MASTER SUBSCRIPTION AGREEMENT (WEB TERMS)
This Master Subscription Agreement (“Agreement”) is effective on the date of Customer’s Order (the “Effective Date”) by and between Samasource Impact Sourcing, Inc., an organization registered in the State of Delaware and having its offices at 2017 Mission St, Suite 301, San Francisco, CA, 94110 (“Samasource”), and Customer as defined on the Order (“Customer”, and together with Samasource, the “Parties” and each a “Party”).
Whereas, Samasource provides information technology services including the delivery of image annotation through a subscription service and Customer desires to engage Samasource for such services as detailed in one or more Orders to be executed by both Parties pursuant to this Agreement;
Whereas, Samasource is willing to provide the services under the terms of this Agreement and executed Orders; and
Now, therefore, in consideration of the mutual promises of the Parties and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
"Confidential Information" means all confidential information, including source code, algorithms, formulas, methods, know-how, processes, designs, new products, developmental work, marketing requirements, marketing plans, customer names, prospective customer names, disclosed by a Party to the other Party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Customer Confidential Information includes Customer Data. Samasource Confidential Information includes the Service and the terms of this Agreement. Confidential Information (other than Customer Data) shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the disclosing Party; (ii) was known to the receiving Party prior to its disclosure by the disclosing Party without breach of any obligation owed to the disclosing Party, (iii) is received from a third party without knowledge or reason to know that such disclosure would result in the breach of any obligation owed to the disclosing Party, or (iv) was independently developed by the receiving Party, without use of the disclosing Party's Confidential Information.
“Customer” as used herein shall mean the entity identified as the Customer in the preamble of this Agreement.
"Customer Data" means any electronic data or information submitted by Customer or Users to the Service.
"Documentation" means the electronic and hard copy user guides for the Service published by Samasource, as may be updated from time to time.
"Malicious Code" means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.
"Order” means a document governed by this Agreement and executed by each of the Parties that sets forth the particular Service for which Customer has purchased a subscription, and other transaction-specific information.
"Service" or “Samasource Service” as used herein means the software-as-a-service application(s) offered by Samasource as described in the Documentation and subscribed to pursuant to an Order.
"SLA" means the service levels set forth in Attachment A to this Agreement.
“Tenant” means an instance of the Service implemented on servers maintained by Samasource (or by a Samasource third party such as AWS) for Customer’s Customer Data.
"Users" are employees of, or third party individuals providing services to, Customer that are authorized by Customer to access or receive Customer Data from Customer’s Tenant of the Service.
- Access to Service.
- Access to the Service. Subject to the terms of this Agreement, Samasource hereby grants to Customer, a non-exclusive, non-transferable, right, through the Users, to access and use the Service and Documentation during the subscription term set forth on the applicable Orders solely for Customer's internal business purposes, and solely in accordance with the terms of this Agreement.
- Customer shall not, and shall ensure Users do not: (i) copy, duplicate, modify or incorporate in any other work any portion of the Service; (ii) reverse compile, disassemble, reverse engineer or otherwise reduce to human perceivable form any of the Service; (iii) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share, offer in a service bureau, or otherwise make the Service or Documentation available to any third party, other than to Users as permitted herein; (iv) attempt to access the Service or the networks and/or infrastructure except as permitted pursuant to the Documentation and this Agreement; (v) use the Service to store or transmit obscene, threatening, infringing information, or information in violation of applicable laws, or use the Service, or submit Customer Data, in violation of applicable laws; (vi) send or store Malicious Code in connection with the Service; (vii) disrupt or interfere with the Service or any information contained therein; (viii) share User names or passwords with others; or (ix) use the Service in a manner inconsistent with the Documentation.
- System Availability and Maintenance. Samasource shall provide the Service in accordance with the SLA.
- Customer Obligations.
- Designation of Users. Customer shall: (i) enable access of the Service only to Users, and only for Customer's internal business purposes and not for the benefit of a third party, only in accordance with the terms of this Agreement and the Documentation; and (ii) be liable for the acts and omissions of each User as if they were the acts and omissions of Customer; and (iii) be solely responsible for the legality, accuracy and quality of all Customer Data.
- Cooperation and Assistance. Customer shall: (i) provide Samasource with full, good faith cooperation and such information as may reasonably be required by Samasource in order to offer the Service; (ii) provide such assistance, including support services, information and other assistance, as may be reasonably requested by Samasource from time to time; and (iii) timely and fully carry out all other Customer responsibilities set forth herein.
- Fees and Expenses.
