Software as a Service (SaaS) Agreement
This Agreement is entered into between Emptor, Inc., 251 Little Falls Dr., Wilmington, Delaware 19808 (“Company”) and you, the Client. It should be noted that certain portions of the SaaS Agreement are only applicable to certain products or countries (as affirmatively indicated within this Agreement). The Annexes are one such portion of the Agreement that may or may not apply, based on the locus of the information or data subject. For any Clients whose place of incorporation is within the European Union, or Data Subjects who are EU citizens, the Standard Contractual Clauses shall apply by operation of law. The Terms and Conditions of this SaaS Agreement will, from time to time, be updated to reflect changes at Company or with Company’s services. If material or significant changes are made, Client may be required to affirmatively consent to these changes. If Client does not protest the changes or Client otherwise continues to use Company’s services, Client will have consented to the changes made. The Terms and Conditions of this SaaS Agreement shall govern Client’s use of Company services and shall go into effect upon Client clicking the box affirmatively stating they accept these Terms and Conditions at the time of signing up for Company’s services.
This SaaS Agreement (the terms and conditions stated herein, any applicable work order form, the annexes listed below, and Emptor’s API manual https://docs.emptor.io/), applicable in its entirety, constitutes the entire agreement between the parties and governs all work contracted under, and performed by, Emptor, Inc. as articulated in the applicable Work Order Form(s) and any applicable addendums thereto. The following terms the User agrees to include, but are not limited to:
The User warrants that informed consent has been given by any and all data subjects for the use of their information in Emptor’s services, or that use otherwise falls within lawful purposes and use under any and all relevant and applicable laws.
The User warrants that upon written request by Emptor, the above informed consent shall be evidenced or otherwise that lawful use of the information can be demonstrated.
Emptor’s news reports are composed of unaffiliated third party sources, and Emptor disclaims liability to the fullest legal extent, and does not warrant, the veracity or accuracy of the substantive information provided by these sources.
The User further agrees to the following:
Terms and Conditions
SERVICES AND SUPPORT
Subject to the terms of this Terms and Conditions, the Annexes, the API Manual (https://docs.emptor.io/), and any applicable Work Order Form (collectively referred to as “SaaS Agreement” or “Agreement”), Company will use commercially reasonable efforts to provide Client the Services in accordance with the Service Level Agreement( see https://docs.emptor.io/) the terms of which are governed by this Agreement.
Subject to the terms hereof, Company will provide Client with reasonable technical support services in accordance with the terms set forth in the Service Level Agreement.
RESTRICTIONS AND RESPONSIBILITIES
Client will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services (“Software”); modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third; or remove any proprietary notices or labels.
Export and Import Control Compliance. Further, Client may not remove or export from the United States or allow the export or re-export of the Services, Software or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. As defined in FAR section 2.101, the Software and documentation are “commercial items” and according to DFAR section 252.2277014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.
OFAC Compliance. Client acknowledges that Company is beholden to OFAC regulations, and in particular, the OFAC Cyber-Related Sanctions program, implemented under E.O. 13694 and E.O. 13757. As such, Company is prohibited from engaging in business with, or furthering the interests of, any individual, group, or entity designated by the U.S. Government as a Specially Designated National. Client warrants that, to the best of its knowledge, Client is not identified by the United States Office of Foreign Asset Control (OFAC) as an entity, nor is it owned or controlled by (either controlled by through entity charter, or through 50% or more ownership of the entity), or acting on behalf of, targeted countries, or any entity otherwise designated as a Specially Designated National, nor is Client engaging in business with individuals or entities with such classification. Client also warrants that it is not knowingly employing Emptor for the purpose of doing business with, or furthering the interests of, third party companies, entities, groups, or individuals that are identified by OFAC as Specially Designated Nationals. If Client discovers that an individual or entity directly under its employ, or a client it services, or a third party individual or entity for whom Client engages in Company’s services to provide business to, is a Specially Designated National, then Client is under an affirmative obligation to notify Company.
Compliance with use of Company’s API Manual. Client represents, covenants, and warrants that Client will use the Services only in compliance with Company’s standard published policies, which are articulated in Company’s API manual (found at https://docs.emptor.io/), the External Software Usage Policy incorporated into this Agreement, as well as any and all applicable laws and regulations. The API Manual is updated regularly to reflect changes in Emptor’s service capabilities and to consistently improve security measures. As such, Client should review the API manual regularly. Client hereby agrees to indemnify and hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Client’s use of Services. Although Company has no obligation to monitor Client’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.
FCRA Compliance. The parties acknowledge that for purposes of this Agreement, Company is operating as a consumer reporting agency, as that term is defined in the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) (FCRA). The parties acknowledge that the Data will be used for consumer reporting purposes pursuant to the FCRA. Company and Client certify that they have established and implemented written policies and procedures regarding the accuracy and integrity of information furnished, pursuant to any and all applicable provisions in the FCRA.
FCPA Compliance. Each Party warrants that it does not, and shall not permit any of its subsidiaries and Affiliates or any of its or their respective directors, officers, managers, employees, independent contractors, representatives or agents (collectively, “Representatives”) to, promise, authorize or make any payment to, or otherwise contribute any item of value to, directly or indirectly, any non-U.S. government official, in each case, in violation of the U.S. Foreign Corrupt Practices Act (“FCPA”) or any other applicable anti-bribery or anti-corruption law. Each Party shall, and shall cause each of its subsidiaries and Affiliates to, cease all of its or their respective activities, as well as remediate any actions taken by it, its subsidiaries or Affiliates or any of its or their respective Representatives in violation of the FCPA or any other applicable anti-bribery or anti-corruption law. Each Party shall, and shall cause each of its Affiliates and subsidiaries to, maintain systems or internal controls (including, but not limited to, accounting systems, purchasing systems and billing systems) to ensure compliance with the FCPA or any other applicable anti-bribery or anti-corruption law.
General Data Security and Privacy Law Compliance. The Parties acknowledge that the data to which they will have access pursuant to this Agreement will contain Personal Identifying Information, the use of and access to which is subject to various privacy and data security laws in various jurisdictions. The Parties agree to comply with any and all such applicable Privacy and Data Security laws, and to implement appropriate mechanisms to comply therewith as part of their own internal Information Security program. Furthermore, parties agree to implement and execute any and all supplementary or incidental agreements, notices, consents, and other documents as is required by law or this Agreement to further ensure compliance with such Privacy and Data Security Laws. The Data Processing Agreements can be found for Company Generally (Annex I) and Brazil (Annex II) attached hereto.
Notice of limited Use of PII. Company does not use any Personal Identifying Information of the data subject given to it by Client, including but not limited to the Client Data, any other personal data of the data subjects and any data derived from it, other than for the provision and improvement of the Services rendered, the Services of which are defined by this Agreement. Client, as the direct point of contact with the data subject, is responsible for placing the data subject on notice and receiving requisite consent from the data subject for the processing and use of their information or otherwise establishing the legal basis for use of the data subject information.
Notice of Submission to Vetting Process and Right to Audit Use of Company Services. Prior to Company’s making available to Client the use of Company’s platform and services, Company may and shall have the right to perform a background check on Client, and to request from Client any information or documentation it may need for the purposes of such vetting or audit (including but not limited to proof of Data Subject Consent). The purpose of this process is to determine the legality or otherwise permissiveness of Client in use of data subject information or Company platform and services. Company has the right to perform this vetting and audit both prior to making its services available, and at any time thereafter in the event that reasonable suspicion or cause exists to question the legality of Client’s use of Emptor’s services. If Company discovers that Client’s use of data subject information or Company services is illegal or harmful to Company’s image or goodwill, Company has the absolute right to refuse or terminate Client’s use of Company services immediately.
