Member User Policy
This ICM Member Service Agreement (“Agreement”) is between You (both the individual using the Service and any single legal entity on behalf of which such individual is acting) (“You,” “Your” or “User”) and KiRegistry / Covenantz, Inc. (hereinafter “KiR / CVTZ” “CVTZ," “Our,” “Us” or “We”).
​
IT IS IMPORTANT THAT YOU READ CAREFULLY AND UNDERSTAND THIS AGREEMENT. BY CLICKING THE “I ACCEPT” BUTTON, YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL OF THE TERMS OF THIS AGREEMENT AND DO NOT AGREE TO BE BOUND BY THIS AGREEMENT, CLICK THE “I DO NOT ACCEPT” BUTTON. IF YOU DO NOT ACCEPT THIS AGREEMENT, YOU WILL NOT BE REGISTERED TO USE OR PERMITTED ACCESS TO THE ICM SERVICE AND ANY UPDATES ASSOCIATED WITH THE ICM SERVICE (HEREINAFTER COLLECTIVELY THE “ICM SERVICE”).
​
BY CLICKING ON THE “I ACCEPT” BUTTON BELOW, YOU ACKNOWLEDGE THAT (1) YOU HAVE READ AND REVIEWED THIS AGREEMENT IN ITS ENTIRETY, (2) YOU AGREE TO BE BOUND BY THIS AGREEMENT, (3) THE INDIVIDUAL SO CLICKING HAD THE POWER, AUTHORITY AND LEGAL RIGHT TO ENTER INTO THIS AGREEMENT ON BEHALF OF YOU AND, (4) BY SO CLICKING, THIS AGREEMENT CONSTITUTES BINDING AND ENFORCEABLE OBLIGATIONS ON YOU.
ALSO, WE RESERVE THE RIGHT, AT OUR SOLE DISCRETION, TO UPDATE, MODIFY, OR REPLACE THIS AGREEMENT AT ANY TIME. IF A REVISION OR CHANGE TO THIS AGREEMENT IS MATERIAL WE WILL PROVIDE AT LEAST THIRTY (30) DAYS GENERAL NOTICE POSTED ON THE KiR / CVTZ WEB SITE PRIOR TO THE NEW TERMS TAKING EFFECT. WHAT CONSTITUTES A MATERIAL REVISION OR CHANGE WILL BE DETERMINED AT OUR SOLE DISCRETION. BY CONTINUING TO ACCESS AND USE THE ICM SERVICE AFTER THE REVISIONS OR CHANGES BECOME EFFECTIVE, YOU AGREE TO BE BOUND BY THE REVISED OR CHANGED TERMS. IF YOU DO NOT AGREE TO THE NEW TERMS, YOU ARE NO LONGER AUTHORIZED TO USE THE ICM SERVICE.
​
KiR / CVTZ and You are sometimes herein referred to each individually as a “Party” and collectively as the “Parties.”
​
RECITALS
WHEREAS, KiRegistry (“KiR”) powered by Covenantz and Covenantz, Inc. (“CVTZ”) is the developer and owner of the proprietary Intelligent Covenant ManagementTM system (“ICM Service”) which is a web-based, artificial intelligent SaaS technology platform that offers globally impactful covenant management, real-time data exchanges, compliance and lifecycle management of supply chains and building development projects within the building construction industry, enabling authorized users of the ICM Service to improve project profitability, increase speed of payment, introduce collaboration and data accuracy, reduce project risk, cost overruns and project delays and eliminate communication delays;
​
WHEREAS, should You accept the terms and conditions of this Agreement, KiR powered by CVTZ agrees to license to You as a project stakeholder access to the ICM Service for the project at hand under the terms and conditions set forth in this Agreement.
​
NOW, THEREFORE, in consideration of the mutual covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
​
1. Definitions. The following terms, as used herein, will have the meanings set out below:
“KiRegistry” is a platform powered by Covenantz for financiers, owners, architects, engineers, specifiers, manufacturers, suppliers, contractors and maintenance professionals who need to access information, from big picture to details, in order to make better and more efficient decisions. KiRegistry is a digital geo-based collaboration platform for sustainable outcomes that provides transparency, validation, and record keeping for faster and more profitable projects by connecting specifiers and suppliers, from conception to onboarding. Unlike traditional proptech, fintech, ERP, or supplier management systems, KiRegistry offers a financial and specifying transactional platform, with risk and lifecycle management to inform sustainable project design.
“Covenantz” developed the Intelligent Covenant Management (ICM™) network to revolutionize the construction ecosystem by providing communication, collaboration and transparency to all key participants, reducing costs and increasing profitability. The ICM™ is a network-based “digital data exchange” for the design, construction and lifecycle management of real estate assets. ICM™ members will connect in real time with self-auditing, best practices, and efficient oversight of their assets. Within the ICM™ network is an Enterprise Analytics Platform (EAP) called C-CISTERN™ that provides a dynamic, cloud-integrated “Data Lake” to create groundbreaking assets that coordinate 120 industry silos.
“Additional Custom Built Products” means any custom-built or customized products or services that KiR powered by CVTZ conceives, develops or creates for You under this Agreement, either alone or in collaboration with You, or in connection with the performance of any Additional Services.
“Additional Services” means the additional offered services and other revenue generating opportunities as may be described in Exhibit A and made available to a particular User by CVTZ.
“Affiliate” means, with respect to any legally recognizable entity, any other entity Controlling, Controlled by, or under common Control with such entity. “Control” means direct or indirect (i) ownership of more than fifty percent (50%) of the outstanding shares representing the right to vote for members of the board of directors or other managing officers of such entity, or (ii) for an entity that does not have outstanding shares, more than fifty percent (50%) of the ownership interest representing the right to make decisions for such entity. An entity will be deemed an Affiliate only so long as Control exists.
“Configuration” means the creation and implementation of a dedicated and customized User interface within the ICM Service created especially for a particular type of User to enable the User’s personalized access to the ICM Service.
“CVTZ Data Analytical Project Reports” means those custom made proprietary CVTZ data analytical project reports stored on CVTZ’s own servers and/or servers of its cloud computing vendor and prepared especially for a User’s business organization that is a subscribing good standing member of the ICM Service and which can be accessed and downloaded by the User either through User’s ICM Service membership account or in response to a request made to CVTZ’s application programming interface (API).
“Documentation” means the training materials, specifications, and technical information regarding the ICM Service, Configuration and User Software provided by KiR and/or CVTZ to Users, and all other information and User instructions regarding the capabilities, operation, installation and access to the User Software, Configuration and ICM Service but excluding such materials, specifications and technical information that has been superseded by CVTZ or that is otherwise considered by CVTZ to be obsolete.
“ICM Service” means the proprietary SaaS technology platform developed and owned by CVTZ that enables a User to access and manage a User’s Project work flows, Project schedules, Project cost overruns and many other Project related matters electronically as described in more detail in the Specifications.
“Project” means each construction building project identified by You using the form referenced in Ki Registry and /or CVTZ for which You are currently involved and wish to utilize the ICM Service during the Term.
​
“Project Participants” means some or all those participants involving a designated Project which may include without limitation employees or directors of Build Partners, Project owners, general contractors, sub-contractors, specifiers, architects, designers, material suppliers, engineers, tradesmen, safety and building inspectors, consultants, underwriters, financial institutions, other financiers and bond / insurers.
​
“Specifications” means the KiR / CVTZ specifications set forth in Exhibit A.
​
“Subscription Fees” means the annual membership fees paid every month for the right of User to access and use the ICM Service and User Software under the terms of this Agreement as set forth in Exhibit C.
​
“Updates” means corrections, bug fixes, patches, modifications, updates and enhancements that KiR / CVTZ, in its sole discretion, makes generally available to its User base at no additional cost.
​
“User(s)” means You, the individual(s) who is/are an/the employee(s), officer(s) or director(s) of a business organization, including the business organization or entity itself under whom such individual(s) is/are acting and who is a good standing member of the ICM Service, has been identified and licensed by that business organization as authorized to access and use the ICM Service, receive KiR / CVTZ Data Analytical Reports and be a member of the ICM Service membership network of Project Participants for any given designated Project.
​
“User Data” means the information and documents of User that are successfully uploaded to the ICM Service and stored on the servers of KiR / CVTZ’s cloud computing vendor in response to an API request received from KiR / CVTZ, which data may be updated or amended.
“User ID” means a unique alphanumeric identifier assigned to a User so that the User can access User Data and use the corresponding authorized features of the ICM Service.
​
“User Software” means any software or User interface application provided by KiR / CVTZ to User for installation and use on a personal computer, tablet or mobile device to enable a User’s access to the ICM Service, including any Updates thereto provided by KiR / CVTZ during the Term.
​
2. Term. Unless earlier terminated pursuant to Section 11, the term of this Agreement begins on the Effective Date and will continue for one (1) year thereafter (“Initial Term”). The term of this Agreement will automatically renew for consecutive one (1) year terms (“Renewal Term”), unless either Party provides the other written notice of non-renewal no later than thirty (30) days prior to the expiration of the Initial Term or any Renewal Term. KiR / CVTZ may implement revised pricing for any Renewal Term by giving written notice of the new pricing to Build Partner at least sixty (60) days prior to the commencement of a Renewal Term and the pricing will apply to the Renewal Term unless Build Partner provides written notice of non-renewal in accordance with this Section. Collectively the Initial Term and each Renewal Term (if any) constitute the “Term.”
3. Service Access Rights; Intellectual Property; Restrictions and Responsibilities.
3.1. Service Access Rights. During the Term and conditioned upon Your compliance with all the terms of this Agreement, KiR / CVTZ grants to You, a limited, non-exclusive, revocable, non-royalty-bearing, non-transferable, and non-sublicensable right in accordance with the terms of this Agreement, access and use of the ICM Service for Your internal business Project purposes only. You may only access the ICM Service through KiR / CVTZ’s web site and the User Software.
3.2. User Software. During the Term and conditioned upon Your compliance with all the terms of this Agreement, KiR / CVTZ grants You a limited, non-exclusive, revocable, non-transferable, and non-sublicensable right (i) to install and use the User Software on the hardware platform described in the corresponding Documentation in order for You to access the ICM Service as permitted under Section 3.1; (ii) to use the Configuration in order to access and use the ICM Service; and (iii) to use the KiR / CVTZ Data Analytical Reports and any Additional Custom Built Products for Your internal business Project purposes only.
3.3. Designation and Addition of Users. As part of the Configuration, You will identify in writing the Users and who will be assigned User IDs. KiR / CVTZ will issue User IDs to the Users who will be permitted access to the ICM Service for the number of Users corresponding with the Subscription Fees paid by You as specified in Exhibit C. You may, during the Term, request to add Users, and KiR / CVTZ will issue an amendment to this Agreement with the number of additional Users, as well as the corresponding fees owed in accordance with Exhibit C. Thereafter, KiR / CVTZ will charge You for and You will pay the Subscription Fees for the additional Users and KiR / CVTZ will issue corresponding User IDs. If You add Users mid-year during the Term, the annual Subscription Fees for the additional Users will be prorated based on the time remaining in the Initial Term or Renewal Term. Notwithstanding Section 17.1, orders for new Users that are issued by KiR / CVTZ, executed by You in the form so issued and confirmed by KiR / CVTZ shall be enforceable by both Parties. You represent and warrant that the authorized representative executing the T&C’s has all necessary authorization to purchase and pay for the Subscription(s) indicated in each T&C’s.
