Syntax Supplier General Terms & Conditions
The provisions of these Syntax Supplier General Terms and Conditions (the “SGTC”) constitute a binding agreement between the legal entity (whether in its individual capacity or as the organization) identified in an applicable Purchase Order (“PO”) or SOW (defined below) (the “Supplier”) and Syntax Systems USA, LP or any of its Affiliates (“Syntax”). These SGTC are the complete and binding Agreement between Syntax and Supplier, except to the extent the Parties mutually executed an agreement, such as a Syntax Supplier Master Services Agreement. If a conflict arises between these SGTC and such agreement, the terms of such agreement will apply. Supplier and Syntax are referred to herein individually as a “Party” and collectively as the “Parties.”
1. DEFINED TERMS. When used in the Agreement, the terms below shall have the meaning stated:
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the entity referred to, but only for so long as such control exists. As used in this definition, “Control” means the right to control more than fifty percent (50%) of the voting interests of the entity.
1.2 “Agreement” means: (i) these SGTC, (ii) a SOW, and (iii) any exhibits, appendices and other documents attached to or incorporated by reference in these SGTC or a SOW.
1.3 “Business Day” means Monday – Friday, excluding federal public holidays in the United States.
1.4 “Deliverable” means any work product that Supplier may create as a result of or in connection with the Services, whether finished or in draft form, including but not limited to documents, reports, analyses, test results, designs, drawings, specifications, computer data, software, inventions, discoveries, improvements, customizations, concepts, information, techniques, and know-how.
1.5 “Intellectual Property Right” or “Intellectual Property” means patents, copyrights, trademarks, trade secrets, trade names, service marks and any other proprietary intellectual property rights.
1.6 “Statement of Work” or “SOW” means a document signed by both Parties or a purchase order issued by Syntax to Supplier that describes the purchase terms for the Services.
1.7 “Syntax” means the Syntax group entity who issues the PO or signs the SOW.
1.8 “Services” means services provided by Supplier to Syntax, as outlined in the SOW.
2. THE AGREEMENT
2.1 No Obligation to Place or Accept SOWs. Nothing in these SGTC requires the Parties to enter into any SOWs. However, once entered into, each SOW is a binding agreement for the provision and purchase of the Service(s) and the delivery of any Deliverables described in the SOW on the terms stated in the Agreement.
2.2 SOWs Subject to SGTC. These SGTC shall govern each SOW and PO between Syntax and the Supplier.
2.3 Varying Terms of SGTC for Particular SOW/ Modifications to SGTC. These SGTC may only be modified by a written amendment signed by both Parties. The pre-printed terms of each Party’s business forms shall have no effect whatsoever.
2.4 Order of Precedence of Documents. In the event of a conflict, the documents shall govern in the following order of precedence: (i) these SGTC, and (ii) the SOW.
3. SERVICES
3.1 Supplier will provided the Services set forth in a SOW and supply all Deliverables to Syntax.
3.2 Acceptance/Rejection of Services. Syntax shall have thirty (30) days following the delivery or completion of the Services, or such other period agreed to by the Parties in the SOW (“Acceptance Period”), to evaluate the Services for conformance with the applicable SOW or other agreed specifications and requirements (“Acceptance Criteria”). If the Services fail to materially conform to the applicable Acceptance Criteria, or other agreed specifications and requirements, Syntax may reject the Services by a written notice given before the end of the applicable Acceptance Period. Supplier shall have ten (10) days from Syntax’s notice of rejection to cure the items of non-conformance and/or re-perform the Services. Syntax shall then have an additional ten (10) day period to evaluate the Services, and may again reject the Services for non-conformance by written notice given before the end of the ten (10) day period. In the event that Syntax rejects the Services in accordance with this provision, no fees shall be due for that portion of the Services so rejected and not cured by Supplier.
4. PERSONNEL
4.1 Supplier shall conduct reasonable due diligence on its employees and contractors, which at minimum will include reference, employment, and background checks. For a professional or consulting services engagement, Syntax, in its sole discretion, may accept or reject any person proposed by Supplier.
4.2 Syntax may require Supplier to remove any person from performing Services. In this event, Supplier must take appropriate action to ensure timely replacement of such resource, generally within five (5) calendar days unless otherwise agreed by the Parties.
4.3 Supplier will not, without the prior written consent of Syntax, remove any person named in the applicable SOW from performing Services until completion of Services, unless Syntax requests the removal of such person or such person ceases to be employed by Supplier. Supplier must take appropriate action to ensure timely replacement of such resource, generally within five (5) calendar days unless otherwise agreed by the Parties.
4.4 If requested by Syntax, Supplier and its assigned personnel agree to utilize Syntax-assigned Syntax email address(es) for all Syntax and Syntax end client communication for the Services.
4.5 Supplier will advise any of its employees or contractors who performs Services of the terms of these SGTC and ensure each such person’s compliance with such terms.
5. PAYMENT
5.1 Invoicing. All fees for Services must be agreed by both Parties in the applicable SOW or PO. Invoices shall include sufficient detail so that invoiced amounts can be matched to the applicable SOW. If the SOW establishes hourly “time and materials”, or other cost based pricing, then on request, Supplier shall provide documentation for the hours and materials for which Syntax is invoiced, including the timesheets of its personnel. Supplier’s invoices shall be due no later than ninety (90) days from receipt. Syntax shall not be required to pay any invoices that are issued more than one-hundred eighty (180) days following the calendar month in which the fee accrued. If there is a dispute with respect to any portion of an invoice, Syntax shall pay the undisputed portion and provide written details specifying the basis of any dispute.
5.2 Sales Tax. The prices stated in each SOW are exclusive of sales, use, VAT/GST or similar tax (“Sales Tax”). Syntax shall remit to Supplier any Sales Tax that Supplier is required by law to collect, provided that the Sales Tax is invoiced with the fee(s) for the Services giving rise to the tax. If Syntax is exempt from the Sales Tax, or is permitted to remit the Sales Tax directly to the taxing authority, then Syntax shall not be required to remit Sales Tax to Supplier. Syntax must provide Supplier with reasonable documentation for any Sales Tax exemption on which it relies. If taxes are required by law to be withheld on payments made by Syntax to Supplier (“Withholding Tax”), Syntax may deduct the Withholding Tax from payments it makes to Supplier. Syntax must pay the Withholding Tax directly to the appropriate taxing authority. Syntax will promptly secure and deliver to Supplier an official receipt for the withheld taxes and any other documents needed from Syntax for Supplier to claim a foreign tax credit.
5.3 Expenses. Syntax shall not pay or reimburse Supplier for its travel or other expenses unless specifically agreed in the SOW or otherwise agreed in writing in advance by the authorized representative of Syntax, and then only those expenses that are reasonable and accompanied with appropriate documentation.
5.4 Offset. Notwithstanding anything herein to the contrary, Syntax reserves the right of offset against payment due to Supplier for any and all claims arising from the Agreement or Supplier’s provision of Services thereunder.
