- CyArx Software Subscription Agreement
- 1. Definitions
- 2. Interpretation
- 3. Installation
- 4. Use
- 5. Obligations
- 6. Performance Information and confidentiality
- 7. Fees
- 8. Restrictions
- 9. Term and Termination
- 10. Software quality- support and maintenance Service
- 11. Intellectual Property
- 12. Disclaimer of Warranty.
- 13. LIMITATION OF LIABILITY
- 14. Indemnity
- 15. Governing Law and Venue
- 16. Assignment
- 17. Subcontracting
- 18. Complete Terms and Severability
- 19. No waiver
- 20. Changes to the Agreement
- Data Processing Addendum
CyArx Software Subscription Agreement
THIS SUBSCRIPTION AGREEMENT (THE “AGREEMENT”) GOVERNS THE USE OF CYARX PROPRIETARY SECURITY ON-PREMISE OR CLOUD-BASED SOFTWARE (THE “SOFTWARE”).
THIS AGREEMENT CONSTITUTES A BINDING CONTRACT BETWEEN CYARX, INC., CYARX TECHNOLOGIES UK LTD. AND/OR CYARX TECHNOLOGIES LTD., AS APPLICABLE (“WE”, “US”, “OUR” OR “CYARX”), AND YOU – A LEGAL ENTITY (A COMPANY, A PARTNERSHIP, OR ANY OTHER LEGAL ENTITY, HEREINAFTER: “ORGANIZATION”), IDENTIFIED IN THE PROPOSAL (AS DEFINED BELOW).
- 1.1“Feedback” means information or content concerning enhancements, changes or additions to the Software requested, desired or suggested by the Organization.
- 1.2“Fees” means the license fees and other applicable fees set forth in the Proposal.
- 1.3“Intellectual Property Rights” means all rights, titles and interests evidenced by or embodied in (i) all inventions (regardless of patentability), all patents and patent applications; (ii) all trademarks, trade dress, trade names and service names, whether registered or not; (iii) all copyrightable works, author’s moral rights, performance rights and database rights; (iv) all trade secrets; (v) all mask works and integrated circuit designs; (vi) all utility designs and industrial designs; and (vii) all other intangible proprietary right and other similar proprietary, in whatever form or medium, in any jurisdiction worldwide.
- 1.4“Marks” means trademarks, trade names, and logos, whether registered or not.
- 1.5“Output Data” means the reports, alerts, notices and other types of information and data that the Software may generate.
- 1.6“Performance Information” means the Output Data and any information about the Organization’s use of the Software, including Software’s performance, compatibility, interoperability, bugs, errors and malfunctions, in connection with the Organization’s use of the Software, the architecture and layout of the Related Systems and the Software’s functions and processes as carried out with respect to the Related Systems.
- 1.7“Proposal” means the proposal or price quote issued by Reseller or CyArx (as applicable), specifying, among others, the Organization’s details and the Fees applicable to this Agreement. Such Proposal is incorporated by reference to this Agreement,and constitutes an integral part of it.
- 1.8“Related Systems” means the Organization’s IT systems that are directly or indirectly connected with or monitored by the Software.
- 1.9“Reseller” means the individual or legal entity duly authorized by CyArx to market, promote and distribute or offer the Software to you.
- 1.10“Service” means the maintenance and support services set forth in subsections 10.3-10.4.
- 1.11“Term” means the duration of this Agreement, as specified in subsection 9.1.
- 1.12“User” means any Organization employee or such other individual using or accessing the Software for or on behalf of the Organization.
- The term “including”, means including, but not limited to, and without limitation, to the generality of the preceding phrase. All examples in the Agreement and all "i.e." and "such as" notations, indicate an illustration, by way of example only, of the preceding phrase, without limiting its generality.
- If the Organization elected to use the on-premise version of the Software as evidenced in the Proposal, then Subject to the Organization’s compliance with all of its obligations under the Agreement, CyArx will endeavor to perform the initial integration, deployment, installation and configuration of the Software, at the Organization’s site or premises, according to the Organization’s particular IT architecture and layout and in accordance with the deployment scheme indicated in the Proposal.
- Subject to the terms of this Agreement, the Organization’s payment of the applicable Fees and the scope of use set forth in the Proposal, the Organization may access and use the Software during the Term, only within the Organization’s internal IT activities. The Organization’s access and use of the Software is non-exclusive and non-transferable.
- 5.1To facilitate CyArx’s performance of its obligations under the Agreement and the proper provision of the Service, the Organization and its representatives (including Users) will work in close cooperation with CyArx to provide and share Performance Information at its disposal. If the Organization elected to use the on-premise version of the Software as evidenced in the Proposal, the Organization shall facilitate CyArx’s remote access to the Software deployed at the Organization’s site or premises for the purpose of CyArx obtaining Performance Information. If the Organization elected to use the SaaS version of the Software, the Organization will allow CyArx to remotely access the Organization’s account on the Software for the purpose of CyArx obtaining Performance Information. To the extent that the Organization fails to provide the foregoing, CyArx shall be excused from the performance of its obligations hereunder, insofar as such performance is frustrated by the Organization’s failure to so provide the foregoing.
