Terms of Service & DPA

Published on March 26th, 2021

1. DEFINITIONS

Add-ons” means any new releases of new products/modules, provided to customers on the Roadie Subscription at the prices agreed between the parties.

“Agreement” means the Order Form and these Terms of Service and any other documents incorporated by reference.

Bespoke Modifications” means any customer-specific development work agreed upon in a separate Order Form or Statement of Work (“SOW”) that is explicitly identified in writing as Bespoke Modifications in the Order Form or SOW.

Bribery Laws” means the Criminal Justice (Corruption Offences) Act 2018 and all other applicable Irish laws, legislation, statutory instruments and regulation in relation to bribery or corruption and any similar or equivalent laws in any other relevant jurisdiction.

Customer Data” means Materials provided to Roadie by Customer or uploaded or hosted on or integrates with any part of the Product by Customer, excluding Non-Roadie Materials.

“Documentation” means the description and instructions of the relevant Product and/or Professional Services available at https://roadie.io/docs/.

Fees” means the fees as described in the Order Form.

“Intellectual Property Rights” means all patents, copyrights, design rights, trademarks, service marks, know-how, database rights and other rights in the nature of intellectual property rights (whether registered or unregistered) and all applications for the same, anywhere in the world.

“Non-Roadie Materials” means Materials provided, (i) controlled or owned by or on behalf of a third party or (ii) open source software, the use of which is subject to a separate agreement or licence between the Customer and the relevant third party (including such Non-Roadie Materials which may be linked to, interact with or used by the Product or Professional Services);

“Malicious Code” means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.

Materials” means all services, data, information, content, software code, Intellectual Property Rights, websites, software, tools and other materials;

Order Form” means the order form, agreed to by the Parties in connection with this Agreement.

Product” means the ‘Roadie Platform’ a cloud-based developer tooling platform and service catalogue based on the opensource technology, Backstage, as described in the Documentation.

Professional Services” means the Professional Services as detailed in the Order form.

Roadie Materials” means Materials provided by or on behalf of Roadie in connection with the Product or Professional Services, but excluding all Customer Data.

“Roadie Platform Subscription” means the subscription to use the Product commencing on the Commencement Date.

“Roadie Platform Subscription Fee” means the fee for the Roadie Platform Subscription set out in the Order Form.

Subscription Term” shall be three (3) years from the Commencement Date, unless terminated earlier or renewed or extended as provided in this Agreement.

Term” means the period beginning on the Commencement Date (as defined in the Order Form) and continuing until terminated as provided in this Agreement.

“Third Party Solution” means any product, service, content or item of a third party contracted to provide products or services to Customer or code or content licensed on a proprietary or non-proprietary basis to Customer that was not developed by Customer.

“Tools” means (i) Materials used in providing the Product and Professional Services which constitutes pre-existing proprietary material owned by Roadie (or some other third party, as applicable); and/or (ii) Materials which have been newly developed by Roadie in the case of performing the Professional Services for the Customer but which does not contain information confidential to Customer or is of a routine generic or non-customer specific nature.

“Update” means a maintenance update, patch or bug fix which does not constitute an Add-On.

Users” means individuals who are authorised by Customer to access and use the Product on behalf of Customer, and who have been supplied user identifications and login credentials by Customer. Users may include employees, consultants, contractors and agents of Customer.

2. THE PRODUCT AND SERVICES

2.1 Provision of the Roadie Platform Subscription. Subject to the terms and conditions of this Agreement and the applicable Order Form, and upon Customer’s payment of the applicable Fees, Roadie (i) grants Customer, a non-exclusive, non-transferable, license for the duration of the Subscription Term, for Users to access and use the Product and Updates (including the Documentation) in support of the Customer’s internal business operations and (ii) grants Customer a non-exclusive, non-transferable, licence to use the results of the Professional Services as set out in the Order Form for the Subscription Term. Customer’s right to access and use the Product is limited to Customer’s internal business use only. Customer agrees that its purchase of the Product is neither contingent on the delivery of any future functionality or features nor dependent on any oral or written comments made by Roadie regarding future functionality or features.

2.2 Customer Responsibilities. Customer shall (i) be responsible for its Users’ compliance with any User instructions set out in the Documentation and with the terms of this Agreement, (ii) use commercially reasonable efforts to prevent unauthorized access to or use of the Product, and notify Roadie promptly of any such unauthorized access or use, (iii) be responsible for Customer’s and Users’ use of any Customer Data including without limitation any use of Customer Data in violation of applicable laws and regulations, (iv) use the Product and related Professional Services only in accordance with the terms of this Agreement and applicable laws and government regulations, (v) be responsible for obtaining the appropriate licences for any Third Party Solution, ensuring that such licences cover Roadie’s use for the performance of the Product and Professional Services and to comply with the terms and conditions of such licences. Customer acknowledges that Roadie makes no comment and accepts no responsibility in relation to the suitability of the services and/or security provided by any Third Party Solution, the Customer is responsible for ensuring that all Third Party Solution services and security procedures are adequate for their needs. If individual consents are required to collect, use, transfer or otherwise process any Customer Data, including without limitation Customer Data subject to data privacy laws and regulations, Customer shall be solely responsible for obtaining all such consents. Customer shall not (a) make the Product or results of Professional Services available to anyone other than Users, (b) sell, resell, rent or lease the Products or Professional Services, (c) interfere with or disrupt the integrity or performance of the Product or Professional Services or any content contained therein, or (d) attempt to gain unauthorized access to the Product or Professional Services or the underlying systems or networks.

2.3 Third-Party Solutions. When the customer accesses any Third Party Solution in connection with the use of the Product or Professional Services, the Customer agrees and acknowledges that (a) Roadie are not responsible for interruptions of services or to the Product caused by the Third Party Solution provider or Customer Data and (b) the Customer is solely responsible for licensing the use of Third Party Solutions and Customer Data accessed in connection with the Product and Professional Services.

