Optimy SaaS License
Standard Terms and Conditions
This Software as a Service (SaaS) Agreement (this “Agreement“), is by and between you (“Customer“, “you“, or “your“) and Optimy.ai, a division of Kognitive Tech Inc. (“Provider”). Provider and Customer may be referred to herein collectively as the “Parties” or individually as a “Party.” This Agreement governs your access to and use of the Services.
Unless otherwise defined herein, the capitalized terms used herein are defined in Section 11.
1. Access and Use.
- Provision of Access. Subject to and conditioned on Customer’s payment of Fees and compliance agree with all the terms and conditions of this Agreement, Provider hereby grants Customer a non-exclusive, non-transferable (except in compliance with Section 12(k) right to access and use the Services during the Term, solely for use by Authorized Users in accordance with the terms and conditions herein. Such use is limited to Customer’s internal use. Provider shall provide to Customer the necessary passwords and network links or connections to allow Customer to access the Services.
- Documentation Licence. Subject to the terms and conditions contained in this Agreement, Provider hereby grants to Customer a non-exclusive, non-sublicenseable, non-transferable (except in compliance with Section 12(k) licence to use the Documentation during the Term solely for Customer’s internal business purposes in connection with its use of the Services.
- Use Restrictions. Customer shall not use the Services for any purposes beyond the scope of the access granted in this Agreement. Customer shall not at any time, directly or indirectly, and shall not permit any Authorized Users to: (i) copy, modify, or create derivative works of the Services or Documentation, in whole or in part; (ii) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Documentation; (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Services, in whole or in part; (iv) remove any proprietary notices from the Services or Documentation; or (v) use the Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law.
- Reservation of Rights. Provider reserves all rights not expressly granted to Customer in this Agreement. Except for the limited rights and licences expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.
- Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may temporarily suspend Customer’s and any Authorized User’s access to any portion or all of the Services if: (i) Provider reasonably determines that (A) there is a threat or attack on any of the Provider IP, (B) Customer’s or any Authorized User’s use of the Provider IP disrupts or poses a security risk to the Provider IP or to any other customer or vendor of Provider, (C) Customer, or any Authorized User, is using the Provider IP for fraudulent or illegal activities or contrary to the terms of this Agreement, (D) subject to applicable Law, Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding, or (E) Provider’s provision of the Services to Customer or any Authorized User is prohibited by applicable law; (ii) any vendor of Provider has suspended or terminated Provider’s access to or use of any third-party services or products required to enable Customer to access the Services; or (iii) in accordance with Section 5(a) (any such suspension described in subclause (i), (ii), or (iii), a “Service Suspension”). Provider shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Services following any Service Suspension. Provider shall use commercially reasonable efforts to resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.
- Aggregated Statistics. Notwithstanding anything to the contrary in this Agreement, Provider may monitor Customer’s use of the Services and collect and compile Aggregated Statistics. As between Provider and Customer, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Provider. Customer acknowledges that Provider may compile Aggregated Statistics based on Customer Data input into the Services. Customer agrees that Provider may (i) make Aggregated Statistics publicly available in compliance with applicable Law, and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable Law; provided that such Aggregated Statistics do not identify Customer or Customer’s Confidential Information.
2. Customer Responsibilities.
- General. Customer is responsible and liable for all uses of the Services and Documentation resulting from access provided by Customer, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Without limiting the generality of the foregoing, Customer is responsible for all acts and omissions of Authorized Users, and any act or omission by an Authorized User that would constitute a breach of this Agreement if taken by Customer will be deemed a breach of this Agreement by Customer. Customer shall use all reasonable efforts to make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services and shall cause Authorized Users to comply with such provisions.
- Third-Party Products. Provider may from time to time make Third-Party Products available to Customer. For purposes of this Agreement, such Third-Party Products are subject to their own terms and conditions which you hereby agree to be bound by and comply with. If Customer does not agree to abide by the applicable terms for any such Third-Party Products, then Customer should not install or use such Third-Party Products.
- Technical Requirements. In accordance with the requirements set forth on EXHIBIT A, Customer must have required equipment, software, and Internet access to be able to use the Services. Acquiring, installing, maintaining and operating equipment, any Customer software, and Internet access is solely Customer’s responsibility, except as otherwise expressly provided in a Schedule. Provider neither represents nor warrants that the Provider Software will be accessible through all web browser releases or all versions of tablets, smartphones, or other computing devices, except as expressly set forth on EXHIBIT A.
- Use of Website and Services. Customer shall not and shall ensure that the Authorized Users do not, and shall not otherwise knowingly permit others in using the Provider website or Services to: (i) defame, abuse, harass, stalk, threaten or otherwise violate or infringe the legal rights (such as rights of privacy, publicity and intellectual property) of others or Provider; (ii) publish, ship, distribute or disseminate any harmful, inappropriate, profane, vulgar, infringing, obscene, false, fraudulent, tortious, indecent, unlawful, immoral or otherwise objectionable material or information (including any unsolicited commercial communications); (iii) publish, ship, distribute or disseminate material or information that encourages conduct that constitutes a criminal offense; (iv) misrepresent or in any other way falsely identify Customer’s identity or affiliation, including through impersonation or altering any technical information in communications using the Services; (v) knowingly transmit or upload any material through the Software Services containing viruses, trojan horses, worms, time bombs, cancelbots, or any other programs with the intent or effect of damaging, destroying, disrupting or otherwise impairing Provider’s, or any other person’s or entity’s, network, computer system, or other equipment; (vi) interfere with or disrupt the Services, networks or servers connected to the Provider systems or violate the regulations, policies or procedures of such networks or servers, including unlawful or unauthorized altering of any of the information submitted through the Software Services; (vii) attempt to gain unauthorized access to the Software Services, other Provider customers’ computer systems or networks using the Software Services through any means; (viii) copy, modify or create derivative works or improvements of the Services or Provider Software; (ix) reverse engineer, disassemble, decompile, decode, adapt or otherwise attempt to derive or gain access to the source code of the Services or Provider Software, in whole or in part; (x) bypass or breach any security device or protection used by the Services or Provider software or access or use the Services or Provider software other than through the use of then valid access credentials; (xi) remove, delete, alter or obscure any trademarks, Documentation, warranties or disclaimers, or any copyright, trademark, patent or other Intellectual Property Rights notices from any Services or Provider software; (xii) access or use the Services or Provider software for purposes of competitive analysis of the Services or Provider software, the development, provision or use of a competing software service or product or any other purpose that is to Provider’s detriment or commercial disadvantage; or (xiii) interfere with another party’s use of the Services. Provider has no obligation to monitor Customer’s use of the Provider software and Services; however, Provider reserves the right, at all times, to monitor such use, and to review, retain and disclose any information as necessary to ensure compliance with the terms of this Agreement, and to satisfy or cooperate with any applicable law, regulation, legal process or governmental request.