6. SECURITY
6.1 Supplier’s Access to Secure Information Systems and Data. Supplier shall not attempt to access Syntax’s secure network(s) or other information systems, without Syntax’s prior written consent, either via its personnel performing Services onsite or remotely. If Syntax consents to such access, and if such consent includes access to Secure Information (as that term is defined in Section 10.1.2), then such access shall be subject to the terms of Exhibit A (Secure Information Addendum), to this Agreement and where Secure Information also includes Personal Data (as that term is defined in Exhibit B) then such access shall also be subject to the terms of Exhibit B (Data Processing Addendum). Syntax’s consent for such access may be revoked at any time in Syntax’s sole discretion.
6.2 Supplier Performance of Services On Syntax Premises. Supplier personnel who perform Services on Syntax’s premises must comply with Syntax’s on-site security and facility requirements, as they may be modified from time to time.
6.3 Background Checks. To the extent permitted by applicable law, Vendor shall conduct reasonable background checks, including criminal history, employment and education checks, on all personnel (including employees, contractors, and subcontractors) who will have access to Customer facilities, systems, confidential information, or otherwise perform services under this Agreement. Such background checks shall be conducted prior to the commencement of any services and shall be sufficient to confirm that personnel do not pose an unreasonable risk to Customer, its personnel, or its operations. Vendor shall retain documentation of such checks and provide confirmation of completion upon Customer’s reasonable request, subject to applicable privacy laws. Vendor shall not assign any individual to perform services under this Agreement who fails to meet these standards.
7. OWNERSHIP AND LICENSING
7.1 Ownership of Intellectual Property Rights in Deliverables. Except as otherwise provided in an applicable SOW, all Deliverables are and will remain the sole and exclusive property of Syntax as “works made for hire” for which Syntax is deemed the author and copyright owner. To the extent that any Deliverables are not deemed “works made for hire,” Supplier agrees to assign and hereby assigns to Syntax all right, title, and interest in and to any and all such Deliverables, whether or not protected by statute, that are conceived, created, made, or developed by Supplier in the performance of its obligations under this Agreement. Supplier will cooperate with and assist Syntax in the application for and the execution of any applications and/or assignments reasonably necessary to register any Intellectual Property right.
7.2 Exceptions to Syntax’s Ownership of the Deliverables. Syntax may from time to time agree that Supplier shall retain ownership of the Deliverable(s) that Supplier creates pursuant to this Agreement (the “Retained Deliverables”); provided, however, that any such agreement must be in writing, must specifically identify the portion of the Deliverable that is the “Retained Deliverables,” and must be signed by an authorized signatory of Syntax. Supplier agrees that Syntax shall have an unconditional, perpetual, worldwide, non-revocable, fully paid, royalty-free, transferable, non-exclusive, sub-licensable license to use and distribute the Retained Deliverables.
7.3 Supplier’s Intellectual Property and Third Party Components. As set forth in the applicable SOW, Syntax may from time to time agree that Supplier may include in Deliverables software or other work product which Supplier created prior to this Agreement (the “Supplier IP”) or software which Supplier has licensed from third parties (“Third Party Components”); provided, however, that the SOW must specifically identify the portion of the Deliverable that includes Supplier IP and/or Third Party Components. Upon Syntax request, Supplier shall provide Syntax with copies of its third party license agreements and evidence of payment of the appropriate license fees. Syntax acknowledges that the Supplier IP and the Third Party Components are not Deliverables as defined above. Supplier hereby grants Syntax a perpetual, worldwide, non-revocable, fully paid, royalty-free, transferable, non-exclusive, sub-licensable license to use the Supplier IP and Third Party Components in order to make full use of the associated Deliverables.
7.4 Syntax’s Pre-Existing Intellectual Property. Syntax may permit Supplier to use Syntax’s Intellectual Property Rights including rights in source code, trade secrets, undisclosed inventions, and other proprietary information, and/or with copies of Syntax’s trademarks, service marks and other identifying indicia and/or other intellectual property (collectively the “Syntax Pre-Existing IP”). Any such license to Supplier to use the Syntax Pre-Existing IP shall be on a limited term, non-exclusive, revocable, non-transferable, non-sublicensable basis solely for the purpose of creating the Deliverables and performing the Services, and Syntax retains all other right, title and interest in and to the Syntax Pre-Existing IP.
7.5 No Other Rights. Except as described in this Section, neither Party shall have any license or other interest in the other Party’s intellectual property by reason of this Agreement or the performance or use of the Services.
8. WARRANTIES
8.1 Services. Supplier represents and warrants that:
8.1.1 the Services will be provided in a timely, professional and skillful manner, consistent with industry best practices for the services;
8.1.2 the Services and the Deliverables will be provided in accordance with any documentation provided by the Supplier, and in accordance with any specifications or requirements outlined in a SOW;
8.1.3 its personnel assigned to provide the Services have appropriate training, skill, and experience to provide the Services in accordance with the representations and warranties stated in this Section;
8.1.4 neither the Services nor the Deliverables shall introduce into any Syntax information technology system any virus, disabling code, malware, trap, or other set of computer instructions that are designed to usurp or damage the normal operation of, or allow covert access to, a computer, computer system or computer network, or deny access to or corrupt data;
8.1.5 it has and shall maintain all licenses, permits, qualifications, insurance, and approvals required to perform the Services including the right to license any Third Party Components to Syntax for use permitted by the Agreement without payment of any royalty or fee, or if subject to a royalty or fee, Supplier has fully disclosed such royalty or fee to Syntax; and
8.1.6 neither the Deliverables, the Services, nor the Supplier IP will infringe on the Intellectual Property Rights of a third party.
Supplier agrees that for a period of one (1) year from Syntax’s acceptance of the Services, Supplier will promptly correct any breach of the above warranties.
8.2 SLAs. If the Services are provided with response time guaranties, uptime guaranties or other specific service levels that require Supplier to meet a higher standard for any part of the Services than the warranties stated above, then those service levels shall govern as to that part of the Services. If the SOW includes a specific remedy for breach of a service level, such as a dollar credit, and such remedy is stated to be the exclusive remedy, then such remedy shall be the exclusive monetary remedy for a breach of the service level only, and shall not exclude Syntax’s remedies at law or equity for any other breach of the Agreement, or Syntax’s right to terminate the Agreement for breach as provided in Section 9 (Term and Termination) below.
8.3 Compliance with Laws. The Vendor shall at all times comply with all applicable federal, state, and local laws, regulations, ordinances, and codes in connection with its performance under this Agreement. This includes, but is not limited to, laws relating to labor and employment, health and safety, data privacy, anti-corruption, and import/export controls.
9. TERM AND TERMINATION
9.1 Term. These SGTC are effective upon either (i) Supplier’s commencement of performance of the Services or Deliverables, or (ii) the date of Supplier’s signature on the applicable SOW, whichever is earlier. These SGTC shall survive as to any SOW that is executed until the expiration or termination of the SOW.
9.2 Termination for Breach. If Supplier materially fails to perform Services and does not cure the failure within ten (10) days following Syntax’s written notice (or such fewer number of cure days as may be stated in the applicable SOW), Syntax may terminate the applicable SOW, or may terminate all SOWs, for breach. If Supplier fails to perform any obligation stated in a SOW or these SGTC other than the performance of the Services, and does not cure the failure within thirty (30) days of Syntax’s written notice, then Syntax may terminate the applicable SOW, or may terminate all SOWs, for breach. If Syntax materially fails to perform any obligation under this Agreement and does not cure the failure within thirty (30) days of Supplier’s written notice, Supplier may terminate the applicable SOW, for breach.