2.4 Additional Services. To the extent that Customer requires any additional products or services, such as Bespoke Modifications, program modifications or additions, new modules (which add new functionality), Add-Ons (which have different names and different functionality from the Product and Professional Services), professional services or professional consulting services, Customer may order such additional products and/or services pursuant to an Order Form or written statement of work mutually agreed to by the Parties. Additional services (including, without limitation, professional services or professional consulting services) may be provided by Roadie upon payment of additional fees agreed by the parties.

3. FEES AND PAYMENT

3.1 Fees. The fees payable for the Roadie Platform Subscription and Professional Services are as set forth in the Order Form. Except as otherwise specified herein or in an Order Form, (i) fees are quoted and payable in Euro, (ii) exclude VAT and sales taxes (iii) payment obligations are non-cancellable and fees paid are non-refundable.

3.2 Expenses. Customer shall reimburse Roadie for all reasonable expenses incurred by Roadie with the prior approval of Customer in the performance of implementation or requested Professional Services. Records of reimbursable expenses including statements and receipts shall be provided to Customer along with the invoice to which they pertain.

3.3 Overage. If the Customer is using the Product over the amount of seats or licences purchased, Roadie shall invoice the Customer and Customer shall pay Roadie an amount equal to such underpayment in accordance with the prices set out in the Order Form pro rata from the date overage commenced until the end of the Subscription Term.

3.4 Invoicing and Payment. Fees will be invoiced in advance in accordance with the relevant Order Form. Unless otherwise stated in the Order Form, fees are due thirty (30) days from the invoice date. All fees shall be paid by electronic funds transfer. If any amounts invoiced hereunder are not received by Roadie by the due date, then such amounts shall accrue interest at the rate of 8% above the base rate of the ECB on the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid.

3.5 Suspension of access to the Product or the provision of Professional Services. If any charge owing by Customer is thirty (30) days or more overdue, Roadie may, without limiting its other rights and remedies, suspend Customer’s ability to access and use the Product and suspend the delivery of the Professional Services until such amounts are paid in full. Notwithstanding the foregoing, Roadie shall not be able to suspend the access to and use of the Product for overdue invoices that are the result of a good faith dispute between the Parties, provided such dispute is resolved within 60 days of the invoice becoming overdue.

3.6 Taxes. Customer agrees to pay all applicable taxes levied by any tax authority on the Product or Professional Services or on Customer’s use thereof, which shall be separately invoiced, excluding taxes based on the net income of Roadie. Customer shall provide to Roadie any certificate of exemption or similar document required to exempt any transaction under this Agreement from sales tax or other tax liability.

4. PROPRIETARY RIGHTS

4.1 Reservation of Rights. Except as detailed below in section 4.2 and 4.3, as between the Parties, the Product and Professional Services and all Intellectual Property Rights therein, are and will remain the sole property of Roadie or its licensors, and no rights are granted to Customer with respect to the Product or Professional Services, or the Intellectual Property Rights therein, other than the limited rights and licenses specified in this Agreement. Customer will not access or use the Product or Professional Services, or the Intellectual Property Rights therein, except as expressly permitted by this Agreement. Roadie uses reasonable efforts to ensure that all open source components provided by Roadie in connection with the Product or Professional Services are licensed under one of the the following licences: Apache-2.0 or MIT. Customer agrees to comply with the terms of the relevant open source licence.

4.2 Bespoke Modifications. Subject to section 4.3 below and provided Roadie has received payment in full for the Professional Services, the Intellectual Property Rights in any Bespoke Modifications shall automatically vest in the Customer. At the Customer’s request, Roadie shall execute any deed or document or do anything that may be reasonably required to give effect to the assignment and transfer of the intellectual property rights in such Bespoke Modifications.

4.3 The Customer understands and accepts that Roadie (or the third party, as appropriate) shall be the owner of and shall at all times retain ownership of the Intellectual Property Rights in the Tools. Roadie hereby grants (or shall procure to grant) Customer a perpetual, royalty free, transferable, sublicensable, worldwide license to use the Tools in relation to the Bespoke Modifications.

4.4 Bespoke Modifications are Bespoke Modifications only if explicitly identified as such in the applicable Order Form or SOW. Where not identified as Bespoke Modifications, all IP in any developments by Roadie are as described in section 4.1.

4.5 Restrictions. Customer shall not at any time, directly or indirectly, and shall not permit any User to (i) permit any third party to access or use the Product and/or Professional Services except as permitted herein or in an Order Form, (ii) copy, modify or create derivative works based on the Product, Professional Services or the Documentation, (ii) rent, lease, lend, sell, license, sublicense, publish, frame, mirror or otherwise distribute any part or content of the Product, Professional Services or Documentation, (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Product and/ or Professional Services, in whole or in part, or (iv) access the Product and/or Professional Services in order to (a) build a competing product or service, or (b) copy any content, features, functions or graphics of the Product and/or Professional Services.

4.6 License to Feedback. Roadie shall have a royalty-free, worldwide, transferable, sublicenseable, irrevocable, perpetual license to use or incorporate into the Product and/or Professional Services any suggestions, enhancement requests, recommendations or other feedback provided by Customer, including Users, relating to the operation of the Product and/or Professional Services.

4.7 Customer Data. As between the Parties, Customer owns all right, title and interest in and to all Customer Data; provided that Customer grants Roadie the right to use the Customer Data to perform its obligations under this Agreement.

4.8 Non-Roadie Materials. To the extent Non-Roadie Materials are made available to, or used by or on behalf of the Customer in connection with the use or provision of the Product or Professional Services, such use of Non-Roadie Materials (including all licence terms) shall be exclusively governed by applicable third party terms notified or made available by Roadie or the third party and not by our Agreement. Roadie grants no Intellectual Property Rights or other rights in connection with any Non-Roadie Materials. It is the Customer’s sole responsibility to appropriately license any third party data sources accessed in connection with the Product or any Professional Services.

