1. GENERAL TERMS
- This document contains the terms and conditions for using the Omniconvert Reveal Service (hereinafter referred to as “Terms and Conditions”). Omniconvert Reveal is a retail data analytics software that helps ecommerce businesses understand, monitor and leverage their customer data.
- Within the meaning of the present Terms and Conditions:
- “Omniconvert Reveal” software or “Service” hereinafter refers to access to Omniconvert Reveal as defined at https://www.omniconvert.com/reveal/, available directly or via an ecommerce platform (such as Shopify, Magento etc.) as an add-on application/extension, or through performing a custom integration, by generating some data feeds or using the API;
- “Provider” or “Omniconvert” hereinafter refers to Omniconvert SRL, VAT ID: RO 31411197, J40/3841/2013 Address: Str. Vasile Stroescu nr 14, District 2, Postal code: 021374, Bucharest, Romania
- “Beneficiary” hereinafter refers to any legal person who creates an account with Omniconvert Reveal , uses the Service or wants to use it, in any way.
- By registration, the Beneficiary entirely and unconditionally accepts the provisions of these Terms and Conditions and understands to use the Service pursuant thereto, including the use of the Service for a Trial period. Beneficiaries who create an account with Omniconvert Reveal understand and accept that using their account, as well as any access or visit of the Service, as well as any component thereof constitutes an acceptance, entirely and unconditionally, of the Terms and Conditions and of any provision thereof; non-acceptance of the Terms and Conditions by Beneficiaries mentioned above draws their obligation to stop accessing the Service.
- Beneficiaries undertake to provide, when registering with Omniconvert Reveal, when accessing and using the Service, as well as in any access and use of the Service, valid, accurate, reliable and correct data and information, properly benefit from Omniconvert Reveal services.
- Beneficiaries understand and accept that in case of violation in any way and to any extent of any of the provisions of the Terms and Conditions, the Provider shall be able to choose, at its sole discretion, to fully or partially suspend the access of the Beneficiary to the Service, or not to publish any content sent by the Beneficiary, for posting, to Omniconvert Reveal, or to permanently ban the access to one or several facilities offered by the Service, or to cancel the account of the Beneficiary on Omniconvert Reveal, without any warnings or notice and without requiring any other formalities in this regard.
- This Service is dedicated to ecommerce shop owners that are looking to leverage retail analytics and their customer data to grow their business. Due to the inherent nature of these services, these are offered only in a B2B format – only to businesses or private persons acting in their professional quality.
- The Beneficiaries’ customer data is stored within the secured Omniconvert infrastructure. All personal data from the Beneficiaries will be processed according to the Data Processing Annex.
In brief, we don’t, under any circumstances, sell your data, contact people, market to people on your data, steal your data, or share your data with any other party, unless it’s specifically allowed by you.
2. SPECIFIC TERMS ON USING THE SERVICE OMNICONVERT REVEAL
- Beneficiaries may benefit from services offered by the Provider by opening an account and thus becoming a Beneficiary.
- In order to use the Omniconvert Reveal service, the Beneficiary must either import its data in our service, as described in our technical documentation, or install an application/extension/module that connects the platform the Beneficiary uses with our service (eg: Shopify, Magento, BigCommerce etc.). The Omniconvert Reveal service will present the Beneficiaries data related to its customers, products, categories, and orders placed. It then transforms the raw data into customer insights, segments customers based on their behaviour and also computes other relevant information that is being displayed in the Reveal web interface and also available via API. All this is meant to help you build your customer retention strategy by focusing on optimizing Customer Lifetime Value
- To use Omniconvert Reveal services, the data provided by the Beneficiary is being presented in a different visualization, however it doesn’t affect, alter or modify the integrity of the Beneficiary’s data. Given that the Provider does not alter or modify the Beneficiary’s data integrity, the entire liability belongs to the Beneficiary for the content of its provided data, including sending the data to other services that the Beneficiary is using.
- The Provider bears no responsibility for the decisions taken based on your interpretation of the data from Reveal. Although we aim to ensure your efforts have the maximum impact towards getting to know your customers better, the decisions taken in relation to your customers are yours and the Provider cannot be held liable for any direct or indirect damage caused by using the Service. The entire liability belongs to the Beneficiary.
- Omniconvert may publish, in an anonymised form, any data, screenshots or case studies from our Beneficiaries’ account without their consent, except if they object to this usage in writing to Omniconvert.
