This Master Cloud Services Agreement (“Agreement”) is between Asset Management Technologies, LLC. (“AMTdirect”), a Delaware corporation, and Customer. It should be read together with each Order Form and, if applicable, the Statement of Work.
PART ONE – SUBSCRIPTION SERVICES.
1.1. The Software is located on servers that are controlled by AMTdirect. Customer may access the Software but has no right to receive a copy of the object code or source code to the Software.
1.2. Customer must have a high-speed Internet connection, hardware and software that is compatible with the Subscription Services, as set out in the Documentation. None of these things are AMTdirect’s responsibility.
1.3. AMTdirect regularly upgrades and updates the Subscription Services.
1.4. AMTdirect solely owns the intellectual property in the Software (except for third party components) and the Documentation.
1.5. The Subscription Services will generally be available twenty-four (24) hours per day, seven (7) days per week and three hundred and sixty-five (365) days per year excluding Scheduled Maintenance. If the Subscription Services availability is less than ninety-eight (98%) percent during a calendar month (Downtime Threshold) excluding Scheduled Maintenance, Customer’s account will be credited for one (1) day of annual Subscription Fees. For each additional one (1%) percent below the Downtime Threshold within a calendar month, Customer’s account will be credited for an additional one (1) day of annual Subscription Fees. If the Subscription Services availability is less than ninety (90%) percent over three (3) consecutive months or any four (4) months in a twelve (12) month period, excluding Scheduled Maintenance, Customer shall have the right to terminate the Agreement and receive a refund for any prepaid Subscription Service fees. AMTdirect will make commercially reasonable efforts to perform Schedule Maintenance between the hours of 12am EST and 6am EST during weekdays and on weekends. Scheduled Maintenance is defined as modifications, upgrades, planned maintenance, or other mutually agreed upon discretionary service activity. Subscription Services availability shall be calculated on an annual contract year basis with any applicable credit applied to the following contract year’s Subscription Fees , except that in the event this Agreement is terminated before such credits are applied, AMTdirect will issue Customer a check in the amount of any accrued credits within thirty (30) days of termination.. System downtime caused by circumstances beyond AMTdirect’s control, including but not limited to, acts of God, negligence, misuse, Customer network, power, Internet and environmental failures, will be excluded from the calculations.
1.6. AMTdirect shall provide technical support for the Subscription Services between the hours of 8am EST and 8pm EST, Monday through Friday excluding weekends and standard US holidays (Business Day). After hours support will be available for emergency requests only. Support services include errors, failures and malfunctions of the Subscription Services which are not functioning as defined in the Documentation. AMTdirect will respond to support requests with fifteen (15) minutes during Business Day hours. Customer shall provide AMTdirect with all reasonably available information concerning the support request. If a support request is related to a complete Subscription Services outage or material functionality or module is unavailable, AMTdirect will respond immediately and work on the support issue until resolved. AMTdirect will communicate and provide updates to Customer as reasonably warranted for each support issue.
1.7. AMTdirect shall conduct its own audits pertaining to the Subscription Services consistent with companies that provide similar products and perform similar services. AMTdirect will perform a security audit at least annually and will cause a SSAE 16 SOC 1 Type II audit (or equivalent audit) (“SSAE 16 Audit”) to be conducted annually for each shared services facility at or from which the Subscription Services are provided or performed. Upon written request, AMTdirect will provide Customer and its independent auditors with a summary of the SSAE 16 Audit findings as soon as reasonably possible after completion of the audit report. To the extent the resulting audit report reveals an actual or potential adverse effect on Customer, AMTdirect will correct any material errors or problems identified in the audit report as soon as reasonably possible.
Customer may not:
2.1. transfer to any other person any of its rights to use the Subscription Services;
2.2. sell, rent or lease the Subscription Services;
2.3. make the Subscription Services available to anyone who is not an “Authorized User”. An Authorized User is an employee of Customer, or a person to whom Customer has outsourced services, who is authorized to access the Software as either a named or concurrent user;
2.4. create any derivative works based upon the Subscription Services or Documentation;
2.5. copy any feature, design or graphic in, or reverse engineer the Software;
2.6. access the Subscription Services (i) in order to build a competitive solution or to assist someone else to build a competitive solution; or
2.6.1. (ii) grant access to any consultant or an employee working for an AMTdirect competitor;
2.7. use the Subscription Services in a way that violates any criminal or civil law; or
2.8. load test the Subscription Services in order to test scalability.