4.9 Suspension. Notwithstanding anything to the contrary in this Agreement, Roadie may temporarily suspend Customer’s licence to use and/or any User’s access to any portion or all of the Product and/or Professional Services if: (i) Roadie reasonably determines that: (A) Customer’s or any User’s use of the Product and/or Professional Services disrupts or poses a security risk to Roadie or to any other customer of Roadie; (B) Customer, or any User, is using the Product and/or Professional Services in breach of this Agreement or in violation of applicable law; (C) Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding in any relevant jurisdiction; or (D) Roadie’s provision of the Product and/or Professional Services to Customer is or becomes prohibited by applicable law; (ii) any third party has suspended or terminated Roadie’s access to or use of any third-party services or products required to enable Customer to access and use the Product and/or Professional Services; (iii) in accordance with section 3.4 (any such suspension described in subsection (i), (ii), or (iii), a “Suspension”). Roadie shall use commercially reasonable efforts to provide written notice of any Suspension to Customer and to provide updates regarding resumption of access to the Product and/or Professional Services following any Suspension. Roadie shall use commercially reasonable efforts to resume providing access to the Product and/or Professional Services as soon as reasonably possible after the event giving rise to the Suspension is cured. Roadie will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer may incur as a result of a Suspension.

5. CONFIDENTIALITY AND DATA PROTECTION.

5.1 Confidential Information. As used herein “Confidential Information” shall mean all confidential or proprietary information disclosed orally or in writing by one party to the other that is identified as confidential or whose confidential nature is reasonably apparent. Confidential Information of Customer shall include without limitation Customer Data; Confidential Information of Roadie shall include without limitation all information relating to the Product and Professional Services; and Confidential Information of each party shall include the terms and conditions of this Agreement and all Order Forms, as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party. Confidential Information shall not include information which: (a) is or becomes a part of the public domain through no fault of the receiving party; (b) was in the receiving party’s lawful possession prior to the disclosure; (c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure or any breach of confidence; (d) is independently developed by the receiving party; or (e) is required to be disclosed by law. “Confidential Information” does not include feedback as described in section 4.6.

5.2 Protection of Confidential Information. Each party agrees to (i) hold the other’s Confidential Information in confidence, (ii) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care), and (iii) not use or disclose such Confidential Information other than in connection with the performance of its obligations hereunder or as otherwise authorized by this Agreement. Notwithstanding the foregoing, either party may disclose any of the other party’s Confidential Information to its employees or consultants that have a need to know such Confidential Information in connection with such party’s performance under this Agreement and that have agreed to be bound by confidentiality obligations similar to those in this section.

5.3 Compelled Disclosure. The receiving party may disclose the Confidential Information of the disclosing party if it is compelled by law to do so, provided the receiving party gives the disclosing party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the disclosing party’s cost, if the disclosing party wishes to contest the disclosure. If the receiving party is compelled by law to disclose the disclosing party’s Confidential Information as part of a civil proceeding to which the disclosing party is a party, the disclosing party will reimburse the receiving party for its reasonable cost of compiling and providing secure access to such Confidential Information.

5.4 Obligations on Termination. Upon expiration or termination of this Agreement, each party will: (a) immediately cease all use of the other party’s Confidential Information (b) cease use of the Products and Professional Services immediately; and (c) within thirty calendar days after such expiration or termination, confirm in writing to the other party that it has permanently erased from computer memory, destroyed or returned to the other party the other party’s Confidential Information, as well as any copies thereof on any media or in any form. Notwithstanding the foregoing, Roadie may retain any personal data as required by applicable laws, regulations, court orders, subpoenas or other legal process. In addition, any failure of Roadie to return or destroy electronic copies of Customer Data that are automatically generated through data backup and/or archiving systems shall not be deemed to violate the provisions of this section, provided that Roadie shall not use such back-ups or archived copies for any purpose and such copies shall be subject to all confidentiality obligations set forth herein.

5.5 Personal Data. Roadie will process personal data provided by the Customer in accordance with the Data Processing Addendum attached hereto as Annex 1.

5.6 Analytics. Roadie may use Customer Data for internal business purposes such as trend analysis, testing, optimisation, visualisation, support, licence compliance and diagnostics. Roadie will not sell nor publish Customer Data.

6. WARRANTIES, REMEDIES AND DISCLAIMERS

6.1 Roadie Warranties. Roadie warrants that the Product shall materially conform with the Documentation. The Professional Services shall be materially carried out in line with the description set out in the Order Form or Statement of Work. Roadie further states that it has taken commercially reasonable steps to prevent the introduction of any Malicious Code or any other internal components, devices or mechanisms designed to disrupt, disable, harm, or otherwise impair in any material respect the normal and authorized operation of the Product and Professional Services. In the event of any breach of the foregoing warranties, Roadie will use commercially reasonable efforts to promptly repair the Product and Professional Services so as to be conforming.

6.2 Mutual Warranty. Each party represents and warrants that it has the legal power to enter into this Agreement.

6.3 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, THE PRODUCT AND PROFESSIONAL SERVICES ARE PROVIDED ON AN “AS IS” BASIS WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. ROADIE DOES NOT WARRANT THAT THE PRODUCT AND PROFESSIONAL SERVICES WILL SATISFY CUSTOMER’S REQUIREMENTS OR (WITHOUT PREJUDICE TO THE LIMITED WARRANTY ABOVE) THAT IT IS WITHOUT DEFECT OR ERROR OR THAT CUSTOMER’S ACCESS THERETO WILL BE UNINTERRUPTED.