CONFIDENTIALITY; PROPRIETARY RIGHTS
Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Company includes, but is not limited to, non-public information regarding features, functionality and performance of the Service. Proprietary Information of Client includes non-public data provided by Client to Company to enable the provision of the Services (“Client Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law. Such five (5) year term will be extended in the event of renewal of this Agreement for additional periods of the same duration as the renewal term of this agreement. Client affirms that it implements information security systems, measures, and protocols both internal, and between Client and third party service providers, sufficient to safeguard sensitive and proprietary information from inadvertent disclosure or malicious acquisition.
Client shall own all right, title and interest in and to the Client Data. Company owns any data that is based on or derived from the Client Data and provided to Client as part of the Services. Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing.
Notwithstanding anything to the contrary, Company shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Client Data and data derived therefrom), and Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business, provided that such use and disclosure shall be in compliance with any applicable laws and regulations and shall not cause any detriment to the Client or any of its affiliates. No rights or licenses are granted except as expressly set forth herein. Any use and disclosure of any Proprietary Information and any confidentiality obligation with respect to the Proprietary Information on part of the Disclosing Party shall be governed by and subject to the requirements of the NDA. In addition, the Company shall not disclose to any other third parties whose primary business competes with that of the Client or its affiliates, the existence of this Agreement, the identity of the Client, the fact that the parties hereto are considering the transactions contemplated hereunder, including the status thereof and the existence of discussions or agreements between the parties hereto or between the Company and any other person in relation to the transactions contemplated hereunder, or any other fact relating to the transactions or any communications related thereto, without the prior written consent of the Client. However, Company may include Client in their client references, along with a logo and a description of Client’s company for the purposes of fundraising and marketing on Company’s website.
The Client acknowledges and agrees that it shall be responsible for acquiring the necessary consent that is required under the applicable laws and regulations of any countries or regions covered by this Agreement to enable the relevant personal data to be provided to and reviewed by the Company for the sole purpose of rendering the Services to the Client. In the event such personal data is collected by the Client through its own applications, Client will be responsible for developing and integrating the relevant consent collecting functions into its applications. If such personal data is collected by the Company, the Company shall be responsible for developing the relevant consent collecting functions and shall ensure the integration of such functions into the automated interface provided by it to Client for the purpose of rendering services to Client.
3.5 It is acknowledged Client owns the input data and the result data. Company owns the process and all processed data.
3.6 All data, regardless of how it was shared or made available must be duly and completely destroyed, eliminated, or returned to Client upon Client’s request. Furthermore, upon termination of this Agreement, or upon the written request of the Client, the data must be deleted in its entirety using industry best practices. Client further acknowledges that once Client Data is destroyed, Company is no longer liable for destroyed data.
3.7 If applicable, Client shall be responsible for complying with any laws pertaining to «ARCO» rights as required by law. In the event that Client shall need for Company to provide to any Data Subject the rights of access, cancellation, and/or opposition regarding any Data Subject Personally Identifiable Information («PII») in Emptor’s possession, Client must submit such request, on Data Subject’s behalf, in writing. Company shall respond as soon as is practicable. Company is not responsible for rectifying information not located within its own data stores. Therefore, to do so, the Client should instruct the Data Subject to go directly to the source.
PAYMENT OF FEES
4.1 Client will pay Company the applicable fees described in any applicable Work Order Form agreed to by both parties for the Services outlined therein (the “Fees”). All test data and re-runs processed will be billed at the regular pricing quotes specified in the Work Order Form. Client shall be responsible for all taxes associated with Services other than U.S. taxes based on Company’s net income.
4.2 Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Company thirty (30) days after receipt date of the invoice by Client. For the avoidance of doubt, if services commence seven (7) business days prior to the end of a given month, Company acknowledges and agrees that the fees for the services provided during the period from the date when the services start to the end of the month shall be billed to the billing of the following month. Unpaid amounts are subject to a finance charge of 2.0% per week on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. In the event that Company chooses to bill through an invoice, Client agrees to pay Company through the information explicitly provided in the Work Order Form. Invoices that may be issued by Company must comply with any and all applicable requirements set forth in the laws and regulations of the country of issuance.
4.3 Company shall obtain approval from Client prior to incurring travel expenses that Company requests be reimbursed. If approved, Client shall reimburse Company for such travel expenses provided that Company provide Client with an itemised description of expenses claimed and receipts for such expenses.
4.4 Billing Policy
Successful Execution: when all the enabled reports for a given Person (an individual whose data Emptor will use to perform a Background Check) have returned a state COMPLETED.
Incomplete: when any of the reports enabled for a given Person have returned a state INCOMPLETE.
Error: when any of the reports enabled for a given Person have returned a state or an outcome as ERROR.
Emptor charges its Clients (prices outlined in the applicable Work Order Form) for all successful executions of a folder (set of reports), i.e., when all the enabled reports have returned a state COMPLETED.
Emptor charges its Clients 50% of the prices outlined in the applicable Work Order Form for any INCOMPLETE results. This occurs when PASSED, FAILED, or BODY could not be reached due to the information provided by the Client.
Emptor does not charge its Clients for ERROR results.
Forms Billing Policy: Clients shall pay to Emptor the equivalent of 1 (one) incomplete profile for each Pre-Candidate (definition at https://docs.emptor.io/docs/emptor-forms) added to Emptor’s Dashboard still in the Pre-Candidate status at the time of invoicing. That is, for each Pre-Candidate created by Clients and not yet filled out (with the required data for further action) by a third party in order to reach profile status. If a Pre-Candidate is created and filled out within the same billing period (e.g. a given month) no amount will be charged for the Pre-Candidate status, however, subsequent actions taken will be billed according to the agreement (e.g. Background check and/or ID Validation).
4.5 In the event that Client believes Client has been incorrectly billed by Company, Client has two (2) calendar weeks from the date that the Client has received the invoice with the balance in question, to dispute the amount by notifying Company (“Billing Dispute”). Client then has two (2) calendar weeks from the date that Client notified Company of a potential Billing Dispute to do its due diligence (“Due Diligence Period”) in determining whether Company has in fact billed Client incorrectly. Company shall assist Client in providing any documentation as is reasonably necessary to confirm whether or not the amount in question is in error. Depending on the percentage of the amount that Client believes is billed in error, the following shall apply:
For amounts in dispute that are equal to or less than 10% of the total amount of the relevant invoice, the total amount of the invoice shall, regardless of the billing error, be paid by Client to Company within the time period specified in section 4.2. This means that payment for the total amount of the invoice must be received by Company within thirty (30) days from the date that Client received the invoice. If error is proven by Client, then the amount in error shall be credited to Client for the following month.
For amounts in dispute that are in excess of 10% of the total amount of the relevant invoice, then the amount that is not in dispute shall be paid by Client to Company within the time period specified in section 4.2. This means that payment for the amount of the invoice that is not in dispute must be received by Company within thirty (30) days from the date that Client received the invoice. If Client proves and Company agrees that the amount in dispute is in error, Company shall absolve Client of payment of the amount in dispute. If Client fails to prove that Company erred in the billing amount, then the amount outstanding shall be paid to Company. If the outstanding amount is paid within the billing period described in section 4.2, no late fees shall attach. However, if the outstanding amount is paid after the billing period in section 4.2 has lapsed, then whatever outstanding amount Client owes to Company shall be subject to the late fees described herein.
If no such resolution is reached between the Parties with regards to the amount in dispute, then Parties shall proceed with discussions in good faith and with efforts commensurate to the amount in dispute for resolution, within a reasonable time period. If no resolution can be reached, then external dispute resolution in accordance with the terms of this Agreement may be pursued.
TERM AND TERMINATION
This Agreement shall go into effect on the date that both parties sign the applicable Work Order Form (“Effective Date”). Furthermore, this Agreement shall be valid for a period specified in the applicable Work Order Form. Client or Company may terminate the Work Order Form and this Agreement for any reason if a written notice of termination is provided to the other party at least sixty (60) days prior to the intended date of termination. If the term outlined in the applicable Work Order Form is for a period of fewer than sixty (60) days, Client or Company can terminate the Work Order Form and this Agreement with seven (7) days’ written notice. In addition to any other remedies it may have, either party may also terminate the Work Order Form and this Agreement immediately if the other party materially breaches any of the terms and/or conditions of the Work Order Form and/or this Agreement. Client will pay in full for the Services up to and including the last day on which the Services are provided in accordance with the standards and requirements under the Service Level Agreement. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.
