Service Level Agreements
The information provided here is for UVATION clients, subscribers and suppliers
who have questions about our terms, policies, intellectual property, and compliance.
Service Level Agreements
General terms
These terms applies to all our existing and new customers as of Jan 01, 2020 and onwards.
Scope.
These General Terms of Service (“Terms”) will be applied to an agreement between Uvation, LLC, (Uvation), and a customer (“Customer”) to whom Uvation provides cloud-based infrastructure and software services for the Customer’s commercial purposes (“Service”). In these Terms, Uvation and Customer are referred to jointly as the “Parties” and individually as a “Party”. The Parties expressly acknowledge that the Service is neither intended nor fit for use by consumers.
These terms are a general agreement between us at Uvation and you the user. They exist to protect both you as a user of the provided services and us as a service provider, and help you understand your rights and obligations as a customer.
Agreement Documents.
An agreement is formed between the Parties when Uvation receives an appropriately filled-in registration or order form (“Order”) which the Customer has submitted through a registration and/or purchasing procedure on Uvation’s website. In connection with the registration procedure the Customer will create a service account. Any referral herein to “Agreement” includes the Order, service descriptions attached or referred to in the Order, the service level agreement (“SLA”), the acceptable use policy (“AUP”) and these Terms. The SLA and the AUP are available on Uvation’s website.
You agree to these terms when registering for an account through our website.
Provision of Service.
Uvation shall provide the Customer with the Service, which is specified in the Order. If the provided Service differs from the specifications, Uvation shall correct the Service promptly after a notification by the Customer.
We promise to provide your services as you requested. And if not, let us know and we’ll be happy to remedy it.
Service Levels.
Uvation shall offer compensation to the Customer for all unscheduled interruptions in the provision of the Service in accordance with the SLA in force from time to time.
If we fail to provide you with your services, we will provide you with a compensation according to our SLA – service level agreement.
Support.
Uvation shall provide the Customer’s administrative users with technical support with respect to the Service through the means described under the Support page on Uvation’s website. Contact details and service hours are provided on Uvation’s website.
We will assist you with technical issues related to our services, and provide you with the details and means to reach our support team.
Access to Service Account.
The Customer will be responsible for activities that occur under the Customer’s service account, including actions taken by the Customer’s employees and other representatives (“User”) as well as their compliance with user instructions and the AUP. The Customer must promptly notify Uvation if the Customer suspects that an unauthorised third party is using, or may have access to, the Service or the Customer’s service account.
You need to make sure to follow our acceptable usage policy (AUP) and inform us if you think someone else might have accessed your account without permission.
Third-Party Software.
The Customer must comply with third-party software license terms if the use of such software is offered by Uvation for the provision of the Service, or if such software is obtained and uploaded in the Service by the Customer, with Uvation’s separate instructions. Certain third-party software cannot be uploaded by the Customer but must always be offered by Uvation.
You can use third-party software on your servers as long as you have a valid license, but with the exception of certain software (such as Windows Server) that must be provided by us. If in doubt, contact us for more information.
Paid subscription and free trials.
The Service and the prices for the Service (“Service Fee”) are described in the service descriptions available on Uvation’s website. Uvation may from time to time offer trials of the Service for a specified period without payment. Uvation reserves the right, in its sole discretion, to determine Customer’s eligibility for a free trial and, subject to applicable laws, to withdraw or to modify an offer trial at any time without prior notice and with no liability, to the greatest extent permitted under the law. For a free trial of the Service, Uvation may require Customer to provide payment details to start the trial. At the end of such trial, Uvation may automatically start to charge the applicable service fees for the Service immediately after the end of the free trial in accordance with Section Payment Terms and according to the price list on Uvation’s website. The applicable subscription to the Service must be cancelled through Customer’s account’s subscription page, or the Service must be terminated in its entirety, before the end of the trial period in case Customer does not accept the applicable prices provided on Uvation’s website. Customer shall ensure that the authorized Users use the Service in compliance with this Agreement. Misuse of the Service by Customer or any User may lead to termination of the Agreement or suspension or denial of access to the Service.
We may offer time limited free trials but are not obligated to provide one. And while the trial is completely free, you might be required to verify your payment details to start your trial. If you wish to continue using the services after your trial, you will need to make a payment.
Right to use the Service and eligibility.
Subject to due subscription to the Service and compliance with the Agreement, Uvation grants to Customer a non-exclusive, nontransferable and limited right to enter and use the Service and grant Users access rights to the Service.
You are welcome to use our services as long as you follow these terms.
External Back-Up Copies.
The Customer is responsible for making appropriate back-up copies of the Customer Data (as defined below) stored in the Service. Such back-up copies shall be stored outside the Service.
Make sure to keep backups of your data and store them at an external location, outside of Uvation’s services.
Changes to the Service.
Uvation is entitled to develop its services and business offerings. In case of a change in the Service, Uvation will notify the Customer in advance. If Uvation considers that a change will have a material effect in the Service, Uvation will notify the Customer at least 30 days before the change will be effected and reserve the Customer a possibility to terminate the Agreement.
We are continuously developing our services and sometimes need to make changes that will affect you and the services you use. We will always notify you at least 30 days before any significant changes, such as the prices of the services you use.
Prices.
The prices of the Service are specified in the Order. Unless otherwise agreed, Uvation charges the Customer in advance for each one-hour period of the Service according to Uvation’s price list which is valid at the time and is available on Uvation’s website. Applicable value added tax and other duties will be added to the prices unless the prices are specified VAT inclusive.
All services provided by us are charged by the hour and at the start of each hour. To see a complete pricing list for our services, please visit our website.
Payment Terms.
Uvation shall charge the Service by debiting credits from the Customer’s service account on a pre-paid basis after the Customer has submitted the Order. Invoices are made available on the Customer’s service account. With the exception of credits offered by Uvation free-of-charge for a trial period, the Customer will purchase credits that will be deposited into the Customer’s service account. The Customer cannot order the Service unless the Customer has sufficient credits on the service account. The credits are not refundable unless otherwise decided by Uvation at its sole discretion.
