indyRIOT MASTER SERVICE AGREEMENT
IndyRIOT Platform as a Service (PaaS)1. Description of the Service
- IndyRIOT offers a community platform-as-a-service that enables businesses to build their own online social networking community, (the "Service").
- The Service is offered, as is, on a white label basis. The Customer is free to offer its own services to the Customer's end-users based on the Service that are made available by IndyRIOT at any given time on the Service.
- Subject to the terms set forth in this Master Service Agreement ("MSA") and the applicable Order Form (defined below), indyRIOT AS will provide Customer the Service (defined below) for the Fees listed on the applicable Order Form ("Fees").
"Service" means the platform-as-a-service product specified in the applicable Order Form, but for clarity excludes Third-Party Products, Integrations (defined below), and could also include collectively any Professional Services (defined below).
"Third-Party Products, Integrations" mean a non-indyRIOT product or Web-based, mobile, offline or other software application or service that Customer chooses to integrate with or use in connection with the indyRIOT Services.
"Order Form" means an order form or other similar document specifying the Services to be provided hereunder and the Fees to be paid by Customer.
"Agreement" means, collectively, the MSA, DPA (defined below), Order Forms, SOWs (defined below), End User Licence Agreement ("EULA") (defined below), the Appendices and general provisions in this document and amendments to any of the foregoing.
The following appendices are incorporated:
Appendix A - End User License Agreement ("EULA")
Appendix B - Data Processing Agreement ("DPA")
Appendix C - Service Level Agreement ("SLA")
- In case of any conflict, the following priority order shall apply:
- Rule 1: The Order Form shall prevail over the MSA.
- Rule 2: Appendix B prevails over the MSA.
- IndyRIOT grants to the Customer, for the term set out in the applicable Order Form or SOW, a non-exclusive and non-transferable right to access the Service. The access right is strictly limited to the user interface made intentionally available by IndyRIOT at any given time.
- The access rights granted in Clause 3.1 do not include the right to access the source code or object code, or otherwise access parts of the Service which are not intentionally made available by IndyRIOT. The access rights do not include the right to reproduce, reverse-engineer, copy or imitate the Service.
- The access right granted in Clause 3.1 includes the right to provide access to the Service for the Customer's employees, sub-contractors, customers and any other third parties ("End Users"). Such access is conditioned on the End User's acceptance of the end user license agreement ("EULA") included in Appendix A. The Customer shall notify IndyRIOT immediately upon becoming aware of any violations of the end user license agreement. The Customer is entitled to supplement the end user license agreement with the Customer's own terms and conditions, provided that the end user license agreement is included verbatim in the Customer's own terms and conditions.
- The Customer is responsible for End Users that have been provided access to the Service by Customer. Violation of the EULA included in Appendix A may result in suspension or permanent deletion of the associated user accounts. Repeated violations or gross violations shall be deemed as a material breach of this Agreement, which provides IndyRIOT the right to early termination of the Agreement.
- IndyRIOT reserves the right to perform revisions and update to the Service from time to time. New versions of the Service do not necessarily include all the functions or features available in the previous version. The license granted in Clause 3.1 includes all future versions of the Service, unless otherwise is expressly stated in writing by IndyRIOT.
- IndyRIOT retains all right, title and interest (including but not limited, to intellectual property rights) in and to the indyRIOT Service, Professional Services, Materials, Beta Services (defined below) and all improvements, enhancements or modifications to the foregoing. No rights are granted to the Customer or the End User unless expressly set out in the Agreement.
- Customer may from time to time provide indyRIOT suggestions or comments for enhancements or improvements, new features, new feature requests or functionality or other feedback (collectively, "Feedback") with respect to the Service and/or Beta Services (defined below). indyRIOT will have full discretion to determine whether or not to proceed with the development of any requested enhancements, new features or functionality. Customer hereby grants indyRIOT AS an unlimited, irrevocable, perpetual, sublicensable, royalty-free licence, without any obligation to compensate or reimburse Customer, to use, incorporate and otherwise fully exercise and exploit any such Feedback without restriction.
- As part of the registration process, Customer will identify an administrative username and password ("Administrator Credentials"). Customer may use the Administrative Credentials to create Users (each with their own separate usernames and passwords) ("User(s)"), in accordance with the provisions of the applicable Order Form or SOW. Customer is responsible for maintaining the security of the Administrator Credentials and the usernames and passwords for all of its Users. Customer may permit its Users to use the indyRIOT Service, provided their use is for Customer's benefit only and they remain in compliance with the Agreement. Customer shall be responsible for all acts or omissions taken under the Administrator Credentials and those taken under the usernames and passwords of all Users. "User" means an individual Customer invites, allows to access and use the indyRIOT Service pursuant to the Agreement, including employees, contractors, agents and consultants of Customer.