WARRANTY AND DISCLAIMER
Company shall use reasonable and necessary efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable and necessary efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. OUTSIDE OF THE REQUIREMENTS AND STANDARDS OUTLINED IN THE SLA, COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
Company pulls information from third party sources for the creation of its reports. Company does not guarantee or warrant the currentness, accuracy, or completeness of the materials and will not be responsible for any claim of any person attributable to errors, omissions or other inaccuracies of any part of such materials, nor shall company be liable for any loss or injury arising out of or caused, in whole or in part, by acts or omissions in procuring, compiling, collecting, interpreting, reporting, communicating or delivering such information, reports, or services.
Unless otherwise provided for in this Agreement and subject to the remedies available to the Client as specified in any applicable Work Order Form agreed to by the parties, Company shall indemnify Client for any losses or damages suffered or incurred by Client for the Company’s failure in rendering services in accordance with the standards and requirements as specified in the Service Level Agreement agreed to by the parties. Company shall hold Client harmless from liability to third parties resulting from infringement by the Service of any United States patent or any copyright or misappropriation of any trade secret, provided Company is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; Company will not be responsible for any settlement it does not approve in writing. The foregoing obligations do not apply with respect to portions or components of the Service (i) not supplied by Company, (ii) made in whole or in part in accordance with Client specifications and Company has informed Client of the potential infringement in connection with such portions of components, (iii) that are modified after delivery by Company, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Client continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Client’s use of the Service is not strictly in accordance with this Agreement. If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Company to be infringing, Company may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Client a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Client’s rights hereunder and provide Client a refund of any prepaid, unused fees for the Service.
LIMITATION OF LIABILITY
NOTWITHSTANDING ANYTHING TO THE CONTRARY, COMPANY AND ITS SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND COMPANY’S REASONABLE CONTROL; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO COMPANY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by Client except with Company’s prior written consent. Company may transfer and assign any of its rights and obligations under this Agreement without consent. This Agreement is the complete and exclusive statement of the mutual understanding of the parties in connection with the provision of the services, and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Client does not have any authority of any kind to bind Company in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement shall be governed by the laws of the state of New York without regard to its conflict of laws provisions.
10. DISPUTE RESOLUTION
Any dispute, controversy, or claim (each, a “Dispute”) arising out of or relating to this Agreement, or the interpretation, breach, termination, validity, or invalidity thereof, shall be referred to arbitration upon the demand of either party to the Dispute with notice (the “Arbitration Notice”) to the other. The Dispute shall be settled by arbitration in Mexico City by the International Centre for Dispute Resolution in accordance with the arbitration rules thereof in force when the Arbitration Notice is submitted. The arbitration language is English and the arbitration proceedings shall be conducted in English. The award of the arbitral tribunal shall be in writing, and final and binding upon the parties hereto. The choice of law by which this contract is governed is New York Law, without regard to its conflict of law provisions. The parties agree that the terms of the arbitration award, once final, can be implemented and enforced by any court of competent jurisdiction.
11. PARENT COMPANY OR AFFILIATE ASSUMPTION OF LIABILITY AND
GUARANTEE OF FINANCIAL OBLIGATIONS
The signatories of this document warrant that they have the requisite authority to bind Company and Client as respectively identified in the signature block of the applicable Work Order Form. If the Work Order Form is signed by a client (Parent, Subsidiary, Affiliate, etc.) who is not listed as the beneficiary for whom work is to be performed and/or from whom payment is to be remitted for services rendered by Emptor, Inc., then the signor, by signing these agreements, shall act as guarantor. As guarantor, the Client who has signed the Work Order Form willingly assumes liability for any breach of this Agreement or the Work Order Form by the intended beneficiary identified in the Work Order Form for whom Emptor is providing services, and willingly assumes liability for any billing, fees, or other financial obligations incurred from Emptor, Inc. having provided its services to that beneficiary. This guarantee is unconditional and absolute. This guarantee is enforceable against guarantor despite any other circumstance which might otherwise constitute a defense to the guarantee. The signing Client, as guarantor providing this guarantee, is not relying on any explicit or implicit representations by Emptor, Inc. or by the affiliate, subsidiary, etc. on whose behalf the guarantor is signing. This guarantee is governed by the laws of the state of New York, and any conflict arising from this clause shall be subject to arbitration in Mexico City through the International Center for Dispute Resolution. NOTE THAT THIS CLAUSE ONLY APPLIES IF THE CLIENT SIGNING IS NOT THE INTENDED BENEFICIARY FOR WHOM SERVICES WILL BE RENDERED, OR THE PARTY BY WHOM PAYMENT WILL BE REMITTED.
12. MANUAL REVIEW SPECIFICATIONS
Where Company possesses Manual Review capabilities, Company operates a manual review component that is included in the background check services that Company provides to Client. The manual review, where applicable, is a means to ensure that Company’s services are performed as fairly and accurately as possible in returning the results of the background checks to Client. For example, a manual review can ensure that a data subject does not improperly fail a background check due to imperfect or limitations on available information. However, as Company retrieves its information from public databases, Company cannot guarantee or warrant that such information contained within those databases is accurate. Please see the API Manual (https://docs.emptor.io/) for country-specific information.
13. ACKNOWLEDGEMENT OF PASS/FAIL CRITERIA
Company utilizes existing internal criteria that determine “pass” or “fail” conditions that vary by Country. These criteria comprise various searches, coupled with filtering criteria, which may include crimes and fines or other review criteria. Client is able to implement its own pass/fail criteria for Company to utilize in performing its background check services for Client. If Client does not make such a request, then Client accepts the existing criteria as well as the fact that Company does not make any warranty as to completeness or accuracy of information. In the event that the criteria are accepted, the criteria shall become part of the Agreement between Client and Company and shall be integrated into the background check process. If the existing criteria are used, then Client is under the obligation to learn and understand the criteria to ensure that the criteria do not infringe on any relevant labor or employment laws applicable to Client. It should be noted that, due to the sources of information being implemented differently in each market, the pass/fail criteria will differ accordingly.
Ultimately, the parameters of the background checks and hiring decisions are made by Client who will be responsible for complying with regulations regarding the conditions of hiring and employment within their respective market. As such, Company provides its services in a manner that is compliant with, but is not responsible for the ultimate client’s compliance with, any applicable laws of the Country in which Company is providing services, unless the Client gives Company parameters for background check pass conditions that are in violation of such laws in which case Company will refuse to perform background checks in such a manner. Engaging Company’s services is no guarantee of Client’s compliance with the laws of the jurisdiction in which Client is operating, which is the sole responsibility of Client. Decisions of employment, and the legal compliance of the manner in which such decisions are made, are the responsibility and liability of Client.
14. FORCE MAJEURE OR MATERIAL CHANGE OF LAW
Force Majeure means all events which are beyond the reasonable control of a Party to this Agreement, and which are unforeseen, or if foreseen reasonably unavoidable, which arise after the effective date of this Agreement and which prevent total or partial performance of this Agreement by such Party. Such events shall include, but not be limited to, natural disasters, war, threat of war, blockade, embargo, act of vandalism or theft that could not have otherwise through the implementation of reasonable security measures have been prevented, prevention of performance by acts of government or public agencies or the implementation of regulations by these institutions that render this contract illegal or invalid or performance impossible, epidemics, strikes, acts of god, and any other events which are recognized as Force Majeure in general international commercial practice.
