Zift Platform

Terms of Service (v1.05.27.2022)

BEFORE USING THE ZIFT PLATFORM OR RECEIVE PROFESSIONAL SERVICES, PLEASE READ THESE TERMS OF SERVICE. THESE TERMS ARE INCORPORATED BY REFERENCE INTO THE ORDER FORM AND/OR STATEMENT OF WORK (“SOW”) EXECUTED BY THE PARTY IDENTIFIED AS CUSTOMER IN THE ORDER FORM (THE “CUSTOMER”) AND ZIFT SOLUTIONS, INC., AND ITS SUBSIDIARIES AND AFFILIATES (“ZIFT”). PURSUANT TO THESE TERMS, CUSTOMER SHALL RECEIVE THE RIGHT TO ACCESS AND USE THE ZIFT PLATFORM AND/OR RECEIVE PROFESSIONAL SERVICES (COLLECTIVELY REFERRED TO AS THE “SERVICES”) FROM ZIFT. THESE TERMS, THE ORDER FORM, STATEMENT OF WORK AND ALL THE SCHEDULES, TOGETHER FORM A BINDING AND EXECUTED WRITTEN AGREEMENT BETWEEN CUSTOMER AND ZIFT, EFFECTIVE AS OF THE LAST DATE OF EXECUTION OF THE ORDER FORM (THE “AGREEMENT”).

