Varicent Concert - Terms of Service
Varicent Subscription Services Agreement
This Subscription and Services Agreement (the “Agreement”) is entered into and effective by and between you and the Varicent entity described in Section 12.6 below (“Varicent,” “we” or “us”). If you are agreeing to this Agreement not as an individual but on behalf of your company, then “Customer” or “you” means your company, and you are binding your company to this Agreement. By clicking on the “I agree” (or similar) button that is presented to you at the time of your Order, or by using or accessing the Service, you indicate your agreement to be bound by this Agreement. This Agreement governs your initial purchase of the Service and related Support Services, as well as any future purchases made by you that reference this Agreement. This Agreement includes any Orders, and any other policies and attachments referenced in this Agreement.
1. Definitions
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Customer entity signing this Agreement. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 “Customer Data” means all data or information submitted by or on behalf of Customer to the Service.
1.3 “Order Form” means an ordering document executed by the parties that specifies the Service and certain Professional Services purchased by Customer under this Agreement. Each Order Form shall incorporate this Agreement by reference.
1.4 “Professional Services” means Consulting Services. Professional Services shall not include the Service.
1.5 “Service” means the online, web-based application set forth in an Order Form and provided by Varicent via http://www.concertfinance.com or other designated websites or IP addresses as communicated to Customer by Varicent. The Service as defined in this Agreement shall not include the Professional Services.
1.6 “Statement of Work” means a document executed by the parties that describes certain Professional Services purchased by Customer under this Agreement. Each Statement of Work shall incorporate this Agreement by reference.
1.7 “Subscriber” or “Payee” means an individual (i) who is authorized by Customer to use or access the Service and who has been supplied an identification and password by Customer or at Customer’s direction or (ii) whose information is stored on the Service for compensation calculation, reporting or territory optimization purposes. Customer shall purchase a subscription to the Service for each Subscriber (a “Subscription”). A Subscriber may include Customer’s or Customer’s Affiliates’ employees, consultants, representatives and agents.
1.8 “Subscription Term” means the period identified in the Order Form during which Customer’s Subscribers are authorized to use or access the Service pursuant to the terms set forth in this Agreement, unless earlier terminated as set forth in Section 10.
1.9 “Support Services” means the support services provided by Varicent in accordance with Varicent’s then-current support policy for the Service and as identified on an Order Form. In the event that the level of support is not identified on the Order Form, Customer shall receive a “standard” level of support that is included in the Service.
1.10 “Varicent Reference Guide” means the applicable user guide documentation provided by Varicent to Customer. For certain Varicent products, the Varicent Guide is accessible from within the Service.
1.11 “Varicent Materials” means any materials that Varicent provides to Customer as part of, or in the course of providing, the Service or the Professional Services, including but not limited to the Insights Reports. Customer agrees that Varicent Materials are Varicent’s Confidential Information, as defined in Section 7. Customer shall use the Varicent Materials only as expressly permitted in this Agreement, or the applicable Order Form or Statement of Work.
2. Service
2.1 Provision of Service. Varicent shall make the Service available to Customer pursuant to this Agreement and all Order Forms during the Subscription Term, solely for Customer’s own internal business purposes. Customer agrees that its purchase of the Service or the Professional Services is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written public comments made by Varicent with respect to future functionality or features.
2.2 Additional Subscribers; Add-Ons. Customer may reassign Subscriptions from time to time to new Subscribers who replace former Subscribers who no longer use or need access to the Service or for whom Customer is no longer optimizing territories, or calculating, processing, modeling or storing compensation. Customer, however, may not allow more than one individual Subscriber to use or otherwise share a single Subscription. Unless otherwise specified in the relevant Order Form, Varicent shall charge Customer for a full billing month if Customer adds or purchases additional Subscriptions during a Subscription Term (such Subscriptions, “add-ons”) on or before the 20th day of a billing month. For add-ons purchased after the 20th day of a billing month, Varicent shall charge Customer commencing on the following month. By using any additional Subscriptions during a Subscription Term, Customer agrees to be responsible for payment of the additional fees in relation thereto. The rate for add-ons shall be the same as the per-Subscriber rate applicable to Customer’s existing Subscription in effect at the time Customer purchases the add-on.
2.3 Customer Affiliates. Customer Affiliates may purchase and use Subscriber subscriptions and Professional Services subject to the terms of this Agreement by executing Order Forms or Statements of Work hereunder that incorporate by reference the terms of this Agreement, and in each such case, all references in this Agreement to Customer shall be deemed to refer to such Customer Affiliate for purposes of such Order or SOW.
3. Mutual Rights and Responsibilities
3.1 Varicent’s Responsibilities. Varicent shall: (i) not use or modify the Customer Data except as otherwise set forth in this Agreement; (ii) use commercially reasonable efforts to maintain the security and integrity of the Service and the Customer Data; (iii) provide Support Services to Customer in accordance with its then-current support policies for the Service; (iv) comply with all applicable laws in providing the Service and Professional Services; and (v) use commercially reasonable efforts to make the Service available in accordance with its Service Levels. Varicent reserves the right to update its support policies and its Service Levels at any time in its sole discretion provided that any updates shall not materially diminish the level of support provided to Customer during the Term in which Varicent updates such policies or Service Levels. Varicent will provide notices directed to its customer base generally by means of a general notice on the Service, or by electronic mail to Customer’s administrator e-mail address on record in Varicent’s account information.
3.2 Customer’s Responsibilities. Customer is responsible for all activity that occurs in its Subscriber accounts and for its Subscribers’ compliance with this Agreement. Customer shall: (i) have sole responsibility for the accuracy, quality, integrity, legality, reliability and appropriateness of all Customer Data; (ii) prevent unauthorized access to, or use of, the Service, and notify Varicent promptly of any such unauthorized access or use; (iii) comply with all applicable laws in using the Service; and (iv) not provide Varicent with any Customer Data that is personally identifying information subject to specialized security regimes, including without limitation the Health Insurance Portability and Accountability Act (“HIPAA”), the standards promulgated by the PCI Security Standards Council (“PCI”), and the requirements promulgated by IRS Publication 1075 related to Federal Tax Information data (“FTI”). Varicent is not a “Business Associate” under HIPAA, and Customer shall not provide any protected health information to Varicent. Customer acknowledges that social security numbers, government identification numbers, credit card data, and similarly sensitive information are not required for use of the Service and Customer agrees not to provide Varicent with any such information.
4. Fees and Payment.
4.1 Fees. Customer shall pay all fees specified in all Order Forms and Statements of Work executed by the parties hereunder. Except as otherwise specified herein or in any Order Form or Statement of Work, all fees are quoted and payable in United States dollars, payment obligations are non-cancelable, and fees paid are non-refundable. Subject to Section 2.2, fees for the Service are based on Subscriptions purchased and not actual usage. The number of Subscriptions purchased cannot be decreased during a Subscription Term. Varicent reserves the right to increase subscription fees year over year, as indicated in the applicable Order Form.
