Emptor, Inc. – Reseller

Software as a Service (SaaS) Agreement

This Agreement is entered into between Emptor, Inc., 251 Little Falls Dr., Wilmington, Delaware 19808 (“Company”) and you, the Reseller.  It should be noted that certain portions of the SaaS Agreement are only applicable to certain products or countries (as affirmatively indicated within this Agreement).  The Annexes are one such portion of the Agreement that may or may not apply, based on the locus of the information or data subject.  For any Resellers whose place of incorporation is within the European Union, or Data Subjects who are EU citizens, the Standard Contractual Clauses shall apply by operation of law.  For Data Subjects whose presence in a jurisdiction that requires similar Standard Contractual Clauses as defined and required by the law of that jurisdiction, such Standard Contractual Clauses shall apply either as written in this Agreement or by law if not already included by this Agreement’s Annexes.  The Terms and Conditions of this SaaS Agreement will, from time to time, be updated to reflect changes at Company or with Company’s services.  If material or significant changes are made, Reseller may be required to affirmatively consent to these changes.  If Reseller does not protest the changes or Reseller otherwise continues to use Company’s services, Reseller will have consented to the changes made.  The Terms and Conditions of this SaaS Agreement shall govern Reseller’s use of Company services and shall go into effect upon Reseller clicking the box affirmatively stating they accept these Terms and Conditions at the time of signing up for Company’s services, or by signing the applicable Work Order Form.

This SaaS Agreement (the terms and conditions stated herein, any applicable work order form, the annexes listed below, and Emptor’s API manual https://docs.emptor.io/), applicable in its entirety, constitutes the entire agreement between the parties and governs all work contracted under, and performed by, Emptor, Inc. as articulated in the applicable Work Order Form(s) and any applicable addendums thereto.  The following terms the Reseller and agrees to include, but are not limited to:

• The Reseller warrants that informed consent has been given by any and all data subjects for the use of their information in Emptor’s services, or that use otherwise falls within lawful purposes and use under any and all relevant and applicable laws.

• The Reseller warrants that upon written request by Emptor, the above informed consent shall be evidenced or otherwise that lawful use of the information can be demonstrated.

• Company’s news reports are composed of unaffiliated third party sources,  and Company disclaims liability to the fullest legal extent, and does not warrant the veracity or accuracy of the substantive information provided by these sources.

The Reseller further agrees to the following:

Terms and Conditions

1. SERVICES AND SUPPORT

1. Subject to the terms of this Terms and Conditions, the API Manual (https://docs.emptor.io/), Data Protection Agreement for Emptor Inc. (Annex I), Data Protection Agreement for services in Brazil (Annex II), Service Level Agreement found in the API manual), External Software Usage Policy (Annex III), and any applicable Work Order Form (collectively referred to as “SaaS Agreement” or “Agreement”), Company will use commercially reasonable efforts to provide Reseller the Services in accordance with the Service Level Agreement(found in the API Manual), as well as any additional Service Level Terms agreed to by the parties, the terms of which are governed by this Agreement.

2. Subject to the terms hereof, Company will provide Reseller with reasonable technical support services in accordance with the terms set forth in Service Level Agreement, as well as any additional Service Level Terms agreed to by the parties, the terms of which are governed by this Agreement. 

2. RESTRICTIONS, RESPONSIBILITIES AND COMPLIANCE

1. Reseller will not, directly or indirectly (through itself or any third party): reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services (“Software”); modify, translate, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third; or remove any proprietary notices or labels.

2. Export and Import Control Compliance.  Further, Reseller may not remove or export from the United States or allow the export or re-export of the Services, Software or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority.  As defined in FAR section 2.101, the Software and documentation are “commercial items” and according to DFAR section 252.2277014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.”  Consistent with DFAR section 227.7202 and FAR section 12.212, any use modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.  

Furthermore, Reseller acknowledges Company adherence to the Export Administration Regulations (EAR, 15 CFR Section 740 et al.).  Company processes information that is otherwise publicly available in compliance with not only US regulations, but also the relevant and applicable laws of the jurisdiction in which the Data Subject is located.  Company does not collect or process information that is private or otherwise unavailable to public access.  The importation, processing, and re-exportation of Personal Identifying Information, as well as the use of Company proprietary information, are in accordance with the principles and restrictions and permissible use of the Export Administration Regulations (15 CFR 740.13, 15 CFR 734.3(b)(3)), or that is otherwise in the public domain as defined by ITAR (22 CFR Section 120.34).  

3. OFAC Compliance. Reseller acknowledges that Company is beholden to OFAC regulations, and in particular, the OFAC Cyber-Related Sanctions program, implemented under E.O. 13694 and E.O. 13757.  As such, Company is prohibited from engaging in business with, or furthering the interests of, any individual, group, or entity designated by the U.S. Government as a Specially Designated National.  Reseller warrants that, to the best of its knowledge, Reseller is not identified by the United States Office of Foreign Asset Control (OFAC) as an entity, nor is it owned or controlled by (either controlled by through entity charter, or through 50% or more ownership of the entity), or acting on behalf of, targeted countries, or any entity otherwise designated as a Specially Designated National, nor is Reseller engaging in business with individuals or entities with such classification.  Reseller also warrants that it is not knowingly employing Emptor for the purpose of doing business with, or furthering the interests of, third party companies, entities, groups, or individuals that are identified by OFAC as Specially Designated Nationals.  If Reseller discovers that an individual or entity directly under its employ, or a Reseller it services, or a third party individual or entity for whom Reseller engages in Company’s services to provide business to, is a Specially Designated National, then Reseller is under an affirmative obligation to notify Company.

4. Compliance with use of Company’s API Manual. Reseller represents, covenants, and warrants that Reseller will use the Services only in compliance with Company’s standard published policies, which are articulated in Company’s API manual (found at https://docs.emptor.io/), the External Software Usage Policy incorporated into this Agreement, as well as all applicable laws and regulations. Reseller hereby agrees to indemnify and hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Reseller’s use of Services. Although Company has no obligation to monitor Reseller’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.

2.5 FCRA Compliance and FCRA 607 Notice of Reseller Reseller’s Client Responsibilities.  The parties acknowledge that for purposes of this Agreement, Company is operating as a consumer reporting agency, as that term is defined in the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.). The parties acknowledge that the Data will be used for consumer reporting purposes pursuant to the FCRA.  Company and Reseller certify that they have established and implemented written policies and procedures regarding the accuracy and integrity of information furnished, pursuant to any and all applicable provisions in the FCRA.  By signing this Agreement, Reseller further acknowledge and certify the following:

1.        That Reseller has engaged Company for information processing services that are legal and in compliance with the local employment and hiring laws in any of the following that are relevant and applicable: 

The jurisdiction of the position for which the Reseller or Reseller’s Client is hiring;

The jurisdiction of the Data subjects residence or citizenship;

The jurisdiction in which the Reseller and/or Reseller’s Client is incorporated and operating; 

2.         That the purpose for which Reseller has engaged Company’s services is compliant with the permissible purposes for which services can be rendered under FCRA Section 604, or that Reseller and Reseller’s Client have otherwise has informed and received written consent from the Data Subject for the processing of their information and rendering services; and

3. Should Company request or require evidence of written consent or permissible purpose from Company, Reseller and Reseller’s Client are able to provide such evidence upon request of either Company or Data Subject;

4. The Reseller has informed the data subject clearly and conspicuously in writing of the purpose and nature of the use of their information in a standalone format;

5.         Reseller is not using Data Subject information or Company services in an unlawful manner.

2.6 FCPA Compliance.   Company does not, and shall not permit any of its subsidiaries and Affiliates or any of its or their respective directors, officers, managers, employees, independent contractors, representatives or agents (collectively, “Representatives”) to, promise, authorize or make any payment to, or otherwise contribute any item of value to, directly or indirectly, any non-U.S. government official, in each case, in violation of the U.S. Foreign Corrupt Practices Act (“FCPA”) or any other applicable anti-bribery or anti-corruption law. The Company shall, and shall cause each of its subsidiaries and Affiliates to, cease all of its or their respective activities, as well as remediate any actions taken by the Company, its subsidiaries or Affiliates or any of its or their respective Representatives in violation of the FCPA or any other applicable anti-bribery or anti-corruption law. The Company shall, and shall cause each of its Affiliates and subsidiaries to, maintain systems or internal controls (including, but not limited to, accounting systems, purchasing systems and billing systems) to ensure compliance with the FCPA or any other applicable anti-bribery or anti-corruption law.

2.7 General Data Security and Privacy Law Compliance.  The Parties acknowledge that the data to which they will have access pursuant to this Agreement will contain Personal Identifying Information, the use of and access to which is subject to various privacy and data security laws in various jurisdictions.  The Parties agree to comply with any and all such applicable Privacy and Data Security laws, and to implement appropriate mechanisms to comply therewith as part of their own internal Information Security program.  Furthermore, parties agree to implement and execute any and all supplementary or incidental agreements, notices, consents, and other documents as is required by law or this Agreement to further ensure compliance with such Privacy and Data Security Laws.

2.8 Notice of Limited Use of PII.  Company does not use any Personal Identifying Information of the data subject given to it by Reseller, including but not limited to the Reseller Data, any other personal data of the data subjects and any data derived from it, other than for the provision and improvement of the Services rendered, the Services of which are defined by this Agreement.  Reseller, as the direct point of contact with the data subject, is responsible for placing the data subject on notice and receiving requisite consent from the data subject for the processing and use of their information.

