Terms of Service
Energies Solutions LLC Terms of Service
Last Revised: August, 2023
Version: V1.1
This Terms of Service (“Agreement”) is
between Energies Solutions LLC and its affiliates (“Energies Solutions”) and
the Client (“Client”). The parties acknowledge receipt and sufficiency of good
and valuable consideration and agree as follows:
1. Definitions
Terms used in this Agreement with their initial
letters capitalized have the meanings ascribed to them in this section or where
they are elsewhere defined in this Agreement. Any term defined in the singular
will have the corresponding definition in the plural (and vice versa). As used
in this Agreement:
● “Credentials” refers to the usernames,
passwords or similar credentials issued by Energies Solutions to Client and
Users, enabling access to the Services.
● “Client Account” means the accounts Client
creates to access and use the Services, to log in to Hosted Software, and to access
Client Data.
● “Client Data” refers to any information, data,
and/or files captured by Client’s use of the Energies Solutions Devices, or
entered, transmitted, or uploaded by Client to Apps and Hosted Software, any
analysis, alerts, and reports generated by the Products containing such data.
For the avoidance of doubt, Client Data does not include any Energies Solutions
Software.
● “Documentation” means Energies Solutions’s
online user guides, documentation, and help and training materials that it
provides or makes available to Client, as is updated by Energies Solutions from
time to time.
● “Firmware” means software embedded in or
otherwise running on the Energies Solutions Devices.
● “Hosted Software” means Energies Solutions’s
web-based software platform, including the interface accessed online at
Energies Solutions’s designated website.
● “Malicious Code” means code, files, scripts,
agents, or programs intended to do harm, including, for example, computer
viruses, worms, Trojan horses, logic bombs, spyware, adware, and backdoor
programs.
● “Order Form” means an ordering document for
the purchase of any Services entered into between Energies Solutions and
Client's affiliation/organization from which Client has purchased such
Services. The Order Form is incorporated by reference herein.
● “Energies Solutions Devices” means Energies
Solutions’s hardware devices distributed or otherwise made available to the
Client pursuant to separate sales, purchase, or distribution agreements between
the parties.
● “Energies Solutions Software” means Energies
Solutions’s Apps, Firmware, and Hosted Software, and any improvements,
modifications, patches, updates, and upgrades thereto that Energies Solutions
develops or provides in connection with this Agreement, and Support Services.
● “Users” means individuals appointed by Client
to access and use the Services, which may include Client’s officers, employees,
and/or consultants and agents performing services for Client or on Client’s
behalf.
● “Client's affiliation/organization” means
Client's relationship/transaction with a company/organization in which Energies
Solutions directly trades, entitling Client to use the Energies Solutions
products or services under this Agreement.
● “Services” means the subscription-based
services identified on the Order Form and delivered by Energies Solutions to
Client, which services are delivered via the Energies Solutions Devices and the
Energies Solutions Software, and also include Professional Services (if
purchased by Client).
● “Support Services” means the Client support
services and Documentation, such as training and consulting, but excluding any
Professional Services.
● “Professional Services” means any professional
services that are provided by Energies Solutions to Client (i) as purchased
separately by Client, (ii) in Energies Solutions’s sole discretion, or (iii) as
otherwise mutually agreed between the Parties.
2. Services Provided by Energies Solutions
Services and Agreements. Energies Solutions will
provide Client with the Services detailed on the Order Form, using Energies
Solutions’s Devices and Software. Client acknowledges and agrees that (i) the
Services are offered to Client by Client's affiliation/organization; (ii) in
order to receive the Services, at all times during the term of this Agreement,
Client shall maintain a valid subscription of the Services under its agreement
with Client's affiliation/organization; (iii) the Services may be
terminated or may become unavailable if Client violates its agreement with
Client's affiliation/organization regarding the Services; and (iv) Energies
Solutions has the right to suspend or terminate the Services, by disabling the
Energies Solutions Devices or the Energies Solutions Software, or otherwise by
making the Services unavailable, if Client's affiliation/organization violates
its agreement with Energies Solutions or if Client violates this Agreement.
Client acknowledges that Client has read, understood, and agreed to be bound by
this Agreement and all of the terms incorporated herein by reference. Client
agrees that an authorized representative of Client has accepted this Agreement,
that Users are authorized to access the Service and use the Services on behalf
of Client, and that Client agrees to be responsible to Energies Solutions if
Client, its authorized representative, or any User violates this Agreement.
Provision of Services. Subject to the terms and conditions of
this Agreement and any agreement between Client and Client's
affiliation/organization, including Client’s payment of all applicable fees to
Client's affiliation/organization, Energies Solutions authorizes Client to
access and use the Services, and to permit its Users to do the same, during the
term and in accordance with applicable Documentation. Energies Solutions will
provide reasonable email and telephone support to Client.
Product Updates. Energies Solutions continuously improves the
Products and may from time to time (i) update the Energies Solutions Software
and cause Firmware updates to be automatically installed onto Energies
Solutions Devices, (ii) update the Apps; or (iii) upgrade Energies Solutions
Devices to newer models. Energies Solutions may change or discontinue all or
any part of the Energies Solutions Devices, at any time and without notice, at
Energies Solutions’s sole discretion. Updates or upgrades may include security
or bug fixes, or performance enhancements, and may be issued with or without
prior notification to Client. Client hereby consents to such automatic updates.
Licenses. Subject to the terms and conditions specified in this Agreement, the
agreement between Client and Client's affiliation/organization regarding the
Services, and an applicable Order Form, Energies Solutions grants Client a
non-sublicensable, non-exclusive, non-transferable license to use and access
the Energies Solutions Software in accordance with the Documentation, until the
subscription term and the license term on an applicable Order Form expire or
the earlier termination of this Agreement or the agreement between Client and
Client's affiliation/organization regarding the Services. The Support Services
and the Hosted Software SLA under Exhibit B are included as part of the license
grant and contingent upon Client purchasing and maintaining a valid
subscription of the Services with Client's affiliation/organization. The
Firmware license for each item of Energies Solutions Devices that the Client
purchases is contingent upon Client purchasing and maintaining a valid
subscription of the Services with Client's affiliation/organization.
Delegation/Subcontracting. Client acknowledges that Energies Solutions, for the provisioning of
the Services, may use the services of third-party subcontractors, and Client
consents to the corresponding subcontracting of Energies Solutions’s
obligations under this Agreement.
License Restrictions. Client agrees not to do any of the
following without Energies Solutions’s express prior written consent: (i)
resell, or reproduce (including white-label) the Energies Solutions Software or
any individual element within the Energies Solutions Software, Energies
Solutions’s name, any Energies Solutions trademark, logo or other proprietary
information, or the layout and design of any part of the Energies Solutions
Software; (ii) reverse engineer, reverse assemble, or decompile any portion of
the Energies Solutions Software; (iii) tamper with, or use non-public areas of
the Energies Solutions Software, Energies Solutions’s computer systems, or the
technical delivery systems of Energies Solutions’s providers; (iv) avoid,
bypass, remove, deactivate, impair, descramble or otherwise circumvent any
technological measure implemented by Energies Solutions or any of Energies
Solutions’s providers or any other third party (including another user) to
protect the Energies Solutions Software; (v) transfer, copy, modify,
sublicense, lease, lend, rent or otherwise distribute the Firmware to any third
party; or (vi) encourage or enable any other individual to do any of the
foregoing.
Regulatory Compliance. Client represents and warrants that
Client’s use of the Services will be in compliance with any and all applicable
laws, rules, and regulations (including regulations on the transmission of
unsolicited marketing messages), and that Client has sufficient rights, title,
and interests in and to any Client Data for uploading and using the same within
the scope of the Services, and for granting Energies Solutions the
authorization set forth in this Agreement. Without limiting the generality of
the foregoing, Client represents and warrants that it has a published privacy
policy that adequately discloses Client’s use of the Services to process any
applicable Client Data in accordance with applicable law and industry
guidelines. Energies Solutions may consult and cooperate with law enforcement
authorities to prosecute Users or other parties who violate the law.
3. Client’s Responsibilities and Usage Restrictions
3.1 Client’s Responsibilities. Only Users appointed by
Client in accordance with the terms set forth herein are entitled to use the
Services. Client is responsible for the use of the Services by its Users, as
well as for use of the Services by any third party that uses the Services through
the Credentials. Client is responsible for implementing Client’s own security
measures in order to safeguard Client’s Credentials and to prevent disclosure
of the same to any third party not designated as a User. Client is responsible
for (i) its Users’ compliance with this Agreement, (ii) the accuracy, quality,
and legality of Client Data and the means by which Client acquired Client Data,
and (iii) preventing unauthorized access to or use of Services and Content and
notifying Energies Solutions promptly of any such unauthorized access or use.
Client is solely responsible for monitoring and controlling access to the
Energies Solutions Software and maintaining the Credentials. In the event that
Client or any User becomes aware that the security of any Credentials has been
compromised, Client shall immediately notify Energies Solutions and de-activate
such Client Account or change the applicable Credentials. Client will
reasonably cooperate with any of Energies Solutions’ investigations into
service outages, unavailability of the Services, security problems, and/or
suspected breaches of the Agreement.
3.2 Client’s System and Installation. Client shall be
solely responsible for: (i) the provision of its own reliable, high-speed
internet connectivity to and from the Services, for each location that needs
access to the Services; (ii) its own equipment, including but not limited to
administrator and end-user workstations and compatible web browsers; (iii)
configuration, use, and operation of the Services to suit Client’s environment;
and (iv) providing up-to-date contact information for Client’s primary contacts.
Client is responsible for the installation of Energies Solutions Devices.
Client understands that improper installation of the Energies Solutions Devices
can lead to damage of the Energies Solutions Devices or Client’s or third
parties’ system or equipment connected with the Energies Solutions Devices,
which can cause property damage, bodily injury, or even death. Client may
require professional installation of the Energies Solutions Devices if Client
is unable to install the Energies Solutions Devices. Client agrees to consult
with a qualified installer.
3.3 Usage Restrictions. Client will not permit any other
party to (i) make any Services available to, or use any Services or Content for
the benefit of, anyone other than Client or Users, (ii) sell, resell, license,
sublicense, distribute, rent or lease any Services, or include any Services or
data in a service bureau or outsourcing offering, (iii) use any Services to
store or transmit infringing, libelous, or otherwise unlawful or tortious
material, or to store or transmit material in violation of third-party privacy
rights, (iv) use any Service to store or transmit Malicious Code, (v) interfere
with or disrupt the integrity or performance of any Services or third-party
data contained therein, (vi) attempt to gain unauthorized access to any
Services or Client Data or related systems or networks, (vii) access any
Services, Energies Solutions Software or Energies Solutions Devices in order to
build a competitive product or service, or (viii) impersonate or misrepresent
an affiliation with any person or entity; or (ix) violate any applicable law or
regulation.
4. Client Data
4.1 Ownership and Usage. Client Data is delivered via
Energies Solutions Devices and is accessible via the Energies Solutions
Software. Client owns all Client Data, and Energies Solutions will keep Client
Data confidential. Client hereby grants to Energies Solutions a non-exclusive,
transferable, sublicensable, worldwide, royalty-free license to use, copy,
modify, create derivative works based upon, display, and distribute Client Data
in connection with operating and providing the Services. Energies Solutions
will maintain reasonable administrative, physical, and technical safeguards for
the protection of the security, confidentiality, and integrity of Client Data.
Energies Solutions will not share Client Data without Client consent, except
when the release of data is compelled by law. Energies Solutions may collect
analytics, statistics, or other data related to the Client Data and Client’s
use of the Energies Solutions Software (i) in order to provide the Energies
Solutions Software to Client; (ii) for statistical use (provided that such data
is not personally identifiable); or (iii) to monitor, analyze, develop upon,
maintain, and improve the Energies Solutions Software. Such use shall survive
the termination of this Agreement, unless legally prohibited or Client requests
in writing upon termination that such use be limited to non-personally
identifiable data. Client acknowledges that some information may not be
exportable via the Energies Solutions dashboard or the API.