  1. Definitions. As used in this Agreement:
    1. “Authorized Partner” means any third-party sales channel partners of Customer for which Customer has purchased and approved issuance of an Authorized Partner license to enable their access and use of the Zift Platform and the Zift Content.
    2. Customer Content” means information, data, text, content, videos, images, audio clips, photos, graphics, and / or other types of content, information and/or data posted, provided and/or uploaded to the Zift Platform by Customer, or which is provided to Zift by Customer to be uploaded on their behalf as part of a professional service engagement
    3. Documentation” means text and/or graphical materials, whether in print or electronic form, that describe the features, functions training for and use of the Zift Platform and/or professional services provided by Zift.
    4. “Intellectual Property Rights” mean any and all now known or hereafter existing (a) rights associated with works of authorship, including copyrights, mask work rights, and moral rights; (b) trademark or service mark rights (c) trade secret rights; (d) patents, patent rights, and industrial property rights; (e) layout design rights, design rights, and other proprietary rights of every kind and nature other than trademarks, service marks, trade dress, and similar rights; and (f) registrations, applications, renewals, extensions, or reissues of the foregoing, in each case, in any jurisdiction throughout the world.
    5. Partner Content” means information, data, text, content, videos, images, audio clips, photos, graphics, and/or other types of content, information and/or data posted, provided and/or uploaded to the Zift Platform by an Authorized Partner through the Partner Portal or which is provided to Zift by Customer or Authorized Partner to be uploaded on their behalf as part of a professional services engagement.
    6. “Partner Portal” means the interface of the Zift Platform that Authorized Partners are able to access.
    7. Zift Content” means the owned or licensed content available to Customer and Authorized Partners through the Zift Platform, including without limitation any (i) support and training documentation whether in physical or digital format (including videos or other digital media files) or (ii) any analytics derived from aggregated anonymized inputs to and usage of the Zift Platform by its customers.
  2. Zift Platform
    1. Zift Platform. Zift shall make the Zift Platform available to Customer pursuant to the terms and conditions of this Agreement. Customer’s subscription purchase to the Zift Platform is not dependent on any future functionality or features (or any public comments or other disclosure made by Zift with respect thereto).
    2. Customer Access. Zift will make the Zift Platform available, on a subscription basis, to (a) Customer and (b) individuals who are authorized by Customer to use the Zift Platform on behalf of the Customer and who have been supplied user identification and passwords by Customer (or by Zift at Customer’s request), including employees, consultants, contractors, and agents of Customer (“Users” or “Admin Users”). Zift hereby grants Customer and its Users a limited, non-exclusive right to access the Zift Platform and receive support during the Service Term, including the specific access rights and limitations set forth in the Order Form. Professional services may be purchased by Customer at Zift’s then current rates and shall be detailed in the corresponding SOW (the “Professional Services”).
    3. Authorized Partner Access. Customer may invite Authorized Partners to access the Zift Platform through the Partner Portal using the registration process to be established during the initial implementation process, and subsequent updates to this registration process, if any. The number of Authorized Partner licenses initially purchased by Customer will be specified in a separate Order Form to be mutually agreed upon with Zift. If at any time during the Order term, Customer wishes to increase the number of Authorized Partner license, it may by either using the agreed mechanisms within the relevant Order or Zift will issue a new Order Form detailing the Fees for such new licenses. Unless specifically agreed to in the Order Form, Fees for new licenses shall renew at the prevailing rates at the time of renewal. Authorized Partners’ use of the Partner Portal, the Zift Platform and the Zift Content will be subject to the Terms of Service, as amended from time to time (the “Partner Terms of Service”).
  3. License; Customer Content; Ownership
    1. License. Subject to the terms and conditions of this Agreement, Zift grants to Customer a non-exclusive, non-transferable, worldwide, revocable, non-sublicensable right license to use the Zift Platform and the Zift Content during the Service Term.
    2. Customer Content. Customer retains all rights, title and interest in and to any Customer Content uploaded into the Zift Platform and/or provided to Zift in connection with the Professional Services (except for the Zift Content) as well as Customer’s other Confidential Information provided to Zift during the term of this Agreement and/or any related Orders. Customer is responsible for the collection of and nature of its Customer Content and its the Authorized Partner’s content. Customer acknowledges Zift’s Privacy Policy available at http://www.ZiftSolutions.com. Customer hereby grants Zift a limited license, during the term of this Agreement and any related Orders, to use the Customer Content solely in connection with the provision of the Services to be provide to Customer by Zift. Upon termination of Services by Customer shall have up to the effective date of termination, to retrieve its Customer Content from the Zift Platform. After such termination date, Zift shall have no obligation to maintain or provide any Customer Content and shall thereafter, unless legally prohibited, delete all Customer Content in Zift’s systems (the “Systems”) or otherwise in its possession or control.
    3. Zift Content. Zift shall provide Customer and the Authorized Partner access to the Zift Content. Customer: (i) will only use the Zift Content as provided by Zift; (ii) will not and infringe or misappropriate the Intellectual Property Rights Zift or of others in the Zift Content; (iii) will not use the Zift Content to violate the privacy, publicity, or other rights of third parties or any other law, statute, ordinance or regulation; (iv) will not use the Zift Platform or the Zift Content to send unsolicited email messages including unsolicited bulk emails, where such emails could reasonably be expected to provoke complaints (“spam”); (v) will not use or allow the Zift Platform or the Zift Content to become defamatory or harmful to minors, obscene, or pornographic; (vi) will not misrepresent the source of the Zift Content; and (vii) will not violate, or encourage illegal activity or any conduct that would violate, any applicable law or regulation or would give rise to civil liability. Customer will ensure that Authorized Partners comply with the terms of this Section when using the Zift Content.
    4. Service Level Agreement. The service levels applicable to the Zift Platform are set forth in Schedule A (Service Level Agreement).
    5. Zift Property. The Zift Platform, the Zift Content, the Documentation, the Services, and all worldwide Intellectual Property Rights in each of the foregoing and in all derivative works of each of the foregoing, including any analytics generated from the use of the Zift Platform, are the exclusive property of Zift and its licensors (the “Zift Property”). Except for the license granted hereunder, nothing in this Agreement gives Customer any right, title or interest to the Zift Property.
  4. Customer Responsibilities.
    1. Credentials. Customer shall ensure that its Users protect their unique user identification name and not make them available to persons or entities not authorized to use the Services. Zift will only store user’s passwords in encrypted form. Zift personnel will not be able to read User’s passwords.
    2. Security Breach. Customer will notify Zift immediately if it learns of any unauthorized use of the Zift Platform or any other known or suspected breach of security, including as outlined in Schedule B (Data Processing Agreement). Zift reserves the right to take any action Zift deems necessary or reasonable to ensure the security of the Zift Platform and Customer’s account, including suspending Customer’s access, changing passwords, or requesting additional information to authorize activities related to Customer’s account.
    3. Use Guidelines. Customer and its Users shall use the Zift Platform for internal business purposes as contemplated by this Agreement and shall not: (i) wilfully tamper with the security of the Zift systems (the “Systems”) or tamper with other customer accounts of Zift, (ii) access data on the Systems not intended for Customer, (iii) log into a server or account on the Systems that Customer is not authorized to access or otherwise translate any underlying software in the Zift Platform in such a manner that it appears to be part of Customer’s own or a third party website, (iv) attempt to probe, scan or test the vulnerability of any Systems or to breach the security or authentication measures without proper authorization; (v) wilfully render any part of the Systems unusable; (vi) lease, distribute, license, sell or otherwise commercially exploit the Zift Platform or make the Zift Platform available to a third party other than as contemplated in this Agreement; (vii) attempt to reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas or algorithms in the Zift Platform; (viii) share the Zift Platform with any third party not explicitly authorized by Zift or otherwise for the benefit of a third party; (ix) provide to third parties any evaluation version of the Zift Platform without Zift’s prior written consent; or (x) deep link to any page of the Zift Platform or otherwise link in a manner that bypasses Zift’s homepage for the Zift Platform.