4.2 Invoicing and Payment. Except as otherwise specified in an Order Form or Statement of Work, all fees and charges under this Agreement will be invoiced in advance and are due net thirty (30) days from the invoice date. Customer agrees to accept invoices via email at the billing contact email address specified in the applicable Order Form, as may be updated by Customer upon written notice. Invoices shall be emailed on the day of the date of invoice. In the event that the email date is later, such later date shall apply. Customers located outside of the U.S. shall submit payment to Varicent via wire transfer. Customer is responsible for providing complete and accurate billing address and contact information to Varicent. If Customer believes a particular invoice is incorrect, Customer must contact Varicent in writing within sixty (60) days of such invoice date to be eligible to receive an adjustment or credit.
4.3 Overdue Payments. Any payment not received by Varicent by the due date and not subject to a reasonable and good faith dispute may accrue, at Varicent’s option, late charges at the lesser of 1.0% of the outstanding balance per month, or the maximum rate permitted by law, from the date such payment was due until the date paid.
4.4 Suspension of Service. If Customer’s account is thirty (30) days or more overdue (except for charges then under reasonable and good faith dispute), then, following five (5) business days’ written notice and opportunity to cure (which notice may be provided via email), in addition to any of its other rights or remedies, Varicent reserves the right to suspend Customer’s access to the Service until such amounts are paid in full.
4.5 Taxes. Unless otherwise stated, Varicent’s fees do not include any direct or indirect local, state, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including value-added, use or withholding taxes (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder, excluding taxes based on Varicent’s net income or property. If Varicent has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, the appropriate amount shall be invoiced to and paid by Customer, unless Customer provides Varicent with a valid tax exemption certificate authorized by the appropriate taxing authority.
5. Proprietary Rights.
5.1 Access to Service. In exchange for payment of the fees listed on the Order Form, and subject to the terms of this Agreement and any applicable Order Form and/or SOW, Varicent grants Customer (a) a nonexclusive, royalty-free, non-transferable right, solely during the Subscription Term (i) to access and use the Service solely for Customer’s internal business purposes and (ii) to use the Varicent Materials solely in conjunction with Customer’s authorized use of the Service, and (b) a nonexclusive, royalty free, perpetual license to copy and use the Insights Reports, without modification, solely for Customer’s internal business purposes. Customer shall not alter or remove, or permit any third party to alter or remove, any proprietary trademark or copyright markings incorporated in, marked on or affixed to any Varicent Materials.
5.2 Reservation of Rights. Except for the limited rights expressly granted to Customer hereunder, Varicent reserves all rights, title and interest in and to the Service, the underlying software, the Varicent Materials, and the Professional Services and any deliverables in connection therewith, including all related intellectual property rights inherent therein. No rights are granted to Customer hereunder other than as expressly set forth in this Agreement.
5.3 Restrictions. Customer shall not (i) modify, copy, display, republish or create derivative works based on the Service or the underlying software; (ii) modify, copy or create derivative works of the Varicent Materials, except Customer may copy the Insights Reports as expressly permitted in 5.1(b) above; (iii) frame, scrape, link to or mirror any content forming part of the Service, other than on Customer’s own intranets or otherwise for its own internal business purposes; (iv) reverse engineer the Service or the underlying software; (v) access the Service in order to build a competitive product or service, or copy any ideas, features, functions or graphics of the Service; (vi) license, sublicense, sell, resell, rent, lease, transfer, assign (except as permitted in 11.6), distribute, time share or otherwise commercially exploit or make the Service available to any third party, other than to Subscribers or as otherwise contemplated by this Agreement; (vii) use the Service to send spam or otherwise duplicative or unsolicited messages in violation of applicable laws; (viii) use the Service to send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or violative of third-party privacy rights; (ix) upload to the Service or use the Service to send or store viruses, worms, time bombs, Trojan horses or other harmful or malicious code, files, scripts, agents or programs; (x) interfere with or disrupt the integrity or performance of the Service or the data contained therein; (xi) attempt to gain unauthorized access to the Service or its related systems or networks; or (xii) conduct any platform or system level testing of the Service.
5.4 Customer Data. As between Varicent and Customer, Customer retains ownership of all rights, title and interest in and to all Customer Data. Customer Data is deemed the Confidential Information of Customer under this Agreement. Customer grants Varicent a nonexclusive, worldwide, royalty-free, license to reproduce, display, adapt, modify, transmit, distribute, and otherwise use such Customer Data as necessary or reasonable to provide the Service and to use the Customer Data in anonymized and aggregated form for generating “Benchmarking Statistics” relating to industry trends, provided that the anonymized data does not include information that identifies or provides a reasonable basis to identify a company or an individual, where, without limitation, the following identifiers have been removed: company names and the names of individuals, addresses, phone numbers, e-mail address(es) and any other information which could reasonably be anticipated to identify, when taken in the aggregate, a specific company, organization or individual.
5.5 Intellectual Property Rights Definition. “Intellectual Property Rights” means unpatented inventions, patent applications, patents, design rights, copyrights, trademarks, service marks, trade names, domain name rights, mask work rights, know-how and other trade secret rights, and all other intellectual property rights, derivatives thereof, and forms of protection of a similar nature anywhere in the world.
5.6 Intellectual Property Rights Ownership, Use. Varicent alone (and its suppliers, where applicable) shall own all right, title and interest, including all related Intellectual Property Rights, in and to all of Varicent’s proprietary technology (including software, hardware, products, processes, algorithms, user interfaces, know-how, techniques, designs and other tangible or intangible technical material or information) (hereafter, “Varicent Technology”) made available to Customer by Varicent in providing the Service and the Varicent Technology, and Customer hereby assigns to Varicent any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer relating to the Service or the Varicent Technology. Varicent may use such submissions as it deems appropriate in its sole discretion. This Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Service, the Varicent Technology or the Intellectual Property Rights owned by Varicent and its suppliers. The Varicent name, the Varicent logo, and the product names associated with the Service are trademarks of Varicent or its suppliers, and unless expressly granted herein, no right or license is granted to use them. Customer will not accrue any residual rights to the Varicent technology or the Service, including any rights to the Intellectual Property Rights in connection therewith.
5.7 Suggestions. Varicent shall have a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into the Service any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or its Subscribers relating to the features, functionality or operation of the Service, or the Professional Services.
6. Data Protection.
The data protection terms outlined in the Data Security Standards Schedule shall be applicable to this Agreement.
7. Confidentiality.
7.1 Definition of Confidential Information. As used herein, “Confidential Information” means all confidential and proprietary information of a party (“Disclosing Party”) disclosed to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information or the circumstances of disclosure, including (a) the terms and conditions of this Agreement (including pricing and other terms reflected in all Order Forms and Statements of Work hereunder), (b) the Customer Data, (c) a Party’s proprietary technology or computer software in all versions and forms of expression and the Service, whether or not the same has been patented or the copyright thereto registered, is the subject of a pending patent or registration application, or forms the basis for a patentable invention (collectively the “Proprietary Technology”), (d) the Varicent Materials, Varicent’s security information and reports, and (e) each party’s respective business and marketing plans, technology and technical information, product designs, and business processes. The obligations in this Section 6 shall not apply to any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party and without an obligation of confidentiality; (iii) was independently developed by the Receiving Party without the use of or reference to the Confidential Information of the Disclosing Party; or (iv) is lawfully received from a third party without breach of any obligation owed to the Disclosing Party and without an obligation of confidentiality.