4.2 Client Data Representation and Warranty. Client
represents and warrants that: (i) Client has obtained and will obtain all
rights and provide any disclosures to or obtain any consents, approvals,
authorizations, and/or agreements from any User, employee, or third party that
are necessary for Energies Solutions to collect, use, and share Client Data in
accordance with this Agreement and (ii) no Client Data infringes upon or
violates any other party’s intellectual property rights, privacy, publicity, or
other proprietary rights. TO THE EXTENT PERMITTED BY LAW, CLIENT AGREES TO
INDEMNIFY, DEFEND AND HOLD HARMLESS ENERGIES SOLUTIONS AND, IF RELEVANT, ITS
SUBPROCESSORS AGAINST ANY LIABILITIES, DAMAGES, DEMANDS, LOSSES, CLAIMS, COSTS,
FEES (INCLUDING LEGAL FEES), AND EXPENSES IN CONNECTION WITH ANY THIRD-PARTY
CLAIMS AND/OR LEGAL PROCEEDING TO THE EXTENT ARISING FROM OR ANY ACT OR
OMISSION OF THE CLIENT IN RELATION TO CLIENT INSTRUCTIONS OR THE CLIENT’S
BREACH OF THIS PROVISION.
4.3 Protection of Data. Energies Solutions maintains
certain administrative, physical, and technical safeguards designed to improve
the security, confidentiality, and integrity of Client Data, as described in
Exhibit A (Data Protection Addendum). Client acknowledges and agrees that no
such measures are capable of guaranteeing complete security, including with
respect to technological failures, human error, and concerted efforts to
breach. Energies Solutions disclaims all implied warranties as to the security
it provides in connection with the Client Data.
4.4 Client Data Storage. Each Energies Solutions Device
subject to the Services is assigned a maximum capacity of 12 gigabytes to store
Client Data (the “Storage Limit”). Client Data will be automatically deleted to
make storage space available for additional Client Data exceeding the Storage
Limit on a first-in first-out basis. Unless otherwise expressly agreed by
Energies Solutions, all Client Data will be deleted and no longer accessible
six (6) months after such data are uploaded to the Services.
5. Fees and Payment. Client shall pay any fees and
payments pursuant to the terms of the agreement between Client and Client's
affiliation/organization. If Client fails to pay such fees or payments, the
Services may be terminated or may become unavailable. In addition, Energies
Solutions has the right to suspend or terminate the Services, by disabling the
Energies Solutions Devices or the Energies Solutions Software, or otherwise by
making the Services unavailable if Client's affiliation/organization fails to
pay any fees or payments to Energies Solutions with respect to the Services.
Client agrees that Energies Solutions is not responsible for any damages or
losses suffered by Client if the Services are suspended, terminated, or
otherwise unavailable due to Client's affiliation/organization’s failure to
make any payments to Energies Solutions, and Client may only seek remedies
against Client's affiliation/organization under such circumstances.
6. Proprietary Rights
6.1 Energies Solutions Software. As between Energies
Solutions and Client, Energies Solutions owns all right, title, and interest in
and to all elements of the Energies Solutions Software, all other aspects,
products, results, and outputs of the Services and the Documentation, including
all applicable patents, copyrights, trademarks, and other proprietary and
intellectual property rights therein. Except for the limited rights expressly
granted in this section, Client has no rights in or to the foregoing, and any
rights not expressly granted are reserved by Energies Solutions and its
licensors.
6.2 Firmware. The Firmware is licensed, not sold. Client
owns the Energies Solutions Devices on which the Firmware is recorded, but
Energies Solutions retains ownership of the copy of the Firmware itself,
including all intellectual property rights therein. Energies Solutions reserves
all rights in the Firmware not expressly granted to Client. Client acknowledges
and agrees that portions of the Firmware, including but not limited to the
source code and the specific design and structure of individual modules or
programs, constitute or contain trade secrets of Energies Solutions and its
licensors.
7. Term, Termination and Suspension
7.1 Term. The term of this Agreement will begin upon
Client’s purchase of the Services from Client's affiliation/organization.
Unless terminated earlier as provided in this Agreement, the term of this
Agreement will continue until the expiration of the Service term set forth in
the Order Form to which this Agreement is attached.
7.2 Termination for Cause. Notwithstanding the foregoing,
Energies Solutions may terminate this Agreement and the applicable Order Form
immediately if Client's affiliation/organization breaches the terms of the
agreement between Energies Solutions and Client's affiliation/organization, if
Client breaches the terms of this Agreement, or if Energies Solutions
reasonably believes that Client abuses the Services.
7.3 Suspension of Services. Energies Solutions may suspend
any or all Services in case of: (i) Energies Solutions becoming aware of what
Energies Solutions deems a credible claim that Client’s use of the Services
violates any applicable law, rules or regulations or infringes upon third party
rights; (ii) Client’s use of the Services in violation of this agreement, or in
a manner that interferes with the normal operation of the Services; (iii) the
security of the Services, the Client Data or Client’s access rights being
compromised, or in any event wherein Energies Solutions determines that
suspension of the Services is needed to protect the integrity of the Services;
or (iv) in any event where Energies Solutions is entitled to terminate this
Agreement for cause. In each case of suspension as per above, Energies
Solutions will give Client an advance twelve (12) hours’ notice, unless
Energies Solutions reasonably determines that giving a shorter or no notice is
necessary to protect Energies Solutions’ interests, Client’s interests, or the
interests of any third party.
7.4 Results of Termination. Following termination of this
Agreement, (i) Client’s access rights shall lapse and Energies Solutions shall
no longer be required to provide any Services, and (ii) the parties shall
return to each other, or destroy, within thirty (30) days from such termination,
any Confidential Information received. Termination of this Agreement will not
relieve Client from any accrued payment obligations owed to Client's
affiliation/organization. Client agrees that Energies Solutions is not responsible
for any damages or losses suffered by Client if the Services are suspended,
terminated, or otherwise unavailable due to Client's affiliation/organization’s
violation of the terms of its agreement with Energies Solutions, and Client may
only seek remedies against Client's affiliation/organization under such
circumstances.
7.5 Client Data Portability. For a period of no longer
than thirty (30) days following the effective date of termination or expiration
of this Agreement for any reason whatsoever, Energies Solutions will make
Client Data available for download by Client through the Services. After such
time, Energies Solutions may delete such data.
7.6 Surviving Provisions. Any obligations and duties which
by their nature extend beyond the expiration or termination of this Agreement
will survive the expiration or termination of this Agreement.
8. Confidentiality
8.1 Definition of Confidential Information. “Confidential
Information” means all information disclosed by a party (“Disclosing Party”) to
the other party (“Receiving Party”), whether orally or in writing, that is
designated as confidential or that reasonably should be understood to be
confidential given the nature of the information and the circumstances of
disclosure. Client’s Confidential Information includes Data and Content; and
Confidential Information of each party includes the terms and conditions of
this Agreement and all Order Forms (including pricing), as well as business and
marketing plans, technology and technical information, product plans and
designs, and business processes disclosed by such party. However, Confidential
Information does not include any information that (i) is or becomes generally
known to the public without breach of any obligation owed to the Disclosing
Party, (ii) was known to the Receiving Party prior to its disclosure by the
Disclosing Party without breach of any obligation owed to the Disclosing Party,
(iii) is received from a third party without breach of any obligation owed to
the Disclosing Party, or (iv) was independently developed by the Receiving
Party.
8.2 Protection of Confidential Information. The Receiving
Party will use the same degree of care that it uses to protect the
confidentiality of its own confidential information of like kind (but not less
than reasonable care) (i) not to use any Confidential Information of the
Disclosing Party except as provided in this Agreement, and (ii) to limit access to
Confidential Information of the Disclosing Party to those of its and its
affiliates’ employees and contractors who need that access for purposes
consistent with this Agreement and who have written confidentiality obligations
consistent with this Agreement. Receiving Party will remain primarily liable to
Disclosing Party for unauthorized use or disclosure of Confidential Information
by its affiliates, legal counsel, or accountants.
8.3 Compelled Disclosure. The Receiving Party may disclose
Confidential Information of the Disclosing Party to the extent compelled by law
to do so, provided the Receiving Party gives the Disclosing Party prior notice
of the compelled disclosure (to the extent legally permitted) and reasonable
assistance, at the Disclosing Party's cost, in obtaining confidential treatment
for any information so disclosed.
9. Representations, Warranties, Exclusive Remedies and Disclaimers
9.1 Mutual. Each party represents that it has validly
entered into this Agreement and has the legal power to do so.
9.2 Energies Solutions’ Warranties. Energies Solutions
warrants that (i) Energies Solutions will not materially decrease the overall
security of the Services during a subscription term, (ii) the Services will
perform materially in accordance with the applicable Documentation, and (iii)
the Services will not, to Energies Solutions’ knowledge, introduce Malicious
Code into Client’s systems. For any breach of an above warranty, Client’s
exclusive remedies are to terminate this Agreement for cause as provided above.
9.3 Disclaimers. EXCEPT AS EXPRESSLY PROVIDED HEREIN,
NEITHER PARTY MAKES ANY WARRANTY OR REPRESENTATION OF ANY KIND, WHETHER
EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND EACH PARTY SPECIFICALLY
DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW. SERVICE IS PROVIDED “AS IS”, EXCLUSIVE OF ANY
WARRANTY WHATSOEVER. EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS
FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD PARTY.
9.4 Links to Third-Party Websites or Resources. The
Services may contain links to third-party websites or resources. Energies
Solutions provides these links only as a convenience and is not responsible for
the content, products, or services on or available from those websites or
resources or links displayed on such websites. Client acknowledges sole
responsibility for and assumes all risk arising from its use of any third-party
websites or resources.
10. Limitation of Liability
IN NO EVENT WILL EITHER PARTY HAVE ANY
LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS, REVENUES, OR INDIRECT,
SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, OR PUNITIVE DAMAGES, WHETHER AN
ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN
IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING
DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW. NEITHER PARTY'S
LIABILITY WITH RESPECT TO ANY SINGLE INCIDENT ARISING OUT OF OR RELATED TO THIS
AGREEMENT WILL EXCEED THE AMOUNT PAID BY CLIENT FOR THE SERVICES HEREUNDER IN
THE 12 MONTHS PRECEDING THE INCIDENT, PROVIDED THAT IN NO EVENT WILL EITHER
PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED
THE TOTAL AMOUNT PAID BY CLIENT FOR THE SERVICES SUBJECT TO THIS AGREEMENT. THE
ABOVE LIMITATIONS WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND
REGARDLESS OF THE THEORY OF LIABILITY, AND REGARDLESS OF ANY FAILURE OF
ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. HOWEVER, THE ABOVE
LIMITATIONS WILL NOT LIMIT CLIENT’S OBLIGATION TO PAY FEES UNDER THIS
AGREEMENT.
11. Miscellaneous
11.1 Relationship of the Parties. The parties are
independent contractors. This Agreement does not create a partnership,
franchise, joint venture, agency, fiduciary, or employment relationship between
the parties.
11.2 Entire Agreement and Order of Precedence; Headings.
This Agreement is the entire agreement between Client and Energies Solutions
regarding Client’s use of Services and Content and supersedes all prior and
contemporaneous agreements, proposals, or representations, written or oral,
concerning its subject matter. In the event of any conflict or inconsistency
among the following documents, the order of precedence shall be: (1) the
applicable Order Form, and (2) this Agreement. The headings and captions used
in this Agreement are used for convenience only and are not to be considered in
construing or interpreting this Agreement.