3.4. Affiliates. If You desire for any of Your Affiliates to use the ICM Service for Affiliate’s internal business Project purposes pursuant to Section 3.1 separate and apart from You, the Affiliate must execute a separate agreement with KiR / CVTZ on KiR / CVTZ’s then-current terms and conditions. To the extent that You are purchasing access on behalf of Your Affiliates, You irrevocably and unconditionally guarantee the compliance of Your Affiliate with this Agreement and You will be jointly and severally liable with each Affiliate for breach of this Agreement. All remedies available to KiR / CVTZ, including the ability to obtain injunctive relief, will apply to Your Affiliates, and You will reasonably assist KiR / CVTZ in enforcing KiR / CVTZ’s rights and remedies against Your Affiliates.
3.5. Intellectual Property Rights. Except for the limited rights set forth in Sections 3.1 and 3.2 above, You do not acquire any intellectual property or other rights, express or implied, in or relating to the User Software, ICM Service, Configuration, Documentation, the KiR / CVTZ Data Analytical Reports, Additional Services or Additional Custom Built Products. KiR / CVTZ retains all title, ownership, and all other rights and interest to the User Software, ICM Service, Configuration, Documentation, KiR / CVTZ Data Analytical Reports and Additional Custom Built Products. To the extent that You acquire any right, title, interest or intellectual property rights in the User Software, ICM Service, Configuration, Documentation, KiR / CVTZ Data Analytical Reports, Additional Services and/or Additional Custom Built Products, You hereby assign to KiR / CVTZ all of Your acquired right, title, interest and intellectual property rights associated with these products and services, including any right to sue for infringement and recover damages. You will also not remove, obscure, or alter KiR / CVTZ’s copyright or patent notices, trademarks, other proprietary rights notices, or any other content of any kind appearing in the ICM Service, User Software, Configuration, KiR / CVTZ Data Analytical Reports, Documentation or Additional Custom Built Products.
3.6. Restrictions. You must not, and You represent and warrant You will not use the ICM Service, Configuration, User Software, KiR / CVTZ Data Analytical Reports or Additional Custom Built Products in any manner that is not described in the Documentation or in any manner that is prohibited by this Agreement. You must not and must ensure that You do not, directly or indirectly, nor encourage, contribute or induce others on Your behalf to (i) reverse engineer, disassemble, decipher, translate, decompile, prepare derivative works of the ICM Service, User Software, Configuration, KiR / CVTZ Data Analytical Reports or Additional Custom Built Products, attempt to access, imitate, derive or discover any source code thereof or otherwise disclose, modify, alter or circumvent and KiR / CVTZ authentication, verification or security protocols; (ii) upload any User Data or any content, data or information that is unlawful, harmful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another’s privacy or right of publicity, hateful, or racially, ethnically or otherwise objectionable; (iii) infringe the intellectual property rights of any third party in connection with Your unauthorized use of the ICM Service, User Software, Configuration, KiR / CVTZ Data Analytical Reports, Documentation (including by uploading User Data to the ICM Service) or Additional Custom Built Products; (iv) interfere with or disrupt any KiR / CVTZ software, application, data processing, report generation, product development or systems used to host the ICM Service, User Software or other products of KiR / CVTZ, other equipment or networks connected to the ICM Service, or disobey, modify or alter any requirements, procedures, policies or regulations of networks connected to the ICM Service made known to You; (v) license, sell, rent, lease, lend, transfer, outsource, sublicense or otherwise provide access to the ICM Service, User Software, or other products of KiR / CVTZ or utilize the ICM Service for the benefit of a third party, including through a service bureau, commercial time-sharing arrangement, or application service provider (ASP) arrangement; (vi) provide publicly, or make publicly available, any links, hypertext (Universal Resource Locator (URL) address) or otherwise (other than a “bookmark” from a Web browser) to the ICM Service, or any part thereof; (vii) circumvent the User authentication or security of the ICM Service or any host, network, or account related thereto; (viii) perform any penetration testing on or with respect to the ICM Service, including use of any tools, code or instruction intended to manipulate, damage, interfere or tamper with, hack, conduct a denial of service attack, destroy, disrupt, alter, reveal any portion or expose vulnerability or errors of the ICM Service or any product of KiR / CVTZ; (ix) mirror the ICM Service on any server; (x) make any use of the ICM Service that KiR /CVTZ reasonably believes is abusive or that violates any applicable local, state, national, international or foreign law; (xi) fail to use commercially reasonable efforts to prevent the unauthorized license, sale, transfer, lease, transmission, distribution or other disclosure of the ICM Service; or (xii) allow any non-Users to use any User IDs, code(s), password(s), or other mechanisms issued to, or selected by, You for access to the ICM Service. You shall promptly notify KiR / CVTZ after becoming aware of the violation of any of the aforementioned restrictions.
3.7. Responsibilities. You are responsible for all access and use of the ICM Service, Configuration, User Software, Data Analytical Reports and Additional Custom Built Products by You and any person that gains access through You or through Your User IDs. You shall be solely responsible for ensuring the delivery or transmission of the requested User Data to KiR / CVTZ, including the accuracy, timeliness, completeness, reliability, relevance and applicability of the User Data. You shall also be solely responsible for Your failure to download and use any Update that was made available by KiR / CVTZ or if You permit an unauthorized individual to use Your account credentials in order to gain access and use the ICM Service or User Software. You agree to provide at its own expense the necessary electric service, wiring, computer equipment and data communication line access for access to the Services.
3.8. User IDs. Your rights to utilize the ICM Service cannot be shared or used by more than one individual. You must not and will ensure that Users do not permit any other individual or entity to access (through User ID and password sharing or otherwise) the ICM Service or User Software. You may on a permanent basis transfer a User’s access right purchased by You to another User; provided that You submit a transfer request to and obtain a new User ID from KiR / CVTZ and the original User is no longer a User and is not permitted access to the ICM Service or User Software.
3.9. Feedback. You are not required to provide KiR / CVTZ any feedback, comments or suggestions about the ICM Service or any of KiR / CVTZ’s technologies, products, or services (“Feedback”). However, if You provide Feedback, You agree that even if it is designated confidential, the Feedback is not confidential and KiR / CVTZ is free to use, disclose, reproduce, license or otherwise distribute the Feedback without any obligations or restrictions of any kind, including intellectual property rights.
3.10. Expanding the User Base. Once You as a Project Participant become a User and receive an assigned User account to access the ICM Service, You are encouraged to identify other Project Participants for the Project and provide their respective contact information to the ICM Service. The ICM Service will then automatically contact those Project Participants so that all Project Participants involved in a currently designated Project are invited to become Users. You represent that You will make the effort to provide the contact information of Your Project colleagues to KiR / CVTZ through the ICM Service and that You have received valid authorizations from such Project Participants to have their personal data shared with KiR / CVTZ for the purpose of being invited to be a User of the ICM Service.
3.11. Updates and Changes. You shall use commercially reasonable efforts to promptly download any Updates that KiR / CVTZ makes available. You acknowledge that KiR / CVTZ reserves the right to update and change the ICM Service, Configuration, User Software, KiR / CVTZ Data Analytical Reports, Additional Services and Additional Custom Built Products, including discontinuing, limiting or modifying their features, capabilities and functions or otherwise suspend, alter or limit any service, application, user interface or report in order to prevent harm to KiR / CVTZ’s systems, a User’s system or to any third-party, within KiR / CVTZ’s sole discretion and without providing any advance notice.
4. User Data.
4.1. Title to and Storage of User Data. As between the Parties, User retains all title and ownership in the User Data. KiR / CVTZ will take the security measures outlined in Exhibit A with respect to the storage and transmission of User Data to KiR / CVTZ.
4.2. Access Rights to and Duty to Update User Data. You hereby grant KiR / CVTZ a non-exclusive, worldwide, royalty-free, fully paid-up, perpetual, irrevocable, sub-licensable and transferable license and right to access, store, use, reproduce, distribute to other Users, make derivative works of, perform and display the User Data made available to KiR / CVTZ by User for the purposes of providing the ICM Service and delivering KiR / CVTZ Data Analytical Reports, Additional Services and Additional Custom Built Products to You and to other Users. You agree to promptly notify KiR / CVTZ should there be any updates or amendments to the User Data and upon notification, You shall also make such data immediately available to KiR / CVTZ in accordance with the provisions of this Agreement. If User furnishes to KiR / CVTZ any content or materials (including graphics, logos, trademarks, etc.) other than User Data (collectively “User Materials”), KiR / CVTZ may also use, reproduce, perform and display the User Materials in connection with the provision of the ICM Service and for the delivery of KiR / CVTZ Data Analytical Reports, Additional Services and Additional Custom Built Products under this Agreement.
4.3. White Labeling. You agree that KiR / CVTZ and its Affiliates may reference You as a KiR / CVTZ customer and/or the provider of the ICM Service (including using and displaying Your name and logos), including on KiR / CVTZ’s web site or the web site of any Affiliates of KiR / CVTZ. KiR / CVTZ will comply with Your reasonable written instructions that are provided to KiR / CVTZ related to such use of name and logos.
4.4. Configuration Requirements. You are solely responsible for and will comply with the Configuration Requirements in Exhibit B.
5. Pricing and Payment.
5.1. The KiR Platform is free for many of the services provided to its community members and allows the members to also onboard projects specs, scope and specifiers that allow validation of any proposed project.
5.2. Project submissions for collaboration and/or financing under various PPP Platforms may incur additional fees established by the various participating banks or other financiers.
5.3. Fees. KiR / CVTZ Network members agree to pay any and all fees that may be required in excess of the free tools / services provided by KiR. Payment of all such fees shall be made in US currency and in accordance with the terms set forth in this Section and in Exhibit C and Exhibit C-1.
5.4. The Member / User understands that any projects onboarded and then submitted through the KiR / CVTZ Platform, are subject to the following:
-
All Contract Fees are paid as authorized funds are disbursed through the platform as part of a project contract administration. Contract fees are 2.8% of the authorized disbursements where no build partner is involved and 3.5% in situations where there is a build partner providing additional services to the project.
-
All membership Subscription Fees are paid monthly using User credit card information that CVTZ maintains on file.
-
Advertising Fees are paid on submission at the current market rates within the KiR / CVTZ Platform.
-
Other fees may be applicable if the User / Member decides to use other software partner products available through KiR / CVTZ marketplace.
-
Other services added to the KiR / CVTZ platform as allowed in this agreement, may incur additional fees which will be identified when the services become available to Members / Users.
5.5. If Member / User who is involved in a an active project is found to be the cause of delay in performing its obligations or work, or cause any delay in the performance of obligations or work by others, or otherwise fail to perform its obligations under this Agreement, Member / User maybe subject to liquidated damages (whether direct, liquidated, consequential, incidental or otherwise) assessed against or suffered by other ecosystem project participants, including but not limited to, any increased general conditions costs. The Agreement contains a liquidated damages clause in the amount of $ 5,500 per day or as pre-determined by the project ownership. Should the Member / User default in the proper performance of their obligations or work, thereby causing delay to the entire work, the Member / User shall be liable for any and all loss and damages including liquidated damages sustained therefore by KiR / CVTZ. The Member / User shall not be liable under this Paragraph if the Agreement allows relief for such default caused by strikes, lockouts, acts of God, or other reasons beyond the control of Member / User, concerning which, however, notice of occurrence of same shall be given in writing immediately by Member / User to KiR / CVTZ. Member / User shall not make any claims against KiR / CVTZ for any delay caused by any action or order of KiR / CVTZ, and Member / User expressly waives all claims for damages for any such delays, except for remedies allowed in the Agreement.