- Fees, Taxes. Customer shall pay Samasource an annual subscription fee based on the volume of transactions performed as part of the Service, as set forth in each Order. In addition to the fees set forth in each Order, Customer shall reimburse Samasource for all taxes assessed against Samasource related to the sale or use of the Service pursuant to this Agreement, provided, Customer shall not be obligated to pay for taxes for which Customer has provided Samasource with a valid tax exemption certificate authorized by the appropriate taxing authority. Samasource shall be responsible for taxes assessable against Samasource based on Samasource's income, real or tangible property and employees. All payment obligations under any and all Orders are non-cancelable and all payments made are non-refundable.
- Invoices and Payment, Right to Suspend. Samasource shall invoice Customer as set forth in each Order. Unless otherwise agreed upon in an Order, each invoice is due and payable thirty (30) days after the invoice date. If Samasource has not received payment (except for payments which are the subject of a good faith and reasonable dispute) within thirty (30) days after the due date, Samasource reserves the right to: (i) assess interest on past due amounts at the rate of one percent (1%) per month or the maximum amount allowed by law, whichever is less, commencing with the date payment was due; and (ii) in addition to any other rights or remedies it may have under this Agreement or by law, Samasource reserves the right to suspend the Service upon thirty (30) days’ notice, without liability to Customer, until such amounts are paid in full.
- Proprietary Rights.
- Samasource Intellectual Property Rights. Samasource and/or its licensors own all right, title and interest in and to the Service and Documentation, including but not limited to all modifications thereto, and all intellectual property rights therein. Except as expressly stated herein, this Agreement does not grant Customer any rights related to the Service, Documentation, or any modifications thereto, or any intellectual property rights therein.
- Customer Data. As between the Parties, Customer retains all rights to the Customer Data.
- Customer Input. Samasource shall have the royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use any recommendations or feedback offered by Customer or Users related to the functioning of the Service, including requests for enhancements and improvements. Samasource is not obligated to incorporate recommendations or feedback into the Service, and Customer is not obligated to provide any requests, recommendations or feedback to Samasource.
- Aggregated Data. As between Samasource and Customer, Samasource shall own all information regarding the Service, its operation and use and including statistical data regarding its customers’ use of the Services provided such data does not reveal the identity, whether directly or indirectly, of Customer or any individual or any specific Customer Data entered by any individual into the Service.
- Each Party agrees to protect the other's Confidential Information with the same standard of care such Party uses to protect its own Confidential Information, but in no event with less than a reasonable standard of care. Neither Party shall use the Confidential Information of the other Party for any reason other than as contemplated under this Agreement. Neither Party shall disclose the Confidential Information of the other Party to any employee or third party except those who have a need to know and who are subject to non-disclosure obligations no less restrictive than those set forth herein. Disclosure of Confidential Information pursuant to a court order shall not be considered a breach of this provision provided the Party, to the extent not prohibited by law, makes the other Party aware of the disclosure requirement.
- Customer Data.
- Unauthorized Disclosure. Samasource shall not access Customer Data except to provide the Service, prevent or address service or technical problems, or as requested by Customer. Each Party shall promptly notify the other Party of any unauthorized disclosure of Customer Data, and shall work cooperatively with the other Party to mitigate the impact of such disclosure.
- System Security. Samasource shall provide the Service in accordance with a reasonable and appropriate security program designed to ensure the security, including protection against threats, hazards and unauthorized disclosure, and integrity of the Customer Data consistent with the provisions of the Information Protection Addendum in Attachment B of this Agreement. Notwithstanding anything to the contrary in this Agreement, including Attachment B hereto: (i) Customer is solely responsible for maintaining the security and confidentiality of its Customer Data, User name(s) and passwords; and (ii) Samasource shall have no liability to Customer or any third party for any unauthorized disclosure or access to Customer's account or Customer Data which results from Customer's misuse, loss or theft of any User name or password. The Parties acknowledge and agree that Samasource has no control of the communication lines used to transmit information between the Service and Customer and Users, and Samasource shall have no liability for any issues arising from the operation of the communication lines. Customer understands that its use of the Service and compliance with any terms hereunder does not ensure Customer’s compliance with laws applicable to Customer. Customer acknowledges and agrees that it has an independent duty to comply with any and all laws applicable to it.
- Location of Customer Data. Subject to the terms of this provision, Customer Data will be stored in a data center located in the United States. Customer Data may also be accessed, transmitted, and temporarily stored outside the United States as reasonably necessary to: (i) prevent or address service or technical problems; and/or (ii) maintain and support the Service.