6.4 ROADIE MAY MAKE NON-ROADIE MATERIALS AVAILABLE FOR THE CUSTOMER’S USE OR USE CUSTOMER DATA IN CONNECTION WITH THE PRODUCT OR PROFESSIONAL SERVICES. THE CUSTOMER AGREES THAT: (A) ROADIE HAS NO RESPONSIBILITY FOR THE USE OR CONSEQUENCES OF USE OF ANY NON-ROADIE MATERIALS OR CUSTOMER DATA; (B) THE CUSTOMER’S USE OF ANY NON-ROADIE MATERIALS SHALL BE GOVERNED BY THE APPLICABLE TERMS BETWEEN THE CUSTOMER AND THE OWNER OR LICENSOR OF THE RELEVANT NON-ROADIE MATERIALS OR CUSTOMER DATA; (C) THE CUSTOMER IS SOLELY RESPONSIBLE FOR ANY NON-ROADIE MATERIALS OR CUSTOMER DATA USED IN CONNECTION WITH THE PRODUCT OR PROFESSIONAL SERVICES AND FOR COMPLIANCE WITH ALL APPLICABLE THIRD PARTY TERMS WHICH MAY GOVERN THE USE OF SUCH NON-ROADIE MATERIALS OR CUSTOMER DATA; AND (D) THE CONTINUED AVAILABILITY, COMPATIBILITY WITH THE PRODUCT AND PROFESSIONAL SERVICES AND PERFORMANCE OF THE NON-ROADIE MATERIALS OR CUSTOMER DATA IS OUTSIDE THE CONTROL OF ROADIE AND ROADIE HAS NO RESPONSIBILITY FOR ANY UNAVAILABILITY OF OR DEGRADATION IN THE PRODUCT AND PROFESSIONAL SERVICES TO THE EXTENT RESULTING FROM THE AVAILABILITY, INCOMPATIBILITY OR PERFORMANCE OF ANY OF THE NON-ROADIE MATERIALS OR CUSTOMER DATA.

7. INDEMNIFICATION

7.1 Roadie Indemnification. Roadie agrees to defend Customer against any claims, demands, suits, or proceedings made or brought against Customer by a third party (each, a ”Claim”) alleging that Customer’s use of the Product or Professional Services infringes or misappropriates the intellectual property rights of such third party and to indemnify Customer from any damages finally awarded by a court of competent jurisdiction against Customer or amounts agreed to in settlement in connection with any such Claim. Roadie’s obligations under this paragraph shall only apply to the extent that: (a) Customer promptly notifies Roadie in writing of the Claim; (b) Roadie has control of the defense and all related settlement negotiations relating to the Claim; and (c) Customer provides Roadie with the assistance, information and authority reasonably necessary to perform the above. In no event will Roadie have any obligation or liability under this paragraph for any Claim or action under any legal theory if the Claim or action is caused by, or results from: (i) Customer’s combination, operation or use of the Product or Professional Services with software or other materials not supplied by Roadie, (ii) any alteration or modification of the Product or Professional Services by Customer, (iii) Customer’s continued allegedly infringing activity after being notified thereof or after being provided modifications that would have avoided the alleged infringement, (iv) any Non-Roadie Materials (v) any Customer Data or (vi) the actions or omissions of any person or entity other than Roadie.

7.2 Remedy for Infringement. Should Customer’s right to use the Products or Professional Services pursuant to this Agreement be subject to a Claim of infringement or if Roadie reasonably believes such a Claim of infringement may arise, Roadie may, at its option and in its sole discretion (i) procure for Customer the right to continue to access and use the Product and Professional Services; (ii) modify the Product or Professional Services to render them non-infringing but substantially functionally equivalent to the Product or Professional Services prior to such modification; or (iii) if the alternatives described in sections (i) and (ii) of this paragraph are not commercially practicable, then Roadie may terminate this Agreement and as applicable refund to Customer any amounts pre-paid by Customer for the Professional Services for the unused portion of Professional Services and the prorated amount pre-paid by Customer for the Product for the period of time following termination.

7.3 Customer Indemnification. Customer agrees to defend, indemnify and hold harmless Roadie against any Claims made or brought against Roadie: (i) by a third party alleging that the Customer Data or any other information provided by Customer to Roadie for use in connection with the Roadie Platform Subscription, Product or Professional Services, infringes or violates the intellectual property rights or privacy/data protection rights of a third party or (ii) relating to a breach of the Customer Responsibilities as set out in section 2.2, and to indemnify Roadie from any damages finally awarded by a court of competent jurisdiction against Roadie or amounts agreed to in settlement in connection with any such Claims. Roadie shall: (a) promptly notify Customer in writing of the Claim; (b) ensure Customer has control of the defense and all related settlement negotiations relating to the Claim, provided however the settlement of any Claim shall not be made without advance written permission of Roadie, which shall not be unreasonably withheld; and (c) provide Customer with the assistance, information and authority reasonably necessary to perform the above. Roadie shall promptly provide Customer with written notice of any Claim which Roadie believes falls within the scope of this section. Roadie’s failure to provide written notice to Customer shall not affect Customer’s indemnification obligations hereunder except to the extent that Customer is materially prejudiced thereby. At any time after Customer becomes aware of any such Claim, Customer may procure for Roadie the right to continue to use the information for use in connection with the Product or Professional Services at its own expense. Roadie shall not be responsible for any delay or disruption to the Customer’s use of the Product or Professional Services, including any damages stemming therefrom, caused by a Claim falling under this section.

8. LIMITATION OF LIABILITY.

IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER FOR ANY LOST PROFITS OR REVENUES, LOSS OF DATA (EXCLUDING PERSONAL DATA) OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT FOR ITS LIABILITY ARISING OUT OF ROADIE’s (I) FRAUD, OR WILLFUL MISCONDUCT; OR (II) NEGLIGENCE LEADING TO DEATH OR PERSONAL INJURY, IN NO EVENT SHALL ROADIE’S LIABILITY FOR DAMAGES UNDER THIS AGREEMENT FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, EXCEED THE FEES PAID BY CUSTOMER FOR THE ROADIE PLATFORM SUBSCRIPTION DURING THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE INCIDENT. CUSTOMER ACKNOWLEDGES THAT THE AMOUNT OF FEES PAYABLE BY CUSTOMER TO ROADIE HEREUNDER REFLECT THE ALLOCATION OF RISK SET FORTH IN THIS AGREEMENT AND THAT ROADIE WOULD NOT HAVE ENTERED INTO THIS AGREEMENT WITHOUT THE LIMITATIONS ON ITS LIABILITY CONTAINED IN THIS SECTION. THESE LIABILITY LIMITATIONS APPLY EVEN IF CONTRACTUAL REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.