- Account Activation. Provider will provide Customer with a Provider account in order to use the Services. Customer may then choose an account name for its web space (e.g., myname.Providersaas.com) that is not already in use by another customer. Customer and Authorized Users are fully responsible for all activities performed on or through their account. Customer agrees that Customer and each Authorized User will: (a) provide true, accurate, current and complete information as prompted by the registration form, (b) maintain and promptly update the Registration Data to ensure the information is always true, accurate, current and complete, (c) immediately inform Provider of any unauthorized use of an account or any other breach of security, and (d) exit from the account at the end of each work session. Provider undertakes no obligation to verify the data provided by Customer or its Authorized Users. However, if Provider finds or suspects that the provided information is untrue, inaccurate, not current or incomplete, Provider may suspend or terminate Customer’s or and Authorized User’s account and refuse any and all current or future use of the Services (or any part of them).
- Password Confidentiality. Each Authorized User that uses the Software Services must choose a password when registering. Customer will cause such Authorized Users to maintain the confidentiality of the passwords. Customer will also be assigned a password or passwords for access to and use of the Software Services. Customer acknowledges that once the initial password provided to the Customer is changed, Provider does not retain the technical ability to retrieve such passwords. Customer is fully responsible for all activities that occur using Customer and Authorized User passwords. Customer acknowledges and agrees that Provider shall not be liable for any loss that Customer or any Authorized User may incur as a result of someone else using a password that has been assigned to or obtained by Customer or its Authorized Users, either with or without the knowledge of Customer or the applicable Authorized User; nor shall Provider be liable or responsible for any unauthorized access or misuse of the Software Services by Customer or any of its Authorized Users.
- Authorized Users. In relation to the Authorized Users, Customer undertakes that: (i) it will not allow or knowingly suffer any user subscription to be used by more than one individual Authorized User unless it has been reassigned in its entirety to another individual Authorized User, in which case the prior Authorized User shall no longer have any right to access or use the Services and/or Documentation; (ii) it shall maintain an up to date list of current Authorized Users; (iii) it shall permit Provider to audit the Services in order to establish the name and password of each Authorized User, where such audit may be conducted no more than once per quarter, at Provider’s expense, and this right shall be exercised with reasonable prior notice, in such a manner as not to substantially interfere with Customer’s normal conduct of business; (iv) if any audits reveal that any password has been provided to any individual who is not an authorized Authorized User, then without prejudice to Provider’s other rights, Customer shall promptly disable such passwords and Provider shall not issue any new passwords to any such individual; and (v) if any audits reveal that Customer has underpaid Fees to Provider, then without prejudice to the Provider’s other rights, Customer shall pay to Provider an amount equal to such underpayment within ten (10) Business Days of the date of the relevant audit.
- Application Programming Interface Provisions.
- An instance of the Provider Software (“Provider Instance”) may be accessible through an Application Program Interface (API) requiring login and API credentials (“Provider Credentials”). Customer expressly understands and agrees that Provider does not control, track, or monitor the dissemination of any of “Provider Credentials”, and, therefore, any misappropriation of those Provider Credentials may neither be apparent to nor discoverable by Provider without notice.
- Provider provides documentation disclosing certain aspects of its software functionality (“API Software and Protocols”). The API Software and Protocols may allow customers to pull and insert specific data elements into and out of their Provider instance (“Code Snippet”). Provider expressly disclaims and shall have no liability with respect to how the API Software and Protocols or Code Snippets are used. Further, unless otherwise specified in an applicable SOW, Provider takes no ownership interest in or rights to any third-party software code that incorporates the API Software and Protocols or Code Snippets, unless otherwise agreed by the parties upon in writing.
- In order to enable the functionality provided by the API Software and Protocols, a requesting party must serve licensed Provider Credentials to the Provider Instance. Customer expressly understands that Provider does not go beyond a verification of proper Provider Credentials to validate whether or not access or use of a customer’s Provider Instance is authorized. Accordingly, an unauthorized party may use misappropriated, although valid, Provider Credentials to gain access to and employ the functionality of an otherwise properly licensed Provider Instance. Once the Provider Credentials are validated by the Provider Instance, any software code that is written in accordance to Provider’s API Protocols will function with the Provider Instance as designed. Thus, any unauthorized dissemination and distribution of the Provider Credentials may lead to an unauthorized use of a Provider Instance. Provider expressly disclaims and shall have no liability to Customer or any third party for how the API Software and Protocols or Code Snippets are used, whether authorized or not authorized by Customer.
- Provider allows Customer to control, track, and monitor end-users with access to the API credentials. Customer expressly understands and acknowledges, therefore, that it is an obligation upon Customer to govern all Authorized Users under its license with policies and procedures that conform to an authorized use of their subscribed Provider Instance.
- Nothing in the foregoing shall be construed as a requirement on Provider to follow the same API Software and Protocols in the future, and the parties expressly understand that Provider may change the API Software and Protocols, with or without notice, at any time. Provider shall have no liability to Customer or any third party with respect to any changes, whether announced or unannounced.