2.9 Reseller Responsibilities.  Reseller shall maintain marketing and customer service standards that are appropriate in order to maintain high-quality Services and to reflect favorably on Reseller’s and Company’s reputation.  Reseller shall provide customers with prompt, courteous, and efficient service, shall take every reasonable precaution not to disclose any Customer information, other than as permitted or compelled by any applicable legislation, and shall deal with Customers honestly and fairly.  

2.10 Mutual Obligations.  Neither party shall by way of statement, act or omission, discredit or reflect adversely upon the reputation of or the quality of the other party or the products or services provided by the other party.

2.11 Customer Contracts.  The Reseller shall not enter into contracts with customers on behalf of Company except as explicitly articulated within this Agreement, and in accordance with any applicable regulations.  The terms and conditions of each resale, for the purpose of compliance, safety and security of the data transferred and processed,  must conform to the means of servicing and conditions set forth herein.  Reseller shall not make any representations or warranties on behalf of Company that are not explicitly and affirmatively stated in this agreement, nor shall it in any way bind or attempt to bind Company contractually or otherwise with any Customers.  Reseller shall use good faith to coordinate marketing efforts with the business development component of Company.

2.12 Reseller Marketing.  Reseller may, without the prior written consent of Company, market, promote and/or re-sell the Services, provided that Reseller shall continue to be responsible for all of its duties and obligations under this Agreement and for any acts or omissions. Reseller shall be liable to Company for all losses, costs, damages and expenses of whatsoever nature, that Company may sustain or incur as a result or in connection with any act or omission of Reseller in the course of its marketing Company’s Services, provided that Reseller shall be entitled to the benefit of any limitations in this Agreement.  Reseller shall, however, only use marketing materials given to it by Company explicitly for marketing purposes. In addition, Company is allowed to use Reseller’s logo on its website as a “reseller of Company’s services.” Reseller may use Company’s logo on Reseller’s website as a “service provider.”

2.13 Launch of the Services with Reseller.  Upon execution of this Agreement, the parties will co-operate and use commercially reasonable efforts to integrate the Services with any Reseller software or infrastructure with which the Services need to interact in order to allow the Services to be marketed by Reseller to Customers. Once the Services have been integrated with Reseller’s software or infrastructure and the parties agree that the integrated Services are of a reasonable quality (measured by the standards enumerated in the Service Level Agreement), the Reseller shall be entitled to begin reselling the Services to Customers.

3. CONFIDENTIALITY; PROPRIETARY RIGHTS

1. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party).  Proprietary Information of Company includes, but is not limited to, non-public information regarding features, functionality and performance of the Service.  Proprietary Information of Reseller includes non-public data provided by Reseller to Company to enable the provision of the Services (“Reseller Data”). The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information.  The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law. Such five (5) year term will be extended in the event of renewal of this Agreement for additional periods of the same duration as the renewal term of this agreement. Reseller affirms that it implements information security systems, measures, and protocols both internal, and between Reseller and third party service providers, sufficient to safeguard sensitive and proprietary information from inadvertent disclosure or malicious acquisition.  

2. Reseller shall own all right, title and interest in and to the Reseller Data. Company owns any data that is based on or derived from the Reseller Data and provided to Reseller as part of the Services.  Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Implementation Services or support, and (c) all intellectual property rights related to any of the foregoing. 

3. Notwithstanding anything to the contrary, Company shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Reseller Data and data derived therefrom), and  Company will be free (during and after the term hereof) to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate or other de-identified form in connection with its business, provided that such use and disclosure shall be in compliance with any applicable laws and regulations and shall not cause any detriment to the Reseller or any of its affiliates. If Reseller wishes to engage in Emptor services regarding data subjects that are residents or citizens of Brazil, Reseller must sign and adhere to Exhibit Annex II, in which Reseller must acknowledge and acquiesce to compliance with Brazil’s data protection regime,  “Lei Geral de Proteção de Dados” (hereafter, LGPD).   

4. No rights or licenses are granted unless expressly set forth herein. Any use and disclosure of any Proprietary Information and any confidentiality obligation with respect to the Proprietary Information on part of the Disclosing Party shall be governed by and subject to the requirements of the confidentiality requirements of this SaaS Agreement, as well as any additional written and signed Non-Disclosure Agreements between the Parties. In addition, the Company shall not disclose to any other third parties whose primary business competes with that of the Reseller or its affiliates, the existence of this Agreement, the identity of the Reseller, the fact that the parties hereto are considering the transactions contemplated hereunder, including the status thereof and the existence of discussions or agreements between the parties hereto or between the Company and any other person in relation to the transactions contemplated hereunder, or any other fact relating to the transactions or any communications related thereto, without the prior written consent of the Reseller. However, Company may include Reseller in their Reseller references, along with a logo and a description of Reseller’s company for the purposes of fundraising and marketing on Company’s website.

5.  Reseller shall be responsible for all activities of the subsequent resellers, affiliates, and customers to whom Reseller resells, or otherwise makes available thereto, Company’s services.  No Services will be rendered unless Reseller provides proof of, or legally warrants that Reseller requires or has otherwise received, the necessary consent from its clients or the data subjects that is required under any and all applicable laws and regulations of any jurisdiction in which the Services are to be rendered.  The Consent given by the data subject will be for the sole purpose of rendering Services to Reseller.  In the event that the data is collected by Reseller through its own applications, Reseller must be held responsible for developing and integrating the relevant consent collecting functions into its applications.  If such personal data is collected directly by either Party, then the Party shall be responsible for developing the relevant consent collecting functions and shall ensure the integration of such functions into the automated interface provided by it to Reseller for the purpose of rendering services.  The manner in which Reseller offers and implements Company’s services shall at all times be in compliance with the terms of this Agreement.

6. It is acknowledged Reseller owns the input data and the result data. Company owns the process and all processed data. 

3.7 All data, regardless of how it was shared or made available must be duly and completely destroyed, eliminated, or returned to Reseller upon Reseller’s request. Furthermore, upon termination of this Agreement, or upon the written request of the Reseller, the data must be deleted in its entirety using industry best practices.  Reseller further acknowledges that once Reseller Data is destroyed, Company is no longer liable for destroyed data. 

3.8 If applicable, Reseller shall be responsible for complying with any laws pertaining to “ARCO” rights as required by law. In the event that Reseller shall need for Company to provide to any Data Subject the rights of access, cancellation, and/or opposition regarding any Data Subject Personally Identifiable Information (“PII”) in Emptor’s possession, Reseller must submit such request, on Data Subject’s behalf, in writing. Company shall respond as soon as is practicable. Company is not responsible for rectifying information not located within its own data stores. Therefore, to do so, the Reseller should instruct the Data Subject to go directly to the source.

3.9 During the term of this Agreement, neither Party shall (either directly or through any third party, affiliates, or agents) use the information exchanged or disclosed during the course of this Agreement to attempt to undermine or solicit from the other, potential Resellers or opportunities which would not have otherwise been identified, if not for the disclosure of such a Reseller or opportunity by the initial party.  Furthermore, neither Party shall solicit or entice or endeavour to solicit or entice any program, Reseller, or opportunity to transfer to it such business that the other party has already undertaken and is an existing program, Reseller or opportunity, by means of breach of Contract or in any other way. This shall not apply in cases where the business contact, or potential relationship or Reseller would not have otherwise engaged in, or considered engaging in, business with the Disclosing Party.  The parties shall assess their capabilities to pursue and bid on programs, Resellers, and opportunities in good faith.

Each Party hereby undertakes and covenants to and for the benefit of the other Party that it shall not, during the term of this Contract, solicit or entice away or endeavour to solicit or entice away from the other Party any person who is an employee or consultant of that Party, whether or not such person would commit a breach of contract by reason of leaving the employment of the other Party.  However, for the avoidance of doubt, the Parties agree that neither Party may hire the employees of the other Party within two (2) years after their labor contract has been terminated.

Each undertaking contained in this Contract shall be read and construed independently of the other covenants contained in this Contract so that if one or more of such covenants should be held to be invalid for any reason whatsoever, then the remaining covenants shall be valid to the extent that they are not held to be so invalid.  Each Party acknowledges that the restrictions contained in this section are reasonable by it, but if any such restriction shall be found to be void or voidable, but would be valid if some part or parts thereof were deleted or the period or area of application reduced, such restriction shall apply with such modification as may be necessary to make it valid, effective, and enforceable.

4. PAYMENT OF FEES

4.1 Reseller will pay Company the applicable fees described in any applicable Work Order Form agreed to by both parties for the Services outlined therein (the “Fees”). All test data and re-runs processed will be billed at the regular pricing quotes specified in the Work Order Form. Reseller shall be responsible for all taxes associated with Services other than U.S. taxes based on Company’s net income.

4.2 Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Company thirty (30) days after receipt date of the invoice by Reseller.  For the avoidance of doubt, if services commence seven (7) business days prior to the end of a given month, Company acknowledges and agrees that the fees for the services provided during the period from the date when the services start to the end of the month shall be billed to the billing of the following month. Unpaid amounts are subject to a finance charge of 2.0% per week on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. In the event that Company chooses to bill through an invoice, Reseller agrees to pay Company through the information explicitly provided in the Work Order Form. Invoices that may be issued by Company must comply with any and all applicable requirements set forth in the laws and regulations of the country of issuance.