- Customer shall be responsible for:
(a) its Users' compliance with the Agreement;
(b) compliance with any and all applicable third-party terms of service, privacy policies and similar documents for platforms, networks and/or websites that Customer uses in connection with the indyRIOT Service;
(c) the legality, accuracy and quality of Customer Data & Content, including ensuring that Customer's use of the indyRIOT Service to collect, process, store and transmit Customer Data & Content is compliant with all applicable laws and regulations as well as any and all privacy policies, agreements or other obligations Customer may maintain or enter into with its end users such as all legally required consents and permissions; and
(d) use commercially reasonable efforts to prevent the unauthorized access to or use of the indyRIOT Service.
(e) In addition, in the event indyRIOT AS is legally or contractually required to change or modify the indyRIOT Service in order to ensure the indyRIOT Service comply with the terms of service or privacy policies of various platforms, networks and/or websites, then Customer shall be responsible for making all necessary changes to Customer's applications and websites in order to continue using the indyRIOT AS Services. Customer also maintains all responsibility for determining whether the indyRIOT AS Services or the information generated thereby is accurate or sufficient for Customer's purposes.
- Customer may choose to use or procure Third-Party Integration, Products in connection with the indyRIOT Service. Any acquisition and use by Customer of such Third-Party Integrations or Products is solely the responsibility of Customer and the applicable third-party provider. IndyRIOT in its sole discretion may or may not decide to integrate with 3rd party tools that Customer uses. If Customer enables or uses Third-Party Products with the indyRIOT Service, Customer acknowledges the interoperation of the Third-Party Products and indyRIOT Service may require the exchange of Customer Data as required for the interoperation of the Third-Party Product and the indyRIOT Service and Customer hereby grants indyRIOT permission to allow the Third Party Product and its provider to access Customer Data in connection with such integration. This may include transmitting, transferring, modifying or deleting Customer Data. indyRIOT shall not be responsible for any use, disclosure, modification, or deletion of such Customer Data or for any act or omission on the part of the third-party provider or its Third-Party Products. indyRIOT cannot guarantee the continued availability of integrations of Third-Party Products & Integrations with the indyRIOT Service, and may cease providing them without entitling Customer to any refund, credit, or other compensation, if, for example and without limitation, the provider of a Third-Party Product or Integration ceases to make the Third Party Product available.:
- From time to time, the parties may enter into a Statement of Work ("SOW") that describes the consulting and/or training services to be performed by indyRIOT (the "Professional Services").
- Each SOW will be subject to the terms of this MSA. indyRIOT will perform the Professional Services specified in the SOW in a professional and workmanlike manner in accordance with the SOW and this MSA. No changes to a SOW will be effective without the written agreement of each party.
- If Customer purchases Professional Services, indyRIOT may share documentation and training materials (collectively, the "indyRIOT Professional Services Materials") with Customer. If indyRIOT Professional Services Materials are provided to Customer in connection with the Professional Services, indyRIOT grants Customer, during the term of the applicable SOW, a non-exclusive, non-transferable, non-sublicensable right and licence to use the indyRIOT Professional Services Materials internally in connection with the Professional Services and to support Customer's permitted use of the indyRIOT Service. Notwithstanding anything to the contrary in the Agreement, indyRIOT Professional Services Materials are the sole and exclusive property of indyRIOT.
- From time to time, indyRIOT may provide Customer with access to "alpha," "beta" or other "early-stage", "early access" indyRIOT services, products, integrations, functionality or features (collectively, "Beta Services"), which are optional for Customer to use.
- The Beta Services are not generally available and may contain bugs, errors, defects or harmful components. indyRIOT does not provide any indemnities, security commitments, service level commitments or warranties, express or implied, including warranties of merchantability, title, non-infringement, and fitness for a particular purpose, in relation to the Beta Services.
- indyRIOT shall have no liability for any harm or damage arising out of or in connection with the Beta Services. Beta Services may be subject to additional terms which may supplement, but not supersede the terms in the MSA.
- Customer or indyRIOT may terminate Customer's access to Beta Services at any time.
- The Beta Services, including without limitation Customer's assessment or Feedback (defined above) of any Beta Services, are the Confidential Information of indyRIOT.