11.3 Modifications. Energies Solutions may modify this
Agreement at any time, in Energies Solutions’ sole discretion. If Energies
Solutions does so, it will provide Client with written notice in accordance
with Section 11.7 below. If Client does not agree to be bound by the modified
Terms and provides Energies Solutions with written notice stating as such within
thirty (30) days of Energies Solutions’ modification notice, then Client may
continue to use the Services under the un-modified Terms for the remaining term
set forth in the applicable Order Form.
11.4 Force Majeure. Neither party will be responsible for,
nor be in default under this Agreement due to any delays or failure of
performance resulting from acts or causes beyond its reasonable control,
including, without limitation, acts of war, export regulations, third-party
labor strikes, power failures, natural disasters, or other similar events
(“Force Majeure Events”). In the event that either party is unable to perform
any of its obligations under this Agreement because of a Force Majeure Event,
the party who has been so affected will promptly give notice to the other and
will exercise all reasonable efforts to resume performance.
11.5 Governing Law. This Agreement and any supplemental
documents and activities shall be deemed to be a contract made under and
subject to and governed by the laws of the State of Texas without regard to
conflict of laws principles, and any litigation between the parties shall be
brought within the state and federal courts located in Harris County, Texas,
United States, and both parties irrevocably consent to the jurisdiction of such
courts and agree that Harris County, Texas shall be the proper venue.
11.6 Notices. All notices and communications under this
Agreement shall be in writing and shall be delivered in person, mailed (postage
prepaid), or delivered by overnight express carrier, to the address of the
parties listed on the applicable Order Form, or to any other address as a party
shall designate in a written notice to the other party in accordance with this
section. All notices sent as provided in this section shall be deemed received
if personally delivered or faxed with confirmation of receipt, then on the date
of receipt; or if sent by overnight express carrier, on the next business day
immediately following the day sent; or if by mail, four days after depositing
in the U.S. Mail.
11.7 Assignment. Neither party may assign or transfer any
rights or obligations under this Agreement (including by operation of law or
otherwise) without the prior written consent of the other party.
Notwithstanding the preceding sentence, with the exception of an assignment to
a competitor of the nonassigning party (which will require written consent from
the nonassigning party), either party may assign this Agreement without
obtaining the consent of the other party, to an affiliate or to any entity into
which the assigning party is merged, or to an acquirer of all or substantially
all of the business or assets of the assigning party, or as part of a business
restructuring, change in control, or other similar recapitalization or
reorganization. Any purported assignment of rights or transfer of obligations
in violation of this section is void. This Agreement will bind each party’s
authorized successors and assigns.
11.8 Waiver. Either party’s failure to enforce any right or
provision of this Agreement will not be considered a waiver of such right or
provision. The waiver of any such right or provision will be effective only if
in writing and signed by a duly authorized representative of both parties.
Except as expressly set forth in this Agreement, the exercise by either party
of any of its remedies under this Agreement will be without prejudice to its
other remedies under this Agreement or otherwise.
11.9 Severability. If any court of competent jurisdiction
finds any portion of any provision of this Agreement to be unenforceable or
contrary to applicable law, the parties agree that the provision will be deemed
modified to the least extent necessary to make it enforceable, and all other
provisions of this Agreement will remain unaffected.
Exhibit A
Data Protection Addendum
LAST UPDATED: July 2022
This Data Protection Addendum (DPA) and
its applicable DPA Exhibits apply to the Processing of Personal Data by
Energies Solutions on behalf of Client (Client Personal Data) subject to the
General Data Protection Regulation 2016/679 (GDPR) or any other data protection
laws identified at Terms of Service (together ‘Data Protection Laws’) in order
to provide services (Services) pursuant to the Agreement between Client and
Energies Solutions. DPA Exhibits for each Service will be provided in the
applicable Transaction Document (TD). This DPA is incorporated into the
Agreement. Capitalized terms used and not defined herein have the meanings
given them in the applicable Data Protection Laws. In the event of conflict,
the DPA Exhibit prevails over the DPA which prevails over the rest of the
Agreement.
1. Definitions
In this Addendum, the following terms
will have the meanings set out below:
- Client is: (a) a Controller of Client Personal Data; or (b) acting as
Processor on behalf of other Controllers and has been instructed by and
obtained the authorization of the relevant Controller(s) to agree to the
Processing of Client Personal Data by Energies Solutions as Client’s
subprocessor as set out in this DPA. Client appoints Energies Solutions as
Processor to Process Client Personal Data. If there are other Controllers,
Client will identify and inform Energies Solutions of any such other
Controllers prior to providing their Personal Data, in accordance with the
DPA Exhibit.
- Client Personal Data means
any Personal Data subject to Data Protection Laws contained in Client Data
that the Client provides or has made available to Energies Solutions and
is Processed by Energies Solutions on Client’s behalf pursuant to the
Agreement.
- Controller refers to a
person who either alone or jointly in common with one or more other
persons controls the collection, holding, processing or use of Personal
Data.
- Data Breach refers to any
misuse, interference with, loss of, improper, unauthorized, unlawful
access to, use of, modification or disclosure of Content that is Processed
by Energies Solutions in connection with the Terms of Service.
- Data Protection Laws refers
to the data protection law(s) applicable in respect of the collection,
storage, processing, transfer, disclosure, and use of any Content in
connection with the Services, including the GDPR and the UK GDPR, in each
case as amended, consolidated, re-enacted or replaced from time to time.
- Data Subject has the
meaning given to that term or other analogous term in Data Protection
Laws.
- Personal Data has the
meaning given to such term or other analogous term in Data Protection
Laws.
- Personal Data Breach means
any security breach that Data Protection Laws would require (i) Energies
Solutions to report to Client or (ii) Client to report to a Supervisory
Authority or affected individuals, or to maintain a record of, that
involves Personal Data subject to this Addendum.
- Processing means any
operation or set of operations which is performed on Personal Data or on
sets of Personal Data.
- Privacy Policy refers to
the policy located at Energies Solutions’ websites, products, platforms or
in any form of services, as updated and notified to Client from time to
time.
- Processor refers to a
person who Processes Personal Data on behalf of one or more Controller(s).
- Services shall have the
same meaning ascribed to it as in the Terms of Service.
- Sub-Processor refers to any
Energies Solutions Affiliate or third party appointed from time to time by
Energies Solutions to Process Content on its behalf.
- Supervisory Authority means
a government or regulatory authority responsible for administering,
overseeing compliance with, and/or enforcing Data Protection Laws.
- Terms of Service refers to
the terms located at Energies Solutions’ websites, products, platforms or
in any form of services.
- Transaction Document means the agreement between Client and Energies Solutions that
sets forth the terms and conditions pursuant to which Client will access
certain Energies Solutions solutions and contract for certain services
from Energies Solutions.
2. Processing of Client Personal Data
As between the parties, Energies
Solutions acts as a Processor of the Client Personal Data on Client’s behalf.
As a Processor, Energies Solutions will:
- Process Client Personal Data in accordance with this Addendum
(including, without limitation, Appendix A), Documentation and/or Client’s
documented instructions as set forth in the Agreement, or as otherwise
required by applicable law to which Energies Solutions is subject (the
“Client Instructions”). If Energies Solutions is required by applicable
Union and Member State law to Process Client Personal Data other than in
accordance with the Client Instructions, Energies Solutions will to the
extent permitted by applicable Union and Member State law inform the
Client of that legal requirement before such Processing, unless that law
prohibits such information on important grounds of public interest.
- Not be responsible for obtaining consent, authorization, approval,
agreement as may be required under applicable laws or policies, or for
providing notices with regard to Client Personal Data, in order to enable
Energies Solutions to receive and Process the Client Personal Data in
accordance with the Agreement. It will be the Client's sole responsibility
for the accuracy, quality and legality of the Client Personal Data, the
means by which it acquires and uses the Client Personal Data, and for the
Client Instructions regarding the Processing of Client Personal Data.
Client shall ensure that its acts or omissions, including its Client
Instructions, do not put Energies Solutions in breach of any applicable
laws or regulations. Where Energies Solutions believes that an instruction
would be in breach of applicable Union or Member State data protection
provisions, Energies Solutions shall notify Client of such belief without
undue delay. Energies Solutions shall be entitled to suspend
performance on such instruction until Client confirms or modifies such
instruction.
3. Energies Solutions Personnel
Energies Solutions will hold Client
Personal Data in confidence pursuant to the confidentiality provisions of the
Agreement and will require Energies Solutions personnel granted access to
Client Personal Data to protect all Client Personal Data accordingly. Any
person entitled to Process Client Personal Data on behalf of Client has
undertaken a commitment to secrecy or is subject to an appropriate statutory
obligation to secrecy. All such secrecy obligations shall survive the
termination or expiration of such Processing.
4. Security
Energies Solutions will implement
appropriate technical and organizational measures designed to safeguard Client
Personal Data and to ensure the adequate protection of Client Personal Data,
which measures shall fulfill the requirements of applicable data protection
laws and regulations. Energies Solutions shall at least implement measures
contained in the attached Security Description herein at Appendix B. Energies
Solutions may modify such measures from time to time, provided that such
modifications will not materially reduce the overall level of protection for
Client Personal Data.
5. Subprocessing
Client authorizes each Energies Solutions
affiliate, as well as such other third parties noted in Documentation, to be
sub-processors (each a “Subprocessor”). Energies Solutions may disclose Client
Personal Data to its Subprocessors for the purposes of providing the Products
provided that Energies Solutions will impose substantially similar obligations
on its Subprocessors regarding the security and confidentiality of Client
Personal Data as those set forth in this Addendum to meet the requirements of Data
Protection Laws.
To the extent required under Data
Protection Laws, Client shall be entitled to contradict any change of
Subprocessors as notified by Energies Solutions from time to time within thirty
(30) calendar days of such notification, and only for materially important
reasons. Where Client fails to contradict such change within such period of
time, Client shall be deemed to have consented to such change. Where a
materially important reason for such contradiction exists and is provided in
writing to Energies Solutions, and failing an amicable resolution of this
matter by the parties (each party acting reasonably and in good faith), Client
shall be entitled to terminate the Agreement by providing written notice to
Energies Solutions.
Energies Solutions will remain
responsible for the acts or omissions of Subprocessors to the same extent
required by Data Protection Laws as if the acts or omissions were performed by
Energies Solutions (“Subprocessor Liability”), and shall be permitted to
re-perform or to procure the re-performance of any such obligations and Client
acknowledges and accepts that such re-performance shall diminish any claim that
Client has against Energies Solutions in respect of any Subprocessor Liability.
6. Data Subject Requests
Where Energies Solutions directly
receives requests from Data Subjects, or anyone acting on their behalf, to
exercise their rights under Data Protection Laws (“Data Subject Request”), and
provided Energies Solutions can reasonably identify from the information
provided that such request relates to the Client and/or Client Personal Data,
then unless prohibited by applicable law, Energies Solutions will (a) promptly
notify Client of such request; and (b) not respond to any such request unless
required by applicable law to which Energies Solutions is subject, in which
case Energies Solutions will, to the extent permitted by applicable law, inform
Client of that legal requirement before responding to such request.
Energies Solutions may require the Client to bear the actual costs incurred as
a result of the assistance provided in accordance with this Section based on
the then currently applicable service rates of Energies Solutions.
For avoidance of doubt, Client is
responsible as Data Controller for responding to Data Subject Requests.
Energies Solutions’ Services include technical and organizational measures that
have been designed, taking into account the nature of its Processing, to assist
Client, insofar as this is possible, in fulfilling its obligations to respond to
Data Subject requests.
If Energies Solutions receives a request
from a law enforcement or government agency for Client Data, Energies Solutions
will assess its legality and shall comply with it only if and to the extent
Energies Solutions assesses it is valid, lawful, and compulsory (a “Law
Enforcement or Government Agency Request”). To the extent Energies Solutions is
legally permitted to do so, Energies Solutions will inform the Client and/or,
as required, the relevant Supervisory Authority of such Law Enforcement or
Government Agency Request without undue delay. Energies Solutions is not
responsible for the provision of legal advice to the Client.
