applicable Data Privacy Laws, regulation, or as otherwise required by HID.
10. Audits. Once per calendar year or following a successful Personal Data Breach, HID may audit Supplier’s security controls with respect to the sub-processing activities and compliance with applicable Data Privacy Laws and these Data Processing Terms. HID and Supplier will discuss and agree in advance on: (i) a reasonable start date for the audit (i.e., at a minimum fifteen (15) calendar days from the date of receipt by Supplier the request to audit); (ii) scope and duration of the audit; and (iii) the security and confidentiality controls applicable to such audit.
11. Assistance. Supplier will deal promptly and appropriately with inquiries by HID related to the processing of Personal Data. Supplier will cooperate with HID where necessary for the performance of HID’s privacy impact assessments. Supplier will comply with requests or instructions by HID requiring Supplier to provide, amend, transfer, or delete Personal Data or to otherwise assist with requests pursuant to the Rights of Individuals under applicable Data Privacy Laws. Should individual data subject contact Supplier, Supplier will forward such request to HID. Supplier will cooperate with HID to address and resolve any complaints, requests or inquiries.
12. Changes. The parties acknowledge that changes to applicable Data Privacy Laws may necessitate amendments and updates to these Data Processing Terms overtime and agree to negotiated in good faith with respect to any such amendment or update in the future.
Attachment 1
CCPA ADDENDUM
If the CCPA applies to provision of or use of the Service, the parties further agree to be bound by the terms of this CCPA Addendum in addition to Data Processing Terms.
CCPA Compliance. Supplier warrants that it will comply with all applicable requirements of the CCPA when using, retaining, or disclosing Personal Information. For the avoidance of doubt, CCPA Compliance shall be interpreted to include compliance with amendments made to the CCPA, including the CPRA.
Retention, Use & Disclosure. Supplier shall limit use, retention, and disclosure to activities reasonably necessary and proportionate for the business purpose set forth in the Supplier Agreement. Supplier shall not retain, use or disclose Personal Information for a commercial purpose other than providing the services under the Supplier Agreement. Supplier shall not use, retain, disclose, or otherwise make Personal Information available outside the direct business relationship between Supplier and HID, for Supplier’s own commercial purpose(s) or in a way that does not comply with the CCPA. Notwithstanding, Supplier may use de-identified data for its own business purpose(s) solely as necessary to perform the services under the Supplier Agreement. Except to the extent permitted under applicable regulations, Supplier shall not combine Personal Information received from HID with any Personal Information received from other sources.
Data Requests; Assistance. Supplier shall promptly comply with any request or instruction by HID requiring Supplier to provide, amend, transfer, or delete Personal Information, or to stop, mitigate, or remedy any unauthorized processing. Supplier shall provide assistance to HID, including, but not limited to: (i) reasonably cooperating and assisting HID with meeting HID’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable requests by data subjects; and (ii) notifying HID immediately if Supplier receives any complaint, notice, or communication that directly or indirectly relates to either HID or Supplier’s compliance with CCPA. Supplier shall notify HID within three (3) business days if Supplier receives a verifiable data subject request under the CCPA.
Disclosure. If Supplier is legally required to disclose Personal Information for a purpose unrelated to the business purpose set forth in the Supplier Agreement, Supplier shall inform HID in writing of the legal requirement and give HID an opportunity to object or challenge the requirement.
Subcontractors. If Supplier authorizes any subcontractor, Supplier or third party to process Personal Information, Supplier acknowledges that such subcontractor, Supplier or third party is also a “Supplier” as defined in the CCPA. If Supplier authorizes any subcontractor, Supplier shall notify HID of the engagement, which shall be pursuant to a written contract in which the subcontractor agrees to comply with all privacy and security obligations applicable to Supplier.
No Sale or Sharing of Personal Information. Supplier acknowledges that any transfer or disclosure of Personal Information by HID is not for monetary or other valuable consideration, but merely to Support Services pursuant to the Supplier Agreement, and therefore does not constitute the selling or sharing of Personal Information to Supplier. Supplier shall not sell or share any Personal Information.
