Book a demo

Book a demo

Screenshot 2024-01-17 at 18.37.39-1

 

THIS MASTER SUBSCRIPTION AGREEMENT (“MSA”) (in the version dated 2024-05-09) GOVERNS THE USE BY ANY PERSON OR ENTITY (“CUSTOMER”) OF THE SERVICES (AS DEFINED BELOW) PROVIDED BY ADVERITY GMBH (“ADVERITY”) WITH COMPANY REGISTRATION NUMBER 448481 g. BY ENTERING A COMMERCIAL AGREEMENT (AS DEFINED BELOW) THAT REFERENCES THIS MSA, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS MSA.

Customer and Adverity may be referred to herein individually as a “Party” and collectively as the “Parties”. The MSA shall enter into force upon conclusion of the Commercial Agreement.

The plain language descriptions in this MSA are for reference purposes only, and shall not in any way define, limit, or extend the scope of this Agreement.


Table of Contents

Business Matters

I. SaaS Description and Subscription
II. The Parties’ Roles and Responsibilities
III. Fees and Payment
IV. Term and Termination 

Legal Matters

V. Intellectual Property Rights 
VI. Warranties
VII. Indemnification
VIII. Liability
IX. Sub-contractors
X. Mutual Confidentiality Clauses
XI. Miscellaneous 
XII. Definitions 



Business Matters 

Our MSA in plain language

Talk legal to me - here is the full text of our MSA


I. SaaS Description and Subscription 

Back to top

Adverity’s Integrated Data Platform is a SaaS solution that streamlines data integration and governance processes.

1. SaaS Description 

Adverity’s Integrated Data Platform is a SaaS (Software-as-a-Service) data Platform for connecting, managing, and using data at scale. Adverity automates complex data integration and governance processes, before transferring data to the destination selected by the Customer.

Adverity only processes the following personal data by default on behalf of the Customer: login credentials (name, email, IP-address and time-stamp) belonging to the User(s) of Adverity. Adverity`s DPA stipulates the mutual rights and obligations with regards to data protection.

Access to the SaaS is obtained through Subscriptions. Services and features can be added during the Term upon mutual Agreement.

2. SaaS Subscription

Adverity will provide Customer with access to the SaaS as per this Master Subscription Agreement (“MSA”) and the terms outlined in the Commercial Agreement and the Data Processing Agreement (“DPA”) for each Subscription Term.

Unless otherwise specified in the Commercial Agreement:

a. Adverity's SaaS is Subscription-based;

b. additional Services can be added during the applicable Subscription Term, subject to mutual Agreement;

c. any added Services will terminate on the same date as the pre-existing Subscriptions, unless agreed otherwise.


II.
The Parties' Roles and Responsibilities

Back to top

Adverity aims for 24/7 availability, except for planned downtime and uncontrollable events, and will provide support as needed during the Subscription Term. Issues reported by Customer are resolved within timeframes as specified in the Commercial Agreement.

1. Adverity's Responsibilities

a.  Adverity's obligations include the following:

i. Providing Customer Technical and User Support for the SaaS at no extra cost, or upgraded support if purchased.

ii. Use commercially reasonable efforts to ensure the SaaS is available 24/7, except for planned downtime or unavailability due to circumstances beyond Adverity's reasonable control, such as acts God, acts of government, floods, fires, earthquakes, civil unrest, acts of terror, pandemic or widespread illness as identified by the World Health Organization, strikes or other labor problems, failures, downtime or delays by an Internet service provider, hosting provider, or third-party platform, or "denial of service attacks".

b. Technical and User Support:

i. Adverity will provide Technical and User Support as defined in the Commercial Agreement during the Subscription Term. Issues reported by Customer will be resolved within the restoration time specified in the Commercial Agreement, starting from Adverity's awareness of the issue.

ii. Customer Support does not cover Implementation/Professional Services/Managed Services/Premium Services, programming, detailed or specialized maintenance, provision of enhancements, or support in different components that are not part of the SaaS.

Here are some Do’s and Don’ts to ensure Customer’s full enjoyment of our Services: 

Do's:

  • Follow the Agreement and applicable laws.

  • Verify data legality before sharing.

  • Restrict access to authorized Users.

Don'ts:

  • Allow unauthorized access.

  • Sell our Services.

  • Share illegal or malicious content.

  • Interfere or disrupt our Services.

  • Copy, modify, or reverse-engineer.

If necessary, Adverity may check if Customer is following the terms at Adverity’s expense.

2. Customer Responsibilities 

a. Customer is responsible for:

i. Complying with the Agreement

ii. Ensuring the accuracy, quality, and legality of Customer Data and how it is obtained and shared with Adverity.

iii. Using all reasonable efforts to prevent unauthorized access to /or use of the SaaS and promptly notifying Adverity of any such incidents.

iv. Using the SaaS in line with the Documentation and applicable laws and regulations.

v. Ensuring that each registration and User-Account is used exclusively by one User; sharing or transferring accounts is forbidden.

b. Customer must not:

i. Make the SaaS available to anyone other than its employees or contractors who are authorized by Customer to use them.

ii. Sell, resell, rent, or lease the SaaS or the right to use them.

iii. Modify, reverse engineer, or use the SaaS to build competitive products.

iv. Use the SaaS to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party rights.

v. Use the SaaS to store or transmit Malicious Code.

vi. Interfere with or disrupt the integrity or performance of the SaaS or third-party data contained therein.

vii. Attempt to gain unauthorized access to the SaaS.

viii. Use the SaaS beyond the scope permitted in writing. 

c. Adverity may verify Customer's compliance at its own cost. If Customer breaches any provision of this section, Adverity may, in addition to any other rights that Adverity may have under this MSA or by law, suspend Customer’s access to the SaaS.

Customer subscribes to the SaaS for their own use. However, sharing SaaS-generated data with third parties through the SaaS features created to that effect may be allowed with mutual written consent.

3. Transfer of SaaS

a. Customer subscribes to the SaaS for its own use and shall not enable access to any third party (e.g. Customer’s Clients, Customer’s Affiliates, etc.), either against payment or free of charge. For such purposes, a separate Commercial Agreement or an extension of the Subscription is necessary and can be provided.

b. However, nothing in this MSA shall prevent the Customer from making any data and information obtained from the SaaS available to third parties via the data provisioning features or the dashboard sharing and export functionalities of the SaaS, if this is mutually agreed by the Parties in writing. Additional Fees may apply.


III. Fees and Payment

Back to top

Customer is responsible for paying specified Fees based on Services purchased. Fees may increase annually, and Queries exceeding limits may incur higher Fees.