- Limited Warranties. Each Party warrants that it has the authority to enter into this Agreement, and shall comply with all laws applicable to it related to data security, and the transmission of personal data. Samasource warrants that the Service will materially conform to the Documentation. Upon receipt of written notice from Customer describing a breach of the Service warranty herein in such reasonable detail as is requested by Samasource, as Customer's sole and exclusive remedy, and as Samasource's sole and exclusive obligation, Samasource shall, at Samasource's expense, repair the Service described in such written notice so as to materially conform to the Documentation, or refund the subscription fees paid for such non-conforming Service for the remainder of the subscription term for which Customer has paid. To receive warranty remedies, Customer must promptly report deficiencies in writing to Samasource, but no later than thirty (30) days of the first date the deficiency is identified by Customer. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, SAMASOURCE MAKES NO WARRANTIES, EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. SAMASOURCE DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR FREE.
- Term and Termination.
- Agreement Term. This Agreement shall commence on the Effective Date and shall continue until the subscription terms of all Orders have expired or been terminated pursuant to the terms of this Agreement.
- Subscription Term. Each Order shall specify a Service subscription term.
- Termination for Cause. A Party may terminate this Agreement upon notice in the event the other Party fails to cure a material breach within thirty (30) days of receipt of notice detailing the breach. In the event of any termination of this Agreement, all then-effective Orders will simultaneously terminate.
- Effect of Termination. Upon termination, Customer shall immediately cease use and access of the Service, and each Party shall return any and all Confidential Information of the other Party then in its possession, subject to the provisions of Section 9.5.
- Return of Customer Data. Upon request of Customer within thirty (30) days of the effective date of termination of the Agreement, Samasource shall provide to Customer a copy of its Customer Data in a format generally offered by Samasource to its customers. After ninety (90) days of termination of this Agreement, Samasource shall have no obligation to keep Customer Data.
- Surviving Provisions. The terms of Sections 1, 4-12 shall survive termination of this Agreement.
- Samasource Indemnification. Samasource shall defend Customer against any third party claim against Customer alleging that the use of the Service in conformance with the terms of this Agreement infringes a U.S. patent, copyright or trade secret, and shall indemnify Customer against damages finally awarded against Customer or agreed in settlement of such claim, and expenses, including attorneys’ fees, reasonably incurred in the defense of such claim. The foregoing indemnity obligation shall not apply in the event the infringement results from (a) modification of the Service by Customer; (b) use of the Service in violation of the terms of this Agreement or in a manner inconsistent with Customer’s obligations hereunder; or (c) use of the Service in combination with a product or service not provided by Samasource. If Customer is enjoined from using the Service or Samasource reasonably believes it will be enjoined, Samasource shall have the right, at its sole option, to obtain for Customer the right to continue use of the Service or to replace or modify the Service so that it is no longer infringing. If neither of the foregoing options is reasonably available to Samasource, then use of the Service may be terminated and Samasource's sole liability shall be to refund any prepaid fees for the Service that were to be provided after the effective date of termination.
- Customer Indemnification. Customer shall defend Samasource against any third party claim against Samasource alleging that the Customer Data is defamatory or otherwise in violation of law and/or infringes a U.S. patent, copyright or trade secret, and shall indemnify Samasource against damages finally awarded against Samasource or agreed in settlement of such claim, and expenses, including attorneys’ fees, reasonably incurred in the defense of such claim.
- Indemnification Process. Each Party's obligation as an indemnifying Party is contingent upon the indemnified Party: (i) promptly giving the indemnifying Party written notice of the claim; (ii) giving the indemnifying Party the sole control of the defense and settlement of the claim (provided that the indemnifying Party may not settle or defend any claim unless it unconditionally releases the indemnified Party of all liability); and (iii) providing to the indemnifying Party all reasonable assistance, at the indemnifying Party's expense.
- Exclusive Remedy. This "Indemnification" section states the indemnifying Party's sole liability to the other Party, and the indemnified Party's exclusive remedy for any type of claim described in this section.
- Limitation of Liability. IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS OR REVENUE, LOST SAVINGS, LOSS OF USE, BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE GOODS ARISING OUT OF, OR IN ANY WAY CONNECTED TO, THIS AGREEMENT, WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CUSTOMER WILL NOT ASSERT THAT ITS PAYMENT OBLIGATIONS ARE EXCLUDED AS SAMASOURCE LOST PROFITS.
EXCEPT WITH RESPECT TO CUSTOMER’S PAYMENT OBLIGATIONS, IN NO EVENT SHALL EITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF, OR IN ANY WAY CONNECTED TO, THIS AGREEMENT (WHETHER IN CONTRACT, TORT OR OTHERWISE), EXCEED THE FEES PAID BY CUSTOMER UNDER THE APPLICABLE ORDER IN THE TWELVE (12) MONTH PERIOD PRECEDING THE CLAIM. The provisions of this Agreement allocate the risks between Samasource and Customer. Samasource's pricing reflects this allocation of risk and the limitation of liability specified herein.