If a Party is aware of the likelihood of a situation constituting Force Majeure arising, or is claiming Force Majeure, it shall notify the other Party as soon as is practicable in writing forthwith of the same, the cause and extent of non-performance or likely non-performance occasioned thereby, the date or likely date of commencement thereof and the means proposed to be adopted to remedy or abate the Force Majeure; and the Parties shall, without prejudice to the other provisions of this Agreement, consult each other with a view to taking such steps as may be appropriate to prevent and/or mitigate the effects of such Force Majeure.
The Party subject to or claiming Force Majeure shall:
Resume performance as expeditiously as possible after the termination of the Force Majeure or the Force Majeure has abated to an extant which permits resumption of such performance;
Notify the other Party when the Force Majeure has terminated or abated to an extent which permits resumption of performance to occur; and
Keep the other Party regularly informed during the course of the Force Majeure as to when resumption of performance shall or is likely to occur.
If the Parties are not in agreement that an event of Force Majeure has occurred, the matter shall be handled in accordance with the terms of this Agreement regarding Term and Termination to the extent possible. If, upon the execution of this Agreement, any Party’s interest is negatively affected by promulgation or abolition of any law, or amendment or change to any law, or any competent authority’s change to, withdrawal of, or refusal to renew, any license, approval, permit or other consent (collectively can be referred to as “Material Change of Law”), the Parties shall negotiate for the necessary adjustment so as to maintain each Party’s benefit under this Agreement to a level no inferior to the status prior to such Material Change of Law.
Data Processing Agreement (DPA)
This Data Processing Agreement (hereafter, “the DPA”) is entered into between Emptor, Inc. (hereafter, “Company”), and Client, (hereafter, “Client”). The Client acts as a Data Controller, per the definitions listed below, and wishes to contract data processing services from the Company which acts as Data Processor or Subprocessor, per the definitions listed below. Both Parties acquiesce and commit to adhere to the principles, rights, and obligations as listed within the DPA as articulated herein.
DEFINITIONS AND INTERPRETATION
Unless otherwise denied herein, capitalized terms and expressions used in the DPA and corresponding Agreement shall have the following meaning:
“Agreement” means the SaaS Agreement between the Parties, as well as the DPA and any other corresponding agreements or annexes relevant to the agreement between the Parties.
“Client Data” means any Personal Data processed by the Processor on behalf of the Controller, or Subprocessor on behalf of the Controller pursuant to or in connection with the Agreement.
“Data Protection laws” means any relevant and applicable Data Protection Laws within the jurisdictions relevant to the presence, transfer, or processing of data per the terms of the Agreement.
“Data Transfer” means:
A transfer of Client Personal Data from the Client to Company or Contracted Processor, or;
An onward transfer of Client Personal Data from a Contracted Processor to any other Subprocessor;
“Services” means the SaaS services provided in accordance with the Agreement provided by Company.
“Subprocessor” means any person or company appointed as a third party by or on behalf of Processor or subsequently by Controller to process Personal Data on behalf of the Controller in connection with the Agreement.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of such processing are determined by the purposes and means of such processing.
“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physician, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data” means any information relating to an identified or identifiable natural person (see “Data Subject”).
“Personal Data Breach” means a breach of security legend to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Supervisory Authority” means an independent public authority which is established as the relevant, recognized, and competent authority for the creation, administration and application of Data Protection Laws and related matters within the jurisdictions relevant to the provisioning of services under the Agreement.
DATA PROCESSING AGREEMENT TERMS
Processing of Client Personal Data
The Processor Shall comply with all applicable Data Protection Laws in the Processing of Client Data. Furthermore, Processor shall not Process Client Data other than on the relevant Controller’s documented instructions. The Controller shall instruct the Processor to process its Client Data.
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Client Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall, in relation to the Client Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. This includes, as appropriate:
The pseudonymisation and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
Processor shall not appoint (or disclose any Client Personal Data to) any Subprocessor unless otherwise required, or authorized by the Controller.
Data Subject Rights
Taking into account the nature of the Processing, Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller obligations, as reasonable understood by the Controller, to respond to requests to exercise Data Subject Rights under the relevant Data Protection Laws.
Promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data, and;
Ensure that it does not respond to that request except on the documented instructions of Controller, or as required by the relevant applicable laws to which Processor is subject, in which case Processor shall to the extent permitted by the relevant applicable laws inform Controller of that legal requirement before any Contracted Processor responds to the request.
Client acknowledges and agrees that Data Subject has various rights with respect to how their information is processed. These rights include, but are not limited to, rights of access, rectification, cancellation, and opposition. For any inquiries regarding the exercise of such rights or information regarding the processing of the Subject’s data, Client, as point of contact, shall forward to Company the Data Subject’s inquiries. Such inquiries shall be submitted to email@example.com.
Personal Data Breach
Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Client Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under any and all relevant and applicable Data Protection Laws.
Processor shall cooperate with the Controller and take reasonable commercial steps as directed by Controller to assist in tigation, mitigation, and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers required or necessary by any relevant and applicable Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Deletion or return of Client Personal Data
Subject to this section 8, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Client Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of Client Personal Data.
Processor shall provide written certification to Controller that it has fully complied with this Section 8 within 10 business days of the “Cessation Date”.
This section 9 and the audit rights pertaining herein shall only apply where necessitated by relevant and applicable Data Protection Laws. If no such laws are otherwise applicable to the Parties, services, or transaction articulated herein, then this section shall not apply, and no such audit rights shall be granted.
If such Rights are mandated by applicable and relevant data protection laws, subject to this section 9, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
Information and audit rights of the Company only arise under section 9.2 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
The processor may not transfer or authorize the transfer of Data to countries or territories not otherwise required for the Processing of its data without the prior written consent of the Controller. Both Parties commit to ensure that personal data is adequately protected in any given transfer, using industry best practices.
Confidentiality. Each Party must keep this DPA and the corresponding Agreement, and any information received about the ther Party and its business in connection with this DPA and Agreement confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that the disclosure is required by law, or that the relevant information is already in the public domain, in a manner consistent with the terms of the Agreement.
All notices and communications relating or relevant to this DPA and Agreement must be in writing, as required by the terms of the Agreement.
Brazil LGPD Data Protection Addendum
These Data Protection Clauses are agreed upon between Emptor Inc (hereafter, «Emptor») and Client (hereafter, «Client»), and shall integrate the SaaS Agreement («SaaS Agreement»).
WHEREAS the provision of Services agreed upon by the Parties in the SaaS Agreement may imply in Personal Data treatment over data collected in the brazilian territory or pertaining to an individual located in the brazilian territory, and therefore in the International Transfer of said Personal Data;
WHEREAS Brazil has a data protection law in effect as of september 2020 – Lei Geral de Proteção de Dados (LGPD) [Lei nº 13.709/2018] – which provides that the Personal Data treatment regarding data of individuals located in brazilian territory must abide by certain rules and principles;
WHEREAS the Parties wish to ensure compliance with the rules and principles set forth in LGPD for any data treatment over Personal Data of individuals located in the brazilian territory during the provision of the Services agreed upon in the Saas Agreement and by that also ensure the legality of such data treatment;
WHEREAS both Emptor and Client also with to ensure the adequate safeguards and level of security, confidentiality and protection of privacy for the Personal Data of individuals located in the brazilian territory, as well as put in place mechanisms to prevent any data breach or incident;
The Parties agree upon the following:
For the purpose of this Annex, the following definitions shall apply:
Personal Data: means any personal identifiable information (PII) collected in the brazilian territory or pertaining to an individual (natural person) located in brazilian territory used for the provision os the Services;
Data Subject: the individual (natural person)
Services: the processing of personal data for which the Controller (Client) has contractually engaged the Operator (Emptor)
Cooperator: any third party providers used
Collaborator: any person that works for Emptor at any capacity, contractors, employees
The terms and expressions «Controller’ «Operator» «Data Treatment» «International Data Transfer» shall have the same meaning as assigned to them in LGPD
The Parties hereby undertake to comply with Brazilian Data Protection Regulation during the provision of Services by Emptor on behalf of the Client. Both parties shall abide by the LGPD and any other regulations that are set forth by the National Authority (Autoridade Nacional de Proteção de Dados – ANPD) during the provision of the Services.