To use our services, you will need to have a positive credits balance on your Uvation account. Please note that payments are non-refundable unless otherwise stated.
Customer’s obligations and rights.
When subscribing to the Service, Customer shall provide true, accurate and complete information as prompted by the Order and update such information when required. Please note that this Agreement only covers the Service and the use thereof and any and all linked third party services and platforms are provided by the relevant third parties and covered by their terms of service or other agreement or license. Uvation does not assume any liability in regard to use of such third-party services and platforms, whether or not they are linked to the Service.
When using our services, it’s your responsibility to keep your contact information up to date. In addition, we can’t be held responsible for any third-party services you might use together with our services.
Use restrictions.
Customer is not permitted and not entitled to permit the Users or any other parties to do any of the following:
- copy, redistribute, reproduce, record, transfer, perform or display to the public, broadcast, or make available to the public any part of the Service, or otherwise make any use of the Service which is not expressly permitted under the Agreement or applicable law or which otherwise infringes the intellectual property rights (such as copyright) in the Service or any part of it or any other intellectual property rights of third parties;
- use the Service in any manner that could damage, disable, overburden or impair the Service available through the Service;
- use any data mining, robots, scraping, or similar data gathering or extraction methods;
- sign up for an account on behalf of someone else;
- use, sell, rent, transfer, license or otherwise provide anybody with the Service, except as provided herein;
- interfere with other Customers’ use and enjoyment of the Service;
- circumvent or try to circumvent any usage control or anti-copy functionalities of the Service;
- reverse engineer or decompile the Service or access the source code thereof, except as permitted by law;
- use the Service for transmitting any unauthorised advertising, promotional materials, junk mail, spam, chain letters, contests, pyramid schemes, or any other form of solicitation or mass messaging;
- use the Service in violation of applicable law;
- use the Service in ways that violate intellectual property rights, business secrets or privacy of third parties;
- use the Service to transmit any material that contains adware, malware, spyware, software viruses, worms or any other computer code designed to interrupt, destroy, or limit the functionality of computer software or equipment.
You must not use our services for anything illegal or that would cause problems to us or our users. Please contact us if you are uncertain, and we will be happy to clarify this for you.
Indemnification.
Uvation will defend Customer against any claim that the Service infringes the intellectual property rights of a third party and pay any damages finally settled or awarded in a trial to the third party with respect to any such claim, provided that Uvation is notified promptly in writing of the claim and given sole control of the defense and all related settlement negotiations in relation to the claim as well as reasonable assistance and necessary authorisations from Customer to defend or settle the claims on behalf of Customer. At any time, if Uvation reasonably deems that any part of the Service infringes the intellectual property rights of any third party, Uvation has the right at its own expense to (i) modify/replace the Service to eliminate the infringement in such a manner that the modified Service complies with this Agreement, or (ii) procure to Customer a right to use the Service. If none of the aforementioned alternatives are reasonably possible, Uvation shall have the right to terminate this Agreement and Uvation shall refund to Customer the prices paid for the Service by Customer less the price corresponding the time Customer has been able to use the Service in accordance with this Agreement. Uvation shall, however, not be liable for any infringement or claim thereof in the event the claim (i) is made by any affiliates of Customer; (ii) has resulted from Customer’s or Customer’s supplier’s or User’s use or modification of or addition to the Service; (iii) could have been avoided by using the latest version of the Service provided by Uvation; or (iv) is not related to the Service or any part of the Service for which Uvation is not responsible for pursuant to this Agreement or statutory requirements. This section contains Uvation’s entire liability and Customer’s sole and exclusive remedy in case of intellectual property rights infringements. Customer shall indemnify, defend, and hold Uvation harmless from and against all liabilities, damages and costs (including settlement costs and reasonable attorneys’ fees) arising out of any breaches of this Agreement by Customer, Customer’s personnel and/or Users.
We will defend you against any claim that our services infringe on someone else’s intellectual property rights, as long as you have followed these rules. If you receive such a claim, please notify us as soon as possible so that we can assist you with it.
Customer Data.
Customer data shall mean all Customer’s data that a Customer or another party acting on Customer’s behalf generates in or submits to the Service (“Customer Data”) or the data Customer submits to a third-party service or platform which might be accessed by the Service, subject to and on the basis of the permissions or consents Customer has granted. Customer agrees that Uvation does not assume any liability or responsibility in respect to any Customer Data, with the exceptions relating to Personal Data as set forth in Section Data Processing below. Customer shall at all times ensure that Customer Data does not infringe any third party intellectual property rights or violate any applicable laws or legislation. Customer shall not upload any illegal, offensive, threatening, libellous, defamatory, or otherwise inappropriate data to the Service. For clarity, Uvation is not responsible and shall not be held liable for any Customer Data, nor does it endorse any opinion contained in any Customer Data. Aside from the rights specifically granted herein, Customer retains ownership of all rights, including intellectual property rights, in the Customer Data.
Any data uploaded to or generated on your cloud servers are yours and yours only. We cannot be held responsible for it and we refrain from applying our opinions and values towards it, as long as it’s not illegal or breaking our terms of service. In additional, we promise to keep your personal data safely and privately stored.
Data Processing.
In order to provide the Service, Uvation may process personal data on behalf of the Customer as a data processor for the purposes of providing the Service. Uvation processes certain personal data also as a data controller. Such personal data includes, inter alia, data of the Customer’s contact persons, invoicing details and other personal data of Customer’s contact persons which Uvation processes in order to maintain the customer relationship. The requirements relating to the personal data Uvation processes as data controller are set out in our Privacy Policy available on Uvation’s website. In this section, “Personal Data” refers to any information relating to an identified or identifiable natural person the Customer enters into the Service and Uvation processes on behalf of the Customer in the course and within the scope of providing the Services. In connection with the use of the Service, the Customer may transfer various data to Uvation for processing on behalf of the Customer. Such data might include Personal Data. The Customer shall be considered as the sole data controller and Uvation as the sole data processor with respect to such data. The following terms and conditions set forth in this section concern the data processing activities of Uvation as a data processor with respect to the Personal Data it processes on behalf of the Customer.