1. Service Fees

Customer is responsible for paying the Fees specified in the Commercial Agreement. Except as otherwise specified in the Commercial Agreement, Fees are based on the Services purchased and not actual usage. The Services purchased cannot be decreased during the relevant Subscription Term.

If a discounted Subscription Fee is agreed for an initial Subscription Term, the List Price applies thereafter. Additional Services purchased separately during the initial Subscription Term are billed separately and are not part of the List Price.

2. Price Increase

At any time after the initial 12 months, maximum once per calendar year, Adverity may, at its own discretion, increase the Fees by either 7% or the official inflation rate (based on the Consumer Price Index published in Austria by STATISTIK AUSTRIA Bundesanstalt Statistik Österreich in the month preceding Adverity’s notice of increase), whichever is higher, to support Adverity's continual efforts to expand and enhance its SaaS. Adverity will notify the Customer about an increase in Fees 60 days in advance.

3. Query Limit

The number of Queries allowed for each calendar month is subject to Adverity’s Fair Use Limit, which is calculated at 50 times the monthly Subscription Fee, translated into Queries (for example, EUR/GBP/USD 3000 monthly Subscription Fee = up to 150k Queries).  If Customer exceeds the said monthly Fair Use Limit, Adverity will not immediately increase Customer’s Subscription Fee or limit access to the SaaS.  Adverity will evaluate Customer's requirements and assess Customer´s specific needs regularly and reserves the right to increase Fees in case of consistent overuse.

Adverity provides its Services remotely. In the event that Customer requests Adverity’s consultants to be on-site, Customer will have to  reimburse Adverity for all the travel and out-of-pocket expenses.

4. Expenses

Customer must reimburse Adverity for reasonable travel and other expenses related to Implementation Services, Professional Services, Managed Services or Premium Services. Travel costs shall be agreed with the Customer in advance.

Adverity invoices the Customer for all Services with payment due as agreed in the Commercial Agreement. Late payments may incur interest and debt collection costs, and suspension of Services may occur if payments are 30 days overdue.

5. Invoicing and Payment

Adverity will invoice Customer for all Services in the Commercial Agreement for the initial Subscription Term and renewals as specified in the Commercial Agreement. Customer is responsible for providing complete and accurate billing and contact information to Adverity and notifying Adverity of any changes to such information.

 

6. Overdue Charges

If any amounts invoiced are not received by Adverity by the due date, then, without limiting Adverity’s rights or remedies,

a. such charges may accrue late interest at the statutory commercial interest rate;

b. Adverity is entitled to a no-fault and no-damage lump-sum compensation of 40  EUR/GBP/USD for reimbursement of debt collection costs for each outstanding debt; and

c. Adverity may condition future Subscription renewals and Commercial Agreements on payment terms different than those specified in Section III.5. 

 

7. Suspension and Acceleration

If Customer is 30 days or more overdue on any payments, Adverity may, without limiting Adverity’s other rights and remedies, accelerate unpaid Fees and suspend Services until payment is received. Customer will receive at least 7 days' notice before Services are suspended.

 

8. Payment Disputes

Adverity will not exercise its rights under Sections III.6. and III.7. if Customer is disputing charges reasonably and in good faith and cooperating to resolve the dispute. However, Customer is not entitled to offset its claims against any claim of Adverity under this MSA (or to claim any right of retention) unless Customer’s counterclaim is:

a. undisputed by Adverity; or

b. confirmed by a binding court decision that cannot be appealed.

 

9. Litigation Costs 

In case of litigation regarding overdue charges, the prevailing Party is entitled to reasonable legal Fees and court costs. 

Adverity's Fees don't include taxes. Customer is responsible for paying all relevant taxes.

10. Taxes

Unless otherwise stated, Adverity’s Fees do not include any taxes, levies, duties, or similar governmental assessments of any nature, including but not limited to value-added, sales, use, or withholding taxes, assessable by any local, state, provincial, federal or foreign jurisdiction (collectively, “Taxes”). Customer is responsible for paying all taxes associated with Customer’s purchases hereunder. If Adverity has the legal obligation to pay or collect taxes for which Customer is responsible, the appropriate amount shall be invoiced to and paid by Customer in addition, unless Customer provides Adverity with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Adverity is solely responsible for taxes assessable against Adverity based on Adverity’s income, property, and employees.


IV. Term and Termination

Back to top

The Agreement's duration depends on the Subscription Term agreed in the Commercial Agreement.

1. Term of Agreement

The Term of the Agreement is governed by the Subscription granted by the Commercial Agreement. The Agreement commences on the Effective Date and remains in effect until all Subscriptions granted under the Commercial Agreement have either expired or been terminated ("Term").

The Agreement automatically renews for equal periods unless either Party provides at least 90 days' notice before the end of a Subscription Term.

2. Term of Subscriptions

Subscriptions for the SaaS start on the specified Subscription Start Date in the relevant Commercial Agreement and continue for the specified Subscription Term. Unless stated otherwise in the Commercial Agreement, all Subscriptions automatically renew for additional periods equal to the expiring Subscription Term or one year (whichever is longer), unless either Party gives the other notice of non-renewal at least 90 days before the end of the relevant Subscription Term. 
If the Customer continually uses and pays for the SaaS Subscription in the absence of an automatic renewal clause, Adverity deems the Subscription to have been factually renewed as per the conditions of this Section. 

The Agreement can be terminated for cause at any time upon 30 days written notice.

3. Termination for Cause

Either Party can terminate the Agreement for cause at any time, in particular:

a. upon 30 days written notice to the other Party of a material breach if such breach remains uncured at the expiration of such period; or

b. if the assets of the other Party become the subject of a petition in bankruptcy or any other similar proceeding.

 

4. Refund or Payment upon Termination

Upon Termination for Cause by Customer, Adverity refunds prepaid Fees covering the remainder of the Term after the Effective Date of Termination. Upon Termination for Cause by Adverity, Customer must pay unpaid Fees covering the remainder of the Term of all Commercial Agreements after the Effective Date of Termination. Termination never exempts Customer from paying Fees incurred before Termination.

 

5. Return of Customer Data

For 30 days after Termination, Customer Data remains in the SaaS. After 30 days, Adverity will delete Customer Data and destroy any corresponding documents under its control unless required by law to keep the data.

 

6. Surviving Provisions

Sections III (Fees and Payment), IV.4 (Refund or Payment upon Termination), IV.5 (Return of Customer Data), IV.6 (Surviving Provisions), V (Intellectual Proprietary Rights), VI (Warranties), VII (Indemnification), VIII (Liability), X (Mutual Confidentiality Clauses) and XI (Miscellaneous) continue in effect after termination or expiration of this MSA.