9. TERM AND TERMINATION

9.1 Term of Agreement. Unless otherwise terminated as provided herein, this Agreement commences on the Commencement Date or the date of Customer’s signature of the Order Form, whichever is the earlier, and continues until the end of the Subscription Term unless terminated earlier or renewed or extended as provided in this Agreement.

9.2 Termination for Cause. A party may terminate this Agreement for cause (i) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Upon termination for cause by Customer under part (i) above, Roadie shall pay any pro-rated amounts pre-paid by Customer in relation to the Subscription Term for the period of time following termination. Upon any termination for cause by Roadie under part (i) above, Customer shall pay any unpaid fees covering the remainder of the Roadie Platform Subscription after the effective date of termination. In no event shall any termination relieve Customer of its obligation to pay any Fees payable to Roadie for any period prior to the effective date of termination.

9.3 Surviving Provisions. Sections 1, 3, 4, 5, 6, 7, 8 and 10 shall survive any termination or expiration of this Agreement.

10. GENERAL PROVISIONS.

10.1 Export Compliance. Each party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Product and/or Professional Services. Without limiting the foregoing, (i) each of Roadie and Customer represents that it is not named on any U.S. government list of persons or entities prohibited from receiving exports, and (ii) Customer shall not permit Users to access or use Product nor Professional Services in violation of any U.S. export embargo, prohibition or restriction.

10.2 Update to Terms of Service. Roadie reserve the right to modify these Terms of Service at any time, in Roade’s sole discretion. Material changes will be notified to Customer by email and acceptance of changes to the Terms of Service is constituted by: (i) continued use of the Roadie Platform fifteen (15) days after the modified Terms of Service have been notified or (ii) your indication of agreement to the updated Terms of Service.

10.3 Force Majeure. Neither party shall be in default if a failure to perform any obligation hereunder is caused solely by supervening conditions beyond that party’s reasonable control, including acts of God, civil commotion, strikes, labor disputes and governmental demands or requirements. When a party’s delay or non-performance continues for a period of sixty (60) days or more, the other party may terminate this Agreement without penalty. Any prepaid amounts for Professional Services shall be refunded on a prorated basis.

10.4 Relationship of the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.

10.5 No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.

10.6 Notices. Except as otherwise specified in this Agreement, all notices, permissions and approvals hereunder shall be in writing and delivered to the addresses set forth on the Order Form and shall be deemed to have been given upon: (i) the date of delivery by hand, (ii) the second business day after overnight delivery, (iii) the first business day after sending by email.

10.7 Publicity. Neither party will use the other party’s name, logo, or trademarks, or issue any press release or public announcement regarding this Agreement, without the other party’s written consent which may be contained within the Order Form, unless specifically permitted under this Agreement or required by law.

10.8 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.

10.9 Anti Corruption. Customer shall ensure that it and each person referred to in section 10.9(i) to 10.9(iii) does not, by any act or omission place Roadie in breach of any Bribery Laws in connection with the provision of Product and or Professional Services and this Agreement, ensure that it has in place adequate procedures to prevent any breach of this section 10.8 and ensure that: (i) all of the Customer’s personnel and all direct and indirect subcontractors, suppliers, agents and other intermediaries of the Customer, (ii) all others associated with the Customer, and (iii) each person employed by or acting for or on behalf of those listed in sections 10.8(i) to (iii) involved in performing services or this Agreement so comply.

10.10 Assignment. Customer may not assign the rights granted under this Agreement, in whole or in part and whether by operation of contract, law or otherwise, without the other party’s prior written consent. Such consent shall not be unreasonably withheld or delayed. For purposes of this provision, a change of control shall constitute an assignment. All terms and conditions of the Agreement shall be binding upon any assignee hereunder; assignee’s acceptance of these terms shall be evidenced by its performance hereunder.

10.11 Order of Precedence. Where there is a conflict between these terms and conditions and the Order Form, the Order Form shall apply to the extent of the conflict.

10.12 Governing Law; Venue. This Agreement, and any disputes arising out of or related hereto, shall be governed exclusively by the laws of Ireland and the Parties hereby agree to submit any dispute arising therefrom to the exclusive jurisdiction of the Irish Courts.

Annex 1 Data Processing Addendum (“DPA”)

1. PURPOSE

This Data Processing Addendum forms part of the Agreement entered into by and between Customer and Roadie. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Personal Data in the course of the provision of or Professional Services in accordance with the requirements of Data Protection Laws.

2. DEFINITIONS

Agreement: the Agreement between Customer and Roadie to which this Addendum is appended.

Controller: the person who, either alone or with others, determines the purpose and means of the processing of Personal Data.

Processing and process: has the meaning given to that term in the GDPR.

Processor: a person which processes Personal Data on behalf of the Controller.

Data Protection Laws: any data protection laws applicable to processing of Personal Data contemplated by this agreement including, without limitation, in particular the European Union General Data Protection Regulation (“GDPR”) or the European Union Directive on Privacy and Electronic Communications (“E-Privacy Directive”) and any related decisions or guidelines and subsequent legislation of a similar nature, and all privacy, security, and data protection laws, rules, and regulations of any applicable jurisdiction including any jurisdiction in which the or Professional Services are being provided or the Personal Data is being processed and any jurisdiction from which Supplier or any subprocessor provides any of the or Professional Services or from which Customer provides Customer’s products or services.

Data Subject: an identified or identifiable natural person about whom the Personal Data relates.

EEA: the European Economic Area.

Personal Data Breach: means any breach of security leading to the accidental or un-lawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;

SCC Agreement: the standard contractual sections for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as set out at Schedule2.

Supplier: Roadie as defined in the Agreement.

Supplier Personnel: employees, agents and independent contractors of the Supplier or of a Supplier Affiliate.

Personal Data: Customer Data that is “personal data” as such term is understood under the GDPR.

Note: Capitalised Terms not defined in the DPA are as defined in the Agreement.

3. CONTROLLER AND PROCESSOR

3.1 The Customer is the controller of all Customer Data that is Personal Data and the Supplier acts as a processor of Personal Data.