7.2 Confidentiality. The Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, except with the Disclosing Party’s prior written permission. Either party may disclose Confidential Information to its personnel and its auditors who are subject to confidentiality obligations comparable in scope to those herein, which are in no event less than a reasonable standard of care.
7.3 Protection. Receiving Party will use at least the same level of care to prevent unauthorized use of the Confidential Information as it uses for its own confidential and proprietary information of like kind, but in no event less than a reasonable standard of care.
7.4 Compelled Disclosure. If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prior notice of such compelled disclosure, to the extent legally permitted, and reasonable assistance, at Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure.
7.5 Remedies. If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in breach of the confidentiality protections hereunder, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the parties that any other available remedies are inadequate.
8. Warranties and Disclaimers.
8.1 Warranties. Each party represents and warrants that it has the legal power and authority to enter into this Agreement. Varicent warrants that: (i) it will provide the Service in a manner consistent with general industry standards reasonably applicable to the provision thereof; (ii) the Service will perform materially in accordance with the applicable Varicent Reference Guide under normal use and circumstances; (iii) it will perform all Professional Services in a professional and workmanlike manner; and (iv) it owns or otherwise has sufficient rights in the Service to grant to Customer the rights to use the Service granted herein. Customer warrants that: (a) it owns or otherwise has sufficient rights in the Customer Data to grant to Varicent the rights to use the Customer Data granted herein; and (b) it has not falsely identified itself nor provided any false information to gain access to the Service.
8.2 Remedies. Customer’s exclusive remedy and Varicent’s entire liability for a breach of the warranties set forth in Section 8.1 above shall be as follows: (i) for a breach of the warranties set forth in Section 8.1(i) and 8.1(ii), Varicent shall correct any material reproducible impairments to the features and functionality in the Service so that it materially conforms to this warranty, and if Varicent is unable to provide such Service as warranted within a commercially reasonable time following receipt of written notice of breach, Customer shall be entitled to terminate the applicable Order Form and receive a refund of any prepaid, unused fees applicable to the remaining portion of the Subscription Term following the effective date of termination; (ii) for a breach of the warranty set forth in Section 8.1(iii), Varicent shall re-perform the applicable Professional Services. If Varicent determines that it is unable to perform such Professional Services as warranted within a commercially reasonable time following receipt of written notice of breach, Customer shall be entitled to terminate the applicable SOW and recover the fees paid for the nonconforming Professional Services, provided that Customer discontinues all use of any Varicent Materials delivered under the applicable SOW and certifies that it has done such and has destroyed all copies in Customer control; and (iii) for a breach of the warranty set forth in Section 8.1(iv), Varicent will provide the indemnification described in Section 9.1 below.
8.3 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, CUSTOMER UNDERSTANDS AND AGREES THAT THE SERVICE AND CONTENT ARE PROVIDED “AS IS” AND VARICENT, ITS AFFILIATES, SUPPLIERS, RESELLERS, AND ITS LICENSORS MAKE NO WARRANTIES OF ANY KIND WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. IN ADDITION, CUSTOMER ACKNOWLEDGES AND AGREES THAT (A) THE SERVICE DOES NOT CONSTITUTE THE PROVISION OF LEGAL ADVICE OR SERVICES IN ANY MANNER; (B) THE SERVICE DOES NOT ENSURE CUSTOMER’S COMPLIANCE WITH ALL APPLICABLE LABOR OR EMPLOYMENT LAWS; AND (C) CUSTOMER IS SOLELY RESPONSIBLE FOR ITS COMPLIANCE WITH ALL APPLICABLE LAWS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY MAY LAST. CUSTOMER MAY HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION.
9. Indemnification.
9.1 Indemnification by Varicent. Provided that Customer complies with the procedures set forth in this Section 9.1, Varicent shall defend Customer, at Varicent’s expense, against any claims, demands, suits or proceedings (“Claims”) made or brought against Customer by a third party alleging that the use of the Service as contemplated hereunder directly infringes a U.S. patent, copyright, or trademark of a third party or misappropriates such third party’s trade secrets. Further, Varicent shall indemnify and hold Customer harmless against all reasonable costs (including reasonable attorneys’ fees) finally awarded against Customer by a court of competent jurisdiction or an arbitrator, or agreed to in a written settlement agreement signed by Varicent, in connection with such Claims. Promptly upon receiving notice of a Claim, Customer shall (a) give Varicent prompt written notice of the Claim; (b) give Varicent sole control of the defense and settlement of the Claim (provided that Varicent may not settle or defend any claim unless it unconditionally releases Customer of all liability); and (c) provide to Varicent, at Varicent’s cost, all reasonable assistance in the defense or settlement of such Claim. Varicent’s indemnification obligation shall be offset to the extent its ability to defend or settle a claim is jeopardized by Customer’s failure to comply with the preceding sentence. Varicent shall have no indemnification obligation for infringement claims arising from the combination of the Service with any services, hardware, data or business processes not provided by Varicent or use of the Service by Customer other than in accordance with this Agreement or the applicable Varicent Reference Guide.
If the Service is held or likely to be held infringing, Varicent shall have the option, at its expense to (i) replace or modify the Service as appropriate, (ii) obtain a license for Customer to continue using the Service, (iii) replace the Service with a functionally equivalent service; or (iv) terminate the applicable Service and refund any prepaid, unused fees applicable to the remaining portion of the Subscription Term of the applicable Service following the effective date of termination. This Section 9.1 states Varicent’s entire liability and Customer’s exclusive remedy for any claim of intellectual property infringement.
9.2 Indemnification by Customer. Subject to this Agreement, Customer shall defend Varicent, at Customer’s expense, against any Claims made or brought against Varicent by a third party alleging that the Customer Data, or Customer’s use of the Service in violation of this Agreement, infringes or otherwise violates a third party’s property, privacy or other rights. Further, Customer shall indemnify and hold Varicent harmless against all costs (including reasonable attorneys’ fees) finally awarded against Varicent by a court of competent jurisdiction or an arbitrator, or agreed to in a written settlement agreement signed by Customer, in connection with such Claims. Promptly upon receiving notice of a Claim, Varicent shall (a) give Customer prompt written notice of the Claim; (b) give Customer sole control of the defense and settlement of the Claim (provided that Customer may not settle or defend any Claim unless it unconditionally releases Varicent of all liability); and (c) provide to Customer, at Customer’s cost, all reasonable assistance in the defense or settlement of such Claim. Customer’s indemnification obligation shall be offset to the extent its ability to defend or settle a claim is jeopardized by Varicent’s failure to comply with the preceding sentence.