9.3 Termination for Convenience
9.3.1 Syntax may terminate a SOW on notice to Supplier if the Services subject to such SOW were for a specific Syntax end client or set of Syntax end clients and such end client(s) terminate the agreement with Syntax for the Services. In the event of such termination, Syntax shall pay Supplier for Services performed up to the date of termination.
9.3.2 Syntax may terminate an SOW for convenience on thirty (30) days notice unless expressly stated otherwise in the specific SOW. In the event of such termination, Syntax shall pay Supplier for Services performed up to the date of termination.
9.4 Refund of Pre-paid Fees. In the event a SOW is terminated for any reason whatsoever, Supplier will return to Syntax any pre-paid fees for unperformed Services.
9.5 Survival. The following provisions shall survive expiration or termination of this Agreement: Confidential Information, Security, Ownership and Licensing, Insurance, Limitation of Liability, Indemnification, General, and any other provisions that by their nature are intended to survive expiration or termination.
10. CONFIDENTIAL INFORMATION
10.1 Definitions.
10.1.1 “Confidential Information” means the information that is maintained in reasonable confidence by or on behalf of a Party (“Disclosing Party”), disclosed to or obtained by another Party (“Recipient”) in any manner or form whatsoever, that Recipient should reasonably understand to be confidential. Confidential Information of Syntax includes, without limitation: non-public technical, product, and business information; non-public details about Syntax’s facilities; information about or related to Syntax’s employees; information about, belonging to, or stored by any Syntax end client; and information developed by Supplier to the extent it incorporates Syntax’s Confidential Information. Confidential Information does not include information generally available to the public other than through breach of this Agreement; information known to Recipient prior to disclosure under this Agreement, but only to the extent such information was rightfully disclosed or obtained; or information developed independently and without reference to Confidential Information as shown by Recipient’s contemporaneous written business records. Recipient’s rights and obligations with regard to Confidential Information under this Agreement shall be interpreted as rights and obligations solely with regard to the Disclosing Party’s Confidential Information. This Agreement shall not limit either Party’s rights, or impose any obligations, with regard to a Party’s own Confidential Information, and each Party retains all right, title, and interest in and to their respective Confidential Information.
10.1.2 “Secure Information” means (i) information belonging to Syntax which is subject to legislative or regulatory requirements, or protected by any means other than enforcement of a contract, including (but not limited to) any material, non-public information; trade secrets; information covered by the Payment Card Industry Data Security Standard; health or medical information of an individual; and information subject to privacy or data protection laws; and (ii) any information about, belonging to, or stored by a Syntax end client. Syntax shall not disclose Secure Information except as reasonably required to comply with the terms, obligations, and purpose of the Agreement. When so disclosed, Secure Information shall be deemed Confidential Information and subject to all applicable terms herein.
10.2 Use; Disclosure. Recipient may only use or disclose Confidential Information in order to exercise its rights or perform its obligations under this Agreement, applicable law, or by order of a court of competent jurisdiction. Recipient shall not reverse engineer, decompile, or disassemble Confidential Information. Recipient shall not disclose Confidential Information to any third party except to Recipient’s employees, contractors, suppliers, agents, attorneys, accountants, professional advisors, or representatives who need to know the information and who are bound by written non-disclosure obligations at least as stringent as those stated in this Agreement, and Recipient shall remain responsible to the Disclosing Party for all treatment of Confidential Information by such third parties. To the extent allowed, Recipient shall notify the Disclosing Party of any legally imposed obligation to disclose Confidential Information and shall cooperate with any reasonable attempt by the Disclosing Party to limit such disclosure.
10.3 Protection. Neither Party shall attempt to gain unauthorized access to any Confidential Information of the other Party. Recipient shall protect Confidential Information using the same care it uses to protect its own information of like nature, which shall be no less than reasonable care, from any unauthorized use or disclosure.
10.4 Return or Destruction. Upon expiration or termination of this MSA, or at such earlier time as the Disclosing Party may request, Recipient promptly must, at Disclosing Party’s option, either return or destroy all or, if so requested, any part, of the Confidential Information in Recipient’s possession or control, and upon the Disclosing Party’s request, the Recipient must certify in writing as to its compliance with the foregoing. Notwithstanding the foregoing, the Recipient (i) will not be required to return or destroy electronic versions of the Confidential Information that are backed up on its information management and communications systems or servers and are not available to an end user to the extent such return or destruction is not reasonably practical and (ii) may retain a copy of the Confidential Information (including the Confidential Information stored in electronic form) in accordance with its bona fide policies and procedures of record retention. Any such Confidential Information shall remain subject to the restrictions outlined herein.
10.5 Notice. Recipient agrees to promptly notify the Disclosing Party in the event of any unauthorized use or disclosure of Confidential Information and provide all reasonable assistance in limiting or mitigating any resulting harm or risk of harm to the Disclosing Party.
10.6 Survival. Recipient’s obligations under this Section shall continue for so long as it has possession of Confidential Information. Thereafter, Recipient’s obligations related to notice shall continue for an additional two years. These obligations shall survive the Agreement’s termination or expiration.
10.7 Breach. Any breach of this Section shall constitute a material breach of the Agreement. A Party may seek injunctive relief, without the posting of bond, in addition to any other relief that may be owed under the Agreement, in any court of competent jurisdiction as appropriate to enforce the terms of this Section.
11. DATA PRIVACY
11.1 Supplier agrees that if, as part of performing the Services, it processes any data that is subject to privacy or security law, it shall comply with such laws, and shall not do anything or omit to do anything which would cause Syntax (including without limitation a Syntax end client) to breach any such laws. Supplier represents and warrants that if it processes any data that is Syntax Personal Data (as that term is defined in Exhibit B (Data Processing Addendum) to this Agreement), then such processing shall be subject to the terms of Exhibit B.
12. INSURANCE
Without limiting Supplier’s indemnification obligations above, or other obligations under this Agreement, Supplier shall maintain during the Term, and for one year following the Term, at its own cost and expense, the following types of insurance coverage with coverage amounts at or above the following:
- General Liability – $1,000,000 per occurrence/$2,000,000 in the aggregate
- Auto Liability – $1,000,000 per occurrence
- Workers Compensation – statutory limits
- Employers Liability – $1,000,000 per occurrence
- Excess/Umbrella Liability – $5,000,000
- Crime Liability – $2,000,000 per occurrence and in the aggregate
- Errors & Omissions – $5,000,000 per occurrence and in the aggregate
The insurance must be provided by carriers licensed to provide insurance in New York having current A.M. Best and Company ratings of A or better and financial size rating of class X or higher. Supplier’s policies must be primary with regard to loss and defense obligations. With respect to the General Liability, Workers Compensation, and Auto Liability policies, Supplier shall cause its insurers to issue endorsements expressly waiving any right of recovery against Syntax by subrogation or otherwise. With respect to the General Liability and Auto Liability policies, Supplier shall cause its insurers to issue endorsements expressly naming Syntax as “additional insured.” Supplier must require its insurers to provide Syntax with at least thirty (30) days written notice of policy cancellation. Supplier must provide Syntax with certificates of insurance, including evidence of the additional insured and waiver of subrogation endorsements, on the Effective Date, and at other times as reasonably requested by Syntax.