    4. Restrictions. Customer will not directly or indirectly use the Zift Platform or the Zift Content to create, or assist a third party to create, any software, service, product or solution that competes with the Zift Platform.
  5. Fees and Payment.
    1. Fees. Customer shall pay to Zift the fees specified in the Order Form and/or SOW (the “Fees”). Except as otherwise provided in the Order Form or SOW (i) all Fees are quoted and payable in US currency and all payment obligations are non-cancellable; and Fees are non-refundable; (ii) Fees will be invoiced in advance; and (iii) Fees are due within 30 days from the invoice date. In the event of nonpayment of Fees, Customer agrees to pay the cost of collection including reasonable attorneys’ fees and costs. Any payment not received from Customer by the due date shall accrue (except with respect to charges then under reasonable and good faith dispute), at the lower of 1.5% or the maximum rate permitted by law of the outstanding balance per month from the date such payment is due until the date paid. If Customer’s account is 30 days or more overdue (except with respect to charges then under reasonable and good faith dispute), in addition to any other rights and remedies (including the termination rights set forth in this Agreement), Zift reserves the right to suspend the Customer and/or its Authorized Partner’s access to the Zift Platform (upon prior written notice) without liability to Zift until such account is paid in full.
    2. Taxes. Customer shall be responsible for all sales, use, value added, withholding or other taxes or duties, payable with respect to its purchases hereunder, other than Zift’s income taxes. If Zift pays any such taxes on the Customer’s behalf, Customer agrees to reimburse Zift for such payment unless Customer provides Zift with a valid exemption certificate authorized by the appropriate taxing authority.
  6. Confidentiality.
    1. As used herein, “Confidential Information” means all confidential information of a party (“Disclosing Party“) disclosed to the other party (“Receiving Party“) that is either designated in writing as confidential or due to its subject or content would reasonably be considered confidential in nature. For the avoidance of doubt, the Zift Platform, Zift Content, the terms and conditions of this Agreement, and any Order Form or SOWs as agreed between the parties shall be considered Confidential Information. Confidential Information shall not include information which: (a) is known publicly; (b) is generally known in the industry before disclosure; (c) has become known publicly, without fault of the Receiving Party, subsequent to disclosure by the Disclosing Party; or (d) has been otherwise lawfully known or received by the Receiving Party. The Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement, except with the Disclosing Party’s prior written permission. The Receiving Party agrees to keep confidential all Confidential Information disclosed to it by the Disclosing Party, and to protect the confidentiality thereof in the same manner as it protects the confidentiality of its own (at all times exercising at least a reasonable degree of care in the protection of Confidential Information). If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. The Receiving Party agrees that monetary damages for breach of confidentiality hereunder may not be adequate and that, if necessary, the Disclosing Party shall be further entitled to injunctive relief.
    2. Confidentiality of Agreement. Neither party will disclose any terms of this Agreement to anyone other than its attorneys, accountants, and other professional advisors under a duty of confidentiality.
  7. DATA PROTECTION
    To the extent Zift processes any personal identifiable information (“PII”) under this Agreement, Zift and Customer shall comply with their respective obligations outlined in Schedule B (Data Processing Agreement) attached hereto. Any PII that constitutes Confidential Information shall be subject to the terms of Schedule B, attached hereto.
  8. Warranties.
    1. Warranties by Both Parties. Each party represents and warrants that: (i) it has full power and authority to enter into and perform this Agreement; (ii) the person signing this Agreement on such party’s behalf has been duly authorized and empowered to enter into this Agreement; and (iii) that it will perform its obligations or exercise its rights hereunder in conformance with all applicable laws, rules, regulations and guidelines, including, without limitation, those related to privacy and data security.
    2. Customer’s Warranties. Customer represents, and warrants Customer has all rights and licenses necessary to upload the Customer Content and to grant the User and Authorized Partner licenses granted hereunder. In addition, Customer represents, warrants that the Customer Content: (i) will not and do not infringe or misappropriate the Intellectual Property Rights of others;(ii) will not and do not violate the privacy, publicity, or other rights of third parties or any other law, statute, ordinance or regulation; (iii) are not and will not become defamatory or harmful to minors, obscene, or pornographic; (iv) will not and do not misrepresent the source of the Customer Content; (v) will not violate, or encourage anyone to use the Zift Platform to conduct illegal activity or any conduct that would violate, any applicable law or regulation or would give rise to civil liability and (vi) will not contain any contain any Malicious Code, as such term is defined below
    3. Zift Warranties. Zift warrants that the Zift Platform will operate in a manner consistent with general industry standards reasonably applicable to the provision hereof and in substantial conformity with the then current version of any applicable Documentation. Zift also warrants that the Zift Content is the property of Zift, or that it has the proper licenses to use and sub-license the Zift Content.
    4. Data Security and Warranty. Zift has implemented Appropriate Security Measures and maintains the Zift Platform at reputable third-party Internet service providers and co-location facilities. “Appropriate Security Measures” means commercially reasonable efforts to ensure that the Customer Content will be maintained accurately as well as technical and physical controls to protect Customer Content against destruction, loss, alteration, unauthorized disclosure to third parties or unauthorized access by employees or contractors employed by Zift, whether by accident or otherwise in accordance with Schedule C attached hereto.
    5. Additional Warranties. Zift represents and warrants that: (i) the Professional Services will be provided in a professional, timely and workman like manner by persons with the proper skill, training and background, and consistent with generally accepted industry standards; (ii) the Professional Services will comply with all written specifications; (iii) the Professional Services will be free of material defects; (iv) Zift’s technology shall not deliver any viruses, Trojan horses, trap doors, back doors, Easter eggs, worms, time bombs, cancelbots or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate the contents of any databases and/or the normal operation of any computer systems (“Malicious Code”); (v) at the time of delivery, all documentation required hereunder (if any) shall be complete so as to enable Customer’s personnel with ordinary skills and experience to utilize the Zift Platform and the Professional Services for the purposes for which they are being acquired by Customer, (vi) Zift will at all times utilize reasonable and appropriate practices and technologies common and prevalent in Zift’s industry to avoid causing damage to Customer’s computer systems or other technology; and (vii) Zift will comply with all applicable laws and regulations.
    6. Disclaimer of Warranties. Except as expressly provided herein, Customer acknowledges and agrees that the Services are provided on an “As Is”, as available basis. Other than as expressly provided herein, ZIFT DISCLAIMS WARRANTIES, WHETHER EXPRESSED, IMPLIED, STATUTORY OR OTHERWISE AND SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE CONDITIONS AND/OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PURPOSE TO THE MAXIMUM EXTENT PERMITTED BY LAW. ZIFT DOES NOT WARRANT THAT THE ZIFT PLATFORM, OR THE PROFESSIONAL SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR THAT THEIR OPERATION WILL BE UNINTERRUPTED OR ERROR-FREE. FURTHER, ZIFT DOES NOT WARRANT THAT ALL ERRORS CAN BE CORRECTED.
  9. INDEMNIFICATION.