10. Limitation of Liability.
10.1 Limitation of Liability. EXCEPT FOR CUSTOMER’S BREACH OF SECTION 5.3, OR EITHER PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTIONS 9.1 AND 9.2 ABOVE, IN NO EVENT SHALL EITHER PARTY’S OR ITS LICENSORS’ AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNTS ACTUALLY PAID BY AND DUE FROM CUSTOMER UNDER THE APPLICABLE ORDER OR SOW IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY. WITH RESPECT TO EITHER PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS IN SECTION 7, IN NO EVENT SHALL EITHER PARTY’S OR ITS LICENSORS’ AGGREGATE LIABILITY EXCEED THE AMOUNTS ACTUALLY PAID BY AND DUE FROM CUSTOMER UNDER THE APPLICABLE ORDER OR SOW IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY.
10.2 Exclusion of Consequential and Related Damages. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY OR ITS LICENSORS FOR ANY LOST PROFITS OR FOR ANY INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OR INACCURACY OF DATA, LOSS OF PROFITS OR REVENUE, BUSINESS INTERRUPTION, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, HOWEVER ARISING AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT THE PARTY FROM WHICH DAMAGES ARE BEING SOUGHT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
11. Term and Termination.
11.1 Term of Agreement. This Agreement commences on the Effective Date and continues until all Subscriptions granted in accordance with this Agreement have expired or been terminated.
11.2 Term of Subscriptions. Subscriptions commence on the start date specified in the relevant Order Form and continue for the Subscription Term specified therein. Subscriptions will automatically renew for a period equal to the previous Subscription Term upon the expiration of the initial Subscription Term or any renewal Subscription Term unless either party gives the other notice of non-renewal at least thirty (30) days prior to the expiration of the relevant Subscription Term. Except as otherwise provided in an Order Form, renewal fees will be equal to the then-current number of Subscriptions Customer has purchased multiplied by Varicent’s then-current Subscriber fee in effect at the time of renewal. Varicent reserves the right to increase the fees for the Service at the anniversary date of the commencement of each Subscription Term.
11.3 Termination for Cause. A party may terminate this Agreement, an Order Form or a Statement of Work for cause: (i) if the other party is in material breach under this Agreement and fails to cure such breach within thirty (30) days of receipt of written notice of such material breach from the non-breaching party; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors and such proceeding is not favorably resolved within sixty (60) days. This Agreement constitutes an executory contract in accordance with Section 365 of the U.S. Bankruptcy Code. If Customer files or has filed against it by a third party any petition under the U.S. Bankruptcy Code, Customer must either assume or reject this Agreement. Upon an assumption, Customer shall comply with 11 U.S.C. § 365(b)(1); upon a rejection, all of Customer’s rights hereunder will terminate. Upon any termination for cause by Customer, Varicent shall refund to Customer any prepaid, unused fees applicable to the remaining portion of the Subscription Term following the effective date of termination. Upon any termination for cause by Varicent, Customer’s right to access or use Customer Data in the Service immediately ceases.
11.4 Outstanding Fees. Termination shall not relieve Customer of its obligation to pay any fees accrued or payable to Varicent relating to the Service or the Professional Services prior to the effective date of termination, and Customer shall immediately pay to Varicent all such fees upon the effective date of termination.
11.5 Return of Customer Data. Upon request by Customer made within thirty (30) days after the effective date of termination, Varicent will make available to Customer for download a file of Customer Data in comma separated value (.csv) format. After such 30-day period, Varicent shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, be entitled to delete all Customer Data in its systems or otherwise in its possession or under its control. Upon Customer’s written request and subject to Customer’s payment of applicable fees at Varicent’s then prevailing professional services rates, Varicent will download Customer Data for Customer.
11.6 Surviving Provisions. The following provisions shall survive any termination or expiration of this Agreement: Sections 1, 4.1, 4.2, 4.3, 4.5, 5.2, 5.3, 5.4, 5.5, 5.6, 7, 8.2, 8.3, 9, 10, 11.4, 11.5, 11.6, and 12.
12. General Provisions.
12.1 Relationship of the Parties. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties.
12.2 Notices. Except as specified in Section 3.1, all notices required to be sent hereunder shall be in writing and shall be deemed to have been given upon (i) the date it was delivered by courier, or (ii) if sent by certified mail return receipt requested, on the date received, in each case addressed to the addresses set forth above and, if to Varicent, to the attention of General Counsel, and, if to Customer, to the attention of the signatory of this Agreement, or to such other address or individual as the parties may specify from time to time by written notice to the other party.
12.3 Waiver and Cumulative Remedies. No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.
12.4 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in full force and effect.
12.5 Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms and Statements of Work), without the consent of the other party, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party. Any attempt by a party to assign its rights or obligations under this Agreement in breach of this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
12.6 Varicent Contracting Entity, Governing Law, and Venue. The Varicent entity entering into this Agreement, the law that will apply in any dispute or lawsuit arising out of or in connection with this Agreement, and the courts that have jurisdiction over any such dispute or lawsuit, depend on where Customer is domiciled. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement.
| Customer’s domicile | Varicent entity entering into this Agreement | Governing law | Courts with exclusive jurisdiction |
| --- | --- | --- | --- |
| United States of America, Mexico, Central or South America or Caribbean, Asia or the Pacific region | Varicent US OpCo Corporation | New York and controlling United States federal law | Borough of Manhattan, New York, New York, USA |
| Canada | Varicent Canada OpCo Ltd. | Province of Ontario and the federal laws of Canada applicable therein | Toronto, Ontario, Canada |
| Europe (excl. Romania) or Middle East | Varicent UK OpCo Limited | England and Wales | London, England |
| Romania | Varicent ROM OpCo S.R.L. | Romania | Bucharest, Romania |
| Australia or New Zealand | Varicent Australia OpCo Pty Ltd | Australia | Sydney, New South Wales, Australia |
12.7 Force Majeure. Neither party shall be liable for delay or non-performance of its obligations hereunder (or part thereof) if the cause of delay or non-performance is an event which is unforeseeable, beyond the control of the party affected, and cannot be remedied by the exercise of reasonable diligence, including without limitation acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes, computer, telecommunications, Internet service provider or hosting facility failures or delays involving hardware, software or power systems not within Varicent’s possession or reasonable control, and denial of service attacks (each a “Force Majeure Event”). The party affected shall be relieved from its obligations (or part thereof) as long as the Force Majeure Event lasts and hinders the performance of said obligations (or part thereof), it being understood that a Force Majeure Event shall not excuse any obligation of Customer to pay invoices due in accordance with the provisions hereof. The party affected shall promptly notify the other party and make reasonable efforts to mitigate the effects of the Force Majeure Event with reasonable dispatch. Either party may terminate this Agreement in the event the Force Majeure Event continues for more than forty-five (45) days.
12.8 Publicity. Either party may reference the name and logo of the other party in lists of customers or vendors. Either party may issue press releases relating to this Agreement with the other party’s prior written consent.