5.6. Except as specifically provided to the contrary in this Agreement, in the event of the cancellation, completion of, expiration or termination of this Agreement, all monies paid or due or owing to KiR / CVTZ by You shall be deemed non-refundable. You agree to immediately provide to KiR / CVTZ new credit card information if the existing card on file should be cancelled or expired. Any reduction in the number of Users or purchased licensed seats as described in Exhibit C shall take effect as of the commencement of the next Renewal Term. KiR / CVTZ will not be required to issue any invoices to You for the membership Subscription Fee or any other fees either for the Initial Term or for any Renewal Term. For any amount not paid when due, KiR / CVTZ may charge a 1.5% per month finance charge or, if lower, the maximum amount allowed by law. You will reimburse CVTZ for its costs incurred (including reasonable attorney’s fees) in the collection of Your past due amounts. You will be responsible for all travel, accommodation and meal expenses incurred in connection with any on-site training or instruction or attendance at board meetings at Your request. All amounts payable to KiR / CVTZ hereunder are payable in full in United States Dollars without deduction or set off, and shall be in addition to all taxes, bank fees or duties, including any foreign withholding taxes which are also Your sole responsibility.
5.7. Taxes. You are responsible for payment of all applicable value-added, sales, use, license and other transaction-based taxes (such as gross receipts, excise taxes or foreign withholding taxes) and all applicable export and import fees, customs duties, and similar charges (other than taxes based on KiR / CVTZ's net income) which are levied or imposed by reason of the transactions contemplated by this Agreement. You agree to pay all taxes levied by a duly constituted taxing authority against or upon the products and services provided pursuant to this Agreement, or arising out of this Agreement (exclusive, however, of taxes based on KiR / CVTZ’s net income) regardless of whether such taxes become due or payable at the time of delivery or use of the ICM Service or at the time of payment of the Subscription Fee or, in any instance, subsequent thereto. You agree to pay any tax for which it is responsible hereunder, which may be levied on or assessed against You directly, and, if any such tax is paid by KiR / CVTZ, to reimburse KiR / CVTZ therefor, upon receipt of proof of payment reasonably acceptable to You. You agree to indemnify, defend and hold CVTZ harmless with respect to all taxes or duties which any foreign, federal, state or local taxing authority that requires KiR / CVTZ to pay on Your behalf.
5.8. Audit. During the Term and for a period of at least three (3) years after termination of the Agreement for any reason, You shall maintain complete and accurate business and accounting records in accordance with generally accepted accounting principles to substantiate Your performance and compliance under the terms of this Agreement, including without limitation, Your compliance with respect to payments, number of licenses purchased and other Agreement and legal requirements. Not more than once per year during the Term and for three (3) years after termination of the Agreement for any reason, KiR / CVTZ itself, or through its agent selected by KiR / CVTZ, shall be permitted access to Your records related to this Agreement in order to determine Your compliance with its obligations, responsibilities, representations and warranties under this Agreement. Notwithstanding the above, KiR / CVTZ may conduct such audit or review more frequently than once per year upon any reasonably suspected breach of this Agreement by You. Any such audit or review may be conducted during Your normal business hours upon providing reasonable advance written notice to You. KiR / CVTZ agrees to exercise commercially reasonable efforts to minimize any disruption to Your business during the course of such audit or review. You agree to cooperate with KiR / CVTZ and its agent with respect to requests for information and documentation, including requests to correct any deficiencies in compliance that were revealed as a result of conducting the audit or review. KiR / CVTZ reserves the right to suspend or terminate access to or use of any KiR / CVTZ service until the deficiencies have been corrected to KiR / CVTZ’s reasonable satisfaction. CVTZ’s right to audit and review under this Section are without prejudice to KiR / CVTZ’s right to exercise any other rights or remedies under this Agreement. In the event that any such audit or review by KiR / CVTZ or its agent discloses an underpayment, such underpayment shall be promptly paid and, if the amount of such underpayment is greater than 5% of the amount that was due, You shall be responsible for paying the cost of such audit or review.
1. Warranties and Disclaimers.
1.1. KiR / CVTZ Warranty for Software and Services. During the Term, KiR / CVTZ represents and warrants that the ICM™ Service, User Software, Configuration, KiR / CVTZ Data Analytical Reports, Additional Services, and Additional Custom-Built Products will materially conform to the Specifications. The warranty will not apply: (i) if the ICM™ Service, Configuration, User Software, KiR / CVTZ Data Analytical Reports, Additional Services and Additional Custom Built Products are not used in accordance with the Documentation; (ii) if the defect is caused by User Data or User Materials or any third party systems, services, content or products; or (iii) if any unauthorized modification or customization was made to the ICM™ Service, Configuration, User Software, Data Analytical Reports, Additional Services or Additional Custom Built Products.
1.2. Remedy for Breach of Warranty. If notified in writing of a valid warranty claim under Section 6.1, KiR / CVTZ will, at its option, (i) correct the non-conforming ICM™ Service, Configuration, User Software, KiR / CVTZ Data Analytical Report, Additional Service or Additional Custom Built Product so that it materially complies with the Specifications; (ii) provide a replacement with substantially equivalent functionality; or (iii) terminate or cancel this Agreement or any portion thereof and refund a pro-rata portion of any prepaid Subscription Fee based on the number of months remaining in the Initial Term or Renewal Term as of the date that USER provided written notice of the warranty claim under Section 6.1. This Section states KiR / CVTZ's entire liability and USER’s sole and exclusive remedy for breach of warranty under Section 6.1.
1.3. Viruses. KiR / CVTZ will take reasonable precautions to protect against any person acting by, under, or through KiR / CVTZ from introducing any software virus, worm, “back door,” “Trojan Horse,” or similar harmful code into the User Software.
1.4. KiR / CVTZ WARRANTY DISCLAIMERS. EXCEPT AS SPECIFICALLY PROVIDED IN THIS SECTION 6, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ICM™ SERVICE, USER SOFTWARE, CONFIGURATION, KIR / CVTZ DATA ANALYTICAL REPORTS, ADDITIONAL SERVICES, AND ADDITIONAL CUSTOM BUILT PRODUCTS ARE PROVIDED “AS IS” ON AN “AS AVAILABLE” BASIS WITHOUT ANY REPRESENTATIONS OR WARRANTIES WHATSOEVER. KIR / CVTZ DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT AND NON-INFRINGEMENT OR WARRANTIES ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE. KIR / CVTZ MAKES NO WARRANTY THAT THE ICM™ SERVICE, USER SOFTWARE, CONFIGURATION, KIR / CVTZ DATA ANALYSIS REPORTS, ADDITIONAL SERVICES, ADDITIONAL CUSTOM BUILT PRODUCTS, ANY THIRD PARTY PRODUCT, SERVICE OR CONTENT USED THEREIN, ANY INFORMATION OR DATA ACCESSED OR STORED BY KIR / CVTZ OR ANY MEDIA ON OR THROUGH WHICH THE ICM™ SERVICE, USER SOFTWARE, CONFIGURATION, KIR / CVTZ DATA ANALYTICAL REPORTS, ADDITIONAL SERVICES, ADDITIONAL CUSTOM BUILT PRODUCTS ARE PROVIDED WILL OPERATE WITHOUT INTERRUPTION, MEET USER’S OR ANY OTHER USERS’ REQUIREMENTS OR BE ACCURATE, TIMELY, COMPLETE, CURRENT, ERROR-FREE OR FREE OF HARMFUL COMPONENTS, RELIABLE, USEFUL OR AVAILABLE. USER ACKNOWLEDGES THAT ALL USE OF THE ICM™ SERVICE, USER SOFTWARE, CONFIGURATION, KIR / CVTZ DATA ANALYTICAL REPORTS, ADDITIONAL SERVICES, AND ADDITIONAL CUSTOM-BUILT REPORTS, INCLUDING USE OF ANY THIRD-PARTY PRODUCTS, SERVICES, AND CONTENT THEREIN IS ENTIRELY AT USER’S OWN RISK AND THE RISK OF EACH USER. IF A PARTICULAR JURISDICTION DOES NOT ALLOW FOR THE EXCLUSION OF A WARRANTY, THAT WARRANTY WILL BE LIMITED TO THE MINIMUM PERIOD OF TIME REQUIRED BY LAW STARTING AS OF THE EFFECTIVE DATE, AND THE INVALIDITY OF THE DISCLAIMER WILL NOT AFFECT ANY OTHER DISCLAIMER OR LIMITATION CONTAINED IN THIS AGREEMENT.
1.5. USER’s Additional Warranties. USER additionally represent and warrant to KiR / CVTZ that the exercise by KiR / CVTZ of the license rights granted it with respect to the User Data and User Materials provided by USER in connection with KiR / CVTZ providing the ICM™ Service and delivering KiR / CVTZ Data Analytical Reports, Additional Services and Additional Custom Built Products under this Agreement (i) does not and will not infringe upon, misappropriate or other otherwise violate any U.S. or foreign intellectual property right, data privacy or publicity right of any third party or otherwise violate the law or regulation of any country or jurisdiction; (ii) that the collection and sharing with, use and transmission of such User Data and User Materials to KiR / CVTZ for the purpose of offering the ICM™ Service, KiR / CVTZ Data Analytical Reports, Additional Services and Additional Custom Built Products to USER and to other Users does not violate any foreign, international, national, state, regional and local law, rules, regulations and applicable industry standards (collectively “Applicable Laws”), with no third party consents yet to be obtained; (iii) that USER are in compliance with all Applicable Laws; (iv) that USER have all legal right, power, permission and authority to grant the rights granted to KiR / CVTZ under this Agreement and for KiR / CVTZ to use, store, process and share the User Data with other Users and with other third party service providers in order to provide the ICM™ Service, KiR / CVTZ Data Analytical Reports, Additional Services and Additional Custom Built Products to USER and other Users; (v) that the User Data provided to KiR / CVTZ for any designated Project are the true and complete copies of what the data purports to show and USER are not aware of any defects, compromises or inaccuracies in the User Data; (vi) that USER will promptly notify KiR / CVTZ if any User submits a valid legally permitted request to cease, suspend, restrict process, erase, delete or remove his/her data from the User Data shared by USER with KiR / CVTZ and that USER will work with KiR / CVTZ cooperatively to respond to such requests; (vii) that USER will maintain and preserve written and electronic books and records demonstrating compliance with Applicable Laws with respect to the provision of User Data to KiR / CVTZ and will provide KiR / CVTZ with access to such records upon KiR / CVTZ’s reasonable request; (viii) that USER have implemented appropriate technical and organizational measures to maintain the security and integrity of the User Data transmitted to KiR / CVTZ; and (ix) that either Party’s performance under this Agreement will not violate or breach any other agreement that USER may have entered into with a third party.