- 5.2The Organization assumes sole and exclusive responsibility: (i) for all acts or omissions, that the Organization or others on its behalf engage in, in response to the Output Data; (ii) to thoroughly review the Output Data frequently, check for any alerts or warnings issued by the Software, address the findings specified in the Output Data and determine what actions are appropriate in light thereof; and (iii) to carry out such actions as the Organization deems appropriate as a result of the Output Data. CyArx has no responsibility or liability, regarding the Organization’s reliance upon, or use of, the Output Data, the Organization’s actions or omissions in connection with the Output Data, or any consequences resulting therefrom.
- 5.3The Organization acknowledges that given the nature of the Software, the use, operation and performance of the Software relies on the availability and proper configuration of the Related Systems. The Organization acknowledges and agrees that in order to use the Software, the Organization has to acquire and properly manage and configure such Related Systems, at its own responsibility, cost and expense.
- 5.4The Organization shall ensure that all Users fully comply with the substantive terms of this Agreement relating to the Software. The Organization shall be liable to CyArx for all acts and omissions of Users in connection with the Software, as though the Organization itself had performed those acts or omissions.
6. Performance Information and confidentiality
- 6.1The Organization acknowledges and agrees that CyArx, its affiliates in the CyArx corporate group, and CyArx’s service providers that assist CyArx in its activities and are bound to confidentiality, may use the following information for the following purposes:
- 6.1.1Use Performance Information to perform and enforce this Agreement, collect Fees, and conduct administrative activities necessary to maintain and provide the Software and the Service to the Organization;
- 6.1.2If CyArx, its affiliates in the CyArx corporate group or its service providers are required or reasonably believes they are required, by law, to share or disclose the Performance Information, provided that, to the extent legally permitted, CyArx will give the Organization prompt notice of the requirement prior to such disclosure; and
- 6.1.3Use Performance Information for research of the Software’s performance and general information security trends, Software development and testing, and enhancement, provided that CyArx and its affiliates in the CyArx corporate group do not use the Performance Information in any manner that would disclose to any third party (except service providers that assist CyArx in the above tasks are bound to confidentiality), the identity of the Organization as the origin of the Performance Information.
- 6.2Subject to the foregoing, CyArx and its affiliates in the CyArx corporate group will take precautions to maintain the confidentiality of the Performance Information, using reasonable care. CyArx and its affiliates in the CyArx corporate group will not use or disclose the Performance Information except as described above or otherwise subject to the express, prior, written permission of the Organization.
- 6.3The Organization represents and warrants that it has and will provide all appropriate notices, obtain all appropriate informed consents and comply at all times with all applicable privacy and data protection laws and regulations (including, if applicable, the EU General Data Protection Regulation (“GDPR”), in order to allow CyArx and its affiliates in the CyArx corporate group to use the Performance Information in the manners specified above. To the extent that the Organization is subject to the GDPR or to the CCPA, the appended Data Processing Addendum applies, and the Organization and CyArx shall comply with it and adhere to its provisions.
- 6.4The Organization acknowledges that all technical and non-technical information and materials regarding the Software, its functionality, capabilities, structure, design and all other details related thereto, as well the details of this engagement and its performance, all constitute proprietary confidential information of CyArx and its affiliates in the CyArx corporate group. The Organization will treat all such information as confidential in a manner no less protective than it uses to protect its own similar assets, but in no event less than reasonable care. The Organization will not disclose such Confidential Information, or have them disclosed, directly or indirectly to any third party without CyArx’s prior written consent. Subsection 6.1.2 above will apply, mutatis mutandis, to the Organization, if the Organization is required, or reasonably believe that it is required, by law, to share or disclose CyArx’s confidential information.
- 6.1The Organization acknowledges and agrees that CyArx, its affiliates in the CyArx corporate group, and CyArx’s service providers that assist CyArx in its activities and are bound to confidentiality, may use the following information for the following purposes:
- 7.1In consideration of the rights granted to you under this Agreement, you will pay all applicable Fees, for each subscription period during the Term, in accordance with the levels, schemes, amounts and payment terms set forth in this Agreement and the Proposal, or as otherwise separately conveyed to you in writing by CyArx or the Reseller. If you have concluded the transaction directly with CyArx, then you shall remit all such Fees to CyArx. If you have concluded the transaction with the Reseller, then you shall remit all such Fees to the Reseller. All Fees are quoted in US Dollars, unless expressly stated otherwise.
- 7.2The applicable periodic subscription Fees are due on the first business day of each subscription period, unless otherwise specified in the Proposal or otherwise agreed upon in writing between you and CyArx or the Reseller (as applicable).