    1. Zift Indemnity. Zift shall defend, indemnify, and hold harmless (at Zift’s expense), Customer and its officers, directors and employees from and against any claims, suits, or proceedings brought by a third party (“Claims”) and all expenses, damages, costs, and liabilities relating thereto (including reasonable attorneys’ fees) (“Losses”), in each case alleging that Customer’s use of the Zift Platform in accordance with the Documentation infringes any Intellectual Property rights of a third party. In the event that the Zift Platform or any part thereof is likely to, in Zift’s sole opinion, or do become the subject of an infringement related Claim, and Zift cannot, at its option and expense, procure for Customer the right to continue using the Zift Platform, or any part thereof, or modify the Zift Platform, or any part thereof, to make them non‑infringing, then Zift may terminate this Agreement with notice to Customer and will provide the Customer with a refund of any pre-paid fees for the unexpired portion of the remaining subscription term. Zift shall have no liability for any Claim or demand arising from (i) the use or combination of the Zift Platform or any part thereof with software, hardware, or other materials not developed or authorized by Zift if the Zift Platform or use thereof would not infringe without such combination; (ii) modification of the Zift Platform not authorized by Zift or performed by a party other than Zift, if the use of unmodified Zift Platform would not constitute infringement; (iii) caused by the Customer Content. The foregoing states Zift’s entire liability and Customer’s exclusive remedy for Intellectual Property rights infringement.
    2. Customer Indemnity. Customer agrees to indemnify, defend and hold Zift harmless against any loss, damage or costs (including reasonable attorney’s fees) incurred in connection with Claims made or brought against Zift by a third party arising from or relating to the Customer’s Content or the negligent use of the Zift Content or the Zift Platform by Customer and its Authorized Partners.
    3. Mutual Provisions. Each party’s indemnity obligations are subject to the following: (i) the aggrieved party shall promptly notify the indemnifier in writing of the Claim; (ii) the indemnifier shall have sole control of the defense and all related settlement negotiations with respect to the Claim (provided that the indemnifier may not settle or defend any Claim unless it unconditionally releases the aggrieved party of all liability); and (iii) the aggrieved party shall cooperate fully to the extent necessary, and execute all documents necessary for the defense of such Claim.
  10. Limitation of Liability.EXCEPT FOR DAMAGES ARISING FROM BREACHES OF CONFIDENTIALITY, EITHER PARTY’S INDEMNIFICATION OBLIGATIONS, OR ANY CLAIMS ARISING OUT OF GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT SHALL EITHER PARTY’S LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY EXCEED THE AMOUNT PAID OR PAYABLE BY CUSTOMER HEREUNDER IN THE TWELVE MONTHS PRECEDING THE INCIDENT GIVING RISE TO LIABILITY. IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
    No action against either party arising out of these Terms may be brought by the other party more than two years after the cause of action becomes known.
  11. TERM AND TERMINATION.
    1. Term. Customer’s initial term for the Zift Platform shall commence on the start date as identified on the relevant Order Form(s), or, if none is provided in the Order Form, the day User credentials are issued to Customer (the “Start Date”). The Services will continue for the term specified in the Order Form (the “Term”) and may be renewed as detailed in the Order Form. This Agreement shall remain in effect until all Services have expired and it is terminated in accordance with the terms provided herein.
    2. Termination. This Agreement and the Services may be terminated by either party for cause: (a) upon 30 days written notice of a material breach to the other party if such breach remains uncured at the expiration of such period; or (b) if either party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
    3. Early Termination. If Customer wishes to terminate the Services prior to the expiration of the then current Term and such termination is not due to Zift’s breach, all Fees that would otherwise be due up until the expiration of the Term in effect at the time, including any applicable taxes shall be due and payable within thirty (30) days of the effective date of termination and no refunds for pre-paid Fees will be provided. The parties agree that these early termination charges are a reasonable estimate of anticipated actual damages and not a penalty. Professional Services may be terminated in accordance with the SOW.
    4. Survival. Sections 3, 4, 5, 6, 7, 8, 10, 11, and 12 shall survive the termination of the Agreement.
  12. GENERAL PROVISIONS
    1. This Agreement, inclusive of the Order Forms, SOW, Schedules and any amendments or additions thereto, constitutes the entire agreement and sets forth the entire understanding between Customer and Zift with respect to the subject matter hereof and supersedes all prior agreements and discussions with respect thereto.
    2. Customer agrees that any Order Form or SOW referenced to this Agreement, for which Customer issues a purchase order (“P.O.”) or provides written approval and authorization to Zift (e.g. via email confirmation) in lieu of a physical or digital signature, shall constitute the same authority and enforcement rights for Zift as if the Order Form or SOW was signed by an authorized representative of the Customer. This Agreement shall supersede any printed terms and conditions included in any P.O. issued by Customer.
    3. Customer agrees that Zift may use Customer’s name and logo on Zift’s website, and as a part of a general list of Zift’s customers for use and reference in corporate, promotional and marketing literature.
    4. The parties to this Agreement are independent contractors and this Agreement does not create a joint venture or partnership between the parties; no party is by virtue of this Agreement authorized as an agent, employee or representative of the other party.
    5. Neither party shall assign its rights or delegate its duties under this Agreement either in whole or in part without the prior written consent of the other party, except to a party that acquires all or substantially all of the assigning party’s assets as part of a corporate reorganization, merger or acquisition, provided the assignee agrees in writing to be bound by the terms of this Agreement, and is not a direct competitor of Customer. This Agreement will bind and inure to the benefit of each party’s successors and permitted assigns.
    6. Any waiver of any right or remedy under this Agreement must be in writing and signed by each party. No delay in exercising any right or remedy shall operate as a waiver of such right or remedy or any other right or remedy. A waiver on one occasion shall not be construed as a waiver of any right or remedy on any future occasion. The rights and obligations of the parties and all interpretations and performance of this Agreement shall be governed by and construed in accordance with the laws of the State of New York, USA, without regard to conflicts of laws principles. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the City of New York in the State of New York, USA, and all courts competent to hear appeals there from.
    7. The parties agree that the provisions of the United Nations Convention on Contracts for the International Sale of Goods do not apply to this Agreement. The parties waive any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement.
    8. No modification, amendment or addition to this Agreement is valid or binding unless set forth in writing and fully executed by both parties hereto. However, notices regarding new or modified documentation, including but not limited to Zift’s Service Level Agreement, Privacy Policy and other internal documents that have not been explicitly negotiated with the Customer, will become effective and will be deemed accepted by Customer, (a) immediately for those new Customers who purchase the Services after the updated version is published on Zift’s website, or (b) for those having pre-existing accounts, the updated Terms of Service will be deemed effective with Customer’s continued use of the Service.
    9. Notices regarding: (a) material changes to this Agreement; (b) internal or external changes materially impacting Zift’s ability to do business; (c) breach; (d) termination; or (e) any other material information required to be in writing, will be in writing and deemed to have been given if delivered personally, by confirmed email to legal@ziftsolutions.com , or on the third day after mailing by first-class, registered or certified mail, postage prepaid to either party at the address provided by Customer in the Order Form; for Zift at: 6501 Weston Parkway, Suite 200, Cary, NC 27539, attention: CEO and CFO; or to such other address as a party may, from time to time, communicate to the other party.
    10. If any provision of this Agreement is held to be unenforceable or illegal by a court of competent jurisdiction, such provision shall be modified to the extent necessary to render it enforceable, or shall be severed from this Agreement, and all other provisions of this Agreement shall remain in full force and effect.