We collect and process certain personal data (contact, billing and behavioural) in compliance with GDPR to better be able to provide you with our services. This does not include any personal data you store on your cloud servers, which are not accessible by us and under your sole discretion.
General requirements relating to processing of Personal Data.
The Customer shall be responsible for the lawful collection, processing and use, and for the accuracy of the Personal Data, as well as for preserving the rights of the individuals concerned. If and to the extent legally required, the Customer shall inform the individuals concerned regarding the processing of their Personal Data by Uvation, and shall obtain their consent if necessary. The Personal Data processed by Uvation on behalf of the Customer may include e.g. Personal Data of the Customer’s employees and end-customers, such as contact details of the aforementioned data subjects. The Customer acknowledges that due to the nature of the Service, Uvation cannot control and has no obligation to verify Personal Data the Customer transfers to Uvation for processing on behalf of the Customer when the Customer uses the Service. The Customer ensures that the Customer is entitled to transfer the Personal Data to Uvation so that Uvation may lawfully process the Personal Data on behalf of the Customer in accordance with this Agreement. Uvation shall not use Personal Data for any purpose other than that of rendering and providing the Service and will not assert liens or other rights over, or sell or disclose the Personal Data to any third parties, without the Customer’s prior written approval. Uvation shall process Personal Data in accordance with this Agreement and documented instructions from the Customer. The Customer’s instructions must be commercially reasonable, compliant with applicable data protection laws and consistent with this Agreement. Uvation shall not be obliged to verify whether any instructions given by the Customer are consistent with applicable laws, as the Customer is responsible for such compliance verification of its instructions. However, if Uvation detects that any instruction given by the Customer is non-compliant with the requirements of any data protection legislation applicable to Uvation’s operations, Uvation shall inform the Customer in writing. Uvation and the Customer shall comply with the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Regulation”) and any applicable European or foreign data protection laws as amended, as well as data protection authorities’ orders and guidelines. Uvation and the Customer shall implement and maintain appropriate technical and organizational security measures to protect the Personal Data within their area of responsibility, in order to safeguard the Personal Data against unauthorised or unlawful processing or access and against accidental loss, destruction or damage. Such measures include where necessary and appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons the following measures:
- access right controls to systems containing Personal Data;
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
If you collect or process any personal data using our services, you are required to follow the General Data Protection Regulation.
Uvation’s assistance obligations.
To respond to requests from individuals exercising their rights as foreseen in applicable data protection law, such as the right of access and the right to rectification or erasure, the Customer shall primarily use the corresponding functions of the Services, such as the Uvation Control Panel. Uvation shall provide the Customer with commercially reasonable assistance, without undue delay, taking into account the nature of the processing. Uvation shall further provide the Customer with commercially reasonable assistance in ensuring compliance with the Customer’s obligations to perform security and data protection assessments, breach notifications and prior consultations of the competent supervisory authority, as set out in the applicable data protection law, taking into account the nature of the processing and the information available to Uvation. In case such assistance requires extensive measures from Uvation, the Customer shall pay additional reasonable remuneration to Uvation for handling such assistance requests. In addition, Uvation shall, and shall procure that its personnel (including its subcontractors’ personnel) shall:
- only process Personal Data in accordance with the Customer’s written instructions and not for Uvation’s own purposes;
- ensure that individuals processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
You can exercise your right to view, modify, or delete your personal data through the Uvation control panel. In cases where you collect and process any personal data, we can help you to ensure compliance with GDPR. Please note that extensive work may include additional costs.
Transfers of Personal Data.
The Customer accepts that Uvation may have Personal Data processed and accessible by its subprocessors outside the Customer’s country of domicile to provide the Service. In case the processing is subject to any EU data protection law and Personal Data is transferred from the European Economic Area (“EEA”) to a subprocessor for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, Uvation provides for appropriate safeguards by standard contractual clauses, adopted or approved by the European Commission and applicable to the processing by the non-EEA subprocessor or by any other appropriate safeguard as foreseen under Regulation.
If we need to transfer your personal data to another country outside the EU we’ll ensure the data remains secure.
Audits.
The Customer shall have the right to audit the facilities and processing activities of Uvation under this Agreement to examine the level of protection and security provided for Personal Data processed under this Agreement and to assess the compliance of Uvation with the terms and conditions relating to Personal Data set out herein. Each Party shall bear its own costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Uvation or threaten intellectual property rights of Uvation, the Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound to confidentiality to Uvation’s benefit.
You have the right to audit our personal data protection and security processes. If the audit would contain confidential information, you will need to employ an independent expert to do the audit.
Subprocessors.
General authorization. The Customer gives its general authorization to allow Uvation to involve Uvation’s affiliated companies and other subcontractors as subprocessors to process Personal Data in connection with the provision of the Service, to the extent such appointment does not lead to non-compliance with any applicable law or Uvation’s obligations under this Agreement. Uvation ensures that the involved subprocessors are properly qualified, will be under a data processing agreement with Uvation, and comply with data processing obligations similar to the ones which apply to Uvation under this Agreement. Uvation shall be liable towards the Customer for the processing of Personal Data carried out by Uvation’s subprocessors.
We might use third-parties that need to process your personal data to provide you with our services. In such case we’ll make sure they secure your data according to the same requirements as we do.
Change of subprocessor.