- Customer will pay indyRIOT the Fees for the Service as listed on the applicable Order Form and/or SOW. The Fees for the renewal term shall be the then current Fees for the Service in effect at the time of the renewal, unless otherwise agreed in the Order Form or SOW.
- Customer agrees to pay all Fees in the currency agreed on the Order Form.
- All payment obligations are non cancelable before the end of the current term and, unless provided for in the Agreement, all Fees paid under the Agreement are non refundable.
- Payment for all invoices is due within fourteen (14) days of receipt of the invoice or the service may be suspended or terminated. All renewal are automatic.
- Any delayed payment is subject to delayed interest charge in accordance with the Norwegian Late Payment Act. The current interest rate is 8% and adjusted on January 1 and July 1 by the Norwegian government.
- If Customer fails to remit payment of a non-disputed Invoice by the due date set forth in the Order Form or SOW, or the MSA, all outstanding Fees due under such Order Form and / or SOW will become due and payable immediately without further action or notice
- If Customer believes that indyRIOT has billed Customer incorrectly, Customer must contact indyRIOT no later than fifteen (15) days after the receipt of the invoice. All inquires should be directed to indyRIOT Finance Department at billing@indyRIOT.com. indyRIOT will respond to the Customer promptly after receiving such inquiries.
- Customer may subscribe to additional features, upgrades or add-ons of the Subscription Service by placing an additional Order, speaking to you Customer Success contact, or activating the additional features, upgrades or add-ons from within your indyRIOT account (if this option is made available by us.). This Agreement will apply to all additional Order(s) and all additional features, upgrades or add-ons that you order and/or activate from within your indyRIOT account. Additional features, upgrades or add-ons may also include additional fees, including usage & transaction fees incurred by Customer for the use of additional features, upgrades or add-ons (if this option is made available by us). These fees will be detailed in the Order Form.
- Customer shall be responsible for all taxes, duties and other governmental charges associated with the Service. If Customer is required by law to withhold any taxes, Customer must provide indyRIOT with an official tax receipt or other appropriate documentation, and all Fees are payable hereunder without any deduction for such withheld taxes or otherwise. If indyRIOT has the legal obligation to pay or collect taxes for which Customer is responsible under the terms of the Agreement, the appropriate amount shall be invoiced to and paid by Customer, unless Customer provides indyRIOT with a valid tax exemption certificate authorized by the appropriate taxing authority.
- All fees are subject to a yearly percentage increase no less than 3.5% or the current Norwegian CPI - which ever is greater. Link to the Norwegian CPI can be found here:
This applied automatically to the invoice for any successive or rolling payments, after the 1st year.
- IndyRIOT warrants and represents that IndyRIOT has either secured the rights or ownership to all Intellectual Property Rights and Know-How related to the Service, including, but not limited to rights and ownership to algorithms, source code, object code and accompanying documentation, user interface design, graphics, illustrations, drawings, images, sound music, videos, concepts, techniques and specifications. In addition, IndyRIOT has secured either rights or ownership to the trademark IndyRIOT and any other trademarks used to market the Service and all domain names where the Service is hosted.
- "Intellectual Property Rights" includes, but is not limited to patent rights, design rights, and copyrights.
- "Know-How" includes, but is not limited to all industrial, technical, marketing and commercial information and techniques in any form, and all designs and artistic creations, regardless of whether it is patentable, registered as an Intellectual Property Right or protected as trade secrets.
- The Customer retains the right to all data uploaded to the Service by the Customer and all End Users that have been authorized to access the Service by the Customer ("Customer Data"). The Customer has the right to access all Customer Data and shall have the data delivered in a machine-readable format upon request.
- IndyRIOT has a non-exclusive access right to the Customer Data to provide the Service to Customer and the End Users, including providing personalized and customized functionality and options offered for the individual Customer or End Users for the duration of this Agreement. IndyRIOT may also convert the Customer Data to System Data (defined below) which may be used to improve and develop the Service or new services offered by IndyRIOT in the future. All Customer Data (excluding System Data) will be deleted upon expiration of this Agreement.
- IndyRIOT is situated in Norway and is thereby subject to Regulation 2016/679 (EU) - General Data Protection Regulation (hereafter referred to as the "GDPR"). All data processed by IndyRIOT shall be processed in accordance with the GDPR.
- The Customer is free to determine the purposes and what types of data that are shared on the Service by itself and the End User. The Customer shall therefore be considered to be a Controller in line with Article 4 (7) of the GDPR. IndyRIOT shall have the role of Processor on behalf of the Customer, in line with Article 4 (8) of the GDPR. A Data Processing Agreement ("DPA") (Appendix B) is entered into between IndyRIOT and the Customer and shall form an integral part of this Agreement.