- Provider expressly disclaims and shall have no liability for any loss or damages resulting from the use of the API Software and Protocols, with or without misappropriated API Credentials in a software application, and Customer shall indemnify defend, and hold harmless Provider against all claims, actions or proceedings, arising out of any claim related thereto, to the extent of Customer’s action or inaction with respect thereto.
- Subject to and conditioned on Customer’s compliance with all terms and conditions set forth in this Agreement, Provider hereby grant Customer a limited, revocable, non-exclusive, non-transferable, non-sublicensable licence during the term of the Agreement to use the Provider Instance solely for Customer’s internal business purposes in allowing those applications developed by Customer to interact with the Provider Instance (“Your Applications”) to communicate and interoperate with the Provider Offering. You acknowledge that there are no implied licences granted under this Agreement. We reserve all rights that are not expressly granted. You may not use the Provider Instance for any other purpose without our prior written consent. You must obtain an Provider Instance Key through the registration process available at [URL] to use and access the Provider Instance. You may not share your Provider Instance Key with any third party, must keep your Provider Instance Key and all log-in information secure, and must use the Provider Instance Key as your sole means of accessing the Provider Instance. Your Provider Instance Key may be revoked at any time by us.
- Except as expressly authorized under this Agreement, Customer may not: (a) copy, modify, or create derivative works of the Provider Instance, in whole or in part; (b) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Provider Instance; (c) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Provider Instance, in whole or in part; (d) remove any proprietary notices from the Provider Instance; (e) use the Provider Instance in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable law; (f) combine or integrate the Provider Instance with any software, technology, services, or materials not authorized by Provider; (g) design or permit Your Applications to disable, override, or otherwise interfere with any Provider-implemented communications to end users, consent screens, user settings, alerts, warning, or the like; (h) use the Provider Instance in any of Your Applications to replicate or attempt to replace the user experience of the Provider Offering; or (i) attempt to cloak or conceal your identity or the identity of Your Applications when requesting authorization to use the Provider Instance
This Agreement does not entitle you to any support for the Provider Instance. You acknowledge that we may update or modify the Provider Instance from time to time and at our sole discretion (in each instance, an “Update“), and may require you to obtain and use the most recent version of the Provider Instance. Updates may adversely affect how Your Applications communicate with the Provider Offering. You are required to make any changes to the Applications that are required for integration as a result of such Update at your sole cost and expense. Your continued use of the Provider Instance following an Update constitutes binding acceptance of the Update.
3. Service Levels and Support.
Subject to the terms and conditions of this Agreement, Provider shall use commercially reasonable efforts to make the Support Services available in accordance with the service levels set out in EXHIBIT A.
EXHIBIT “A”
SERVICES AND SERVICE LEVELS
DESCRIPTION OF SERVICES: website plug-in to enable video chat between consumers on Customer’s website and the Customer’s employees alongside an employee portal that provide sales enablement functionality to the Customer’s sales staff.
SERVICE LEVELS:
The Provider’s software and Services requires Customer use a modern web browser that supports cookies and JavaScript.
The Provider’s software and Services currently supports the following Browser and Operating Systems (which is subject to change without notice in Provider’s sole discretion).
Browsers
- Microsoft Edge
- Mozilla Firefox
- Google Chrome
- Safari
Operating Systems
- MS Windows 10
- OSX (Last two major releases)
In the event that Company cannot meet the technical requirements listed, then Provider will be under no obligation to provide the support services described in this Exhibit A during the pendency of any such failure.
1. HELPDESK SERVICES.
Provider shall provide to Company the Helpdesk Services specified in an Order, if any. The details related to each of the different Helpdesk Services are set forth below:
HELP DESK AND SUPPORT
- “Taking Charge” means registration of the Incident, including assignment of the ticket number to the Customer and saving the request in the Helpdesk system.
- “Incident” means a support request as defined in the Severity Descriptions below.
- “Production Instance” means a instance which is tied to an Active User subscription.
- “First Response” means the first interaction with Customer (via Ticket) aimed at the diagnosis of the problem. The number of business hours to first reply is calculated using the business hours of the agent assigned to the specific ticket/support request.
- “ETA” means the estimated time for resolution of the problem. Customer will be updated if ETA materially changes.
- “Fixed” means the problem has been resolved in Provider’s reasonable discretion and Customer has been informed about the resolution of the problem.
- “Business Hours” are defined as the operating hours for the Provider Support team, currently 9AM – 6PM CET & 9AM-6PM Eastern Daylight Time.
Table 1 – Severity Descriptions
Urgent | Critical production issue affecting all users, including system unavailability, with no workaround available. |
High | Issue is persistent, affects many users and/or impacts core functionality or results in significant performance degradation with no reasonable workaround available. |
Normal | Errors in functionality within the application, often accompanied by workarounds or affecting some, but not all, users. |
Low | General inquiries on the use of the application or; cosmetic errors or incidents which otherwise do not require immediate attention or; rare errors that appear during unusual conditions or are otherwise unlikely in normal use or; errors which have a sustainable workaround. |
Table 2 – Growth Plan Service Level Targets*
Ticket Severity | First Reply | Resolution/Mitigation ETA |
Urgent | 4 Business Hours | 6 Business Hours or as soon as feasible or practical. |
High | 12 Business Hours | As soon as feasible or practical. |
Normal | 16 Business Hours | As soon as feasible or practical. |
Low | 24 Business Hours | None |
*Notes:
- Urgent SLA applies only to issues submitted via JIRA web form and confirmed as Urgent by Provider.
- This table applies only to Production Instances and only to tickets submitted from the Provider Communication Center (JIRA), the Support Web Form. For the avoidance of doubt, in platform chat and tickets generated from in-platform chat do not apply to these target metrics.