- Force Majeure. Neither Party shall be liable for any failure or delay in the performance of its obligations hereunder to the extent such failure or delay is beyond the reasonable control of such Party, and without fault or negligence of such Party, including strikes, shortages, riots, insurrection, fires, flood, storm, pandemics, explosions, acts of God, war, governmental action, labor conditions, earthquakes, and material shortages.
- Governing Law, Venue, Waiver of Jury Trial. This Agreement, and all matters arising out of or relating to this Agreement, will be governed by the laws of the State of California. Any legal action or proceeding relating to this Agreement will be instituted in any state or federal court in San Francisco County, California. Samasource and Customer agree to submit to the jurisdiction of, and agree that venue is proper in, the aforesaid courts in any such legal action or proceeding. Each Party waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement.
- Notices. All notices under this Agreement will be in writing and addressed to the other Party’s required contact as set forth below or on the Order or as otherwise notified by any Party. Notice will be deemed given upon personal delivery, upon delivery by nationally-recognized bonded courier service, or seven (7) days after sending by certified or registered mail, postage prepaid and return receipt requested. Notice can also be by email and will be treated as given on receipt, as verified by written or automated receipt or by electronic log (as applicable).
If to Samasource:
Samasource Impact Sourcing, Inc.
2017 Mission St, Suite 301
San Francisco, CA 94110
- Waiver; Cumulative Remedies. The waiver by either Party of any default or breach of this Agreement shall not constitute a waiver of any other or subsequent default or breach. Except as expressly stated herein otherwise, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party at law or in equity.
- Export Administration. The Service, Documentation, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Customer shall not permit Users to access or use the Service in a U.S.-embargoed country or in violation of any U.S. export law or regulation.
- Relationship Between the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties. There are no third-party beneficiaries to this Agreement.
- Assignment. Neither Party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other Party (which consent shall not be unreasonably withheld or delayed). Notwithstanding the foregoing, either Party may assign this Agreement in its entirety (including all Orders hereunder) without consent of the other Party in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets provided the assignee has agreed to be bound by all of the terms of this Agreement and all past due fees are paid in full, except that Customer shall have no right to assign this Agreement to a direct competitor of Samasource. This Agreement shall inure to the benefit of the permitted successors and assigns of Samasource and, subject to the restrictions on transfer or assignment herein set forth, shall be binding upon Customer and Customer's successors and assigns.
- Marketing Activities. Samasource may use Customer's name and logo in general listings of Samasource’s customers. Samasource may use Customer’s name and logo in press releases or white papers only upon prior approval of Customer (which approval shall not be unreasonably withheld or delayed). From time to time, Samasource may request Customer to participate in reference calls and/or site visits with noncompetitive new Customers, partners, media and industry analysts, provided, that, Customer shall have no obligation to participate in any such reference calls or site visits. Samasource will attempt to give Customer a 2-week notice in requesting an upcoming reference.
- Entire Agreement. This Agreement, including all Orders, constitutes the complete agreement between the Parties and supersedes all prior or contemporaneous agreements or representations, written or oral, concerning the subject matter. This Agreement may not be modified or amended except in a writing signed by a duly authorized representative of each Party, and no other act, document, usage or custom shall be deemed to amend or modify this Agreement. In the event of a conflict, the provisions of each Order shall take precedence over provisions of the body of this Agreement. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect. Notwithstanding any language to the contrary therein, no terms or conditions stated in a Customer purchase order or in any other Customer order documentation shall be incorporated into or form any part of this Agreement, and all such terms or conditions shall be null and void.
99.5% Available Uptime
The Samasource Service shall be available and running 99.5% of the time. If such availability service level is not met during the subscription term under an Order, Customer shall be eligible for a service credit as described below.
The Samasource Service will be considered unavailable when it is inaccessible during two or more consecutive 90-second intervals. Availability for the Service for the relevant time period will be calculated as the fraction of Customer’s Service requests that are failing worldwide. Uptime in a month will be calculated across the Service under each Order based on the uptime of the Service used during the month, weighted by the fraction of all service requests accounted for during that month. For purposes of this availability service level, a "month" means a calendar month.
Service credits are calculated as a percentage of the total subscription fees Customer is charged each month under the applicable Order (or Customer’s annual fees divided by 12) as follows:
Total Available Uptime (across all subscribed Services under an Order) per month and the associated service credit:
- 100% - 99.5% - 0% Credit Amount;
- 49% - 99% - 10% Credit Amount; or
- Less than 99% - 25% Credit Amount.