4. DETAILS OF THE PROCESSING CONTEMPLATED UNDER THIS DPA

4.1 The details of the processing contemplated under this DPA are described in Schedule 1.

4.2 The Supplier may provide notice of change to the description of the Personal Data to be processed, or to the remainder of this DPA, where an update is required due to changes to the Product or Professional Services or changes required due to applicable Data Protection Laws, including their interpretation. Such update will apply 30 days from the date of the notice.

5. PROCESSING OF PERSONAL DATA.

Supplier’s obligations as Data Processor

5.1 As the processor with respect to Personal Data, Supplier acknowledges and agrees that:

5.1.1 Supplier must, and shall procure that its subprocessors shall, process Personal Data only for the purposes of fulfilling its obligations under this Agreement and in accordance with relevant documented instructions from Customer (unless required to do so by a Union or member state law to which Supplier is subject; in such a case Supplier shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest). Customer agrees to provide Supplier with documented instructions relating to Personal Data under the Agreement.

5.1.2 Supplier agrees to make reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Supplier.

5.1.3 Supplier will not disclose any Personal Data to a third party, except at Customer’s specific request or where obliged to do so under any statutory or other legal requirement (in which case Supplier will use reasonable endeavours to advise Customer in advance of such disclosure and in any event immediately thereafter); and

5.1.4 Supplier or its sub-processors will transfer Personal Data outside the European Economic Area (“EEA”), under the terms of section “Transfers of Personal Data Outside the EEA” (below).

Customer’s obligations as controller

5.2 In addition to Customer’s other responsibilities set out elsewhere in the Agreement, Customer also acknowledges and agrees that:

5.2.1 Customer has and will continue to abide by an appropriate privacy notice relating to the collection and use of Personal Data.

5.2.2 Customer shall comply with:

(a) all Data Protection Laws in connection with the processing of Personal Data and in the exercise and performance of Customer’s respective rights and obligations under this Agreement; and

(b) the terms of this Data Processing Addendum and the Agreement.

5.2.3 Customer states that:

(a) all data sourced by Customer for use in connection with the Product or Professional Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and

(b) all instructions given by it to Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

5.2.4 Customer shall not withhold, delay or condition Customer’s agreement to any change to this Agreement requested by Supplier in order to ensure the Supplier (and each subprocessor) can comply with Data Protection Laws.

6. SECURITY MEASURES

6.1 Each party agrees to take appropriate, and industry standard, technical and organizational measures against unauthorized or unlawful access or processing of Personal Data in connection with this Data Processing Addendum and the Agreement or its accidental loss, destruction or damage. Roadie agree to apply the Roadie Platform Security Measures (available on request), which may be updated from time to time.

6.2 Supplier shall, and shall procure that its subprocessors shall, take all reasonable steps to ensure that Personal Data processed in connection with this Data Processing Addendum and the Agreement is processed in compliance with the obligations under Article 32 of the GDPR relating to security of processing.

7. Personal Data Breach Notifications

7.1 Supplier will promptly notify Customer of any known or reasonably suspected breach of security leading to a Personal Data Breach.

7.2 In respect of any Personal Data Breach, the Supplier shall:

7.2.1 notify the Customer of the Personal Data Breach without undue delay (but in no event later than 72 hours after becoming aware of the Personal Data Breach); and

7.2.2 provide the Customer without undue delay (wherever possible, no later than 72 hours after becoming aware of the Personal Data Breach) with such details as the Customer reasonably requires regarding:

(a) the nature of the Personal Data Breach (including, the categories and approximate numbers of data subjects and Personal Data records concerned);

(b) any investigations into such Personal Data Breach;

7.2.3 the likely consequences of the Personal Data Breach; and

7.2.4 any measures taken, or that the Supplier recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,

provided that, (without prejudice to the above obligations) if the Supplier cannot provide all these details within the timeframes set out in this section 7.2, it shall (before the end of such timeframes) provide the Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Customer regular updates on these matters.

7.3 If a Personal Data Breach occurs the Supplier shall:

7.3.1 take such steps and do all acts and things as the Customer requires in order to mitigate the effects of the Personal Data Breach; and

7.3.2 restore to the last available backup any Customer Data that has been lost, damaged or destroyed by the Personal Data Breach.

8. AUDITS

Supplier will make available to Customer all information necessary to demonstrate compliance with the data processing obligations laid down in this DPA including by allowing for and contributing to reasonable audits to determine Supplier’s compliance with its obligations under this DPA. These audits (of frequency of no more than once per year, except where there is reason to suspect a breach of the obligations may have occurred) may be conducted by Customer, auditors mandated by Customer, or public authorities in competent jurisdictions, subject to Customer and Customer’s auditors (if relevant) undertaking reasonable and appropriate confidentiality obligations.

9. CONFIDENTIALITY

Supplier shall, and shall procure that its subprocessors shall, ensure that any persons to whom Supplier discloses Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.

10. TRANSFER OF PERSONAL DATA TO THIRD PARTY PROVIDERS.

Subprocessors appointed by Supplier:

10.1 The Product and Professional Services may include an element of hosting. As such, Supplier uses third party providers to provide certain services, including hosting. A list of these third party providers is available at https://roadie.io/legal-notices/sub-processors/ (“Subprocessor Details”).

10.2 These subprocessors will have access to certain data, including relevant Personal Data, however such subprocessors are only permitted to process data, for the purposes of providing their specifically contracted services to Supplier.

10.3 Supplier will use commercially reasonable efforts to ensure that such subprocessors utilize reasonable industry recognized security measures to protect against loss, misuse and unauthorized viewing of the information Customer provides to Supplier.

Third Party Providers Appointed by Customer:

10.4 Customer may elect to subscribe to third party services that may integrate with the Product or Professional Services (Third Party Solutions as defined in the Agreement).