Helpdesk standard process description
It is possible to contact the helpdesk 24/7 using the helpdesk tool available within the Provider platform, which is fully integrated with the Provider ticket management system.
2. TICKETING REQUIREMENTS.
To receive these support services and for Provider to maintain the Service Level agreed, Customer shall reasonably cooperate with Provider to resolve support incidents. Customer shall have adequate technical expertise and knowledge of their configuration of Provider Services to provide relevant information to enable Provider to reproduce, troubleshoot, and resolve the incident or issue identified by Customer. The following information should be provided at all times as a minimum by Customer, whenever possible, to ensure Provider’s ability to address Support Requests. Tickets lacking this information will not be considered as part of the Service Level reports:
- Detailed description of the issue, with as much detail as can be provided of the problem in a clear step by step format.
- The URL of the platform where the issue is occurring.
- The error message provided, and exact steps to reproduce the error.
- The user(s) that are affected by the issue.
- The applicable screenshot or video capture.
3. CUSTOMER’S GENERAL RESPONSIBILITIES.
Customer will be responsible for: (a) reporting errors promptly; (b) providing sufficient information for Provider to duplicate the error, assess the situation, and undertake any needed or appropriate corrective action; (c) otherwise following instructions or suggestions from Provider regarding use, maintenance, upgrades, repairs, workarounds, or other related matters; and (d) designating one (1) members of its staff to serve as Customer’s system administrators to contact Provider with support issues. Provider’s successful response and provision of Helpdesk Services is subject to Customer’s assistance and compliance, including (i) at Provider’s reasonable request, Customer will provide Provider with reasonable access to Customer’s personnel and equipment during normal business hours to discuss and assess any problems or requests for assistance; and (ii) Customer will document and promptly report to Provider all errors or malfunctions of the Software Services. It is Customer’s responsibility to carry out procedures necessary at Customer’s facilities for the rectification of errors or malfunctions within a reasonable time after such procedures have been received from Provider.
4. REPRODUCING ERRORS
Provider must be able to reproduce errors in order to resolve them. Customer agrees to cooperate and work closely with Provider to reproduce errors, including conducting diagnostic or troubleshooting activities as reasonably requested and appropriate. Also, subject to Customer’s approval, on a case-by-case basis, Users may be asked to provide remote access to their Provider account and/or desktop for troubleshooting purposes.
5. EXCLUSIONS
Issues that arise in the following categories are outside of the scope of support offered above, and will have no Service Level Agreement attached: Internet connectivity or performance issues, or system specific computer issues.
6. ADDITIONAL CHARGES
If a reported problem (or if Customer otherwise requests assistance) is outside the scope of Helpdesk Services, Provider will notify Customer to that effect and reserves the right, upon Customer’s confirmation to move forward, to charge Customer at $180/hour for all associated work, for which Customer agrees to pay Provider promptly upon receiving an invoice; provided, however, that Provider shall inform Customer in advance of the possible incurrence of such fees and Customer shall have pre-approved the same.
7. UPTIME AVAILABILITY
If Provider fails to achieve the Availability Percentage for two (2) consecutive calendar months, then, as the Customer’s sole remedy for such failure, the Customer will be granted Service Credits. Service Credits are calculated as a percentage of the total charges paid by the Customer to Provider in the Region affected by Unavailability in accordance with the schedule below. In the event that the Customer elects to terminate this
Agreement for failure to achieve the Availability Percentage for six (6) consecutive calendar months within the notice period given below, then no refunds shall be issued with respect to such affected months.
Monthly Uptime Percentage Service Credit Percentage
Less than 99.7% but equal to or greater than 99.0% 10%
Less than 99.0% 30%
Provider will apply Service Credits only against future payments due from the Customer. Service Credits will not entitle Customer to a refund or other payment from Provider. Service Credits may not be transferred or applied to any other account. Unless otherwise provided in the Provider Agreement, the Customer’s sole remedy for any unavailability, non-performance, or other failure by Provider to provide Uptime is the receipt of a Service Credit (if eligible) in accordance with the terms of this SLA. To receive a Service Credit, the Customer must submit a claim by within 30 days after the reported issue via a support claim ticket and email to designated Customer Success team reporting ticket number. If the Monthly Uptime Percentage of such request is confirmed by Provider and is less than the Service Commitment, then Provider will issue the Service Credit to Customer within one billing cycle following the month in which your request is confirmed by Provider. Customer’s failure to provide the request and other information as required above will disqualify Customer from receiving a Service Credit.
8. GROWTH ONBOARDING SERVICES
Provider shall provide Customer with its Growth package of Onboarding services, which includes the following features (remotely delivered):
Provider shall provide Customer with its Growth package of Onboarding services, which includes the following features (remotely delivered):
- A customer success team to support up to 3 hours of website installation, onboarding support and training of the Customer’s staff how to use the tool’
- Basic customization of the tool through the configuration document completed during the Onboarding services;
- Access to Provider’s tool sandbox to practice using the tool in a secure learning environment; and
- Access to a directory of pre-recorded, on-demand demos and training sessions.
Customer Responsibilities
During the Delivery Period, Customer shall be responsible for the following:
- Customer shall support Provider personnel, to the best of its ability, in all tasks related to Onboarding.
- Customer shall appoint a project lead representative (the “Customer Representative”) who shall function as the first point of contact with Customer regarding all Onboarding matters and who shall be primarily responsible for
- Customer’s obligations with respect thereto. Customer shall notify Provider promptly upon any change in such Customer Representative.
- Customer shall make critical personnel available for scheduled meetings as the parties shall agree, and reasonably available for all other tasks or meetings determined to be necessary for successful Onboarding.
- In the event that Customer fails to meet the foregoing obligations during the Delivery Period, through no fault of Provider’s, then Provider shall be under no obligation to extend such Delivery Period, even if Onboarding has not yet been fully completed.