- The indyRIOT Data Processing Agreement ("DPA") (located in Appendix A is incorporated by reference into this MSA. The parties agree that the provisions contained in the DPA govern the processing of personal data in connection with this MSA. As set forth in the DPA, indyRIOT will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Customer Data (defined below), including measures designed to prevent unauthorized access to or use or disclosure of Customer Data. "Customer Data" means data and other content submitted by or for Customer to the Service, including Customer's end user data. For the avoidance of doubt, Customer Data does not include System Data (defined below) or any dashboards, report templates or any other technology or components of the indyRIOT Service created, developed, used or provided by indyRIOT.
- "System Data" means data and information collected, derived, or otherwise generated by the Service that has been anonymized, de-identified, and/or aggregated so as not to identify or permit identification of an individual. System Data can be used to deliver annoying improvements to the Service. For the avoidance of doubt, indyRIOT may use, modify, and display System Data, provided, however, indyRIOT will not publicly disclose or distribute System Data unless it is aggregated in a manner that does not permit the identification of an End User or a Customer, without prior written consent.
- IndyRIOT may use the Customer's name and trademark as a customer reference in the marketing of the Service, in addition to any other Terms agreed on the Order Form.
- The Customer may use the IndyRIOT and IndyRIOT trademarks, and any other trademarks used to market the Service, to advertise that the Customer's services are powered by IndyRIOT.
- The initial term of the Agreement is effective from the effective date of the initial Order Form that references this Agreement, or if needed when both parties have signed the Agreement separately ("Effective Date") .
- Subject to the initial subscription term of the applicable Order Form, the Order Form and this Agreement will be automatically renewed for successive terms of twelve (12) months at the end of the initial subscription term and as applicable, at the end of each then current term. Unless subject to termination by either party in writing at least 90 calendar days prior to the expiry of the then-current term.
- indyRIOT AS may modify the terms and conditions of this MSA from time to time, with notice to you or by posting the modified terms on the indyRIOT AS website. Unless otherwise specified by indyRIOT, changes become effective for Customer upon renewal of the then-current Order Form or entry into a new Order Form after the updated version of this MSA goes into effect. Customer's continued use of the Services after the updated version of this MSA goes into effect will constitute Customer's acceptance of such updated version of this MSA
- Notwithstanding the above, the Agreement may be subject to early termination in the event of a material breach of the Agreement by either parties. A material breach includes, but is not limited to, insolvency, bankruptcy, or payments being overdue by more than 30 calendar days. The Agreement shall remain in force for 30 calendar days following written termination notice from the party requesting early termination.
- If the Agreement is terminated as a result of a material breach by Customer, then Customer shall pay in full all remaining Fees payable through the remainder of each outstanding Order Form or SOW; or if Customer has prepaid any Fees, then those Fees are nonrefundable. If the Agreement is terminated by Customer due to a material breach by indyRIOT, then indyRIOT shall refund Customer on a pro-rata basis any prepaid Fees covering the remainder of each outstanding Order Form or SOW after the effective date of termination.
- During the term of the applicable Order Form, indyRIOT will make available to Customer as part of the indyRIOT Service, product support, as follows: Customer can submit support inquiries via email at support@indyRIOT.com or on the indyRIOT website 24 hours per day. indyRIOT standard support hours are 09:00 to 17:00 Central European Time Monday through Friday for technical information, technical advice and technical consultation regarding Customer's use of the indyRIOT Service.
- Our SLA (Appendix C) will also apply during the term of the applicable Order Form.
- The Service is provided on an "as is" and "as available" basis. IndyRIOT does not warrant that the Service will fulfill any of Customer's particular purposes or needs, nor that it is provided without faults.
- IndyRIOT does not warrant that the Service will be uninterrupted or error free. No oral or written information given by IndyRIOT or its authorized representatives shall create any warranty in deviation of this Clause 12.
14. Limitation of liability
- IndyRIOT shall in no event be liable for any lost profits, lost savings, loss of reputation, loss of goodwill, indirect, incidental, punitive, special or consequential damages arising out of or in connection with this Agreement or the use of the Service, whether or not such damages are based on tort, warranty, contract or other legal theory, even if IndyRIOT has been advised or is aware of the possibilities of such damages.
- IndyRIOT's aggregate and cumulative liability towards the Customer shall in no event exceed the total amount paid by the Customer under this Agreement, during the last 12 months prior to the claim being notified to IndyRIOT in writing.