4.3 Company shall obtain approval from Reseller prior to incurring travel expenses that Company requests be reimbursed. If approved, Reseller shall reimburse Company for such travel expenses provided that Company provide Reseller with an itemised description of expenses claimed and receipts for such expenses.

4.4 Billing Policy

1. Definitions

1. Successful Execution: when all the enabled reports for a given Person (an individual whose data Emptor will use to perform a Background Check) have returned a state COMPLETED.  

2. Incomplete: when any of the reports enabled for a given Person have returned a state INCOMPLETE.

3. Error: when any of the reports enabled for a given Person have returned a state or an outcome as ERROR.

2. Billing Practices

1. Emptor charges its Resellers (prices outlined in the applicable Work Order Form) for all successful executions of a folder (set of reports), i.e., when all the enabled reports have returned a state COMPLETED.

2. Emptor charges its Resellers 50% of the prices outlined in the applicable Work Order Form for any INCOMPLETE results. This occurs when  PASSED, FAILED, or BODY could not be reached due to the information provided by the Reseller.

3. Emptor does not charge its Resellers for  ERROR results. 

4.5 In the event that Reseller believes Reseller has been incorrectly billed by Company, Reseller has two (2) calendar weeks from the date that the Reseller has received the invoice with the balance in question, to dispute the amount by notifying Company (“Billing Dispute”).  Reseller then has two (2) calendar weeks from the date that Reseller notified Company of a potential Billing Dispute to do its due diligence (“Due Diligence Period”) in determining whether Company has in fact billed Reseller incorrectly.  Company shall assist Reseller in providing any documentation as is reasonably necessary to confirm whether or not the amount in question is in error.  Depending on the percentage of the amount that Reseller believes is billed in error, the following shall apply:

1. For amounts in dispute that are equal to or less than 10% of the total amount of the relevant invoice, the total amount of the invoice shall, regardless of the billing error, be paid by Reseller to Company within the time period specified in section 4.2. This means that payment for the total amount of the invoice must be received by Company within thirty (30) days from the date that Reseller received the invoice.   If error is proven by Reseller, then the amount in error shall be credited to Reseller for the following month.

2. For amounts in dispute that are in excess of 10% of the total amount of the relevant invoice, then the amount that is not in dispute shall be paid by Reseller to Company within the time period specified in section 4.2.This means that payment for the amount of the invoice that is not in dispute must be received by Company within thirty (30) days from the date that Reseller received the invoice. If Reseller proves and Company agrees that the amount in dispute is in error, Company shall absolve Reseller of payment of the amount in dispute.  If Reseller fails to prove that Company erred in the billing amount, then the amount outstanding shall be paid to Company.  If the outstanding amount is paid within the billing period described in section 4.2, no late fees shall attach.  However, if the outstanding amount is paid after the billing period in section 4.2 has lapsed, then whatever outstanding amount Reseller owes to Company shall be subject to the late fees described herein.

3. If no such resolution is reached between the Parties with regards to the amount in dispute, then Parties shall proceed with discussions in good faith and with efforts commensurate to the amount in dispute for resolution, within a reasonable time period.  If no resolution can be reached, then external dispute resolution in accordance with the terms of this Agreement may be pursued.

5. TERM AND TERMINATION

This Agreement shall go into effect on the date that both parties sign the applicable Work Order Form (“Effective Date”). Furthermore, this Agreement shall be valid for a period specified in the applicable Work Order Form. Reseller or Company may terminate the Work Order Form and this Agreement for any reason if a written notice of termination is provided to the other party at least sixty (60) days prior to the intended date of termination. If the term outlined in the applicable Work Order Form is for a period of fewer than sixty (60) days, Reseller or Company can terminate the Work Order Form and this Agreement with seven (7) days’ written notice. In addition to any other remedies it may have, either party may also terminate the Work Order Form and this Agreement immediately if the other party materially breaches any of the terms and/or conditions of the Work Order Form and/or this Agreement. Reseller will pay in full for the Services up to and including the last day on which the Services are provided in accordance with the standards and requirements under the Service Level Agreement. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability. 

6. WARRANTY AND DISCLAIMER

Company shall use reasonable and necessary efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable and necessary efforts to provide advance notice in writing or by e-mail of any scheduled service disruption.  OUTSIDE OF THE REQUIREMENTS AND STANDARDS OUTLINED IN THE SLA, COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES.  EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES AND ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.  

7. INDEMNITY 

Unless otherwise provided for in this Agreement and subject to the remedies available to the Reseller as specified in any applicable Work Order Form agreed to by the parties, Company shall indemnify Reseller for any losses or damages suffered or incurred by Reseller for the Company’s failure in rendering services in accordance with the standards and requirements as specified in the Service Level Agreement agreed to by the parties and a breach of warranties set forth in Section 6. Company shall hold Reseller harmless from liability to third parties resulting from infringement by the Service of any patent or any copyright or misappropriation of any trade secret, provided Company is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the opportunity to assume sole control over defense and settlement; Company will not be responsible for any settlement it does not approve in writing.  The foregoing obligations do not apply with respect to portions or components of the Service (i) not supplied by Company, (ii) made in whole or in part in accordance with Reseller specifications and Company has informed Reseller of the potential infringement in connection with such portions of components, (iii) that are modified after delivery by Company, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Reseller continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Reseller’s use of the Service is not strictly in accordance with this Agreement.  If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Company to be infringing, Company may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Reseller a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Reseller’s rights hereunder and provide Reseller a refund of any prepaid, unused fees for the Service.

Subject to the terms and conditions set forth herein, each Party shall indemnify, hold harmless, and defend the other party, its affiliates and their respective owners, officers, directors, employees, agents, successors and permitted assigns from and against any and all claims, losses, deficiencies, judgments, settlements, interest, awards, fines, causes of action, damages, liabilities, costs, penalties, taxes, assessments, charges, punitive damages and expenses of whatever kind, including reasonable attorney’s fees that are incurred by the indemnified party (collectively, “losses”) as a result of any (i) breach or non-fulfillment of any representation, warranty or covenant under this agreement by the indemnifying party, (ii) acts or omissions of indemnifying party (any reckless or willful misconduct) in performing its obligations under this agreement, or (iii) failure by indemnifying party to comply with any applicable federal, state, or local laws, regulations, or codes in the performance of its obligations under this Agreement.

8. LIMITATION OF LIABILITY

NOTWITHSTANDING ANYTHING TO THE CONTRARY, THE PARTIES AND THEIR SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS AGREEMENT OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING LOST INCOME, LOST PROFITS, PRESENT AND FUTURE; (C) FOR ANY MATTER BEYOND COMPANY’S REASONABLE CONTROL; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY RESELLER TO COMPANY FOR THE SERVICES UNDER THIS AGREEMENT IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  ANY FRAUDULENT OR INTENTIONAL ACTS, OR WILLFUL MISCONDUCT, ARE NOT SUBJECT TO THE LIMITATIONS SET FORTH IN THIS SECTION.  

EXCEPTION TO THE LIMITATION OF LIABILITY.  RESELLER AND COMPANY FURTHER AGREE THAT, FOR ANY CLAIM OR LEGAL ACTION REGARDING INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR BREACH OF CONFIDENTIALITY, (INCLUDING ANY VIOLATION OF THE TERMS OF SECTION 3 OF THE SAAS AGREEMENT REGARDING ANY AND ALL INFORMATION, PROPRIETARY OR OTHERWISE, DISCUSSED BETWEEN THE PARTIES OR PRESENT WITHIN THE WORK ORDER FORM OR ITS GOVERNING SAAS AGREEMENT, EACH PARTY’S LIABILITY WILL BE LIMITED TO $750,000 (USD) FOR ANY TWELVE (12) MONTH PERIOD OR THE AVERAGE MONTHLY PAYMENT TO THE COMPANY OVER A PERIOD OF ONE YEAR TIMES TWELVE, WHICHEVER IS HIGHER

9. MISCELLANEOUS

If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.  This Agreement is not assignable, transferable or sublicensable by Reseller except with Company’s prior written consent.  Company may transfer and assign any of its rights and obligations under this Agreement without consent. This Agreement is the complete and exclusive statement of the mutual understanding of the parties in connection with the provision of the services, and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement, and that all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein.  No agency, partnership, joint venture, or employment is created as a result of this Agreement and Reseller does not have any authority of any kind to bind Company in any respect whatsoever.  In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees.  All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement shall be governed by the laws of the state of New York without regard to its conflict of laws provisions.  

10. DISPUTE RESOLUTION

Any dispute, controversy, or claim (each, a “Dispute”) arising out of or relating to this Agreement, or the interpretation, breach, termination, validity, or invalidity thereof, shall be referred to arbitration upon the demand of either party to the Dispute with notice (the “Arbitration Notice”) to the other. The Dispute shall be settled by arbitration in Mexico City by the International Centre for Dispute Resolution in accordance with the arbitration rules thereof in force when the Arbitration Notice is submitted. The arbitration language is English and the arbitration proceedings shall be conducted in English. The award of the arbitral tribunal shall be in writing, and final and binding upon the parties hereto.  The choice of law by which this contract is governed is New York Law, without regard to its conflict of law provisions.  The parties agree that the terms of the arbitration award, once final, can be implemented and enforced by any court of competent jurisdiction.