- 7.3The Organization will remit payment of Fees by wire transfer according to the wire details conveyed to the Organization or by any other means of payment CyArx or the Reseller (as applicable) determines from time to time.
- 7.4All Fees payable pursuant to this Agreement and the Proposal are exclusive of taxes or other governmental charges, wire fees, or transaction charges. The Organization is responsible for the payment of all such applicable taxes or charges and will remit grossed-up payments, to include all such taxes, fees and transaction charges. In the event that CyArx or the Reseller (as applicable) is legally obligated to collect or deduct taxes, they are entitled to fully invoice the Organization for the corresponding tax. As soon as possible following a request by CyArx or the Reseller (as applicable), the Organization will provide the taxation documentation necessary for processing the Fees.
- 7.5All Fees paid by the Organization are non-refundable. The Organization is responsible for paying all applicable Fees, whether or not it has actively used the Software or the Service.
- 7.6Without derogating from any other rights and remedies available to CyArx or the Reseller (as applicable) under the applicable law, Fees overdue for more than thirty (30) days will accrue interest at the rate of one and a half percent (1.5%) per month or part thereof, compounded monthly on the linked capital from the due date until the date of actual payment. The Organization agrees to reimburse CyArx or the Reseller (as applicable) for all legal costs and attorney fees CyArx or the Reseller (as applicable) incurs in the course of collecting overdue Fees.
- 7.7Failure to settle any overdue fee within sixty (60) calendar days of its original due date will constitute a material breach of the Agreement.
- 7.8The Organization may not withhold or set-off any payment from any Fees due to CyArx or the Reseller (as applicable).
- 8.1The Organization may not use, or have others use, or provide to third parties, the Software or any part thereof including by reselling, licensing, renting, leasing, transferring, lending, timesharing, assigning or redistributing the Software or any part thereof.
- 8.2The Organization may not modify, make derivative works of, disassemble, de-compile or reverse engineer any part of the Software.
- 8.3The Organization may not use the Software in order to develop, or create, or permit others to develop or create, a similar or competitive product or Software.
- 8.4The Organization may not perform or attempt to perform any of the following: (i) breaching the security of the Software, or identifying any security vulnerabilities thereof; (ii) interfering with, circumventing, manipulating, impairing or disrupting the operation, or the functionality of the Software; (iii) working around or circumventing any technical limitations in the Software; or (iv) using any tool to enable features or functionalities that are otherwise disabled, inaccessible or undocumented in the Software.
- 8.5THE ORGANIZATION MAY NOT USE THE SOFTWARE FOR ANY ACTIVITY THAT CONSTITUTES, OR ENCOURAGES CONDUCT THAT WOULD CONSTITUTE, A CRIMINAL OFFENSE, GIVE RISE TO CIVIL LIABILITY OR OTHERWISE VIOLATE ANY APPLICABLE LAW.
9. Term and Termination
- 9.1This Agreement commences on the start date indicated in the Proposal, and, unless terminated in accordance with the provisions of this section 9 shall remain in full force and effect for an initial subscription period of one year from such start date. Thereafter, the Agreement shall renew automatically for successive one year subscription periods each time, unless a party notifies the other party in writing of its desire not to renew the Agreement at least forty-five (45) days prior to the start of the renewable period.
- 9.2Either party may terminate this Agreement: (a) immediately upon written notice to the other party, if the other party materially breaches this Agreement; (b) upon a fifteen (15) day prior written notice of breach to the other party, if the other party non-materially breaches this Agreement, and failed to cure the breach, within said notice period.
- 9.3Upon termination of this Agreement for any reason whatsoever, the Organization must: (a) cease any and all use of the Software and cause all other Users of the Organization to cease any and all use of the Software; (b) permanently uninstall the Software from all computers and other devices in its possession or control, if the Organization elected to use the on-premise version of the Software, and permanently disconnect its access to the Software, if the Organization elects to use the SaaS version of the Software; and (c) permanently delete all other copies of the Software in its possession or control, if the Organization elected to use the on-premise version of the Software. The foregoing (a)-(c) shall not apply if the Parties have executed a separate written agreement, prior to the end of the Term, which grants the Organization a license to continue using the Software after the Term.
- 9.4Termination of this Agreement by CyArx will be, in addition to, and not in lieu of, any equitable or other remedies available to CyArx.
- 9.5Any provision of this Agreement, that by its nature ought to survive the termination of this Agreement, including sections 6, 9, 11 and 12 - 15, will so survive and continue to bind in full force and effect following such termination.