Uvation is free to choose and change its subprocessors. Upon request, Uvation shall inform the Customer of subprocessors currently involved. In case there is a later change of subprocessor (addition or replacement), Uvation shall notify the Customer of such change. In case the Customer objects such change of subprocessor on reasonable grounds, the Customer has the right to request change of the subprocessor. If Uvation is not willing to change the subprocessor the Customer has objected, the Customer shall have the right to terminate the Service and this Agreement.
We can change partners when needed. You can ask about our current partners that might process your personal data and we’ll let you know if they change in the future.
Breaches.
Uvation shall, without undue delay after having become aware of it, inform the Customer in writing about any data breaches relating to Personal Data and any other events where the security of Personal Data processed on behalf of the Customer has been compromised. Uvation’s notification about the breach to the Customer shall include at least the following:
- description of the nature of the breach;
- name and contact details of Uvation’s contact point where more information can be obtained;
- description of the measures taken by Uvation to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
We’ll inform you of any security breach where your personal data might have been compromised.
Deletion and return of Personal Data.
Uvation shall not take any action to intentionally erase any Personal Data processed on behalf of the Customer, without the Customer’s explicit request. Personal Data shall be processed under this Agreement until the Customer has ceased to use the Service. Within a reasonable time after the termination or expiry of this Agreement, or after the Customer has permanently ceased to use the Service, Uvation shall permanently delete Personal Data from its storage media, except to the extent that Uvation is under a statutory obligation to continue storing such Personal Data. On the Customer’s request, Uvation shall confirm the deletion in writing. The obligation to delete Personal Data shall not apply to Personal Data contained in regular back-up copies of comprehensive datasets from which the individual deletion of Personal Data would not be possible without significant efforts or costs.
We will delete your personal data if requested, to the extent we are allowed to, and confirm it to you in writing.
Confidentiality.
The Parties may exchange confidential information during the performance of this Agreement. Confidential information shall mean any information which is marked as confidential or which should be understood as confidential, irrespective of its form of storage or disclosure. All confidential information shall remain the property of the disclosing Party and the receiving Party shall keep confidential and refrain from using such confidential information otherwise than for the purposes of this Agreement, during the term of this Agreement and after the termination of this Agreement. For the avoidance of doubt, any information of or relating to a Party or that Party’s personnel, suppliers, contractors, customers or end-users, which information is obtained or detected by the other Party or processed or generated in the course of providing or receiving the Service shall be deemed confidential information of that Party. Each Party shall promptly upon termination of the Service cease using confidential material and information received from the other Party and use reasonable means to destroy such material. Each Party shall, however, be entitled to retain the copies required by law or regulations.
We will keep any confidential information we have exchanged between each other secured, and we expect you to do the same.
Intellectual Property Rights.
All intellectual property rights to and in the Service as well as intellectual property rights pertaining thereto, are exclusive property of Uvation or its licensors with all rights reserved. All intellectual property rights to the content uploaded into the Service by or on behalf of the Customer will remain the exclusive property of the Customer or its licensors. Customer agrees not to resell the Service or redistribute or transfer the Service. All intellectual property rights relating to the provision of the Services, including suggestions for improvements made by the Customer, will remain the exclusive property of Uvation or its licensors.
You retain your rights to any data uploaded onto our services and we retain the rights to our intellectual property.
Limited Warranty.
Uvation will offer service level compensations to the Customer in accordance with the SLA. In all other respects the Service is provided on “as-is” and “as-available” basis, and Uvation will not give the Customer any warranty or guarantee, express or implied, for the Service, including but without limitation to warranties of merchantability, fitness for any particular purpose, performance, or non-infringement. The parties expressly note that the Service is not designed to be error-free or uninterrupted and therefore they are neither intended nor fit for purposes that require fail-safe performance.
We offer compensation for interruptions to our services according to our Service Level Agreement but cannot provide any warranty or guarantee.
Limited Liability.
Uvation will not be liable for indirect damage or consequential damages caused to the Customer. Uvation’s total aggregate liability under or in connection with this Agreement shall be limited to the aggregate Service Fee paid by the Customer for the Service for the last six (6) months preceding the occurrence for which damages are claimed. These limitations will not apply to damage caused by willful misconduct or gross negligence. In order to be valid and enforceable, all claims for damages must be made within 30 days from the date the damage was or should reasonably have been noticed by the Customer.
If things go really badly, our maximum compensation is up to the amount you have paid us during the past 6 months, unless the issue was caused intentionally by us or through gross negligence on our part.
Assignment and Third-Party Benefits.
Uvation may assign the Agreement in whole or in part to another group company or in connection with the trade sale which includes the provision of the Service. The Customer may assign the Agreement to a third party with Uvation’s prior written consent which Uvation will not unreasonably withhold. The Agreement will not create any third-party beneficiary rights in any third party.
This agreement can be assigned to another company by us or to another user by your request and our written approval.
Temporary Suspension.
If the Customer has breached the provisions of the Agreement or Uvation has justifiable reasons to believe such a breach exists, Uvation may temporarily suspend the provision of the Service.
If you break these rules, we may temporarily suspend access to your account and services.
Termination for Convenience.
The Customer may terminate the Agreement for any reason by issuing 5 days written notice to Uvation. Uvation may terminate the Agreement for any reason by issuing 30 days written notice to the Customer.
If you would like to terminate this agreement, please give us 5 days written notice. In case we decide to terminate this agreement, we will give you 30 days written notice.
Termination for Cause.
Either Party may terminate the Agreement with immediate effect if the other Party has materially breached the provisions of the Agreement.
If either of us breaks this agreement, it can be terminated immediately.
Transition Service.
Uvation will provide the Customer with transition services in order to enable the Customer to transfer the Customer Data to another service provider. The Customer must order the transition services before the termination of the Agreement. The description of the transition services and applicable prices are provided on Uvation’s website.
We can help you transfer your data to another provider for a fee.
Entire Agreement and Amendments.