Legal Matters

Our MSA in plain language

Talk legal to me - here is the full text of our MSA

 

V. Intellectual Property Rights 

Back to top

The SaaS and any improvements to the SaaS belong to Adverity.

1. Adverity IP

Adverity reserves all rights, title, and interest in and to the SaaS, including all related intellectual property rights. 
In addition, Adverity owns all rights, title, and interest, including all intellectual property rights, in and to any improvements to the SaaS or any new programs, upgrades, modifications or enhancements developed by Adverity in connection with rendering the SaaS to Customer, even when refinements and improvements result from Customer’s request or suggestion. 

Except for the limited rights expressly granted herein, Adverity does not transfer to Customer any proprietary right or interest in the Services. All rights not expressly granted to Customer in the Agreement are reserved to Adverity.

Customer Data and reports generated from Customer Data belong to Customer.

2. Customer IP

Customer owns Customer Data, including all reports, statistics, and other data to the extent generated solely from Customer Data, and all intellectual property rights therein. Notwithstanding the foregoing, Adverity shall have the right to collect and use Customer Data in relation to the provision of the Services to Customer, including in order to improve and enhance the Services.

Adverity can acknowledge Customer in lists (incl. website and press releases) as a customer. Adverity can use Customer's trademarks for the provision of Services.

3. Publicity; Trademarks

During the Term, Adverity may include the name and logo of the Customer in lists (including on its website and press releases) of customers per Customers' standard logo and/or trademark usage guidelines. In addition, Adverity may use the trademarks and trade names of Customer solely in connection with its authorized provision of the Services. Except as set forth herein, neither Party may use the trademarks and trade names of the other Party without the prior written consent of the other Party.


VI. Warranties

Back to top

 

1. Representations

Each Party represents that it has validly entered into this MSA and has the legal power to do so, that the signatory of the Commercial Agreement that references this MSA has the authority to bind the applicable organization, and the Agreement constitutes the legal, valid, and binding obligation of each Party, enforceable under its terms.

Adverity promises that the Services work as Adverity says they will, and there is no Malicious Code in the Services.

2. Adverity Warranties

Adverity warrants that:

a. the SaaS shall perform materially following the Documentation and as outlined in the Commercial Agreement; and

b. Adverity will not transmit Malicious Code to Customer, provided that Adverity is not in breach of this subpart b. if Customer uploads a file containing Malicious Code into the SaaS and later downloads that file containing Malicious Code.

For any breach of a warranty above, Customer’s exclusive remedy shall be as provided in Sections IV.3, IV.4, and IV.5 above.

Customer promises that the data they give Adverity is legit and Customer is not going to do anything illegal with the SaaS.

3. Customer Warranties

Customer represents and warrants that:

a. Customer Data shall not infringe on any copyright, patent, trade secret, or other proprietary right held by any third party; and

b. Customer shall not use the SaaS in a manner that violates any applicable legislation or any regulation relating to individual privacy.

The reports generated by the SaaS are based on the data Customer provides, and it’s for Customer’s reference only. If Customer makes any business decision based on the reports, they are still responsible for their own decisions.

4. Disclaimer

a. Any (optimization) recommendations, suggestions, or forecasts created by the SaaS and based on the data provided by the Customer are not guaranteed to be correct. Adverity makes no warranties or representations, express, implied, or otherwise regarding the accuracy, completeness, or performance of the provided information. Customer acknowledges that Adverity cannot be held liable at any time for any losses due to decisions or transactions made based on this information.

b. Except as expressly provided in this MSA, Adverity makes no representations, warranties, terms, conditions, or statements, express or implied, statutory or otherwise regarding any matter, including the merchantability, suitability, or fitness for a particular use or purpose, or that the operations of the SaaS will be uninterrupted or error-free.

c. Customer acknowledges that their purchases are not dependent on future features or functionality and are not influenced by any public statements, written or oral, made by Adverity regarding future features or functionality.


VII. Indemnification

Back to top

Adverity indemnifies Customer for infringement or misappropriation of a third party’s IP by the SaaS.

1. Indemnification by Adverity

Adverity shall defend Customer against any claim, demand, suit, or proceeding made or brought against Customer by a third party alleging that the use of the SaaS as permitted hereunder infringes or misappropriates the intellectual property rights of a third party (a “Claim Against Customer”), and shall indemnify Customer for any damages, attorneys’ fees and other costs finally awarded against Customer as a result of, and for amounts paid by Customer under a court-approved settlement of, a Claim Against Customer; provided that Customer:

a. promptly gives Adverity written notice of the Claim Against Customer;

b. gives Adverity sole control of the defense or settlement of the Claim Against Customer (provided that Adverity may not settle any Claim Against Customer unless the settlement unconditionally releases Customer of all liability); and

c. provides to Adverity reasonable assistance, at Adverity’s expense. If Adverity receives information regarding an infringement, misappropriation, or other claim, Adverity may in Adverity’s discretion, and at no cost to Customer

i. modify the SaaS, so that they no longer infringe, misappropriate, or give rise to any other claim, without breaching Adverity’s warranties under Section VI. above;

ii. obtain a license for Customer’s continued use of the SaaS under this MSA; or

iii. terminate Customer’s Subscriptions for the SaaS upon 30 days written notice and refund to Customer any prepaid Fees covering the remainder of the Term of the terminated Subscriptions.

Adverity shall have no obligation to indemnify Customer to the extent any Claim Against Customer arises from Customer’s breach of the terms of the Agreement.

Customer indemnifies Adverity for infringement of third-party IP or violation of the law resulting from the use of Customer Data or misuse of the SaaS.

2. Indemnification by Customer

Customer shall defend Adverity against any claim, demand, suit or proceeding made or brought against Adverity by a third party alleging that Customer Data, or Customer’s use of the Services in breach of this MSA, infringes or misappropriates the intellectual property rights of a third party or violates applicable law (a “Claim Against Adverity”), and shall indemnify Adverity for any damages, attorneys’ fees and other costs finally awarded against Adverity as a result of, or for any amounts paid by Adverity under a court-approved settlement of, a Claim Against Adverity; provided that Adverity:

a. promptly gives Customer written notice of the Claim Against Adverity;

b. gives Customer sole control of the defense or settlement of the Claim Against Adverity (provided that Customer may not settle any Claim Against Adverity unless the settlement unconditionally releases Adverity of all liability); and

c. provide to Customer all reasonable assistance, at Customer’s expense.