- Omniconvert may use statistical data from the accounts of the Beneficiaries in order to improve its services or to create benchmarks for internal use or for public presentations of relevant aggregated information for the selected domains. These will be always based on aggregated data that would be impossible to link to one or several Beneficiaries.
- Omniconvert may also use the logo of the Beneficiary using the Service, their website address and/or name of the company in order to showcase the list of clients, except if the Beneficiary objects in writing.
- The Beneficiary is responsible for keeping the account names and passwords confidential. This includes the responsibility for any account that you have access to, whether or not you have authorized its use. The Beneficiary shall immediately notify Omniconvert of any unauthorized use of its accounts. Omniconvert is not responsible for any losses due to stolen or hacked passwords. Omniconvert doesn’t have access to your current password for security reasons, thus Omniconvert may only reset your password in case it is forgotten.
- The Beneficiary is the only one responsible for providing access and credentials (e.g API keys) to other companies where the Beneficiary has an account and wants Omniconvert to send the selected data from the Service account to another account that belongs to another company. This option is technically available for the companies that are listed in the Reveal documentation, in the Reveal dashboard, or by performing custom integrations that pull data out of Reveal via API and send it elsewhere.
- Omniconvert doesn’t know the inner workings of the Beneficiary organization or the nature of personal relationships, therefore Omniconvert doesn’t arbitrate disputes over who owns an account. Omniconvert may decide who owns an account based on the content of the emails in that account, and if multiple people or entities are identified in the content, then Omniconvert will rely on the contact information listed for that account.
- The Beneficiary represents and warrants that its use of Omniconvert Reveal will comply with all laws and regulations applicable to its activities.
- The Provider may offer a free trial version for certain periods of time, but not all features of the Service might be available. This offer would be usually valid only for new clients and may be withdrawn for any reason by the Provider. This offer may be presented on a public webpage or be offered in a personalized offer to certain Beneficiaries.
- The Provider may also provide Demo accounts, available free of charge, for relevant Beneficiaries. All data imported in these accounts is not real and is being presented for information purposes only to understand the benefits of the Service.
- The prices of Omniconvert Reveal Services may be available on the Service presentation webpage or will be identified in a personalized offer to Beneficiaries and do not include VAT. VAT will be added to EU customers during checkout.
- The Beneficiary will pay in advance for the Service. The lack of confirmed payment to Omniconvert will lead to the automatic suspension of access to the Service. The access will be restored once the Service has been paid.
3. INTELLECTUAL PROPERTY RIGHTS
- Notwithstanding the preceding provisions, the Provider or its partners do not own those materials for which another right holder was indicated on Omniconvert Reveal, or another holder or another source, information provided by Beneficiaries, or opinions and/or comments of any type expressed by the Beneficiaries of the Site regarding materials of any type posted on Omniconvert Reveal or regarding the Site content in general.
- The content and graphical elements of Omniconvert Reveal, including but not limited to, belong to the Provider and its partners and represent the content of Omniconvert.
- The Beneficiary undertakes to comply with all copyright and any other intellectual property rights which the Provider and its partners hold on/in relation to Omniconvert, its content, Service, any module or component thereof or in connection with their use.
- The copy, takeover, reproduction, publication, transmission, sale, partial, full or modified distribution of the content of Omniconvert Reveal or any part thereof for purposes other than personal or that expressly indicated by the Provider are prohibited.
- The Provider reserves the right to sue any person and/or entity that violates in any way the above provisions.
- Any Beneficiary that sends in any way information or materials to Omniconvert Reveal undertakes not to prejudice in any way the copyright, intellectual property rights or any other rights that a third party could invoke in connection to materials and information send in any way to Omniconvert Reveal and Beneficiaries that send in any in any way information or materials understand and accept that violation in any way of this obligation cannot engage in any way the liability of the Provider, but only the liability of the respective persons.
- Any copyright-related claim shall be sent by email to [email protected]
4. PERSONAL DATA
4.1 Processing of personal data as a Data Processor
In accordance with the EU legal framework on data protection (GDPR), the Provider is a Data Processor that processes the personal data of the Beneficiary (which is the Data Controller). A specific data processing contract between the two entities – based on art 28 of the GDPR is available as Data Processing Annex – Annex 1 for these Terms and Conditions and can also be found in the Beneficiaries account.