The Agreement constitutes the entire agreement and supersedes all previous commitments between the parties in respect of the provision of the Service. All amendments to the Agreement must be made in writing. Uvation may modify this Agreement by notifying the Customer in writing, such as by e-mail or by posting a revised document version on Uvation’s website. If Uvation considers that a revision will have a material effect on the Agreement, Uvation will notify the Customer at least 30 days before the revision will be effected and reserve the Customer a possibility to terminate the Agreement.
These terms are agreed to in full and any changes must be made in writing. If any changes would significantly affect you, we will inform you at least 30 days in advance.
Non-Waiver.
A failure by either Party to enforce any provision of the Agreement will not be deemed to constitute a present or future waiver of such provision. All waivers must be made in writing.
These terms will remain effective even if not strictly enforced.
Force Majeure.
Force Majeure is an event that prevents, or makes unduly difficult, the performance of the Service or the fulfilment of the provisions of the Agreement, such as war, rebellion, natural catastrophe, general interruption in energy distribution or telecommunications, fire, strike, embargo, or another equally significant and unforeseen event independent of the parties. Each Party shall be entitled to suspend its duties without liability thereof in case of Force Majeure affecting the Party either directly or through its subcontractor.
Neither of us can be held responsible in a case of a major issue that is out of our hands.
Severability.
Should any provision of the Agreement be declared unenforceable by a court of competent jurisdiction, the remaining provisions of the Agreement will remain in full force and effect to the fullest extent permitted by law. The Parties shall attempt through negotiation in good faith to replace the unenforceable provision with such provisions that correspond as closely as possible to the original intention of the Parties.
The rest of these terms will remain in effect even if deemed unenforceable by a court, and we will instead negotiate a replacement in good faith.
Governing Law and Arbitration.
The Agreement will be governed by the substantive laws of Finland, with the exception of any conflict of law principles. Any and all disputes, which the Parties fail to settle amicably, arising out of or relating to the Agreement will be finally settled by arbitration in English language in accordance with the Rules of the Arbitration Institute of the Finland Chamber of Commerce.
Any disputes will be decided in English and by the Finland Chamber of Commerce.
Service Level Agreement
Scope. This service level agreement (“SLA”) is an integral part of the Contract between Uvation and the Customer.
Service Guarantee. Uvation will guarantee 100% virtual server and network availability to the Customer. The network will be deemed available if Uvation’s routers and switches are available and responding properly. For all unscheduled interruptions in the provision of the Services, which are due to hardware or telecommunications failures that last longer than 5 minutes, Uvation shall offer compensation to the Customer.
Scheduled Interruptions. Uvation will notify the Customer by e-mail or on Uvation’s website about scheduled interruptions in the provision of the Services at least 24 hours in advance, with the exception of important security updates and patches which Uvation may deploy without prior notice.
Error Notifications. In case of an interruption in the Services, the Customer has to notify Uvation by e-mail to [email protected] The interruption is deemed to begin when the failure starts to affect the Customer’s use of the Services, and to end when the failure has been corrected. Uvation will notify the Customer about the correction of the failure.
Payment of Compensation. When a failure in the Services has been corrected, Uvation will offer the Customer compensation which the Customer may reclaim within 15 days. The compensation will be paid to the Customer’s service account in the form of credits and may not be exchanged for cash or other forms of payment.
Amount of Compensation. The amount of compensation will be 50 times Uvation’s charges for the Services allocated for the period of the interruption of the Services. The maximum amount of compensation for an individual interruption is 100% of Uvation’s charges for the Services during 30 calendar days preceding the interruption. The total sum of aggregated compensations cannot exceed 250% of Uvation’s charges for the Services during 30 calendar days preceding the latest interruption.
Sole Remedy. The above-mentioned payment of compensation will be the sole remedy of the Customer for interruptions or other failures in the Services. In case of a disagreement over the amount of the compensation payable to the Customer, Uvation’s decision on the issue will be binding and final.
Exemptions from Service Guarantee. The following situations will be exempt from Uvation’s service guarantee:
- Scheduled interruptions
- Failures caused by errors in third party software utilized in the Services
- Failures in products or services which are not included in the Services
- Failures caused by the Customer’s actions contrary to user instructions or resulting from the Customer’s operating systems or application software used within the Services
- Violations of Uvation’s acceptable use policy
- Failures due to hostile actions by third parties such as denial-of-service attacks
- Interruptions resulting from law and public authority enforced activities
- Customer does not have sufficient pre-paid balance on the Customer’s service account for the use of the Services at the time of the interruption in the Services.
No compensation will be payable to the Customer during a free-of-charge trial period.
Acceptable Use Policy
Scope. This acceptable use policy (“AUP”) is an integral part of the Contract between Uvation and the Customer.
User Instructions. The Customer must comply with separate user instructions concerning the Services. The Customer shall provide reasonable cooperation with regard to investigations on suspected breaches of the Contract.
Customer’s Legal Compliance. The Customer must comply with applicable laws and regulations. For example, the Customer must have necessary rights to use the content which has been uploaded in the Service by or on behalf of the Customer.
Illegal or Offensive Use of Services. The Customer is not entitled to use the Services for purposes which Uvation deems to be illegal or offensive. If the Customer is uncertain whether or not its use of the Services could be deemed illegal or offensive, the Customer should contact Uvation in advance and request permission. For example, Uvation considers the following actions or content to be illegal or offensive:
- Use of the Services in connection with fraudulent activities
- Storage or transfer of, or linking to, content that violates trade secrets, copyrights, trademarks, patents, or other intellectual property rights, or contributes to the said violations
- Storage or transfer of, or linking to, content that is harassing or excessively violent, inciting to hate or violence, or threatening with violence
- Storage or transfer of, or linking to child pornography or content containing non-consensual sexual acts
- Promotion of illegal material or products
- Unauthorized access to, or attempting to access, systems, networks or data
- Use of a user account or computing without the owner’s authorisation
- Collection of user information such as email addresses without the consent of the person identified (phishing)
- Monitoring of network traffic or data without authorization
Mass Emailing. If the Customer wishes to use the Services for sending of bulk e-mail or other mass communications, the Customer must first receive Uvation’s written consent.