Exhibit B
Data Privacy Addendum
This Data Privacy Addendum (the “Data Privacy Addendum” or “DPA”) supplements the Terms of Use governing the provision of Services and applies when one or more Data Privacy Laws apply to Provider’s Processing Personal Data as a result of Customer’s access and use of the Services.
1. Definitions
Capitalized terms used and not defined in this Data Privacy Addendum have the respective meanings assigned to them in the Terms of Use.
“Affiliate” means any entity that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the Party. For purposes of this definition, the term “control” means the power (or, as applicable, the possession or exercise of the power) to direct, or cause the direction of, the management, governance, or policies of a given entity, directly or indirectly, through any applicable means (whether through the legal, beneficial, or equitable ownership, of more than fifty percent (50%) of the aggregate of all voting or equity interests or securities of such entity, through partnership, or through some other form of ownership interest, by contract, or other applicable legal document, or otherwise).
“Applicable Law” means any international, foreign, national, federal, state, or local statutes, ordinances, regulations, rules, executive orders, supervisory requirements, directives, circulars, opinions, judgments, interpretive letters, official releases, and other pronouncements having the effect of law and requirements or standards issued by a self-regulatory organization which apply from time to time to the person or activity in the circumstances in question. Applicable Law includes any of the foregoing as amended from time to time and any successor legislation thereto and any regulations promulgated thereunder.
“Controller” means either: (a) the meaning set forth in the relevant Data Privacy Laws; or (b) absent such a definition, the Party that, alone or jointly with others, determines the means and purpose of the Processing of Personal Data. Without limiting the foregoing, the term “Controller” includes a “business” under the CPRA.
“Data Subject” means either: (a) the meaning set forth in the relevant Data Privacy Laws; or (b) absent such a definition, the individual who is the subject of Personal Data that Provider Processes for Customer. Without limiting the foregoing, the term “Data Subject” includes a “consumer” as defined under the CPRA.
“Personal Data” means any information Provider Processes for Customer that: (a) the relevant Data Privacy Laws otherwise define as “personal information” or “personal data.”; or (b) in absence of such a definition in the relevant Data Privacy Laws, such information that identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Provider’s possession or control or that Provider is likely to have access to. Without limiting the foregoing, the term “Personal Data” includes any “personal data” as defined under the GDPR and any “personal information” as defined under the CPRA.
“Process” means either: (a) the meaning set forth in the relevant Data Privacy Laws; or (b) absent such a definition, any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third-parties. The terms “Processing” and “Processed” have a correlative meaning.
“Processor” means either: (a) the meaning set forth in the relevant Data Privacy Laws; or (b) absent such a definition, the Party that Processes the Personal Data on behalf of the Controller. Without limiting the foregoing, the term “Processor” includes a “service provider” under the CPRA.
“Security Incident” means any act or omission that materially compromises or is reasonably likely to materially compromise either the security, confidentiality, or integrity of Personal Data or the physical, technical, administrative, or organizational safeguards put in place by Provider, that relate to the protection of the security, confidentiality, or integrity of Personal Data. Without limiting the foregoing, a material compromise includes any accidental, unlawful, or unauthorized use, modification, loss, compromise, destruction, or disclosure of, or access to, Personal Data. Notwithstanding the foregoing, the term “Security Incident” does not include any event that does not result in any unauthorized access to Personal Data or to Provider’s equipment or facilities storing Personal Data, including, without limitation, pings and other broadcast attacks on firewalls or other network equipment, port scans, unsuccessful logon attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond communication headers) or similar incidents.
“Subprocessor” means a third-party engaged by Provider to assist with the provision of the Services which involve the Processing of Personal Data.
2. Relationship with Terms of Use
This DPA is subject to and part of the Terms of Use, and in the event of conflict, an Annex to this DPA shall prevail over the DPA, which in turn shall prevail over the Terms of Use.
3. Relationship of the Parties
Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Privacy Laws, including providing any required notices and obtaining any required consents (except to the extent explicitly set forth in the Terms of Use), and for the Processing instructions it gives to Provider. The Parties acknowledge and agree that with regard to the Processing of Personal Data (other than contact information of Customer or Customer’s personnel, for which the Parties are independent controllers), Provider is the “Processor” and Customer is the “Controller” under this Data Privacy Addendum.
4. Customer Obligations
- Compliance with Laws. Customer shall, in its use of the Services, Process the Personal Data in accordance with the requirements of applicable Data Privacy Laws.
- Licenses and Registrations. Customer shall obtain all material licenses, authorizations, approvals, consents, or permits required of it as a Controller under applicable Data Privacy Laws to Process the Personal Data as set forth in this DPA, the Terms of Use, or as required under Data Privacy Laws and to perform its obligations under this DPA or the Terms of Use.
- Customer Instructions. Customer’s instructions to Provider for the Processing of Personal Data will comply with Data Privacy Laws and Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
- Data Protection Officers and Representatives. To the extent required by applicable Data Privacy Laws, Customer shall appoint data protection representatives and/or data protection officers in all applicable jurisdictions.
5. Provider Obligations
- Scope of Processing. The nature, scope, and purpose of the Processing of Personal Data is set forth in Annex 1.
- Compliance with Data Privacy Laws. Provider will comply in all material respects with applicable Data Privacy Laws with respect to its Processing of Personal Data and provision of the Services.
- Licenses and Registrations. Provider shall obtain all material licenses, authorizations, approvals, consents or permits required of it as a Processor under applicable Data Privacy Laws to perform its obligations and Process the Personal Data under this DPA and the Terms of Use.
- Data Protection Officers and Representatives. To the extent required by applicable Data Privacy Laws, Provider shall appoint one or more data protection representatives and/or data protection officers in the applicable jurisdictions.