12.9 Entire Agreement. This Agreement, including all exhibits and addenda hereto and all Order Forms and Statements of Work, constitutes the entire agreement between the parties, and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. The parties are not relying and have not relied on any representations or warranties whatsoever regarding the subject matter of this agreement, express or implied, except for the representations and warranties set forth in this Agreement. This Agreement may not be modified or amended by you without Varicent’s written agreement (which may be withheld in Varicent’s complete discretion without any requirement to provide any explanation). To the extent of any conflict or inconsistency between the provisions in the body of this Agreement and any exhibit or addendum hereto or any Order Form or Statement of Work, the terms of such exhibit, addendum, Order Form or Statement of Work shall prevail. No terms or conditions set forth on any purchase order, preprinted form or document shall add to or vary the terms and conditions of this Agreement, and all such terms or conditions shall be null and void.
12.10 Modifications to this Agreement. Varicent reserves the right to modify the terms and conditions of this Agreement, including any referenced policies and other documents, effective upon the commencement of any renewal term. If Varicent modifies the Agreement during your Subscription Term, the modified version will be effective upon your next renewal of the Subscription Term. In this case, if you object to the updated Agreement, as your exclusive remedy, you may choose not to renew, including cancelling any terms set to auto-renew. You may be required to click through the updated Agreement to show your acceptance. If you do not agree to the updated Agreement after it becomes effective, you will no longer have a right to use the Service. For the avoidance of doubt, any Order Form or Statement of Work is subject to the version of the Agreement in effect at the time of such Order Form or Statement of Work.
DATA SECURITY STANDARDS SCHEDULE
Customer acknowledges that (a) Varicent may modify these Data Security Standards from time to time at Varicent’s sole discretion upon written notice to Customer and (b) such modifications shall supersede prior versions provided that such modified Data Security Standards shall be, except to the extent required to comply with applicable Law, no less protective of the Customer Data than the Data Security Standards in place as of the Effective Date.
Varicent shall implement the following technical and organizational measures (“TOMs”) in its provision of the Service, including any underlying applications, platforms, and infrastructure components operated and managed by Varicent in providing the Service (“Components”).
1. DEFINITIONS
Capitalized terms shall have the meanings set forth in this Schedule or elsewhere in the Agreement.
The terms “Data Subjects”, “Processing”, “Personal Data”, “Personal Data Breach”, “Data Protection Impact Assessment”, “Processor” and “Controller” shall have the meanings given to them in the GDPR. “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as implemented under United Kingdom (“UK”) laws (“UK GDPR”), data protection laws of Switzerland (“Swiss Data Protection Laws”), the California Consumer Privacy Act, and any other applicable similar privacy or data protection laws. The term “Supervisory Authority” shall mean a regulatory or other governmental body or authority with jurisdiction or oversight over Data Protection Laws. The term “C2P SCCs” shall mean the Standard Contractual Clauses between Controllers and Processors (Module Two) as approved by the European Commission Implementing Decision 2021/914 of June 4, 2021 (“Decision”). The term “P2P SCCs” shall mean the Standard Contractual Clauses between Processors (Module Three) as approved by the Decision. The P2P SCCs together with the C2P SCCs shall be referred to as the “EU SCCs”. The EU Standard Contractual Clauses (2010/87/EU) shall be referred to as the “2010 SCCs”. Unless otherwise indicated, references in this Schedule to Sections or Attachments mean the Sections of, and Attachments to, this Schedule.
2. DATA PROTECTION
2.1. The security and privacy measures for the Service are designed to protect Customer Data input therein and to maintain the availability of such Customer Data pursuant to the Agreement. Varicent shall treat all Customer Data as confidential by not using, maintaining, or disclosing Customer Data except for purposes of providing the Service pursuant to the Agreement or as otherwise required by applicable Law, and specifically shall not disclose Customer Data except to Varicent Personnel, and only to the extent necessary to deliver the Service, unless otherwise specified in the Agreement.
2.2. Varicent shall securely sanitize physical media intended for reuse prior to such reuse and shall destroy physical media not intended for reuse.
2.3. The TOMs set forth in this Schedule shall be subject to audits as set forth in the applicable Software Schedule for the Software ordered by Customer in an Order Form. Upon request, Varicent shall provide evidence of stated compliance and accreditation, such as certificates, attestations, or reports resulting from accredited independent Third Party audits, and other industry standards as specified in the Agreement.
2.4. Additional security and privacy information specific to the Service may be available elsewhere in the Agreement or the Documentation to aid in Customer’s initial and ongoing assessment of the Service’s suitability for use. Varicent shall direct Customer to available standard Documentation and/or audit reports/certifications if asked to complete Customer-preferred questionnaires or forms and Customer agrees such Documentation shall be used in lieu of any such request. Varicent may charge an additional fee to complete any Customer-preferred questionnaires or forms or to provide consultation to Customer for such purposes.
3. SECURITY POLICIES
3.1. Varicent shall maintain and follow IT security policies and practices that are integral to Varicent’s business and mandatory for all Varicent employees. Varicent’s management shall maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement.
3.2. Varicent shall review its IT security policies at least annually and amend such policies as Varicent deems reasonable to maintain protection of the Service and Customer Data processed therein.
3.3. Varicent shall maintain and follow its standard mandatory employment verification requirements for all new hires. In accordance with Varicent internal processes and procedures, these requirements shall be periodically reviewed and include criminal background checks, proof of identity validation, and additional checks as deemed necessary by Varicent and permitted under applicable Law.
3.4. Varicent employees shall complete security and privacy education annually and certify each year that they shall comply with Varicent security and privacy policies. Additional policy and process training may be provided to individuals depending on their role in supporting the business and as required to maintain compliance and certifications stated in the Agreement.
4. SECURITY INCIDENTS
4.1. Varicent shall maintain and follow documented incident response policies for computer Security Incident handling and shall comply with the data breach notification terms of the Agreement.
4.2. Varicent shall investigate unauthorized access and unauthorized use of Customer Data in connection with or through the Service of which Varicent becomes aware (a “Security Incident”) and Varicent shall define and execute an appropriate response plan. Customer may notify Varicent of a suspected vulnerability or Security Incident by submitting a support ticket.
4.3. Varicent shall notify Customer without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by Varicent to affect the Customer Data, as may be required by applicable Law or the terms of the Agreement. Varicent shall provide Customer with reasonably requested information about such Security Incident and the status of any Varicent remediation and restoration activities.
4.4. Varicent shall notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to the Service. Varicent shall promptly investigate the Personal Data Breach if it occurred on Varicent infrastructure or in another area for which Varicent is responsible and shall assist Customer as set forth in Section 9.
5. ACCESS, INTERVENTION, TRANSFER, AND SEPARATION CONTROL
5.1. Varicent shall maintain documented security architecture of networks managed by Varicent in its operation of the Service. Varicent shall separately review such network architecture, including measures designed to prevent unauthorized network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defense-in-depth standards prior to implementation.
5.2. Varicent shall maintain measures for the Service that are designed to logically separate and prevent Customer Data from being exposed to or accessed by unauthorized Persons. Varicent shall maintain appropriate isolation of its production and non-production environments, and, if Customer Data is transferred to a non-production environment (for example, in order to reproduce an error at Customer's request), security and privacy protections in the non-production environment shall be equivalent to those in production.
5.3. Varicent shall encrypt Customer Data in transit using industry accepted cryptographic algorithms when transferring Customer Data over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, and FTPS, for Customer’s secure transfer of Customer Data to and from the Service over public networks.