To receive a service credit, Customer must contact Samasource in writing within 30 days following the end of the unavailability via email at email@example.com and include the dates and times of unavailability. Provided that Samasource confirms that the uptime percentage in a month covered by the request is below 99.5%, Samasource will issue Customer the applicable service credit. Service credits (i) may be applied to any future invoice issued by Samasource to Customer (including renewals, subsequent Orders and overages), (ii) cannot be exchanged for, or converted to, monetary compensation, and (iii) will expire if not used within twelve (12) months of being issued. Notwithstanding anything to the contrary herein, the maximum service credit that shall be issued for downtime in a month is 25% of the fees charged for that month.
This SLA is Customer’s sole and exclusive remedy (and Samasource’s sole liability) for unavailability of the Samasource Service.
Unavailability due to the following instances is not included in the available uptime service level calculation, and will not count towards unavailability calculations for purposes of service credits:
- in the event that the unavailability is due to scheduled maintenance;
- in the event that Customer is in breach of any of the terms of the Agreement, applicable Order (including Customer’s payment obligations thereunder), or the unavailability is otherwise due to Customer’s acts or omissions; or
- in the event that the unavailability is due to a force majeure event under Section 12.1 of the Agreement.
The Parties may agree on additional service levels associated with quality of the Service in individual Orders.
INFORMATION PROTECTION ADDENDUM
Part A: General Information Security Terms
- Status of the Addendum. This Information Protection Addendum (“IPA”) forms part of the Agreement and incorporates (a) the mandatory terms set out in this Part A (General Information Security Terms), (b) the Supplemental Terms, to the extent applicable, and (c) the Standard Contractual Clauses (as defined below), to the extent applicable.
- Order of Precedence. Unless otherwise stated in the Agreement, if there is any conflict or inconsistency between this IPA and the Agreement, this IPA will prevail.
- Supplemental Terms. In addition to this Part A (General Information Security Terms), the following supplemental terms are part of the IPA to the extent applicable:
- Part B (EU Data Protection Requirements) of this IPA will apply to the extent the Service includes access to Personal Information subject to EU Data Protection Laws.
2. Definitions; Interpretation.
- Definitions. In this IPA:
- “Access” or “Accessing” means to create, collect, acquire, receive, record, consult, use, process, alter, store, maintain, retrieve, disclose, or dispose of. Access also includes “processing” within the meaning of the EU Data Protection Laws.
- “Applicable Laws” means all privacy, data security, and data protection laws, directives, regulations, and rules in any jurisdiction applicable to Samasource Accessing Personal Information in performance of the Service.
- “Applicable Standards” means government standards, industry standards, and best practices applicable to Samasource’s Accessing Personal Information in performance of the Service, including the Privacy Shield.
- “CCPA” means, as applicable: (i) the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), as amended from time to time; and (ii) any other applicable U.S. state data protection laws modeled on the CCPA.
- “Data Controller” has the same meaning as “controller” in EU Data Protection Laws.
- “Data Processor” has the same meaning as “processor” in EU Data Protection Laws, and includes any party that constitutes a “service provider” within the meaning of the CCPA.
- “Data Subject” has the same meaning as “data subject” in EU Data Protection Laws.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679 on data protection and privacy for all individuals within the European Union (“EU”) and the European Economic Area (“EEA”).
- “EU Data Protection Laws” means, as applicable: (i) the GDPR; and (ii) any other applicable data protection laws or regulations modeled on the GDPR.
- “EU Personal Information” means Personal Information subject to EU Data Protection Laws.
- “includes” or “including” means “including but not limited to”.
- “Personal Information” means (i) any information about an identified or identifiable individual; or (ii) information that is not specifically about an identifiable individual but, when combined with other information, may identify an individual. Personal Information includes names, email addresses, postal addresses, telephone numbers, government identification numbers, financial account numbers, payment card information, credit report information, biometric information, online identifiers (including IP addresses and cookie identifiers), and any information that constitutes “personal data” within the meaning of EU Data Protection Laws or “personal information” within the meaning of the CCPA.
- “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield self-certification programs approved by the European Commission (Decision of 12th July 2016) and operated by the U.S. Department of Commerce.
- “Protected Information” means Personal Information and Confidential Information that Samasource or a Third Party Provider may Access in performing Services. Protected Information does not include the parties’ business contact information (specifically, business addresses, phone numbers, and email addresses, including a party’s contact persons’ names used solely to facilitate the parties’ communications for administration of the Agreement).