Security Safeguards. Supplier shall implement reasonable security procedures and practices appropriate to the nature of the information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure.
Attachment 2
STANDARD CONTRACTUAL CLAUSES - CONTROLLER TO PROCESSOR
SECTION I
Clause 1
Purpose and scope
- The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)[1] for the transfer of personal data to a third country.
- The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
- These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 – Clauses 8.1(b), 8.9(a), (c), (d) and (e)
- Clause 9 – Clauses 9(a), (c), (d) and (e)
- Clause 12 – Clauses 12(a), (d) and (f);
- Clause 13;
- Clauses 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 – Clauses 18(a) and (b)
- (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
- An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
- Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
- The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
- The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
- TThe data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- TThe data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- TIn the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- TThe data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- Tthe onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- Tthe third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
- Tthe onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- Tthe onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
- The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
- The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
- The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
- The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
- The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the prior specific written authorisation of the controller. The data importer shall submit the request for specific authorisation at least ninety (90) days prior to the engagement of the sub-processor, together with the information necessary to enable the controller to decide on the authorisation. It shall inform the data exporter of such engagement.
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.[2] The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
- The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
- The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
- TThe data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- TIn fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
- lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
- (ii) refer the dispute to the competent courts within the meaning of Clause 18.
- The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
- The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
- Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
- Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
- The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
- The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
- The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards [1]
- any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
- The Parties agree that those shall be the courts of Galway, Ireland.
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.
[1] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): HID
Name: HID Global Corporation and its affiliated entities
Activities relevant to the data transferred under these Clauses: Transfer of personal data to data importer as necessary for data importer to provide a service, as contracted.
Role: Controller
Data importer(s): Supplier
Activities relevant to the data transferred under these Clauses: Processing of personal data as necessary for data importer provide a service, as contracted.
Role: Processor
B. DESCRIPTION OF TRANSFER
Description of transfer shall be made available to HID in writing. Notwithstanding anything to the contrary, transfer shall be limited to only the data types necessary to complete the Services.
C. COMPETENT SUPERVISORY AUTHORITY
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANIzATIONAL MEASURES
Supplier shall implement and maintain at all times appropriate and legally required administrative, physical and technical measures (“Security Measures”) that prevent any impermissible collection, use or disclosure of, or access to Personal Data. Such Security Measures include: (a) maintaining industry-standard perimeter protection for Supplier’s network and devices connected thereto (“Supplier’s System”); (b) applying, as soon as practicable, patches or other controls to Supplier’s System that effectively address actual or potential code-based security vulnerabilities; (c) employing commercially reasonable efforts to ensure that Supplier’s System remains free of security vulnerabilities, viruses, malware, and other harmful code; (d) employing commercially reasonable efforts to practice safe coding standard and practices which address common application security vulnerabilities; (e) providing appropriate education and training to Supplier employees and workers regarding security and ensuring that those individuals are bound by confidentiality obligations; (f) accessing or transferring Personal Data only in a secure and confidential manner; and (g) limiting Supplier employee/agent/subcontractor access to Supplier’s network, systems, devices and facilities to those with a need for such access with sufficient competence in information security issues, and whose access privileges shall be revoked promptly upon their termination.
Supplier shall encrypt Personal Data when appropriate and in any case: (i) when it is transferred, communicated, or otherwise transmitted electronically outside the Supplier’s system and/or the EU or European Economic Area (EEA); (ii) in connection with remote access connectivity involving such Personal Data; (iii) to the extent any portable devices are used to process Personal Data; and (iv) in any circumstances required under applicable data privacy laws.
At minimum the data center and any infrastructure services Supplier uses to provide the Service shall be certified for: ISO/IEC 27001, SOC 2 Type II and PCI/DSS.
*Supplier agrees to negotiate, in good faith, any amendment to this Annex II as may be needed to comply with Controller requirements regarding Technical and Organizational Measures.
1Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
2This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
3As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.