11. PARENT COMPANY OR AFFILIATE ASSUMPTION OF LIABILITY AND GUARANTEE OF FINANCIAL OBLIGATIONS

The undersigned of this document warrant that they have the requisite authority to bind Company and Reseller as respectively identified in the signature block. If the Work Order Form is signed by a Reseller (Parent, Subsidiary, Affiliate, Subsequent etc.) who is not listed as the beneficiary for whom work is to be performed and/or from whom payment is to be remitted for services rendered by Company, then the signor, by signing these agreements, shall act as guarantor.  As guarantor, the Reseller who has signed the Work Order Form willingly assumes liability for any breach of this Agreement or the Work Order Form by the intended beneficiary identified in the Work Order Form for whom Emptor is providing services, and willingly assumes liability for any billing, fees, or other financial obligations incurred from Emptor, Inc. having provided its services to that beneficiary.  This guarantee is unconditional and absolute.  This guarantee is enforceable against guarantor despite any other circumstance which might otherwise constitute a defense to the guarantee.  The signing Reseller, as guarantor providing this guarantee, is not relying on any explicit or implicit representations by Emptor, Inc. or by the affiliate, subsidiary, etc. on whose behalf the guarantor is signing.  This guarantee is governed by the laws of the state of New York, and any conflict arising from this clause shall be subject to arbitration in Mexico City through the International Center for Dispute Resolution.  NOTE THAT THIS CLAUSE ONLY APPLIES IF THE Reseller SIGNING IS NOT THE INTENDED BENEFICIARY FOR WHOM SERVICES WILL BE RENDERED, OR THE PARTY BY WHOM PAYMENT WILL BE REMITTED.

12. MANUAL REVIEW SPECIFICATIONS

Where Company possesses Manual Review capabilities, Company operates a manual review component that is included in the background check services that Company provides to Reseller and the Reseller’s Client. The manual review, where applicable, is a means to ensure that Company’s services are performed as fairly and accurately as possible in returning the results of the background checks.  For example, a manual review can ensure that a data subject does not improperly fail a background check due to imperfect or limitations on available  information. However, as Company retrieves its information from public databases, Company cannot guarantee or warrant that such information contained within those databases is accurate. Please see the API Manual (https://docs.emptor.io/) for country-specific information. 

13. ACKNOWLEDGEMENT OF PASS/FAIL CRITERIA

Company utilizes existing internal criteria that determine “pass” or “fail” conditions that vary by Country.  These criteria comprise various searches, coupled with filtering criteria, which may include crimes and fines or other review criteria.  The Reseller’s Client, by way of Reseller, is able to implement its own pass/fail criteria for Company to utilize in performing its background check services. If Reseller does not make such a request, then Reseller accepts the existing criteria as well as the fact that Company does not make any warranty as to completeness or accuracy of information.  In the event that the criteria are accepted, the criteria shall become part of the Agreement between Reseller and Company and shall be integrated into the background check process.  If the existing criteria are used, then the Reseller, as well as the Reseller’s Client, is under the obligation to learn and understand the criteria to ensure that the criteria do not infringe on any relevant labor or employment laws applicable to the client. It should be noted that, due to the sources of information being implemented differently in each market, the pass/fail criteria will differ accordingly.  

Ultimately, the parameters of the background checks and hiring decisions are made by the Reseller’s Client who will be responsible for complying with regulations regarding the conditions of hiring and employment within their respective market.  As such, Company provides its services in a manner that is compliant with, but is not responsible for the Reseller’s Client’s compliance with, any applicable laws of the Country in which Company is providing services, unless the Reseller gives Company parameters for background check pass conditions that are in violation of such laws in which case Company will refuse to perform background checks in such a manner.  Engaging Company’s services is no guarantee of Reseller or Reseller’s Client’s compliance with the laws of the jurisdiction in which Reseller and Reseller’s Client are operating, which is the sole responsibility of Reseller.  Decisions of employment, and the legal compliance of the manner in which such decisions are made, are the responsibility and liability of the Reseller’s Client.

14. FORCE MAJEURE AND MATERIAL CHANGE OF LAW

Force Majeure means all events which are beyond the reasonable control of a Party to this Agreement, and which are unforeseen, or if foreseen reasonably unavoidable, which arise after the effective date of this Agreement and which prevent total or partial performance of this Agreement by such Party.  Such events shall include, but not be limited to, natural disasters, war, threat of war, blockade, embargo, act of vandalism or theft that could not have otherwise through the implementation of reasonable security measures have been prevented, prevention of performance by acts of government or public agencies or the implementation of regulations by these institutions that render this contract illegal or invalid or performance impossible, epidemics, strikes, acts of god, and any other events which are recognized as Force Majeure in general international commercial practice.

If a Party is aware of the likelihood of a situation constituting Force Majeure arising, or is claiming Force Majeure, it shall notify the other Party as soon as is practicable in writing forthwith of the same, the cause and extent of non-performance or likely non-performance occasioned thereby, the date or likely date of commencement thereof and the means proposed to be adopted to remedy or abate the Force Majeure; and the Parties shall, without prejudice to the other provisions of this Agreement, consult each other with a view to taking such steps as may be appropriate to prevent and/or mitigate the effects of such Force Majeure.

The Party subject to or claiming Force Majeure shall:

1. Resume performance as expeditiously as possible after the termination of the Force Majeure or the Force Majeure has abated to an extant which permits resumption of such performance;

2. Notify the other Party when the Force Majeure has terminated or abated to an extent which permits resumption of performance to occur; and 

3. Keep the other Party regularly informed during the course of the Force Majeure as to when resumption of performance shall or is likely to occur.

If the Parties are not in agreement that an event of Force Majeure has occurred, the matter shall be handled in accordance with the terms of this Agreement regarding Term and Termination to the extent possible.  If, upon the execution of this Agreement, any Party’s interest is negatively affected by promulgation or abolition of any law, or amendment or change to any law, or any competent authority’s change to, withdrawal of, or refusal to renew, any license, approval, permit or other consent (collectively can be referred to as “Material Change of Law”), the Parties shall negotiate for the necessary adjustment so as to maintain each Party’s benefit under this Agreement to a level no inferior to the status prior to such Material Change of Law. 

Annex I

Data Processing Agreement (DPA)

This Data Processing Agreement (hereafter, “the DPA”) is entered into between Emptor, Inc. (hereafter, “Company”), and Reseller, (hereafter, “Reseller”).  The Reseller’s Client (hereafter, “Client”) acts as a Data Controller, per the definitions listed below, and Reseller wishes to contract data processing services from the Company, each party of which acts as Data Processor or Subprocessor, per the definitions listed below.  Both Parties acquiesce and commit to adhere to the principles, rights, and obligations as listed within the DPA as articulated herein.  

DEFINITIONS AND INTERPRETATION

Unless otherwise denied herein, capitalized terms and expressions used in the DPA and corresponding Agreement shall have the following meaning:

1. “Agreement” means the SaaS Agreement between the Parties, as well as the DPA and any other corresponding agreements or annexes relevant to the agreement between the Parties.

2. “Client Data” means any Personal Data processed by the Processor on behalf of the Controller, or Subprocessor on behalf of the Controller pursuant to or in connection with the Agreement.

3. “Data Protection laws” means any relevant and applicable Data Protection Laws within the jurisdictions relevant to the presence, transfer, or processing of data per the terms of the Agreement.

4. “Data Transfer” means:

1. A transfer of Client Personal Data from the Client to Company or Contracted Processor, or;

2. An onward transfer of Client Personal Data from a Contracted Processor to any other Subprocessor;

5. “Services” means the SaaS services provided in accordance with the Agreement provided by Company.

6. “Subprocessor” means any person or company appointed as a third party by or on behalf of Processor or subsequently by Controller to process Personal Data on behalf of the Controller in connection with the Agreement.

7. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

8. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of such processing are determined by the purposes and means of such processing.

9. “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physician, physiological, genetic, mental, economic, cultural or social identity of that natural person.

10. “Personal Data” means any information relating to an identified or identifiable natural person (see “Data Subject”).

11. “Personal Data Breach” means a breach of security legend to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

12. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

13. “Supervisory Authority” means an independent public authority which is established as the relevant, recognized, and competent authority for the creation, administration and application of Data Protection Laws and related matters within the jurisdictions relevant to the provisioning of services under the Agreement.

DATA PROCESSING AGREEMENT TERMS

1. Processing of Client Personal Data

1. The Processor and Subprocessor Shall comply with all applicable Data Protection Laws in the Processing of Client Data.  Furthermore, Processor and Subprocessor shall not Process Client Data other than on the relevant Controller’s documented instructions.  The Controller shall instruct the Processor and Subprocessor to process its Client Data.

2. Processor Personnel

1. Processor and Subprocessor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Client Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Processor and Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

3. Security

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor and Subprocessor shall, in relation to the Client Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.  This includes, as appropriate:

1. The pseudonymisation and encryption of personal data;

2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, Processor and Subprocessor shall take account in particular of the risks that are presented by processing, in particular from a Personal Data Breach.

4. Subprocessing

1. Processor and Subprocessor shall not appoint (or disclose any Client Personal Data to) any additional subprocessor or third party for the handling of personal data unless otherwise required, or authorized by the Controller.

5. Data Subject Rights

1. Taking into account the nature of the processing, Processor and Subprocessor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller obligations, as reasonable understood by the Controller, to respond to requests to exercise Data Subject Rights under the relevant Data Protection Laws.

2. Processor and Subprocessor shall:

1. Promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data, and;

2. Ensure that it does not respond to that request except on the documented instructions of Controller, or as required by the relevant applicable laws to which Processor is subject, in which case Processor shall to the extent permitted by the relevant applicable laws inform Controller of that legal requirement before any Contracted Processor responds to the request.