- “reasonable” means reasonable and appropriate to (i) the size, scope, and complexity of Samasource business; (ii) the nature of Protected Information being Accessed; and (iii) the need for privacy, confidentiality, and security of Protected Information.
- “Regulator” or “Regulatory” means an entity with supervisory or regulatory authority over Samasource or its affiliate under Applicable Laws.
- “Safeguards” means the technical, organizational, administrative, and physical controls in Section 5 (Safeguards), Section 6 (Encryption Requirements), Section 8.3 (Samasource Self-Assessment), and Section 9.1 (Security Incident Response Program) of this IPA below.
- “Secondary Use” means Access to Protected Information for purposes other than as necessary to fulfill the Agreement and comply with the specific instructions stated in the Agreement, or for any purpose that would be considered a “sale” of Personal Information as defined by the CCPA.
- “Security Incident” means actual or reasonable degree of certainty of unauthorized use, destruction, loss, control, alteration, acquisition, exfiltration, theft, retention, disclosure of, or access to, Protected Information for which Samasource is responsible. Security Incidents do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Protected Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Service(s)” as used in this IPA, means the Samasource Service that Samasource provide(s) to or for Customer under one or more Orders under the Agreement.
- “Standard Contractual Clauses” means the Standard Contractual Clauses attached as Annex 1 to this IPA.
- “Third Party Provider” means any parent company, subsidiary, agent, contractor, sub-contractor, sub-processor, or other third party that Samasource authorizes to act on Samasource’s behalf in connection with processing Personal Information exclusively intended for the Services. “Third Party Provider” includes “sub-processor” within the meaning of Standard Contractual Clauses.
- Interpretation. All capitalized terms that are not expressly defined in the IPA will have the meanings given to them in the Agreement or applicable Order. Any examples in this IPA are illustrative and not the sole examples of a particular concept.
3. Compliance with Laws; Use Limitation.
- Compliance with Applicable Laws and Applicable Standards. When Samasource Accesses Protected Information under the Agreement, Samasource will at all times comply with all Applicable Laws and Applicable Standards, including any requirements applicable to the cross-border transfer of Personal Information. Samasource will promptly notify Customer if compliance with this IPA will interfere with Samasource obligations under Applicable Laws.
- Use Limitation. Samasource will Access Protected Information only for the limited and specified purposes stated in the Agreement and to exercise Samasource’s rights and fulfill Samasource’s obligations under the Agreement and not for any Secondary Use.
- CCPA Requirements: To the extent applicable, Samasource shall comply with the requirements of the California Consumer Privacy Act ("CCPA") that apply to Customer in the performance of any obligations or services under the Agreement. Customer is a “Business” and Samasource is a “Service Provider” for purposes of the CCPA. Samasource shall not: (a) sell the Personal Information; (b) retain, use or disclose the Personal Information for any purpose other than for the specific purpose of fulfilling Samasource’s obligations under the Agreement; (c) retain, use, or disclose the Personal Information for a commercial purpose other than fulfilling Samasource’s obligations under the Agreement; or (d) retain, use, or disclose the Personal Information outside of the direct business relationship between Samasource and Customer. Samasource certifies that it understands these restrictions and will comply with them.
- Third Party Providers. Samasource may subcontract the performance of any part of the Services to any Third Party Provider without Customer’s prior written consent or general written authorization. In such event, Samasource will:
- carry out adequate due diligence of Samasource’s Third Party Provider to verify its capability of providing the level of security and privacy required by the Agreement;
- contractually require Samasource’s Third Party Provider to prevent Secondary Use and protect Protected Information using at least the same level of protection required of Samasource under this IPA; and
- retain oversight of and be responsible for Samasource’s Third Party Providers’ acts and omissions in connection with such Third Party Providers’ performance of Services under this Agreement.
- At all times that Samasource accesses Protected Information, Samasource will maintain reasonable technical, organizational, administrative, and physical controls and comply with this IPA, Applicable Standards, and Applicable Laws, including the following:
- Physical Controls. Samasource will maintain physical controls designed to secure relevant facilities, including as applicable, layered controls covering perimeter and interior barriers, individual physical access controls, strongly-constructed facilities, suitable locks with key management procedures, access logging, and intruder alarms/alerts and response procedures.