10. Software quality- support and maintenance Service
- 10.1CyArx will use reasonable efforts to have the Software operate properly. However, as software that relies on third party networks, Related Systems, infrastructure, hardware and other software, CyArx does not guarantee that the Software will operate in an uninterrupted or error-free manner, or that it will always be available, free from errors or omissions, malfunctions, bugs or failures, including, but not limited to, hardware failures, software failures and communication failures. If CyArx receives notice of any failure or malfunction, or if CyArx identifies them by itself, CyArx will endeavor to regain the Software's full functionality as soon as practicable, pursuant to the provisions of this section. However, such incidents will not be considered a breach of this Agreement.
- 10.2The Organization acknowledges that CyArx may, upon coordination with the Organization, suspend the operation of the Software, for periodic maintenance purposes.
- 10.3During the Term, and subject to the terms and conditions of this Agreement and your full payment of all applicable Fees, we, either directly or with the assistance of the Reseller or other third party, will provide you technical support for questions, problems and inquiries regarding the Software, pursuant to the SLA separately provided to the Organization by CyArx.
- 10.4During the Term, and subject to the terms and conditions of this Agreement and your full payment of all applicable Fees, we either directly or with the assistance of the Reseller or other third party, will provide updates to the Software (which may add to, improve or enhance features and capabilities of the then-current version of the Software), to the extent that we issue such updates on ‘general release’ to all customers. We, in our discretion, will determine the frequency and scope of such updates.
11. Intellectual Property
- 11.1The Software is a proprietary product of CyArx or its licensors, protected under copyright laws and international copyright treaties, patent law, trade secret law and other intellectual property rights of general applicability.
- 11.2All rights, title and interest, including copyrights, trademarks, trade names, trade secrets and other intellectual property rights, and any goodwill associated therewith, in and to the Software and any part thereof, including computer code, graphic design, layout and the user interfaces of the Software, and all derivatives, improvements and variations thereof, whether or not based on or resulting from Feedback, are and will remain at all times, exclusively owned by, or licensed, to CyArx. Other than the limited use rights expressly granted herein, no other right, title, interest or license in or to any of the foregoing elements regarding the Software, are granted, sold, transferred, assigned or shared with the Organization.
- 11.3The Software may use or include open source software components (“OSS”). To the extent so stipulated by the license that governs each OSS ("OSS License"), each such OSS is subject to its respective OSS License, not this Agreement, and is licensed to you directly by its respective licensor, not sublicensed by us. If, and to the extent, an OSS License requires that this Agreement effectively impose, or incorporate by reference, certain disclaimers, provisions, prohibitions or restrictions, then such disclaimers, provisions, prohibitions or restrictions shall be deemed to be imposed, or incorporated by reference into this Agreement, as required, and shall supersede any conflicting provision of this Agreement, solely with respect to the corresponding OSS which is governed by such OSS License.
- 11.4You grant CyArx permission to use your Marks on CyArx’s website and in its marketing materials and marketing communications, to indicate that are (or were) CyArx’s customer.
- 11.5The Organization will not be entitled to any remuneration from us, for our use of the Performance Information or the Feedback.
12. Disclaimer of Warranty.
- THE SOFTWARE AND THE SERVICE ARE PROVIDED TO THE ORGANIZATION “AS IS”. CYARX DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THE SOFTWARE AND THE SERVICE, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, NON-INFRINGEMENT, TITLE, COMPATIBILITY, PERFORMANCE, SECURITY, ACCURACY, OR COMPLETENESS OR CORRECTNESS OF THE OUTPUT DATA. WITHOUT LIMITING THE FOREGOING, CYARX SPECIFICALLY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES THAT THE SOFTWARE, THE SERVICE, OR THE OUTPUT DATA WILL MEET THE ORGANIZATION’S REQUIREMENTS OR FULFILL ITS NEEDS. NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING STATEMENTS REGARDING CAPACITY OR SUITABILITY FOR USE OR PERFORMANCE OF THE SOFTWARE OR THE SERVICE, WHETHER MADE BY CYARX’S EMPLOYEES OR OTHERWISE, SHALL BE DEEMED TO BE A WARRANTY BY CYARX FOR ANY PURPOSE, OR GIVE RISE TO ANY LIABILITY OF CYARX WHATSOEVER.