Disruptive Use of Services. The Customer may use, investigate, and modify the operating environment of the Services only within the limits of the user instructions. The Customer may not use the Services in any way that causes security risks to the Service or interferes with the operation of the Services. For example, Uvation considers the following actions to be disruptive on the operation of the Services:
- Intentional or careless use of the Services in excess of a typically expected server load, such as continuosly high CPU or I/O use rate
- Intentional or careless configuration of servers that enables unauthorized third party access or otherwise lacks adequate security requirements
- Measures which are mainly aimed to circumvent, or interfere with, the monitoring, controlling, or charging of the Services by Uvation
Acceptable Use Policy
The information provided here is for UVATION clients, subscribers and suppliers
who have questions about our terms, policies, intellectual property, and compliance.
Acceptable Use Policy
Updated September 12, 2019
This Acceptable Use Policy (this “Policy”) describes prohibited uses of the web services offered by Uvation, LLC. and its affiliates (the “Services”) and the website located at https://uvation.com (the “Uvation Site”). The examples described in this Policy are not exhaustive. We may modify this Policy at any time by posting a revised version on the Uvation Site. By using the Services or accessing the Uvation Site, you agree to the latest version of this Policy. If you violate the Policy or authorize or help others to do so, we may suspend or terminate your use of the Services.
No Illegal, Harmful, or Offensive Use or Content
You may not use, or encourage, promote, facilitate or instruct others to use, the Services or Uvation Site for any illegal, harmful, fraudulent, infringing or offensive use, or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, fraudulent, infringing or offensive. Prohibited activities or content include:
- Illegal, Harmful or Fraudulent Activities. Any activities that are illegal, that violate the rights of others, or that may be harmful to others, our operations or reputation, including disseminating, promoting or facilitating child pornography, offering or disseminating fraudulent goods, services, schemes, or promotions, make-money-fast schemes, ponzi and pyramid schemes, phishing, or pharming.
- Infringing Content. Content that infringes or misappropriates the intellectual property or proprietary rights of others.
- Offensive Content. Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
- Harmful Content. Content or other computer technology that may damage, interfere with, surreptitiously intercept, or expropriate any system, program, or data, including viruses, Trojan horses, worms, time bombs, or cancelbots.
No Security Violations
You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include:
- Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.
- Interception. Monitoring of data or traffic on a System without permission.
- Falsification of Origin. Forging TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route. The legitimate use of aliases and anonymous remailers is not prohibited by this provision.
No Network Abuse
You may not make network connections to any users, hosts, or networks unless you have permission to communicate with them. Prohibited activities include:
- Monitoring or Crawling. Monitoring or crawling of a System that impairs or disrupts the System being monitored or crawled.
- Denial of Service (DoS). Inundating a target with communications requests so the target either cannot respond to legitimate traffic or responds so slowly that it becomes ineffective.
- Intentional Interference. Interfering with the proper functioning of any System, including any deliberate attempt to overload a system by mail bombing, news bombing, broadcast attacks, or flooding techniques.
- Operation of Certain Network Services. Operating network services like open proxies, open mail relays, or open recursive domain name servers.
- Avoiding System Restrictions. Using manual or electronic means to avoid any use limitations placed on a System, such as access and storage restrictions.
No E-Mail or Other Message Abuse
You will not distribute, publish, send, or facilitate the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (like “spam”), including commercial advertising and informational announcements. You will not alter or obscure mail headers or assume a sender’s identity without the sender’s explicit permission. You will not collect replies to messages sent from another internet service provider if those messages violate this Policy or the acceptable use policy of that provider.
Our Monitoring and Enforcement
We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services or Uvation Site. We may:
- investigate violations of this Policy or misuse of the Services or Uvation Site; or
- remove, disable access to, or modify any content or resource that violates this Policy or any other agreement we have with you for use of the Services or the Uvation Site.
We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.
Reporting of Violations of this Policy
If you become aware of any violation of this Policy, you will immediately notify us and provide us with assistance, as requested, to stop or remedy the violation. To report any violation of this Policy, please [email protected].
Data Processing Agreement
The information provided here is for UVATION clients, subscribers and suppliers
who have questions about our terms, policies, intellectual property, and compliance.
Data Processing Agreement
This Data Processing Agreement (“DPA“) is incorporated into, and is subject to the terms and conditions of, the Agreement between The Uvation LLC d/b/a Uvation (together with its Affiliates, “Uvation”) and the customer entity that is a party to the Agreement (“Customer” or “you“).
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (including the SCCs (where applicable), as defined herein).
- Definitions
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
“Agreement” means Uvation’s Standard Terms of Use, or other written or electronic agreement, which govern the provision of the Service to Customer, as such terms or agreement may be updated from time to time.
“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Customer Data” means any personal data that Uvation processes on behalf of Customer via the Service, as more particularly described in this DPA.
“Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Customer Data under the Agreement, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
“EU Data Protection Law” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR“); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iii) in respect of the United Kingdom (“UK“) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union).
“Europe” means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“Non-EU Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); and the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018.
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles).
“SCCs” means the standard contractual clauses for processors as approved by the European Commission or Swiss Federal Data Protection Authority (as applicable).
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Uvation.
“Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
“Service Data” means any data relating to the Customer’s use, support and/or operation of the Service, including information relating to volumes, activity logs, frequencies, bounce rates or other information regarding emails and other communications Customer generates and sends using the Service.
“Sub-processor” means any processor engaged by Uvation or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of Uvation but shall exclude Uvation employees or consultants.
The terms “personal data“, “controller“, “data subject“, “processor” and “processing” shall have the meaning given to them under Data Protection Laws or if not defined thereunder, the GDPR, and “process“, “processes” and “processed” shall be interpreted accordingly.