5.4. Varicent shall encrypt Customer Data at rest using industry accepted cryptographic algorithms. Varicent manages the cryptographic keys and shall maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.
5.5. If Varicent requires access to Customer Data, it shall restrict such access to the minimum level required. Such access, including administrative access to any underlying Components (“Privileged Access”), shall be individual, role-based, and subject to approval and regular validation by authorized Varicent Personnel following the principles of segregation of duties. Varicent shall maintain measures to identify and remove redundant and dormant accounts with Privileged Access and shall promptly revoke such access upon the account owner’s separation or the request of authorized Varicent Personnel, such as the account owner’s manager.
5.6. Consistent with industry standard practices, and to the extent natively supported by each Component managed by Varicent within the Service, Varicent shall maintain technical measures enforcing timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.
5.7. Varicent shall monitor use of Privileged Access and maintain security information and event management measures designed to: (a) identify unauthorized access and activity; (b) facilitate a timely and appropriate response; and (c) enable internal and independent Third Party (as defined herein) audits of compliance with documented Varicent policy.
5.8. Logs in which Privileged Access and activity are recorded shall be retained in compliance with Varicent’s records management plan. Varicent shall maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.
5.9. To the extent supported by native device or operating system functionality, Varicent shall maintain computing protections for its end-user systems that include endpoint firewalls, encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements.
6. SERVICE INTEGRITY AND AVAILABILITY CONTROL
6.1. Varicent shall: (a) perform security and privacy risk assessments of the Service at least annually; (b) perform penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, annually; (c) enlist a qualified independent Third Party to perform penetration testing at least annually; (d) perform automated management and routine verification of underlying Components’ compliance with security configuration requirements; and (e) remediate identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. Varicent shall take reasonable steps to avoid Service disruption when performing its tests, assessments, scans, and execution of remediation activities.
6.2. Varicent shall maintain policies and procedures reasonably designed to manage risks associated with the application of changes to the Service. Prior to implementation, changes to the Service, including its systems, networks, and underlying Components, shall be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, and documented approval by authorized Varicent Personnel.
6.3. Varicent shall maintain a reasonably up to date inventory of all information technology assets used in its operation of the Service. Varicent shall monitor and manage the health, including capacity, and availability of the Service and its underlying Components. Varicent shall implement, test, and maintain business continuity and disaster recovery plans consistent with industry standard practices and as described in the Agreement.
6.4. Varicent shall maintain measures designed to assess, test, and apply security advisory patches to the Service and its associated systems, networks, applications, and underlying Components. Upon determining that a security advisory patch is applicable and appropriate, Varicent shall implement the patch pursuant to documented severity and risk assessment guidelines. Implementation of security advisory patches shall be subject to Varicent change management policy.
6.5. Data Back-Up. Varicent shall back up the Service and Customer Data stored therein daily and copy such back-ups to an off-site location. Back-ups shall be encrypted at rest and during transmission to the offsite location.
6.6. Disaster Recovery. If a Force Majeure Event occurs that causes the Service to be unavailable, Varicent shall work to restore Customer’s access to the Service with a return to operation within fourteen (14) days. The environment shall be restored using the most recent data backup, with no more than twenty-four (24) hours of Customer Data loss of the restored Customer Data set.
7. PROCESSING OF CUSTOMER PERSONAL DATA
7.1. Processing.
7.1.1. Customer is (a) a Controller and exporter of any Personal Data that Varicent Processes on behalf of Customer (“Customer Personal Data”) or (b) acting as a Processor and exporter on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by Varicent as importer and Customer’s Subprocessor as set out in the Agreement. Customer appoints Varicent as a Processor to Process Customer Personal Data. If there are other Controllers, Customer shall identify and inform Varicent of any such other Controllers prior to providing their Personal Data, in accordance with this Schedule.
7.1.2. Customer shall comply with all applicable requirements of the Data Protection Laws and Customer will ensure that it has a lawful basis and all necessary appropriate consents and notice in place to enable the lawful transfer of Personal Data to Varicent for the duration and purposes of the Agreement.
7.1.3. A list of categories of Data Subjects, types of Customer Personal Data, Special Categories of Personal Data and the Processing activities is set out in Attachment A (Personal Data Processing Attachment). The duration of the Processing corresponds to the applicable Subscription Term, unless otherwise stated in Attachment A. The purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.
7.1.4. Varicent shall Process Customer Personal Data according to Customer’s instructions set forth in the Agreement, and, if applicable, Customer’s and its Subscribers’ use and configuration of the features of the Service. Customer may provide further legally required instructions regarding the Processing of Customer Personal Data (“Additional Instructions”) as described in Section 9.2. If Varicent notifies Customer that an Additional Instruction is not feasible, the Parties shall work together to find an alternative. If Varicent notifies Customer that neither the Additional Instruction nor an alternative is feasible, Customer may terminate its use of the Service which cannot be accommodated by Varicent within 14 days of Varicent’s notification to the Customer. If Varicent believes an instruction violates the Data Protection Laws, Varicent shall immediately inform Customer, and may suspend the performance of such instruction until Customer has modified or confirmed its lawfulness in documented form.
7.1.5. Customer shall serve as a single point of contact for Varicent. As other Controllers may have certain direct rights against Varicent, Customer undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. Varicent shall be discharged of its obligation to inform or notify another Controller when Varicent has provided such information or notice to Customer. Similarly, Varicent shall serve as a single point of contact for Customer with respect to its obligations as a Processor under the Agreement.
7.1.6. Varicent shall comply with all Data Protection Laws in respect of the Service applicable to Varicent as Processor. Varicent is not responsible for determining the requirements of Laws applicable to Customer’s business or that the Service meets the requirements of any such applicable Laws. As between the Parties, Customer is responsible for the lawfulness of the Processing of Customer Personal Data. Customer shall not use the Service in a manner that would violate applicable Data Protection Laws.
7.2. Data Subject Rights and Requests.
7.2.1. Varicent shall inform Customer of requests from Data Subjects exercising their Data Subject rights (including access, rectification, deletion, and blocking of data) addressed directly to Varicent regarding Customer Personal Data. Customer shall be responsible for handling such requests of Data Subjects. Varicent shall reasonably assist Customer in handling such Data Subject requests in accordance with Section 9.2.
7.2.2. If a Data Subject brings a claim directly against Varicent for a violation of their Data Subject rights, Customer shall reimburse Varicent for any cost, charge, damages, expenses, or loss arising from such claim, to the extent that Varicent has notified Customer about the claim and given Customer the opportunity to cooperate with Varicent in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from Varicent damages resulting from Data Subject claims for a violation of their Data Subject rights caused by Varicent’s breach of its obligations under Section 7.1 of the Agreement or this Schedule.
7.3. Third Party Requests and Confidentiality.
7.3.1. Varicent shall not disclose Customer Personal Data to any person other than Varicent, Customer or their respective Affiliates (“Third Party”) unless authorized by Customer or required by applicable law. If a government or Supervisory Authority demands access to Customer Personal Data, Varicent shall notify Customer prior to disclosure, unless such notification is prohibited by applicable law.