For the purposes of this Agreement, as it is for the purpose of Resale and the Client will not be the end user of the product, nor supply or control the information to be processed using Emptor’s services, both Emptor and Client will be considered Operators of the Personal Data. The end user, or ultimate Client of Client, is considered the Controller of the Personal Data. The Operators and the Controller must observe their responsibilities as stated in the data protection regulations from Brazil (Chapter VI, Section III of the LGPD). As Client is the primary point of contact for the Controller, it is Client’s responsibility to ensure the Controller understands and is willing to comply with the responsibilities under the LGPD. No responsibilities are transferred by any means from one party to another through these clauses.
The categories of Personal Data used for the provision of Services include name of the Data Subject, parents name, date of birth, ID number (RG), Taxpayer Number (CPF), city and state of residence or signup. The Parties agree that no Sensible Information or personal data regarding underaged persons will be exchanged for the provision of Services, if any such data is added to the Services they will be disregarded by Emptor, sent back to the Client and eliminated.
The Controller of the Personal Data shall be responsible for acquiring the necessary consent (free and informed consent) for the provision of the Services or guaranteeing that the treatment fits in any of the other legal possibilities set forth by LGPD (article 7). In the case consent is the legal ground used to justify the Data Treatment it must include, at a minimum, information on the purposes for which the data is collected, the sharing of the data with Emptor and the International Data Transfer. The Controller shall be responsible for keeping record of any consent granted by any Data Subject.
Emptor, as an Operator for the Data Treatment, shall be responsible for (a) performing the Data Treatment for the sole purpose of rendering Services to the Client, within the limits and according to the provisions of the SaaS Agreement; (b) processing only such Personal Data as is strictly necessary for the performance of the Services or to comply with legal requirements; (c) keep the Personal Data confidential, disponible only for the use of the personnel responsible for the provision of Services. The use of Personal Data by Emptor for its own purposes or for purposes other than rendering Services to the Client shall represent a breach of this section, in this case Emptor will be considered as liable as the Controller over the damage caused by the treatment of the Personal Data for its own benefit (Article 42, § 1º, I of the LGPD).
Emptor, acting as an Operator, shall refrain from responding to any request made by the Data Subject in regard to the Personal Data treated in the provision of the Services, except to the extent instructed by the Controller or according to LGPD regulations or ANPD decisions. However, Emptor shall inform the Client of any such request and cooperate with the Client to guarantee that the rights of the Data Subject provided by LGPD (Chapter III) are met in a timely manner and in accordance with the procedures set out by the law.
Emptor shall provide Client, at its request, with any reasonably necessary documents to ensure that it is in compliance with the obligations arising from these Data Protection Clauses, including documentation over the use of the Personal Data only for the rightful purpose and over the technical and organisational measures adopted to ensure the protection of the Personal Data.
Both Parties shall keep record of the treatment activities under their responsibility in electronic form. The record shall contain (a) the categories of Personal Data used in the Data Treatment; (b) the categories of Data Treatment carried out on behalf of the Controller; (c) any International Data Transfer taking place due to the Data Treatment
Both parties shall also inform one another immediately about (a) any auditing, investigation ou apprehension of the Personal Data by any competent authority; (b) any other requests from the competent authorities, including the judiciary or Ministério Público; (c) any incident regarding the Personal Data that may affect the other party businesses or demands its action. If any of the parties is subject to auditing by ANPD regarding the Personal Data used for the provision of the Services, it must inform the result of such audit to the other Party no later than ten (10) days after the results are published.
Both Parties shall cooperate with the competent authorities, especially ANPD, providing all the information required to comply with regulations and/or requests made by said authorities.
PERSONAL DATA PROTECTION
Emptor shall adopt administrative and technical measures to ensure the protection of all Personal Data used for the provision of Services (according to article 46 of the LGPD) in order to guarantee an adequate security level and mitigate damages to the data. The security measures put in place by Emptor shall take into consideration the risk of the operation, in particular the risks regarding Security Incidents
Emptor shall keep the Personal Data protected under an Information Security Program that ensures (a) protection against losses, unlawful disclosure or access; (b) reasonably identifies security risks and unauthorized accesses to its softwares; and (c) minimizes security risks, performing regular performance evaluations and tests. Emptor shall designate one or more employees to coordinate and take into effect the Information Security Program.
If a Security Incident takes place, including, without limitation, unlawful or unauthorized access, data breaches or Personal Data losses, regardless of the reason that occasioned the Incident, Emptor shall communicate the Client immediately (a) the date and hour of the incident; (b) the date and hour of the communication; (c) all the Personal Data affected by the incident; (d) the number of Data Subjects affected; (e) the contact information of the person responsible for providing further information on the matter; (f) the measures already taken to mitigate the damage and avoid new incidents. If Emptor is not in possession of all the information listed above at the time of the communication, Emptor shall send them separately as soon as it gets hold of the missing information. The complete report over the Security Incident shall be completed no later than five (5) days after the acknowledgement of the incident.
The Personal Data exchanged between Parties shall be kept Confidential. Emptor must ensure that any Personal Data received is available only to those employees who effectively need access to it for the correct provision of the Services. The employees that have access to the Personal Data shall (a) only treat the data within the limits and under the terms of this Clauses, the SaaS Agreement and LGPD; (b) receive training over Data Protection and Information Security; and (c) have committed in writing to strictly observe the confidentiality over the Personal Data treated.
Each Party shall designate a person responsible for the communications regarding the Personal Data protected by these Clauses as well as any questions that may arise from the provisions set forth in this document.
The Client acknowledges and agrees that, for the correct provision of Services, Emptor may use third party providers to carry out specific Data Treatment activities, including, without limitation, cloud computing and storage. In this case, Emptor shall only enter into agreements with third party providers that ensure the adequate level of protection required by LGPD for the Personal Data.
After the provision of Services takes place effectively, Emptor shall notify the Client about substantial changes in the third party providers, providing a list of any new third party providers contracted by Emptor for the rendition of the Services.
INTERNATIONAL DATA TRANSFER
Any International Data Transfer that takes place due to the provision of Services must abide by the rules set forth in Chapter V of LGPD. The Parties, being both companies with its headquarters located outside Brazil, hereupon agree with the International Data Transfer to the United States of America, where the Data Treatment shall take place, including its components of cloud computing and storage through Cooperators. The Client, as the Controller of the Personal Data, shall be responsible for informing the Data Subject about the International Data Transfer and collecting, as well as keeping record of, the necessary specific and highlighted consent according to LGPD. No provision of Services shall happen without the specific consent set forth in this section, considering all services are rendered outside Brazil.
If any other International Data Transfer is set to take place outside the one already agreed upon in this document, the Party responsible for the transfer shall notify the other party in writing prior to its occurrence. Any International Data Transfer intended by Emptor outside the one already agreed upon depends on the agreement of the Client, that shall, that can deny the request at its sole discretion.
Any International Data Transfer that happens in order to ensure the provision of Services – including Clause 6.1. – shall observe the level of Data Protection required by LGPD, as set forth in these Clauses. No company, organisation or entity shall receive access to the Personal Data without ensuring security levels adequate to what is agreed upon in this document.
The Parties hereby undertake to adopt the pertinent mechanisms regarding International Data Transfer whenever they are made available, including amend ANPD future Standard Contractual Clauses as well as clauses provided by the destination countries for the Persona Data.
WHEN AGREEMENT ENDS
The Parties agree that on the termination of the provision of the Services, the Data Treatment shall be discontinued. The remaining Personal Data at that time as well as any copies (in digital or physical format) shall, at the choice of the Client, be eliminated or returned no later than thirty (30) days after the termination, except in the cases the storage of the Personal Data is required by law or allowed within the terms of LGPD (Chapter II, Section IV).