13. LIMITATION OF LIABILITY
- EXCEPT FOR BREACH OF CYARX’S CONFIDENTIALITY OBLIGATIONS PURSUANT TO SECTION 6 ABOVE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CYARX AND ITS AFFILIATES CORPORATE GROUP COMPANIES, INCLUDING THEIR EMPLOYEES, DIRECTORS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON THEIR BEHALF, WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, STATUTORY OR PUNITIVE DAMAGES, OR ANY OTHER DAMAGE OR LOSS (INCLUDING LOSS OF PROFIT AND LOSS OF DATA), COSTS, EXPENSES AND PAYMENTS, EITHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR IN ANY OTHER FORM OR THEORY OF LIABILITY, ARISING FROM, OR IN CONNECTION, WITH THIS AGREEMENT, THE SOFTWARE OR THE SERVICE, INCLUDING ANY USE OF, OR THE INABILITY TO USE THE SOFTWARE; ANY THIRD PARTY HARMFUL ACTS ADVERSELY IMPACTING THE ORGANIZATION’S IT SYSTEMS; ANY DAMAGE TO OR LOSS OF DATA; ANY RELIANCE UPON THE OUTPUT DATA; ANY ERROR, INCOMPLETENESS, INCORRECTNESS OR INACCURACY OF THE OUTPUT DATA, OR INABILITY TO PROPERLY RECOVER DATA; OR ANY OTHER FAILURE, ERROR, OR BREAKDOWN IN THE FUNCTION OF THE SOFTWARE. THE TOTAL AND AGGREGATED LIABILITY OF CYARX AND ITS AFFILIATES CORPORATE GROUP COMPANIES, INCLUDING THEIR EMPLOYEES, DIRECTORS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON THEIR BEHALF, TO THE ORGANIZATION FOR ANY AND ALL DAMAGES WHATSOEVER ARISING FROM, OR IN CONNECTION, WITH THIS AGREEMENT, THE SOFTWARE OR THE SERVICE, SHALL BE LIMITED TO THE FEES THAT THE ORGANIZATION ACTUALLY PAID TO CYARX OR THE RESELLER (AS APPLICABLE) DURING THE 12 MONTHS PRECEDING THE EVENT PURPORTEDLY GIVING RISE TO THE DAMAGE. NOTWITHSTANDING THE FOREGOING, CYARX’S SOLE LIABILITY AND THE ORGANIZATION’S EXCLUSIVE REMEDY, FOR ANY CLAIMS REGARDING THE SOFTWARE’S PERFORMANCE, AVAILABILITY, ERRORS OR MALFUNCTIONS, IS THE PERFORMANCE OF CYARX’S SERVICE OBLIGATIONS.
- The Organization shall indemnify and hold harmless CyArx and anyone acting on CyArx’s behalf, from, and against, any damages, loss, costs, expenses and payments, including reasonable attorney’s fees and legal expenses, resulting from any complaint, claim, allegation or demand arising from or in connection with: (a) your breach of this Agreement; or (b) your use of the Software, or your violation or infringement of any other person's rights committed by using the Software – in either case, provided that the complaint, claim, allegation or demand would have been avoided but for the use you made of the Software.
15. Governing Law and Venue
- Regardless of the Organization’s jurisdiction of incorporation, the jurisdiction where the Organization engages in business or where the Organization or Users access or use the Software from, this Agreement and the Organization’s and Users’ use of the Software will be exclusively governed by and construed in accordance with the laws of the State of New York, excluding any otherwise applicable rules of conflict of laws. Any dispute, controversy or claim which may arise out of or in connection with this Agreement or the Software, shall be submitted to the sole and exclusive jurisdiction of the New York State Courts located in New York County, and the federal district court for the Southern District of New York. Subject to the following sentence, the Organization and CyArx, each hereby expressly consent to the exclusive personal jurisdiction and venue of such courts, and waive any objections related thereto including objections on the grounds of improper venue, lack of personal jurisdiction or forum non conveniens. Notwithstanding the foregoing CyArx may: (a) lodge a claim against the Organization pursuant to the indemnity clause above, in any court adjudicating a third party claim against CyArx; and ; and (b) seek interim or preliminary relief in any court with competent jurisdiction.
- The Organization may not assign the Agreement without CyArx’s prior written consent, which shall not be unreasonably withheld. Any purported assignment without CyArx’s prior written consent is void. CyArx may assign and delegate this Agreement in its entirety, including all right, duties, liabilities, performance and obligations herein, upon notice to the Organization and without obtaining the Organization’s specific consent, to a third-party, upon a merger, acquisition, change of control or the sale of all or substantially all of CyArx’s equity or assets. By virtue of such assignment, the assignee assumes CyArx’s stead, including all right, duties, liabilities, performance and obligations, and CyArx shall be irrevocably released from the same.
- CyArx may subcontract or delegate the performance of its obligations under the Agreement, the exercise of its rights under the Agreement, or the provision of the Service (or any part thereof), to any third party of its choosing provided, including affiliated companies in the CyArx corporate group, provided however, that CyArx remains liable to the Organization for the performance of its obligations under the Agreement. The Organization acknowledges and agrees that the technical means by which CyArx supplies the Software or the Service is at CyArx’s sole discretion.
18. Complete Terms and Severability
- This Agreement constitutes the entire and complete agreement between the Organization and CyArx concerning the subject matter herein. This Agreement supersedes all prior oral or written statements, understandings, negotiations and representations with respect to the subject matter herein. If any provision of this Agreement is held invalid or unenforceable, that provision shall be construed in a manner consistent with the applicable law to reflect, as nearly as possible, the original intentions of the parties, and the remaining provisions will remain in full force and effect. This Agreement may be modified or amended only in writing, signed by the duly authorized representatives of both parties.