 

3. Exclusive Remedy

This Section VII. defines the indemnifying Party’s sole liability to, and the indemnified Party’s exclusive remedy against, the other Party for any type of claim described in this Section.


VIII. Liability 

Back to top

 

Adverity limits its liability to (1) the total of fees you have paid to us in the previous 12 months or (2) EUR 50,000, whichever is higher.

 

 

 

 

 

Adverity is not liable for indirect damages or loss of Data that Customer could have prevented.

1. Limitation of Liability

a. General Limitation of Liability: In case of material or pecuniary damages caused by not more than ordinary negligence, Adverity and its assistants shall only be liable for breaches of essential contractual obligations, but limited to an amount of damages which could have been anticipated upon signing and which are typical for the contract.  

b. Limitation of Amount of Liability: Irrespective of Section VIII.1.a., Adverity's total liability in any contract year under this MSA is limited to the Fees paid by Customer in the preceding 12 months or 50,000 EUR/GBP/USD, whichever is higher.

c. Indirect Damages: Adverity is not liable for indirect, consequential damages, or loss of profit.

2. Application of Limitations of Liability

The limitations contained in Section VIII.1. do not apply to:

a. contractual guarantees;

b. damages caused by intentional or gross negligence;

c. damages to life or limb;

d. either Party’s liability for fraud, fraudulent misrepresentation, or any other liability not excludable or limitable by law.

3. Loss of Data

Adverity shall not be liable for any loss of, or damage to, data or programs to the extent that such loss or damage would have been avoided or mitigated by adequate preventative measures of Customer.

 

4. Application of Direct Claims

These limitations also apply to direct damage claims against Adverity's employees or representatives.

Adverity is adequately covered by insurance.

5. Insurance

Adverity undertakes to maintain adequate insurance cover for potential liability claims that may arise under or in connection with the Agreement.


IX. Subcontractors

Back to top

Adverity may engage subcontractors while providing Services to the Customer  either with Customer’s consent or a written Agreement safeguarding Customer Data.

Adverity may use subcontractors to perform the Services if:

a. Customer agrees in advance; or,

b. Adverity has a written Agreement with the subcontractor to protect Customer and Customer Data to the same extent as required by Adverity. Adverity will disclose such subcontractors to Customer upon request.

Adverity is responsible for the subcontractor's actions as if Adverity performed the Services.


X. Mutual Confidentiality Clauses 

Back to top

This confidentiality section includes a customary definition of Confidential Information, encompassing typical exceptions.

1. Definition of Confidential Information

a. “Confidential Information” means all information disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”) that reasonably should be understood to be confidential. Customer Confidential Information shall include Customer Data; Adverity Confidential Information shall include the SaaS; and Confidential Information of each Party shall include the terms and conditions of this MSA and all Commercial Agreements.

b. Confidential Information also includes:

i. technical and business information of any kind, regardless of whether such information is designated as “Confidential Information” at the time of its disclosure;

ii. any SaaS or product-related information of Adverity Platforms as well as data transferred via the Platforms.

c. Confidential Information shall not include any information that:

i.  is in possession of the Receiving Party prior to receipt from the Disclosing Party;

ii. is or becomes publicly known, otherwise than as a consequence of a breach of this MSA;

iii. is developed independently by the Receiving Party;

iv. is disclosed by the Receiving Party to satisfy a legal demand by a competent court of law or governmental body or by any applicable regulatory authority or security exchange; or

v. is disclosed to a third party pursuant to written authorization from the Disclosing Party.

Both parties commit to safeguarding the Confidential Information of the other Party as if it were their own, restricting access to a need-to-know basis and to achieve the purpose of this Agreement. 

2. Protection of Confidential Information

The Receiving Party shall:

a. use the same degree of care that it uses to protect the confidentiality of its own Confidential Information (but in no event less than reasonable care);

b. not disclose, utilize, employ, exploit, or in any other manner use the Confidential Information disclosed by the Disclosing Party for any reason or purpose other than to fulfill its (pre-contractual) obligations arising out of cooperation between the Parties;

c. except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its Affiliates’ employees, contractors, and agents who need such access for purposes consistent with this MSA and who have signed agreements with the Receiving Party containing protections no less stringent than those herein. Neither Party shall disclose the terms of this MSA or any Commercial Agreement to any third party, other than its Affiliates and their legal counsel and accountants, without the other Party’s prior written consent.

The obligations under Section X. of each of the Parties shall continue, even if the contractual relationship between them has ended, without any restriction. Regarding the end of the contractual relationship, reference is made to Section X.5 below.

Compelled disclosure is explicitly excluded. 

3. Compelled Disclosure

The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.

 

4. Unintentional Disclosure and Remedies

a. If the Receiving Party discloses Confidential Information in violation of the Terms of this Section X., the Disclosing Party shall be promptly notified of such disclosure in writing after such disclosure.

b. The Parties each expressly agree that due to the unique nature of the Disclosing Party’s Confidential Information, monetary damages may be inadequate to compensate the Disclosing Party for any breach by the Receiving Party of its covenants and Agreements outlined in this Section X. Accordingly, the Parties each agree and acknowledge that any such violation or threatened violation shall cause irreparable injury to the Disclosing Party and that, in addition to any other remedies that may be available, in law, in equity, or otherwise, the Disclosing Party shall be entitled to seek injunctive relief against the threatened breach of this Section X. or the continuation of any such breach by the Receiving Party.

c. Each Party warrants that it has the right to disclose all Confidential Information that it discloses to the other Party. Each Party will indemnify and defend the other from all third-party claims resulting from the negligent or wrongful disclosure by the indemnifying Party of a third party’s Confidential Information.

 

 

At the request of the Disclosing Party, the Receiving Party will either return or destroy the Confidential Information.

5. Request for Return

The Disclosing Party may request in writing at any time that any Confidential Information disclosed to the Receiving Party be returned with a written statement to the effect that upon such return it has not retained in its possession or under its control, either directly or indirectly, any Confidential Information. The Receiving Party shall comply with any such request within thirty (30) days of receipt of such request. If the Receiving Party objects to such a request for return, the Confidential Information shall be destroyed upon request by the Disclosing Party. In such a case, the Receiving Party shall provide the Disclosing Party with a written statement under oath certifying that the respective Confidential Information has been destroyed.

 

6. Proprietary Rights concerning Confidential Information

Section V. shall apply mutatis mutandis.

Additionally, upon request, the Receiving Party will furnish the Disclosing Party with a roster of personnel who have access to the Confidential Information.