2. Indemnification by KiR / CVTZ. KiR / CVTZ will hold harmless and indemnify USER, USER’s officers, directors, and employees (collectively “User Indemnitees”), against any bonafide third-party claim, suit, action, fines, penalties, damage, loss, or liability, including reasonable attorney fees (collectively “Third Party Claim”) arising from USER’s access and use of the User Software, ICM™ Service or Additional Custom Built Products in accordance with this Agreement if such access and use infringes upon a validly existing United States trademark, copyright, patent right or other US proprietary right of a third party. KiR / CVTZ shall pay any final judgment awarded or KiR / CVTZ negotiated settlement. KiR / CVTZ’s obligations under this Section are conditioned upon USER providing to KiR / CVTZ (i) prompt written notice of any Third Party Claim; (ii) sole and exclusive control over the defense and settlement of the Third Party Claim; and (iii) such cooperation as KiR / CVTZ may reasonably request with respect to the defense or settlement of such Third Party Claim. KiR / CVTZ will defend any Third-Party Claim with counsel of its own choosing and settle such Third-Party Claim as KiR / CVTZ deems appropriate. At its discretion and expense, USER may participate in the defense with counsel of USER’s own choosing and at USER’s own cost and expense. User Indemnitees will not admit liability, take any position adverse or contrary to KiR / CVTZ, or otherwise attempt to settle any Third-Party Claim without the express written consent of KiR / CVTZ. If, in KiR / CVTZ’s sole opinion, a Third Party Claim may have validity, then KiR / CVTZ may modify the User Software, ICM™ Service, and/or Additional Custom Built Products to make them non-infringing, procure any necessary license, or replace the affected item with one that is reasonably equivalent in function and performance. Only if KiR / CVTZ determines in its sole opinion that none of these alternatives are reasonably available, then KiR / CVTZ may terminate this Agreement, User Indemnitees will discontinue using the allegedly infringing User Software, ICM™ Service and/or Additional Custom-Built Products and KiR / CVTZ will issue USER a pro-rata refund of any prepaid Subscription Fees based on the number of months remaining in the then-current Initial Term or Renewal Term. This Section states KiR / CVTZ’s entire liability and USER’s sole and exclusive remedy for Third Party Claims.
3. Indemnification by USER. USER will hold harmless and indemnify KiR / CVTZ, its Affiliates, officers, directors and employees (collectively “KiR / CVTZ Indemnitees”) against, any third-party claim, suit, action, fines, penalties, damage, loss or liability (collectively “Third Party Claim”) including reasonable attorney fees arising from: (i) the User Data and User Materials provided and licensed to KiR / CVTZ by USER or KiR / CVTZ’s compliance with any of USER’s designs, specifications, instructions, or technical information; (ii) modifications to the User Software, Configuration, KiR / CVTZ Data Analytical Reports, ICM™ Service, Additional Services or Additional Custom Built Products not made or authorized by KiR / CVTZ; (iii) USER’s use of the User Software or ICM™ Service that is non-compliant with the Configuration Requirements in Exhibit B; (iv) use of the User Software, Configuration, KiR / CVTZ Data Analytical Reports, ICM™ Service, Additional Services or Additional Custom Built Products that is non-compliant with the Documentation or in any manner that is not authorized or permitted by this Agreement; (v) USER’s use of the User Software, Configuration, ICM™ Service, KiR / CVTZ Analytical Reports, Additional Services or Additional Custom Built Products with any other software, hardware, application, system or services that are not provided or authorized by KiR / CVTZ; (v) breach by USER of any of USER’s representations, warranties, responsibilities and/or obligations under this Agreement or USER’s violation of any foreign, international, national, state or local law; or (vi) USER’s failure to implement changes recommended by KiR / CVTZ if the Third Party Claim would have been avoided by the implementation of the change. USER agrees that KiR / CVTZ Indemnitees and its counsel will have the right to participate in the defense of any Third Party Claim and its own cost and expense and that the Third Party Claim will not be settled without KiR / CVTZ’s consent.
4. DISCLAIMER OF CERTAIN DAMAGES. IN NO EVENT WILL KIR / CVTZ OR ITS AFFILIATES BE LIABLE OR RESPONSIBLE TO THE USER FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES; FOR LOSS OF PROFITS, INVESTMENTS OR OPPORTUNITIES, BUSINESS, GOODWILL, ANTICIPATED SAVINGS, USE OR PRIVACY; LOSS, DESTRUCTION, DAMAGED OR CORRUPTION OF DATA, CONFIDENTIAL OR OTHER INFORMATION; OR PERSONAL INJURY, PROPERTY DAMAGE OR BUSINESS INTERRUPTION ARISING OUT OF OR IN ANY WAY RELATED TO THIS AGREEMENT, THE ICM™ SERVICE, USER SOFTWARE, CONFIGURATION, KIR / CVTZ DATA ANALYTICAL REPORTS, ADDITIONAL SERVICES OR ADDITIONAL CUSTOM BUILT PRODUCTS OR ANY THIRD PARTY PRODUCT, SERVICE OR CONTENT USED THEREIN. IN NO EVENT SHALL KIR / CVTZ OR ITS AFFILIATES BE HELD LIABLE FOR ANY LOSS, DAMAGE OR INJURY OR ANY FAILURE, DELAY OR DEFECT CAUSED BY THE ACTS, ERRORS, OMISSIONS, ILLEGAL OR UNETHICAL BUSINESS PRACTICES OF USER, OTHER USERS OR OTHER THIRD PARTIES. MOREOVER, IN NO EVENT SHALL KIR / CVTZ OR ITS AFFILIATES BE HELD LIABLE FOR ANY LOSS, DAMAGE OR INJURY ASSOCIATED OR IN CONNECTION WITH (A) USER’S INABILITY TO USE ANY KiR / CVTZ PRODUCT, SERVICE OR APPLICATION AS A RESULT OF ANY (I) TERMINATION OR SUSPENSION OF THIS AGREEMENT OR USE OF OR ACCESS TO THE KiR / CVTZ PRODUCTS, SERVICES OR APPLICATIONS, (II) KiR / CVTZ’S DISCONTINUATION OR LIMITATION OF ANY OR ALL OF THE KiR / CVTZ PRODUCTS, SERVICES OR APPLICATIONS, OR (III) WITHOUT LIMITING ANY OBLIGATIONS UNDER ANY SERVICE LEVEL AGREEMENT, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A PORTION OF THE KiR / CVTZ PRODUCTS, SERVICES OR APPLICATIONS FOR ANY REASON; (B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (C) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY USER IN CONNECTION WITH THIS AGREEMENT OR FOR ITS USE OF OR ACCESS TO THE KiR / CVTZ PRODUCTS, SERVICES OR APPLICATIONS; (D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY OF USER’S OWN USER DATA OR OTHER DATA TO BE STORED OR MAINTAINED ON USER’S SYSTEMS; OR (E) THE PROJECT(S), INCLUDING ANY LOSS, DAMAGE OR INJURY INVOLVING THE PROJECT SITE, PROJECT DEFECTS, DELAYS, COST OVERRUNS OR RESULTS ACHIEVED OR NOT ACHIEVED WITH RESPECT TO THE PROJECT(S). THE FOREGOING DISCLAIMERS WILL APPLY EVEN IF KIR / CVTZ AND ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF THE DAMAGES, THE LIMITED REMEDIES SET FORTH HEREIN FAIL OF THEIR ESSENTIAL PURPOSE, AND REGARDLESS OF WHETHER THE LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, PRODUCT LIABILITY OR OTHERWISE.
5. LIMITATIONS OF LIABILITY. IN NO EVENT WILL THE AGGREGATE LIABILITY OF KIR / CVTZ OR ITS AFFILIATES (TO THE EXTENT NOT DISCLAIMED UNDER SECTION 9) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT EXCEED THE FEES RECEIVED BY KIR / CVTZ FROM USER UNDER THIS AGREEMENT DURING THE THREE (3) MONTHS IMMEDIATELY PRIOR TO THE TIME AT WHICH THE LOSS, COST, CLAIM OR DAMAGES AROSE OR $25,000 DOLLARS, WHICHEVER IS GREATER. THE EXISTENCE OF MULTIPLE CLAIMS OR SUITS UNDER OR RELATED TO THIS AGREEMENT, THE ICM™ SERVICE, CONFIGURATION, THE USER SOFTWARE, KIR / CVTZ DATA ANALYTICAL REPORTS, ADDITIONAL SERVICES OR ADDITIONAL CUSTOM-BUILT PRODUCTS OR ANY THIRD PARTY PRODUCTS, SERVICES OR CONTENT USED THEREIN WILL NOT ENLARGE OR EXTEND THE LIMITATION ON MONEY DAMAGES WHICH ARE USER’S SOLE AND EXCLUSIVE REMEDY. WITHOUT LIMITING THE FOREGOING, IN NO EVENT WILL KIR / CVTZ OR ITS AFFILIATES BE LIABLE FOR LOSS, CORRUPTION OR COMPROMISE OF THE CONFIDENTIALITY OR DATA PRIVACY OF USER DATA, UNLESS THE LOSS, CORRUPTION OR COMPROMISE IS DUE SOLELY TO KIR / CVTZ’S BREACH OF SECTION 4.1 OR SECTION 12, KIR / CVTZ’S NEGLIGENCE, OR KIR / CVTZ’S INTENTIONAL MISCONDUCT.
6. Termination; Effect Upon Termination. Either Party may terminate this Agreement if the other Party materially breaches this Agreement and fails to cure the breach (if the breach is curable) within thirty (30) days after receiving the non-breaching Party’s written notice specifying the breach. Notwithstanding the foregoing, USER acknowledges that KiR / CVTZ may be immediately and irreparably harmed in the event of USER’s breach of Sections 3, 12, 13 or any infringement or violation of any intellectual property rights of KiR / CVTZ, and should such a breach or claim arise, money damages or legal remedies may not by itself be a sufficient or adequate remedy. Accordingly, USER acknowledges that KiR / CVTZ may immediately suspend USER’s account including access to and use of the ICM™ Service, the Configuration, the User Software, the KiR / CVTZ Data Analytical Reports, Additional Services and/or Additional Custom Built Products and for any particular Project or any portion of any particular Project or terminate USER’s account or this entire Agreement immediately or any particular Project or any portion of any particular Project (within KiR / CVTZ’s sole discretion) including pursuing injunctive remedies, upon providing written notice to USER if USER breach Section 12 (Confidentiality), Section 13 (Interference), Section 3 (Service Access Rights; Intellectual Property; Restrictions and Responsibilities) or USER otherwise infringe or encourage, contribute or induce others to infringe or violate any intellectual property rights of KiR / CVTZ. Either Party may terminate this Agreement immediately (i) upon the institution by or against the other Party of insolvency, receivership, or bankruptcy proceedings or any other proceedings for the settlement of such Party’s debts; (ii) upon the other Party making an assignment for the benefit of creditors; or (iii) upon the other Party’s dissolution or ceasing to do business. KiR / CVTZ shall also have the right to terminate this Agreement upon convenience by providing USER with sixty (60) days advance written notice. Upon suspension or termination of this Agreement for any reason, all rights and licenses granted to USER will be suspended or be terminated, as applicable, and USER will immediately cease all access and use of the ICM™ Service, User Software, Additional Services, and Additional Custom-Built Products, and pay all unpaid fees. The Parties agree that the license to User Data granted to KiR / CVTZ shall be deemed to be, for the purposes of Section 365(n) of the U.S. Bankruptcy Code, a license of right to “intellectual property” as defined in Section 101 of such Code and accordingly, KiR / CVTZ may elect to retain its right as a licensee to such data notwithstanding the bankruptcy of Build Partner. Should this Agreement terminate for any reason, Sections 1, 3.5, 3.6, 4.1, 4.2 (license grant) and Sections 5 through 17 will survive, including Exhibits E and F.