19. No waiver
- Neither party will, by mere lapse of time, without giving express notice thereof, be deemed to have waived any breach, by the other party, of any terms or provisions of this Agreement. The waiver, by either party, of any such breach, will not be construed as a waiver of subsequent breaches or as a continuing waiver of such breach.
20. Changes to the Agreement
- From time to time, we may change the Agreement, by providing you notice of such changes and seeking your consent to them. In any event, we will seek your consent to any increase in the applicable Fees, before we bill you for a newly priced subscription Fee. If you do not consent to the amended Agreement or new subscription Fees, we may terminate this Agreement as set out in section 9.1.
Data Processing Addendum
This Addendum applies as follows:
- Part 1 applies in accordance with the applicability provision in Section 2 of Part 1, only where the CyArx entity contracting with the Organization is CyArx Technologies Ltd or CyArx Technologies UK Limited.
- Part 2 applies in accordance with the applicability provision in Section 2 of Part 2, only where the CyArx entity contracting with the Organization is CyArx Inc.
- Part 3 applies in accordance with the applicability provision in Section 2 of Part 3.
1. Capitalized terms used in this Part 1 of the Data Processing Addendum (“DPA”) but not defined in the DPA or in the Agreement have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR).
2. This Part 1 applies only where CyArx is Processing Personal Data as a Data Processor on behalf of the Organization and under the Organization’s instructions, where the Organization is a Data Controller subject to the GDPR with respect to the Personal Data that CyArx’s Processes. It does not apply to CyArx’s Processing Personal Data of Organization’s representatives to market or promote its products, to administer the business or contractual relationship between CyArx and the Organization, CyArx’s use of Performance Information as specified in subsection 6.1 of the Agreement, or in other instances where CyArx operates as the Data Controller.
3. CyArx will Process the Personal Data only on Organization’s behalf and for as long as Organization instructs CyArx to do so. CyArx shall not Process the Personal Data for any purpose other than the purpose set forth in the next section.
4. The subject matter and purposes of the Processing activities are the provision of technical support for the Software to the Organization. The Personal Data Processed may include, without limitation: Names, usernames, email addresses and other information contained in log files.
5. The Data Subjects about whom Personal Data is Processed are: employees and contractors of the Organization.
6. The Organization and CyArx are each responsible for complying with the GDPR as applicable to them in their roles as Data Controller and Data Processor, respectively.
7. CyArx will Process the Personal Data only on documented instructions from the Organization, unless CyArx is otherwise required to do so by law to which it is subject (and in such a case, CyArx shall inform the Organization of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). CyArx shall immediately inform the Organization if, in CyArx’s opinion, an instruction is in violation the GDPR.
8. The Organization may only use the Product to process personal data pursuant to a recognized and applicable lawful basis under the GDPR, such as (by way of example only) legitimate basis. The Organization is solely responsible for determining the lawfulness of the data processing instructions it provides to CyArx and shall provide CyArx only instructions that are lawful under the GDPR.
9. Taking into account the nature of CyArx’s Processing activities, it will assist the Organization to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. CyArx will pass on to Organization requests that it receives from Data Subjects regarding their Personal Data Processed by CyArx.
10. CyArx will make available to Organization all information in its disposal necessary to demonstrate compliance with the obligations under the GDPR.
11. Organization acknowledges and agrees that CyArx uses the sub-processors listed in https://www.siemplify.co/list-of-sub-processors/ to Process Personal Data.
12. The Organization authorizes CyArx to engage other and/or additional sub-processors for carrying out specific processing activities of the Product, provided that CyArx informs Organization at least 10 business days in advance of any new or substitute sub-processor, by email message to the email address that the Organization provided to CyArx when it enrolled to use the Software. The Organization shall have the right to object, on reasoned grounds, to that new or replaced sub-processor within that advance notice period. If Organization objects, CyArx shall have the right to satisfy the objection through one of the following:
(a) CyArx will cancel its plans to use such sub-processor with regard to Personal Data provided by the Organization or will offer an alternative to provide the Product without such sub-processor;
(b) CyArx will take the corrective steps requested by Organization in its objection notice (which remove Organization’s objection) and proceed to use such sub-processor with regard to Personal Data provided by the Organization; or
(c) CyArx may cease to provide, or Organization may agree not to use (temporarily or permanently), the particular aspect of the Product that would involve the use of such sub-processor with regard to Personal Data provided by Organization, subject to a mutual agreement of the Parties to adjust the remuneration for the Product considering their reduced scope.