13. LIMIT OF LIABILITY
13.1 LIMITATIONS. EXCEPT FOR THE EXCLUSIONS SET FORTH IN SECTION 13.2, NEITHER PARTY (NOR ITS EMPLOYEES, AGENTS, SUPPLIERS OR AFFILIATES) SHALL BE LIABLE TO THE OTHER FOR ANY LOST PROFITS OR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL LOSS OR DAMAGE OF ANY KIND ARISING IN CONNECTION WITH THE AGREEMENT, EVEN IF THE PARTY HAS BEEN ADVISED OR SHOULD BE AWARE OF THE POSSIBILITY OF SUCH DAMAGES; AND THE MAXIMUM AGGREGATE MONETARY LIABILITY OF EITHER PARTY OR ITS AFFILIATES (INCLUDING EACH OF THEIR RESPECTIVE DIRECTORS, OFFICERS, AGENTS, AND EMPLOYEES) IN CONNECTION WITH THE AGREEMENT, UNDER ANY THEORY OF LAW, SHALL NOT EXCEED THE TOTAL AMOUNT PAID OR PAYABLE BY SYNTAX UNDER THIS AGREEMENT DURING THE 12 MONTHS PRIOR TO THE EVENT GIVING RISE TO THE LIABILITY.
13.2 EXCEPTIONS TO LIMITATIONS. NOTHING IN THIS AGREEMENT EXCLUDES OR LIMITS EITHER PARTY’S LIABILITY FOR (I) GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR FRAUD; (II) DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE, (III) BREACH OF SECTION 10 (CONFIDENTIAL INFORMATION), 11 (DATA PRIVACY), EXHIBIT A, OR EXHIBIT B; (IV) ITS INDEMNIFICATION OBLIGATIONS; (V) CLAIMS FOR BREACH OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS; AND (VI) CLAIMS WHICH MAY NOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
14. INDEMNIFICATION
14.1 Supplier Indemnification. Supplier will defend Syntax, Syntax’s Affiliates, and each of their respective directors, officers, agents, and employees (collectively, the “Syntax Indemnitee”) against: (i) a claim asserted by an individual assigned by Supplier to perform the Services, regardless of whether the claim alleges facts that constitute a breach by Supplier of its obligations under this Agreement, except to the extent such claim is not related to the subject matter of this Agreement, or is based on Syntax’s violation of applicable law or regulation, gross negligence or willful misconduct, (ii) any third party claim that the Services or Deliverables infringe the third party’s patent, trademark, copyright, trade secret or other intellectual property right, or (iii) a claim arising from or related to Supplier’s gross negligence or Supplier’s breach of its obligations under this Agreement, (each, an “Indemnified Claim”), and indemnify the Syntax Indemnitee from all resulting losses, damages, costs, and expenses (including reasonable attorneys’ fees) (collectively referred to as “Damages”). In addition to the foregoing, should any Services or Deliverables become, or are likely to become, in Syntax’s reasonable opinion, the subject of such a claim, Supplier shall, at its expense either: (1) procure for Syntax the right to make continued use thereof; or (2) replace or modify such with a non-infringing replacement or modification that is functionally equivalent or better than the replaced Services or Deliverables.
14.2 Procedure. A Party seeking indemnification under this Section shall provide prompt notice of its claim for indemnification to the indemnifying Party, provided, however, that failure to give prompt notice shall not affect the indemnifying Party’s obligations under this Section unless the failure materially prejudices the defense of the matter. The indemnified Party will have the right to select counsel to defend it in respect of any indemnified matter under this Section, provided, however, that the counsel selected must be reasonably satisfactory to the indemnifying Party. The indemnified Party will keep the indemnifying Party informed of the status of any litigation or dispute resolution procedure, will give reasonable consideration to the suggestions and requests of the indemnifying Party with respect to the conduct of the litigation or dispute resolution procedure, and will not settle any matter covered by this Section without the prior consent of the indemnifying Party, which shall not be unreasonably withheld. Amounts due under this Section shall be paid as incurred and may be offset against other amounts due under this Agreement.
15. SOLICITATION
15.1 Solicitation of End Clients. Supplier agrees that during the term of these SGTC and for a period of one (1) year following termination that it shall not, solicit or attempt to solicit, directly or indirectly for itself, or for the benefit of any other party, provide services, obtain business or trade from any of Syntax’s current end clients, or prospective end clients, that were introduced at any time, including prior to the Effective Date of this Agreement, by Syntax to Supplier, in competition for similar services with Syntax, or help any person or entity do so or attempt to do so, regardless of whether Supplier provided such services or products to said end client as a result of its association with Syntax or performance of Services on behalf of, or for, Syntax.
15.2 Solicitation of Employees. Supplier agrees that during the term of these SGTC and for a period of one (1) year following termination that it shall not, directly or indirectly, for itself, or for the benefit of any other party, solicit (or in any way knowingly assist another in soliciting), or otherwise disrupt, impair, damage, or interfere with Syntax’s relationships with its employees and consultants, or encourage to leave Syntax’s employ, any Syntax employee or consultant of Syntax, who provided services to Syntax within the six (6) month period prior to the termination of these SGTC. If any applicable Syntax employee or consultant of Syntax is hired or engaged, either directly or indirectly in accordance with this paragraph, during the non-solicitation period specified above and in violation of this Section, Supplier must pay, as liquidated damages, an amount equal to one hundred percent (100%) of the employee’s or consultant’s earnings with the new employer to a maximum of the employee’s or consultant’s first year compensation, including base salary, bonuses, and other monetary compensation rights, payable within ten (10) calendar days of the employee’s or consultant’s right to any such compensation.
16. GENERAL
16.1 Relationship Between the Parties. Each Party is an independent contractor of the other and nothing in this Agreement shall be construed to create a partnership, joint venture, or agency relationship between the parties. Although the parties may refer to each other colloquially as “partners” they do not intend to create a partnership, and neither Party has any fiduciary duty to the other or any obligation to share profits and losses.
16.2 Controlling Law, Venue. The laws of the State of New York (exclusive of its choice of law principles) and the United States of America govern this Agreement. This Agreement shall not be governed by the United Nations Convention on the International Sale of Goods. Exclusive venue for all disputes arising out of the Agreement shall be the state or federal courts of New York, New York, and each Party agrees not to bring an action in any other venue.
16.3 Dispute Resolution. Prior to bringing a claim in accordance with Section 16.4, for a period of at least thirty days, the parties shall attempt in good faith to resolve any dispute arising out of or relating to the Agreement. Such resolution efforts shall be conducted by executives of each Party who have authority to settle the controversy. All communications pursuant to this clause are confidential and shall be treated as compromise and settlement negotiations for purposes of applicable rules of evidence. Notwithstanding anything to the contrary in this Agreement, neither Party shall be required to pursue the procedures described in this Section or Section 16.4 prior to filing a request of injunctive or other equitable relief.