3. Reseller, Company and Client acknowledge and agree that the Data Subject has various rights with respect to how their information is processed.  These rights include, but are not limited to, rights of access, rectification, cancellation, and opposition.  For any inquiries regarding the exercise of such rights or information regarding the processing of the Subject’s data, Reseller, as point of contact, shall forward to Company the Data Subject’s inquiries.  Such inquiries shall be submitted to info@emptor.io. 

6. Personal Data Breach

1. Processor and Subprocessor shall notify Controller without undue delay upon Processor or Subprocessor becoming aware of a Personal Data Breach affecting Client Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under any and all relevant and applicable Data Protection Laws.

2. Processor and Subprocessor shall cooperate with the Controller and take reasonable commercial steps as directed by Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

7. Data Protection Impact Assessment and Prior Consultation

1. Processor and Subprocessor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers required or necessary by any relevant and applicable Data Protection Law, in each case solely in relation to processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

8. Deletion or return of Client Personal Data

1. Subject to this section 8, Processor and Subprocessor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the processing of Client Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of Client Personal Data.

2. Processor and Subprocessor shall provide written certification to Controller that it has fully complied with this Section 8 within 10 business days of the “Cessation Date”.

9. Audit Rights

1. This section 9 and the audit rights pertaining herein shall only apply where necessitated by relevant and applicable Data Protection Laws.  If no such laws are otherwise applicable to the Parties, services, or transaction articulated herein, then this section shall not apply, and no such audit rights shall be granted.

2. If such Rights are mandated by applicable and relevant data protection laws, subject to this section 9, Processor and Subprocessor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the processing of the Company Personal Data by the Contracted Processors.

3. Information and audit rights of the Company only arise under section 9.2 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

10. Data Transfer

1. Neither the Processor nor Subprocessor may transfer or authorize the transfer of Data to countries or territories not otherwise required for the Processing of its data without the prior written consent of the Controller.  Both Parties commit to ensure that personal data is adequately protected in any given transfer, using industry best practices.

11. General Terms

1. Confidentiality.  Each Party must keep this DPA and the corresponding Agreement, and any information received about the Party and its business in connection with this DPA and Agreement confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that the disclosure is required by law, or that the relevant information is already in the public domain, in a manner consistent with the terms of the Agreement.

12. Notices

1. All notices and communications relating or relevant to this DPA and Agreement must be in writing, as required by the terms of the Agreement.

ANNEX II

Brazil LGPD Data Protection 

These Data Protection Clauses are agreed upon between Emptor Inc (“Emptor”) and Reseller  and shall integrate the SaaS Agreement (“SaaS Agreement”) entered into on the Effective Date between the parties, taking effect during the Term set forth in the referred document.

WHEREAS the provision of Services agreed upon by the Parties in the SaaS Agreement may imply in Personal Data treatment over data collected in the brazilian territory or pertaining to an individual located in the brazilian territory, and therefore in the International Transfer of said Personal Data;

WHEREAS Brazil has a data protection law in effect as of september 2020 – Lei Geral de Proteção de Dados (LGPD) [Lei nº 13.709/2018] – which provides that the Personal Data treatment regarding data of individuals located in brazilian territory must abide by certain rules and principles;

WHEREAS the Parties wish to ensure compliance with the rules and principles set forth in LGPD for any data treatment over Personal Data of individuals located in the brazilian territory during the provision of the Services agreed upon in the Saas Agreement and by that also ensure the legality of such data treatment;

WHEREAS both Emptor and Reseller also with to ensure the adequate safeguards and level of security, confidentiality and protection of privacy for the Personal Data of individuals located in the brazilian territory, as well as put in place mechanisms to prevent any data breach or incident;

The Parties agree upon the following:

1. DEFINITIONS

For the purpose of this Annex, the following definitions shall apply:

1. Personal Data: means any personal identifiable information (PII) collected in the brazilian territory or pertaining to an individual (natural person) located in brazilian territory used for the provision os the Services;

2. Data Subject: the individual (natural person) 

3. Services: the processing of personal data for which the Controller (Reseller) has contractually engaged the Operator (Emptor)

4. Cooperator: any third party providers used 

5. Collaborator: any person that works for Emptor at any capacity, contractors, employees

6. The terms and expressions “Controller’ “Operator” “Data Treatment” “International Data Transfer” shall have the same meaning as assigned to them in LGPD

2. DATA TREATMENT

1. The Parties hereby undertake to comply with Brazilian Data Protection Regulation during the provision of Services by Emptor on behalf of the Reseller. Both parties shall abide by the LGPD and any other regulations that are set forth by the National Authority (Autoridade Nacional de Proteção de Dados – ANPD) during the provision of the Services.

2. For the purposes of this Agreement, as it is for the purpose of Resale and the Reseller will not be the end user of the product, nor supply or control the information to be processed using Emptor’s services, both Emptor and Reseller will be considered Operators of the Personal Data.  The end user, or Reseller’s Client, is considered the Controller of the Personal Data. The Operators and the Controller must observe their responsibilities as stated in the data protection regulations from Brazil (Chapter VI, Section III of the LGPD).  As Reseller is the primary point of contact for the Controller, it is Reseller’s responsibility to ensure the Controller understands and is willing to comply with the responsibilities under the LGPD. No responsibilities are transferred by any means from one party to another through these clauses.

3. The categories of Personal Data used for the provision of Services include name of the Data Subject, parents name, date of birth, ID number (RG), Taxpayer Number (CPF), city and state of residence or signup. The Parties agree that no Sensible Information or personal data regarding underaged persons will be exchanged for the provision of Services, if any such data is added to the Services they will be disregarded by Emptor, sent back to the Reseller and eliminated.

4. The Controller of the Personal Data shall be responsible for acquiring the necessary consent (free and informed consent) for the provision of the Services or guaranteeing that the treatment fits in any of the other legal possibilities set forth by LGPD (article 7). In the case consent is the legal ground used to justify the Data Treatment it must include, at a minimum, information on the purposes for which the data is collected, the sharing of the data with Emptor and the International Data Transfer. The Controller shall be responsible for keeping record of any consent granted by any Data Subject.

5. Emptor, as an Operator for the Data Treatment, shall be responsible for  (a) performing the Data Treatment for the sole purpose of rendering Services to the Reseller, within the limits and according to the provisions of the SaaS Agreement; (b) processing only such Personal Data as is strictly necessary for the performance of the Services or to comply with legal requirements; (c) keep the Personal Data confidential, disponible only for the use of the personnel responsible for the provision of Services. The use of Personal Data by Emptor for its own purposes or for purposes other than rendering Services to the Reseller shall represent a breach of this section, in this case Emptor will be considered as liable as the Controller over the damage caused by the treatment of the Personal Data for its own benefit (Article 42, § 1º, I of the LGPD).

6. Emptor, acting as an Operator, shall refrain from responding to any request made by the Data Subject in regard to the Personal Data treated in the provision of the Services, except to the extent instructed by the Controller or according to LGPD regulations or ANPD decisions. However, Emptor shall inform the Reseller of any such request and cooperate with the Reseller to guarantee that the rights of the Data Subject provided by LGPD (Chapter III) are met in a timely manner and in accordance with the procedures set out by the law.

7. Emptor shall provide Reseller, at its request, with any reasonably necessary documents to ensure that it is in compliance with the obligations arising from these Data Protection Clauses, including documentation over the use of the Personal Data only for the rightful purpose and over the technical and organisational measures adopted to ensure the protection of the Personal Data. 

8. Both Parties shall keep record of the treatment activities under their responsibility in electronic form. The record shall contain (a) the categories of Personal Data used in the Data Treatment; (b) the categories of Data Treatment carried out on behalf of the Controller; (c) any International Data Transfer taking place due to the Data Treatment

9. Both parties shall also inform one another immediately about (a) any auditing, investigation ou apprehension of the Personal Data by any competent authority; (b) any other requests from the competent authorities, including the judiciary or Ministério Público; (c) any incident regarding the Personal Data that may affect the other party businesses or demands its action. If any of the parties is subject to auditing by ANPD regarding the Personal Data used for the provision of the Services, it must inform the result of such audit to the other Party no later than ten (10) days after the results are published.

10. Both Parties shall cooperate with the competent authorities, especially ANPD, providing all the information required to comply with regulations and/or requests made by said authorities.

3. PERSONAL DATA PROTECTION

1. Emptor shall adopt administrative and technical measures to ensure the protection of all Personal Data used for the provision of Services (according to article 46 of the LGPD) in order to guarantee an adequate security level and mitigate damages to the data. The security measures put in place by Emptor shall take into consideration the risk of the operation, in particular the risks regarding Security Incidents

2. Emptor shall keep the Personal Data protected under an Information Security Program that ensures  (a) protection against losses, unlawful disclosure or access; (b) reasonably identifies security risks and unauthorized accesses to its softwares; and (c) minimizes security risks, performing regular performance evaluations and tests. Emptor shall designate one or more employees to coordinate and take into effect the Information Security Program.

3. If a Security Incident takes place, including, without limitation, unlawful or unauthorized access, data breaches or Personal Data losses, regardless of the reason that occasioned the Incident, Emptor shall communicate the Reseller immediately (a) the date and hour of the incident; (b) the date and hour of the communication; (c) all the Personal Data affected by the incident; (d) the number of Data Subjects affected; (e) the contact information of the person responsible for providing further information on the matter; (f) the measures already taken to mitigate the damage and avoid new incidents. If Emptor is not in possession of all the information listed above at the time of the communication, Emptor shall send them separately as soon as it gets hold of the missing information. The complete report over the Security Incident shall be completed no later than five (5) days after the acknowledgement of the incident.   