- Technical Controls. To the extent Samasource accesses Protected Information using Samasource systems, Samasource will:
- establish and enforce access control policies and measures designed to ensure that only individuals who have a legitimate need to Access Protected Information will have such access, including multi-factor authentication;
- promptly terminate an individual’s access to Protected Information when such access is no longer required for performance under the Agreement;
- maintain reasonable and up-to-date anti-malware, anti-spam, and similar controls on Samasource networks, systems, and devices;
- log the appropriate details of access to Protected Information on Samasource systems and equipment, plus alarms for attempted access violations, and retain such records for no less than 90 days;
- maintain controls and processes designed to ensure that all operating system and application security patches are installed within the timeframe recommended or required by the issuer of the patch; and
- implement reasonable user account management procedures to securely create, amend, and delete user accounts on networks, systems, and devices through which Samasource accesses Protected Information, including monitoring redundant accounts and ensuring that information owners properly authorize all user account requests.
- Personnel Security. Samasource will maintain personnel policies and practices restricting access to Protected Information, including having appropriate use guidelines, written confidentiality agreements, and performing background checks in accordance with Applicable Laws on all personnel who Access Protected Information or who implement, maintain, or administer Samasource Safeguards.
- Training and Supervision. Samasource will provide reasonable ongoing privacy and information security training and supervision for all Samasource personnel who Access Protected Information.
- Encryption Requirements. Using a reasonable encryption standard, Samasource will encrypt all Protected Information that is (a) stored on portable devices or portable electronic media; (b) maintained outside of Customer’s or Samasource’s facilities; (c) transferred across any external network not solely managed by Samasource; and (d) where required by Applicable Law, including Personal Information at rest on Samasource systems.
- Use of Customer Networks, Systems, or Devices. To the extent that Samasource accesses Customer-owned or Customer-managed networks, systems, or devices (including APIs, corporate email accounts, equipment, or facilities) to access Protected Information, Samasource will comply with Customer’s lawful written instructions, system requirements, and policies made available to Samasource.
8. Assessments; Audits; Corrections
- Customer’s Security Assessment. On Customer’s written request Samasource will complete Customer’s written privacy and security questionnaire regarding any network, application, system, or device, or Safeguard applicable to Samasource’s access to Protected Information. Samasource will provide any additional assistance and cooperation that may be reasonably required during any assessment of Samasource Safeguards, including providing Customer with reasonable access to personnel, information, documentation, infrastructure and application software, to the extent any of the foregoing is involved in Samasource’s access to Protected Information.
- Samasource Continuous Self-Assessment. Samasource continuously monitors risk to Protected Information in a manner designed to ensure that the Safeguards are properly designed and maintained to protect the confidentiality, integrity, and availability of Protected Information. As part of Samasource’s continuous self-assessment program, Samasource (1) periodically (but no less than once per year) conducts third party penetration tests and other appropriate vulnerability tests, and documents the effectiveness of Samasource Safeguards; (2) promptly fixes high and critical severity findings, if any; and (3) promptly applies any high or critical severity security patches to Samasource production servers, endpoints, and endpoint management systems as necessary.
- Audits and Certifications; Regulatory Audits.
- Audits and Certifications. Upon written request by Customer, not more than once per year, Samasource will provide a summary of the audit report performed by a qualified third party auditor within the prior twelve (12) months where such audit addresses SSAE 16/SOC1, SOC2, ISO 27001, NIST, PCI DSS, HIPAA or similar certification.
- Regulatory Audit. Notwithstanding Section 8.3(a), if a Regulator requires an audit of the data processing facilities from which Samasource processes Personal Information in order to ascertain or monitor Customer’s compliance with Applicable Law, Samasource will cooperate with such audit.
- Correcting Vulnerabilities. If either party discovers that Samasource Safeguards contain a vulnerability, Samasource will promptly correct or mitigate (a) any vulnerability within a reasonable period, and (b) any material vulnerability within a period not to exceed 60 days. If Samasource is unable to correct or mitigate the vulnerabilities within the specified time period, Samasource will promptly notify Customer and propose reasonable remedies.
9. Security Incident Response.
- Security Incident Response Program. Samasource will maintain a reasonable Security Incident response program.
- Security Incident Notification.
- If Samasource becomes aware of a Security Incident, Samasource will promptly:
- (i) stop the unauthorized access; (ii) secure Protected Information; and (iii) notify Customer (within 24 hours after discovery of the Security Incident) by sending an email to [client email] with the information described in Subsection (b) below.
- Samasource will provide reasonable information about the Security Incident, including:
- (i) a description of Protected Information subject to the Security Incident (including the categories and number of data records and Data Subjects concerned) and the likely consequences of the Security Incident; (ii) the date and time of the Security Incident; (iii) a description of the circumstances that led to the Security Incident (e.g., loss, theft, copying); (iv) a description of the measures Samasource has taken and proposes to take to address the Security Incident; and (v) relevant contact people who will be reasonably available until the parties mutually agree that the Security Incident has been resolved. For Security Incidents involving Personal Information, “reasonably available” means 24 hours per day, 7 days per week.