16.4 Arbitration. Any controversy that arises between the Parties and that is not resolved in a mutually satisfactory manner by the Parties under Section 16.3, Dispute Resolution, will be settled by binding arbitration. Such arbitration will be before one (1) disinterested arbitrator if one can be agreed upon, otherwise before three (3) disinterested arbitrators as follows: one (1) will be named by Syntax, one (1) named by Supplier, and one (1) by the two arbitrators thus chosen. The arbitration must be conducted in accordance with the rules of the American Arbitration Association (“AAA”). The arbitrators designated and acting under these SGTC will make their decision in strict conformity with such rules and regulations and their decision will be final and binding upon both Parties, to the extent provided by law. The arbitrators will decide the dispute in accordance with the substantive law of the State of New York, without regard to principles of conflict of laws and in place of the Federal Arbitration Act. Each Party will bear its own costs of discovery, deposition, attorney, and witness fees, but the arbitrator(s) will be empowered to make a different allocation of such fees and costs in the award. The arbitrator’s award shall be a final and binding resolution of any and all disputes or claims submitted for resolution and judgment of the court may be entered on the award pursuant to the rules of the AAA. All arbitration proceedings hereunder will be conducted in New York, New York.
16.5 Assignment; Subcontractors; Change of Control. Supplier may not assign this Agreement without Syntax’s prior written consent, and any attempted assignment in violation of this sentence shall be void. Any use of Subcontractors shall not relieve Supplier of any of its obligations under this Agreement. Supplier shall be responsible for the performance or nonperformance of its Subcontractors as if such performance or nonperformance were that of Supplier. Supplier shall require all Subcontractors, as a condition to their engagement, to agree to be bound by provisions substantially the same as those included in this Agreement. In the event of a change in control of Supplier, Syntax may, at its option, terminate any SOWs in effect at the time of the change of control. Supplier agrees that it shall give Syntax at least thirty (30) days advance written notice of a change in control. For purposes of this Section, a change in control shall be any event that results in a change in the majority ownership of the voting securities of Supplier, or a material change in the management of Supplier. This Agreement shall inure to the benefit of the parties permitted successors and assigns.
16.6 Publicity. Supplier may not issue any press release or other publicity regarding the subject matter of this Agreement, or publicly disclose that it is providing Services to Syntax, without Syntax’s prior written consent.
16.7 Trademarks. Neither Party may use the other Party’s name, logo, trade or service marks, or similar indicia (each a “Trademark”) without the other Party’s prior written consent. Any authorized use shall be subject to the Trademark owner’s mark usages guidelines provided to the other.
16.8 Intellectual Property. Except as expressly stated herein, each Party retains all right, title and interest in and to its pre-existing intellectual property.
16.9 Notices. Legal notices shall be sent via electronic mail and certified mail, nationally recognized overnight mail or courier service, or by hand delivery to the individuals named in the SOW, and for notice to Syntax, copied to:
Syntax Systems Limited
Attn: Legal Department
[email protected]
111 Blvd Robert-Bourassa #4500,
Montréal, Québec H3C 2M1
Canada
With additional copy to:
Syntax Systems USA LP
Attn: Legal Department
601 Keystone Park Drive, Suite 600,
Morrisville, NC 27560
Any notice or other communication hereunder will be sufficiently given when sent by certified mail, overnight mail or courier service, electronic mail, or by hand to the other Party at the electronic or physical addresses specified above.
16.10 Supplier Personnel. Supplier’s personnel are not eligible to participate in any of the employee benefit or similar programs of Syntax. Syntax shall not be liable to Supplier’s employees as an employer for any claims or causes of action arising out of or relating to their assignment. Syntax shall not be liable to withhold any federal income tax, state income tax, social security tax or state disability insurance tax from amounts to be paid to Supplier under this Agreement, or pay any social security for federal or state unemployment on or any other taxes on Supplier’s behalf, and will not cover Supplier or any of its employees under any worker’s compensation insurance, unemployment insurance, retirement plan, health care plan, disability or life insurance plan or any other benefit plan which Syntax provides for its employees.
16.11 Supplier shall maintain, at no additional cost to Syntax all records pertaining to its compliance with this Agreement and applicable law with respect to the Services provided to Syntax under this Agreement. Syntax may perform an audit of such Supplier records referenced above and Supplier’s Information Technology Systems (as that term is defined in Exhibit A), during normal business hours and at such reasonable times as Syntax and Supplier may determine. Supplier agrees to cooperate fully with any such request or audit.
16.12 Interpretation. The headings in this Agreement are for purposes of convenience only and shall not affect the meaning or construction of the clauses to which they relate. Any use in this Agreement of words denoting the singular include the plural and vice versa. The word “including” shall be read to mean “including, without limitation.” Any reference to dollar amounts refers to US Dollars unless expressly stated to the contrary. In the event an ambiguity or question of intent or interpretation arises, this Agreement shall be construed as if drafted jointly by the parties and no presumption or burden of proof shall arise favoring or disfavoring any Party by virtue of the authorship of any of the provisions of this Agreement.
16.13 Other. In the event any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement will remain in full force. The failure to exercise or delay in exercising a right or remedy under this Agreement shall not constitute a waiver of the right or remedy or a waiver of any other or subsequent right or remedy. Specially, but without limitation, Syntax’s payment of fees is not a waiver of any claims for breach of this Agreement. Unless expressly described as an “exclusive remedy,” any remedy stated in this Agreement is cumulative, and not exclusive, of any other remedy available to a Party under this Agreement, at law or equity.
16.14 Signatures. Any documents signed in connection with the Agreement may be signed in multiple counterparts which, taken together, will constitute one original. Facsimile signatures, signatures on an electronic image (such as .pdf or .jpg format), and electronic signatures shall be deemed to be original signatures.
16.15 Syntax Affiliates. Supplier agrees that it shall permit Syntax’s Affiliates to purchase from Supplier pursuant to the terms of this Agreement, by referencing this Agreement into any SOW, and in such event, the term “Syntax” shall be read to mean the respective Syntax Affiliate and not any other Syntax Affiliate. No provision of this Agreement shall be construed to create joint and several liability among any of the parties or their respective Affiliates. Each party shall be solely responsible for its own obligations and those of its Affiliates it expressly causes to perform under this Agreement.
17. COUNTRY UNIQUE TERMS
17.1 Notwithstanding the other terms of this Agreement, if Supplier’s principal place of business is located in Canada, the terms set forth below in this Section 17 shall apply.
17.1.1 Any reference to Syntax Systems USA LP shall be deemed deleted and replaced respectively with the following: “Syntax Systems Limited”
17.1.2 THIS AGREEMENT IS DRAFTED IN THE ENGLISH LANGUAGE AT THE REQUEST OF BOTH PARTIES. CETTE ENTENTE EST RÉDIGÉE EN LANGUE ANGLAISE À LA DEMANDE DES DEUX PARTIES.
17.1.3 In Section 1.3 “excluding federal public holidays in the United States” shall be replaced with “excluding public holidays in Canada”.
17.1.4 In Section 7.1 reference to 17 U.S.C. §101 and § 201(b) is removed.
17.1.5 In Section 12 “licensed to provide insurance in New York having current A.M. Best and Company ratings of A or better and financial size rating of class X or higher” shall be replaced with “licensed to provide insurance in Canada.”
17.1.6 Section 16.2 shall be replaced with “The laws of Quebec shall govern this Agreement and jurisdiction and venue in any matter arising out of this Agreement will be exclusively filed in a provincial court proceeding located in Montreal, Quebec, or in any Federal District Court located in Quebec.”