- Any claims for damages must be notified to IndyRIOT within ninety (90) calendar days of the date of the event giving rise to any such claim, and any lawsuit relative to any such claim must be filed within one (1) year of the date of the claim.
- IndyRIOT shall indemnify and hold the Customer (and the Customer's directors, officers, employees and agents) harmless from and against all losses, liabilities, damages, and expenses, including reasonable attorneys' fees and costs, incurred as a result of any claims, demands, actions or other proceedings by any third party to the extent caused by breach of the warranty included in Clause 7.1.
- The Customer shall indemnify and hold IndyRIOT (and IndyRIOT's directors, officers, employees and agents) harmless from and against all losses, liabilities, damages, and expenses, including reasonable attorneys' fees and costs, incurred as a result of any claims, demands, actions or other proceedings by End Users in connection with this Agreement or from any third party to the extent caused by Customer Data representing an infringement of Intellectual Property Rights or Know How, or Customer Data being of defamatory, derogatory or unlawful nature, or other unlawful actions or omissions by Customer or End Users who have been provided access to the Service by Customer.
- If a party claims an indemnity contained in this clause ("Indemnified Party") against the other Party ("Indemnifying Party"), the Indemnified Party shall notify the Indemnifying Party no later than five (5) calendar days after the Indemnified Party becomes aware of the claim, demand or action made by any third party in respect of which the Indemnified Party is claiming against the Indemnifying Party. The Indemnified Party shall provide the Indemnifying Party all necessary assistance relating to the defense of third-party claim, demand or action, including providing necessary information. The Indemnifying Party shall cover all costs and expenses relating to the defense of third-party claim, including the reasonable costs and expenses incurred by the Indemnified Party in respect thereof.
- The indemnity obligation contained in this clause is only valid insofar the Indemnified Party fulfills all the requirements forgoing. Disputes between the Parties relating to liability for third party claims shall be resolved in accordance with Clause 20.
- "Confidential Information" means any and all technical, financial, commercial and other information of a confidential or sensitive nature contained in any information disclosed, directly or indirectly, by either party, in whatever form, including Intellectual Property Rights and Know-How as defined in Clause 7.2 and 7.3 and financial records, with the exception of that part of such information which can be demonstrated:
- was, at the time of disclosure, in the public domain;
- was, after the time of disclosure, published or otherwise became part of the public domain through no fault of the party receiving the Confidential Information; or,
- was already in legal possession of the party receiving the Confidential Information at the time of disclosure.
- Each of the parties acknowledges that the other party's Confidential Information is of highly confidential and valuable nature and in no event shall a party claim or acquire any ownership rights in the Confidential Information of the other party.
- The party receiving the Confidential Information ("Receiving Party") shall keep the Confidential Information confidential, shall not disclose the same to any third party, and shall not use the same for any purpose other than permitted fulfilling the Receiving Party's obligations under this Agreement.
- The Receiving Party shall confine access to the Confidential Information to only those of its employees and officers who have a well-reasoned need to receive it in order to perform this Agreement, and who are bound to secrecy as far as legally permissible by suitable employment agreements. The Receiving Party shall have implemented internal policies for handling Confidential Information on the Effective Date of this Agreement, including, but not limited to, access restriction protocols, regular employee trainings and adequate technical information security measures. The Receiving Party shall ensure that employees and officers are:
- informed of the fact that they will be handling Confidential Information prior to accessing the Confidential Information, and
- receive proper training in handling Confidential Information prior to accessing the Confidential Information.
- The Receiving Party shall be entitled to disclose Confidential Information to its subcontractors on a strictly need to know basis, provided that such subcontractors have first entered into an agreement containing confidentiality, non-disclosure and restricted use obligations no less stringent than those contained in this Agreement. The Receiving Party shall be fully responsible for its subcontractors' implementation of and compliance with the confidentiality obligations hereunder.
- The Receiving Party may only disclose the Confidential Information to relevant authorities when required by operation of law, regulation or court order, provided that the Receiving Party:
- gives the disclosing party immediate notice unless such notice is unlawful; and,
- refrains from disclosing Confidential Information other than what is strictly required by law, regulation or court order.
- The Receiving Party shall inform the other party about all applicable laws, regulations or court orders that may force the Receiving Party to disclose the Confidential Information to authorities. Such information shall be given on the Effective Date and be updated when applicable laws are amended.
- This Clause shall survive the termination of this Agreement.