All objections under Section 12(a) – (c) must be submitted by email to CyArx at email@example.com within 7 days of such change notice (each, an “Objection Notice”). If none of the options outlined in Clause 12(a), 12(b) or 12(c) of Section 12 are reasonably available and Organization’s objection has not been resolved to the Parties’ mutual satisfaction within 30 days of Cyarx’s receipt of the Objection Notice, either Party may terminate the affected purchase order and CyArx will refund to Organization a pro rata share of any unused amounts prepaid by Organization under the applicable purchase order for the Product on the basis of the remaining portion of the current terms of the Order.
If the Organization does not provide a timely Objection Notice with respect to a new sub-processor, Organization will be deemed to have authorized CyArx to use that new sub-processor and to have waived its right to object.
13. CyArx and its sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or using adequate safeguards as required under the GDPR’s provisions governing cross-border data transfers (e.g., Model Clauses).
14. CyArx will procure that the sub-processors Process the Personal Data in a manner consistent with CyArx’s obligations under this Addendum and the GDPR, particularly Article 28 of the GDPR, with such obligations imposed on that sub-processor by way of law or contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
15. In Processing Personal Data, CyArx will implement appropriate technical and organizational measures, as set out in Exhibit 1, to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. CyArx will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
16. Not more than once per annum (unless otherwise required by a data protection authority or the GDPR), CyArx shall allow for and contribute to audits, including carrying out inspections on CyArx’s business premises conducted by Organization or another auditor mandated by Organization during normal business hours and subject to a prior notice to CyArx of at least 30 days as well as appropriate confidentiality undertakings by Organization covering such inspections in order to establish CyArx’s compliance with this Addendum and the provisions of the GDPR as regards the Personal Data that CyArx processes on behalf of Organization. If such audits entail material costs or expenses to CyArx, the parties shall first come to agreement on Organization reimbursing CyArx for such costs and expenses.
17. CyArx shall without undue delay notify Organization of any Personal Data Breach that it becomes aware of regarding Personal Data of Data Subjects that CyArx Processes. CyArx will use commercial efforts to mitigate the breach and prevent its recurrence. Organization and CyArx will cooperate in good-faith on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.
18. CyArx will assist Organization with the preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to CyArx, the parties shall first come to agreement on Organization reimbursing CyArx for such costs and expenses.
19. CyArx will provide Organization prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Organization’s behalf, so that Organization may contest or attempt to limit the scope of production or disclosure request.
20. CyArx deletes the Personal Data it has Processed on Organization’s behalf under this Addendum from its own and its sub-processor’s systems, shortly after it completes the technical support request, and upon Organization’s request, will furnish written confirmation that the Personal Data has been deleted pursuant to this section.
21. The duration of Processing that CyArx performs on the Personal Data is for the period set out in the Agreement between the parties. This Addendum shall prevail in the event of inconsistencies between it and the Agreement between the parties or subsequent agreements entered into or purported to be entered into by the parties after the date of this Addendum – except where explicitly agreed otherwise in writing.
1. Capitalized terms used in this Part 2 of the Data Processing Addendum (“DPA”) but not defined in the DPA or in the Agreement have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR).
2. This Part 2 applies only where CyArx is Processing Personal Data as a Data Processor on behalf of the Organization and under the Organization’s instructions, where the Organization is a Data Controller subject to the GDPR with respect to the Personal Data that CyArx’s Processes. It does not apply to CyArx’s Processing Personal Data of Organization’s representatives to market or promote its products, to administer the business or contractual relationship between CyArx and the Organization, CyArx’s use of Performance Information as specified in subsection 6.1 of the Agreement, or in other instances where CyArx operates as the Data Controller.
3. The Organization and CyArx hereby assent to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN), as follows:
3.1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: Transfer controller to processor: The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 business days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The process and consequences for objections shall be as specified in Section 12 of Part 1 above.
3.2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the EU member state in which the Organization is established, or, if the Organization is not established in any EU member state, then the law of the Republic of Ireland.
3.3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of the EU member state’s town in which the Organization is established, or, if the Organization is not established in any EU member state, then the courts of Dublin, Ireland.
3.4. In Annex I, for MODULE TWO: Transfer controller to processor:
3.4.1. Data Exporter: Organization.
126.96.36.199. Activities relevant to the data transferred under these Clauses: an organization using the Software which involve processing personal data and seeking of technical support for the Software (including, without limitation, the provision of such data to the data importer, including transfers outside of the European Economic Area).
188.8.131.52. Role: Controller.
3.4.2. Data Importer: CyArx.
184.108.40.206. Activities relevant to the data transferred under these Clauses: Developer, operator and provider of the Sofware, including the provision of technical support for the Software.
220.127.116.11. Role: Processor.
3.5. Description of Transfer:
3.5.1. Categories of data subjects whose personal data is transferred: employees and contractors of the Organization.
3.5.2. Categories of personal data is transferred: Names, usernames, email addresses and other information contained in log files.
3.5.3. Sensitive data transferred: None.
3.5.4. The frequency of the transfer: on a continuous basis (if the Software used is in a cloud-based configuration operated by CyArx), or at discrete eventualities during technical support inquiries (if the Software is used on-premise at the Organization).