International Data Transfer
Argentina Standard Contractual Clauses
This annex is for the international transfer of personal data for the provision of services, specifically and only applicable to personal data that originates in and is transferred from Argentina, or otherwise involves Argentinian natural or legal persons. Client (hereafter, “the data exporter”) and Company (hereafter, “the data exporter”), jointly referred to as “the parties”, agree to this contract for the international transfer of personal data for the provision of services, subjecting it to the terms and conditions detailed within this Annex.
The following definitions shall apply to this annex, with English being the prevailing language in the event of a conflict or confusion regarding terminology. Wherever appropriate, a singular term shall be construed to mean the plural where necessary, and the plural term the singular.
“Personal Data”. Information of any kind referring to certain or ascertainable physical persons or legal entities.
“Sensitive Data”. Personal data revealing racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, labor union membership, and information concerning health conditions or sexual habits or behavior.
“Data Treatment” or “Treatment”. Systematic operations and procedures, either electronic or otherwise, that enable the collection, preservation, organization, storage, modification, relation, evaluation, blocking, destruction, and in general, the processing of personal information, as well as its communication to third parties through reports, inquiries, interconnections or transfers.
“Responsible”. Physical person or legal entity, public or private, owning a data file, data register, data bank or database.
“Data Owner”. A physical person or legal entity having a legal domicile or local offices or branches in Argentina, whose data is subject to the treatment and processing referred to in this Contract, its Annexes, or the relevant Data Protection Legislation.
“Agreement”. The Company-Client SaaS Agreement to which this Annex is attached.
“Authority” or “Control Authority”. This refers to the National Directorate of Personal Data Protection of the Argentine Republic.
“Exporter”, “Data Exporter”, or “Data Controller”. The person responsible for defining the parameters and objectives of data processing, who is also responsible for the exportation of data. Data transferor.
“Importer”, “Data Importer”, or “Data Processor”. The service provider under the applicable law located outside the Argentine jurisdiction that receives the personal data from the data exporter for the processing in accordance with the terms of the Agreement.
“Data Protection Legislation”. Shall mean Argentine Law No. 25,326 and relevant associated regulations.
Purpose and Terms of Transfer
The Data Exporter’s is responsible for the following:
Accumulating all necessary information to be processed.
Affirmatively establishing consent of the data subject or otherwise establishing legal basis for use of data subject information.
Secure handling of information (both data subject and confidential company information) using any and all reasonable means.
Act as point of contact for various rights of inquiry and correction inherent to data subject.
Compliance with all relevant and applicable laws.
The Data Importer is responsible for the following:
Secure transfer, storage, and processing of data using any and all reasonable means.
Return of data or deletion upon conclusion of work or at the request of Client or data subject.
Assistance to Data Exporter’s requests for processing rights of the data subject.
Compliance with all relevant and applicable laws.
The personal data transferred relates to the following categories of data subjects:
Natural and Legal Persons established or residing in Argentina
The personal data transferred refers to the following categories of data:
Personal Identifying Information
Public records relating to the data subjects identified through Personal Identifying Information by Data Owner
The personal data transferred will be subject to the following processing:
Personal Identifying Information will be matched against various public databases for the purpose of validating identity of data subject, as well as any possible manifestations of public administrative or judicial rulings involving the data subject. This includes both automated and manual review methods.
Responsibilities and Third Party Beneficiaries
The Data Owner is given third-party beneficiary status to this contract and as such, may request and compel the Data Importer to comply with the provisions of Law No. 25,326 related to the processing of their personal data, particularly regarding the right to access, rectification, deletion, and other rights contained in Chapter III, articles 13 to 20 of Law No. 25, 326, in accordance with the obligations and responsibilities assumed by the parties to this contract. For the purposes of compliance with obligations to the Data Owner enumerated in this Annex and regarding the rights of the Data Owner, parties to the contract submit to Argentine jurisdiction, both judicial and administrative. In those cases where non-compliance is alleged by the Data Importer, the Data Owner may require the Exporter to take appropriate action in order to cease such non-compliance.
The Importer accepts that the Control Authority may exercise its powers regarding the data processing that it assumes, with the limits and powers granted to the Authority by Law No. 25,326, accepting its powers of control and sanction, and granting it for such purposes and where appropriate, the character of third-party beneficiary.
In the event that the Importer revokes this annex, or does not comply with its terms, despite notice by the Exporter, granting a peremptory term of five (5) business days, with the rights and faculties recognized to third-party beneficiaries in this clause, such dereliction will be grounds for the automatic termination of this Contract.
Data Owners may require the Importer to comply with the obligations assumed in this contract relating to the processing of the data that are specific to the Exporter, when the Exporter has in fact disappeared or has legally ceased to exist, unless any successor entity has assumed all of the legal obligations of the Data Exporter under contract or by operation of law, in which case the owners of the data may demand them from said entity.
The Data Owners may require Subprocessors to comply with this clause and to comply with the obligations assumed in this contract by the Exporter and the Importer, related to the processing of data that are specific to the Exporter, when both have disappeared de facto or have legally ceased to exist, unless a successor entity has assumed all of the legal obligations of either of them under contract or by operation of law, in which case the holders of the data may be required from said entity. The civil liability of the Subprocessor will be limited to its own data processing operations as agreed between the parties and these clauses.
The parties do not object to Data Owners being represented by an association or other entities provided for by Argentine law.
Obligations of the Data Exporter
The Data Exporter agrees and guarantees the following:
The collection, processing and transfer of personal data has been and/or will be carried out in accordance with Law No. 25,326.
That the Data Exporter has made reasonable efforts to determine if the Data Importer is capable of fulfilling its obligations agreed upon in this contract. To this end, the Data Exporter may request the Importer to contract liability insurance for any damages caused by the planned treatment, as specified in this Annex.
During the provisioning of personal data processing services, Data Exporter will give necessary instructions so that the processing of the transferred personal data is carried out exclusively on its behalf and in accordance with Law No. 25,326 and this contract.
Data Exporter will deliver to Importer a copy of the legislation in force in Argentina applicable to the intended data processing.
Data Exporter guarantees that it has complied with informing the Data Owners that their personal information could be transferred to a third country with lower levels of data protection than those of the Argentine Republic.
Data Exporter guarantees that in the case of subprocessing, the activity will be carried out by a subprocessor who must have the express prior consent of the Exporter and who will provide at least the same level of protection of personal data and rights of the holders than those agreed here with the Data Importer, entering into a contract for such purposes, and who will also be under the instructions of the Exporter unless the Importer otherwise explicitly agrees in writing to respond to such inquiries. If the Importer agrees to such responsibilities, it will be the Exporter who must respond, to the extent reasonably possible and based on the information reasonably available, if the Data Importer is otherwise unable to or in fact, does not respond.
Data Exporter will make available to the Data Owners (as third-party beneficiaries in accordance with Clause 3 of this Annex), at their request, a copy of these standard contractual clauses that relate to the processing of their personal data, rights and guarantees, as well as a copy of the clauses of other contracts necessary for the data subprocessing services that must be carried out in accordance with this contract.
Obligations of the Data Importer
The Data Importer agrees to and guarantees the following:
The Data Importer will process the personal data transferred only on behalf of the Data Exporter in accordance with its instructions and the clauses. In the event that the Data Importer cannot meet these requirements for whatever reason, the Importer will immediately inform the Data Exporter, in which case the Data Exporter will have the right and ability to suspend the transfer of data or terminate the contract.
Data Importer will arrange for the necessary and effective security and confidentiality measures to avoid adulteration, loss, consultation or unauthorized treatment fo the data, and that make it possible to detect deviations, intentional or otherwise, whether the risk is through human action or technical processes, verifying that they are not inferior to those provided by current regulations, in such a way that Importer guarantees the level of security appropriate to the risks involved in the treatment and the nature of the data to be protected.