Schedule A

Zift Service Level Agreement

This Zift Service Level Agreement (“Service Level Agreement” or “SLA”) outlines the service level performance targets applicable to the Zift Platform.

  1. Definitions
  • Downtime” means that the Zift Platform are offline and unavailable for the Customer’s use. Downtime excludes downtime and unavailability resulting directly or indirectly from any Service Level Exclusion.
  • Monthly Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime suffered in such calendar month, divided by the total number of minutes in the calendar month. The applicable formula is:

 

Monthly Uptime Percentage = ( (Total Minutes in Month) – (Total Minutes of Downtime) ) X 100
(Total Minutes In Month)

 

For any partial calendar month during which the applicable Customer has access to the Zift Platform, the Monthly Uptime Percentage shall be calculated based on the entire calendar month, not just the portion for which the Customer has access to the Zift Platform. The determination of whether the Zift Platform is available will be made in good faith by Zift based on monitoring performed by Zift.

  • Service Level Credit” means the credit provided by Zift in accordance with Section 2 (Subscription Service Availability and Credits) below.
  • Service Level Exclusions” Downtime does not include unavailability, suspension or termination of the Zift Platform that result from: (a) termination or suspension of the Zift Platform described in Section 10.4 (Suspension of Services) of the Agreement; (b) factors outside of Zift’s reasonable control, including force majeure events, denial of service attacks, or Internet access or related problems beyond the demarcation point of Zift and its third party hosting providers; (c) any actions or inactions of Customer or any third party; (d) Customer infrastructure, equipment, software or other technology and/or third party equipment, software or other technology or Customer’s use of the Zift Platform in a manner inconsistent with the Documentation; (e) any scheduled maintenance of the Zift Platform occurring in the ordinary course of business; (f) Zift’s suspension and termination of a Customer’s right to use the Zift Platform in accordance with the Agreement; or (g) license restrictions or other limitations as set forth in each Order Form.
  1. Subscription Service Availability and Credits
  • Service Levels. Zift will use commercially reasonable efforts to make the Zift Platform available with a Monthly Uptime Percentage of at least 99.5% during any calendar month (the “Availability Service Level”). In the event Zift does not meet the Standard Availability Service Level (a “Service Level Failure”), Customer will be eligible to receive a Service Level Credit as described below.

Standard Service Levels

Monthly Uptime Percentage Service Level Credit Percentage
Less than 99.5% but equal to or greater than 98.5% 5%
Less than 98.5% but equal to or greater than 97.5% 10%
Less than 97.5% but equal to or greater than 96% 20%
Less than 96% 30%

 

  • Calculation of the Credit. Service Level Credits are calculated by multiplying (x) the applicable Service Level Credit Percentage by (y) the product of the total annual Subscription Fees (as defined in an Order Form) actually paid by Customer to Zift for the Zift Platform under an affected Order Form divided by twelve (12) months.
  • Maximum Service Level Credit. The Service Level Credits awarded in any month shall not, under any circumstance, exceed thirty percent (30%) of the total Subscription Fees actually paid by Customer to Zift for access to the Zift Platform under the affected Order Form for the affected month.
  1. Service Level Credit Request and Payment Procedures
  • Requesting a Service Level Credit. To receive a Service Level Credit, Customer must submit a claim by email to service@ziftsolutions.com (a “Service Level Credit Request”). To be eligible, the Service Level Credit Request must be received by Zift within ninety (90) days of the occurrence of the Service Level Failure and must include: (a) the words “Service Level Credit Request” in the subject line; and (b) the dates and times of each Service Level Failure that Customer is claiming, including the dates and times of the Downtime that caused the Service Level Failure.
  • Issuance of Service Level Credits. If the Monthly Uptime Percentage of such request is confirmed by Zift and is less than the applicable Availability Service Level, then Zift will issue the Service Level Credit to Customer within thirty (30) days following the month in which Customer’s request is confirmed by Zift. Customer’s failure to provide the request and other information as required above will disqualify Customer from receiving a Service Level Credit. Zift will notify Customer of the amount of any Service Level Credit, which shall be applied against future amounts owed by Customer. Service Level Credits will not entitle Customer to any refund or other payment from Zift. Service Level Credits are not payable in cash and will only be applied against future amounts owed by Customer to Zift.
  • Sole and Exclusive Remedy. The Service Level Credit is Customer’s sole and exclusive remedy and Zift’s sole and exclusive liability for a Service Level Failure.
  • Notwithstanding the above, should Zift fail to achieve at least 95% general availability over two consecutive calendar quarters, Customer shall have the option to terminate the Services for cause, in which case Zift will refund to Customer any prepaid fees for the remainder of its Term after the effective date of termination.

Schedule b

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between Zift and Customer (collectively the “Party” or “Parties” to the Agreement and this DPA) and shall be effective on the date both parties execute the Agreement.  All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

With respect to the Processing of Personal Data, the parties agree as follows:

  1. As used in this DPA:
    • “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.
    • “Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data Processed by Zift or a Sub-processor.
    • “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
    • “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
    • “Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including, where and to the extent applicable, GDPR and CCPA.
    • “EEA” means, for the purposes of this DPA, the member states of the European, as well as Iceland, Liechtenstein, and Norway.
    • “EU Standard Contractual Clauses” means the standard contractual clauses annexed to Commission Implementing Decision (EU) (2021/914) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant Regulation (EU) 2016/679 of the European Parliament and of the Council, as entered into by the parties under this DPA.
    • “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any EU member state law implementing the same, and for the purpose of this DPA includes the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
    • “Personal Data” means any information relating to an identified or identifiable natural person, including information that constitutes “personal information” under CCPA or other Data Protection Laws, that is included in Customer Inputs and that Zift Processes on behalf of Customer in the course of providing the Services (as defined herein).
    • “Processing” has the meaning given to it in the Data Protection Laws and “process,” “processes” and “processed” shall be interpreted accordingly.
    • “Services” means the products and services described in the Agreement and any Order Form, Statement of Work, or Schedule, including Zift Analytics, Zift Platform, Customer use of Zift Technology, and professional services.
    • “Sub-processor” means any Data Processor engaged by Zift to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
    • “UK Standard Contractual Clauses” means the standard contractual clauses published pursuant to the European Commission Decision of February 2010 (2010/87/EU) for the transfer of personal data to processors established in third countries under Directive 95/46/EC, as modified by the UK Information Commissioner and entered into by the parties under this DPA.
  2. Relationship with the Agreement.
    • The parties agree that this DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein the parties may have previously entered into in connection with Services.
    • Except for the changes made by this DPA, the Agreement remains in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the conflict.
    • Any claims brought by the parties under or in connection with this DPA are subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Agreement, provided that in no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
    • Except as may be otherwise provided pursuant to Zift’s compliance with applicable data transfer mechanisms in Section 9, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
    • This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
  3. Roles of the Parties; Processing of Personal Data by Customer and Zift.
    • As between Zift and Customer, Customer is the Data Controller of Personal Data and Zift is the Data Processor of Personal Data. Zift shall Process Personal Data only as a Data Processor acting at Customer’s direction. Zift shall not retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services as described in the Agreement and this DPA, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services.
    • Customer acknowledges that an Authorized Partner of Customer may upload Personal Data (such as contact data for sales leads) to the Zift Platform through the Partner Portal in connection with the Authorized Partner’s use of the Services, and that Zift will Process that Personal Data on the Authorized Partner’s behalf in accordance with the terms of a separate agreement between Zift and the Authorized Partner. The Authorized Partner may choose to make certain of that Personal Data available to Customer through the Zift Platform (such as when the Authorized Partner registers a sales lead or deal with Customer), in which case: (a) Customer acknowledges that the Authorized Partner and Customer are each Data Controllers with respect to that Personal Data, and (b) notwithstanding any terms in this DPA, Zift will also process that Personal Data at that Authorized Partner’s direction in accordance with that separate agreement.
    • Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Zift; and (ii) it has provided notice and obtained all consents and rights necessary under Data Protection Laws for Zift to Process Personal Data and provide the Services. Customer shall immediately notify Zift and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.
    • Zift shall Process Personal Data only for the purposes described in the Agreement or in accordance with Customer’s other documented lawful instructions unless Processing is required by applicable law, in which case Zift shall to the extent permitted by applicable laws inform Customer of that legal requirement before the relevant Processing. Customer hereby instructs Zift to Process Personal Data as necessary in order to provide and improve the Services, to fulfill its obligations under the Agreement and this DPA, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, and technical support.
    • The details of the Processing of Personal Data, including the subject matter, duration, nature, and purposes of the Processing; the categories of Data Subjects; and the types of Personal Data are set forth in Schedule 1 to this DPA.
  4. Data Security. Each Party shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage. Zift shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Personal Data and Processing systems, in accordance with Zift’s security standards, including, the security measures described in Schedule 2 to this DPA. Notwithstanding the above, Customer agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or backup Personal Data, as well as the security obligations outlined in the Agreement.
  5. Data Breach Response. Zift shall notify Customer without undue delay and no later than 48 hours after becoming aware of any Data Breach. Zift shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as Zift deems necessary and reasonable in order to remediate the cause of such Data Breach. Zift shall provide information related to the Data Breach as it becomes available to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with Data Protection Laws.
  6. Confidentiality of Data Processing. Zift shall ensure that any person who is authorized by Zift to Process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality.
  7. Return or Deletion of Data. Upon termination or expiration of the Agreement, Zift shall (at Customer’s election) delete or return, if feasible, to Customer all Personal Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent Zift is required by applicable law to retain some or all of the Personal Data; (ii) if Zift is Processing the Personal Data on behalf of an Authorized Partner acting as a co-Data Controller pursuant to a separate data protection agreement; or (iii) to Personal Data Zift has archived on back-up systems, which will be deleted in accordance with Zift’s standard data retention policies and procedures. In all such cases, Zift shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. The terms of this DPA shall survive for so long as Zift continues to retain any Personal Data.
  8. Sub-processing. Customer agrees that this DPA constitutes Customer’s written general authorization for Zift to engage Sub-processors to Process Personal Data on Customer’s behalf, including the Sub-processors. Zift shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Personal Data in accordance with this DPA; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Zift to breach any of its obligations under this DPA; and (iv) notify Customer in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this DPA, which may be done by email or through another mechanism made available by Zift to Customer that enables Customer to receive such notifications. Customer must raise any objection to such Sub-processors within thirty (30) calendar days of Zift’s notification. Customer’s objection shall only be effective if submitted to Zift in writing, specifically describing Customer’s reasonable belief that Zift’s proposed use of the Sub-processor(s) will materially, adversely affect Customer’s compliance with applicable Data Protection Laws. In any such case, the parties will make reasonable efforts to reconcile the matter. In the event Customer’s concern cannot be resolved, Zift may terminate the Agreement with no penalty and Customer shall immediately pay all fees and costs accrued or payable to Zift prior to the effective date of termination.
  9. International Transfers.
    • Zift may Process Personal Data anywhere in the world where Zift or its Sub-processors maintain data Processing operations. Zift shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws.