- Remediation; Investigation. Samasource will take appropriate steps to promptly remediate the root cause(s) of any Security Incident, and will reasonably cooperate with Customer with respect to the investigation and remediation of such incident, including providing such assistance as required to enable Customer to satisfy its obligation to notify individuals and cure an alleged violation related to a Security Incident. Samasource will provide Customer the results of the investigation and any remediation already undertaken. Samasource will not engage in any action or inaction that unreasonably prevents Customer from curing an alleged violation of Applicable Law.
- No Unauthorized Statements. Except as required by Applicable Laws, Samasource will not make (or permit any third party to make) any statement concerning the Security Incident that directly or indirectly references Customer, unless Customer provides its explicit written authorization.
- Legal Process. If Samasource or anyone to whom Samasource provides access to Protected Information becomes legally compelled by a court or other government authority to disclose Protected Information, then to the extent permitted by law, Samasource will promptly inform Customer of any request and reasonably cooperate with Customer’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action as Customer may deem appropriate. Unless required by Applicable Laws, Samasource will not respond to such request, unless Customer has authorized Samasource to do so.
11. Records; Destruction; Responding to Access Requests; Sanitization
- Records. Samasource will keep accurate and up-to-date records relating to Samasource’s access to Protected Information and sufficient to meet Samasource’s obligations under this IPA.
- Return or Deletion of Information. Upon the termination or expiration of the Agreement or the relevant Order for the Services, Samasource will promptly return to Customer all copies, whether in written, electronic or other form or media, of Personal Information in Samasource’s possession or the possession of Third Party Provider; where permitted delete and render Protected Information unreadable in the course of disposal, securely dispose of all such hard copies, and where requested certify in writing Samasource’s compliance.
- Subject Access Requests. Upon Customer’s request, Samasource will (i) provide to Customer a particular individual’s Personal Information in an agreed upon format, and (ii) securely delete, modify, or correct a particular individual’s Personal Information from Samasource’s records. In the event Samasource is unable to delete the Personal Information for reasons permitted under the Applicable Laws, Samasource will (i) inform Customer of the reason(s) for Samasource’s refusal, including the legal basis of such refusal, (ii) maintain the ongoing privacy, confidentiality, and security of such Personal Information, and (iii) delete the Personal Information promptly after the expiry of the reason(s) for Samasource’s refusal.
- Samasource’s obligations under this IPA will survive expiration or termination of the Agreement and completion of the Services as long as Samasource continues to have access to Protected Information.
Part B: EU Data Protection Requirements
- Introduction. This Part B will only apply to the extent the Services require that Samasource accesses Personal Information subject to EU Data Protection Laws.
- Types and Categories of Personal Information. The Statement(s) of Work associated with the Services will specify the subject matter and duration of the processing, the categories of Data Subjects, and the types and categories of Personal Information Accessed.
3. Roles and Responsibilities.
- If EU Data Protection Laws apply to the Services, the parties acknowledge and agree that:
- the subject matter and details to the processing are as described in the Agreement;
- Customer or its affiliate is a controller of the Personal Information;
- Samasource is a processor of the Personal Information; and
- Samasource will comply with Customer’s lawful written instructions with respect to the Personal Information.
- Samasource Obligations as a Data Processor. Samasource will:
- Access Personal Information on behalf of Customer and in accordance with Customer’s documented lawful instructions unless Samasource is otherwise required by EU Data Protection Law, in which case Samasource will inform Customer of that legal requirement before Accessing the Personal Information, unless informing Customer is prohibited by law on important grounds of public interest.
- implement and maintain appropriate technical and organizational measures designed to meet Samasource obligations under Applicable Laws and this IPA;
- promptly correct, amend, or delete the Personal Information at Customer’s direction;
- where requested, reasonably assist Customer in the conduct of data protection impact assessments and prior consultations with Regulatory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required prior to Accessing Personal Information;
- cooperate with and assist Customer in investigating Data Subjects’ exercise of their legal rights; and
- maintain adequate records of processing activities as set out more fully in Art. 30 of the GDPR.
4. Data Transfers.
4.1. Transfers of Data Out of the European Economic Area and Switzerland. Samasource may transfer EU Personal Information outside the European Economic Area or Switzerland, if Samasource complies with the provisions on the transfer of personal data to third countries in EU Data Protection Laws.
4.2. Transfers Under Standard Contractual Clauses. To the extent Standard Contractual Clauses are applicable to the transfer of EU Personal Information from the EU and Switzerland, Samasource expressly agrees that Samasource’s signature on the Agreement will be treated as Samasource’s acceptance of the Standard Contractual Clauses.