7. Right to Control

The Receiving Party will provide the Disclosing Party upon request with a complete and updated list of those of its employees and professional advisors, agents, and consultants who are or will be provided with the Confidential Information.


XI. Miscellaneous

Back to top

All notices will be made in writing (email suffice).

1. Notice

Except as otherwise specified in this MSA, all notices hereunder shall be in writing (email suffice). 
If to Adverity, billing related notices to Adverity shall be addressed to AR@adverity.com and legal notices, such as notices of termination shall be addressed to contracts@adverity.com. All other notices to Adverity  shall be addressed to the relevant Account Manager designated by Adverity. 

If to Customer, billing-related notices to Customer shall be addressed to the relevant billing contact designated by Customer, and legal notices, such as notices of termination or an indemnifiable claim, to Customer shall be addressed to Customer. All other notices to Customer shall be addressed to the relevant Administrator designated by Customer.

 

2. Relationship of the Parties

The Parties are independent contractors. This MSA does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between them.

Governing law will be Austrian law with a forum in Vienna, Austria. 

3.  Agreement to Governing Law and Jurisdiction

This MSA and the Commercial Agreement are governed by Austrian law (without regard to its conflict of law rules and to CISG), and disputes are resolved in the courts of Vienna, Austria, except for dunning proceedings and cases with mandatory statutory venues.

Adverity complies with all relevant export control and anti-corruption laws.

4. Export Control

The SaaS may be subject to export control laws. Both Parties confirm they are not on any US government or EU denied-party list. Customer must not use the SaaS or permit Users to access the SaaS in US- or EU-embargoed countries or in violation of export control laws.

5. Anti-Corruption

Adverity commits to complying with all applicable laws, including anti-corruption laws. No illegal bribes, kickbacks, or gifts have been offered to Customer in connection with this MSA. 

 

6. No Third-Party Beneficiaries

There are no third-party beneficiaries to this MSA.

 

7. Waiver

No failure or delay in exercising any right under this MSA constitutes a waiver of that right.

 

8. Severability Clause

If any provision of this MSA is or becomes invalid, the other clauses remain unaffected. The Parties will replace the invalid provision with one that aligns with their original intent. This also applies if there is an unintentional contractual gap.

Customer can assign this Agreement to another entity with Adverity’s consent. This is important for data protection purposes.

9. Assignment

Customer can assign its rights or obligations with Adverity's written consent, which shall not be unreasonably withheld. Adverity may assign this Agreement in its entirety without consent to its Affiliate or as part of a merger, acquisition, reorganization, or sale of assets not involving a direct competitor of the other Party.

This MSA, the Commercial Agreement, and the DPA cover the entire Agreement between the Parties.

10. Entire Agreement

This MSA and connected Commercial Agreements and DPA constitute the entire Agreement regarding Customer's use of the Services, replacing all prior Agreements, written or oral. The application of any terms and conditions of Customer deviating from or exceeding these provisions is excluded. This applies even if Adverity accepts a Commercial Agreement which refers to the terms and conditions of Customer and/or the terms and conditions of Customer are attached to the Commercial Agreements, even if Adverity does not explicitly contradict such terms and conditions of Customer.

 

11. Amendments

No changes to this MSA are effective unless made in writing.

 

12. Written Form

Statements that must be in writing can be transmitted as scanned, personally signed documents by fax or email attachment, or digitally signed using a system such as DocuSign or the like. Either Party may subsequently request a personally signed paper document.

 

13. Order of Precedence

In the event of any conflicts between the Commercial Agreement and this MSA, the Commercial Agreement prevails unless required by law.

XII. Definitions

Back to top

“Administrator” 

means a natural person who is designated by the Customer to administer the SaaS on behalf of the Customer, including granting access to the SaaS as well as enabling features and functions on the Platform, that could incur additional costs.

“Affiliate” 

means an affiliated entity that is directly or indirectly, through one or more intermediaries, controlled by, or is under common control with, another person or entity. The term “controlled” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting stock, by contract, or otherwise.

"Agreement” 

means the Commercial Agreement, this Master Subscription Agreement and the Data Processing Agreement (DPA), agreed between the Parties.

“Commercial Agreement” 

means the documents for placing orders for SaaS hereunder that are entered between Customer and Adverity, including addenda and supplements thereto. By entering into a Commercial Agreement, an Affiliate of Customer agrees to be bound by the Terms of this Commercial Agreement as if it was an original Party hereto. This MSA forms an integral part of the Commercial Agreement.

“Confidential Information” 

shall have the meaning set forth in Section X.

“Customer Data” 

means all electronic data or information submitted by Customer to the SaaS.

“Customer Support” 

shall have the meaning set forth in the Commercial Agreement and Section II of this MSA.

“Documentation”

means online help, training, how-to documents, and explanatory materials that assist Customers in using the SaaS (as such materials may be updated from time to time), accessible via log-in to the SaaS or otherwise as made available by Adverity.

“Effective Date” 

means the date on which the Commercial Agreement is concluded between the Parties.

"Fees" 

means the Fees as specified in the Commercial Agreement.

“List Price” 

means the List Price as specified in the Commercial Agreement.

“Malicious Code” 

means viruses, worms, time bombs, trojan horses, and other harmful or Malicious Code, files, scripts, agents, or programs.

“Platform” 

refers to a specific URL, provided by Adverity, where the SaaS is operating.

“Query” 

means a request for data from the Adverity Storage database by different means like Dashboards, Data Explorer, Data Shares, or SQL Interface.  Any action that leads to viewing or changing visualized data (such as the addition or removal of a field or the application of a filter) will be deemed as a Query.

“SaaS”

means Adverity Integrated Data Platform, a SaaS data Platform for connecting, managing, and using data at scale, which Customer orders based on a Commercial Agreement and Adverity makes available online via a password-protected customer login.

"Services” 

means the SaaS, Onboarding Support, Customer Support, Managed Services, Premium Services and Professional Services collectively.

“Subscription” 

means the provision of the SaaS from Adverity to Customer via the Platform.

“Subscription Start Date” 

means the date on which Adverity will make the SaaS available to Customer as outlined in an applicable Commercial Agreement.

"Subscription End Date”

means the date on which Adverity will withdraw the SaaS from Customer as outlined in an applicable Commercial Agreement.

“Subscription Term”

means the Subscription period outlined in an applicable Commercial Agreement.

“Term”  

 shall have the meaning outlined in Section IV.1.

“User” 

 means anyone who is authorized by Customer to use the SaaS.

“User-Account” 

means the account for the Platform, created by each User to access the SaaS. The User-Account is strictly limited to the use by one User.