Data importer guarantees that it has and maintains procedures that guarantee that all access to the transferred data will be carried out only by authorized personnel, establishing access levels and passwords, who will comply with their duty of confidentiality and security, signing agreements for such purposes.
Data Importer has verified that local legislation does not prevent compliance with the obligations, guarantees and principles set forth in this contract regarding the processing of personal data and its owners, and will inform the Data Exporter immediately if Importer becomes aware of the existence of any provision of this nature, in which case the Exporter may suspend the transfer.
Data Importer will process personal data following the express instructions given by the Exporter in accordance with the purposes and manner described in this Annex.
Data Importer will notify the Data Exporter of a contact point within their organization authorized to respond to inquiries related to the processing of personal data and will cooperate in good faith with the Exporter, the Data Subject, and the Authority with respect to such inquiries or communications. In the event that the Exporter has legally ceased to exist, or if the parties have so agreed, the Importer will assume the tasks related to its compliance in accordance with the provisions of Clause 3(d).
Data Importer will make available, at the request of the Exporter or the Authority, its data processing facilities, its files, and all documentation necessary for processing, for review, audit or certification purposes. These tasks will be carried out, upon reasonable notification and during normal business hours, by an impartial and independent inspector or auditor appointed by the Exporter or the Authority, in order to determine if the guarantees and commitments provided for in this contract and Annex are met.
Data Importer will treat personal data in accordance with Law No. 25,326, on the protection of personal data.
Data Importer will promptly notify the Data Exporter of:
Any legally binding request to transfer personal data made by a law enforcement authority, unless prohibited by applicable law (to the extent not exceeding what is necessary in a democratic society following the guidelines of Clause 5(j)(ii).
Any accidental or unauthorized access.
Any unanswered request received directly from the data owners, unless otherwise authorized to respond directly to the request.
Data Importer will not assign or transfer personal data to third parties, except in the case of:
Where it is specifically established in this Annex or is necessary for compliance purposes, verifying in both cases that the recipient is bound by the same terms as the Data Importer at the time of the data transfer and with the prior knowledge and agreement of the Exporter.
The assignment is required by law or competent authority, to the extent that it does not exceed what is necessary, for example but not exclusively, when it constitutes a necessary measure for the safeguarding of state security, defense, public safety, prevention, investigation, detection and repression of criminal or administrative offenses, or the protection of the Data Owner or the rights and freedoms of other people, when they could hinder ongoing judicial or administrative actions related to the investigation into compliance with obligations subject to state control and related to public order, including but not limited to tax or social security, the development of health and environmental control functions, the investigation of criminal offenses and verification of administrative offenses.
Notwithstanding the other provisions of Clause 5(j), access to the data must be provided when the affected party has to exercise their right of defense and, in the event that the requesting authority does not grant or offer the guarantees of safe handling and transfer of information, Argentine law and protections will control.
Data Importer will recognize requests from Data Owner as a third-party beneficiary, as well as requests from the Exporter, and recognizes rights to access, rectification, deletion, as well as the other rights contained in Chapter III, articles 13 to 20 of Law No. 25,326, respecting the legal deadlines and providing the means for this purpose. It will respond within the terms provided by Law No. 25,326 to the queries of the data holders and the authority regarding the processing of personal data by the Data Importer, regardless of any agreements between Importer and Exporter to the contrary, in following the instructions of the Authority.
Data Importer will delete or otherwise destroy, certifying such fact, and or return to the Exporter the personal data that is the object of transfer, when for any reason this Contract is terminated.
In the case of subprocessing of the data, Importer will inform the Exporter and obtain written consent prior to engaging in subprocessing.
Treatment or processing by subprocessor will be carried out in accordance with Clause 10 of this Annex.
Data Importer will promptly send the Exporter a copy of the contract that it enters into with the subprocessor under this contract and in which the Exporter will be granted the status of third-party beneficiary in order to give the instructions it deems necessary and authority to resolve it.
Data Importer will keep a record of compliance with the obligations assumed in this clause, the report of which will be available at the request of the Exporter or the Authority.
The parties agree that the owners of the data that have suffered damages as a result of the breach of the obligations agreed to in this Agreement and Annex by either party or subprocessor, will have the right to receive compensation from the Data Exporter to compensate for damage suffered.
In the event that the Data Owner cannot file against the Exporter referred to in Clause 6(a) for breach by Data Importer or Subprocessor of their obligations in Clause 5 and/or Clause 10, by having de facto disappeared, ceased to exist legally or is insolvent, the Data Importer agrees that the Data Subject can sue him in the place of the Data Exporter, unless any successor entity has assumed all legal obligations of the Exporter by virtue of a contract or by operation of law, in which case the Data Owners ma demand their rights from said entity. The Importer may not rely on a breach by a Subprocessor of its obligations to avoid its own responsibilities (unless any successor entity has assumed all of the Exporter’s or Importer’s legal obligations under contract or by operation of law, in which case Data Subjects may enforce their rights against such entity). The responsibility of the Subprocessor will be limited to its own data processing operations in accordance with these clauses.
Applicable Law and Jurisdiction
This Contract will be governed by the law of the Argentine Republic, in particular Law No. 25,326, its regulations and provisions of the National Directorate of Personal Data Protection, and will understand in case of related conflict to the protection of personal data the judicial and administrative jurisdiction of the Argentine Republic.
Resolution of Conflicts with Owners of the Data
The Importer agrees that if the Data Owner invokes third-party beneficiary rights against the Importer, or claims compensation for damages in accordance with the clauses, Importer will accept the decision of the Data Owner to:
Submit the conflict to mediation by an independent person;
File a complaint with the National Directorate of Personal Data Protection; and
Submit conflict to the competent Argentine courts.
The parties agree that the options of the Data Subject will not impede their substantive or procedural rights to obtain redress in accordance with other provisions of national or international law.
Cooperation with Data Protection Authorities
The parties agree that the supervisory authority is empowered to audit the Importer, or any Subprocessor, to the same extent and under the same conditions as it would do with respect to the Exporter in accordance with Law No. 25,326, making its audit facilities available. The audit tasks may be carried out both by personnel of the control authority and by suitable third parties designated by it for said act or by local authorities with similar powers in collaboration with the authority.
The Data Importer shall promptly inform the Data Exporter in the event that existing legislation applicable to it or any Subprocessor does not allow auditing of the Importer or Subprocessors.
The Data Importer shall not subcontract any of its processing operations carried out on behalf of the Data Exporter in accordance with this Annex without the prior written consent of the Data Exporter. If the Importer subcontracts its obligations, it must be done through a written agreement in which the Subprocessor assumes the same obligations as the Importer, insofar as it is compatible, to the Data Exporter, and the Data Owner and the Control Authority as third-party beneficiaries.
In cases where the Subprocessor is unable to fulfill its data protection obligations by manner of this Annex, the prior written contract between the Data Importer and Subprocessor will also contain a third-party beneficiary clause that includes those cases in which the Data Owner cannot file the claim for compensation referred to in Clause 6(a) against the Exporter or Importer because they have de facto disappeared, ceased to exist legally or are insolvent, and no successor entity has assumed the full legal obligations of the Exporter or Importer under contract or by operation of law. Such civil liability of the Subprocessor will be limited to its own data processing operations according to the subcontracted tasks.
The provisions on aspects of data protection in the case of contracts with a Subprocessor, operations will be governed by Argentine law. This requirement can be satisfied by means of a contract between the importer and the Subprocessor in which the Subprocessor is a co-signatory of this Contract.
The Data Exporter shall keep a list of subprocessing agreements entered into by the Importer, a list that will be updated at least once a year. The list will be available to the Control Authority.
Termination of Contract
In the event that the Data Importer fails to comply with its obligations under these clauses, the Data Exporter must temporarily suspend the transfer of personal data to the Importer until the cause of the breach is remedied and the seriousness assessed, and the controlling authority notified Authority.