- Limited Processing; Confidentiality. Provider agrees and covenants that it shall: (a) not create, collect, receive, access, use, or otherwise Process the Personal Data in violation of any Applicable Law (including Data Privacy Laws); (b) Process the Personal Data solely and exclusively for the purposes for which the Personal Data, or access to it, is provided pursuant to the terms and conditions of the Terms of Use and this DPA; and (c) not collect, retain, use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Data outside of the direct business relationship with Customer or for Provider’s own purposes or for the benefit of anyone other than Customer’s, in each case, without Customer’s prior written consent. Notwithstanding the foregoing, unless explicitly prohibited by Customer in writing (including under the Terms of Use or this DPA), Provider may use the Personal Data as follows to the extent permitted by applicable Data Privacy Laws: (i) for its internal use to build or improve the quality of the Services provided by Provider, provided, however, that Provider does not use the Personal Data to build or modify a profile about a Data Subject or their household to use in providing services to a third-party, or cleaning or augmenting any Personal Data acquired from another source; (ii) to detect Security Incidents, or to protect against fraudulent or illegal activity; (iii) as otherwise explicitly permitted under Data Protection Law; and (iv) to respond to any Legal Order.
- Instructions from Customer. Provider shall only Process the Personal Data to the extent, and in such a manner, as is necessary to perform the Services in accordance with Customer’s documented instructions. Customer may provide Provider with general or specific data protection-related instructions. Provider shall not Process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Privacy Laws. To the extent permitted by Applicable Law, Provider shall promptly notify Customer if, in its reasonable opinion, Customer’s instruction would not comply with the Data Privacy Laws. Without limiting the foregoing, Customer hereby instructs Provider to Process the Personal Data for the following purposes: (a) as necessary for the provision of the Services and in accordance with this DPA and the Terms of Use; (b) as initiated by Customer’s end users in their use of the Services; (c) to comply with other reasonable instructions provided by Customer to Provider (e.g., via email or via support requests) where such instructions are consistent with the terms of the Terms of Use and this DPA; and (d) to respond to a Legal Order.
- Excess Processing Requirements. In the event Provider is required under any applicable Data Protection Law to Process the Personal Data in excess of Customer’s documented instructions, Provider shall immediately notify Customer of such a requirement, unless such applicable Data Protection Law prohibits such notification, in which case Provider shall notify Customer of this required Processing as soon as the applicable Data Protection Law permits it to do so.
- Inability to Comply. Provider shall promptly inform Customer in the event Provider cannot reasonably provide compliance with this Data Privacy Addendum for whatever reason. In such an event, Customer may immediately suspend any Processing of Personal Data and/or terminate the Services pursuant to the Terms of Use.
- Assistance in Compliance with Obligations under Data Privacy Laws. Taking into account the nature of Provider’s Processing and the information available to Provider, Provider shall reasonably assist Customer in meeting Customer’s compliance obligations under the Data Privacy Laws (including, without limitation, Customer’s security requirements, notifications or other communications related to any Security Incidents, responding to Data Subject Requests, and any data privacy impact assessments and/or prior consultations with supervisory authorities or other competent data privacy authorities provided for under applicable Data Privacy Laws) through appropriate technical and organizational measures. Provider reserves the right to invoice, and Customer shall pay, for any additional costs arising from Provider’s provision of such assistance.
- Cooperation with Regulators. At Customer’s sole cost and expense, Provider and its representatives shall cooperate, upon request from Customer, with any and all requests from data protection authorities and regulators having jurisdiction over Customer, including those with jurisdiction to monitor and ensure compliance with applicable Data Privacy Laws.
- Requests from Customer. Provider shall promptly comply with any Customer request or instruction requiring Provider to amend, transfer, delete, or perform any other lawful Processing of Personal Data, and to stop, mitigate, or remedy any unauthorized Processing.
- Data Analytics; Anonymized Personal Data. Any data collected pursuant to data analytics or monitoring carried out by Provider in connection with the provision of the Services or otherwise connected with Customer’s use of the Services may include Personal Data. Provider may aggregate, de-identify, or anonymize Personal Data and use such aggregated, de-identified, or anonymized data, which shall no longer be considered Personal Data, for its own reasonable purposes. Customer hereby authorizes Provider to Process the Personal Data for the purposes described in this paragraph.
6. Complaints; Data Subject Requests; and Third Party Rights
- Complaints and Other Communication. Provider shall notify Customer in the event it receives any request, complaint, or communication relating to Customer’s obligations under Data Privacy Laws (including from data protection authorities and/or supervisory authorities). To the extent permitted by applicable Data Privacy Laws, Provider shall obtain specific written consent and instructions from Customer prior to responding to such request, complaint, or communication.
- Data Subject Requests Received by Provider. Provider shall, to the extent permitted under Applicable Law, promptly notify Customer if Provider receives a request from a Data Subject or their representative to exercise any rights provided to Data Subject with respect to their Personal Data under applicable Data Privacy Laws, including, but not limited to, any rights of access, rectification, erasure, data portability, or restriction of Processing, right to object to Processing, right to not have their Personal Data shared or sold, or not to be subject to automated decision making (“Data Subject Request”).
- Assistance with Data Subject Requests. Taking into account the nature of the Processing, Provider shall provide all reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under applicable Data Privacy Laws. The parties agree and acknowledge that Provider may, but is not required to, fulfill its obligations described in the foregoing sentence by providing Customer with access to features and functions of the Services such that Customer can fulfill the Data Subject Request without assistance from Provider. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Provider shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Provider is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Privacy Laws. To the extent legally permitted, Customer shall be responsible for any reasonable costs arising from Provider’s provision of such assistance.
7. Confidentiality
Unless otherwise required by law, Provider shall keep and maintain all Personal Data in strict confidence, using such a degree of care as is appropriate to avoid unauthorized access, use or disclosure (taking into account the state of the art, costs and implementation, and the nature, scope, context, and purposes of the Processing as well as the risks to the rights of Data Subjects). Unless otherwise required by Applicable Law, Provider shall not disclose or permit access to the Personal Data other than to its employees, officers, directors, attorneys, and agents who need to know or access the Personal Data to meet Provider’s obligations under this DPA and the Terms of Use (each, a “Provider Representative”). Provider shall require that such Provider Representatives: (a) are informed of the confidential nature and use restrictions regarding the Personal Data; and (b) have committed themselves to maintaining the confidentiality of the Personal Data or are under an appropriate statutory obligation of confidentiality.