3.1. Customer must provide all data for use in the Subscription Services, and AMTdirect is not obliged to modify or add to the Customer Data. Customer is solely responsible for the content and accuracy of the Customer Data.
3.2. The Customer Data belongs to Customer, and AMTdirect makes no claim to any right of ownership in it.
3.3. AMTdirect must keep the Customer Data confidential in accordance with Section 13 of this Agreement.
3.4. AMTdirect must use the Customer Data strictly as necessary to carry out its obligations under this Agreement, and for no other purpose. However, AMTdirect:
3.4.1. may observe and report back to Customer on Customer’s usage of the Subscription Services, and make recommendations for improved usage of the Subscription Services;
3.4.2. may identify trends and publish reports on its findings provided the reports include data aggregated from more than one customer site and do not identify Customer; and,
3.4.3. must maintain security practices (which include adequate and appropriate administrative, physical and technical safeguards, including underlying operating system and network security controls) designed to meet or exceed industry best practices. Such security practices shall include (i) continuous monitoring for Security Threats and Security Incidents; (ii) use of firewalls and real-time intrusion detection systems, encryption and other secure technologies to collect, store and/or transmit Customer Data; (iii) physical security procedures, including security guards, and regular monitoring of all areas in which Customer Data is stored; (iv) restriction on access to and copying of Customer Data on a “need-to-know” basis and only at authorized locations; (v) background checks on AMTdirect personnel with access to Customer Data; and (vi) regular monitoring of password procedures used to gain access to Customer Data; and,
3.4.4. must ensure that the data center containing the Customer Data meets the following physical and electronic security requirements: (i) single point of entry; (ii) main access monitored with additional access for emergency purposes only; (iii) surveillance cameras in facility; (iv) access validation with identity check; (v) access only to persons on AMTdirect approved access list; (vi) log-in validation; (vii) creation of accounts only as verified by AMTdirect or sub-contracted hosting provider; (viii) access to servers via encrypted means; and, (ix) servers running behind secure firewall.
3.5. AMTdirect must take reasonable technical and organizational measures to keep personal data secure and to protect it against accidental loss or unlawful destruction, alteration, disclosure or access; and, must deal with the information only in accordance with Customer’s instructions, provided they are reasonable and lawful.
3.6. AMTdirect must back up Customer Data once in each 24-hour period.
3.7. AMTdirect shall maintain and implement, or cause to be maintained and implemented, a written disaster avoidance and recovery plan (“Disaster Plan”) with procedures designed to safeguard and to recover after a disaster event: (i) Customer Data, (ii) AMTdirect’s processing capability, and (iii) the availability of the Subscription Services. AMTdirect shall provide Customer a copy of the Disaster Plan upon written request. AMTdirect shall regularly review the Disaster Plan and update or change the Disaster Plan as necessary in accordance with industry best practices. AMTdirect shall notify Customer of any updates or changes to the Disaster Plan and upon written request, provide Customer with a copy of such updated or changed Disaster Plan.
3.7.1. In the event of any event of unplanned interruption in the availability of the Subscription Services or any loss or corruption of any Customer Data (each, a “Disaster Event”), AMTdirect shall restore availability of the Subscription Services and Customer Data within a reasonable amount of time. AMTdirect shall perform disaster recovery testing at least once every calendar year and provide to Customer copies of such test results upon written request.
4.1. If the Subscription Services do not function substantially in accordance with the Documentation, AMTdirect must, at its option, either (i) modify the Subscription Services to conform to the Documentation; or (ii) provide a workaround solution that will reasonably meet Customer’s requirements. If neither of these options is commercially feasible, either party may terminate the relevant Order Form under this Agreement, in which case AMTdirect shall refund to Customer all fees pre-paid to AMTdirect under the relevant Order Form for unused Subscription Services.