The contract will be deemed terminated, and the exporter must so declare it prior to the intervention of the Control Authority, in the event that:
The transfer of personal data to the data importer has been temporarily suspended by the Exporter for a period of time greater than thirty (30) calendar days in accordance with the provisions of Clause 11(a);
Compliance by the Importer of this contract and the applicable law are contrary to legal or regulatory provisions in the importing country;
The Data Importer substantially or persistently breaches any guarantee or commitment provided for in this Annex;
A final and firm decision against which no recourse can be filed by an Argentine court or by the National Directorate for Personal Data Protection, which establishes that the Importer or Exporter has breached the Contract; or
The Exporter, without prejudice to the exercise of any other right that may assist him against the Importer, may resolve these clauses when the judicial administration or liquidation of the Importer has been requested and said request has not been dismissed within the period established for this purpose in accordance with the applicable legislation; a liquidation order is issued or its bankruptcy is decreed; a manager of any of its assets is appointed; the Importer has requested the declaration of bankruptcy; or is in a similar situation before any jurisdiction.
In the cases contemplated by subparagraphs i), ii), or iv), the Importer may also proceed with the resolution without the need for intervention by the Control Authority.
The parties agree that the termination of this contract for whatever reason will not exempt them from compliance with the obligations and conditions related to the processing of personal data transferred.
Obligations upon completion of Processing
The parties agree that, once the provision of personal data processing services has been completed, for whatever reason, the importer and the sup-processor must, at the discretion of the Exporter, either return all transferred personal data and their copies, or destroy them completely and certify their deletion to the Exporter, unless the legislation applicable to the Importer prevents him from returning or destroying all or part of the personal data transferred, verifying that said conservation period is not contrary to the applicable personal data protection principles, and if they are contrary, then the Control Authority will be notified.
External Software Usage Policy
This External Software Usage Policy (the “Policy”) pertains to any Client that contracts with Emptor to use Emptor’s Services. In addition to any and all obligations stated in any Agreement signed between Client and Emptor, this Policy outlines additional terms and conditions with which Client must comply in order to use Emptor’s services. Client understands that by entering into an Agreement with Emptor and accepting the Emptor API Key to use Emptor’s Services to perform background checks, Client agrees to abide by this Policy and that failure to comply with this Policy shall be deemed a breach of the Agreement between Client and Emptor.
Emptor’s Services – Emptor has created software that can perform background checks on individuals in several countries in Latin America
Emptor API – Emptor’s application programming interface that Client uses in order to perform background checks on Data Subject
Emptor API Key – application programming interface key that Emptor will give to its clients for the sole purpose of using Emptor’s software to perform background checks
Client – Any entity or individual that signs an Agreement with Emptor is a Client of Emptor
Agreement – Any relationship between Emptor and another party (Client) will be governed by terms and conditions within an Agreement, which includes any and all relevant Service Level Agreement
Emptor Background Checks API Documentation – this is the documentation provided to Client that explains how to access the Emptor API
Termination Date – When Emptor and Client terminate any contractual relationship, a Termination and Settlement Agreement will be executed between the parties that will state the Termination Date, which is the date in which Emptor will cease providing any services to Client
Client Report – This report indicates whether the Data Subject has passed or failed any part of the background check
Data Subject – third party individual whose personal information is being used to perform the background check
Use of the Emptor API and/or G Sheet(s)
Emptor G Sheet(s)
In certain instances, in order for Client to be able to use Emptor’s Services, Client shall gain access to Emptor’s API via G Sheets whereby Client can input a Data Subject’s personally identifiable information (“PII”) in the G Sheets and Emptor’s API will produce a result as outlined in the API documentation that will be indicated on the G Sheets. By using the G Sheet product, Client shall not be able to directly access the Emptor API.
Emptor API Usage via Direct Integration
In certain instances, in order for Client to be able to use Emptor’s Services, Client shall gain access to Emptor’s API via Direct Integration. In this case, Client shall have direct access to the Emptor API whereby Client can input a Data Subject’s PII and Emptor’s API will produce a result as outlined in the API documentation that will be indicated in a report sent to Client.
Emptor API key
In order for Client to be able to use the Emptor API, Emptor shall send to Client an Emptor API key. Emptor shall send the Emptor API Key in plain text in a Google Doc to an email address designated by Client. Client shall use the Emptor API key in order to be able to access and use the Emptor API. Client is responsible for maintaining the security and confidentiality of the Emptor API key using industry-standard security measures. Client is prohibited from sharing the Emptor API key with any third party without written consent from Emptor. In the event that the Emptor API key is lost or stolen, Client must notify Emptor immediately at which point Emptor shall suspend the Emptor API and change the Emptor API Key. Furthermore, if the API key is stolen, any checks performed as a result of the stolen key shall be paid by Client in accordance with the pricing terms outlined in the Agreement between Client and Emptor.
Compliance with all applicable laws and regulations
Client agrees to comply with all applicable laws, regulations, and third party rights in any and all relevant jurisdictions while using the Emptor API and/or G Sheet(s). Client will not use the Emptor API and/or G Sheet(s) to promote or engage in any illegal activities. Furthermore, Client will not use the Emptor API and/or G Sheet(s) to violate any third party rights. As also stated in the Agreement between Client and Emptor, Client agrees and warrants that it has received the necessary consent from the relevant third party in order to perform the background check using the Emptor API and/or G Sheet(s). Client is solely responsible for obtaining the data subject’s consent and recording such consent if necessary in compliance with any and all applicable laws and regulations.
Client agrees to access (or attempt to access) the Emptor API only through the instructions contained in the Emptor Background Checks API Documentation. Client shall not misrepresent or hide its identity when accessing the Emptor API.
Prohibitions on Use of the Emptor API
In addition to not using the Emptor API and/or G Sheet(s) to break any applicable laws and regulations, Client shall refrain from engaging in the following prohibited activities. Client shall not access the Emptor API and/or G Sheet(s) in order to introduce to Emptor’s Services any worms, viruses, or any other item of a destructive nature. Client shall not access the Emptor API and/or G Sheet(s) to interfere with or disrupt the Emptor API or the servers or networks providing the Emptor API. Client shall not use the Emptor API to defame, abuse, harass, stalk, or threaten others. Client shall not use the Emptor API or G Sheet(s) to remove, obscure, or alter any Emptor terms of service or any links to or notices of those terms.
Terms governing rate limits are articulated in Emptor’s API manual found at https://docs.emptor.io/.
Client is responsible for maintaining the security of the Emptor API and/or G Sheet(s) and will not make it available to any third party any login credentials including, but not limited to, any key, password, or token to the Emptor API and/or G Sheet(s). Client shall use industry-standard security measures to prevent unauthorized access or use of the Emptor API and/or G Sheet(s) whether by worms, virus, or any other harmful means. In the event that Client reasonably believes that there has been any unauthorized access to the Emptor API, Client must immediately notify Emptor and cooperate with Emptor in any way necessary.
Emptor monitoring of Client use of Emptor API
Client understands and agrees that Emptor may, if it so desires, monitor use of the Emptor API and/or G Sheet(s) in order to ensure quality and improve Emptor’s Services. Monitoring includes, but is not limited to, accessing the Emptor API and/or G Sheet(s). Client shall not interfere with Emptor’s monitoring.
Updates to the Emptor API
Emptor may update the Emptor API and/or G Sheet(s) at any time in its sole discretion, and Client is obligated to use the most current version.
Termination of Use of the Emptor API
In the event that the Agreement between Client and Emptor is terminated for any reason, Client must cease using the API and/or G Sheet(s) on the Termination Date. On this Termination Date, Emptor will cease providing services and access to the Emptor API to Client. In addition, Emptor will rotate the relevant Emptor API Key.
Emptor owns the Emptor API and/or G Sheet(s) and Client shall have no ownership interest whatsoever in the Emptor API and/or G Sheet(s). Client owns the input data as well as the output data (Client Reports). Emptor owns all processed data.