7. Assistance with Client’s Compliance
To the extent that Client is unable to
independently access Client Personal Data within the Services, Energies
Solutions will (taking into account the nature of the Processing of Client
Personal Data and the information available to Energies Solutions) provide
reasonable cooperation to assist Client in responding to any requests from
individuals or applicable data protection authorities relating to the
Processing of Client Personal Data under the Agreement. In the event that any
such request is made directly to Energies Solutions, Energies Solutions will
not respond to such communication directly without Client's prior
authorization, unless legally compelled to do so. If Energies Solutions is
required to respond to such a request, Energies Solutions will promptly notify
Client and provide Client with a copy of the request unless legally prohibited
from doing so.
Upon Client’s request, Energies Solutions
will (taking into account the nature of the Processing and the information
available to Energies Solutions) provide Client with such assistance as Client
may reasonably require to ensure its compliance with Data Protection Laws,
including assistance with conducting data protection impact assessments or
otherwise meeting its legal obligations regarding Client Personal Data under
applicable Data Protection Laws.
Client will reimburse Energies Solutions
for any such assistance as described in this Section at Energies Solutions'
then-current professional services rates, which shall be made available to
Client upon request.
8. Personal Data Breach
In the event of a Personal Data Breach,
Energies Solutions will promptly notify Client. Such notification will include,
to the extent known to Energies Solutions, the following: (a) the nature of the
Personal Data Breach; (b) the estimated risk and likely consequences of the
Personal Data Breach; and (c) the measures taken or proposed to be taken by
Energies Solutions to address the Personal Data Breach, including, where
appropriate, measures to mitigate its possible adverse effects.
If and to the extent it is not possible
to provide the notification above within such timeframes, Energies Solutions
shall provide an initial notification with the information available at such
time and then supplement it with further information as it becomes available.
Client acknowledges that Energies Solutions has no obligation to assess the
content of Client Personal Data in order to identify information subject to any
specific legal requirements.
Client will notify Energies Solutions
without undue delay, and in any event within 24 hours, of becoming aware of a
Personal Data Breach. Client will be responsible for fulfilling any third-party
notification obligations required under applicable law and related to such a
Personal Data Breach.
9. Data Deletion
Upon termination or expiration of the
Agreement, or at any time upon Client’s written request, Energies Solutions
will, within a reasonable period of time, delete all Client Personal Data
(including copies thereof) in its possession, except to the extent Energies
Solutions is required by applicable law to retain some or all of the Client
Personal Data, or Client Data.
In such case, Energies Solutions will
maintain the Client Personal Data and Client Data securely and limit its
Processing to the extent necessary to comply with applicable laws.
10. International Data Transfers
To the extent that Energies Solutions
Processes any Client Personal Data protected by applicable Data Protection Laws
in a country that does not provide an adequate level of protection under the
Data Protection Laws, the parties agree that Energies Solutions will be deemed
to provide adequate protection (within the meaning of Data Protection Laws) for
such Client Personal Data by virtue of:
a. Energies Solutions having implemented
such measures as may be required under applicable Data Protection Laws to
provide an adequate level of protection for Client Personal Data, such as, as
appropriate, binding corporate rules, standard contractual clauses, or other
similar measures; or
b. Client and Energies Solutions having
entered into such written agreement, including data protection terms as
Energies Solutions may reasonably require.
11. Additional Provisions for California Personal
Data
If Client Personal Data includes Personal
Data of individuals who reside in California, the following additional
provisions apply with respect to such California Personal Data:
a. For purposes of the CCPA, Client is
the Business and Energies Solutions is the Service Provider.
b. Energies Solutions will not (i) sell
any Client Personal Data or (ii) retain, use or disclose any Client Personal
Data for any purpose other than for the specific purpose of providing the
Services, including retaining, using or disclosing Client Personal Data for a
commercial purpose other than providing the Services, or as otherwise permitted
by the CCPA.
c. Energies Solutions certifies that it
understands its obligations under this section and will comply with them.
12. General
a. This DPA will terminate simultaneously
and automatically upon termination of the Agreement. The parties agree that any
liability arising in connection with this DPA is subject to the limitations of
liability under the Agreement, and that such limitations are agreed to be
adequate and appropriate.
b. The parties may amend this DPA by
written agreement at any time, including to comply with applicable law.
c. Energies Solutions may modify this DPA
to comply with changes in applicable law or to ensure that it provides an
adequate level of protection for Client Personal Data, provided that such
modifications do not materially diminish the overall level of protection for
Client Personal Data. Energies Solutions will provide notice of such
modifications to Client, and such modifications will become effective upon
notice unless otherwise specified.
Appendix A - Description of Processing
This Appendix A describes the Processing
activities performed by Energies Solutions on behalf of Client pursuant to this
Addendum.
● Subject matter and duration of the Processing:
Energies Solutions will Process Client Personal Data as necessary to provide
the Services and for the duration of the Agreement, unless otherwise agreed
upon in writing.
● Nature and purpose of the Processing: Energies
Solutions will Process Client Personal Data as necessary to provide the
Services, including, but not limited to, managing and supporting the Services,
analyzing usage of the Services, and fulfilling other contractual obligations
as set forth in the Agreement.
● Types of Client Personal Data: The types of
Client Personal Data that may be Processed may include, but are not limited to,
names, contact information, account details, usage data, and other personal
data provided by Client or collected by Energies Solutions in connection with
the Services.
● Categories of Data Subjects: The categories of
Data Subjects whose Client Personal Data may be Processed include, but are not
limited to, Client's employees, contractors, agents, and end users.
Appendix B - Security Measures
Energies Solutions will implement and
maintain the following technical and organizational measures designed to
protect Client Personal Data against unauthorized access, disclosure, or use:
- Access Control: Implement measures to ensure that only authorized personnel have
access to Client Personal Data and that such access is granted based on
the principle of least privilege.
- Encryption: Use appropriate
encryption measures to protect Client Personal Data in transit and at
rest.
- Audit Logs: Maintain audit
logs to track access to and modification of Client Personal Data.
- Incident Response:
Implement an incident response plan to promptly address and mitigate the
effects of any Personal Data Breach.
- Training and Awareness:
Provide regular training to personnel on data protection and privacy
obligations.
- Data Minimization: Collect
and retain only the minimum amount of Client Personal Data necessary to
fulfill the purposes for which it was collected.
- Security Assessments:
Conduct regular security assessments to identify and address potential
vulnerabilities.
- Physical Security: Implement physical security measures to protect data centers and
other facilities where Client Personal Data is stored.
These measures may be updated from time
to time to reflect the latest security practices and technologies, provided
that such updates do not materially diminish the overall level of protection
for Client Personal Data.
ANNEX
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
The purpose of these standard contractual clauses is to
ensure compliance with the requirements of Regulation (EU) 2016/679 of the
European Parliament and the Council of 27 April 2016 on the protection of
natural persons regarding the processing of personal data and on the free
movement of such data (General Data Protection Regulation) for the transfer of
personal data to a third country.
The Parties:
the natural or legal person(s), public authority/ies,
agency/ies, or other body/ies (hereinafter “entity/ies”) transferring the
personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
the entity/ies in a third country receiving the personal data from the data
exporter, directly or indirectly via another entity also Party to these
Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed
to these standard contractual clauses (hereinafter: “Clauses”).
These Clauses apply with respect to the transfer of personal data as specified
in Annex I.B.
The Appendix to these Clauses containing the Annexes referred to therein forms
an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
These Clauses set out appropriate safeguards,
including enforceable data subject rights and effective legal remedies,
pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679
and, concerning data transfers from controllers to processors and/or processors
to processors, standard contractual clauses pursuant to Article 28(7) of
Regulation (EU) 2016/679, provided they are not modified, except to select the
appropriate Module(s) or to add or update information in the Appendix. This
does not prevent the Parties from including the standard contractual clauses
laid down in these Clauses in a broader contract and/or from adding other
clauses or additional safeguards, provided that they do not contradict,
directly or indirectly, these Clauses or prejudice the fundamental rights or
freedoms of data subjects.
These Clauses are without prejudice to the obligations to which the data
exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
Data subjects may invoke and enforce these Clauses, as
third-party beneficiaries, against the data exporter and/or data importer, with
the following exceptions: Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
Clause 8 - Module One: Clause 8.5(e) and Clause 8.9(b); Module Two: Clause
8.1(b), 8.9(a), (c), (d), and (e); Module Three: Clause 8.1(a), (c), and (d)
and Clause 8.9(a), (c), (d), (e), (f), and (g); Module Four: Clause 8.1(b) and
Clause 8.3(b); Clause 9 - Module Two: Clause 9(a), (c), (d), and (e); Module
Three: Clause 9(a), (c), (d), and (e); Clause 12 - Module One: Clause 12(a) and
(d); Modules Two and Three: Clause 12(a), (d), and (f); Clause 13; Clause
15.1(c), (d), and (e); Clause 16(e); Clause 18 - Modules One, Two, and Three:
Clause 18(a) and (b); Module Four: Clause 18. Paragraph (a) is without
prejudice to the rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
Where these Clauses use terms that are defined in
Regulation (EU) 2016/679, those terms shall have the same meaning as in that
Regulation.
These Clauses shall be read and interpreted in light of the provisions of
Regulation (EU) 2016/679.
These Clauses shall not be interpreted in a way that conflicts with rights and
obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses
and the provisions of related agreements between the Parties, existing at the
time these Clauses are agreed or entered into thereafter, these Clauses shall
prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the
categories of personal data that are transferred and the purpose(s) for which
they are transferred, are specified in Annex I.B.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable
efforts to determine that the data importer is able, through the implementation
of appropriate technical and organizational measures, to satisfy its
obligations under these Clauses.
MODULE ONE: Transfer controller to controller
8.1 Purpose limitation
The data importer shall process the personal data only
for the specific purpose(s) of the transfer, as set out in Annex I.B. It may
only process the personal data for another purpose:
(i) where it has obtained the data subject’s prior consent;
(ii) where necessary for the establishment, exercise, or defense of legal
claims in the context of specific administrative, regulatory, or judicial
proceedings; or
(iii) where necessary to protect the vital interests of the data subject or
another natural person.
8.2 Transparency
(a) To enable data subjects to effectively exercise
their rights pursuant to Clause 10, the data importer shall inform them, either
directly or through the data exporter:
(i) of its identity and contact details;
(ii) of the categories of personal data processed;
(iii) of the right to obtain a copy of these Clauses;
(iv) where it intends to onward transfer the personal data to any third
party/ies, of the recipient or categories of recipients (as appropriate with a
view to providing meaningful information), the purpose of such onward transfer,
and the ground therefor pursuant to Clause 8.7.
(b) Paragraph (a) shall not apply where the data subject already has the
information, including when such information has already been provided by the
data exporter, or providing the information proves impossible or would involve
a disproportionate effort for the data importer. In the latter case, the data
importer shall, to the extent possible, make the information publicly
available.
(c) On request, the Parties shall make a copy of these Clauses, including the
Appendix as completed by them, available to the data subject free of charge. To
the extent necessary to protect business secrets or other confidential
information, including personal data, the Parties may redact part of the text
of the Appendix prior to sharing a copy but shall provide a meaningful summary
where the data subject would otherwise not be able to understand its content or
exercise his/her rights. On request, the Parties shall provide the data subject
with the reasons for the redactions, to the extent possible without revealing
the redacted information.
(d) Paragraphs (a) to (c) are without prejudice to the obligations of the data
exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.3 Accuracy and data minimization
(a) Each Party shall ensure that the personal data is
accurate and, where necessary, kept up to date. The data importer shall take
every reasonable step to ensure that personal data that is inaccurate, having
regard to the purpose(s) of processing, is erased or rectified without delay.
