<br />Submittable Customer Terms of Service
<br />v1.4
<br />9.3. Unless applicable law requires otherwise, or any notice which Submittable deems necessary or appropriate
<br />and which does not include any reference to Customer, Submittable agrees that Customer has the sole
<br />right to determine: (1) whether to provide notice of the Security Breach to any Data Subjects, regulators,
<br />Supervisory Authority, law enforcement agencies, or others, as required by applicable law or in Customer’s
<br />discretion, including the contents and delivery method of the notice; and (2) whether to offer any type of
<br />remedy to affected Data Subjects, including the nature and extent of such remedy.
<br />9.4. Subject to any limitations in the TOS, Submittable will cover all reasonable expenses associated with the
<br />performance of the obligations under Section 9.2 and Section 9.3, unless the matter arose from (a)
<br />Customer’s specific instructions; (b) any negligence, willful default, or breach of this DPA or the TOS by
<br />Customer, or any employee, agent, contractor, representative, or Authorized Affiliate of Customer; (c) any
<br />breach or unauthorized access of the system, server(s), network(s), website(s), information, data, or
<br />records of Customer which were not in the possession or control of Submittable or its Sub-processors; or
<br />(d) any Security Breach which originated with, was caused by, or resulted from any Customer owned and
<br />operated server, website, system, software, or network, which were not the result of any actions or inactions
<br />of Submittable or its Sub-processors, which in any of the foregoing cases Customer will cover all reasonable
<br />expenses.
<br />9.5. In the event of a Security Breach, each Party shall use reasonable efforts in good faith to mitigate any
<br />reputational and brand damage to the other affected Party.
<br />10. Cross-Border Transfers of Personal Information.
<br />10.1. For purposes of the GDPR, the Parties acknowledge and agree that with regard to the Processing of
<br />Personal Information, Customer is the Controller and Submittable is a Processor.
<br />10.2. If the Privacy and Data Protection Requirements restrict cross-border Personal Information transfers,
<br />Customer will only transfer or cause to be transferred that Personal Information to Submittable under the
<br />following conditions:
<br />10.2.1. Submittable, either through its location or participation in a valid cross-border transfer
<br />mechanism under the Privacy and Data Protection Requirements, may legally receive that
<br />Personal Information;
<br />10.2.2. Customer obtained valid Data Subject consent to the transfer under the Privacy and Data
<br />Protection Requirements; or
<br />10.2.3. the transfer otherwise complies with the Privacy and Data Protection Requirements.
<br />10.3. Transfers out of the EEA or Switzerland. By signing this DPA, the Parties conclude Module 2 (controller-to-
<br />processor) of the Standard Contractual Clauses for personal data that is transferred outside of the EEA or
<br />Switzerland, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is
<br />Customer; the “data importer” is Submittable; the optional docking clause in Clause 7 is implemented;
<br />Clause 9(a) Option 1 is struck and Option 2 is kept; in Clause 11 the optional language is struck; in Clause
<br />17 and 18, the Governing law and the competent courts are those of the data exporter; Annex 1, 2, and 3
<br />to Module 2 of the Standard Contractual Clauses are Appendix 1 to this DPA.
<br />10.4. Transfers out of the United Kingdom. By signing this DPA, the Parties conclude the UK Standard
<br />Contractual Clauses for Personal Data that is transferred outside of the United Kingdom, which are hereby
<br />incorporated into this DPA and completed as follows: the “data exporter” is Customer; the “data importer”
<br />is Submittable; the governing law in Clause 9 and Clause 11.3 of the UK Standard Contractual Clauses is
<br />the law of England and Wales; Appendix 1 to this DPA contains the information for Appendix 1 to the UK
<br />Standard Contractual Clauses, respectively; and the optional indemnification clause is struck. In addition,
<br />the following changes apply: (i) references to Data Protection Law are replaced with references to
<br />applicable UK data protection law, (ii) references to the EU or Member States are replaced with references
<br />to the United Kingdom, (iii) references to EU authorities are replaced with references to the competent UK
<br />authorities.
<br />10.5. Subject to the terms of this DPA, Submittable makes available the transfer mechanisms listed on Appendix
<br />1 to any transfers of Personal Information under this DPA from the European Union, the European
<br />Economic Area and/or their member states, Switzerland and the United Kingdom to countries or territories
<br />which do not ensure an adequate level of data protection within the meaning of Privacy and Data Protection
<br />Requirements of the foregoing territories, to the extent such transfers are subject to such Privacy and Data
<br />Protection Requirements.