Upon expiration or termination of the Agreement, all rights and obligations will immediately terminate except that any accrued payment obligations and other terms or conditions that by their nature should survive such termination will survive, including the licence Restrictions and terms and conditions relating to confidentiality, disclaimers, indemnification, limitations of liability, termination.18. Force Majeure
- No party to this Agreement shall have any liability whatsoever or be in default for any delays or failures in performance under this Agreement resulting from any occurrence of an event of Force Majeure.
- "Force Majeure" means events beyond the reasonable control of the Parties, including but not limited to riots, war, lockouts, civil commotion, blockage, embargo, destruction or production facilities or materials by fire, explosion, earthquake or storm, labour strikes or disturbances, epidemic, failure of public utilities or common carriers, adverse weather or any other event beyond the reasonable control of the party affected by the Force Majeure.
- The occurrence or existence of any event of Force Majeure shall be notified by the party affected thereby to the other party. The affected party shall use all reasonable endeavors to remedy as quickly as possible the effect of the said event of Force Majeure.
Indyriot As Does Not Warrant That The Services Will Be Uninterrupted Or Error Free Or Meet Customer's Requirements; Nor Does It Make Any Warranty As To The Results That May Be Obtained From Use Of The Services. Except As Expressly Set Forth In The Agreement, The Services Are Provided "As Is" And Indyriot As Expressly Disclaims All Warranties, Express Or Implied, Including, But Not Limited To, Implied Warranties Of Merchantability And Fitness For A Particular Purpose, Quality And Accuracy. Indyriot As Does Not Warrant Against Interference With The Enjoyment Of The Services Or That Any Information Provided Through The Services Is Accurate Or Complete Or Will Always Be Available.
In Addition, Customer Acknowledges That Indyriot As Does Not Control The Transfer Of Data Over Communications Facilities, Including The Internet, And That The Services May Be Subject To Limitations, Delays, And Other Problems Inherent In The Use Of Such Communications Facilities. Indyriot As Is Not Responsible For Any Delays, Delivery Failures, Or Other Damage Resulting From Such Problems. Indyriot As Is Not Responsible Or Liable For Any Third Party Products, Does Not Guarantee The Continued Availability Thereof Or Any Integration Therewith, And May Cease Making Any Such Integration Available In Its Discretion20. Miscellaneous
- Assignment and set off: The Customer shall not assign any rights or obligations under his Agreement without prior written consent from IndyRIOT. The Customer shall have no right to withhold or reduce any payments or to offset existing and future claims against any payments due under this Agreement.
- Applicability: If any part of this Agreement is found to be invalid due to mandatory statutory law or a final legal judgment, it shall only affect those parts found to be invalid. The remaining parts of this Agreement will still be enforceable.
- Entire agreement: This Agreement constitutes the entire understanding and bargain struck between the Parties and supersedes any arrangements, promises or agreements made or existing between the Parties prior to or simultaneously with this Agreement.
- All disputes arising out of or in connection with this Agreement shall be finally settled under the laws of Norway. If a dispute is not resolved by negotiation or mediation, either party may require that the dispute be resolved with final effect before the Norwegian courts of law.
- Oslo District Court shall be the court of first instance for all disputes related to or arising out of this Agreement.
INDYRIOT AS CUSTOMER: Name, Title, Date, Signature
END USER LICENSE AGREEMENT ("EULA")
The Customer is responsible for any unauthorized use of the Service by its End Users. All End Users shall accept the following terms and conditions prior to accessing the Service.
Your account is personal and is only meant for you. You shall not share your log in details with third parties, nor register other people's names, addresses or other contact information to your personal profile. The name, e-mail address and phone number that you submit to your personal profile shall be your own. You are responsible for ensuring that your information is correct and up to date. Your password and log-in details shall be stored in a safe location.
IndyRIOT is not responsible for any content that you upload to the Service. You are responsible and fully liable for all the content shared on the Service. You hereby agree that you will refrain from uploading any content that is:
- Factually wrong, misleading or deceptive, e.g. in terms of the quality, quantity or price or other terms related to any goods or services offered on the Service,
- Infringing the intellectual property rights of any third parties, including us. This entails that you may not upload images, videos, text, illustrations, designs, concepts or other technical or creative work without securing the right to such content prior to uploading the content to the Service,
- Offensive, derogatory, defamatory, or
- Pornographic in nature.
If you are in violation of the above restrictions, IndyRIOT reserves the right to suspend your user account, or permanently delete your account in case of repeated or gross violations. We will provide you with written notice prior to suspension or deletion of your account.