(b) If one of the Parties becomes aware that the personal data it has
transferred or received is inaccurate, or has become outdated, it shall inform
the other Party without undue delay.
(c) The data importer shall ensure that the personal data is adequate,
relevant, and limited to what is necessary in relation to the purpose(s) of
processing.
8.4 Storage limitation
The data importer shall retain the personal data for
no longer than necessary for the purpose(s) for which it is processed. It shall
put in place appropriate technical or organizational measures to ensure
compliance with this obligation, including erasure or anonymization of the
data and all backups at the end of the retention period.
8.5 Security of processing
(a) The data importer and, during transmission, also
the data exporter shall implement appropriate technical and organisational
measures to ensure the security of the personal data, including protection
against a breach of security leading to accidental or unlawful destruction,
loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data
breach’). In assessing the appropriate level of security, they shall take due
account of the state of the art, the costs of implementation, the nature,
scope, context and purpose(s) of processing and the risks involved in the
processing for the data subject. The Parties shall in particular consider
having recourse to encryption or pseudonymisation, including during
transmission, where the purpose of processing can be fulfilled in that manner.
(b) The Parties have agreed on the technical and organisational measures set
out in Annex II. The data importer shall carry out regular checks to ensure
that these measures continue to provide an appropriate level of security.
(c) The data importer shall ensure that persons authorised to process the
personal data have committed themselves to confidentiality or are under an
appropriate statutory obligation of confidentiality.
(d) In the event of a personal data breach concerning personal data processed
by the data importer under these Clauses, the data importer shall take
appropriate measures to address the personal data breach, including measures to
mitigate its possible adverse effects.
(e) In case of a personal data breach that is likely to result in a risk to the
rights and freedoms of natural persons, the data importer shall without undue
delay notify both the data exporter and the competent supervisory authority
pursuant to Clause 13. Such notification shall contain i) a description of the
nature of the breach (including, where possible, categories and approximate
number of data subjects and personal data records concerned), ii) its likely
consequences, iii) the measures taken or proposed to address the breach, and
iv) the details of a contact point from whom more information can be obtained.
To the extent it is not possible for the data importer to provide all the
information at the same time, it may do so in phases without undue further delay.
(f) In case of a personal data breach that is likely to result in a high risk
to the rights and freedoms of natural persons, the data importer shall also
notify without undue delay the data subjects concerned of the personal data
breach and its nature, if necessary in cooperation with the data exporter,
together with the information referred to in paragraph (e), points ii) to iv),
unless the data importer has implemented measures to significantly reduce the
risk to the rights or freedoms of natural persons, or notification would
involve disproportionate efforts. In the latter case, the data importer shall
instead issue a public communication or take a similar measure to inform the
public of the personal data breach.
(g) The data importer shall document all relevant facts relating to the
personal data breach, including its effects and any remedial action taken, and
keep a record thereof.
8.6 Sensitive data
Where the transfer involves personal data revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, genetic data, or biometric data for the
purpose of uniquely identifying a natural person, data concerning health or a
person’s sex life or sexual orientation, or data relating to criminal
convictions or offences (hereinafter ‘sensitive data’), the data importer shall
apply specific restrictions and/or additional safeguards adapted to the
specific nature of the data and the risks involved. This may include
restricting the personnel permitted to access the personal data, additional
security measures (such as pseudonymisation) and/or additional restrictions
with respect to further disclosure.
8.7
Onward transfers
The data importer shall not disclose the personal data
to a third party located outside the European Union (in the same country as the
data importer or in another third country, hereinafter ‘onward transfer’)
unless the third party is or agrees to be bound by these Clauses, under the
appropriate Module. Otherwise, an onward transfer by the data importer may only
take place if:
(i) it is to a country benefitting from an adequacy decision pursuant to
Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to
Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in
question;
(iii) the third party enters into a binding instrument with the data importer
ensuring the same level of data protection as under these Clauses, and the data
importer provides a copy of these safeguards to the data exporter;
(iv) it is necessary for the establishment, exercise or defence of legal claims
in the context of specific administrative, regulatory or judicial proceedings;
(v) it is necessary in order to protect the vital interests of the data subject
or of another natural person; or
(vi) where none of the other conditions apply, the data importer has obtained
the explicit consent of the data subject for an onward transfer in a specific
situation, after having informed him/her of its purpose(s), the identity of the
recipient and the possible risks of such transfer to him/her due to the lack of
appropriate data protection safeguards. In this case, the data importer shall
inform the data exporter and, at the request of the latter, shall transmit to
it a copy of the information provided to the data subject.
Any onward transfer is subject to compliance by the data importer with all the
other safeguards under these Clauses, in particular purpose limitation.
8.8
Processing under the authority of the data importer
The data importer shall ensure that any person acting
under its authority, including a processor, processes the data only on its
instructions.
8.9
Documentation and compliance
(a) Each Party shall be able to demonstrate compliance
with its obligations under these Clauses. In particular, the data importer
shall keep appropriate documentation of the processing activities carried out
under its responsibility.
(b) The data importer shall make such documentation available to the competent
supervisory authority on request.
MODULE TWO: Transfer controller to processor
8.1 Instructions
(a) The data importer shall process the personal data
only on documented instructions from the data exporter. The data exporter may
give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is
unable to follow those instructions.
8.2
Purpose limitation
The data importer shall process the personal data only
for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on
further instructions from the data exporter.
8.3
Transparency
On request, the data exporter shall make a copy of
these Clauses, including the Appendix as completed by the Parties, available to
the data subject free of charge. To the extent necessary to protect business
secrets or other confidential information, including the measures described in
Annex II and personal data, the data exporter may redact part of the text of
the Appendix to these Clauses prior to sharing a copy, but shall provide a
meaningful summary where the data subject would otherwise not be able to
understand its content or exercise his/her rights. On request, the Parties
shall provide the data subject with the reasons for the redactions, to the
extent possible without revealing the redacted information. This Clause is
without prejudice to the obligations of the data exporter under Articles 13 and
14 of Regulation (EU) 2016/679.
8.4
Accuracy
If the data importer becomes aware that the personal
data it has received is inaccurate, or has become outdated, it shall inform the
data exporter without undue delay. In this case, the data importer shall
cooperate with the data exporter to erase or rectify the data.
8.5
Duration of processing and erasure or return of data
Processing by the data importer shall only take place
for the duration specified in Annex I.B. After the end of the provision of the
processing services, the data importer shall, at the choice of the data
exporter, delete all personal data processed on behalf of the data exporter and
certify to the data exporter that it has done so, or return to the data
exporter all personal data processed on its behalf and delete existing copies.
Until the data is deleted or returned, the data importer shall continue to
ensure compliance with these Clauses. In case of local laws applicable to the
data importer that prohibit return or deletion of the personal data, the data
importer warrants that it will continue to ensure compliance with these Clauses
and will only process it to the extent and for as long as required under that
local law. This is without prejudice to Clause 14, in particular the
requirement for the data importer under Clause 14(e) to notify the data exporter
throughout the duration of the contract if it has reason to believe that it is
or has become subject to laws or practices not in line with the requirements
under Clause 14(a).
8.6
Security of processing
(a) The data importer and, during transmission, also
the data exporter shall implement appropriate technical and organisational
measures to ensure the security of the data, including protection against a
breach of security leading to accidental or unlawful destruction, loss,
alteration, unauthorised disclosure or access to that data (hereinafter
“personal data breach”). In assessing the appropriate level of security, the
Parties shall take due account of the state of the art, the costs of
implementation, the nature, scope, context and purpose(s) of processing and the
risks involved in the processing for the data subjects. The Parties shall in
particular consider having recourse to encryption or pseudonymisation,
including during transmission, where the purpose of processing can be fulfilled
in that manner. In case of pseudonymisation, the additional information for
attributing the personal data to a specific data subject shall, where possible,
remain under the exclusive control of the data exporter. In complying with its
obligations under this paragraph, the data importer shall at least implement
the technical and organisational measures specified in Annex II. The data
importer shall carry out regular checks to ensure that these measures continue
to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its
personnel only to the extent strictly necessary for the implementation,
management and monitoring of the contract. It shall ensure that persons
authorised to process the personal data have committed themselves to
confidentiality or are under an appropriate statutory obligation of
confidentiality.
(c) In the event of a personal data breach concerning personal data processed
by the data importer under these Clauses, the data importer shall take
appropriate measures to address the breach, including measures to mitigate its
adverse effects. The data importer shall also notify the data exporter without
undue delay after having become aware of the breach. Such notification shall
contain the details of a contact point where more information can be obtained,
a description of the nature of the breach (including, where possible,
categories and approximate number of data subjects and personal data records
concerned), its likely consequences and the measures taken or proposed to
address the breach including, where appropriate, measures to mitigate its
possible adverse effects. Where, and in so far as, it is not possible to
provide all information at the same time, the initial notification shall
contain the information then available and further information shall, as it
becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to
enable the data exporter to comply with its obligations under Regulation (EU)
2016/679, in particular to notify the competent supervisory authority and the
affected data subjects, taking into account the nature of processing and the information
available to the data importer.
8.7
Sensitive data
Where the transfer involves personal data revealing
racial or ethnic origin, political opinions, religious or philosophical
beliefs, or trade union membership, genetic data, or biometric data for the
purpose of uniquely identifying a natural person, data concerning health or a
person’s sex life or sexual orientation, or data relating to criminal
convictions and offences (hereinafter “sensitive data”), the data importer
shall apply the specific restrictions and/or additional safeguards described in
Annex I.B.
8.8
Onward transfers
The data importer shall only disclose the personal
data to a third party on documented instructions from the data exporter. In
addition, the data may only be disclosed to a third party located outside the
European Union (in the same country as the data importer or in another third
country, hereinafter “onward transfer”) if the third party is or agrees to be
bound by these Clauses, under the appropriate Module, or if:
the onward transfer is to a country benefitting from an adequacy decision
pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward
transfer;
the third party otherwise ensures appropriate safeguards pursuant to Articles
46 or 47 of Regulation (EU) 2016/679 with respect to the processing in
question;
the onward transfer is necessary for the establishment, exercise or defence of
legal claims in the context of specific administrative, regulatory or judicial
proceedings; or
the onward transfer is necessary in order to protect the vital interests of the
data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the
other safeguards under these Clauses, in particular purpose limitation.
8.9
Documentation and compliance
(a) The data importer shall promptly and adequately
deal with enquiries from the data exporter that relate to the processing under
these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In
particular, the data importer shall keep appropriate documentation on the
processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information
necessary to demonstrate compliance with the obligations set out in these
Clauses and at the data exporter’s request, allow for and contribute to audits
of the processing activities covered by these Clauses, at reasonable intervals
or if there are indications of noncompliance. In deciding on a review or audit,
the data exporter may take into account relevant certifications held by the
data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an
independent auditor. Audits may include inspections at the premises or physical
facilities of the data importer and shall, where appropriate, be carried out
with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and
(c), including the results of any audits, available to the competent
supervisory authority on request.
MODULE THREE: Transfer processor to processor
8.1
Instructions
(a) The data exporter has informed the data importer that it
acts as processor under the instructions of its controller(s), which the data
exporter shall make available to the data importer prior to processing.
(b) The data importer shall process the personal data only
on documented instructions from the controller, as communicated to the data
importer by the data exporter, and any additional documented instructions from
the data exporter. Such additional instructions shall not conflict with the
instructions from the controller. The controller or data exporter may give
further documented instructions regarding the data processing throughout the
duration of the contract.
(c) The data importer shall immediately inform the data
exporter if it is unable to follow those instructions. Where the data importer
is unable to follow the instructions from the controller, the data exporter
shall immediately notify the controller.
(d) The data exporter warrants that it has imposed the same
data protection obligations on the data importer as set out in the contract or
other legal act under Union or Member State law between the controller and the
data exporter[1].