4.2. If the normal operation, possession or use of the Subscription Services by Customer is found to infringe any third party U.S. intellectual property right or AMTdirect believes that this is likely, AMTdirect must, at its option, either (i) obtain a license from such third party for the benefit of Customer; (ii) modify the Subscription Services so that they no longer infringe; or (iii) if neither of these options is commercially feasible, terminate the relevant Order Form under this Agreement, in which case AMTdirect shall refund to Customer all fees pre-paid to AMTdirect under the relevant Order Form for unused Subscription Services.
4.3. However, AMTdirect has no warranty obligations for problems in the Subscription Services caused by any third-party software or hardware, by accidental damage or by other matters beyond AMTdirect’s reasonable control.
PART TWO – PROFESSIONAL SERVICES.
5.1. If the Professional Services do not conform to the Order Form or a Statement of Work or are not performed with reasonable skill, care and diligence, AMTdirect shall re-perform the Professional Services to the extent necessary to correct the defective performance.
PART THREE – GENERAL.
9.1. Customer must pay a finance charge on any overdue payment of one and one-half percent (1-1/2%) for each month or portion of a month that the payment is overdue, or the highest interest rate permitted by applicable law, whichever is the lower. Interest shall compound monthly. The fees do not include any taxes, and Customer shall pay any sales, use, value added or other taxes or import duties (other than corporate income taxes payable by AMTdirect) due because of any amounts paid to AMTdirect. Customer shall bear all of AMTdirect’s costs of collection of overdue fees, including reasonable attorneys’ fees.
9.2. During the Term, if Customer purchases additional features from AMTdirect, the purchase price for the additional features shall be added to the current license rates, multiplied by the current license count and pro-rated so that the added feature subscription will terminate on the same day as the initial subscription.
9.3 During the Term, if Customer exceeds the Min. Units as defined in the Order Form, Customer will purchase additional License (Lic.) Blocks as defined in the Order Form. The new License Blocks will be pro-rated so that the added License Block subscription will terminate on the same day as the initial license subscription.
10.1. Either party may terminate rights granted under a particular Order Form if the other breaches any material term of the Order Form (including a material term of this Agreement insofar as it applies to the Order Form) and the breach is not cured within 30 days of written notice. Customer’s breach of Section 2 of this Agreement shall be considered a material breach.
10.2. Instead of terminating rights granted to a Customer under an Order Form, AMTdirect may suspend the provision of Subscription Services to Customer for a period of up to 45 days. At any time during that period, AMTdirect may terminate the rights granted to Customer.
10.3. Sections 2.4, 2.5, 3.3, 7, 9, 11, 12, 13, 14, 15 and 17 continue after this Agreement ends.
10.4. If AMTdirect terminates an Order Form under this Agreement because of non-payment by Customer, all unpaid fees for the remainder of the Subscription Term immediately fall due for payment.
10.5. Upon termination of Customer’s Subscription Service, AMTdirect must promptly provide Customer with all Customer Data in comma separated value (CSV) format. However, AMTdirect may retain Customer Data in backup media for an additional period of up to 12 months, or longer if required by law.
13.1. The Subscription Services, Software, Documentation and Work Product contain valuable trade secrets that are the sole property of AMTdirect, and Customer agrees to use reasonable care to prevent other parties from learning of these trade secrets. Customer must take reasonable care to prevent unauthorized access to or duplication of the Subscription Services, Software, Documentation, and Work Product.
13.2. The Customer Data may include valuable trade secrets that are the sole property of Customer. AMTdirect must take reasonable care to prevent other parties from learning of these trade secrets.
13.3. Sections 13.1 and 13.2 do not apply to any information that (i) is now, or subsequently becomes, through no act or failure to act on the part of receiving party (the “Receiver”), generally known or available; (ii) is known by the Receiver at the time of receiving such information, as evidenced by the Receiver’s records; (iii) is subsequently provided to the Receiver by a third party, as a matter of right and without restriction on disclosure; or (iv) is required to be disclosed by law, provided that the party to whom the information belongs is given prior written notice of any such proposed disclosure.