17.1.7 In Section 16.4 “The arbitration must be conducted in accordance with the rules of the American Arbitration Association (‘AAA’)” shall be replaced with “The arbitration shall be conducted in accordance with Articles 940 and following of the Code of Civil Procedure of the Province of Quebec and shall be final and binding upon the parties” and “The arbitrators will decide the dispute in accordance with the substantive law of the State of New York, without regard to principles of conflict of laws and in place of the Federal Arbitration Act” shall be replaced with “The arbitrators will decide the dispute in accordance with the law of Quebec” and all arbitration proceedings will be conducted in Montreal, Canada.
17.1.8 All references to US Dollar amounts shall be deleted and replaced with references to Canadian Dollars.
Exhibit A
Secure Information Addendum
1. Addendum. This Secure Information Addendum (this “Addendum”) is an addendum to, and is incorporated into, the Agreement to which it is exhibited. In the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall govern.
2. Defined Terms. The terms below shall have the meanings stated when used in this Addendum. Terms not otherwise defined in this Addendum shall have the meaning stated in the Agreement.
“Information Technology Systems” means any physical or virtual device used to access, process, or store Secure Information; any software used to store or process Secure Information; and any communications infrastructure used to transmit Secure Information.
“Strong Authentication” means the use of authentication mechanisms and methodologies that require a unique login and a Strong Password for each individual; maintain detailed access logs; require users to change passwords at first log-on; enforce regular password changes; store password files separately from application system data; visually obfuscate passwords as they are being entered; store and transmit passwords using Strong Encryption and hashing algorithms; and prohibit default, commonly used, or easily guessed passwords. Examples of Strong Authentication mechanisms and methodologies include digital certificates from approved Certificate Authorities, two-factor authentication, and one-time passwords.
“Strong Encryption” means the use of encryption technologies with key lengths of at least 256-bits Advanced Encryption Standard for symmetric encryption and 2048-bits for asymmetric encryption, whose strength provides reasonable assurance that it will protect the encrypted information from unauthorized access, and is adequate to protect the confidentiality and privacy of the encrypted information, and which incorporates a documented policy for the management of the encryption keys and associated processes adequate to protect the confidentiality of the keys and passwords used as inputs to the encryption algorithm. Insecure versions of Secure Sockets Layer and Transport Layer Security protocols, such as SSL 3.0 and TLS 1.0, are not strong cryptographic protocols.
“Strong Password” means a password comprised of no less than eight (8) characters and shall include at least one each of the following: uppercase letters, lowercase letters, numeric characters, and special characters.
“Supplier Personnel” means Supplier’s employees, officers, directors, members, managers, agents, and others to whom Supplier gives access to Secure Information.
3. Best Practices and Guiding Principles. The following principles shall govern all use and disclosure of Secure Information by Supplier under this Agreement.
i. Minimal Standards. Secure Information shall be treated with at least as much care and diligence as Confidential Information.
ii. Best Practices. Supplier shall at all times follow industry best practices with regard to Secure Information.
iii. Least Access; Limited Duration. When disclosing Secure Information, Supplier shall grant the least amount of access required and for the limited duration such access is needed in order to meet Supplier’s obligations under the Agreement. Logical access controls shall be based on the principles of least privilege and segregation of duties.
iv. Greatest Protection. As between the Agreement, this Addendum, and applicable governing laws, Supplier’s obligations with regards to protecting Secure Information are cumulative. To the extent there is a conflict which prevents Supplier from complying with the conflicting terms, Supplier shall comply with the terms providing the greatest protection for the Secure Information allowed by law.
v. Ultimate Responsibility. Supplier must obtain written authorization from Syntax before disclosing Secure Information to any third party. Supplier shall only disclose Secure Information to Supplier Personnel or authorized third parties who need to know the information, who have been made aware of the obligations herein, and who have entered into an agreement with Supplier that provides materially similar or better protections for the Secure Information as are provided under this Addendum. Supplier shall be at all times responsible to Syntax for the use and disclosure of the Secure Information by anyone to whom Supplier discloses the Secure Information.
vi. Awareness and Training. Supplier Personnel with access to the Secure Information must be provided with information security awareness training and correct information processing requirements prior to gaining access to the Secure Information and, thereafter, on a periodic basis (no less frequently than annually). Any third party to whom Supplier discloses Secure Information should have contractual obligations to provide such training and requirements to its own personnel.
vii. Reasonable Cooperation. Supplier shall comply with Syntax’s reasonable requests and instructions with regard to Secure Information including, at a minimum, fully and accurately responding to Syntax’s security questionnaire regarding Information Technology Systems and taking steps Syntax may reasonably require to use such Information Technology Systems in a secure manner.
4. Documentation. Supplier shall have documented policies and procedures which comply with the requirements of this Addendum and applicable industry standards to address the following:
i. the administration of information security throughout Supplier’s organization, including definitions of information security roles, responsibilities, and accountability;
ii. access control rules and permissions related to the Secure Information, which shall include a process for secure creation, modification, and deletion of user accounts with no less than annual audits of such access rights;
iii. the geographic location and governing jurisdiction of all Information Technology Systems;
iv. to the extent applicable, Supplier’s software development lifecycle process following industry best practices for secure coding methods which shall include, at a minimum, regular code reviews and validation checks prior to any release of software into a production environment;
v. general operating procedures related to the prevention, monitoring, and remediation of any unauthorized access, security breach, or computer virus or malware on any Information Technology System;
vi. disaster recovery related to Information Technology Systems and business continuity of Services provided to Syntax;
5. Physical Security. Supplier shall take the additional precautions below with respect to the physical security of Secure Information in its possession.
i. Supplier shall maintain an asset inventory of Information Technology Systems which includes the designated owner and location. Supplier shall develop and implement an appropriate set of procedures for the labelling and handling of Secure Information.
ii. Any Information Technology System used to store or process Secure Information shall be located in a controlled access facility with physically secure perimeters, external entry points that protect against unauthorized access, and built to standards prescribed under applicable law (including, where applicable, ISO or IEC codes).
iii. Supplier shall restrict access to areas which store the Secure Information to authorized Supplier Personnel using reasonable access controls and authentication mechanisms.
iv. Access to areas which store the Secure Information must be monitored, recorded, and controlled with physical access rights reviewed no less than annually. Physical access logs shall be stored for a period of no less than one year.
v. Supplier Personnel and authorized visitors with access to facilities which store Secure Information must be issued with a unique identification card which must be worn visibly at all times.
vi. Supplier shall prohibit its personnel from copying any part of the Secure Information on to a device of any kind for use outside of Supplier’s controlled access facility.
vii. Specifically, but without limitation, Supplier Personnel shall not access Secure Information while located in any public place, or copy any Secure Information to any portable or physical media for use outside of the controlled access facility, including any laptop, mobile device, removable media, portable external drive, “thumb drive,” or similar media or technology.