8.2 Purpose limitation
The data importer shall process the personal data only for
the specific purpose(s) of the transfer, as set out in Annex I.B., unless on
further instructions from the controller, as communicated to the data importer
by the data exporter, or from the data exporter.
8.3
Transparency
On request, the data exporter shall make a copy of these
Clauses, including the Appendix as completed by the Parties, available to the
data subject free of charge. To the extent necessary to protect business
secrets or other confidential information, including personal data, the data
exporter may redact part of the text of the Appendix prior to sharing a copy,
but shall provide a meaningful summary where the data subject would otherwise
not be able to understand its content or exercise his/her rights. On request,
the Parties shall provide the data subject with the reasons for the redactions,
to the extent possible without revealing the redacted information.
8.4
Accuracy
If the data importer becomes aware that the personal data it
has received is inaccurate, or has become outdated, it shall inform the data
exporter without undue delay. In this case, the data importer shall cooperate
with the data exporter to rectify or erase the data.
8.5
Duration of processing and erasure or return of data
Processing by the data importer shall only take place for
the duration specified in Annex I.B. After the end of the provision of the
processing services, the data importer shall, at the choice of the data
exporter, delete all personal data processed on behalf of the controller and
certify to the data exporter that it has done so, or return to the data
exporter all personal data processed on its behalf and delete existing copies.
Until the data is deleted or returned, the data importer shall continue to ensure
compliance with these Clauses. In case of local laws applicable to the data
importer that prohibit return or deletion of the personal data, the data
importer warrants that it will continue to ensure compliance with these Clauses
and will only process it to the extent and for as long as required under that
local law. This is without prejudice to Clause 14, in particular the
requirement for the data importer under Clause 14(e) to notify the data
exporter throughout the duration of the contract if it has reason to believe
that it is or has become subject to laws or practices not in line with the
requirements under Clause 14(a).
8.6
Security of processing
(a) The data importer and, during transmission, also the
data exporter shall implement appropriate technical and organisational measures
to ensure the security of the data, including protection against a breach of
security leading to accidental or unlawful destruction, loss, alteration,
unauthorised disclosure or access to that data (hereinafter “personal data
breach”). In assessing the appropriate level of security, they shall take due
account of the state of the art, the costs of implementation, the nature,
scope, context and purpose(s) of processing and the risks involved in the
processing for the data subject. The Parties shall in particular consider
having recourse to encryption or pseudonymisation, including during
transmission, where the purpose of processing can be fulfilled in that manner. In case of
pseudonymisation, the additional information for attributing the personal data
to a specific data subject shall, where possible, remain under the exclusive
control of the data exporter or the controller. In complying with its
obligations under this paragraph, the data importer shall at least implement
the technical and organisational measures specified in Annex II. The data
importer shall carry out regular checks to ensure that these measures continue
to provide an appropriate level of security.
(a) The data importer shall grant access to the data to members of its personnel only
to the extent strictly necessary for the implementation, management and
monitoring of the contract. It shall ensure that persons authorised to process
the personal data have committed themselves to confidentiality or are under an
appropriate statutory obligation of confidentiality.
(b) In the event of a personal data breach concerning personal data processed by the
data importer under these Clauses, the data importer shall take appropriate
measures to address the breach, including measures to mitigate its adverse
effects. The data importer shall also notify, without undue delay, the data
exporter and, where appropriate and feasible, the controller after having
become aware of the breach. Such notification shall contain the details of a
contact point where more information can be obtained, a description of the
nature of the breach (including, where possible, categories and approximate
number of data subjects and personal data records concerned), its likely
consequences and the measures taken or proposed to address the data breach,
including measures to mitigate its possible adverse effects. Where, and in so
far as, it is not possible to provide all information at the same time, the
initial notification shall contain the information then available and further
information shall, as it becomes available, subsequently be provided without
undue delay.
(c) The data importer shall cooperate with and assist the data exporter to enable the
data exporter to comply with its obligations under Regulation (EU) 2016/679, in
particular to notify its controller so that the latter may in turn notify the
competent supervisory authority and the affected data subjects, taking into
account the nature of processing and the information available to the data
importer.
8.7
Sensitive data
Where the transfer involves personal data revealing racial
or ethnic origin, political opinions, religious or philosophical beliefs, or
trade union membership, genetic data, or biometric data for the purpose of
uniquely identifying a natural person, data concerning health or a person’s sex
life or sexual orientation, or data relating to criminal convictions and
offences (hereinafter “sensitive data”), the data importer shall apply the
specific restrictions and/or additional safeguards set out in Annex I.B.
8.8
Onward transfers
The data importer shall only disclose the personal data to a
third party on documented instructions from the controller, as communicated to
the data importer by the data exporter. In addition, the data may only be
disclosed to a third party located outside the European Union[2] (in
the same country as the data importer or in another third country, hereinafter
“onward transfer”) if the third party is or agrees to be bound by these
Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant
to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or
47 of Regulation (EU) 2016/679;
(iii) the onward transfer is necessary for the establishment,
exercise or defence of legal claims in the context of specific administrative,
regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect
the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data
importer with all the other safeguards under these Clauses, in particular
purpose limitation.
8.9
Documentation and compliance
(a) The data importer shall promptly and adequately deal
with enquiries from the data exporter or the controller that relate to the
processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with
these Clauses. In particular, the data importer shall keep appropriate
documentation on the processing activities carried out on behalf of the
controller.
(c) The data importer shall make all information necessary
to demonstrate compliance with the obligations set out in these Clauses
available to the data exporter, which shall provide it to the controller.
(d) The data importer shall allow for and contribute to
audits by the data exporter of the processing activities covered by these
Clauses, at reasonable intervals or if there are indications of non-compliance.
The same shall apply where the data exporter requests an audit on instructions
of the controller. In deciding on an audit, the data exporter may take into
account relevant certifications held by the data importer.
(e) Where the audit is carried out on the instructions of
the controller, the data exporter shall make the results available to the
controller.
(f) The data exporter may choose to conduct the audit by
itself or mandate an independent auditor. Audits may include inspections at the
premises or physical facilities of the data importer and shall, where
appropriate, be carried out with reasonable notice.
(g) The Parties shall make the information referred to in
paragraphs (b) and (c), including the results of any audits, available to the
competent supervisory authority on request.
Clause 9
Use of sub-processors
MODULE TWO: Transfer controller to processor
(a) The data importer has the data exporter’s general authorisation for the engagement
of sub-processor(s) from an agreed list. The data importer shall specifically
inform the data exporter in writing of any intended changes to that list
through the addition or replacement of subprocessors in advance as specified in
Annex III “Subprocessors”, thereby
giving the data exporter sufficient time to be able to object to such changes
prior to the engagement of the sub-processor(s). The data importer shall
provide the data exporter with the information necessary to enable the data
exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing
activities (on behalf of the data exporter), it shall do so by way of a written
contract that provides for, in substance, the same data protection obligations
as those binding the data importer under these Clauses, including in terms of
third-party beneficiary rights for data subjects.[3] The Parties agree that, by
complying with this Clause, the data importer fulfils its obligations under
Clause 8.8. The data importer shall ensure that the sub-processor complies with
the obligations to which the data importer is subject pursuant to these
Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a
subprocessor agreement and any subsequent amendments to the data exporter. To
the extent necessary to protect business secrets or other confidential
information, including personal data, the data importer may redact the text of
the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the
performance of the sub-processor’s obligations under its contract with the data
importer. The data importer shall notify the data exporter of any failure by
the subprocessor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the
sub-processor whereby - in the event the data importer has factually
disappeared, ceased to exist in law or has become insolvent - the data exporter
shall have the right to terminate the sub-processor contract and to instruct
the sub-processor to erase or return the personal data.
MODULE THREE: Transfer processor to processor
(a) The data importer has the controller’s general authorisation for the engagement of
sub-processor(s) from an agreed list. The data importer shall specifically
inform the controller in writing of any intended changes to that list through
the addition or replacement of subprocessors in advance, as specified in Annex
III “List of Subprocessors”, thereby giving the controller sufficient time to
be able to object to such changes prior to the engagement of the
sub-processor(s). The data importer shall provide the controller with the
information necessary to enable the controller to exercise its right to object.
The data importer shall inform the data exporter of the engagement of the
sub-processor(s).
(b) Where the data importer engages a sub-processor to carry
out specific processing activities (on behalf of the controller), it shall do
so by way of a written contract that provides for, in substance, the same data
protection obligations as those binding the data importer under these Clauses,
including in terms of third-party beneficiary rights for data subjects.[4] The
Parties agree that, by complying with this Clause, the data importer fulfils
its obligations under Clause 8.8. The data importer shall ensure that the
sub-processor complies with the obligations to which the data importer is
subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s
or controller’s request, a copy of such a sub-processor agreement and any
subsequent amendments. To the extent necessary to protect business secrets or
other confidential information, including personal data, the data importer may
redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the
data exporter for the performance of the sub-processor’s obligations under its
contract with the data importer. The data importer shall notify the data
exporter of any failure by the subprocessor to fulfil its obligations under
that contract.
(e) The data importer shall agree a third-party beneficiary
clause with the sub-processor whereby - in the event the data importer has
factually disappeared, ceased to exist in law or has become insolvent - the
data exporter shall have the right to terminate the sub-processor contract and
to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
MODULE ONE: Transfer controller to controller
(a) The data importer, where relevant
with the assistance of the data exporter, shall deal with any enquiries and
requests it receives from a data subject relating to the processing of his/her
personal data and the exercise of his/her rights under these Clauses without
undue delay and at the latest within one month of the receipt of the enquiry or
request. The data importer shall take appropriate measures to facilitate such
enquiries, requests and the exercise of data subject rights. Any information provided
to the data subject shall be in an intelligible and easily accessible form,
using clear and plain language.
(b) In particular, upon request by
the data subject the data importer shall, free of charge:
(i) provide confirmation to the data
subject as to whether personal data concerning him/her is being processed and,
where this is the case, a copy of the data relating to him/her and the
information in Annex I; if personal data has been or will be onward transferred,
provide information on recipients or categories of recipients (as appropriate
with a view to providing meaningful information) to which the personal data has
been or will be onward transferred, the purpose of such onward transfers and
their ground pursuant to Clause 8.7; and provide information on the right to
lodge a complaint with a supervisory authority in accordance with Clause
12(c)(i);
(ii) rectify inaccurate or
incomplete data concerning the data subject;
(iii) erase personal data concerning
the data subject if such data is being or has been processed in violation of
any of these Clauses ensuring third-party beneficiary rights, or if the data
subject withdraws the consent on which the processing is based.
(c) Where the data importer processes
the personal data for direct marketing purposes, it shall cease processing for
such purposes if the data subject objects to it.
(d) The data importer shall not make
a decision based solely on the automated processing of the personal data
transferred (hereinafter ‘automated decision’), which would produce legal
effects concerning the data subject or similarly significantly affect him/her,
unless with the explicit consent of the data subject or if authorised to do so
under the laws of the country of destination, provided that such laws lay down
suitable measures to safeguard the data subject’s rights and legitimate
interests. In this case, the data importer shall, where necessary in
cooperation with the data exporter:
(i) inform the data subject about the
envisaged automated decision, the envisaged consequences and the logic
involved; and
(ii) implement suitable safeguards,
at least by enabling the data subject to contest the decision, express his/her
point of view and obtain review by a human being.
(e) Where requests from a data
subject are excessive, in particular because of their repetitive character, the
data importer may either charge a reasonable fee taking into account the
administrative costs of granting the request or refuse to act on the request.
(f) The data importer may refuse a
data subject’s request if such refusal is allowed under the laws of the country
of destination and is necessary and proportionate in a democratic society to
protect one of the objectives listed in Article 23(1) of Regulation (EU)
2016/679.