4.2. Processing of personal data as a Data Controller
- According to the provisions of the Romanian applicable legislation on data protection, Omniconvert Reveal has the obligation to manage the personal data in a secure technical environment and only for the notified purposes the personal data of the Beneficiaries, in order to be able to use the services requested by the Beneficiary and provided by the Data Controller. Please note that our Service and services are exclusively Business to Business (B2B) and, for these services, we do not target any physical persons or individual Beneficiaries for both our services. However, we might collect personal data as contacts of our Beneficiaries.
- The information processed is to be used only by the Data Controller and it may be disclosed to our contractual partners and public authorities, according to the law. We process the collected personal data when this is needed for the purposes mentioned above through other companies that are considered Data Processors and have strict contractual obligations to keep the confidentiality of the processed data and to offer at least the same level of security as Omniconvert does. Data Processors have the obligation not to allow third parties to process personal data on behalf of Omniconvert and to access, use and/or keep the data secure and confidential.
- The data processed may be transferred internationally, according to the applicable legal provisions.
- According to the current legislation, the data subjects have the right to access data, right to rectification, right to erasure, and the right not to be subject to automated decisions. Data subjects also have the right to restrict personal data processing and to request the deletion of the collected personal data, as well as the right to data portability and to reject profiling. To exercise these rights, send a written request, dated and signed to the email address: [email protected] The data subjects also have the right to lodge a complaint with a competent data protection supervisory authority and the right to address a court.
5. LINK TO OTHER SERVICES
- Beneficiaries/understand and accept that Omniconvert Reveal may contain links or reference to other internet sites, including the sites of product and/or service providers to which the advertising banners posted on Omniconvert Reveal or advertising microsites, personal sites (blogs) send, but without limited to, which are considered by the Provider useful in relation to the content of Omniconvert Reveal, but which are not under its control or guidance.
- The Provider is exempt from any liability regarding the content or opinions expressed on all internet sites mentioned above, as well as their correctness and accuracy, and Beneficiaries understand and accept that these internet sites are not monitored, controlled or verified in any way by the Provider. Including a link or reference to other internet sites does not involve their service in any way by the Provider. At the time when Beneficiaries access such internet sites, they do so at their own risk, knowing that the use of services offered by these sites is subject to conditions set by the administrators of these sites.
LIMITATION OF LIABILITY
- Considering that the Provider provides a hosting platform for data analysis and presentation, the Beneficiary assumes all civil and criminal liability for the content of data submitted and the consequences of using them.
- Under no circumstance, regardless of circumstances invoked, shall the Provider be held liable before the Beneficiary in relation to services for any additional amount compared to the amounts actually paid by the Beneficiary to the Provider.
- By using the services, the Beneficiary declares that it has the right to send that data to Omniconvert and it has complied with all relevant personal data legislation. The Beneficiaries agrees that this data would be processed according to the Data Processing Annex.
- The Provider assumes no obligation and does not guarantee, implicitly or deliberately, for services rendered. The Provider shall make all reasonable efforts to ensure the provision of services and try to correct errors and omissions as soon as possible.
- The Provider does not offer any guarantees and has no responsibility for the result of services rendered at the request of the Beneficiary, for information made available through Omniconvert Reveal by Beneficiaries and in no circumstance can it be held liable for any loss or damage that may result from the use of either section of Omniconvert Reveal, of the Service or from the impossibility to use it, regardless of its cause, or from the misinterpretation of any provision of Omniconvert Reveal.
- Beneficiaries understand and accept that the Provider makes available for Beneficiaries a hosting platform, so all services and facilities related to the use of Omniconvert Reveal, as well as all data, information contained therein are provided “as is”, “as available”, and Beneficiaries use them at their own risk. Beneficiaries understand and accept that the Service made available on Omniconvert Reveal is provided “as is”, “as available” and use it at their own risk. Beneficiaries understand and accept that rendering the Service may be affected by certain objective conditions. Consequently, the Provider cannot be held liable regarding any information and data included in the content of Omniconvert Reveal or received from Beneficiaries, including but without limitation to those regarding offers, services, data and information related to the use of the Service, or any other activity regarding the use and access of the Service and/or of Omniconvert Reveal, as well as any other legal effect deriving therefrom.
- Beneficiaries understand and accept that the Provider is exempt from any liability in the event of any stoppage, interruption, hindering, malfunctions or errors in the operation of Omniconvert Reveal, in case of technical failures of any kind or any errors in the provision of the Service, and in any situation in which it wouldn’t be proven with certainty that any errors or technical problems of the above are due directly and exclusively to the serious fault of the Provider.