14.1. However, AMTdirect shall have no indemnification obligations for any Legal Action arising out of: (i) a combination of the Subscription Services, Software or Work Product with software or products not supplied, or approved in writing by AMTdirect; (ii) any repair, adjustment, modification or alteration to the Subscription Services by Customer or any third party, unless approved in writing by AMTdirect; or (iii) any refusal by Customer to install and use a non-infringing version of the Subscription Services, or Work Product offered by AMTdirect under Section 4.2(ii). Section 4.2(ii) and this Section 14 state the entire liability of AMTdirect with respect to any intellectual property infringement by the Subscription Services, Software or Work Product.
14.2. Customer must give written notice to AMTdirect of any Legal Action no later than 30 days after first receiving notice of a Legal Action, and must give copies to AMTdirect of all communications, notices and/or other actions relating to the Legal Action. Customer must give AMTdirect the sole control of the defense of any Legal Action, must act in accordance with the reasonable instructions of AMTdirect and must give AMTdirect such assistance as AMTdirect reasonably requests to defend or settle such claim. AMTdirect must conduct its defense at all times in a manner that is not averse to Customer’s interests. Customer may employ its own counsel to assist it with respect to any such claim. Customer must bear all costs of engaging its own counsel, unless engagement of counsel is necessary because of a conflict of interest with AMTdirect or its counsel, or because AMTdirect fails to assume control of the defense. Customer must not settle or compromise any Legal Action without AMTdirect's express written consent. AMTdirect shall be relieved of its indemnification obligation under Section 14 if Customer materially fails to comply with Section 14.2.
15.1. AMTdirect must give written notice to Customer of any Legal Claim no later than 30 days after first receiving notice of a Legal Claim, and must give copies to Customer of all communications, notices and/or other actions relating to the Legal Claim. AMTdirect must give Customer the sole control of the defense of any Legal Claim, must act in accordance with the reasonable instructions of Customer and must give Customer such assistance as Customer reasonably requests to defend or settle such claim. Customer must conduct its defense at all times in a manner which is not averse to AMTdirect’s interests. AMTdirect may employ its own counsel to assist it with respect to any such claim. AMTdirect must bear all costs of engaging its own counsel, unless engagement of counsel is necessary because of a conflict of interest with Customer or its counsel, or because Customer fails to assume control of the defense. AMTdirect must not settle or compromise any Legal Claim without Customer’s express written consent. Customer shall be relieved of its indemnification obligation under Section 15 if AMTdirect materially fails to comply with Section 15.1.
17.1. This Agreement together with the Order Form represents the entire agreement of the parties, and supersedes any prior or current understandings, whether written or oral. If there is a conflict between the Agreement and an Order Form, the Order Form will prevail.
17.2. This Agreement may not be changed, or any part waived except in writing by the parties.
17.3. This Agreement will be governed by the laws of North Carolina (excluding its choice of law rules). The parties consent to the exercise of exclusive jurisdiction by the state or federal courts in the State of North Carolina for any claim relating to this Agreement.
17.4. Neither party may assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written consent of the other party. Neither party may withhold such consent in the case of an assignment by the other of its rights and obligations to an entity that has acquired all, or substantially all of the assets of the other party, or to an assignment that is part of a genuine corporate restructure. Any assignment in breach of this Section is void.
17.5. Customer must not export or re-export, directly or indirectly, any Subscription Services, Documentation or confidential information to any countries outside the United States except as permitted under the U.S. Commerce Department’s Export Administration Regulations.
17.6. The Subscription Services and Documentation provided to the U.S. Government are "Commercial Items", as that term is defined at 48 C.F.R. 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation", within the meaning of 48 C.F.R. 12.212 or 48 C.F.R.227.7202, as applicable. Consistent with 48 C.F.R. 12.212 or 48 C.F.R. 227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein, as provided in FAR 12.212, and DFARS 227.7202-1(a), 227.7202-3(a), 227.7202-4, as applicable.
17.7. Before commencing any work, and as a condition precedent for payment, AMTdirect shall purchase and maintain insurance at its sole cost and expense, in conformance with the provisions indicated below. This insurance will provide a defense and indemnify Customer and its affiliated companies, their respective directors, officers, agents, and employees against any and all claims of any nature whatsoever, arising out of AMTdirect’s services under this Agreement. Said insurance shall be primary, not contributory, and no excess of any other coverage of AMTdirect or Customer.