    • To the extent Zift’s performance or Customer’s use of the Services requires the transfer of Personal Data from within the EEA or Switzerland to the United States or any other country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data (an “EEA Restricted Transfer”), Zift and Customer hereby enter into the EU Standard Contractual Clauses under Module 2 (Transfer Controller to Processor), which are incorporated by reference herein and will apply to the EEA Restricted Transfer(s), and are hereby completed as follows:
      • Customer is the “data exporter” and Zift is the “data importer.”
      • For the purpose of Section II, Clause 8.1, the Agreement and this DPA constitute the final and complete instructions to Zift for the Processing of Personal Data as of the date of this DPA. Any additional or alternate instructions must be mutually agreed upon separately in writing and signed by both parties.
      • For the purpose of Section II, Clause 8.9, the parties agree that any audits or inspections will be conducted in accordance with Section 13 (“Information to Demonstrate Compliance; Audits and Inspections”) of this DPA.
      • For the purpose of Section II, Clause 9, the parties select Option 2 and agree that Zift may engage Subprocessors in accordance with Section 8 (“Sub-processing”) of this DPA.
      • For the purpose of Section IV, Clause 17, the parties select Option 2, and if the data exporter’s Member State does not allow for third-party beneficiary rights, then the law of Ireland shall apply.
      • For the purpose of Section IV, Clause 18, the parties agree that disputes arising from the Standard Contractual Clauses shall be resolved by the courts of Ireland.
      • Annex I is deemed to be completed with the details set out in Schedule 1 to this DPA.
      • Annex II (Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data) is deemed to be completed with the Technical and Organizational Security Measures set out in Schedule 2 to this DPA.
      • If and to the extent an EEA Restricted Transfer involves Personal Data originating from Switzerland and is subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”), the EU Standard Contractual Clauses are deemed to be supplemented with an additional annex that provides as follows:
    • for purposes of Clause 13 and Annex I.C, the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner;
    • the term “member state” as used in the EU Standard Contractual Clauses must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18.c;
    • references in the EU Standard Contractual Clauses to the GDPR should be understood as references to the FADP; and
    • until entry into force of the revised FADP of 25 September 2020, the EU Standard Contractual Clauses also protect the data of legal entities.
      • In the event of any conflict between this DPA and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will prevail with respect to any EEA Restricted Transfer.
    • To the extent Zift’s performance or Customer’s use of the Services requires the transfer of Personal Data from within the United Kingdom to the United States or any other country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data (a “UK Restricted Transfer”), the terms of this Section 3 will apply.
      • When the parties are lawfully permitted to rely on the UK Standard Contractual Clauses to conduct the UK Restricted Transfer, Zift hereby enters into the UK Standard Contractual Clauses, which are incorporated by reference herein, with Customer. For the purpose of any such UK Restricted Transfer, the UK Standard Contractual Clauses will be completed as follows:
    • Customer will be considered the “Data Exporter” and Zift will be considered the “Data Importer.”
    • References in the UK Standard Contractual Clauses to “the law of the Member State in which the data exporter is established” shall hereby be deemed to mean “the law of the United Kingdom”; and any other obligation in the UK Standard Contractual Clauses determined by the law of the Member State in which the data exporter is established shall hereby be deemed to refer to an obligation under UK data protection laws.
    • The details of Appendix 1 are set forth in Schedule 1.
    • The details of Appendix 2 are set forth in Schedule 2.
      • When Section 3.1 of this Addendum does not apply, but the parties are lawfully permitted to rely on the EU Standard Contractual Clauses to conduct UK Restricted Transfers, subject to the completion and execution of a “UK Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018 (“UK Addendum”), then Zift hereby enters into the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference herein, with Customer with respect to such UK Restricted Transfers. For the purpose of any such UK Restricted Transfer, the EU Standard Contractual Clauses will be completed as set forth in Section 9.2, subject to the amendments specified by the UK Addendum.
      • When neither Section 3.1 nor Section 9.3.2 of this Addendum apply, then Zift shall cooperate with Customer to promptly implement appropriate safeguards for the UK Restricted Transfer as required or permitted by the UK GDPR.
  10. Data Protection Authority Inquiries. Zift shall provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Agreement and this DPA. In the event that any such request is made directly to Zift, Zift shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Zift is required to respond to such a request, Zift shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
  11. Individual Rights and Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Personal Data, or block or restrict Processing of Personal Data, then at Customer’s written direction and to the extent required by Data Protection Laws, Zift shall comply with any commercially reasonable request by Customer to facilitate such actions. To the extent legally permitted, Customer shall be responsible for any costs arising from Zift’s or its Sub-processors’ provision of such assistance. Zift shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. Zift shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a data subject’s request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently. To the extent legally permitted, Customer shall be responsible for any costs arising from Zift’s provision of such assistance.
  12. Data Protection Impact Assessments; Prior Consultations with Data Protection Authorities. Upon Customer’s written request, Zift shall provide Customer with commercially reasonable cooperation and assistance as needed to fulfil Customer’s obligation under any Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information and such information is available to Zift.   Zift shall provide reasonable assistance to Customer in the cooperation or prior consultation with a data protection authority, to the extent such consultation is required under any Data Protection Laws.
  13. Information to Demonstrate Compliance; Audits and Inspections.
    • Zift shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Personal Data, including responses to information security reviews, that are necessary to confirm Zift’s compliance with this DPA.
    • Zift shall cooperate with audits and inspections performed by Customer or a vendor of Customer reasonably acceptable to Zift that are necessary to confirm Zift’s compliance with this DPA, provided however, that any such audit or inspection: (i) may not be performed unless necessary to determine Zift’s compliance with this DPA and Customer reasonably believes that Zift is not complying with this DPA; (ii) must be conducted at Customer’s sole expense and subject to reasonable fees and costs charged by Zift; (iii) conducted at a date and time and for a duration mutually agreed by the parties; and (v) must be performed in a manner that does not cause any damage, injury, or disruption to Zift’s premises, equipment, personnel, or business. Notwithstanding the foregoing, Zift will not be required to disclose any proprietary or privileged information to Customer or an agent or vendor of Customer. Customer shall not exercise its rights under this Section more than once per year.
  14. Law Enforcement and Other Governmental Requests. If a law enforcement or other governmental agency sends Zift a demand for Personal Data (for example, through a subpoena or court order), Zift may attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Zift may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Zift shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Zift is legally prohibited from doing so. Zift will not voluntarily disclose Personal Data in response to a request or demand from a law enforcement or governmental agency unless compelled to do so by applicable law to which Zift is subject.
  15. Customer Obligations. Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to Zift so that Zift may lawfully use, process, and transfer the Personal Data in accordance with the Agreement on the Customer’s behalf, and acknowledges that Zift is reliant on Customer for direction as to the extent to which Zift is entitled to use and process Personal Data. The Customer shall not provide to Zift any “Sensitive Data” or “Special Categories” of Personal Data as defined by GDPR and any national laws adopted pursuant to GDPR, including racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, or the commission or alleged commission of any crime or offense.