4. COLLABORATORS

1. The Personal Data exchanged between Parties shall be kept Confidential. Emptor must ensure that any Personal Data received is available only to those employees who effectively need access to it for the correct provision of the Services. The employees that have access to the Personal Data shall (a) only treat the data within the limits and under the terms of this Clauses, the SaaS Agreement and LGPD; (b) receive training over Data Protection and Information Security; and (c) have committed in writing to strictly observe the confidentiality over the Personal Data treated. 

2. Each Party shall designate a person responsible for the communications regarding the Personal Data protected by these Clauses as well as any questions that may arise from the provisions set forth in this document.

5. COOPERATORS

1. The Reseller acknowledges and agrees that, for the correct provision of Services, Emptor may use third party providers to carry out specific Data Treatment activities, including, without limitation, cloud computing and storage. In this case, Emptor shall only enter into agreements with third party providers that ensure the adequate level of protection required by LGPD for the Personal Data.

2. After the provision of Services takes place effectively, Emptor shall notify the Reseller about substantial changes in the third party providers, providing a list of any new third party providers contracted by Emptor for the rendition of the Services.

6. INTERNATIONAL DATA TRANSFER

1. Any International Data Transfer that takes place due to the provision of Services must abide by the rules set forth in Chapter V of LGPD. The Parties, being both companies with its headquarters located outside Brazil, hereupon agree with the International Data Transfer to the United States of America, where the Data Treatment shall take place, including its components of cloud computing and storage through Cooperators. The Reseller, as the Controller of the Personal Data, shall be responsible for informing the Data Subject about the International Data Transfer and collecting, as well as keeping record of, the necessary specific and highlighted consent according to LGPD.  No provision of Services shall happen without the specific consent set forth in this section, considering all services are rendered outside Brazil.

2. If any other International Data Transfer is set to take place outside the one already agreed upon in this document, the Party responsible for the transfer shall notify the other party in writing prior to its occurrence. Any International Data Transfer intended by Emptor outside the one already agreed upon depends on the agreement of the Reseller, that shall, that can deny the request at its sole discretion. 

3. Any International Data Transfer that happens in order to ensure the provision of Services – including Clause 6.1. – shall observe the level of Data Protection required by LGPD, as set forth in these Clauses. No company, organisation or entity shall receive access to the Personal Data without ensuring security levels adequate to what is agreed upon in this document.

4. The Parties hereby undertake to adopt the pertinent mechanisms regarding International Data Transfer whenever they are made available, including amend ANPD future Standard Contractual Clauses as well as clauses provided by the destination countries for the Persona Data.

7. END OF THE AGREEMENT

1. The Parties agree that on the termination of the provision of the Services, the Data Treatment shall be discontinued. The remaining Personal Data at that time as well as any copies (in digital or physical format) shall, at the choice of the Reseller, be eliminated or returned no later than thirty (30) days after the termination, except in the cases the storage of the Personal Data is required by law or allowed within the terms of LGPD (Chapter II, Section IV).

Annex III

International Data Transfer

Argentina Standard Contractual Clauses

This annex is for the international transfer of personal data for the provision of services, specifically and only applicable to personal data that originates in and is transferred from Argentina, or otherwise involves Argentinian natural or legal persons.  The Ultimate Client (hereafter, “the data exporter” or “data controller”) and Company and Reseller (hereafter, collectively or individually “the data importer(s)” or “data processor(s)”), jointly referred to as “the parties”, agree to this contract for the international transfer of personal data for the provision of services, subjecting it to the terms and conditions detailed within this Annex.

1. Definitions

The following definitions shall apply to this annex, with English being the prevailing language in the event of a conflict or confusion regarding terminology.  Wherever appropriate, a singular term shall be construed to mean the plural where necessary, and the plural term the singular.

1. “Personal Data”.  Information of any kind referring to certain or ascertainable physical persons or legal entities.

2. “Sensitive Data”.  Personal data revealing racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, labor union membership, and information concerning health conditions or sexual habits or behavior.

3. “Data Treatment” or “Treatment”.  Systematic operations and procedures, either electronic or otherwise, that enable the collection, preservation, organization, storage, modification, relation, evaluation, blocking, destruction, and in general, the processing of personal information, as well as its communication to third parties through reports, inquiries, interconnections or transfers.

4. “Responsible”.  Physical person or legal entity, public or private, owning a data file, data register, data bank or database.

5. “Data Owner”.  A physical person or legal entity having a legal domicile or local offices or branches in Argentina, whose data is subject to the treatment and processing referred to in this Contract, its Annexes, or the relevant Data Protection Legislation.

6. “Agreement”.  The Company-Client SaaS Agreement to which this Annex is attached.

7. “Authority” or “Control Authority”.  This refers to the National Directorate of Personal Data Protection of the Argentine Republic.

8. “Exporter”, “Data Exporter”, or “Data Controller”.  The person responsible for defining the parameters and objectives of data processing, who is also responsible for the exportation of data.  Data transferor.

9. “Importer”, “Data Importer”, or “Data Processor”.  The service provider under the applicable law located outside the Argentine jurisdiction that receives the personal data from the data exporter for the processing in accordance with the terms of the Agreement.

10. “Data Protection Legislation”.  Shall mean Argentine Law No. 25,326 and relevant associated regulations.

2. Purpose and Terms of Transfer

1. The Data Exporter’s is responsible for the following:

1. Accumulating all necessary information to be processed.

2. Affirmatively establishing consent of the data subject or otherwise establishing legal basis for use of data subject information.

3. Secure handling of information (both data subject and confidential company information) using any and all reasonable means.

4. Act as point of contact for various rights of inquiry and correction inherent to data subject.

5. Compliance with all relevant and applicable laws.

2. The Data Importer is responsible for the following:

1. Secure transfer, storage, and processing of data using any and all reasonable means.

2. Return of data or deletion upon conclusion of work or at the request of Client or data subject.

3. Assistance to Data Exporter’s requests for processing rights of the data subject.

4. Compliance with all relevant and applicable laws.

3. The personal data transferred relates to the following categories of data subjects:

1. Argentine Citizens

2. Natural and Legal Persons established or residing in Argentina

4. The personal data transferred refers to the following categories of data:

1. Personal Identifying Information

2. Public records relating to the data subjects identified through Personal Identifying Information by Data Owner

5. The personal data transferred will be subject to the following processing:

1. Personal Identifying Information will be matched against various public databases for the purpose of validating identity of data subject, as well as any possible manifestations of public administrative or judicial rulings involving the data subject.  This includes both automated and manual review methods.

3. Responsibilities and Third Party Beneficiaries

1. The Data Owner is given third-party beneficiary status to this contract and as such, may request and compel the Data Importer to comply with the provisions of Law No. 25,326 related to the processing of their personal data, particularly regarding the right to access, rectification, deletion, and other rights contained in Chapter III, articles 13 to 20 of Law No. 25, 326, in accordance with the obligations and responsibilities assumed by the parties to this contract.  For the purposes of compliance with obligations to the Data Owner enumerated in this Annex and regarding the rights of the Data Owner, parties to the contract submit to Argentine jurisdiction, both judicial and administrative.  In those cases where non-compliance is alleged by the Data Importer, the Data Owner may require the Exporter to take appropriate action in order to cease such non-compliance.

2. The Importer accepts that the Control Authority may exercise its powers regarding the data processing that it assumes, with the limits and powers granted to the Authority by Law No. 25,326, accepting its powers of control and sanction, and granting it for such purposes and where appropriate, the character of third-party beneficiary.

3. In the event that the Importer revokes this annex, or does not comply with its terms, despite notice by the Exporter, granting a peremptory term of five (5) business days, with the rights and faculties recognized to third-party beneficiaries in this clause, such dereliction will be grounds for the automatic termination of this Contract.

4. Data Owners may require the Importer to comply with the obligations assumed in this contract relating to the processing of the data that are specific to the Exporter, when the Exporter has in fact disappeared or has legally ceased to exist, unless any successor entity has assumed all of the legal obligations of the Data Exporter under contract or by operation of law, in which case the owners of the data may demand them from said entity.

5. The Data Owners may require Subprocessors to comply with this clause and to comply with the obligations assumed in this contract by the Exporter and the Importer, related to the processing of data that are specific to the Exporter, when both have disappeared de facto or have legally ceased to exist, unless a successor entity has assumed all of the legal obligations of either of them under contract or by operation of law, in which case the holders of the data may be required from said entity.  The civil liability of the Subprocessor will be limited to its own data processing operations as agreed between the parties and these clauses.

6. The parties do not object to Data Owners being represented by an association or other entities provided for by Argentine law.

4. Obligations of the Data Exporter

The Data Exporter agrees and guarantees the following:

1. The collection, processing and transfer of personal data has been and/or will be carried out in accordance with Law No. 25,326.

2. That the Data Exporter has made reasonable efforts to determine if the Data Importer is capable of fulfilling its obligations agreed upon in this contract.  To this end, the Data Exporter may request the Importer to contract liability insurance for any damages caused by the planned treatment, as specified in this Annex.

3. During the provisioning of personal data processing services, Data Exporter will give necessary instructions so that the processing of the transferred personal data is carried out exclusively on its behalf and in accordance with Law No. 25,326 and this contract.