7. Confidentiality. USER will retain in confidence the terms and pricing of this Agreement and all other non-public information, technology, and materials (including information and documentation about the ICM™ Service, User Software, Configuration, Documentation, KiR / CVTZ Data Analytical Reports, Additional Services, and Additional Custom Built Products) provided by KiR / CVTZ during the Term (KiR / CVTZ’s “Confidential Information”). Kir / CVTZ shall retain in confidence the User Data (USER’s “Confidential Information”). Each Party will not disclose the Confidential Information of the other to any third party except for those provided under this Agreement or use it for any purpose other than to carry out the activities contemplated under this Agreement. Each Party may only disclose the other’s Confidential Information to its employees or third parties who assist with the operation of this Agreement (e.g., other Users, contract developers, service providers, etc.), who have a need to know in connection with this Agreement and who have agreed to obligations of confidentiality that are no less restrictive than the obligations in this Agreement. Each Party will take reasonable steps, and in no event will those steps be any less secure than the steps it uses to protect its own similar information to ensure that the other’s Confidential Information is protected. Each Party is responsible for the actions or inactions of its employees and advisors with respect to the use and disclosure of the other’s Confidential Information. The restrictions set forth in this paragraph will not apply to any information that: (a) was known by the receiving Party without obligation of confidentiality prior to disclosure by the disclosing Party; (b) was in or entered the public domain through no fault of the receiving Party; (c) is disclosed to the receiving Party by a third party legally entitled to make the disclosure without violation of any obligation of confidentiality; or (d) is independently developed by the receiving Party without reference to any Confidential Information. To the extent that Confidential Information is required by applicable law or regulations to be disclosed, a receiving Party may disclose such information after providing to the disclosing Party, to the extent permitted by law, prompt notification of such request for disclosure for the purpose of challenging such request. If KiR / CVTZ is required by law to disclose any portion of the User Data or is so directed by USER, USER shall pay any reasonable fees associated with complying with such disclosure. The Parties agree that any violation or threatened violation of this Section will cause irreparable injury to the disclosing Party for which money damages would be an insufficient remedy. Therefore, the disclosing Party will be entitled to seek injunctive relief without the necessity of posting bond or proving actual damages, in addition to other appropriate legal remedies.
8. Non-Interference. USER acknowledges that KiR / CVTZ's relationships with its directors, employees, agents, suppliers, clients, and customers are valuable business assets. Accordingly, USER agrees that, during the Term and for one (1) year after termination of the Agreement for whatever reason, USER shall not (for itself, for its Affiliates, or any third party) divert or attempt to divert, directly or indirectly, from KiR / CVTZ or its Affiliates any business, employee, director, agent, supplier, client or customer, through solicitation of employment, employment, retention or otherwise. USER further acknowledges that USER’s engagement or participation, directly or indirectly, in any business in competition with KiR / CVTZ or its Affiliates would inherently cause damage and diminished value to KiR / CVTZ’s global business. Accordingly, to prevent any such damage or loss of value, USER agrees that USER shall not, during the Term and for one (1) year after this Agreement is terminated for whatever reason, engage or participate, directly or indirectly, in any business that is directly or indirectly competitive to KiR / CVTZ’s business or global partnerships and ventures. Prior to any such engagement or participation in any such competitive business, USER shall notify KiR / CVTZ and shall give KiR / CVTZ a reasonable opportunity to determine the degree of any such damage or loss of value.
9. Data Privacy. It is the intent of the Parties to comply with all applicable data privacy and protection laws with respect to the collection, use, storage, processing, and sharing of personal information and personal data of individuals and businesses, as may be applicable under these laws. The privacy policy of KiR / CVTZ can be found at https://covenantz.com/privacy-policy , which may be amended from time to time. Any additional contract provisions of this Agreement relating to KiR / CVTZ’s processing of personal information of California consumers under the California Consumer Privacy Protection Act, effective January 1, 2020 (“the CCPA”) are referenced in Exhibit E (CCPA Addendum). The additional contract provisions of this Agreement relating to the processing by KiR / CVTZ of personal data of individuals who are located in a member country of the European Union, the UK, Iceland, Liechtenstein, Norway, or Switzerland under the General Data Protection Regulation, effective May 25, 2018 (“the GDPR”) are referenced in Exhibit F (GDPR Data Protection Addendum).
10. Data Breach. Should there be a security breach of or unauthorized access to any User Data, each Party shall notify the other without undue delay of any actual or suspected breach of confidentiality or data security involving the User Data as soon as a Party becomes aware. Each Party shall also cooperate with the other Party in promptly investigating such breach, hack, or unauthorized access (collectively “Data Breach”), deploy diligent efforts to remedy the Data Breach, preserve all evidence and records relating to the Data Breach, and develop a root cause and impact assessment and future mitigation plan as soon as possible. The Parties agree to work together to determine the best timing, content, and method for Data Breach notification under applicable law to government authorities and/or Users. Each Party shall bear its own costs and expenses incurred in investigating or reporting the breach, including notification costs and costs to obtain credit monitoring services and identity theft insurance for affected individuals unless it can be established that the Data Breach was the result of the fault, negligence or intentional misconduct of a particular Party in which case that Party shall remain liable for all such costs.
11. Insurance. During the Term of this Agreement and for at least one (1) year after its termination for any reason, each Party shall maintain, at its own expense, an adequate level of insurance coverage under one or more of the following insurance policies: Commercial General Liability Insurance, Professional Liability Insurance, bonding as applicable and Cyber Liability/Data Breach Insurance).
12. Miscellaneous.
12.1. Amendments. This Agreement, including the incorporated Exhibits and monthly membership Subscription Fees and fees for any Additional Services or Additional Custom-Built Products, may be amended, changed, updated, or modified (collectively “Revision(s)”) within KiR / CVTZ’s sole discretion. If a Revision is material, KiR / CVTZ will provide at least thirty (30) days general notice posted on the KiR / CVTZ website prior to the new terms taking effect, unless it is a price change applicable only to USER, in which case KiR / CVTZ will provide USER with at least thirty (30) days prior personal notice. What constitutes a material Revision will be determined within Our sole discretion. By continuing to access and use the ICM™ Service after the Revision becomes effective, USER agrees to be bound by the Revised terms. If USER does not agree to the new terms, USER is no longer authorized to use the ICM™ Service, and this Agreement shall automatically terminate in accordance with its terms.
12.2. Waiver. All waivers under this agreement must be in writing to be effective. No waiver by a Party of any default or breach will be deemed a waiver of any subsequent default or breach. No failure or delay by a Party to exercise any right it may have due to the default or breach of the other Party will operate as a waiver of such default or breach or prevent the exercise of any right of such Party or the enforcement of any obligation of the other Party, under this Agreement.
12.3. Severability/Interpretation of Agreement. If any provision of this Agreement is found to be invalid or unenforceable by any court of competent jurisdiction, the provision will be enforced to the fullest extent permissible to effect the Parties’ intent, and the invalidity or unenforceability will not operate to invalidate the remaining provisions of this Agreement. This Agreement will be interpreted according to the plain meaning of its terms without any presumption that it should be construed in favor of or against either Party. Any list of examples following “including” or “e.g.,” is illustrative and not exhaustive unless qualified by terms like “only” or “solely.” Unless stated otherwise, all references to sections, parties, terms, Exhibits, and similar references are to the sections of Parties to, terms of, and Exhibits to this Agreement. All captions and headings are intended solely for the Parties’ convenience, and none will affect the meaning of any provision. The words “herein,” “hereof,” and words of similar meaning refer to this Agreement as a whole, including its exhibits. All references to “days” refer to calendar days unless otherwise expressly set forth in this Agreement.
12.4. Governing Law. The interpretation of this Agreement and all matters related to this Agreement will be construed in accordance with the laws of the State of Washington, USA, without reference to the choice-of-law provisions of Washington law. The Parties further agree that the Uniform Computer Information Transactions Act (UCITA) and the Convention on Contracts for the International Sale of Goods do not apply and are expressly excluded from this Agreement.
12.5. DISPUTE RESOLUTION BY MANDATORY BINDING DOMESTIC OR INTERNATIONAL ARBITRATION (AS APPLICABLE) AND CLASS ACTION WAIVER. PLEASE READ THIS DOMESTIC AND INTERNATIONAL ARBITRATION PROVISION CAREFULLY TO UNDERSTAND THE USER’S AND, AS APPLICABLE, THE USER’S BUSINESS RIGHTS. EXCEPT WHERE PROHIBITED BY LAW, THE USER AND THE USER’S BUSINESS AGREE THAT ANY CLAIM THAT THE USER OR USER’S BUSINESS MAY HAVE IN THE FUTURE MUST BE RESOLVED THROUGH FINAL AND BINDING CONFIDENTIAL ARBITRATION. THE USER ACKNOWLEDGES AND AGREES THAT THE USER AND THE USER’S BUSINESS ARE WAIVING THE RIGHT TO A TRIAL BY JURY. THE RIGHTS THE USER AND THE USER’S BUSINESS WOULD HAVE IF THE USER WENT TO COURT, SUCH AS DISCOVERY OR THE RIGHT TO APPEAL, MAY BE MORE LIMITED OR MAY NOT EXIST. THE USER AGREES THAT THE USER AND THE USER’S BUSINESS MAY ONLY BRING A CLAIM IN AN INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF (LEAD OR OTHERWISE) OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. USERS FURTHER AGREE THAT THE ARBITRATOR MAY NOT CONSOLIDATE PROCEEDINGS OR CLAIMS OR OTHERWISE PRESIDE OVER ANY FORM OF A REPRESENTATIVE OR CLASS PROCEEDING. THERE IS NO JUDGE OR JURY IN ARBITRATION, AND COURT REVIEW OF AN ARBITRATION AWARD IS LIMITED. HOWEVER, AN ARBITRATOR CAN AWARD ON AN INDIVIDUAL BASIS THE SAME DAMAGES AND RELIEF AS A COURT (INCLUDING INJUNCTIVE AND DECLARATORY RELIEF OR STATUTORY DAMAGES) AND MUST FOLLOW THESE TERMS AS A COURT WOULD. USERS UNDERSTAND THAT THE USER AND THE USER’S BUSINESS WOULD HAVE HAD A RIGHT TO LITIGATE THROUGH A COURT, TO HAVE A JUDGE OR JURY DECIDE THE USER’S CASE, AND TO BE PARTY TO A CLASS OR REPRESENTATIVE ACTION. HOWEVER, USERS UNDERSTAND AND AGREE TO HAVE ANY CLAIMS DECIDED INDIVIDUALLY AND ONLY THROUGH BINDING, FINAL, AND CONFIDENTIAL ARBITRATION IN ACCORDANCE WITH THIS DOMESTIC AND INTERNATIONAL ARBITRATION PROVISION.
If the Party has a complaint, dispute, or controversy with the other Party, the Parties agree to contact one another to attempt to resolve the dispute or controversy informally. The Parties agree that any claim arising out of or related to this Agreement that is not resolved through such informal process or through negotiation within 120 days shall be resolved by binding, confidential arbitration administered by the American Arbitration Association or by the International Center for Dispute Resolution, a division of the American Arbitration Association should USER be a foreign organization (collectively “AAA”) in accordance with the applicable AAA Arbitration Rules and judgment on the award rendered may be entered in any court having jurisdiction thereof.