3.5.5. Nature of the processing: recording, storage, consultation, use, disclosure by transmission and erasure.
3.5.6. Purpose(s) of the data transfer and further processing: the provision of the Software’s cybersecurity functionality to the Organization (if the Software used is in a cloud-based configuration operated by CyArx), or the provision of technical support for the Software (if the Software is used on-premise at the Organization).
3.5.7. The period for which the personal data will be retained: the period of the Agreement (if the Software used is in a cloud-based configuration operated by CyArx) or for the duration of a technical support request, and until it is completed (if the Software is used on-premise at the Organization).
3.5.8. Transfers to (sub-) processors: see at https://www.siemplify.co/list-of-sub-processors/
3.5.9. Competent Supervisory Authority: the data protection authority in the EU member state in which the Organization is established, or the Organization’s lead supervisory authority for GDPR purposes, but if the Organization is not established in any EU member state, then the supervisory authority of the EU member state in which the Organization’s EU representative pursuant to Article 27 of the GDPR is located.
3.6. In Annex II, for MODULE TWO (TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA): Transfer controller to processor – See Exhibit 1 below.
4. The Organization will comply with its obligations under the GDPR.
5. If CyArx’s assistance to the Organization under Clause 10 of the SCCs entails material costs, expenses or resources to Organization, then the parties shall first discuss and agree on the fees payable to Organization for such assistance.
6. Audit and inspections conducted under Clause 8.9 of the SCCs shall be conducted during ordinary business hours of CyArx and with minimal disruption to CyArx’s ordinary course of business, shall not extend to any activities of CyArx with other customers or parties, and if conducted by an independent auditor, such auditor shall be made subject to appropriate confidentiality undertakings satisfactory to CyArx. If such inspections or audits entail material costs, expenses or resources to CyArx, then the parties shall first discuss in good faith and agree on the fees payable to CyArx for such inspections or audits.
Exhibit 1 to Parts 1 and 2
(a) deny unauthorised persons access to processing equipment used for processing (‘equipment access control’);
(b) prevent the unauthorised reading, copying, modification or removal of data media (‘data media control’);
(c) prevent the unauthorised input of personal data and the unauthorised inspection, modification or deletion of stored personal data (‘storage control’);
(d) prevent the use of automated processing systems by unauthorised persons using data communication equipment (‘user control’);
(e) ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation (‘data access control’);
(f) ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (‘communication control’);
(g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’);
(h) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’);
(i) ensure that installed systems may, in the case of interruption, be restored (‘recovery’);
(j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’).
(k) implement a process for regularly testing, assessing, evaluating and enhancing the effectiveness of technical and organizational measures for ensuring the security of the Processing (‘assessments’)
1. Capitalized terms used in this Part 3 of the Data Processing Addendum (“DPA”) but not defined in the DPA or in the Agreement have the meaning ascribed to them in the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §1798.140.
2. This Part 3 applies only where CyArx is processing Personal Information as a Service Provider on behalf of the Organization where the Organization in a Business subject to the CCPA. It does not apply to CyArx’s Processing Personal Information of Organization’s representatives to market or promote its products, to administer the business or contractual relationship between CyArx and the Organization, CyArx’s use of Performance Information as specified in subsection 6.1 of the Agreement, or in other instances where CyArx operates in a capacity other that a Service Provider of the Organization.
3. The Parties acknowledge and agree that CyArx is a Service Provider. To that end, and unless otherwise requires by law:
3.1. CyArx is prohibited from retaining, using or disclosing Organization’s Personal Information for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide, the technical support for the Product or as otherwise permitted under 11 CCR §999.314(c); (b) Selling the Organization’s Personal Information; and (c) retaining, using or disclosing the Organization’s Personal Information outside of the direct business relationship between the Parties, except as permitted under 11 CCR §999.314(c). CyArx certifies that it understands the restriction specified in this subsection and will comply with it.
3.2. If CyArx receives a request from a California Consumer of the Organization, about his or her Personal Information, CyArx shall not comply with the request itself, but shall inform the Consumer that CyArx’s basis for denying the request is that the CyArx is merely a service provider that follows Organization’s instruction, and inform the Consumer that they should submit the request directly to the Organization and provide the Consumer with the Organization’s contact information.
4. CyArx shall delete the Personal Information it has Processed on Organization’s behalf under this Addendum from its own and its service provider’s systems, shortly after it completes the technical support request, and upon Organization’s request, will furnish written confirmation that the Personal Information has been deleted pursuant to this section.
5. CyArx shall assist Organization by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Organization’s obligation to respond to requests for exercising Consumer rights under the California Consumer Privacy Act of 2018.
6. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of CyArx’s processing of Personal Information of the Organization, as well as the nature of personal information processed for Organization, CyArx shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).