8. Security Measures
Provider shall implement reasonable and appropriate technical, physical, and organizational measures designed to adequately safeguard and protect against a Security Incident (each, a “Security Measure”). Without limiting the foregoing, Provider shall ensure that all such Security Measures comply with all Data Privacy Laws as well as the terms and conditions of the Terms of Use. Provider shall regularly test, assess, and evaluate the effectiveness of its Security Measures.
9. Security Incidents
In the event of a Security Incident, Provider will notify Customer without undue delay after becoming aware of the Security Incident, but in no event later than any periods required by applicable Data Privacy Laws or described in the Terms of Use. Provider shall, as part of the notification provided under this Section 9.1 and to the extent reasonably available at the time of notice, provide all information required under applicable Data Privacy Laws. Provider shall update Customer as additional relevant information set forth in the foregoing sentence becomes available without further undue delay. Provider shall maintain and preserve applicable documents, records, and other data reasonably related to any Security Incident.
10. Subprocessors
Customer authorizes Provider to engage Subprocessors to Process the Personal Data. A list of Provider’s current Subprocessors is set out in Annex 2. Provider shall notify Customer in advance of any changes to the Subprocessors set out in Annex 2. Provider shall impose data protection obligations substantially similar to those set out in this DPA on any approved Subprocessor prior to the Subprocessor Processing any of the Personal Data.
11. Compelled Disclosures
Any disclosure by Provider or its representatives of any of the Personal Data pursuant to applicable federal, state, or local law, regulation, or valid order issued by a court or governmental agency of competent jurisdiction (a “Legal Order”) will be subject to the terms of this Section 12. Prior to making such a disclosure, Provider shall, to the extent permitted under the Legal Order, make commercially reasonable efforts to provide Customer with: (a) prompt written notice of the disclosure requirements set forth in the Legal Order so that Customer may seek, at its sole cost and expense, a protective order or other remedy; and (b) reasonable assistance, at Customer’s sole cost and expense, in opposing such disclosure or seeking a protective order or other limitations on disclosure. If, after providing such notice and assistance as required herein, Provider remains subject to a Legal Order to disclose any Personal Data, Provider shall, upon Customer’s request, use commercially reasonable efforts to obtain assurances from the applicable court or agency that such Personal Data will be Processed solely to the extent necessary and otherwise remain confidential.
12. Cross-Border Transfers of Personal Data
Neither Customer nor Provider shall transfer any Personal Data to another country unless the transfer complies with the Data Privacy Laws. Provider may transfer and process Personal Data anywhere in the world where Provider, its Affiliates or its Subprocessors maintain data processing operations. To the extent that Provider processes (or causes to be processed) any Personal Data originating from the European Economic Union in a country that has not been recognized by the European Commission as providing an adequate level of protection for Personal Data, Provider shall put in place such measures as are necessary to ensure the transfer is in compliance with EU Data Privacy Laws, which may include the execution of standard contractual clauses approved by the European Commission or the putting in place of any other valid transfer mechanism under Data Privacy Laws.
13. Term and Termination
- Term. The term of this DPA will commence on the Effective Date and will remain in force until the earliest date that: (a) this DPA is replaced or repealed by mutual agreement of Customer and Provider; (b) this DPA is replaced by an alternative agreement in order to meet additional or changed rights and obligations under Data Privacy Laws; or (c) the Terms of Use is terminated or expires (the “Term”).
- Survival. In the event Provider retains Personal Data after the Term for any reason, Provider shall continue to comply with the confidentiality and privacy obligations hereunder until it is no longer in possession of Personal Data, and such obligations shall survive past the Term of this Data Privacy Addendum until such time that Processor and all of its Subprocessors no longer Process such Personal Data. In addition, any provision of this DPA that expressly or by implication should come into or continue in force on or after such period described in the foregoing sentence in order to protect Personal Data will remain in full force and effect.
- Changes in Data Privacy Laws. If a change in any of the Data Privacy Laws prevents either Party from fulfilling all or part of its obligations under the Terms of Use or this DPA, the Parties shall negotiate a change to this DPA, the Services, or the Terms of Use in good faith and shall suspend the Processing of Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Processing of Personal Data into compliance with the Data Privacy Laws within a reasonable period, they may terminate the Terms of Use upon written notice to the other Party.
14. Personal Data Return and Destruction
- Return or Destroy Personal Data. Within a reasonable time after the termination or expiration of this Data Privacy Addendum for any reason as set forth in the Terms of Use: (a) Provider shall, and shall require all Subprocessors to, cease Processing Personal Data except as otherwise set forth hereunder; and (b) Provider shall, and shall require all Subprocessors to, securely destroy all or any Personal Data related to this agreement in its possession or control.
- Retention of Data on Backup; Retention Required by Law. Notwithstanding the foregoing, to the extent it is not commercially reasonable for Provider or its Subprocessors to remove Personal Data from archive or other backup media, Provider may retain Personal Data on such media in accordance with its backup or other disaster recovery procedures. If any Applicable Law or Legal Order requires Provider to retain any Personal Data that Provider would otherwise be required to return or destroy, it shall notify Customer in writing of that retention requirement, giving details of the Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
15. Records; Audits
- Records. Provider shall keep, and shall require its Subprocessors to keep, reasonably detailed, accurate, and up-to-date books, records, and other documents (including computer files) regarding any Processing of Personal Data it carries out for Customer, including but not limited to, the access, control, and security of the Personal Data, approved Subprocessors and Affiliates, the Processing purposes, and any other records required by the applicable Data Protection Law (collectively, the “Records”). Such Records shall be maintained during the Term and, unless Data Protection Law requires a longer retention period, for a period of at least ninety (90) days after the Term.