- Roles and Responsibilities
2.1 Parties’ roles. If EU Data Protection Law or the LGPD applies to either party’s processing of Customer Data, the parties acknowledge and agree that with regard to the processing of Customer Data, Customer is the controller and Uvation is a processor acting on behalf of Customer, as further described in Annex A (Details of Data Processing) of this DPA.
2.2 Purpose limitation. Uvation shall process Customer Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”). The parties agree that the Agreement sets out Customer’s complete and final instructions to Uvation in relation to the processing of Customer Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
2.3 Prohibited data. Customer will not provide (or cause to be provided) any Sensitive Data to Uvation for processing under the Agreement, and Uvation will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.4 Customer compliance. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to Uvation; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Uvation to process Customer Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
2.5 Lawfulness of Customer’s instructions. Customer will ensure that Uvation’s processing of the Customer Data in accordance with Customer’s instructions will not cause Uvation to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Uvation shall promptly notify Customer in writing, unless prohibited from doing so under EU Data Protection Laws, if it becomes aware or believes that any data processing instruction from Customer violates the GDPR or any UK implementation of the GDPR.
- Sub-processing
3.1 Authorized Sub-processors. Customer agrees that Uvation may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Uvation and authorized by Customer are available upon request. Uvation shall notify Customer if it adds or removes Sub-processors at least 10 days prior to any such changes if Customer opts in to receive such notifications.
3.2 Sub-processor obligations. Uvation shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Uvation to breach any of its obligations under this DPA.
- Security
4.1 Security Measures. Uvation shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data in accordance with Uvation’s security standards described in Annex B (“Security Measures“).
4.2 Confidentiality of processing. Uvation shall ensure that any person who is authorized by Uvation to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3 Updates to Security Measures. Customer is responsible for reviewing the information made available by Uvation relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Uvation may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
4.4 Security Incident response. Upon becoming aware of a Security Incident, Uvation shall: (i) notify Customer without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Uvation’s notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by Uvation of any fault or liability with respect to the Security Incident.
4.5 Customer responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.
- Security Reports and Audits
5.1 Audit rights. Uvation shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 5.1 and where applicable, the SCCs) and any audit rights granted by Data Protection Laws, by instructing Uvation to comply with the audit measures described in Sections 5.2 and 5.3 below.
5.2 Security reports. Customer acknowledges that Uvation is regularly audited against SSAE 16 and PCI standards by independent third party auditors and internal auditors respectively. Upon written request, Uvation shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report“) to Customer, so that Customer can verify Uvation’s compliance with the audit standards against which it has been assessed and this DPA.
5.3 Security due diligence. In addition to the Report, Uvation shall respond to all reasonable requests for information made by Customer to confirm Uvation’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon Customer’s written request to [email protected], provided that Customer shall not exercise this right more than once per calendar year.
- International Transfers
6.1 Data center locations. Customer acknowledges that Uvation may transfer and process Customer Data to and in the United States and anywhere else in the world where Uvation, its Affiliates or its Sub-processors maintain data processing operations. Uvation shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws.
6.2 European Data transfers. To the extent that Uvation is a recipient of Customer Data protected by EU Data Protection Laws (“EU Data”), the parties agree that Uvation makes available the mechanisms listed below:
- (a) Privacy Shield: For as long as Uvation is self-certified to the Privacy Shield: (i) the parties acknowledge and agree that Uvation will be deemed to provide adequate protection (within the meaning of applicable EU Data Protection Laws) for EU Data by virtue of having self-certified its compliance with Privacy Shield; (ii) Uvation agrees to process EU Data in compliance with the Privacy Shield Principles; and (iii) if Uvation is unable to comply with this requirement, Uvation shall inform Customer.
- (b) SCCs: Uvation agrees to abide by and process EU Data in compliance with the SCCs, which are incorporated in full by reference and form an integral part of this DPA. For the purposes of the SCCs: (i) Uvation agrees that it is the “data importer” and Customer is the “data exporter” under the SCCs (notwithstanding that Customer may itself be an entity located outside the EU); (ii) Annexes A and B of this DPA shall replace Appendixes 1 and 2 of the SCCs, respectively; and (iii) Annex C shall form Appendix 3 of the SCCs. The parties further agree that the SCCs will apply to Customer Data that is transferred via the Service from Europe to outside Europe, either directly or via onward transfer, to any country or recipient: (a) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Law); and (b) not covered by Uvation’s Privacy Shield certification.
- Return or Deletion of Data
7.1 Deletion on termination. Upon termination or expiration of the Agreement, Uvation shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Uvation is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Uvation shall securely isolate, protect from any further processing and eventually delete in accordance with Uvation’s deletion policies, except to the extent required by applicable law.
- Data Subject Rights and Cooperation
8.1 Data subject requests. As part of the Service, Uvation provides Customer with a number of self-service features, that Customer may use to retrieve, correct, delete or restrict the use of Customer Data, which Customer may use to assist it in connection with its obligations under the Data Protection Laws with respect to responding to requests from data subjects via Customer’s account at no additional cost. In addition, Uvation shall, taking into account the nature of the processing, provide reasonable additional assistance to Customer to the extent possible to enable Customer to comply with its data protection obligations with respect to data subject rights under Data Protection Laws. In the event that any such request is made to Uvation directly, Uvation shall not respond to such communication directly except as appropriate (for example, to direct the data subject to contact Customer) or legally required, without Customer’s prior authorization. If Uvation is required to respond to such a request, Uvation shall promptly notify Customer and provide Customer with a copy of the request unless Uvation is legally prohibited from doing so. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent Uvation from responding to any data subject or data protection authority requests in relation to personal data for which Uvation is a controller.