IndyRIOT has either secured the rights or owns all intellectual property rights related to the service, including, but not limited to source code, object code and accompanying documentation, user interface design, graphics, illustrations, images, videos, concepts, data, know-how, trade secrets, the trade mark IndyRIOT and any other trademarks used to market the platform and all domain names where the Service is hosted.
You are granted a non-exclusive and non-transferrable access right to the platform. The access right is strictly limited to the user interface made intentionally available by us at any given time. The access rights granted to you do not include the right to access the source code or object code, or otherwise reproduce, copy, imitate the platform.
DATA PROCESSING AGREEMENT
This data processing agreement ("DPA") forms an integral part of the subscription agreement (the "Agreement"). The DPA shall be affixed to the Agreement as Appendix B and always be read in conjunction with the Agreement. In case of any conflict between the Agreement and the DPA, the DPA shall prevail.
Controller: The Customer as defined in the Agreement.
Processor: IndyRIOT AS
This DPA sets out the rights and obligations of the Processor's processing of personal data on behalf of the Controller pursuant to the Agreement. This DPA shall ensure that the processing complies with the requirements set out in the Regulation 2016/679 (EU) - General Data Protection Regulation (hereafter referred to as the "GDPR").
- Data processing activities
The Controller is granted access to the platform (the "Service") in accordance with the Agreement. Access to the Service enables the Controller and the Controller's End Users to upload and share content of their own choice. The content may include personal data as defined in Article 4 (1) of the GDPR.
The Processor will get access to the content shared on the Service, including personal data, for the purpose of operating and providing the Service to the Controller, and for the purpose of maintaining and developing the Service.
The information processed may be of any type that the Controller or its End Users choose to share on the Service. In addition, when establishing a user account, the user is asked to provide the following information:
- Position or title (for professional users)
- Phone number
- Image (optional)
All the content shared by a user will be deleted upon deletion of the associated user account.
- The Processor's duties
The Processor shall:
- Only process personal data in accordance with the purpose of the processing set out in Section 3 and the documented instructions of the Controller. The Processor shall notify the Controller immediately if any of the instructions are inadequate or in violation of the GDPR or Norwegian data protection legislation. The Processor shall also notify the Controller if the Processor is required by mandatory law to process personal data contrary to the Controller's instructions, unless providing such notification is prohibited by law or applicable legal decision;
- Only transfer personal data to jurisdictions outside the European Economic Area in accordance with the Controller's instructions or approval;
- Notify the Controller if personal data are to be transferred outside the EEA, unless providing such notification is prohibited by law or applicable legal decision, and ensure that the personal data are adequately protected by EU model clauses or other basis for transfer pursuant to the GDPR;
- Ensure that employees and sub-processors or other third parties authorised to process personal data on behalf of the Controller in accordance with Section 5 are subject to obligations of confidentiality, which shall survive the term of this DPA;
- Implement appropriate technical and organisational measures required pursuant to Article 32 of the GDPR, including measures to ensure that data is available to the Controller, to prevent the loss or destruction of data, and prevent unauthorized access to data.
- Keep an updated list of all sub-processors and ensure that any sub-processors processing personal data on behalf of the Processor have entered into a binding agreement with the Processor pursuant to Article 28 (2) and (4) of the GDPR;
- At the request of the Controller make all information necessary to document that the Controller and the Processor fulfil Article 28 of the GDPR available. The Processor shall enable the Controller to perform audits and inspections, either by the Controller or by a third party designated by the Controller;
- Keep a record (log) of the processing activities carried out on behalf of the Controller, which shall at least contain the information required pursuant to Article 30 of the GDPR. The Controller can request a copy of such record at any time;
- Immediately notify the Controller if the Processor receives a request from an authority to disclose personal data processed under this DPA. The Processor is not obliged to notify if the law prohibits such notification. Unless required by law, the Processor shall not comply with such a request without prior written approval from the Controller;
- Assist the Controller in responding to requests from the data subjects pursuant to Chapter III of the GDPR (including the right to information, access, correction and erasure); and
- Assist the Controller in fulfilling its duties pursuant to Article 32-36 of the GDPR.
The scope of the Processor's duty to provide assistance to the Controller under j) and k) shall take the nature of the processing and the information available to the Processor into account.
- The Controller's duties
The Controller is responsible for ensuring that the processing of personal data complies with the requirements set out in Norwegian data protection legislation and the GDPR, hereunder ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.
The Controller has the right and obligation to determine the purpose and means of processing.
The Controller shall provide the Processor with documented instructions on how the personal data should be processed.