7.3.2. Varicent requires all of its Personnel authorized to Process Customer Personal Data to commit themselves to confidentiality and not Process such Customer Personal Data for any other purposes, except on instructions from Customer or unless required by applicable law.
7.4. Return or Deletion of Customer Personal Data. Upon termination or expiration of the Agreement, Varicent shall delete Customer Personal Data in its possession as set out in the Agreement, unless otherwise required by applicable Law.
7.5. Subprocessors.
7.5.1. Customer hereby authorizes Varicent to transfer Customer Personal Data to the United States for provision of the Services and performance under this Agreement provided that Customer and Varicent follow the requirements outlined in Section 7.6 below. Customer authorizes the engagement of other Processors to Process Customer Personal Data (“Subprocessors”). The current Subprocessors include Varicent US OpCo Corporation (if it is not the contracting party to this Agreement), and the Subprocessors set out at the following link: www.concertfinance.com/subprocessor. The list at the foregoing link is subject to change in Varicent’s discretion, provided that Customer may opt-in to receiving notifications regarding proposed Subprocessors during the term of the Agreement by written notice to Privacy@varicent.com. Within thirty (30) days after Varicent’s notification of the proposed change to Subprocessors, Customer can object to the addition of a Subprocessor. Customer’s objection shall be in writing and include Customer's specific reasons for its objection and options to mitigate, if any. If Customer does not object within such period, the respective Subprocessor may Process Customer Personal Data. Varicent shall impose substantially similar but no less protective data protection obligations as set out in this Schedule on any approved Subprocessor prior to the Subprocessor initiating any Processing of Customer Personal Data as appropriate taking into account factors such as the nature, scope, context, purposes of the Processing, and access to Personal Data.
7.5.2. If Customer legitimately objects to the addition of a Subprocessor and Varicent cannot reasonably accommodate Customer’s objection, Varicent shall notify Customer and Customer may terminate the Service within 14 days of Varicent’s notification to the Customer without penalty and receive a pro-rata refund of any fees paid in advance for Services not yet received; otherwise, the Parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.
7.6. Transborder Data Processing.
7.6.1. In the case of a transfer of Customer Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (a “Non-Adequate Country”), the Parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in this Section 7.6. If either Party believes the measures set out below are not sufficient to satisfy applicable Law, they shall notify the other Party and the Parties shall work together to find an alternative.
7.6.2. By entering into the Agreement, Customer is entering into EU SCCs with Varicent US OpCo Corporation, to the extent Customer Personal Data is transferred to a Non-Adequate Country and is subject to the GDPR, as follows:
- if Customer is a Controller of all or part of the Customer Personal Data, Customer is entering into the C2P SCC in respect to such Customer Personal Data; and
- if Customer is acting as Processor on behalf of other Controllers of all or part of the Customer Personal Data, then Customer is entering into the P2P SCCs, provided that, Customer has entered into separate EU Standard Contractual Clauses with the Controllers; or (ii) on behalf of the other Controller(s).
Varicent shall enter into P2P SCCs with (other) Subprocessors as legally required.
7.6.3. The following specifications shall also apply to EU SCC clauses between Customer and Varicent:
- Docking Clause. The option under clause 7 shall not apply;
- Instructions. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in Section 7.1 of this Schedule;
- Certification of Deletion. The certification of deletion of Personal Data described in clauses 8.5 and 16(d) shall be provided by Varicent only upon Customer's written request;
- Security of Processing. For the purpose of clause 8.6(a), Customer agrees that the TOMs set forth in this Schedule provide a level of security appropriate to the risk with respect to its Personal Data. For the purpose of clause 8.6(c), Personal Data breaches will be handled in accordance with Section 4 of this Schedule; with respect to P2P SCC clauses 8.6(c) and (d), Varicent shall provide breach notifications only to Customer;
- Audits. The audits described in clause 8.9 shall be carried out in accordance with Section 8 of this Schedule; with respect to P2P SCCs, all inquiries from other Controllers shall be provided to Varicent by Customer;
- Use of Sub-processors. Option 2 under clause 9 shall apply; Varicent shall be entitled to engage Subprocessors in accordance with Section 7.5 of this Schedule, provided that Customer shall be notified of proposed Subprocessors regardless of its notification opt-in;
- Data Subject Rights. For the purpose of clause 10, Data Subject requests and related assistance shall be handled in accordance with Sections 7.2 and 9 of this Schedule, respectively; with respect to P2P SCCs, Varicent shall be required to communicate requests only to Customer;
- Liability. For the avoidance of doubt, Varicent liability under clause 12(b) shall be limited as specified in Article 82 of the GDPR;
- Supervision. For the purpose of clause 13, data exporter’s competent supervisory authority will be determined in accordance with the GDPR;
- Notification of Government Access Requests. For the purpose of clause 15(1), Varicent shall provide notification to Customer only and not individual Data Subjects;
- Governing Law and Choice of Forum. For the purpose of clauses 17 and 18, governing law and jurisdiction shall be that which is outlined in the Agreement. If the Agreement is not governed by EU law, the SCCs will be governed by the laws and courts of Ireland; or (ii) where the Agreement is governed by the laws and courts of the United Kingdom, the laws of England and Wales;
- Appendices. With respect to the SCC Annexes, the contents of Attachment A to this Schedule shall form Annex 1B; the contents of Annex 1C shall be determined in accordance with the GDPR; the TOMs herein shall form Annex 2.
7.6.4. To the extent Customer Personal Data subject to UK GDPR or Swiss Data Protection Laws is transferred to Varicent US OpCo Corporation as located in a Non-Adequate Country: (A) Sections 7.6.2-7.6.3 shall apply if the EU SCCs are a legally valid data protection mechanism; or (B) where the 2010 SCCs are a legally valid data protection mechanism, Customer and Varicent US OpCo Corporation are deemed to enter into the 2010 SCCs, with Appendix 1 of the 2010 SCCs being populated with Customer details outlined in the applicable Order Form and the contents of Attachment A to this Schedule, and Appendix 2 of the 2010 SCCs being populated with the TOMs herein; Varicent will enter into back-to-back SCCs with Subprocessors as legally required and applicable to their Services. The following shall apply to the foregoing options: (i) references and obligations in the EU SCCs and 2010 SCCs shall have the same meaning as the equivalent reference and obligation in the UK GDPR or Swiss Data Protection Laws, as applicable; (ii) references to the EU or member states in the EU SCCs and 2010 SCCs shall be amended to refer to the United Kingdom and Switzerland, as applicable; and (iii) references to supervisory authorities in the EU SCCs and 2010 SCCs shall be amended to refer to the UK Information Commissioner's Office and the Swiss Federal Data Protection and Information Commissioner, respectively.
7.6.5. If Customer is unable to agree to C2P SCCs or 2010 SCCs on behalf of another Controller, as set out in Sections 7.6.2 and 7.6.3, Customer shall procure the agreement of such other Controller to enter into those agreements directly with Varicent. Customer agrees on behalf of itself and all other Controllers that the EU SCCs and 2010 SCCs, including any claims arising from them, are subject to the terms set forth in the Agreement including the exclusions and limitations of liability. In case of conflict with the Agreement, the EU SCCs and 2010 SCCs, as applicable, shall prevail.