(i) General Liability insurance in an amount not less than one million dollars ($1,000,000) per occurrence and three million dollars ($3,000,000) in the aggregate.
(ii) Workers Compensation insurance, as applicable, in accordance with the laws of the State of North Carolina for employees, with Employer’s Liability limits of one million dollars ($1,000,000).
(iii) Cyber Liability insurance in an amount not less than five million dollars ($5,000,000).
(iv) Errors and Omissions coverage in an amount not less than five million dollars ($5,000,000).
17.8. Both parties shall abide by all applicable federal and state statutes, rules, regulations, orders and directives of any and all applicable government and regulatory bodies having jurisdiction.
PART FOUR – DEFINITIONS.
18.1. “Customer Data” means any electronic information stored in the Software database.
18.2. “Documentation” means user documentation provided electronically by AMTdirect for use with the Subscription Services, as periodically updated.
18.3. “Order Form” means a document provided by AMTdirect and signed by Customer that describes AMTdirect’s service offering.
18.4. “Professional Services” means the training, consulting, development and other professional services identified on a Statement of Work but does not include the Subscription Services.
18.5. “Statement of Work” means a document provided by AMTdirect and signed by Customer that describes the Professional Services to be provided by AMTdirect to Customer.
18.6. “Software” means the software whose functionality is described in the Order Form.
18.7. “Subscription Services” means the hosted customer experience solutions identified in an Order Form, and any modifications periodically made by AMTdirect, but does not include the Professional Services.
18.8. “Subscription Term” means the period of time during which AMTdirect is required to provide Customer with the Subscription Services.
18.9. “Work Product” means object code, source code, flow charts, documentation, information, reports, test results, findings, ideas and any works and other materials developed by AMTdirect in providing the Professional Services to Customer.
DATA PROCESSING APPENDIX
This Data Processing Appendix (“Appendix”) forms part of the Asset Management Technologies, LLC. Master Cloud Services Agreement with Customer (“Master Agreement”) between: (i) Asset Management Technologies, LLC (“AMTdirect”) acting on its own behalf and in the name and on behalf of each AMTdirect Affiliate; and (ii) [______________] (“Customer”) acting on its own behalf and in the name and on behalf of each Customer Affiliate authorized pursuant to the Master Cloud Services Agreement to access the Subscription Services (as defined in the Master Cloud Services Agreement).
The parties hereby agree that the terms and conditions set out below shall be added as an Appendix to the Master Cloud Services Agreement.
1.1 In this Appendix, the following terms shall have the meanings set out below:
(a) “Appendix Effective Date” has the meaning given to it in section 2;
(b) “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either AMTdirect or Customer (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
(c) “Data Protection Laws” means applicable legislation protecting the personal data of natural persons, including the national legislation implementing Directive 95/46/EC (and, from 25 May 2018, the GDPR and any national legislation which supplements the GDPR), together with binding guidance and codes of practice issued from time to time by relevant supervisory authorities;
(d) “Customer Client” means a third party which is a client of Customer or any Customer Affliate, and a recipient of the Customer Services;
(e) “Customer Services” means services provided by Customer to a Customer Client where Customer Processes Personal Data on behalf of the Customer Client as a Processor;
(f) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the Processing of personal data and on the free movement of such data;
(g) The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process/Processing”, and “Sub-Processor” have the same meaning as described in the Data Protection Laws;
(h) “Restricted Transfer” means a transfer of Personal Data from Customer or its Affiliate to AMTdirect or its Affiliate, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses;
(i) “Services” means the services supplied by AMTdirect to Customer under the Master Cloud Services Agreement;
(j) “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision 2010/87/EU, as updated, amended, replaced or superseded from time to time by the European Commission; and
(k) “Working Day” means any day (other than a Saturday or Sunday) on which banks in the City of New York are open for general business.
2.1 This Appendix comes into effect on the latest date that this Appendix is signed by both AMTdirect and the Customer below (“Appendix Effective Date”).