4. Data Exporter will deliver to Importer a copy of the legislation in force in Argentina applicable to the intended data processing.

5. Data Exporter guarantees that it has complied with informing the Data Owners that their personal information could be transferred to a third country with lower levels of data protection than those of the Argentine Republic.

6. Data Exporter guarantees that in the case of subprocessing, the activity will be carried out by a subprocessor who must have the express prior consent of the Exporter and who will provide at least the same level of protection of personal data and rights of the holders than those agreed here with the Data Importer, entering into a contract for such purposes, and who will also be under the instructions of the Exporter unless the Importer otherwise explicitly agrees in writing to respond to such inquiries.  If the Importer agrees to such responsibilities, it will be the Exporter who must respond, to the extent reasonably possible and based on the information reasonably available, if the Data Importer is otherwise unable to or in fact, does not respond.

7. Data Exporter will make available to the Data Owners (as third-party beneficiaries in accordance with Clause 3 of this Annex), at their request, a copy of these standard contractual clauses that relate to the processing of their personal data, rights and guarantees, as well as a copy of the clauses of other contracts necessary for the data subprocessing services that must be carried out in accordance with this contract.

5. Obligations of the Data Importer(s)

The Data Importer agrees to and guarantees the following:

1. The Data Importer will process the personal data transferred only on behalf of the Data Exporter in accordance with its instructions and the clauses.  In the event that the Data Importer cannot meet these requirements for whatever reason, the Importer will immediately inform the Data Exporter, in which case the Data Exporter will have the right and ability to suspend the transfer of data or terminate the contract.

2. Data Importer will arrange for the necessary and effective security and confidentiality measures to avoid adulteration, loss, consultation or unauthorized treatment fo the data, and that make it possible to detect deviations, intentional or otherwise, whether the risk is through human action or technical processes, verifying that they are not inferior to those provided by current regulations, in such a way that Importer guarantees the level of security appropriate to the risks involved in the treatment and the nature of the data to be protected.

3. Data importer guarantees that it has and maintains procedures that guarantee that all access to the transferred data will be carried out only by authorized personnel, establishing access levels and passwords, who will comply with their duty of confidentiality and security, signing agreements for such purposes.

4. Data Importer has verified that local legislation does not prevent compliance with the obligations, guarantees and principles set forth in this contract regarding the processing of personal data and its owners, and will inform the Data Exporter immediately if Importer becomes aware of the existence of any provision of this nature, in which case the Exporter may suspend the transfer.

5. Data Importer will process personal data following the express instructions given by the Exporter in accordance with the purposes and manner described in this Annex.

6. Data Importer will notify the Data Exporter of a contact point within their organization authorized to respond to inquiries related to the processing of personal data and will cooperate in good faith with the Exporter, the Data Subject, and the Authority with respect to such inquiries or communications.  In the event that the Exporter has legally ceased to exist, or if the parties have so agreed, the Importer will assume the tasks related to its compliance in accordance with the provisions of Clause 3(d).

7. Data Importer will make available, at the request of the Exporter or the Authority, its data processing facilities, its files, and all documentation necessary for processing, for review, audit or certification purposes.  These tasks will be carried out, upon reasonable notification and during normal business hours, by an impartial and independent inspector or auditor appointed by the Exporter or the Authority, in order to determine if the guarantees and commitments provided for in this contract and Annex are met.

8. Data Importer will treat personal data in accordance with Law No. 25,326, on the protection of personal data.

9. Data Importer will promptly notify the Data Exporter of:

1. Any legally binding request to transfer personal data made by a law enforcement authority, unless prohibited by applicable law (to the extent not exceeding what is necessary in a democratic society following the guidelines of Clause 5(j)(ii).

2. Any accidental or unauthorized access.

3. Any unanswered request received directly from the data owners, unless otherwise authorized to respond directly to the request.

10. Data Importer will not assign or transfer personal data to third parties, except in the case of:

1. Where it is specifically established in this Annex or is necessary for compliance purposes, verifying in both cases that the recipient is bound by the same terms as the Data Importer at the time of the data transfer and with the prior knowledge and agreement of the Exporter.

2. The assignment is required by law or competent authority, to the extent that it does not exceed what is necessary, for example but not exclusively, when it constitutes a necessary measure for the safeguarding of state security, defense, public safety, prevention, investigation, detection and repression of criminal or administrative offenses, or the protection of the Data Owner or the rights and freedoms of other people, when they could hinder ongoing judicial or administrative actions related to the investigation into compliance with obligations subject to state control and related to public order, including but not limited to tax or social security, the development of health and environmental control functions, the investigation of criminal offenses and verification of administrative offenses.

3. Notwithstanding the other provisions of Clause 5(j), access to the data must be provided when the affected party has to exercise their right of defense and, in the event that the requesting authority does not grant or offer the guarantees of safe handling and transfer of information, Argentine law and protections will control.

11. Data Importer will recognize requests from Data Owner as a third-party beneficiary, as well as requests from the Exporter, and recognizes rights to access, rectification, deletion, as well as the other rights contained in Chapter III, articles 13 to 20 of Law No. 25,326, respecting the legal deadlines and providing the means for this purpose.  It will respond within the terms provided by Law No. 25,326 to the queries of the data holders and the authority regarding the processing of personal data by the Data Importer, regardless of any agreements between Importer and Exporter to the contrary, in following the instructions of the Authority.

12. Data Importer will delete or otherwise destroy, certifying such fact, and or return to the Exporter the personal data that is the object of transfer, when for any reason this Contract is terminated.

13. In the case of subprocessing of the data, Importer will inform the Exporter and obtain written consent prior to engaging in subprocessing.

14. Treatment or processing by subprocessor will be carried out in accordance with Clause 10 of this Annex.

15. Data Importer will promptly send the Exporter a copy of the contract that it enters into with the subprocessor under this contract and in which the Exporter will be granted the status of third-party beneficiary in order to give the instructions it deems necessary and authority to resolve it.

16. Data Importer will keep a record of compliance with the obligations assumed in this clause, the report of which will be available at the request of the Exporter or the Authority.

6. Responsibility

1. The parties agree that the owners of the data that have suffered damages as a result of the breach of the obligations agreed to in this Agreement and Annex by either party or subprocessor, will have the right to receive compensation from the Data Exporter to compensate for damage suffered.

2. In the event that the Data Owner cannot file against the Exporter referred to in Clause 6(a) for breach by Data Importer or Subprocessor of their obligations in Clause 5 and/or Clause 10, by having de facto disappeared, ceased to exist legally or is insolvent, the Data Importer agrees that the Data Subject can sue him in the place of the Data Exporter, unless any successor entity has assumed all legal obligations of the Exporter by virtue of a contract or by operation of law, in which case the Data Owners ma demand their rights from said entity.  The Importer may not rely on a breach by a Subprocessor of its obligations to avoid its own responsibilities (unless any successor entity has assumed all of the Exporter’s or Importer’s legal obligations under contract or by operation of law, in which case Data Subjects may enforce their rights against such entity).  The responsibility of the Subprocessor will be limited to its own data processing operations in accordance with these clauses.

7. Applicable Law and Jurisdiction

1. This Annex III will be governed by the law of the Argentine Republic, in particular Law No. 25,326, its regulations and provisions of the National Directorate of Personal Data Protection, and will understand in case of related conflict to the protection of personal data the judicial and administrative jurisdiction of the Argentine Republic.

8. Resolution of Conflicts with Owners of the Data

1. The Importer agrees that if the Data Owner invokes third-party beneficiary rights against the Importer, or claims compensation for damages in accordance with the clauses, Importer will accept the decision of the Data Owner to:

1. Submit the conflict to mediation by an independent person;

2. File a complaint with the National Directorate of Personal Data Protection; and

3. Submit conflict to the competent Argentine courts.

2. The parties agree that the options of the Data Subject will not impede their substantive or procedural rights to obtain redress in accordance with other provisions of national or international law.

9. Cooperation with Data Protection Authorities

1. The parties agree that the supervisory authority is empowered to audit the Importer, or any Subprocessor, to the same extent and under the same conditions as it would do with respect to the Exporter in accordance with Law No. 25,326, making its audit facilities available.  The audit tasks may be carried out both by personnel of the control authority and by suitable third parties designated by it for said act or by local authorities with similar powers in collaboration with the authority.

2. The Data Importer shall promptly inform the Data Exporter in the event that existing legislation applicable to it or any Subprocessor does not allow auditing of the Importer or Subprocessors.

10. Data Subproccessing

1. The Data Importer shall not subcontract any of its processing operations carried out on behalf of the Data Exporter in accordance with this Annex without the prior written consent of the Data Exporter.  If the Importer subcontracts its obligations, it must be done through a written agreement in which the Subprocessor assumes the same obligations as the Importer, insofar as it is compatible, to the Data Exporter, and the Data Owner and the Control Authority as third-party beneficiaries.

2. In cases where the Subprocessor is unable to fulfill its data protection obligations by manner of this Annex, the prior written contract between the Data Importer and Subprocessor will also contain a third-party beneficiary clause that includes those cases in which the Data Owner cannot file the claim for compensation referred to in Clause 6(a) against the Exporter or Importer because they have de facto disappeared, ceased to exist legally or are insolvent, and no successor entity has assumed the full legal obligations of the Exporter or Importer under contract or by operation of law.  Such civil liability of the Subprocessor will be limited to its own data processing operations according to the subcontracted tasks.