8. AUDIT
8.1. Varicent shall allow for, and contribute to, audits, including inspections, conducted by Customer or another auditor mandated by Customer solely in order for Customer to determine that Varicent is processing Personal Data in accordance with the Agreement, in accordance with the following procedures:
8.1.1. Upon Customer's written request, Varicent shall provide Customer or its mandated auditor with the most recent certifications and/or summary audit report(s) which Varicent has procured to regularly test, assess, and evaluate the effectiveness of Varicent’s TOMs.
8.1.2. Varicent shall reasonably cooperate with Customer by providing available additional information concerning the TOMs reasonably required by Customer to help Customer better understand them.
8.1.3. If further information is needed by Customer (acting reasonably) to comply with its own or other Controllers’ audit obligations or a competent Supervisory Authority’s request, Customer shall inform Varicent in writing to enable Varicent to provide such information or to grant access to it. For the avoidance of doubt, Varicent shall be under no obligation to disclose confidential or commercially sensitive information as part of such audits.
8.1.4. To the extent it is not possible to otherwise satisfy an audit right mandated by applicable Law or expressly agreed by the Parties in writing, only legally mandated entities (such as a governmental regulatory agency having oversight of Customer’s operations), Customer, or its mandated auditor may (on no less than 14 days prior written notice to Varicent) conduct an onsite visit of the Varicent facilities used to provide the Service, during normal business hours and only in a manner that causes minimal disruption to Varicent’s business.
8.2. All such audits shall be subject to the auditing party’s execution of a confidentiality agreement acceptable to Varicent and shall be conducted at Customer’s expense.
8.3. Any auditor mandated by the Customer shall not be a direct competitor of Varicent with regard to the Services and shall be bound to an obligation of confidentiality.
8.4. Each Party shall bear its own costs in respect of Section 8.1.1 and Section 8.1.2; otherwise, Section 9.2 applies.
9. ASSISTANCE
9.1. Varicent shall assist Customer by TOMs for the fulfillment of Customer’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Customer’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach, and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the Processing and the information available to Varicent.
9.2. Customer shall make a written request for any assistance referred to in this Schedule. Varicent may charge Customer no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a Change Order and agreed in writing by the Parties. If Customer does not agree to the Change Order, the Parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process set forth in the Agreement.
This Schedule is agreed to and accepted by Varicent and Customer as of the Effective Date defined in the Agreement.
ATTACHMENT A TO DATA SECURITY STANDARDS: PERSONAL DATA PROCESSING ATTACHMENT
1. CATEGORIES OF DATA SUBJECTS
Data Subjects of any Customer Personal Data that generally can be processed in the Service may include Customer’s and its Affiliates’ employees, contractors, business partners, or customers, and, to the extent required by applicable Law, any other Persons whose Personal Data is processed by the Service. Varicent shall process Personal Data of all Data Subjects listed above in accordance with the Agreement. Given the nature of the Service, Customer acknowledges that Varicent is not able to verify or maintain the above list of Categories of Data Subjects. Therefore, if Customer shall not use the Service with all the Data Subjects set out above, Customer is responsible for providing complete, accurate, and up-to-date information to Varicent on the actual Data Subjects from within the above list that Customer shall process in the Service via Additional Instructions to Varicent as set forth in the Data Security Standards.
2. PERSONAL DATA
The lists as set out below are the Types of Personal Data and Special Categories of Personal Data that generally can be processed within the Service. Varicent shall process all Types of Personal Data and Special Categories of Personal Data listed below in accordance with the Agreement. Given the nature of the Service, Customer acknowledges that Varicent is not able to verify or maintain the below lists of Types of Personal Data and Special Categories of Personal Data. Therefore, if Customer shall not use the Service for all the Types of Personal Data and Special Categories of Personal Data set out below, then Customer is responsible for providing complete, accurate, and up-to-date information to Varicent on the actual Types of Personal Data and Special Categories of Personal Data from within the below list that Customer shall process in the Service via Additional Instructions to Varicent as set forth in the Data Security Standards.
2.1. Types of Personal Data.
- Basic Personal Information (such as name, email, etc.); and
- Technically Identifiable Personal Information (such as device IDs, usage-based identifiers, static IP address, etc. - when linked to an individual).
Customer should not include Personal Data in text fields that are not intended for or do not request Personal Data.
2.2. Special Categories of Personal Data. The Service was not designed to process any Special Categories of Personal Data.
3. PROCESSING ACTIVITIES
The Processing activities with regard to Customer Data (including Customer Personal Data) within the Service include:
- Receipt of Customer Data from Data Subjects and/or third parties;
- Computer processing of Customer Data, including data transmission, data retrieval, data access, and network access to allow data transfer if required;
- Technical customer support involving Customer Data at Customer request, including monitoring, problem determination, and problem resolution;
- Transformation and transition of Customer Data as necessary to deliver the Service;
- Storage and associated deletion of Customer Data; and
- Backup of Customer Data.
4. DURATION OF PROCESSING
The duration of Processing within the Service corresponds to the duration of the applicable Subscription Term. Varicent shall remove Customer Data (including any Customer Personal Data) that is stored or persisted within the Service at the time of termination or expiration of the applicable Subscription Term and up to sixty (60) days after the expiration of the Subscription Term.
5. TECHNICAL AND ORGANIZATIONAL MEASURES
The TOMs set forth in the Data Security Standards apply to all Customer Data processed by Varicent within the Service, including Customer Personal Data.
6. DELETION AND RETURN OF DATA
6.1. During the term of the Agreement, so long as Customer’s access to the Service is not suspended pursuant to Section 4.4 of the Agreement, Customer may download from the Service a copy of the Customer Data.
6.2. Customer may also request removal of Customer Data (including Customer Personal Data) at any time prior to termination or expiration of the Agreement Term.
7. VARICENT HOSTING AND PROCESSING LOCATIONS
The principal Varicent data hosting and processing locations used for the Service shall be in the United States unless otherwise outlined in the Order Form. Varicent may add additional hosting and processing locations in accordance with the Data Security Standards. For the purposes of the Data Security Standards only, Varicent US OpCo Corporation address for DSS notice purposes is: c/o 4711 Yonge St., Suite 300, Toronto, ON Canada M2N 6K8.
8. THIRD PARTY SUBPROCESSORS
The Service involves third party Subprocessors in the Processing of Customer Data, including Customer Personal Data, as set forth on https://www.concertfinance.com/subprocessor.
9. PRIVACY CONTACT AND CUSTOMER NOTIFICATIONS
The general privacy contact for the Service is privacy@varicent.com
10. DATA PRIVACY OFFICER AND OTHER CONTROLLERS
Customer is responsible for providing to Varicent complete, accurate, and up-to-date information about its data privacy officer and any other Controllers (including their data privacy officer).
© Copyright 2021 Varicent. All rights reserved.