10.5 Where Customer chooses to integrate with a Third Party Solution, this may entail providing Supplier with access to Personal Data held by such Third Party Solution, and may require the providers of such Third Party Solution to have access to Personal Data. Customer must notify Supplier and put in place a written contract between Customer and Supplier as required under Article 28 GDPR relating to any extra categories of Personal Data that Supplier will process on behalf of Customer due to such integration. Customer shall not send any personal data to Supplier unnecessarily.

10.6 With regard to Third Party Solution, Customer acknowledges and agrees that:

10.6.1 Supplier has no contractual relationship with such third parties, and no responsibility for Personal Data once such a transfer commences, nor for the duration such third party holds the relevant data. Supplier does not audit the adequacy or otherwise confirm the security or organizational measures employed by such third parties, which is Customer’s sole responsibility.

10.6.2 Customer is responsible for ensuring that Customer’s and Supplier’s use of the Product and Professional Services and integration with a Third Party Solution complies with any service terms of the applicable Third Party Solution. Supplier is not required to maintain Personal Data collected in breach of any relevant data protection or other applicable laws.

10.6.3 Customer is responsible for obtaining consent from its personnel for the use and deployment of all Third Party Solutions or Customer Data subject to the E-Privacy Directive that will process data regulated by the E-Privacy Directive on the Product.

10.7 Supplier makes no representations as to the appropriateness or legality of Customer’s choice to permit such third parties to have access to its Personal Data, and Customer is responsible for ensuring that it has all requisite consents and has provided any required notices to data subjects with respect to this processing of their data. Supplier is not responsible for the processing of Personal Data by Third Party Solutions.

10.8 SUPPLIER HEREBY DISCLAIMS ALL RESPONSIBILITY FOR THE ACTIONS OF SUCH THIRD PARTIES OR FOR LOSS, DAMAGES, OR CLAIMS ARISING AS A RESULT OF DEPLOYING INTEGRATION CODE FACILITATING TRANSFERS OF PERSONAL DATA OR MAKING A TRANSFER OF PERSONAL DATA ON CUSTOMER’S BEHALF. SUPPLIER MAKES NO REPRESENTATIONS OR WARRANTIES AS TO THE SUITABILITY OF SUCH THIRD PARTY FOR RECEIPT OF PERSONAL DATA NOR OF THE SUITABILITY OF THE THIRD PARTY SOLUTIONS TO PROCESS PERSONAL DATA.

11. PROCESSING OF PERSONAL DATA BY SUBPROCESSORS OF SUPPLIER

11.1 Supplier may only authorise a subprocessor to process Personal Data provided that Supplier has entered into a written agreement with such subprocessor on terms which are substantially the same as those set out in this DPA. Where a subprocessor fails to fulfil its data protection obligations, Supplier shall remain liable to Customer for the performance of the data protection obligations of the relevant subprocessor.

11.2 Customer provide a general authorisation to Supplier to engage the subprocessors as are appointed on the date this DPA comes into force.

11.3 Supplier will with thirty (30) days’ notice inform Customer of any intended change in the subprocessors that will process Personal Data under this agreement and Customer shall be entitled to make any objections thereto. If no objections have been received within ten (10) days, the proposed subprocessor shall be deemed accepted. If Customer does not agree to the subprocessor, the parties shall attempt to settle the disagreement and if the parties cannot agree on the use of a subprocessor, Supplier may terminate this agreement by providing written notice, such termination to take effect on the later of (i) the date on which Supplier will commence using the services of the relevant subprocessor in relation to the Product and/or Professional Services provided to Customer or (ii) one (1) month after the date of Customer’s written notice.

12. TRANSFERS OF END USER PERSONAL DATA OUTSIDE THE EEA:

12.1 Personal Data may be transferred or stored outside the country where the Customer is located in order to carry out the Product or Professional Services and our other obligations under the Agreement.

12.2 Other than with respect to the transfer of Personal Data to subprocessors listed in the Subprocessor Details, Supplier will only transfer Personal Data outside the EEA on Customer’s specific request. Examples of why Customer may make such a request are transfers of such data to Customer or Customer’s affiliates, where Customer or Customer’s affiliate is based outside the EEA; a transfer to a third party outside of the EEA for further processing of the data; a specific request by Customer that Supplier uses an third party hosting provider or where Customer opts to integrate with a Third Party Solution outside of the EEA.

12.3 Where Customer opts to send Personal Data to Third Party Solutions via integration or plug-in, Customer agrees that providers of third party services are not subprocessors of Supplier for data protection purposes and such providers are Customer’s directly-contracted data processors acting under Customer’s instructions.

12.4 In making a request for Supplier to transfer Personal Data, subject to GDPR and related privacy regulations outside of the EEA, Customer confirms that there is “an adequate level of protection” in place for such transfer as such term in understood under GDPR.

12.5 Customer will indemnify and hold harmless Supplier, its subsidiaries and affiliates (and their respective employees, directors, officers, shareholders, attorneys, agents and representatives) from and against any and all claims, costs, losses, damages, judgments, penalties, interest and expenses (including reasonable attorneys’ fees and costs) from any claim, action, audit, investigation, regulatory action, inquiry or other proceeding that arises out of or relates to use of Personal Data by Third Party Solutions, or other transferees, or Customer’s failure to comply with any applicable laws and regulations in connection with the transfer of the Personal Data outside the EEA including any applicable data protection legislation or that arises out of or relates to any subsequent use of the Personal Data by the relevant transferee. This indemnification obligation set forth herein shall survive the termination of the Agreement.

12.6 Supplier agrees to enter into a SCC Agreement with Customer where reasonably required to ensure an “adequate level of protection” is in place for the transfer of such Personal Data outside the EEA.

12.7 The parties agree to cooperate where, due to changes in law or practice, an alternate data transfer mechanism is required to be put into operation to ensure an “adequate level of protection” is in place for transfer of data outside the EEA under GDPR.

12.8 Customer notes that the SCC Agreement is expected to be updated by the European Commission in early 2021 (the New SCC Agreement). The Customer will have an opportunity to convey to Roadie any concerns with respect to the terms of the New SCC Agreement for a period of one month following the publication of the final form of the New SCC Agreement. After that period has elapsed, the SCC Agreement at Schedule 1 will be deemed to be replaced by the New SCC Agreement and all references to the SCC Agreement in this Agreement shall from that date refer to the New SCC Agreement.