DPA – SCHEDULE B-1

DETAILS OF THE PROCESSING

  1. List of Parties

The data exporter is Customer, acting as a Controller and using the Services provided by Zift, including the Zift Platform, pursuant to the Agreement.

The data importer is Zift, acting as a Processor and the provider of Services used by Customer pursuant to the Agreement.

  1. Description of Transfer

Categories of Data Subjects

The Categories of Data Subjects may include the following:

  • Employees, contractors, and contact persons of:
    • Customer
    • Customer’s Authorized Partners
  • Prospects and customers of Customer and Authorized Partners who are natural persons and who will receive communications and content on Customer’s behalf through the use of the Services.

Types of Personal Data

The Personal Data may include the following categories of data:

  • Business contact details
  • Personal contact details
  • Social media identifiers
  • Professional information such as job function, title, and employee identification number; and user enrolment in the Services
  • Device information, such as device identifiers
  • Analytics information, such as cookie IDs and data concerning internet usage and engagement with communications

The Personal Data will not contain any sensitive or special categories of data.

Nature and Purposes of Processing

Zift will Process Personal Data as necessary to perform the Services under the Agreement, including for the purposes of: (a) setting up, operating, monitoring, and providing the Services; (b) communicating with Customer Users; and (d) executing other agreed-upon written instructions of Customer.

Period for which Personal Data Will be Retained

Personal Data will be retained for the duration of the Agreement and subject to Section 7 (Return or Deletion of Data) of the DPA.

Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Transfers will be made on a continuous basis

For transfers to Subprocessors, the subject matter, nature, and duration of the processing

The subject matter, nature, and duration of processing undertaken by Subprocessors will be the same as set forth in the DPA and this Schedule 1 with respect to Zift.

  1. Competent Supervisory Authority

Under the EU Standard Contractual Clauses entered by the parties pursuant to the DPA under Module 2 (Transfer Controller to Processor), the supervisory authority will be the competent supervisory authority that has supervision over Customer in accordance with Clause 13 of the EU Standard Contractual Clauses. 

SCHEDULE C

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Zift has implemented and shall maintain an information security program designed to protect against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage, including the measures described below.

Physical Security Controls – policies, procedures, and physical and technical controls designed to limit physical access to information systems and facilities in which they are housed to properly authorized persons, including:

  • A badge-based access control system to control physical access and movement into and throughout Zift’s facilities; and
  • Processes and procedures to promptly remove facility access rights from terminated personnel.

Access Controls – policies, procedures, and technical controls to ensure that all members of Zift’s workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access, including:

  • Role-based access policies that restrict user access to systems and resources based on job responsibilities;
  • Processes to grant and revoke access rights based on business need, and to regularly review user access rights to ensure ongoing alignment with business needs;
  • Strong authentication procedures for production environments that require a username, password, and multifactor authentication; and
  • The use of firewall and intrusion detection systems to log access events for review by authorized Zift personnel.

Security Awareness and Training – a security awareness and training program for members of Zift’s workforce (including management), which includes training on how to implement and comply with Zift’s security program, and which all workforce members are required to undergo upon initial hire and annually thereafter.

Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including:

  • deployment of an intrusion detection system to log access events and to monitor and restrict inbound internet traffic;
  • documented procedures to identify, escalate, and respond to suspected or known security incidents, mitigate harmful effects of security incidents; and
  • documented procedures to analyze the root cause of security incidents and to implement changes to existing controls, where appropriate, to better respond to future threats.

Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including:

  • documented business continuity and disaster recovery plans that include procedures to restore data and the functionality of affected systems, including procedures to rebuild systems, update software, install patches, and change configurations, as needed;
  • documented policies and procedures for the backup and recovery of data maintained in cloud-based environments, including periodic backups of production services, files, and databases, and the storage of backups in a separate data center; and
  • periodic testing of Zift’s business continuity and disaster recovery plans.

Device and Media Controls – policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Zift facility, and the movement of these items within a Zift facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.

Audit controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including:

  • logging of system access activity, including user authentication, failed user login attempts, and access control list changes; and
  • regular reviews of the logs for unusual or suspicious activity.

Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.

Transmission Security – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including:

  • the use of encrypted VPNs to help ensure the security and integrity of the data passing over public networks;
  • protection of web-based traffic through industry-standard encryption protocols; and
  • deployment of antivirus software on servers, laptops, and desktops to detect and prevent the transmission of data or files that contain virus signatures recognized by the antivirus software.

Storage Security – technical security measures to guard against unauthorized access to Personal Data in storage, including:

  • encryption of data at rest in hosted environments;
  • use of a key management system to securely manage the lifecycle of encryption keys; and
  • use of full-device hard drive encryption to protection the confidentiality and integrity of information maintained on approved mobile devices.

Assigned Security Responsibility – designation of a security official responsible for the development, implementation, and maintenance of Zift’s security program.

Testing – Regular testing and monitoring of the effectiveness of Zift’s security program, including through AICPA SOC 2 Type II audits of Zift’s solution performed by an external third-party auditor, and through periodic vulnerability scans and risk assessments designed to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and to ensure that these risks are addressed.

Adjustments to the Program – Monitoring, evaluation, and adjustment, as appropriate, of Zift’s security program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Zift or the Personal Data, and Zift’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.