The arbitration will be conducted by a single neutral arbitrator in the English language in Seattle, Washington, USA unless both Parties agree to conduct the arbitration by telephone or through written submissions. The arbitrator shall be selected by agreement of the Parties or, if the Parties cannot agree, chosen in accordance with the rules of the AAA. The arbitration will be conducted in accordance with the provisions of the AAA’s rules and procedures, in effect at the time of submission of the demand for arbitration. The arbitrator shall have the exclusive and sole authority to resolve any dispute relating to the interpretation, construction, validity, applicability, or enforceability of this Agreement, this arbitration provision, and any other terms incorporated by reference into this Agreement. The arbitrator shall have the exclusive and sole authority to determine whether any dispute is arbitrable.
Payment of all filing, administration, and arbitrator fees will be governed by the AAA’s rules. In all other respects, the parties shall each pay their additional fees, costs, and expenses, including, but not limited to, those for any attorneys, experts, documents, and witnesses. The arbitrator shall follow the substantive law of the State of Washington without regard to its conflicts of laws principles. Any award rendered shall include a confidential written opinion and shall be final, subject to appeal under the Federal Arbitration Act, 9 U.S.C. §§ 1-16, as amended. Judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction. USER agrees that any claim by USER will only be arbitrated on an individual basis and shall not be consolidated on a class-wide, representative basis or with any other arbitration(s) or other proceedings that involve any claim or controversy of any other party. USER expressly waives any right to pursue any class or other representative action against KiR / CVTZ. This arbitration provision sets forth the terms and conditions of our agreement to final and binding confidential arbitration and is governed by and enforceable under the Federal Arbitration Act, 9 U.S.C. §§ 1-16, as amended.
Exception to Arbitration for Injunctive Relief. Notwithstanding the above, USER agrees that KiR / CVTZ shall have the right to bring any claim against USER, including without limitation a claim for injunctive relief to prevent or limit irreparable injury to KiR / CVTZ, a claim for breach or threatened breach by USER of the provisions of this Agreement, including a breach or threatened breach of Sections 3, 12, 13 of the Agreement or involving a claim for infringement or threatened infringement by USER of the intellectual property rights of KiR / CVTZ or a third-party, in a court of competent jurisdiction located in Seattle, Washington or in any forum which has personal jurisdiction over Build Partner. USER consents to the personal jurisdiction of and agrees that venue is proper over USER in the U.S. District Court – Western District of Washington for all such claims, and USER forever waive any challenge to said court’s exclusive jurisdiction or venue. In the event of any claim by KiR / CVTZ against USER, the prevailing party shall be entitled to recover its reasonable attorney’s fees, costs, and other expenses.
12.6. Notices. Any notices required or permitted to be given hereunder by either Party to the other will be given in writing (i) by personal delivery, (ii) by bonded courier or a nationally-recognized overnight delivery company, (iii) by prepaid first class, registered or certified mail, postage prepaid, in each case addressed to the other Party at the address set forth on the signature page of this Agreement (or to such other address as the other Party may request in writing by notice given pursuant to this Section) or (iv) by email. Notices will be deemed received: (a) if personally delivered the same day; (b) if sent by courier or overnight delivery company on the second working day after the day it was sent; (c) if sent by mail, five (5) working days following posting; or (d) if sent by email, the date of delivery. Notwithstanding the foregoing, notices terminating this Agreement may not be sent by email.
Notices to Covenantz, Inc.:
Covenantz, Inc.
218 Main Street. Box 379
Kirkland, Washington 98066
Email: Notices@covenantz.com
Notices to USER:
USER acknowledges and agree that the contact information that We have on file for USER shall be deemed the correct contact information for purposes of providing USER with notice under this Agreement.
12.7. Copyright Complaints. We have a policy of limiting access to the ICM™ Service and suspending and/or terminating the accounts of Users who infringe the intellectual property rights of others. If USER believes that anything on our ICM™ Service or on Our website infringes any copyright that USER owns or controls, USER may notify Us at the address indicated in Section 17.6, but please refer to 17 U.S.C. §512(c)(3) for the legal requirements of what constitutes a proper notification to Us. Please also note that if USER knowingly misrepresents that any activity or material on the ICM™ Service or on Our website is infringing, USER may be liable to Us for certain costs and damages.
12.8. Entire Agreement. This Agreement, including all Exhibits (which are incorporated herein by reference and which may be amended or updated from time to time), contains the entire understanding and agreement between KiR / CVTZ and USER with respect to the subject matter of this Agreement and supersedes all other prior and contemporaneous proposals, representations, agreements, understandings, and commitments between KiR / CVTZ and USER with respect to the subject matter of this Agreement. This Agreement supersedes any conflicting terms in USER’s purchase order or other ordering document. Any terms of trade stated or referenced in USER’s purchase order or any other terms to which KiR / CVTZ has not specifically agreed in writing signed by an authorized representative of KiR / CVTZ are not binding on KiR / CVTZ.
12.9. Force Majeure. Neither Party will be responsible for failure of performance, other than for an obligation to pay money, due to causes beyond its control, including but not limited to acts of God or nature; national or international emergency, fires, earthquakes, floods, mud-slides, labor disputes, strikes, boycotts, acts of war, acts of terrorism, sovereign acts of any federal, state, city or foreign governments; network and/or computer failure or shortage of supplied materials, pandemics, epidemics, stay at home or shelter in place orders (“Force Majeure Event”); provided that the affected Party makes a reasonable attempt to remove the impact of the Force Majeure Event as soon as reasonably possible. Either Party will have the right to terminate this Agreement upon written notice if a force majeure occurrence continues to impact the performance of the other Party for more than thirty (30) consecutive days.
12.10. No Assignment or Delegation. USER may not (i) assign this Agreement or rights of access and use to the ICM™ Service, User Software, Additional Services and/or Additional Custom-Built Products, either in whole or in part, or (ii) delegate its duties, or have another assume its responsibilities or liabilities, under this Agreement, to any third party without the prior written consent of KiR / CVTZ. Any attempted assignment in contravention of this provision will be null and void. This Agreement will be binding on all permitted assignees and successors in interest.
12.11. Independent Contractor. KiR / CVTZ is an independent contractor. Nothing in this Agreement will be construed to create a partnership, joint venture, or agency relationship between the Parties, and neither Party will have the power to bind the other with respect to third parties.
12.12. Third-party Beneficiaries. There are no intended third-party beneficiaries to this Agreement.
12.13. Trade Compliance. In connection with this Agreement, each Party will comply with all applicable import, re-import, sanctions, anti-boycott, export, and re-export control laws and regulations, including all such laws and regulations that apply to a U.S. company, such as the Export Administration Regulations, the International Traffic in Arms Regulations, and economic sanctions programs implemented by the Office of Foreign Assets Control. For clarity, USER is solely responsible for compliance related to the way USER chooses to use any of the products or services of KiR / CVTZ, including USER’s transfer and processing of User Data to KiR / CVTZ and any information that is provided to other Users. USER represents and warrants that USER is not subject to sanctions or otherwise designated on any list of prohibited or restricted parties, including but not limited to the lists maintained by the United Nations Security Council, the U.S. Government, the European Union, or its Member States, or other applicable government authority.
12.14. Publicity/Press Releases. USER shall not use KiR / CVTZ’s name, logos, or marks or issue any press release or public communications regarding this Agreement or the subject matter of this Agreement without first obtaining the signed written permission of KiR / CVTZ. All use of KiR / CVTZ’s name, logos, or marks shall inure to the sole benefit of KiR / CVTZ, and any press release or public communication regarding the subject matter of this Agreement shall be approved in advance by KiR / CVTZ.
12.15. Signed Authority. In conjunction with USER’s electronic acceptance of this Agreement, USER hereby represents and warrants that USER has all the necessary authority to enter into and bind USER’s respective Party to this Agreement.
12.16. Electronic Communications. By creating an account with Us, USER consents to receive electronic communications from Us (e.g., via email or by posting notices on the ICM™ Service). These communications may include notices about USER’s account (e.g., payment authorizations, password changes, and other transactional information) and are part of USER’s relationship with Us. USER agrees that any notices, agreements, disclosures, or other communications that We send to USER electronically will satisfy any legal communication requirements, including, but not limited to, that such communications be in writing.
EXHIBIT A
CVTZ SPECIFICATIONS
The ICM™ Service provides an internet-based SaaS platform that allows Users to manage their profiles, products, design components, project workflows, work schedules, costs, risks, communications, and other important critical matters with respect to the currently designated Projects.
1. Security
KiR / CVTZ uses encryption algorithms, consistent with generally accepted standards and practices adopted and implemented by software-as-a-service (“SAAS”) providers, designed to limit unauthorized access to User Data. Each User will have a unique User ID and password, which will be required for the User to access the ICM™ Service. KiR / CVTZ enforces password strength requirements, including the frequency of password changes, according to the USER’s request.
KiR / CVTZ uses a layered approach to security architecture, making use of firewalls, intrusion prevention systems, reverse web proxies, and segregation of specific application functions to provide security and integrity of the overall environment.
Upon request, more detailed information on KiR / CVTZ’s extensive security measures and protocols can be provided. Technical questions may be addressed to the appropriate salesperson or account management teams, who will engage the appropriate persons from KiR / CVTZ’s network, security, and operational departments.
USER may also elect to turn on two-factor capability/device authorization for Users. These features offer enhanced security for Users accessing the ICM™ Service by requiring additional verification of a User’s identity (beyond User ID and password). This can be by means of a separate two factor token or via the User’s device itself. Device authorization, offering authentication for the iPad and other supported devices, is available at no additional cost.
2. USER’s Requirements
In order to use the ICM™ Service, USER must satisfy KiR / CVTZ's minimum technology requirements, which, as of the Effective Date, are available at https//www.covenantz.com/tech-specs. The URL where such requirements are stored may change, but a current version of KiR / CVTZ's minimum technology requirements is also available from KiR / CVTZ at any point upon request. All subscription costs for wireless and Wi-Fi services must be covered by USER.
3. Documentation
KiR / CVTZ will provide USER with access to Documentation relating to the ICM™ Service, User Software, and Configuration. Documentation and Specifications may be delivered using electronic means. USER may make a reasonable number of copies of the documentation to train and support USER’s Users in their use of the ICM™ Service, User Software, and Configuration; however, USER must retain all copyright and proprietary notices on each copy of the Documentation made by USER.
EXHIBIT B
USER’s Configuration Requirements
1. USER is responsible for providing sufficient bandwidth and network connectivity to ensure that all of USER’s Users can access and use the ICM™ Service satisfactorily. KiR / CVTZ will assist in performing diagnostics and identifying problems where requested. The technical requirements set forth in this Exhibit are subject to change upon notice.
2. USER is responsible for ensuring USER’s firewalls and proxies permit access to the KiR / CVTZ web site, the KiR / CVTZ API and that KiR / CVTZ can access USER’s API. In addition to ensuring network and protocol access as indicated, USERs are also required to ensure that SSL inspection or SSL proxy systems do not intercept or otherwise interfere with SSL communications).
3. USER is responsible for determining the security configurations of USER’s systems.
4. USER is responsible for ensuring the confidentiality of USER’s User accounts and passwords assigned to them for use with the ICM™ Service and User Software.