3. The provisions on aspects of data protection in the case of contracts with a Subprocessor, operations will be governed by Argentine law.  This requirement can be satisfied by means of a contract between the importer and the Subprocessor in which the Subprocessor is a co-signatory of this Contract.

4. The Data Exporter shall keep a list of subprocessing agreements entered into by the Importer, a list that will be updated at least once a year.  The list will be available to the Control Authority.

11. Termination of Contract

1. In the event that the Data Importer fails to comply with its obligations under these clauses, the Data Exporter must temporarily suspend the transfer of personal data to the Importer until the cause of the breach is remedied and the seriousness assessed, and the controlling authority notified Authority.

2. The contract will be deemed terminated, and the exporter must so declare it prior to the intervention of the Control Authority, in the event that:

1. The transfer of personal data to the data importer has been temporarily suspended by the Exporter for a period of time greater than thirty (30) calendar days in accordance with the provisions of Clause 11(a);

2. Compliance by the Importer of this contract and the applicable law are contrary to legal or regulatory provisions in the importing country;

3. The Data Importer substantially or persistently breaches any guarantee or commitment provided for in this Annex;

4. A final and firm decision against which no recourse can be filed by an Argentine court or by the National Directorate for Personal Data Protection, which establishes that the Importer or Exporter has breached the Contract; or

5. The Exporter, without prejudice to the exercise of any other right that may assist him against the Importer, may resolve these clauses when the judicial administration or liquidation of the Importer has been requested and said request has not been dismissed within the period established for this purpose in accordance with the applicable legislation; a liquidation order is issued or its bankruptcy is decreed; a manager of any of its assets is appointed; the Importer has requested the declaration of bankruptcy; or is in a similar situation before any jurisdiction.

6. In the cases contemplated by subparagraphs i), ii), or iv), the Importer may also proceed with the resolution without the need for intervention by the Control Authority.

3. The parties agree that the termination of this contract for whatever reason will not exempt them from compliance with the obligations and conditions related to the processing of personal data transferred.

12. Obligations upon completion of Processing

1. The parties agree that, once the provision of personal data processing services has been completed, for whatever reason, the importer and the sup-processor must, at the discretion of the Exporter, either return all transferred personal data and their copies, or destroy them completely and certify their deletion to the Exporter, unless the legislation applicable to the Importer prevents him from returning or destroying all or part of the personal data transferred, verifying that said conservation period is not contrary to the applicable personal data protection principles, and if they are contrary, then the Control Authority will be notified.

ANNEX IV

External Software Usage Policy

This External Software Usage Policy (the “Policy”) pertains to any Reseller that contracts with Emptor to use Emptor’s Services. In addition to any and all obligations stated in any Agreement signed between Reseller and Emptor, this Policy outlines additional terms and conditions with which Reseller must comply in order to use Emptor’s services. Reseller understands that by entering into an Agreement with Emptor and accepting the Emptor API Key to use Emptor’s Services to perform background checks, Reseller agrees to abide by this Policy and that failure to comply with this Policy shall be deemed a breach of the Agreement between Reseller and Emptor. 

1. Definitions 

1. Emptor’s Services – Emptor has created software that can perform background checks on individuals in several countries in Latin America 

2. Emptor API – Emptor’s application programming interface that Reseller uses in order to perform background checks on Data Subject

3. Emptor API Key – application programming interface key that Emptor will give to its Resellers for the sole purpose of using Emptor’s software to perform background checks

4. Reseller – Any entity or individual that signs an Agreement with Emptor is a Reseller of Emptor 

5. Agreement – Any relationship between Emptor and another party (Reseller) will be governed by terms and conditions within an Agreement, which includes any and all relevant Service Level Agreement(s)

6. Emptor Background Checks API Documentation – this is the documentation provided to Reseller that explains how to access the Emptor API

7. Termination Date – When Emptor and Reseller terminate any contractual relationship, a Termination and Settlement Agreement will be executed between the parties that will state the Termination Date, which is the date in which Emptor will cease providing any services to Reseller

8. Reseller Report – This report indicates whether the Data Subject has passed or failed any part of the background check

9. Data Subject – third party individual whose personal information is being used to perform the background check

2. Use of the Emptor API and/or G Sheet(s)

1. Emptor G Sheet(s)

In certain instances, in order for Reseller to be able to use Emptor’s Services, Reseller shall gain access to Emptor’s API via G Sheets whereby Reseller can input a Data Subject’s personally identifiable information (“PII”) in the G Sheets and Emptor’s API will produce a result as outlined in the API documentation that will be indicated on the G Sheets. By using the G Sheet product, Reseller shall not be able to directly access the Emptor API. 

2. Emptor API Usage via Direct Integration

In certain instances, in order for Reseller to be able to use Emptor’s Services, Reseller shall gain access to Emptor’s API via Direct Integration. In this case, Reseller shall have direct access to the Emptor API whereby Reseller can input a Data Subject’s PII and Emptor’s API will produce a result as outlined in the API documentation that will be indicated in a report sent to Reseller. 

3. Emptor API key

In order for Reseller to be able to use the Emptor API, Emptor shall send to Reseller an Emptor API key. Emptor shall send the Emptor API Key in plain text in a Google Doc to an email address designated by Reseller. Reseller shall use the Emptor API key in order to be able to access and use the Emptor API. Reseller is responsible for maintaining the security and confidentiality of the Emptor API key using industry-standard security measures. Reseller is prohibited from sharing the Emptor API key with any third party without written consent from Emptor. In the event that the Emptor API key is lost or stolen, Reseller must notify Emptor immediately at which point Emptor shall suspend the Emptor API and change the Emptor API Key. Furthermore, if the API key is stolen, any checks performed as a result of the stolen key shall be paid by Reseller in accordance with the pricing terms outlined in the Agreement between Reseller and Emptor. 

4. Compliance with all applicable laws and regulations

Reseller agrees to comply with all applicable laws, regulations, and third party rights in any and all relevant jurisdictions while using the Emptor API and/or G Sheet(s). Reseller will not use the Emptor API and/or G Sheet(s) to promote or engage in any illegal activities. Furthermore, Reseller will not use the Emptor API and/or G Sheet(s) to violate any third party rights. As also stated in the Agreement between Reseller and Emptor, Reseller agrees and warrants that it has received the necessary consent from the relevant third party in order to perform the background check using the Emptor API and/or G Sheet(s). Reseller is solely responsible for obtaining the data subject’s consent and recording such consent if necessary in compliance with any and all applicable laws and regulations. 

5. Permitted Access

Reseller agrees to access (or attempt to access) the Emptor API only through the instructions contained in the Emptor Background Checks API Documentation. Reseller shall not misrepresent or hide its identity when accessing the Emptor API. 

6. Prohibitions on Use of the Emptor API

In addition to not using the Emptor API and/or G Sheet(s) to break any applicable laws and regulations, Reseller shall refrain from engaging in the following prohibited activities. Reseller shall not access the Emptor API and/or G Sheet(s) in order to introduce to Emptor’s Services any worms, viruses, or any other item of a destructive nature.  Reseller shall not access the Emptor API and/or G Sheet(s) to interfere with or disrupt the Emptor API or the servers or networks providing the Emptor API. Reseller shall not use the Emptor API to defame, abuse, harass, stalk, or threaten others. Reseller shall not use the Emptor API or G Sheet(s) to remove, obscure, or alter any Emptor terms of service or any links to or notices of those terms.

7. Rate Limits

Reseller agrees to inform the Reseller’s Client not to attempt to exceed or circumvent the limitations (defined below) placed on use of the Emptor API and/or G Sheet(s).  These limitations are set by Emptor in its sole discretion. In order to use the Emptor API and/or G Sheet(s) in excess of the rate limits, Reseller must receive written consent from Emptor. The limits described below also pertain to the G Sheet(s). For country-specific rate limits, please see the API Manual (https://docs.emptor.io/). 

8. Security

Reseller is responsible for maintaining the security of the Emptor API and/or G Sheet(s) and will not make it available to any third party any login credentials including, but not limited to, any key, password, or token to the Emptor API and/or G Sheet(s). Reseller shall use industry-standard security measures to prevent unauthorized access or use of the Emptor API and/or G Sheet(s) whether by worms, virus, or any other harmful means. In the event that Reseller reasonably believes that there has been any unauthorized access to the Emptor API, Reseller must immediately notify Emptor and cooperate with Emptor in any way necessary. 

9. Emptor monitoring of Reseller use of Emptor API

Reseller understands and agrees that Emptor may, if it so desires, monitor use of the Emptor API and/or G Sheet(s) in order to ensure quality and improve Emptor’s Services. Monitoring includes, but is not limited to, accessing the Emptor API and/or G Sheet(s). Reseller shall not interfere with Emptor’s monitoring.

10. Updates to the Emptor API

Emptor may update the Emptor API and/or G Sheet(s)  at any time in its sole discretion, and Reseller is obligated to use the most current version.

11. Termination of Use of the Emptor API

In the event that the Agreement between Reseller and Emptor is terminated for any reason, Reseller must cease using the API and/or G Sheet(s) on the Termination Date. On this Termination Date, Emptor will cease providing services and access to the Emptor API to Reseller. In addition, Emptor will rotate the relevant Emptor API Key. 

3. Content

Emptor owns the Emptor API and/or G Sheet(s) and Reseller shall have no ownership interest whatsoever in the Emptor API and/or G Sheet(s). Reseller owns the input data as well as the output data (Reseller Reports). Emptor owns all processed data.