- Demonstrating Compliance. Upon Customer’s request, Provider shall make available to Customer Records and other information as necessary to demonstrate Provider’s (and its Subprocessors’) material compliance with this DPA and any applicable Data Privacy Laws.
- Customer Audits. Customer shall have the right to request or mandate an audit by instructing Provider to carry out an audit or permit Customer or its designated representative to carry out an audit of Provider, provided that no such audit has been requested by Customer or performed by Provider in the past twelve (12) month period.
16. Miscellaneous
- Amendment. This Data Privacy Addendum may not be amended or modified except in writing signed by authorized representatives of both Parties.
- Severability. If any provision in this Data Privacy Addendum is determined to be ineffective or void by any court or body of competent jurisdiction or by virtue of any legislation to which it is subject, it shall be ineffective or void to that extent only and the validity and enforceability of the remaining provisions of the Data Privacy Addendum and the Terms of Use shall not be affected. The Parties shall promptly and in good faith replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. The Parties shall similarly promptly and in good faith add any necessary appropriate provision where such a provision is found to be missing by any court or body of competent jurisdiction or by virtue of any legislation to which this Data Privacy Addendum is subject.
- Governing Law. This Data Privacy Addendum shall be governed by and construed in accordance with law that governs the Terms of Use.
- Headings. The headings in this Data Privacy Addendum are for reference only and shall not affect the interpretation of this Data Privacy Addendum.
ANNEX 1
DETAILS OF PROCESSING OF YOUR PERSONAL DATA
This Annex 1 includes certain details of the processing of thePersonal Data:
The categories of data subject to whom the Personal Data relates
Customer may submit the Personal Data to Provider, the extent of which is determined and controlled by Customer in Customer’s sole discretion. The categories of data subject you Customer elect to include in the Personal Data submitted to Provider includes, but is not limited to, your employees, customers, users, consumers, and/or members, as applicable.
Subject matter and duration of the processing of thePersonal Data
Processing of the Personal Data by Provider shall be for the duration as requested by Customer, provided that the Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
The nature and purpose of the processing of the Personal Data
The context and purpose for the Processing of the Personal Data is Provider’s provision of services and functionality that optimize conversational artificial intelligence platforms enabling chat-box, live chat, voice chat, and video chat capabilities.
The types of the Personal Data to be processed, including Special Categories
Provider may Process the following types/categories of Personal Data:
- Name and contact information (e.g. email or phone);
- Product/service user or use information;
- User communications;
- Location information; and
- Outcome information (e.g. purchase history).
ANNEX 2
APPROVED SUBPROCESSORS
Subprocessors:
- Amazon Web Services
- Snowcat Cloud
- Twilio
- Mailgun
- LogRocket
- Microsoft
- Atlassian
- Snowflake
Subject matter and duration of the processing ofthe Personal Data
The subject matter and duration of the processing are set forth in the applicable agreement between Provider and the above-named subprocessors.
The nature and purpose of the processing of the Personal Data
- Amazon Web Services: short and long-term data storage of Personal Data
- Snowcat Cloud: processing of Personal Data in transit only for purposes of website tracking
- Twilio: processing of Personal Data for the provision of chat, voice, video, SMS and related services and functions
- Mailgun: processing of Personal Data for email communications
- LogRocket: processing of Personal Data for diagnosing application errors
- Microsoft: processing of Personal Data for internal operational purposes only, including reporting, troubleshooting, or exporting data to you
- Atlassian: processing of Personal Data for internal operational purposes only, including troubleshooting or exporting data to you
- Snowflake:short and long-term data storage of Personal Data
The types of the Personal Data to be processed, including Special Categories
The subprocessors may Process the following types/categories of the Personal Data:
- Amazon Web Services: name, contact information (e.g. phone number or email address), and technical and usage information (e.g. IP address)
- Snowcat Cloud: technical and usage information (e.g. IP address)
- Twilio: name, contact information (e.g. phone number or email address), and technical and usage information (e.g. IP address)
- Mailgun: name and contact information (e.g. phone number or email address)
- LogRocket: name, contact information (e.g. phone number or email address), and technical and usage information (e.g. IP address)
- Microsoft: name, contact information (e.g. phone number or email address), and technical and usage information (e.g. IP address)
- Atlassian: name, contact information (e.g. phone number or email address), and technical and usage information (e.g. IP address)
- Snowflake: name, contact information (e.g. phone number or email address), and technical and usage information (e.g. IP address)
The categories of data subject to whom the Personal Datarelates
Customer may submit the Personal Data to Provider, the extent of which is determined and controlled by Customer in Customer’s sole discretion. The categories of data subject Customer may elect to include in the Personal Data submitted to Provider includes, but is not limited to,your employees, customers, users, consumers, and/or members, as applicable.
Exhibit C
Payment Policy
In an effort to ensure the prompt payment of the clients of Optimy.ai we accept payment by the following methods:
- Credit Card
- Please fill out the Credit Card Authorization Form sent to you by Optimy.
- Authorized payments will be processed on the 1st business day of the service month and applied to the applicable invoice.
- Pre-authorized Auto Withdrawal
- Please fill out the Pre-Authorized Debit Form sent to you by Optimy.
- The payment will be processed on the 1st business day of the service month and applied to the applicable invoice.
- Cheque Payment of Annual invoice
- Payment by Cheque for the annual service fee is due on or before the service start date and applied to the applicable invoice.
- Cheque Payment of Monthly Invoice
- Payment by cheque for the monthly service fee is due upon receipt of the monthly invoice.
- A processing fee of $15.00 applies to each payment.
Overdue invoice balances will be subject to a late payment fee of 2% per month.
If you have any inquiries or encounter any challenges, please do not hesitate to reach out to your Account Manager or our Finance Team at ar@optimy.ai . We are here to assist you.
Thank you once again for choosing Optimy.ai.