The parties acknowledge and agree that the Processing of Customer Personal Data, and as more fully described in Annex 1 hereto, AMTdirect acts as a Processor, on behalf of Customer. AMTdirect acknowledges that Customer may either be (i) a Controller of the Customer Personal Data; or (ii) itself appointed as a Processor of the Customer Personal Data under separate agreements with Customer Clients that require Customer to flow down equivalent data processing obligations to AMTdirect.
In Annex 1 to this Appendix, the parties have set out their understanding of the Personal Data to be Processed by AMTdirect pursuant to this Appendix (“Customer Personal Data”).
5.1 In the course of performing their mutual obligations pursuant to the Master Cloud Services Agreement, both parties shall duly observe their respective obligations under the Data Protection Laws.
5.2 Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to AMTdirect for the duration and purposes of this Appendix and the Master Agreement.
5.3 In respect of its Processing of Customer Personal Data AMTdirect shall:
5.3.1 Process the Customer Personal Data solely on the documented instructions of Customer, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Master Cloud Services Agreement, unless required by European Union or Member State law to which AMTdirect or any AMTdirect Affiliate is subject, in which case AMTdirect shall inform Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest;
5.3.2 Process only the types of Customer Personal Data, relating to the categories of Data Subjects, and in the manner required to deliver the Services, as is set out in the Annex 1, or as otherwise agreed in writing by the Parties;
5.3.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Customer Personal Data in accordance with Article 32 of the GDPR and in accordance with any specific requirements mandated by an Customer Client and notified to AMTdirect;
5.3.4 ensure that any staff who may have access to Customer Personal Data commit themselves to contractual or statutory obligations of confidentiality, and take reasonable steps to ensure the reliability of such staff;
5.3.5 be expressly and specifically authorized to use (i) those Sub-Processors already engaged by AMTdirect or any AMTdirect Affiliate as at the date of this Appendix; (ii) any AMTdirect Affiliate as a Sub-Processor;
5.3.6 be generally authorized to engage any other Sub-Processor, subject to AMTdirect:
220.127.116.11 notifying or publishing to Customer any changes to its use of Sub-Processors;
18.104.22.168 including terms in its contract with each Sub-Processor which are materially the same as those set out in this Appendix; and
22.214.171.124 remaining liable to Customer for any failure by each Sub-Processor to fulfil its obligations in relation to the Processing of Customer Personal Data.
In relation to any notice received under clause 5.3.6, Customer shall have a period of 30 (thirty) days from the date of the notice to register any reasonable objection to the use of that Sub-Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of Customer’s objection, work together in good faith to attempt to find a commercially reasonable solution for Customer which avoids the use of the objected-to Sub-Processor. Where no such solution can be found, either party may (notwithstanding anything to the contrary in the Master Cloud Services Agreement) terminate the relevant Services immediately on notice to the other party;
5.3.7 promptly (and in any case within 3 Working Days) notify Customer of any communication from a Data Subject regarding the Processing of their Personal Data which is comprised in Customer Personal Data, or any other communication (including from a supervisory authority) relating to either party's obligations under the Data Protection Laws in respect of Customer Personal Data;
5.3.8 notify Customer without undue delay of any Personal Data Breach, such notice to include all information reasonably required by Customer to comply with its obligations under the Data Protection Laws;
5.3.9 make available to Customer on request all information necessary to demonstrate compliance with this Appendix, and permit Customer (or another auditor mandated by Customer, provided that mandated auditor is not, in the reasonable opinion of AMTdirect, a competitor of AMTdirect or any AMTdirect Affiliate), on reasonable prior notice to inspect and audit the facilities used by AMTdirect to Process Customer Personal Data, and any and all records maintained by AMTdirect relating to that Processing, subject to AMTdirect withholding access to any records containing confidential information pertaining to other clients of AMTdirect; if and only if:
126.96.36.199 AMTdirect has not provided sufficient evidence of its compliance with the technical and organizational measures that protect the systems related to that Processing through providing a valid ISAE3402 and/or ISAE3000 or other SOC1-3 attestation report. Upon Customer’s request audit reports or ISO certifications are available through the third party auditor or AMTdirect;
188.8.131.52 A Personal Data Breach has occurred;
184.108.40.206 An audit is formally requested by Customer’s data protection authority; or
220.127.116.11 Data Protection Laws provide Customer with a direct audit right and provided that Customer shall only audit once in any twelve month period unless mandatory Data Protection Laws require more frequent audits.