 

 

Document Information

Document Owner

VP Legal & Compliance

Version

V3.0

Date of Version

2024-05-09

 

View outdated Master Subscription Agreements

v2.0 (2020-06-01)
v2.1 (2021-04-26)
v2.2 (2021-06-22)
v2.3 (2021-10-08)
v2.4 (2022-09-02)
v2.5 (2023-01-23)
v2.6 (2023-09-11)

 

Screenshot 2024-02-29 164125-1

THIS DATA PROCESSING AGREEMENT (“DPA”) (in the version dated 2024.05.09) GOVERNS THE DATA PROCESSING OPERATIONS BETWEEN THE CUSTOMER (“DATA CONTROLLER”) AND ADVERITY GMBH (“DATA PROCESSOR”) WITH COMPANY REGISTRATION NUMBER 448481 g. BY ENTERING A COMMERCIAL AGREEMENT THAT REFERENCES THIS DPA, THE CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS DPA.



DPA InfographicTable of Contents

Data Controller's Processing Instructions

Data Processor's Processing Obligations

I. Background
II. Processing of Personal Data
III. Sub-processors
IV. Transfer to Third Countries
V. Security of Processing
VI. Audit Rights
VII. Indemnification
VIII. Term
IX. Notices
X. Measures Upon Completion of Processing Personal Data
XI. Definitions
XII. Final provisions

Appendix I - Technical and Organizational Measures (TOMs)


 

Data Controller's Processing Instructions

Back to top

Purposes

Provide access to and enable the use of the Data Processor’s Software-as-a-Service (SaaS) and additional services as agreed between the Data Controller and the Data Processor.

Categories of Personal Data to be Processed by Default

(If the Data Controller intends to process other categories of Personal Data with the Data Processor’s SaaS, the Data Controller must notify the Data Processor and an additional agreement must be concluded.)

  • Email Address

  • IP Address

  • Timestamps 

  • Name (voluntarily)

Special Categories of Personal Data

(If the Data Controller instructs the Data Processor to process special categories of Personal Data on its behalf, the Data Controller shall ensure that all legal requirements for the processing of such special categories of Personal Data by the Data Processor (esp. those outlined in art. 9 (2) GDPR) are met at all times.)

The Data Controller does not intend to and will not instruct the Data Processor to process any special categories of Personal Data. 

Data Subjects by Default

(If the Data Controller intends to process Personal Data of additional Data Subjects with the Data Processor’s SaaS, the Data Controller must notify the Data Processor and an additional agreement must be concluded.)

  • Users of the SaaS

Processing Operations

Collect, store, and process data to enable access to and use of the Data Processor’s SaaS.

Sub-processor(s)

Applicable in case of SaaS hosting by Data Processor: 

If the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data with the SaaS, the following Sub-processor is mutually agreed between the Parties:

  • Snowflake Computing Netherlands B.V. (Gustav Mahlerlaan 300, 1082 ME Amsterdam, The Netherlands).

    Purpose: Cloud-based data warehouse, that provides the infrastructure, storage and processing engine to power data reporting and analysis.

Applicable in case of SaaS hosting by Data Controller:

If  the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data with the SaaS, the following Sub-processor is mutually agreed between the Parties:

  • Snowflake Computing Netherlands B.V. (Gustav Mahlerlaan 300, 1082 ME Amsterdam, The Netherlands).

    Purpose: Cloud-based data warehouse, that provides the infrastructure, storage and processing engine to power data reporting and analysis.

Location of Processing Operations

Applicable in case of SaaS hosting by Data Processor:

  • If the Data Controller is based in the EU, the data will be hosted on servers located in a data center in the EU.

  • If the Data Controller is located outside the EU, the data might be hosted on servers inside or outside the EU.

At the request of the Data Controller, the specific location will be communicated to the Data Controller.

Applicable in case of SaaS hosting by Data Controller:

  • Hosting location is determined by the Data Controller.

 

 

Data Processor's Processing Obligations

Our DPA in plain language

Talk legal to me - here is the full text of our DPA


I. Background 

Back to top

As provided under the Commercial Agreement, the Data Processor will process certain Personal Data while providing services to the Data Controller. This DPA will govern the Data Processor’s data processing activities.

1. Within the scope and for the performance of the services defined in the Commercial Agreement, the Data Processor will process certain Personal Data on behalf of the Data Controller.

2. In addition to what may be provided in the Commercial Agreement, the following shall apply to the Data Processor’s processing of Personal Data on behalf of the Data Controller to fulfill the requirements under Applicable Data Protection Legislation. Data Subjects, data categories as well as the extent, nature, and purpose of data processing are determined by the Commercial Agreement and “Data Controller’s Processing Instructions” of this DPA.

 

II. Processing of Personal Data 

Back to top

The Data Processor will comply with all relevant requirements under Applicable Data Protection Legislation while following the Data Controller’s instructions, including  assisting the Data Controller in meeting legal obligations, refraining from actions that could breach Applicable Data Protection Legislation, and promptly notifying the Data Controller of any relevant communications or requests received from competent authorities. 

 

The Parties will update “Data Controller’s Processing Instructions” to reflect any changes if needed.

1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors, and persons acting under the Sub-processor’s authority) undertake to only process Personal Data as instructed in writing by the Data Controller (see the “Data Controller’s Processing Instructions” above). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation.

2. If the services are altered during the term of the Commercial Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the Data Controller shall instruct the Data Processor to update the “Data Controller’s Processing Instructions" as appropriate before or at the latest in connection with the commencement of such processing or change.

3. The Data Processor shall comply with any Applicable Data Protection Legislation. The Data Processor shall keep itself updated on and comply with any changes in the Applicable Data Protection Legislation. The Data Processor shall make any necessary changes and amendments to this DPA required under Applicable Data Protection Legislation.

4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to:

  • protection of the rights of Data Subjects;

  • security of processing (Art. 32 GDPR);

  • notification of a personal data breach (Art. 33, 34 GDPR);

  • data protection impact assessment and the prior consultation (Art. 35, 36 GDPR); and

  • timely response to requests for exercising the Data Subject’s rights to information regarding the processing of its Personal Data.

The Data Processor shall not carry out or omit any act that would cause the Data Controller to be in breach of Applicable Data Protection Legislation.

5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable it to respond to such request, complaint, message, or other communication following Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements, or press releases in the event of a breach of data protection as defined in Section XI. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately unless prohibited by law.

 

III. Sub-processors

Back to top

The Data Controller authorizes the Data Processor to engage Sub-processors to operate under the Data Controller's instructions. If the Data Processor intends to make changes to the current list outlined in the "Data Controller’s Processing Instructions”, it will notify the Data Controller in advance and the Data Controller can object within 8 weeks.