(g) If the data importer intends to
refuse a data subject’s request, it shall inform the data subject of the
reasons for the refusal and the possibility of lodging a complaint with the
competent supervisory authority and/or seeking judicial redress.
MODULE TWO: Transfer controller to processor
(a) The data importer shall promptly notify the data exporter of any request it has
received from a data subject. It shall not respond to that request itself
unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to
respond to data subjects’ requests for the exercise of their rights under
Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II
the appropriate technical and organisational measures, taking into account the
nature of the processing, by which the assistance shall be provided, as well as
the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer
shall comply with the instructions from the data exporter.
MODULE THREE: Transfer processor to processor
(a) The data importer shall promptly notify the data exporter and, where appropriate,
the controller of any request it has received from a data subject, without
responding to that request unless it has been authorised to do so by the
controller.
(b) The data importer shall assist, where appropriate in cooperation with the data
exporter, the controller in fulfilling its obligations to respond to data
subjects’ requests for the exercise of their rights under Regulation (EU)
2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the
Parties shall set out in Annex II the appropriate technical and organisational
measures, taking into account the nature of the processing, by which the
assistance shall be provided, as well as the scope and the extent of the
assistance required.
(c)
In
fulfilling its obligations under paragraphs (a) and (b), the data importer
shall comply with the instructions from the controller, as communicated by the
data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a
transparent and easily accessible format, through individual notice or on its
website, of a contact point authorised to handle complaints. It shall deal
promptly with any complaints it receives from a data subject.
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(b) In case of a dispute between a data subject and one of the Parties as regards
compliance with these Clauses, that Party shall use its best efforts to resolve
the issue amicably in a timely fashion. The Parties shall keep each other
informed about such disputes and, where appropriate, cooperate in resolving
them.
(c) Where the data subject invokes a third-party beneficiary
right pursuant to Clause 3, the data importer shall accept the decision of the
data subject to:
(i) lodge a complaint with the
supervisory authority in the Member State of his/her habitual residence or
place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the
competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be
represented by a not-for-profit body, organisation or association under the
conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is
binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the
data subject will not prejudice his/her substantive and procedural rights to
seek remedies in accordance with applicable laws.
Clause 12
Liability
MODULE ONE: Transfer controller to controller
(a) Each Party shall be liable to the other Party/ies for any damages it causes the
other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be
entitled to receive compensation, for any material or non-material damages that
the Party causes the data subject by breaching the third-party beneficiary rights
under these Clauses. This is without prejudice to the liability of the data
exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data
subject as a result of a breach of these Clauses, all responsible Parties shall be
jointly and severally liable and the data subject is entitled to bring an action
in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall
be entitled to claim back from the other Party/ies that part of the compensation
corresponding to its/their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to
avoid its own liability.
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) Each Party shall be liable to the other Party/ies for any damages it causes the
other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall
be entitled to receive compensation, for any material or non-material damages
the data importer or its sub-processor causes the data subject by breaching the
third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data
subject, and the data subject shall be entitled to receive compensation, for any
material or non-material damages the data exporter or the data importer (or its
sub-processor) causes the data subject by breaching the third-party beneficiary
rights under these Clauses. This is without prejudice to the liability of the
data exporter and, where the data exporter is a processor acting on behalf of a
controller, to the liability of the controller under Regulation (EU) 2016/679
or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for
damages caused by the data importer (or its sub-processor), it shall be
entitled to claim back from the data importer that part of the compensation
corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject
as a result of a breach of these Clauses, all responsible Parties shall be jointly
and severally liable and the data subject is entitled to bring an action in
court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be
entitled to claim back from the other Party/ies that part of the compensation
corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own
liability.
Clause 13
Supervision
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) [Where the data exporter is established in an EU Member State:] The supervisory
authority with responsibility for ensuring compliance by the data exporter with
Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex
I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member
State, but falls within the territorial scope of application of Regulation (EU)
2016/679 in accordance with its Article 3(2) and has appointed a representative
pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory
authority of the Member State in which the representative within the meaning of
Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex
I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member
State, but falls within the territorial scope of application of Regulation (EU)
2016/679 in accordance with its Article 3(2) without however having to appoint
a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The
supervisory authority of one of the Member States in which the data subjects
whose personal data is transferred under these Clauses in relation to the
offering of goods or services to them, or whose behaviour is monitored, are
located, as indicated in Annex I.C, shall act as competent supervisory
authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with
the competent supervisory authority in any procedures aimed at ensuring
compliance with these Clauses. In particular, the data importer agrees to
respond to enquiries, submit to audits and comply with the measures adopted by
the supervisory authority, including remedial and compensatory measures. It
shall provide the supervisory authority with written confirmation that the
necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the
Clauses
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) The Parties warrant that they have no reason to believe that the laws and practices
in the third country of destination applicable to the processing of the
personal data by the data importer, including any requirements to disclose
personal data or measures authorising access by public authorities, prevent the
data importer from fulfilling its obligations under these Clauses. This is
based on the understanding that laws and practices that respect the essence of
the fundamental rights and freedoms and do not exceed what is necessary and
proportionate in a democratic society to safeguard one of the objectives listed
in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with
these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have
taken due account in particular of the following elements:
(i) the specific circumstances of the
transfer, including the length of the processing chain, the number of actors
involved and the transmission channels used; intended onward transfers; the
type of recipient; the purpose of processing; the categories and format of the
transferred personal data; the economic sector in which the transfer occurs;
the storage location of the data transferred;
(ii) the laws and practices of the
third country of destination – including those requiring the disclosure of data
to public authorities or authorising access by such authorities – relevant in
light of the specific circumstances of the transfer, and the applicable
limitations and safeguards[5];
(iii) any relevant contractual,
technical or organisational safeguards put in place to supplement the
safeguards under these Clauses, including measures applied during transmission
and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the
assessment under paragraph (b), it has made its best efforts to provide the
data exporter with relevant information and agrees that it will continue to
cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under
paragraph (b) and make it available to the competent supervisory authority on
request.
(e) The data importer agrees to notify the data exporter
promptly if, after having agreed to these Clauses and for the duration of the
contract, it has reason to believe that it is or has become subject to laws or
practices not in line with the requirements under paragraph (a), including
following a change in the laws of the third country or a measure (such as a
disclosure request) indicating an application of such laws in practice that is
not in line with the requirements in paragraph (a). [For Module Three: The data
exporter shall forward the notification to the controller.]
(f) Following a notification pursuant to paragraph (e), or if
the data exporter otherwise has reason to believe that the data importer can no
longer fulfil its obligations under these Clauses, the data exporter shall
promptly identify appropriate measures (e.g. technical or organisational
measures to ensure security and confidentiality) to be adopted by the data
exporter and/or data importer to address the situation [for Module Three: , if
appropriate in consultation with the controller]. The data exporter shall
suspend the data transfer if it considers that no appropriate safeguards for
such transfer can be ensured, or if instructed by [for Module Three: the
controller or] the competent supervisory authority to do so. In this case, the
data exporter shall be entitled to terminate the contract, insofar as it
concerns the processing of personal data under these Clauses. If the contract
involves more than two Parties, the data exporter may exercise this right to
termination only with respect to the relevant Party, unless the Parties have
agreed otherwise. Where the contract is terminated pursuant to this Clause,
Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public
authorities
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
15.1 Notification
(a) The data importer agrees to notify the data exporter
and, where possible, the data subject promptly (if necessary with the help of
the data exporter) if it:
(i) receives a legally binding request from a public
authority, including judicial authorities, under the laws of the country of
destination for the disclosure of personal data transferred pursuant to these
Clauses; such notification shall include information about the personal data
requested, the requesting authority, the legal basis for the request and the
response provided; or
(ii) becomes aware of any direct access by public
authorities to personal data transferred pursuant to these Clauses in
accordance with the laws of the country of destination; such notification shall
include all information available to the importer.
[For Module Three: The data exporter shall forward the
notification to the controller.]
(b) If the data importer is prohibited from notifying the
data exporter and/or the data subject under the laws of the country of
destination, the data importer agrees to use its best efforts to obtain a
waiver of the prohibition, with a view to communicating as much information as
possible, as soon as possible. The data importer agrees to document its best
efforts in order to be able to demonstrate them on request of the data
exporter.
(c) Where permissible under the laws of the country of
destination, the data importer agrees to provide the data exporter, at regular
intervals for the duration of the contract, with as much relevant information
as possible on the requests received (in particular, number of requests, type
of data requested, requesting authority/ies, whether requests have been
challenged and the outcome of such challenges, etc.). [For Module Three: The
data exporter shall forward the information to the controller.]
(d) The data importer agrees to preserve the information
pursuant to paragraphs (a) to (c) for the duration of the contract and make it
available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the
obligation of the data importer pursuant to Clause 14(e) and Clause 16 to
inform the data exporter promptly where it is unable to comply with these
Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the
request for disclosure, in particular whether it remains within the powers
granted to the requesting public authority, and to challenge the request if,
after careful assessment, it concludes that there are reasonable grounds to
consider that the request is unlawful under the laws of the country of
destination, applicable obligations under international law and principles of
international comity. The data importer shall, under the same conditions, pursue
possibilities of appeal. When challenging a request, the data importer shall
seek interim measures with a view to suspending the effects of the request
until the competent judicial authority has decided on its merits. It shall not
disclose the personal data requested until required to do so under the
applicable procedural rules. These requirements are without prejudice to the
obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment
and any challenge to the request for disclosure and, to the extent permissible
under the laws of the country of destination, make the documentation available
to the data exporter. It shall also make it available to the competent
supervisory authority on request. [For Module Three: The data exporter shall
make the assessment available to the controller.]
(c) The data importer agrees to provide the minimum amount of
information permissible when responding to a request for disclosure, based on a
reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter
if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these
Clauses or unable to comply with these Clauses, the data exporter shall suspend
the transfer of personal data to the data importer until compliance is again
ensured or the contract is terminated. This is without prejudice to Clause
14(f).
(c) The data exporter shall be entitled to terminate the
contract, insofar as it concerns the processing of personal data under these
Clauses, where:
(i) the data exporter has suspended the transfer of personal
data to the data importer pursuant to paragraph (b) and compliance with these
Clauses is not restored within a reasonable time and in any event within one
month of suspension;
(ii) the data importer is in substantial or persistent breach
of these Clauses; or
(iii) the data importer fails to comply with a binding
decision of a competent court or supervisory authority regarding its
obligations under these Clauses.
In these cases, it shall inform the competent supervisory
authority [for Module Three: and the controller] of such non-compliance. Where
the contract involves more than two Parties, the data exporter may exercise
this right to termination only with respect to the relevant Party, unless the
Parties have agreed otherwise.
(d) [For Modules Two and Three: Personal data that has been
transferred prior to the termination of the contract pursuant to paragraph (c)
shall at the choice of the data exporter immediately be returned to the data
exporter or deleted in its entirety. The same shall apply to any copies of the
data.] [For Module Four: Personal data collected by the data exporter in the EU
that has been transferred prior to the termination of the contract pursuant to
paragraph (c) shall immediately be deleted in its entirety, including any copy
thereof.] The data importer shall certify the deletion of the data to the data
exporter. Until the data is deleted or returned, the data importer shall
continue to ensure compliance with these Clauses. In case of local laws
applicable to the data importer that prohibit the return or deletion of the
transferred personal data, the data importer warrants that it will continue to
ensure compliance with these Clauses and will only process the data to the
extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by
these Clauses where (i) the European Commission adopts a decision pursuant to
Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal
data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes
part of the legal framework of the country to which the personal data is
transferred. This is without prejudice to other obligations applying to the
processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
These Clauses shall be governed by the law of one of the EU
Member States, provided such law allows for third-party beneficiary rights. The
Parties agree that this shall be the law of the Netherlands.
Clause 18
Choice of forum and jurisdiction
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) Any dispute arising from these Clauses shall be resolved
by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts
of the Netherlands.