12.9 Further to the above, Customer agrees to cooperate with Roadie where reasonable Supplementary Measures are required to be implemented to ensure compliance with the EU level of protection of Personal Data including in respect of additional data processing terms in Customer contracts.

12.10 In the event that the United Kingdom is not deemed to provide an “adequate level of protection” for the protection of personal data as such term is understood under the GDPR and the transition period for transfers of personal data between EU and UK has expired, the SCC Agreement (or, by agreement of the parties, any subsequent applicable data transfer mechanism agreed between the UK and EU) shall apply to any transfers of personal data to or from the United Kingdom during the term of the Agreement and Supplier agrees to be bound by the attached SCC Agreement in full in such circumstances in order to ensure the lawful transfer or personal data between the United Kingdom and the EEA.

13. SUBJECT ACCESS REQUESTS

13.1 Supplier will promptly assist Customer with all notices, requests or other enquiries relating to the data protection rights which may be received by Customer or Supplier, at Customer’s reasonable expense.

13.2 Supplier will not respond to any subject access request without the Customer’s prior written approval unless required to do so by law or direction of a relevant regulator.

14. RETURN OR DELETION OF PERSONAL DATA

Immediately on termination or expiry of this Agreement, or otherwise on Customer’s request, Supplier must and shall procure that its subprocessors shall:

14.1 return all Personal Data to Customer; or

14.2 delete all the Personal Data, in a manner agreed to by Customer;

at Customer’s election, unless a law binding on Supplier or its subprocessors prevents it from doing as requested or unless otherwise agreed in the Agreement (for example, where the Customer has requested Supplier continue to store Personal Data in order to ensure compliance with a legal obligation). If Customer has not made their election within 30 days of termination of the Agreement, Supplier shall delete the Personal Data.

15. OBLIGATIONS INDEPENDENT OF OTHER PROVISIONS

The obligations contained in this DPA are without prejudice to Supplier’s other obligations under this Agreement and apply notwithstanding any permitted use or disclosure of confidential information in this Agreement.

16. COSTS

16.1 Subject to sections 16.2 and 16.3, the costs of Supplier and its subprocessors to comply with their respective obligations as data processors under Data Protection Laws applicable in a specific jurisdiction shall be borne by Supplier and its subprocessors to the extent compliance with such obligations is necessary for Supplier and/or its subprocessors’ compliance with applicable Data Protection Laws in their role as data processors in the jurisdiction in question.

16.2 Notwithstanding section 16.1, if Customer request Supplier to take on compliance activities which go beyond the activities that Supplier is required to do as a processor under applicable Data Protection Laws, Supplier shall be entitled to its reasonable costs and the above shall be notified to Supplier and agreed pursuant to a further Order Form.

16.3 Should changes to applicable Data Protection Laws, including the interpretation thereof, entail increased costs for Supplier or its subprocessors, Supplier may, subject to providing written notice Customer, increase the rates charged to Customer to reflect the increased costs. The increase to Customer should be fair and reasonable and should be proportional to what other similar customers are being asked to pay.

17. WARRANTY and SUPPLIER LIABILITY

17.1 By using the Product to process Personal Data, Customer states, that Customer’s collection and processing of Personal Data does not breach the rights of any person or entity, including rights of publicity, privacy or under applicable Data Protection Laws, that Customer is entitled to transfer the relevant Personal Data to Supplier, and that Supplier is entitled to transfer Personal Data to its subprocessors and all Third Party Solutions so that they each respectively may lawfully use, process and transfer such Personal Data in accordance with this DPA and the Agreement.

17.2 The liability of the Supplier relating to Personal Data processed in connection with the Product and/or Professional Services is limited to direct losses related to:

17.2.1 any breach by the Supplier of any of its Personal Data obligations under this DPA; or

17.2.2 the Supplier (or any person acting on its behalf) acting outside or contrary to the lawful processing Instructions of the Customer in respect of the processing of Personal Data.

17.3 Any claims brought under or in connection with this DPA shall be subject to the Agreement, including but not limited to, the exclusions and limitations of liability set forth in the Agreement.

18. INTERPRETATION

18.1 The parties agree that this DPA shall replace any existing data protection terms the parties may have previously entered into in connection with the Product or Professional Services relating to Personal Data.

18.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

Schedule 1 to Annex 1 – SCC Agreement

The subject matter of the processing is: log-in details and usage data for Users

The duration of the processing is: the duration of the Agreement plus 30 days for Customer to elect return/deletion of the Personal Data

The nature and purpose of the processing is: to manage access to and use of the Roadie Platform

The type of Personal Data is: email address, password, name, company, log data related to the User.

The categories of data sujects are: Users

Schedule 2 to Annex 1 – SCC Agreement

Commission Decision C(2010)593 Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: Customer name as detailed in the Order Form.

Address: Customer address as detailed in the Order Form

Tel.: Customer contact information as detailed in the Commercial Terms

(the data exporter)

And

Data importer: Larder Software Limited t/a Roadie

Address: Roadie address as detailed in the Order Form

Other information needed to identify the organisation: N/A

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ’the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘*the applicable data protection law**’*** means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Signature: Deemed signed upon Customer signature of the Order Form.

On behalf of the data importer:

Signature: Deemed signed upon Customer signature of the Order Form.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is engaged in activities relating to management of its internal business systems.

Data importer

The data importer is engaged in activities relating to provision of the Roadie Platform to the data exporter.

Data subjects

The personal data transferred concerns the following categories of data subjects (please specify):

  • Users

Categories of data

The personal data transferred concern the following categories of data (please specify):

  • See Schedule 1 to Annex 1

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • N/A

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • The provision of the Roadie Platform to Users

On behalf of the data exporter:

Signature: Deemed signed upon Customer signature of the Order Form.

On behalf of the data importer:

Signature: Deemed signed upon Customer signature of the Order Form.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Roadie Platform Security Measures (available on request).