1. The Data Controller authorizes the Data Processor to engage Sub-processors. All Sub-processors authorized by the Data Controller are acting under the authority and subject to direct instructions of the Data Controller. A list of the current Sub-processors is set out in the “Data Controller’s Processing Instructions” for the purposes specified therein. The Data Processor shall notify the Data Controller in writing in advance of any changes, in particular before engaging other Sub-processors in which event the Data Processor shall without undue delay and no less than 8 weeks before transferring any Personal Data to a Sub-processor, inform the Data Controller in writing of the identity of such Sub-processor as well as the purpose for which it will be engaged.

2. The Data Controller at its discretion may object with good cause to any such changes within 8 weeks after the Data Processor’s notice.

3. The Data Processor shall impose by written agreement, which includes an electronic form, on all Sub-processors processing Personal Data under this DPA (including inter alia its agents, intermediaries, and sub-contractors) the same obligations as apply to the Data Processor, in particular the obligations defined in Section III.1 (especially the procedure of notification to Data Controller and Data Controller’s right to issue direct instructions to Sub-processors) and Section III.2 of this DPA.

 

IV. Transfer to Third Countries

Back to top

The Data Processor must obtain prior written consent from the Data Controller before transferring Personal Data outside the EU/EEA.  Further, it will ensure compliance with Applicable Data Protection Legislation and incorporate the European Commission's Standard Contractual Clauses for adequate protection.

1. The location(s) of intended or actual processing of Personal Data is set out in the “Data Controller’s Processing Instructions”. The Data Processor must not transfer or otherwise directly or indirectly disclose Personal Data outside the European Economic Area (“EU/EEA”) without the prior written consent of the Data Controller (which may be refused or granted at its discretion) and ensure that the level of protection of Data Subjects guaranteed by the GDPR and as outlined in this DPA is not undermined. Unless otherwise agreed between the Parties, adequate protection in the receiving country shall be secured through an agreement incorporating the European Commission’s Standard Contractual Clauses.



2. If the Data Controller is located in a country, which is not a member of the EU/EEA and in case no Adequacy Decisions exist, the Standard Contractual Clauses (Module 4: Processor-to-Controller) shall apply to the transfer of Personal Data between the Data Processor and Data Controller and incorporated into this DPA by reference, and can be shared with the Data Controller upon request.


V. Security of Processing

Back to top

The Data Processor ensures the security of Personal Data through specified technical and organizational measures (see Appendix 1).  Further, the Data Processor will notify the Data Controller of any security incidents, restrict access to authorized personnel bound by confidentiality obligations, and appoint a designated contact person for data protection matters without undue delay.

1.  The Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for Personal Data and shall continuously review and improve the effectiveness of its security measures (See Appendix 1 hereunder). The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful loss, alteration, or access. The Personal Data shall also be protected against all other forms of unlawful processing. With regard to the state of the art and the costs of implementation and taking into account the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the technical and organizational measures to be implemented by the Data Processor shall include, as appropriate:

a. the pseudonymization and encryption of Personal Data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;

c. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

d. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational    measures for ensuring the security of the processing.

2. The Data Processor shall without undue delay notify the Data Controller of any Personal Data Breach after becoming aware of such incidents. The notification shall be in written form and shall at least:

a. describe the nature of the Personal Data Breach including where possible, the categories and the approximate number of Data Subjects concerned and the categories and the approximate number of Personal Data records concerned;

b. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c. describe the likely consequences of the Personal Data Breach;

d. describe the measures taken or proposed to be taken by the Data Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and

e. include any other information available to the Data Processor that the Data Controller is required to notify the Data Protection Authorities and/or the Data Subjects.

3. The Data Processor shall provide reasonable assistance requested by the Data Controller for the Data Controller to investigate the Personal Data Breach and notify  the Data Protection Authorities and/or the Data Subjects as required by Applicable Data Protection Legislation.

4. The Data Processor shall at its own expense immediately take necessary measures to restore and/or reconstruct Personal Data that has been lost, damaged, destroyed, or corrupted as a result of any Personal Data Breach.

5. The Data Processor shall not disclose or otherwise make the Personal Data processed under this DPA available to any third party, without the Data Controller’s prior written approval. For clarity, if the Data Processor is required by applicable laws and regulations to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, section II.5 shall apply.

6. The Data Processor shall ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data to fulfill the Data Processor’s obligations under this DPA and the Commercial Agreement. The Data Processor shall ensure that such personnel (whether employees or others engaged by the Data Processor):

a. has the necessary knowledge of and training in the Applicable Data Protection Legislation to perform the contracted services; and

b. is bound by a confidentiality obligation concerning the Personal Data to the same extent as the Data Processor under this DPA.

7. The Data Processor shall ensure that this confidentiality obligation extends beyond the termination of employment contracts, Sub-processor contracts, service contracts, or the termination of this DPA. This confidentiality obligation shall remain in force after the expiry or termination of the DPA.

8. The Data Processor appoints the following person as a contact point for data protection matters: Mr. Michael Pilz (dpo@adverity.com).

 

VI. Audit Rights

Back to top

The Data Processor grants the Data Controller (or an external auditor of the Data Controller’s choice) the right to conduct audits on data protection and security to ensure compliance with this DPA and relevant data protection laws, and will provide all necessary information and assistance to demonstrate compliance.

1. The Data Processor shall allow the Data Controller or an external auditor appointed by the Data Controller to conduct audits, investigations, and inspections on data protection and/or data security (“audit”) to ensure that the Data Processor or Sub-processors comply with the obligations under this DPA and Applicable Data Protection Legislation and that the Data Processor or Sub-processors have undertaken the required measures to ensure such compliance.

2. The Data Processor makes available all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Legislation and assists the Data Controller in the performance of audits.

 

VII. Indemnification

Back to top

The Data Processor is responsible for indemnifying the Data Controller against claims from third parties arising from breaches caused by the Data Processor's intentional or grossly negligent actions under this DPA up to the fees paid by the Data Controller in the 12 months preceding the incident, except for willful intent, personal injuries, or death.

The Data Processor shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (Data Subjects in particular) make claims against the Data Controller on the grounds of an infringement of their rights or of data protection law where such infringement is caused by actions of the Data Processor in intentional or grossly negligent violation of this DPA. The obligation to indemnify is – except in cases of willful intent or concerning personal injuries or death – capped with the amount of fees paid by the Data Controller in the 12 months immediately before the infringing incidence.