8.2 Subpoenas and court orders. If a law enforcement agency sends Uvation a demand for Customer Data (for example, through a subpoena or court order), Uvation shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Uvation may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Uvation shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Uvation is legally prohibited from doing so.
8.3 Data protection impact assessment. To the extent required under applicable Data Protection Laws, Uvation shall (taking into account the nature of the processing and the information available to Uvation) provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. Uvation shall comply with the foregoing by: (i) complying with Section 5 (Security Reports and Audits); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).
- Jurisdiction-Specific Terms
To the extent Uvation processes Customer Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex D, then the terms specified in Annex D with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Uvation.
- Limitation of Liability
10.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
10.2 Any claims made against Uvation or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.
10.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
- Relationship with the Agreement
11.1 This DPA shall remain in effect for as long as Uvation carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 7.1 above).
11.2 The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service.
11.3 In the event of any conflict or inconsistency between this DPA and the Uvation Standard Terms of Use, the provisions of the following documents (in order of precedence) shall prevail: (i) SCCs; then (ii) this DPA; and then (iii) the Uvation Standard Terms of Use.
11.4 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
11.5 Notwithstanding anything to the contrary in the Agreement (including this DPA), Uvation shall have a right to collect, use and disclose Service Data for its legitimate business purposes, such as: (i) for accounting, tax, billing, audit, and compliance purposes; (ii) to provide, develop, optimize and maintain the Service; (iii) to investigate fraud, spam, wrongful or unlawful use of the Service; and/or (iiii) as required by applicable law.
To the extent any such Service Data is considered personal data under Data Protection Laws, Uvation shall be responsible for and shall process such data in accordance with the Uvation Privacy Policy and Data Protection Laws. For the avoidance of doubt, this DPA shall not apply to Service Data.
11.6 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
11.7 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Annex A – Details of Data Processing
(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
(b) Duration of processing: Uvation will process Customer Data as outlined in Section 7 (Return or Deletion of Data) of this DPA.
(c) Purpose of processing: Uvation shall only process Customer Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
(d) Nature of the processing: Uvation provides an email service, automation and marketing platform and other related services, as more particularly described in the Agreement.
(e) Categories of data subjects: (i) Members; and (ii) Contacts, each as defined in the Uvation Privacy Policy.
(f) Types of Customer Data: Customer may upload, submit or otherwise provide certain personal data to the Service, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of personal data:
- Members: Identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility);
- Contacts: Identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).
(g) Sensitive Data: Uvation does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Service.
(h) Processing Operations: Customer Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain and improve the Service provided to Customer pursuant to the Agreement; and/or
- Disclosures in accordance with the Agreement and/or as compelled by applicable law.
Annex B – Security Measures
The Security Measures applicable to the Service are described on our cloud services portal (as updated from time to time in accordance with Section 4.3 of this DPA).
Annex C
All defined terms used in this Annex C shall have the meaning given to them in the SCCs unless otherwise defined in this Annex.
Appendix 3 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed by the parties.
This Appendix sets out the parties’ interpretation of their respective obligations under specific Clauses identified below. Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under the Clauses.
For the purposes of this Appendix, “DPA” means the Data Processing Addendum in place between data importer and data exporter and to which these Clauses are incorporated and “Agreement” shall have the meaning given to it in the DPA.
Clause 5(a): Suspension of data transfers and termination
- The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
- The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the Clauses.
- If the data exporter intends to suspend the transfer of personal data and/or terminate these Clauses, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).
- If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instance where it considers there is a material risk of harm to data subjects or their personal data.
Clause 5(f): Audit
- Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in Section 5 (Security Reports and Audits) of the DPA.
Clause 5(j): Disclosure of subprocessor agreements
- The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties further acknowledge that, pursuant to subprocessor confidentiality restrictions, data importer may be restricted from disclosing onward subprocessor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any subprocessor it appoints to permit it to disclose the subprocessor agreement to data exporter.
- Even where data importer cannot disclose a subprocessor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably can in connection with such subprocessing agreement to data exporter.
Clause 6: Liability
- Any claims brought under the Clauses shall be subject to the terms and conditions, including but not to limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.
Clause 11: Onward subprocessing
- The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the data exporter may provide a general consent to onward subprocessing by the data importer.
- Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in Section 3 (Sub-processing) of the DPA.
Annex D – Jurisdiction-Specific Terms
Europe:
- Objection to Sub-processors. Customer may object in writing to Uvation’s appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 3.1 of DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Uvation will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
California:
- The definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under CCPA.
- For this “California” section of Annex D only, “Uvation Services” means the suite of marketing tools and insights available for Uvation Customers to use, including without limitation, email campaign management, advertisements, and direct mailings and other related digital communications, analytics and tools made available through the Uvation online marketing platform, as may be further described in the App and/or on the Uvation Site.
- For this “California” section of Annex D only, “Permitted Purposes” shall include processing Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, or as otherwise may be permitted for “service providers” under the CCPA.
- Uvation’s obligations regarding data subject requests, as described in Section 8 (Data Subject Rights and Cooperation) of this DPA, apply to Consumer’s rights under the CCPA.
- Notwithstanding any use restriction contained elsewhere in this DPA, Uvation shall process Customer Data only to perform the Uvation Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law.
- Uvation may de-identify or aggregate Customer Data as part of performing the Service specified in this DPA and the Agreement.
- Where Sub-processors process the personal data of Customer contacts, Uvation takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom Uvation has entered into a written contract that includes terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale”. Uvation conducts appropriate due diligence on its Sub-processors.
Canada:
- Uvation takes steps to ensure that Uvation’s Sub-processors, as described in Section 3 (Sub-processing) of the DPA, are third parties under PIPEDA, with whom Uvation has entered into a written contract that includes terms substantially similar to this DPA. Uvation conducts appropriate due diligence on its Sub-processors.
- Uvation will implement technical and organizational measures as set forth in Section 4 (Security) of the DPA.
Effective January 1, 2020