5. USER is responsible for notifying, and USER shall immediately notify KiR / CVTZ of any assigned User accounts that need to be terminated.
6. USER is responsible for promptly notifying KiR / CVTZ of any actual or reasonably suspected information security breaches that USER becomes aware of, including, without limitation, compromised User accounts.
7. USER is responsible for periodically reviewing USER’s security configurations and access rights to determine if they are appropriate for USER’s needs.
8. USER is responsible for defining USER’s authorized approvers, documentation, and validation requirements for changes to USER’s use and access to the ICM™ Service.
9. USER must retain a hard copy and/or electronic copy of all User Data.
10. USER will ensure that USER’s Users do not make available or share their User ID and password with employees or others. Sharing of User IDs and passwords can jeopardize the security of User Data and will also cause USER to violate the Agreement by causing USER to exceed the number of licensed seats that USER has purchased.
​
EXHIBIT C
PRICING AND FEES
-
Annual Membership Subscription Fee for the ICM™ Service Paid Monthly
-
$0 US per month (or $0 US annual) ICM™ Service membership fee – the base rate of $0US per month (or $0US annual) licenses two (2) individuals (employees, officers, and/or Board members of USER) per “seat” with the right to access and use the ICM™ Service for one current designated Project. If there is more than one current designated Project, then an additional $0 per month membership fee is charged for access to services associated with that additional Project and so on.
-
0% discounted cost for adding individuals - each additional “seat” offers the right of access and use of the ICM™ Service for two (2) additional individuals for one current designated Project. So, for example, if USER seeks to license a total of three (3) of USER’s individuals for one current designated Project, USER must purchase one additional seat at the discounted cost of $0 US per month. If USER also seeks a license for the same three individuals to also be Users for two (2) current designated Projects, an additional $o per month membership is charged to cover license rights to the second current designated Project (o for two of the individuals to be licensed on a second Project plus the discounted price of $0 to cover a second seat allowing for the third individual to be licensed).
-
Payment for the Subscription(s).
-
​
Payment by Credit Card. On approval of KiR / CVTZ, the End User is required to make Payment for the Subscription(s) by using a credit card approved by KiR / CVTZ. Upon selecting the payment by credit card option, the User shall provide all information required to be provided on the form. End User authorizes KiR / CVTZ to charge payments to End User’s designated credit card(s) account(s). Each Monthly Subscription Price shall be paid in advance. End User hereby represents and warrants that all credit card information End User provides is correct, that the credit card account entered is and shall continue to be a valid account, that End User is a duly authorized user of such account, and that there is available credit in such account sufficient to cover in full all Subscription Payments at the time any such Payment is charged against any such credit card. End User acknowledges and agrees that KiR / CVTZ reserves the right to add a processing fee of up to 3% on any Subscription payment that End User makes by credit card, which such surcharge shall appear on the electronic invoice as a “credit card surcharge.” End User further agrees to update its credit card information as necessary so that End User’s representations hereunder are, and continue to be, true and accurate. End User acknowledges that KiR / CVTZ may use third-party providers to process End User’s credit card payments. End User agrees that KiR / CVTZ is authorized periodically to request and obtain from third-party credit reporting agencies such information about End User’s credit and payment history as may be deemed by KiR / CVTZ to be necessary for KiR / CVTZ to approve End User’s request to make payments of Installments against invoices.
-
Project Contract Administration fees from authorized project disbursements
Fees on authorized project disbursements are paid as authorized funds are disbursed through the platform as part of a project contract administration. Contract fees are 2.8% of the authorized disbursements where no build partner is involved and 3.5% in situations where there is a build partner providing additional services to the project. Contract fee payments are included in all disbursements made through the platform as disbursements are made.
-
Advertising Fees: Advertising Fees are paid on submission at the current market rates within the KiR / CVTZ Platform.
-
Other Fees: Other fees may be applicable if the User / Member decides to use other software partner products available through the KiR / CVTZ marketplace. Payment methods and arrangements shall be approved by KiR / Covenantz or other service provider as applicable.
-
Other Services: Other services added to the KiR / CVTZ platform, as allowed in this agreement, may incur additional fees, which will be identified when the services become available to Members / Users. Payment methods and arrangements shall be approved by KiR / Covenantz or other service provider as applicable.
EXHIBIT C-1
Ordering the Right Level of ICM™ Service. When USER order and sign up for the ICM™ Service, USER acknowledge and agree that USER will accurately identify the correct number of Users who are to access and use the ICM™ Service, including the number and identity of each Project that will be the subject of the ICM™ Service. This information will determine the required number of license seats that USER will need to purchase, including what USER’s total monthly Subscription Membership Fee will be (in U.S. dollars) or the equivalent total annual Subscription Membership Fee purchased.
Fees for Configuration and Updates
-
Offered free of charge
Fees for Additional Services
-
To be provided to USER under separate written communication from KiR / CVTZ, which shall be deemed to be incorporated by reference into this Agreement
General Notice to all Users of the ICM™ Service: All Subscription Fees and fees for Additional Services are subject to change within KiR / CVTZ’s sole discretion upon the start of a Renewal Term. Only those services selected for purchase are included in the pricing selected under this Agreement. Future additional services and custom-built products offering new functionality, features, and/or access may be made available at additional cost. A KiR / CVTZ representative can provide pricing for such products and services that are not referenced in this Agreement.
EXHIBIT D
FORM OF PROJECT DESIGNATION
FOR SUBSCRIBING MEMBERS OF THE ICM™ SERVICE
USER’s Identity and Contact Information:
Each Project by Name
Total Number of Designated Projects:
EXHIBIT E
CCPA ADDENDUM
Unless otherwise defined by this Agreement, all capitalized terms contained in this Addendum shall have their meanings as set forth in the CCPA.
Applicability. This CCPA Addendum shall only apply and bind the Parties if one or both Parties are deemed to be a covered Business under the CCPA, and this Addendum shall only apply to the Personal Information of California Consumers whose information may be processed by KiR / CVTZ under this Agreement.
Relations of the Parties. To the extent that User Data includes any Personal Information of a User who is a California Consumer (hereinafter a “California User”), USER appoints KiR / CVTZ as its Service Provider to process the Personal Information on USER’s behalf and other Users involved in any currently designated Project. USER is solely responsible for establishing policies for and ensuring USER’s own compliance with the CCPA and its implementing regulations as they relate to the Personal Information that may be contained in USER’s User Data.
Restrictions on Processing. KiR / CVTZ acknowledges that it is prohibited from retaining, using, disclosing, or sharing the Personal Information for any purpose(s) other than for the purpose(s) that support the Agreement or as otherwise permitted by the CCPA. KiR / CVTZ shall not further collect, sell, or use the Personal Information except as necessary to complete the purpose(s) that support the Agreement.
Consumer Requests. The Parties shall cooperate with one another to handle any legitimate request to access or delete Personal Information submitted by a California User. Each Party will provide reasonable assistance to the other in facilitating compliance with such requests. After a California User request to delete has been verified by either Party, each Party shall delete the Personal Information from their respective databases (and/or databases of their cloud computing service provider) within a commercially reasonable period of time or as otherwise required by the CCPA. A Party shall not be required to delete any of the Personal Information in response to a California User’s request to delete made to a Party if it is necessary for that Party to maintain such information in accordance with the CCPA. Under such circumstances, each Party shall promptly inform the other of the exception(s) being relied upon under the CCPA to deny the California User’s request to delete, and each Party shall only use the retained Personal Information in accordance with the applicable CCPA legal exception(s).
EXHIBIT F
GDPR DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) supplements the ICM™ User Service Agreement (“Agreement”) governing USER’s use of KiR / CVTZ services, products, and applications (the “KiR / CVTZ Services”) when the GDPR applies to USER’s use of the ICM™ Service and transmission of User Data to KiR / CVTZ for processing. This DPA is an agreement between USER and KiR / CVTZ. Unless otherwise defined in this DPA, the Agreement, or GDPR, all capitalized terms used in this DPA will have the meanings given to them in Section 17 of this DPA.
1. Data Processing.
1.1 Scope and Roles. This DPA applies when User Data that is transmitted to and then processed by KiR / CVTZ includes “Personal Data” of individuals who are located in the European Union, the UK, Iceland, Liechtenstein, Norway, or Switzerland (hereinafter “EU User Data” of “EU Users”). In this context, KiR / CVTZ will act as “Processor” to USER, who may act either as “Controller” or “Processor” with respect to EU User Data. Each of the quoted terms above is defined in the GDPR.
1.2. Details of Data Processing.
1. Subject matter. The subject matter of the data processing under this DPA is the EU User Data.
-
Duration. As between KiR / CVTZ and USER, the duration of the data processing under this DPA is determined by USER.
-
Purpose. The purpose of the data processing under this DPA is the provision of the KiR / CVTZ Services initiated by the USER from time to time.
-
Nature of the processing: Compute, storage and such other KiR / CVTZ Services as described in the Documentation and initiated by USER from time to time.
-
Type of EU User Data: EU User Data uploaded to the KiR / CVTZ Services utilizing USER’s application programming interface or other means.
-
Categories of Data Subjects: The Data Subjects may include USER’s EU Users.
-
USER’s Instructions. The Parties agree that this DPA and the Agreement (including but not limited to the API, customized user interfaces, and Specifications made available to USER by KiR / CVTZ for the provision of KiR / CVTZ Services) constitutes USER’s documented instructions regarding KiR / CVTZ’s processing of User Data (“Documented Instructions”). KiR / CVTZ will process EU User Data only in accordance with the Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between KiR / CVTZ and USER, including agreement on any additional fees payable by USER to KiR / CVTZ for carrying out such instructions. USER is entitled to terminate this DPA and the Agreement if KiR / CVTZ declines to follow instructions requested by USER that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
3. Confidentiality of EU User Data. KiR / CVTZ will not access or, use, or disclose to any third party any User Data, except, in each case, as necessary to maintain or provide the Services or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends KiR / CVTZ a demand for User Data, KiR / CVTZ will attempt to redirect the governmental body to request that data directly from the USER. As part of this effort, KiR / CVTZ may provide USER basic contact information to the governmental body. If compelled to disclose User Data to a governmental body, then KiR / CVTZ will give USER reasonable notice of the demand to allow USER to seek a protective order or other appropriate remedy unless KiR / CVTZ is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 3 varies or modifies the Standard Contractual Clauses.
-
Confidentiality Obligations of KiR / CVTZ Personnel. KiR / CVTZ restricts its personnel from processing EU User Data without authorization by KiR / CVTZ as described in the KiR / CVTZ Security Standards. KiR / CVTZ imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection, and data security.
5. Security of Data Processing
5.1 KiR / CVTZ has implemented and will maintain the technical and organizational measures for the KiR / CVTZ Network as described in the KiR / CVTZ Security Standards and this Section. In particular, KiR / CVTZ has implemented and will maintain the following technical and organizational measures:
(a) security of the KiR / CVTZ Network as set out in Section 1.1 of the KiR / CVTZ Security Standards;
(b) physical security of the facilities as set out in Section 1.2 of the KiR / CVTZ Security Standards;
(c) measures to control access rights for KiR / CVTZ employees and contractors in relation to the KiR / CVTZ Network as set out in Section 1.1 of the KiR / CVTZ Security Standards; and
(d) processes for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures implemented by KiR / CVTZ as described in Section 2 of the KiR / CVTZ Security Standards.