(c) A data subject may also bring legal proceedings against
the data exporter and/or data importer before the courts of the Member State in
which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the
jurisdiction of such courts.
APPENDIX
ANNEX I
A. LIST OF PARTIES
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s):
Name: The data exporter is an entity
(Client) that has contracted with the data importer (Energies Solutions LLC)
for Services, unless both Energies Solutions LLC and Client are located in a
country considered to have an adequate level of protection pursuant to an
adequacy decision under Article 45 of Regulation (EU) 2016/679, in which case
these Clauses are not required between Energies Solutions LLC and Client.
Address: As set out in the Transaction Document.
Contact person’s name, position, and contact details: As set out in the
Transaction Document.
Activities relevant to the data transferred under these Clauses: As set out in
the applicable Transaction Document.
Signature and date: By entering into the Agreement, Client is entering into
these Clauses, unless both Energies Solutions LLC and Client are located in a
country considered to have an adequate level of protection pursuant to an
adequacy decision under Article 45 of Regulation (EU) 2016/679, in which case
these Clauses are not required between Energies Solutions LLC and Client.
Role (controller/processor): The role of Client as controller, processor, or
both is determined by the circumstances of each case, and Client is responsible
for determining the correct role undertaken in order to fulfill the appropriate
obligations under the applicable module.
Data importer(s):
Name: The data importer is Energies
Solutions LLC if located in a Non-Adequate Country.
Address: As set out in the Transaction Document.
Contact person’s name, position, and contact details: As set out in the
Transaction Document.
Activities relevant to the data transferred under these Clauses: As set out in
the applicable Transaction Document.
Signature and date: By entering into the Agreement, Energies Solutions LLC is
entering into these Clauses, provided Energies Solutions LLC is located in a
Non-Adequate Country.
Role (controller/processor): Energies Solutions LLC acts as processor.
B. DESCRIPTION OF TRANSFER
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Categories of data subjects whose personal data is transferred:
Data subjects include the
individuals whose Personal Data is provided to Energies Solutions LLC via the
Products by (or at the direction of) Client or by any employee or end user of
the Client, which may include, but is not limited to, Personal Data relating to
users, employees, officers, directors, contractors, agents, vendors, Clients,
visitors, and such other individuals who may be captured by the Products; the
extent of which, in each and every case, is determined and controlled by the
data exporter in its sole discretion, depending on its use of the Products.
Categories of personal data transferred:
Personal Data relating to
individuals provided to Energies Solutions LLC via the Products, by (or at the
direction of) Client or by any employee or end user of the Client, which may
include, but is not limited to, Personal Data relating to the following categories:
names, contact information (e.g., company, email, address, telephone number),
ID data, connection data, location data, profile pictures, images, and video
captured by the Products (e.g., images of individuals inside a vehicle
operating a dash cam, and other information capable of identifying individuals
from such imagery e.g., vehicle registration and license plates, signposts for
buildings, houses, and other landmarks); the extent of which, in each and every
case, is determined and controlled by the data exporter in its sole discretion,
depending on its use of the Products.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that
fully take into consideration the nature of the data and the risks involved,
such as for instance strict purpose limitation, access restrictions (including
access only for staff having followed specialized training), keeping a record
of access to the data, restrictions for onward transfers, or additional
security measures:
Data exporter may submit special
categories of data to the Products and/or Energies Solutions LLC may create
special categories of data within the Products, the extent of which is
determined and controlled by the data exporter in its sole discretion,
depending on its use of the Products. If applicable, data exporter agrees that
it has reviewed and assessed the restrictions and safeguards applied to such
special categories of Personal Data, including the measures described in Annex
II of the Addendum, and has determined that such restrictions and safeguards
are sufficient for the purposes of complying with Data Protection Laws.
The frequency of the transfer (e.g., whether the data is transferred on a one-off
or continuous basis):
Continuous. Energies Solutions LLC
will Process Client Personal Data for as long as is necessary in order to
provide the Products to the Client in accordance with, and as otherwise
permitted by, the Agreement, and for any disclosures compelled by law.
Nature of the processing:
Energies Solutions LLC will Process
Client Personal Data for the purposes of providing the Products to the Client
in accordance with, and as otherwise permitted by, the Agreement, and for any
disclosures compelled by law.
Energies Solutions LLC’s data processing activities may include the following:
● Collection: Data collection on behalf of Client directly from individuals by manual or
automated means, data collection from Client, data collection (acquired or
received) on behalf of Client from Third Parties (other than the individual or
Client).
● Creation: Creation of new data by analytics, inference, or analysis, creation of new data
via aggregation, combination, or matching.
● Transformation: Manipulation (parsing, formatting, or transformation) of data, updating, for
example, to keep data current, masking and pseudonymization to make it more
difficult to identify individuals or anonymization such that individuals cannot
be identified.
● Use: Reading data only, presenting, accessing, using, or copying data.
● Sharing with third parties, storage of data including backups, deletion of data.
Purpose(s) of the data transfer and further processing:
Energies Solutions LLC will Process
Client Personal Data for the purposes of providing the Products to the Client
in accordance with, and as otherwise permitted by, the Agreement, and for any
disclosures compelled by law.
The period for which the personal data will be retained, or, if that is not
possible, the criteria used to determine that period:
The term of the Agreement plus the
period from the expiry or termination of the Agreement until deletion of all
Client Data by Energies Solutions LLC in accordance with the Agreement.
Specific Client Personal Data may have specific data retention and deletion
policies in place (e.g., video data from dash cameras utilized by the Clients
located in the EEA, which is uploaded to the Hosted Software, has a six-month
retention policy and deletion schedule in place as a default setting, which the
Client accepts and which can be amended due to Client requirements).
For transfers to (sub-) processors, also specify subject matter, nature, and
duration of the Processing:
| | PURPOSE OF SUB-PROCESSING | PLACE OF PROCESSING |
| --- | --- | --- |
| Amazon Web Services, Inc. | Hosting services | USA; FRANCE; JAPAN; SINGAPORE |
| Chongqing Streamax Information Technology Co., Ltd | Product data analytics and hosting data processing services | P.R. CHINA |
| Sichuan Streamax Zhitong Technology Co., Ltd | Product data analytics and hosting data processing services | P.R. CHINA |
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Where the data exporter is established in an EU Member
State: The supervisory authority with responsibility for ensuring compliance by
the data exporter with Regulation (EU) 2016/679 as regards the data transfer,
shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member
State, but falls within the territorial scope of application of Regulation (EU)
2016/679 in accordance with its Article 3(2) and has appointed a representative
pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory
authority of the Member State in which the representative within the meaning of
Article 27(1) of Regulation (EU) 2016/679 is established, shall act as
competent supervisory authority.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND
ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Energies Solutions LLC, taking into account the state of the
art, the costs of implementation, and the nature, scope, context, and purposes
of the processing, as well as the risk of varying likelihood and severity for
the legally protected interests of natural persons, shall implement the
necessary technical and organizational measures to ensure a level of security
appropriate to the risk when processing personal data, in particular as regards
the processing of special categories of personal data.
These measures may include pseudonymization and encryption
of personal data, if such means are possible in view of the purposes of
processing.
In particular, Energies Solutions LLC takes steps to
restrict access to client personal data to the client, its users, and
authorized personnel and subprocessors. In addition, Energies Solutions LLC has
processes designed to protect its systems containing or accessing the client's
personal data against personal data breaches. The underlying infrastructure
leverages Amazon AWS, which is ISO 27001 and SOC 1 Type II certified. Network
devices, including firewalls and other boundary devices, are in place to monitor
and control communications at the external boundary of the network and at key
internal boundaries within the network.
The products employ a Virtual Private Cloud to provide
resource isolation and minimize attack surface area. The products are protected
by IP- and port-based firewalls. Administrative access to Energies Solutions
LLC’s infrastructure is restricted and verified by AWS Identity and Access
Management. Distributed Denial of Service (DDoS) attacks can be mitigated with
elastic load balancing and highly available DNS services.
Energies Solutions LLC implements measures designed to
enhance the physical security of its networks, servers, cloud, and other
information systems in which client data is stored, processed, transmitted, or
accessed, and to maintain them in a secure manner that satisfies the
requirements of this appendix.
ANNEX III – LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The controller has authorized the use of the following
sub-processors:
| SUBPROCESSOR | PURPOSE OF SUBPROCESSING | PLACE OF PROCESSING |
| --- | --- | --- |
| Amazon Web Services, Inc. | Hosting services | USA; FRANCE; JAPAN; SINGAPORE |
| Chongqing Streamax Information Technology Co., Ltd | Product data analytics and hosting data processing services | P.R. CHINA |
| Sichuan Streamax Zhitong Technology Co., Ltd | Product data analytics and hosting data processing services | P.R. CHINA |
Exhibit B
Hosted Software SLA
This Service Level Agreement (this “SLA”) sets forth
Energies Solutions LLC’s obligations and Client's rights with respect to the
performance of Energies Solutions LLC’s Hosted Software. This SLA is subject to
the terms of service (“Terms”) governing Client's use of Energies Solutions LLC
products and/or services, which, unless otherwise agreed between Client and
Energies Solutions LLC, apply. All capitalized terms used but not defined in
this SLA have the meaning set forth in the Terms.
Definitions: For purposes of this SLA, the following terms have the
meanings ascribed to each term below:
“Downtime” means when the Client is unable to log into the Hosted
Software dashboard due to failure(s) in the Firmware or Hosted Software, as
confirmed by both Client and Energies Solutions LLC. Please note that
individual device failures are not considered downtime but may be covered under
Energies Solutions LLC’s hardware warranty.
“Monthly Uptime Percentage” means the
total number of minutes in a calendar month minus the number of minutes of
Downtime suffered in a calendar month, divided by the total number of minutes
in a calendar month. For clarity, any Downtime caused by scheduled server
maintenance and/or system (including firmware, software, and server) upgrades
shall not be included in the calculation of Monthly Uptime Percentage.
We are pleased to offer our Clients (each a
"Client") the following 99.9% uptime SLA:
Exclusions: The Service Level Warranty does not apply to any services
that expressly exclude this Service Level Warranty (as stated in the
documentation for such services) or any outages or performance issues:
● caused by strikes (other than strikes of a party’s own employees), shortages, riots,
insurrection, fires, flood, storm, explosions, acts of God, war, governmental
action, labor conditions (other than with respect to a party’s own employees),
earthquakes, material shortages, epidemic, disease, failure of utilities or
communication or electronic systems, or any other causes that are beyond the
reasonable control of a party so long as the parties use commercially
reasonable efforts, including the implementation of business continuity
measures, to mitigate the effects of such force majeure;
● that resulted from Client's affiliation/organization, Client, and/or third-party
equipment, systems, networks, or infrastructure (not within the primary control
of Energies Solutions LLC);
● that result from failure by Client's affiliation/organization, Client, or
third-party appointed to take any remedial action in relation to the Services
as recommended by Energies Solutions LLC;
● that result from Client's affiliation/organization or Client’s unauthorized action
or lack of action when required, or from your employees, agents, contractors,
or vendors, or anyone gaining access to the Platform by means of your passwords
or equipment, or otherwise resulting from your failure to follow appropriate
security practices;
● that result from Client's affiliation/organization or Client’s failure to adhere to
any required configurations, follow the instructions, or your use of the
Platform in a manner inconsistent with the features and functionality of the
Platform (for example, attempts to perform operations that are not supported)
or inconsistent with guidance from Energies Solutions LLC;
● that result from errors or changes of input, instructions, scenarios, or arguments
incurred or initiated by Client's affiliation/organization or Client;
● that otherwise result from Client's affiliation/organization or Client’s violation
of the restrictions or responsibilities set forth in this agreement; or
● caused by any scheduled server maintenance and/or system (including firmware,
software, and server) upgrades.