 

VIII. Term

Back to top

This DPA is in effect as long as the Data Processor handles Personal Data on behalf of the Data Controller.

1. This DPA shall remain in force as long as the Data Processor processes Personal Data on behalf of the Data Controller.

2. The Data Controller may terminate the Agreement without notice as a result of a breach of the obligations under this DPA by the Data Processor or one of its Sub-processors.

 

IX. Notices

Back to top

 

In addition to other notice obligations provided hereunder, in case the Data Processor determines that any instruction to process data of the Data Controller violates Applicable Data Protection Legislation or substantial provisions of this DPA (including technical and organizational measures), it will immediately inform the Data Controller thereof.

 

X. Measures Upon Completion of Processing of Personal Data 

Back to top

Personal data will be deleted or returned after contract fulfillment unless storage is required by law.


Written notice of measures taken can be provided to the Data Controller upon request.

1. Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same unless otherwise required by applicable law. When returning the Personal Data, the Data Processor shall provide the Data Controller with all necessary assistance.



2. Upon request by the Data Controller, the Data Processor shall provide written notice of the measures taken by itself or its Sub-processors concerning the deletion or return of the Personal Data upon the completion of the processing.

 

XI. Definitions 

Back to top

For clarification purposes, the GDPR definitions of the relevant terms are used.

All terms used in this DPA are to be understood following the EU General Data Protection Regulation ((EU) 2016/679 “GDPR”), unless otherwise expressly agreed. The following terms and expressions in this DPA shall have the meaning set out below:

“Adequacy Decision” means a formal decision made by the EU Commission that recognizes that another country, territory, sector, or international organization provides an equivalent level of protection for personal data as the EU does.

“Applicable Data Protection Legislation” means any national or internationally binding data protection laws or regulations (including but not limited to the GDPR and the Austrian Data Protection Act (“DSG”)) including any requirements, guidelines, and recommendations of the competent data protection authorities applicable at any time during the term of this DPA to, as the case may be, the Data Controller or the Data Processor.

“Data Controller” means the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data under this DPA.

“Data Processing Agreement” (or “DPA”) refers to this agreement which governs the data processing operations between the Data Controller and the Data Processor.

“Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller under this DPA.

“EU/EEA” means European Union and/or European Economic Area. 

“Personal Data” means any information relating to an identified or identifiable living, natural person (“Data Subject”).

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.

“Software-as-a-Service” (or “SaaS”) shall have the meaning as defined in Section I. of Adverity’s Master Subscription Agreement.  

“Standard Contractual Clauses” mean standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

“Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of the Data Processor.

 

XII. Final Provisions

Back to top

In the event of a conflict with additional agreements, this DPA shall prevail regarding Personal Data processing, and be governed by Austrian law, with disputes subject to the jurisdiction of the Data Processor's registered seat; ineffective provisions will be replaced.

1. If the Data Controller and the Data Processor have entered into additional agreements in conflict with this DPA, the provisions of this DPA regarding the processing of Personal Data shall take priority, except where such provision is included in the Commercial Agreement to supplement this DPA. All other conflicting provisions shall be governed by the provisions of the Commercial Agreement.

2. This DPA is governed by the law of the Republic of Austria to the exclusion of the conflict law rules under private international law and the UN Convention on the International Sale of Goods. In the event of all disputes arising from a contract – including disputes about its existence or non-existence – the courts with subject-matter jurisdiction at the registered seat of the Data Processor shall be the exclusive forum.

3. The plain language descriptions in this DPA are for reference purposes only, and shall not in any way define, limit, or extend the scope of this DPA.  If a provision or parts of a provision in this DPA is or becomes ineffective under applicable legislation, this will not affect the effectiveness and validity of the remaining provisions. The contracting parties will replace it with a provision which, in terms of content, is as close as possible to the ineffective provision.

 

 

 

Appendix 1 – Technical and Organizational Measures (“TOMs”)

Back to top

The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing.

 

General Description of Measures 

Description of Measures Implemented 

Physical Access  and Environmental Control 

Suitable physical security and environmental controls are in place and designed to protect, control, and restrict physical access for systems and servers

Used hosting providers comply with:

  • information security standards such as with ISO 27018 and ISO 27001 and can provide certificates for evidence

  • AICPA SOC 2 standard and can provide reports for evidence

Logical Access Control (systems)

Preventing data processing systems from being used without authorization

  • Database security controls restrict access

  • Access rights are granted based on roles and need to know

  • Password policy based on established information security standards such as BSI and NIST

  • Automatic blocking of access (e.g. password, timeout)

  • Protocol of failed log-in attempts

Access Control (data)

Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization

  • Access rights are granted based on roles and need to know

  • Approval process for access rights

  • Periodical reviews of access rights

  • Signed confidentiality undertakings

  • Optional restricted to VPN (Virtual Privacy Networks) access only

Transmission Control

Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data

  • Encrypted transfer based on secure management of encryption keys and minimum requirements for encryption algorithm (e.g. AES 256)

  • Log files

Input Control

Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed

  • Access rights granted based on roles and need to know

  • Approval process for access rights

  • Periodical reviews of access rights

  • Log files

Job Control

Ensuring that the Personal Data is processed exclusively in accordance with the instructions

  • Diligently selecting (Sub-)processors and other service providers

  • Documenting selection procedures (privacy and security policies, audit reports, certifications)

  • Backgrounds of service providers are checked, subsequent monitoring

  • Standardized policies and procedures (including clear segregation of responsibilities)

  • Documentation of instructions received from Data Controller

  • Signed confidentiality undertakings

Availability Control

Ensuring that Personal Data is protected from accidental destruction and loss

Used hosting provider comply with:

  • Information security standards such as ISO 27018 and ISO 270001 and can provide certificates for evidence
  • AICPA SOC 2 standard and can provide reports for evidence

Additional managed by Data Processor:

  • Backup procedures based on Business Impact Analysis
  • Disaster recovery plan
  • Routinely tests of disaster recovery plan

Separation Control

Ensuring that data collected for different purposes can be processed separately

  • Separate processing possibilities in the SaaS

  • Separation between productive and test data

  • Detailed management of access rights

 

 

Document Information

Document Owner

VP Legal & Compliance

Version

V6.0

Date of Version

2024-05-09

 

View outdated Data Processing Agreements

v2.0 (2020-06-01)
v2.1 (2020-12-11)
v3.0 (2021-04-26)
v4.0 (2021-10-08)
v4.1 (2022-02-18)
v4.2 (2022-04-07)
v4.3 (2022-09-02)
v5.0 (2023-01-23)
v5.1 (2023-04-21)
v5.2 (2023-10-16)