- Expressly, Beneficiaries understand and accept that the Provider is exempt from any liability for any direct or indirect damage, including but not limited to loss of profits, commercial venue or other intangible losses, resulting from the use of the Service or any other aspect in connection with the Service and use of Omniconvert Reveal in any way or any legal consequences deriving from it.
- In cases of force majeure, the Provider and/or operators, directors, employees, branches, subsidiaries and its representatives shall be entirely exempt from liability. Force majeure cases include, but are not limited to, errors in operation of technical equipment of the company, no functioning of the internet connection, denial of service attacks, no functioning of telephone connections, computer viruses, hacking attacks of any type and interference with any malicious software, unauthorized access in the Omniconvert Reveal systems, operational errors, strike etc.
- Beneficiaries agree to protect, insure and fully compensate the Provider and/or its operators, directors, employees, branches, subsidiaries and representatives against any demands, claims, actions, charges, losses, damages, costs (including but not limited to attorney’s fees, fees for experts and consultants or executors, legal fees, notary or performance fees), costs, judgments, decisions, fines, regulations or other obligations arising from or related to any other action of the Beneficiary in connection with the use of the Services or any other matter in connection with the Service.
6. DURATION AND TERMINATION
- These Terms and Conditions will become effective at the date of their acceptance by the Beneficiary, for an indefinite period of time.
- The contractual relationship between Omniconvert and the Beneficiary under these Terms and Conditions will be terminated:
- by written consent of both Parties;
- by termination by either Party, at the expiry of the 30 days term from the notification date, based upon a written notification sent to the other Parties without any other formality or the intervention of the court of law if either Party breaches any of the obligations stipulated in the Terms and Conditions and does not remedy the breach within the period specified in the notification:
- by unilateral termination by either Party, complying with a written notice by email of 60 (sixty) days, case in which the Party cannot request damages, compensations or other financial actions to stop the contractual reports.
- by not accessing the Beneficiary account on the Omniconvert Reveal platform or not sending data to Omniconvert Reveal in 13 consecutive months.
- The termination of the contractual relationships, regardless of the way, has no effect on the already outstanding obligations between the Parties.
9 . GOVERNING LAW. DISPUTES
Rights and obligations of Beneficiaries and of the Provider, set forth in the Terms and Conditions, and all legal effects the Terms and Conditions produce shall be construed and governed in accordance with Romanian law in force. The applicable law in relations arising between the Provider and Beneficiary/Beneficiary/other party is the Romanian law. The law applicable to any report or effect arising from the Service or accessing Omniconvert Reveal is the Romanian law. Any dispute or claim arising out of these Terms and Conditions will be resolved by mutual agreement. In the event that it can not be settled by mutual agreement in 30 days from the first notification, the dispute arising out of or in connection with these Terms and Conditions will be settled by an independent arbiter selected by both parties. In case when the parties may not agree in appointing an independent arbiter in 14 days, the dispute will be settled by the competent court in Bucharest.
10. AMENDMENT TO TERMS AND CONDITIONS
The Provider is entitled to amend at any time and in any way any of the provisions of the Terms and Conditions or the Terms and Conditions entirely, without any prior notice and without being required to fulfill any other formality before Beneficiaries. Any amendment shall be considered as fully and unconditionally accepted by any Beneficiary by simply using or accessing any facility offered by Omniconvert Reveal or by using the services, or accessing Omniconvert Reveal, occurred at any moment after the amendment was made, and non-acceptance of any change draws the obligation of the respective Beneficiary to immediately stop accessing Omniconvert Reveal and or using in any way the Service.
- The present Terms and Conditions must be construed and understood in connection with its appendixes:
Annex 1 – Data Processing Annex
The present Terms and Conditions – version 1.0 were published by the Provider on its service on 1.07.2020 and are accessible at the web page www.omniconvert.com/reveal/terms
Data Processing Annex
The present data protection agreement between Omniconvert and the Beneficiary is an annex to the Terms and Conditions Omniconvert Reveal between the two parties and aims to clarify the roles and responsibilities for data protection from both parties, based on obligations imposed by the art 28 from EU Regulation 2016/279 (GDPR).
In the context of this contract, the Beneficiary is the Data Controller and Omniconvert is the Data Processor for all the personal data sent by the Beneficiary to the Service as defined in the Terms and Conditions.