6. Logical Security. Supplier shall follow industry best practices and take the additional precautions below with respect to the logical security of Secure Information in its possession.
i. As applicable, Supplier shall ensure any Information Technology System automatically locks or logs out when left unattended.
ii. Information Technology Systems shall be segregated as necessary and protected by a physical firewall with all ports blocked except those needed for specific Supplier applications, and Supplier shall take such other measures as are reasonable in light of the Secure Information to which it has access. Such additional measures may include, and Syntax, in its sole discretion, may require: virus and malware scanning, intrusion detection and prevention technologies, managed secure patching practices, third party vulnerability testing, and virtual private networking or multi-factor authentication schemes.
iii. Information Technology Systems must be protected by and may only be accessed using Strong Authentication systems.
iv. Supplier shall encrypt Secure Information stored on any Information Technology System using Strong Encryption methods. If Supplier transfers any Secure Information via the internet or any untrusted network, it shall encrypt the Secure Information using Strong Encryption methods while in transit.
v. Supplier shall use cryptographic and hashing algorithm types, strength, and key management processes consistent with industry best practices.
vi. Supplier shall centrally manage access to any Information Technology System and implement an appropriate set of procedures for authorizing logical access to Secure Information that ensures access is appropriate according to the business function of Supplier personnel.
vii. As applicable, access to Information Technology Systems must be monitored, recorded, and controlled to a reasonable standard.
7. Incident Management. Supplier shall notify Syntax immediately if it becomes aware of any access to the Secure Information other than as authorized by this Addendum and shall provide Syntax with all information available to it, as permitted by law, that Syntax may reasonably request in connection with any such incident. Notwithstanding the generality of the foregoing, Supplier shall provide the following within two (2) Business Days of Syntax’s request following an incident: the complete results of any required background screening; signed copies of any written confidentiality obligations; a digital image of each individual to whom Supplier has given access to the Secure Information; and the access logs to the breached Information Technology System(s). Syntax acknowledges that such information is the Confidential Information of Supplier as defined in the Agreement.
8. Retention. Supplier shall not retain the Secure Information longer than is necessary for the fulfillment of the purpose for which the Secure Information is to be used or processed. It shall return all Secure Information to Syntax and/or destroy all copies of the Secure Information when it is no longer necessary for Supplier to retain the Secure Information (at Syntax’s election), or otherwise at the written request of Syntax.
Exhibit B
Data Processing Addendum
1. The DPA sets forth additional duties and obligations of Supplier with respect to its processing of Syntax Personal Data in the course of performing the Services. Unless otherwise defined herein, any capitalized terms shall have the meaning given to them in the MSA. In the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall govern.
2. Defined Terms. The terms below shall have the meanings stated when used in this Addendum. Terms not otherwise defined in this Addendum shall have the meaning stated in the Agreement.
“Adequate Country” shall mean: (i) a country within the European Economic Area; or (ii) a country or territory which is subject to a current finding of the European Commission that it ensures an adequate level of protection within the meaning of Applicable Data Protection Law;
“Applicable Data Protection Law” means all applicable laws, rules, regulations, orders, ordinances, regulatory guidance, and industry self-regulations in relation to data privacy, including but not limited to the EU General Data Protection Regulation ((EU) 2016/679);
“Client” means any legal entity which has entered into a contract for hosting services and/or other information technology services with Syntax or its Affiliates;
“Controller”, “Processor”, “Data Subject”, “Personal Data” and “Process” or “Processing” shall all have the meanings set out in Applicable Data Protection Law;
“Personal Data” means any Personal Data relating to Syntax or its Affiliates (where Syntax or its Affiliates act as Controller) and/or any Personal Data relating to the Client or the Client’s end-users (where Syntax or its Affiliates acts as a Processor) in relation to which the Supplier is providing the Services or which the Supplier may have access to from time to time in performing the Services and may include without limitation the categories of Personal Data set out in Annex 1 of this DPA; and
“Standard Contractual Clauses” means the Standard Contractual Clauses published in European Commission decision C(2010) 593 for the transfer of personal data to processors established in third countries, which can be found at http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1401799946706&uri=CELEX:32010D0087.
3. Obligations of Supplier.
3.1 To the extent that the Supplier Processes any Personal Data, for or on behalf of Syntax and/or any Client in the course of providing the Services, it shall at its own cost and expense:
3.1.1 comply with the obligations that apply to it under Applicable Data Protection Law;
3.1.2 remain in scope with the subject matter of the Processing; the duration of the Processing (which shall be from the date of this DPA until the Agreement expires or terminates in accordance with its terms); the purpose of the Processing; the type of Personal Data Processed; and the categories of Data Subjects made available to the Supplier as part of the Services, including employees, contractors, individuals to whom we market, partners of Syntax or its Clients or any of their end users or customers who are individuals (as detailed in Annex 1);
3.1.3 process Personal Data only on Syntax’s documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by EU or EU Member State law to which the Supplier is subject; in such a case, the Supplier shall inform Syntax of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Supplier shall immediately inform Syntax if, in its reasonable opinion, an instruction infringes Applicable Data Protection Law;
3.1.4 ensure that all Supplier personnel (including staff, agents and subcontractors) who the Supplier authorizes to Process Personal Data are subject to a strict duty of confidentiality, and the Supplier shall not permit any person to process Personal Data who is not under such a duty of confidentiality. The Supplier shall ensure that all such personnel process the Personal Data only as necessary for the purpose stated in Clause 3.1.2;
3.1.5 maintain and implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access. Such measures shall include (as a minimum) the security measures set out in Annex 2 of this DPA and the appropriate technical and organizational measures to ensure a level of security appropriate to the risk including;
3.1.5.1 the pseudonymisation and encryption of Personal Data;
3.1.5.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
3.1.5.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
3.1.5.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
3.1.6 immediately notify Syntax and provide all necessary assistance in respect of any (i) request from a Data Subject to exercise any of her or his rights under Applicable Data Protection Law (including rights of access, correction, objection, erasure and data portability, as applicable), and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of Personal Data;
3.1.7 immediately report to Syntax any known or suspected breach of security that may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed (“Security Incident”), and provide to Syntax all necessary information and cooperation as needed so that Syntax can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. The Supplier shall also further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Syntax informed of all developments in connection with the Security Incident;
3.1.8 immediately inform Syntax if the Supplier believes or becomes aware that its Processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, and it shall provide Syntax with all necessary assistance as Syntax may require in order to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority or authorities;
3.1.9 upon request, immediately delete or return all Personal Data in its possession or control, including existing copies thereof and any Personal Data subcontracted to a third party for Processing, except to the extent the Supplier is required by European Union or EU Member State law to store all or part of the Personal Data, in which case it shall isolate and protect such Personal Data from any further processing except to the extent required by such law;
3.1.10 maintain a record of all processing of Personal Data it carries out on behalf of Syntax and make available to Syntax all information necessary to demonstrate its compliance with this DPA or Applicable Data Protection Law and allow for and contribute to audits, including inspections conducted by Syntax or other third party;
3.1.11 maintain an online listing or make available to Syntax an up-to-date list of its subprocessors; impose written data protection terms on any subprocessor that processes Syntax’s Personal Data that are no less restrictive than the terms of this DPA and Applicable Data Protection Law; remain liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. Syntax may object to the appointment or replacement of a subprocessor by terminating its use of the affected Services for convenience upon giving written notice in the manner provided in the Agreement; and
3.1.12 agree that the Supplier’s name, country of location and the Services and the function it performs for Syntax may be included by Syntax in any list of Processors or subprocessors maintained by Syntax and made available to Clients, supervisory authorities or others.
3.2 EU DATA TRANSFERS. To the extent that EU data transfers occur, Supplier shall comply with the following:
3.2.1 Standard Contractual Clauses. For EU data transfers directly to countries that have not been recognized by the EU Commission as an Adequate Country, the Supplier shall implement EU Standard Contract Clauses or other legally-valid, EU-approved data transfer mechanism, if applicable, in accordance with the notice provision set forth in the Agreement(s) and prior to such transfers.