5.3.10 provide reasonable assistance requested by Customer in relation to (i) any communication received under clause 3.7, as well as any similar communication received by Customer directly; (ii) any Personal Data Breach, including by taking any appropriate technical and organizational measures reasonably directed by Customer; and (iii) any data protection impact assessment which Customer or any Customer Affiliate is required to perform under Article 35 of the GDPR in respect of Processing undertaken by AMTdirect, taking into account the nature of the Processing and the information available to AMTdirect;
5.3.11 except to the extent required by this clause 3.11, cease Processing Customer Personal Data upon the termination or expiry of the Master Agreement and:
18.104.22.168 subject to clauses 3.11.1, 22.214.171.124, and the terms of the Principle Agreement, delete Customer Personal Data;
126.96.36.199 when instructed by Customer within 90 days of the termination or expiry of the Master Cloud Services Agreement, securely return to Customer or destroy the Customer Personal Data and all copies. If AMTdirect is required to destroy Customer Personal Data then AMTdirect will do so in accordance with the standards of the National Institute of Standards and Technology and provide an attestation to Customer upon completion that it has destroyed the Personal Data in compliance with those standards;
188.8.131.52 where required by European Union or Member State law to which AMTdirect or any AMTdirect Affiliate is subject, retain Customer Personal Data to the extent and for the duration reasonably required by that law.
5.4 AMTdirect may charge a reasonable fee for any assistance provided by AMTdirect to Customer under this clause 5; provided, that AMTdirect shall notify Customer in advance of any such fee and ensure that Customer agrees in writing to such fee Customer prior to the incurring of the relevant costs for which recovery is sought by AMTdirect.
6.1 In respect of any Restricted Transfer, the parties hereby enter the Standard Contractual Clauses. Appendix 1 to the Standard Contractual Clauses shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Appendix and the Processing operations are deemed to be those described in the Master Cloud Services Agreement. Appendix 2 to the Standard Contractual Clauses shall be deemed to be prepopulated with the following “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood for the rights and freedoms of natural persons, AMTdirect shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate the specific controls described in Article 32(1), (a) to (d) inclusive of the GDPR and including any other controls mandated by applicable Data Protection Laws”.
6.2 The Standard Contractual Clauses shall come into effect on the commencement of a Restricted Transfer among any parties to the Standard Contractual Clauses.
The provisions of this Appendix are supplemental to the provisions of the Master Cloud Services Agreement. In the event of inconsistencies between the provisions of this Appendix and the provisions of the Master Cloud Services Agreement, the provisions of this Appendix shall prevail. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this Appendix, the terms of the Standard Contractual Clauses shall take precedence.
Should any provision of this Appendix be invalid or unenforceable, then the remainder of this Appendix shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible; or (ii) if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
Annex 1: Description of Personal Data Processing
This Annex includes certain details of the Processing of the Personal Data as required by Article 28(3) GDPR.
1. Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Master Cloud Services Agreement and this Appendix.
2. The nature and purpose of the Processing of the Personal Data
AMTdirect is engaged to provide Services to Customer (which may, in turn, by engaged to provide the Customer Services to Customer Client), which involve the Processing of Personal Data. The scope of the Services is set out in the Master Cloud Services Agreement, and Customer Personal Data will be Processed by AMTdirect to deliver those Services and to comply with the terms of the Master Agreement and this Appendix.
3. The types of the Personal Data to be Processed
Customer or employee information (or information pertaining to Customer Clients' customers or employees) which may be collected during delivering services to Customer, including name, title, gender, personal contact details (address, telephone number, email address), work address, work email, work telephone numbers, job title, and other types of Personal Data supplied by Customer to AMTdirect pursuant to the Master Cloud Services Agreement.
The categories of Data Subject to whom the Personal Data relates
The categories of Data Subjects are determined by the nature of the client engagement, the details of which are covered in the Master Cloud Services Agreement.
The obligations and rights of Client
The obligations and rights of Customer are set out in the Master Cloud Services Agreement and this Appendix.