“Applicable Law” shall mean (i) any data protection laws or regulations in the jurisdiction in which the Personal Data is hosted; (ii) Directive 95/46/EC of October 24, 1995, on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data; and (iii) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (the “GDPR”).
In the current agreement all definitions from GDPR Article 4 will apply accordingly.
- Subject matter and duration
The Subject matter results from the Terms and Conditions between the contracting parties. The duration of this agreement corresponds to the duration of the Terms and Conditions.
- Nature and Purpose of the processing of Data
The processing of personal data by the Data Processor for the Data Controller is presentation of the Beneficiary’s data related to its customers, products, product categories, and orders placed. The Service then transforms the raw data you have into customer relevant information which is being displayed in the Reveal dashboard and exposed over the API, in order to build the Beneficiary’s customer retention strategy.
The processing includes all operations performed on the collected personal data, only by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, alignment or combination, restriction, erasure or destruction.
- Collected data
The data collected for the purposes of this agreement includes all data listed in Omniconvert Reveal technical documentation that has been processed by the Beneficiary in their ecommerce business.
It is highly recommended to the Data Controller to anonymise or pseudonymised all personal data before sending it to the Omniconvert Reveal Service, depending on the actual need in using this data in the Service or further using them within another service offered by another Data Processor.
The Data Processor offers several methods and explanations how to do that and what are the advantages and disadvantages in using anonymised or pseudonymised data, depending on the Data Controllers needs – some of the methods are described publicly, but contact Omniconvert directly for further suggestions.
- Categories of data subjects
The categories of data subjects are customers of the Data Controller.
- Specific Instructions
5.1. The Data Controller instructs the Data Processor on processing all personal data specified in article 3 in order to provide the services in the Terms and Conditions Omniconvert Reveal.
5.2. The Data Controller instructs the Data Processor to directly transfer certain data (that might include personal data) to other companies selected by the Data Controller, by providing them with relevant credentials (e.g. API keys) for each of them, be it by entering these credentials within the application, or by explicitly requesting them in writing. The other companies for which this feature is technically available are provided in the Reveal documentation or in the Reveal dashboard, or should be requested in writing (for custom point-integrations). For the avoidance of the doubt, these companies are not sub-processors based on this contract.
- Obligations of the Data Controller
- confirms and guarantees that, in relation to the processing of personal data for this contract, it acts as a Data Controller;
- complies with Applicable Law when processing personal data, and only gives lawful instructions to Data Processor;
- guarantees that data subjects have been informed of the uses of personal data as required by Applicable Law, including sharing their data with the Data Processor, if required;
- confirms it relies on a valid legal ground for the processing of personal data under Applicable Law, including if required obtaining consent from data subjects;
- complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of processing, and objection to the processing;
- implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with Applicable Law, including for securing the transfer of data from its data subjects to the Data Processor;
- cooperates with Data Processor to fulfill their respective data protection compliance obligations in accordance with Applicable Law;
- by providing an API key for integration or explicitly requesting a point-integration with other data processors according to art. 5.2, it confirms and guarantees its instruction to send the selected data to these companies and that the security of the transfer is being guaranteed by the Data Controller or the other data processors. It also confirms that it has a proper legal basis for transferring the personal data to these companies.
- Obligations of the Data Processor
The Data Processor only processes personal data on behalf of the Data Controller in accordance with its specific instructions as mentioned in Article 5 and not for any other purposes than those specified in Article 2 or as otherwise agreed by both parties in writing.
For the avoidance of doubt, the Data Controller authorizes the Data Processor to use statistical data, based on information from the accounts of the Beneficiaries in order to improve its services or to create benchmarks for internal use or for public presentations of relevant aggregated information for the selected domains. These will be always based on aggregated data that would be impossible to link to one or several Data Controllers or to any personal data proceed based on this agreement.
The Data Processor will promptly inform the Data Controller if, in its opinion, the Data Controller’s instructions infringe GDPR, and/or if the Data Processor is unable to comply with the Data Controller’ instructions.
The Data Processor will notify the Data Controller without undue delay after becoming aware of a personal data breach when the data is processed by the Data Processor. The Data Processor will take reasonable steps to mitigate the effects and to minimize any damage resulting from the personal data breach.
The Data Processor will assist the Data Controller in complying with data security, data breach notifications, data protection impact assessments and prior consultations with supervisory authorities requirements under GDPR, if necessary, taking into account the nature of the processing and the information available to the Data Processor. To the extent authorized under Applicable Law, the Data Controller shall be responsible for any costs arising from the Data Processor’s provision of such assistance.