5.2 USER may elect to implement technical and organizational measures in relation to EU User Data. Such technical and organizational measures include the following, which may be obtained by Build Partner from KiR / CVTZ as described in the Documentation or directly from a third-party supplier:
(a) pseudo-anonymization and encryption to ensure an appropriate level of security;
(b) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services that are being operated by USER;
(c) measures to allow USER to backup and archive appropriately to restore availability and access to User Data in a timely manner in the event of a physical or technical incident; and
(d) processes for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures implemented by USER.
6. Sub-processing.
6.1 Authorized Sub-processors. USER agrees that KiR / CVTZ may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain KiR / CVTZ Services on its behalf, such as providing support services. The KiR / CVTZ website lists sub-processors that are currently engaged by KiR / CVTZ to carry out processing activities on EU User Data on behalf of USER. At least 30 days before KiR / CVTZ engages any new sub-processor to carry out processing activities on EU User Data on behalf of USER, KiR / CVTZ will update the applicable website and provide USER with a mechanism to obtain notice of that update. USER consent to KiR / CVTZ’s use of sub-processors as described in this Section. Except as set forth in this Section, or as USER may otherwise authorize, KiR / CVTZ will not permit any sub-processor to carry out processing activities on EU User Data on USER’s behalf.
6.2 Sub-processor Obligations. Where KiR / CVTZ authorizes any sub-processor as described in Section 6.1:
(i) KiR / CVTZ will restrict the sub-processors access to User Data only to what is necessary to maintain the KiR / CVTZ Services or to provide the KiR / CVTZ Services to USER and any other Users in accordance with the Documentation or Agreement and KiR / CVTZ will prohibit the sub-processor from accessing the EU User Data for any other purpose;
(ii) KiR / CVTZ will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by KiR / CVTZ under this DPA, KiR / CVTZ will impose on the sub-processor the same contractual obligations that KiR / CVTZ has under this DPA; and
(iii) KiR / CVTZ will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause KiR / CVTZ to breach any of KiR / CVTZ’s obligations under this DPA.
7. Data Subject Rights.
Considering the nature of the KiR / CVTZ Services, KiR / CVTZ may offer USER certain controls as described in Sections 1.2 and 5.2 that USER may elect to use to comply with USER’s obligations towards data subjects. Should a data subject contact KiR / CVTZ regarding correcting or deleting his/her personal data, KiR / CVTZ will use commercially reasonable efforts to also forward such requests to the USER.
8. Optional Security Features. KiR / CVTZ may make available a number of security features and functionalities that the USER may elect to use. USER is responsible for (a) implementing the measures described in Section 5.2, as appropriate, (b) properly configuring the KiR / CVTZ Services, (c) using the controls available in connection with the KiR / CVTZ Services (including the security controls) to allow USER to restore the availability and access to EU User Data in a timely manner in the event of a physical or technical incident (e.g. backups and routine archiving of EU User Data), and (d) taking such steps as USER consider adequate to maintain appropriate security, protection, and deletion of EU User Data, which includes use of encryption technology to protect EU User Data from unauthorized access and measures to control access rights to EU User Data.
9. Security Breach Notification.
9.1 Security Incident. KiR / CVTZ will (a) notify USER of a Security Incident without undue delay after becoming aware of the Security Incident and b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
9.2 KiR / CVTZ Assistance. To assist USER in relation to any personal data breach notifications USER is required to make under the GDPR, KiR / CVTZ will include in the notification under section 9.1(a) such information about the Security Incident as KiR / CVTZ is reasonably able to disclose to USER, taking into account the nature of the KiR / CVTZ Services, the information available to KiR / CVTZ, and any restrictions on disclosing the information, such as confidentiality.
9.3 Unsuccessful Security Incidents. USER agrees that:
(i) An unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorized access to EU User Data or to any of KiR / CVTZ’s equipment or facilities storing EU User Data and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
(ii) KiR / CVTZ’s obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgment by KiR / CVTZ of any fault or liability of KiR / CVTZ with respect to the Security Incident.
9.4 Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of the USER’s administrators by any means KiR / CVTZ selects, including via email. It is USER’s sole responsibility to ensure USER’s administrators maintain accurate contact information on the user interface with KiR / CVTZ Services and secure transmission at all times.
10. KiR / CVTZ Certifications and Audits.
10.1 KiR / CVTZ Certifications. In addition to the information contained in this DPA, upon USER’s request, and provided that the parties have an applicable NDA in place, KiR / CVTZ will make available the following documents and information: Any certificates and/or system and organization controls that KiR / CVTZ maintains for information system security.
10.2 KiR / CVTZ Audits. Should KiR / CVTZ periodically use external auditors to verify the adequacy of its security measures, including the security of the physical data centers from which KiR / CVTZ provides the Services. This audit, when conducted:
(a) will be performed periodically;
(b) will be performed according to standards that are substantially equivalent to ISO 27001;
(c) will be performed by independent third-party security professionals at KiR / CVTZ’s selection and expense; and
(d) will result in the generation of an audit report (“Report”), which will be KiR / CVTZ’s Confidential Information.
10.3 Audit Reports. At USER’s written request, and provided that the parties have an applicable NDA in place, KiR / CVTZ will provide USER with a copy of the Report so that USER can reasonably verify KiR / CVTZ’s compliance with its obligations under this DPA.
10.4 Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the KiR / CVTZ Services and the information available to KiR / CVTZ, KiR / CVTZ will assist USER in complying with USER’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information KiR / CVTZ makes available under this Section 10.
11. USER’s Audits. USER agrees to exercise any right USER may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing KiR / CVTZ to carry out the audit described in Section 10. If the USER wishes to change this instruction regarding the audit, then the USER has the right to request a change to this instruction by sending KiR / CVTZ written notice as provided for in the Agreement. If KiR / CVTZ declines to follow any instruction requested by USER regarding audits or inspections, USER is entitled to terminate this DPA and the Agreement. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.
12. Transfers of Personal Data. Application of the Standard Contractual Clauses (Annex 2). The Standard Contractual Clauses (Annex 2) will apply to EU User Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to EU User Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply if KiR / CVTZ has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.
13. Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
14. Return or Deletion of User Data. The KiR / CVTZ Services may provide USER with controls that USER may use to retrieve or delete EU User Data as described in the Documentation. Up to the Termination Date, USER will continue to have the ability to retrieve or delete EU User Data in accordance with this Section. For 90 days following the Termination Date, USER may retrieve or delete any remaining EU User Data from the KiR / CVTZ Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or it could subject KiR / CVTZ or its Affiliates to liability. No later than the end of this 90-day period, USER will close all KiR / CVTZ accounts. KiR / CVTZ will delete EU User Data when requested by the USER by using any KiR / CVTZ Service controls provided for this purpose by KiR / CVTZ.
15. Duties to Inform. Where EU User Data becomes subject to confiscation during bankruptcy or insolvency proceedings or similar measures by third parties while being processed by KiR / CVTZ, KiR / CVTZ will inform the USER without undue delay. KiR / CVTZ will, without undue delay, notify all relevant parties in such action (e.g., creditors, bankruptcy trustee) that any EU User Data subjected to those proceedings is USER’s property and area of responsibility and that EU User Data is at USER’s sole disposition.
16. Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the Parties, including the Agreement and this DPA, the terms of this DPA will control with respect to EU User Data.
17. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
“KiR / CVTZ Network” means KiR / CVTZ’s and/or KiR / CVTZ’s third-party cloud computing service provider’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within KiR / CVTZ’s control or the control of its third-party cloud computing service provider and are used to provide the KiR / CVTZ Services.
“KiR / CVTZ Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex 1.
“You” or “USER” means You or the entity You represent.
“EU User Data” means the “Personal Data” (as defined in the GDPR) of individuals located in a member country of the European Union, the UK, Iceland, Liechtenstein, Norway, or Switzerland that is uploaded to the KiR / CVTZ Services using USER’s API or through other means.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Processing” has the meaning given to it in the GDPR, and “process,” “processes,” and “processed” will be interpreted accordingly.
“Security Incident” means a breach of KiR / CVTZ’s security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, EU User Data.
“Standard Contractual Clauses” means Annex 2, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.
Annex 1
KiR / CVTZ Security Standards
Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Agreement.
1. Information Security Program. KiR / CVTZ, by and through its third-party cloud computing service provider, will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help USER secure EU User Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the KiR / CVTZ Network, and (c) minimize security risks, including through risk assessment and regular testing. KiR / CVTZ will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:
1.1 Network Security. The KiR / CVTZ Network will be electronically accessible to employees, contractors, and any other person as necessary to provide the KiR / CVTZ Services. KiR / CVTZ will maintain access controls and policies to manage what access is allowed to the KiR / CVTZ Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. KiR / CVTZ will maintain corrective action and incident response plans to respond to potential security threats.
1.2 Physical Security
1.2.1 Physical Access Controls. Physical components of the KiR / CVTZ Network are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
1.2.2 Limited Employee and Contractor Access. KiR / CVTZ provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of KiR / CVTZ or its Affiliates.
1.2.3 Physical Security Protections. All-access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. KiR / CVTZ also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability with door contacts, glass breakage devices, interior motion detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
2. Continued Evaluation. KiR / CVTZ and/or its third-party cloud computing service provider will conduct periodic reviews of the security of its KiR / CVTZ Network and the adequacy of its information security program as measured against industry security standards and its policies and procedures. KiR / CVTZ and/or its third-party cloud computing service provider will continually evaluate the security of its KiR / CVTZ Network and associated KiR / CVTZ Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
​
Annex 2
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries, which do not ensure an adequate level of data protection
The entity identified as “You” or “USER” in the DPA (the “data exporter”) and Covenantz, Inc. 218 Main Street, Box 379, Kirkland, WA, 98066, USA. (the “data importer”) each a “party”; together, “the parties.”
HAVE AGREED on the following Contractual Clauses (the Clauses) to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) 'personal data,' 'special categories of data,' 'process/processing,' 'controller,' 'processor,' 'data subject', and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the sub-processor' means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, where the processing involves the transmission of data over a network and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and, in particular, the special categories of personal data, where applicable, are specified in Appendix 1, which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country, not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of the data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer[1]
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation, which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about the following:
1. (i) any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
2. (ii) any accidental or unauthorized access, and
3. (iii) any request received directly from the data subjects without responding to that request unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority regarding the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses, which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, except for Appendix 2, which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes third-party beneficiary rights or claims compensation for damages under the clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests it or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer or any sub-processor, pursuant to paragraph 2. In such a case, the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required if they do not contradict the Clause.
Clause 11
Sub-processing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter.
Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor, which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement, the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
​
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
Data exporter
The data exporter is the entity identified as “You” in the DPA
Data importer
The data importer is Covenantz, Inc., a provider of KiR / CVTZ Services.
Data subjects
Data subjects are defined in Section 1.3 of the DPA.
Categories of data
The personal data is defined in Section 1.3 of the DPA.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): The processing operations are defined in Section 1.3 of the DPA.
​
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The technical and organizational security measures implemented by the data importer are as described in the DPA.
-
Mandatory requirements of the national legislation applicable to the data importer do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defense, public security, the prevention, investigation, detection, and prosecution of criminal offenses or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements that do not go beyond what is necessary in a democratic society are, inter alia, internationally recognized sanctions, tax-reporting requirements, or anti-money-laundering reporting requirements.