3.2.2 In relation to the Standard Contractual Clauses, (for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection):
3.2.2.1 subject to clause 3.2.2.2, below, the sub-processor clauses are hereby incorporated by reference as though fully rewritten herein;
3.2.2.2 the Supplier agrees to comply with the clauses of the Standard Contractual Clauses that are applicable to sub-processors, these being clauses 1, 3, 5, 6, 7, 8(2), 8(3), 10, 11 and 12 and appendices 1 and 2 (which are attached to the DPA as Annexes 1 and 2) (the “sub-processor clauses”), for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. The sub-processor clauses are governed by the law of the member state in which the relevant Controller is established;
3.2.2.3 the Supplier agrees to comply with the obligations described in the sub-processor clauses even if Personal Data is processed in an Adequate Country;
3.2.2.4 where the sub-processor clauses contain any obligation to notify the “data exporter” (as such term is defined in the sub-processor clauses), such notification shall be made via Syntax; and
3.2.2.5 the Supplier acknowledges that any Data Subject shall have the right to enforce the sub-processor clauses against the Supplier, in cases where both the data exporter and the data importer (as such terms are defined in the Standard Contractual Clauses) have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the Data Subject can enforce them against such entity. The Supplier’s liability shall be limited to its processing operations under the Agreement.
4. General. Supplier must, during and after the term of this Agreement, comply with the Privacy Law and must not do anything with any Syntax Personal Data that would be in breach of, or cause Syntax to be in breach of, the Privacy Law.
4.1 All other terms and conditions in the Agreement remain in full force and effect and are binding upon the parties.
4.2 In the event that there are any inconsistencies between this DPA and the Agreement, this DPA shall prevail as it relates to data protection.
4.3 Save as set out at clause 3, the provisions of the governing law clause of the Agreement shall apply to the DPA.
Annex 1
Data Subjects
Personal Data transferred includes but is not limited to the following categories of Data Subjects:
- Prospects, customers, business partners and suppliers of the data exporter (who are natural persons);
- Employees or contact persons of data exporter’s prospects, customers, business partners and suppliers;
- Employees, agents, advisors, contractors, consultants, freelancers of data exporter; and
- Data exporter’s users authorized by the data exporter to use the Services.
Categories of data. The Personal Data transferred includes but is not limited to email, documents and other data in an electronic form as may be transmitted or stored by the data exporter in the context of the Services.
Special categories of data (if appropriate). The Personal Data transferred may concern special categories of data as may be transmitted or stored by the data exporter in the context of the Services.
Processing operations. The Personal Data transferred will be subject to the following basic Processing activities: Transfers are made for the performance of the Services by the Supplier.
Annex 2
Description of the technical and organizational security measures implemented by the Supplier
Defined Terms. The terms below shall have the meanings stated when used in this Addendum. Terms not otherwise defined in this Addendum shall have the meaning stated in the Agreement.
“Information Technology Systems” means any physical or virtual device used to access, process, or store Personal Data; any software used to store or process Personal Data; and any communications infrastructure used to transmit Personal Data.
“Strong Authentication” means the use of authentication mechanisms and methodologies that require a unique login and a Strong Password for each individual; maintain detailed access logs; require users to change passwords at first log-on; enforce regular password changes; store password files separately from application system data; visually obfuscate passwords as they are being entered; store and transmit passwords using Strong Encryption and hashing algorithms; and prohibit default, commonly used, or easily guessed passwords. Examples of Strong Authentication mechanisms and methodologies include digital certificates from approved Certificate Authorities, two-factor authentication, and one-time passwords.
“Strong Encryption” means the use of encryption technologies with key lengths of at least 256-bits Advanced Encryption Standard for symmetric encryption and 2048-bits for asymmetric encryption, whose strength provides reasonable assurance that it will protect the encrypted information from unauthorized access, and is adequate to protect the confidentiality and privacy of the encrypted information, and which incorporates a documented policy for the management of the encryption keys and associated processes adequate to protect the confidentiality of the keys and passwords used as inputs to the encryption algorithm. Insecure versions of Secure Sockets Layer and Transport Layer Security protocols, such as SSL 3.0 and TLS 1.0, are not strong cryptographic protocols.
“Strong Password” means a password comprised of no less than eight (8) characters and shall include at least one each of the following: uppercase letters, lowercase letters, numeric characters, and special characters.
“Supplier Personnel” means Supplier’s employees, officers, directors, members, managers, agents, and others to whom Supplier gives access to Personal Data.
3. Best Practices and Guiding Principles. The following principles shall govern all use and disclosure of Personal Data by Supplier under this Agreement.
i. Minimal Standards. Personal Data shall be treated with at least as much care and diligence as Confidential Information.
ii. Best Practices. Supplier shall at all times follow industry best practices with regard to Personal Data.
iii. Least Access; Limited Duration. When disclosing Personal Data, Supplier shall grant the least amount of access required and for the limited duration such access is needed in order to meet Supplier’s obligations under the Agreement. Logical access controls shall be based on the principles of least privilege and segregation of duties.
iv. Greatest Protection. As between the Agreement, this Addendum, and applicable governing laws, Supplier’s obligations with regards to protecting Personal Data are cumulative. To the extent there is a conflict which prevents Supplier from complying with the conflicting terms, Supplier shall comply with the terms providing the greatest protection for the Personal Data allowed by law.
v. Ultimate Responsibility. Supplier must obtain written authorization from Syntax before disclosing Personal Data to any third party. Supplier shall only disclose Personal Data to Supplier Personnel or authorized third parties who need to know the information, who have been made aware of the obligations herein, and who have entered into an agreement with Supplier that provides materially similar or better protections for the Personal Data as are provided under this Addendum. Supplier shall be at all times responsible to Syntax for the use and disclosure of the Personal Data by anyone to whom Supplier discloses the Personal Data.
vi. Awareness and Training. Supplier Personnel with access to the Personal Data must be provided with information security awareness training and correct information processing requirements prior to gaining access to the Personal Data and, thereafter, on a periodic basis (no less frequently than annually). Any third party to whom Supplier discloses Personal Data should have contractual obligations to provide such training and requirements to its own personnel.
vii. Reasonable Cooperation. Supplier shall comply with Syntax’s reasonable requests and instructions with regard to Personal Data including, at a minimum, fully and accurately responding to Syntax’s security questionnaire regarding Information Technology Systems and taking steps Syntax may reasonably require to use such Information Technology Systems in a secure manner.
4. Documentation. Supplier shall have documented policies and procedures which comply with the requirements of this Addendum and applicable industry standards to address the following:
i. the administration of information security throughout Supplier’s organization, including definitions of information security roles, responsibilities, and accountability;
ii. access control rules and permissions related to the Personal Data, which shall include a process for secure creation, modification, and deletion of user accounts with no less than annual audits of such access rights;
iii. the geographic location and governing jurisdiction of all Information Technology Systems;
[Note: the source DRAFT document provided ends mid-list here (Annex 2, item 4.iii) — this is not a transcription gap, the RTF brief itself is incomplete at this point. Flag with the content team before publishing.]