The Data Processor, taking into account the nature of the processing, will assist the Data Controller by appropriate technical and organizational measures, as far as this is possible, to fulfill the Data Controller’s obligations to respond to data subjects’ requests to exercise their rights as provided under Applicable Law.
When the Terms and Conditions will be terminated, the Data Processor will delete or anonymize all personal data in maximum 30 days from the expiration date, unless the Controller will ask them to keep it or if the Romanian laws prevent it from returning or destroying all or part of the personal data or requires storage of the personal data (in which case the Data Processor must keep them confidential).
8.1. Data controller agrees with the usage of the following specific sub-processors by the Data Processors for IT services: Digital Ocean, USA (and has signed adequate Standard Contractual Clauses) on its servers from the Netherlands .
8.2. By this article the Data Controller gives a general authorization to the Data Processor to share personal data to future Sub-Processors under the conditions set below:
- The Data Processor guarantees the existence of an agreement with its Sub-Processors which imposes on the Sub-Processor the same data protection obligations as provided by the Data Processor under this agreement or by Applicable Law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures to ensure the processing will meet requirements under Applicable Law, to the extent applicable to the nature of the service provided by the Sub-Processors. Where the Sub-Processor fails to fulfill its data protection obligations under such agreement, the Data Processor shall remain fully liable towards the Data Controller for the performance of the Sub-Processor’s obligations under such agreement.
- The Data Processor guarantees that all the Sub-Processors will process data exclusively within a Member State of the European Union (EU), within a Member State of the European Economic Area (EEA) or in any state with an adequate data protection regime as recognized by the European Commission or have signed adequated SCCs;
- The Data Processor shall inform the Data Controller of any addition or replacement of Sub-Processors and allow the Data Controller to reasonably object to such changes by notifying the Data Processor in writing within 5 business days after receipt of the Data Processor’s notice of the addition or replacement of a Sub-Processor. The Data Controller’s objection should explain the reasonable grounds for the objection.
- Security of the processing and confidentiality
The Data Processor must implement appropriate technical and organizational measures to ensure standard industry security measures appropriate to the risk, according to art 28 and 82 from GDPR. In assessing the appropriate level of security, the Data Processor must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. The Data Processor shall take steps to ensure that any person acting under its authority who has access to personal data is bound by enforceable contractual or statutory confidentiality obligation.
In the case of transferring data to other companies as requested by the Data Controller per art 5.2. the Data Processor is responsible for the security of the data only until the data has left its server.
- Data Protection Audit
10.1. Upon prior written request by any Data Controller, the Data Processor agrees to cooperate and within reasonable time provide to any Data Controller with:
- (a) a summary of the audit reports demonstrating the Data Processor’s compliance with its obligations under this Exhibit, after redacting any confidential and commercially sensitive information; and
- (b) confirmation that the audit has not revealed any material vulnerability in the Data Processor’s systems, or to the extent that any such vulnerability was detected, that Data Processor has fully remedied such vulnerability.
10.2. If the above measures are not sufficient to confirm compliance with GDPR or reveal some material issues, subject to the strictest confidentiality obligations, the Data Processor allows the Data Controller to request an audit of Data Processor’s data protection compliance program by external independent auditors, which are jointly selected by the parties. The external independent auditor cannot be a competitor of Data Processor, and the parties will mutually agree upon the scope, timing, and duration of the audit. The audit may not start with less than 30 days from the first request of the Data Controller. The Data Processor will make the result of the audit of its data protection compliance program available to the Data Controller. The Data Controller must fully reimburse the Data Processor for all expenses and costs for such an audit.
- Liability to data subjects.
11.1. Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation of Applicable Law.
11.2. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Data Controller will be liable to data subjects for the entire damage resulting from a violation of GDPR with regard to processing of personal data for which it is a Data Controller, and that Data Processor will only be liable to data subjects for the entire damage resulting from a violation of the obligations of GDPR directed to the Data Processor or where it has acted outside of, or contrary to Data Controller’s lawful instructions.
11.3. The Data Processor will be exempted from liability if it’s proven that it doesn’t have any responsibility in the event giving rise to the damage.
- Enforcing this agreement
This current arrangement will be in force starting with the date of entry into force of the Terms and Conditions, until it is superseded by a new arrangement.