- Notification routines
In the event of a personal data breach, the Processor shall notify the Controller without undue delay. The notification shall at least describe:
- The nature of the breach of personal data, including, if possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- The name and contact information of the data protection officer or other contact where further information can be obtained;
- The likely consequences of the personal data breach;
- The measures taken or proposed to be taken to address the personal data breach, including any measures to mitigate its possible adverse effects.
If the Processor is unable to provide all the information above in the first notice, the information shall be provided without undue delay and no later than 72 hoursafter the occurrence of the personal data breach. The Controller shall ensure that an incident report is sent to the relevant Data Protection Authority in accordance with Article 33 of the GDPR.
- Use of sub-processors
The Processor has the right to use the following sub-processors:
In addition, the Controller hereby grants a general authorization for the Processor to use sub-processors. The Processor shall inform the Controller before replacing existing sub-processors or adding new sub-processors, and the Controller shall have the right to object to such changes. The Controller may not reject a new sub-processor without a legitimate reason.
A well-founded suspicion that the level of data protection could be degraded as a result of the change of sub-processor, shall be regarded as a legitimate reason.
If the sub-processor does not fulfill its data protection obligations, the Processor shall remain fully liable to the Controller as regards the fulfillment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR - in particular those foreseen in Article 79 and 82.
Each party shall cover their own costs related to audits. In the event an audit reveals a material deviation from the obligations of this DPA, all costs including the Controller's and external auditors' reasonable costs shall be covered by the Processor.
- Liability and compensation
Each party is responsible for covering administrative fines and other sanctions imposed as a result of breaches of the data protection legislation. If a party has been held liable for damages under Article 82 of the GDPR for a matter for which the other party is responsible, the party responsible shall cover the damages costs.
- Duration of the agreement
This DPA shall remain in force for as long as the Processor processes personal data on behalf of the Controller pursuant to the Agreement.
In the event of a breach of the DPA or data protection legislation described in Annex 1, the Controller may instruct the Processor to stop further processing of the data with immediate effect.
This DPA may be terminated in accordance with the Agreement between the parties. If the Agreement between the parties is terminated, this DPA shall automatically be terminated.
The Controller may terminate this DPA for cause if the Processor does not fulfill its obligations according to this DPA or the GDPR.
- Return, deletion and/or destruction at the end of the agreement
Upon termination of this DPA, the Processor is obligated to return all personal data received on behalf of the Controller.
The Controller may require that the Processor deletes or destroys all personal data processed under this DPA. The Controller may ask the Processor to confirm in writing that the deletion is completed. The deletion shall be carried out no later than 60 days after the agreement is terminated.
Should the Controller not request return or deletion in accordance with the previous paragraph, the Processor shall nevertheless delete personal data received on behalf of the Controller no later than 60 days after the termination of this DPA, unless the Processor has another legal basis for storing the data, such as having a legal obligation to do so.
Backup copies that contain personal data will be deleted in accordance with the Processor's routines for deletion of backups. If the Controller requires the backup copies to be deleted outside the regular routines, the Processor will do this as a paid service, with remuneration based on the Processor's hourly rates.
- Law and legal venue
The law and legal venue are pursuant to the Agreement.
- Enter into Force
This DPA shall be signed and enter into force at the same time as the Agreement.
SERVICE LEVEL AGREEMENT
This service level agreement ("SLA") applies to the Service detailed in the Order Form and shall be available for the Customer 99.9% of the time, 24 hours a day, 7 days a week throughout the year ("Availability").
Availability entails that the Service is operating and that the functionality of the Service is accessible by the Customer. Availability does not entail that the Service will be free of errors.
Availability shall be calculated in periods of 90 calendar days ("Calculation Period").
The Availability in every Calculation Period shall be based on the following formula:
Availability = (1-(D-S-C-F)/O) *100
D: Downtime in minutes
S: Scheduled downtime in minutes
C: Downtime due to Customer's fault or factors within Customer's control (such as network connectivity, or violations of the end user license agreement
F: Downtime due to a Force Majeure event.
O: Operating time in minutes
Any errors or deficiencies of the Service will be corrected by IndyRIOT on an ongoing basis. Errors shall be categorized as follows:
- Critical; the Service is not available to the Customer
- Serious; deviations resulting in reduced availability of a core function of the services
- Minor: deviations from agreed deliveries that do not involve a core function of the services
IndyRIOT shall use Business Best Efforts to respond to requests for support, and in any case within the following time periods:
- Critical: within 12 hours
- Serious: within 24 hours
- Minor: within 72 hours
Critical errors will always be prioritized.