Terms and Conditions

Track, Trace & Secure

1. Definitions. Capitalized terms shall have their meaning as defined or as otherwise set forth in Section 15.

2. Services.

2.1   Services.

(a) Subject to and conditioned on Customer’s and its Authorized Users’ acceptance of and compliance with the Agreement, Provider shall provide to Customer and its Authorized Users the services described in the Agreement (collectively, the “Services”), in accordance with the terms of the Agreement.

(b) If Customer purchases a subscription to the TTS Tech Solutions API as part of the Services:

(i) Provider will provide the TTS Tech Solutions API via a TTS Tech Solutions API key or password, and Customer may access and use the TTS Tech Solutions API (including any credentials and certificates) solely in connection with the products and services provided by Provider to its customers.

(ii) Customer will be responsible for all uses of its TTS Tech Solutions API key or password and will notify Provider immediately of any unauthorized use of Provider’s TTS Tech Solutions API key or password.

(iii) The TTS Tech Solutions API will not include archived databases.

(iv) In connection with all Integrations, Provider may impose rate limits in accordance with Exhibit A.

(v) Customer and Provider will comply with Exhibit B if Customer’s use of the TTS Tech Solutions API involves accessing or utilizing “Personal Data” (as defined in Exhibit B) that Provider maintains or makes available to Customer.

(vi) Customer’s use of the TTS Tech Solutions API will be subject to the restrictions set forth in Exhibit C.

(vii) Customer must notify Provider in writing of any new Integrations before work begins on the Integration. The notice must describe (1) the proposed Integration’s workflow, and (2) the problem or initiative that the Customer intends the Integration to address or resolve. This notice must be given sufficiently in advance to allow Provider to review the Integration. Customer will not implement any Integration, or allow any Integration to be implemented, until Provider has reviewed the proposed Integration. Provider reserves the right to see and validate the built integration before it is deployed to production.

(viii) Before a third party may begin work on any Third-Party Integration, the notice required by Section 2.1(b)(vii) must identify the third party providing the Third-Party Integration. After conducting its review of the Integration under Section 2.1(b)(vii), Provider will issue credentials for the TTS Tech Solutions API directly to the third party. Provider reserves the right to see and validate the built integration before it is deployed to production.

(ix) In connection with any Third-Party Integrations: (1) before the third party begins work on the Third-Party Integration, Customer will inform the third party of the requirements imposed by Exhibits A, B, and C of this agreement, and will obtain written verification from the third party that the third party will comply with all such requirements; and (2) Customer will implement transaction-level logging of all traffic to Provider, which, for each transaction, should at a minimum include the call type, destination Provider customer, date and time, and overall response time. These logs should be retained by Customer as long as practical, but no less than 90 days. Customer will provide evidence of logging to Provider within 7 business days of initial traffic.

(x) Customer may not use the TTS Tech Solutions API in more than three Integrations without first discussing with Provider for permission to perform additional Integrations.

(xi) If an Integration violates this Section 2.1 or Exhibit A, B, or C (to the extent Exhibit A, B, or C is applicable to the Integration), Provider may disable the Integration and neither the Customer nor any Third-Party will have any recourse against Provider in connection with the disabled Integration.

2.2   Subcontractors. Provider may from time to time in its discretion engage third parties to perform Services (each, a “Subcontractor”), provided that such Subcontractors agree in writing to confidentiality terms at least as protective as those in the Agreement and provided that Provider shall remain responsible for its Subcontractors.

3. Restrictions. Neither Customer, nor its employees, contractors or other Persons within Customer’s control (collectively, “Customer Personnel”), shall access or use the Services or Provider Materials except as expressly permitted by the Agreement and, in the case of Third-Party Materials, the applicable third-party license agreement. For purposes of clarity and without limiting the generality of the foregoing, neither Customer nor Customer Personnel shall:

(a)   copy, modify or create derivative works or improvements of the Services or Provider Materials, except as the Agreement expressly permits;

(b)   rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer or otherwise make available any Services or Provider Materials to any Person, including on or in connection with the internet or any time-sharing, service bureau, software as a service, cloud or other technology or service, except as the Agreement expressly permits;

(c)   reverse engineer, disassemble, decompile, decode, adapt or otherwise attempt to derive or gain access to the source code of the Services or Provider Materials, in whole or in part;

(d)   bypass or breach any security device or protection used by the Services or Provider Materials or access or use the Services or Provider Materials other than by an Authorized User through the use of his or her own then valid Access Credentials;

(e)   input, upload, transmit or otherwise provide to or through the Services or Provider Systems, any information or materials that are unlawful or injurious, or contain, transmit or activate any Harmful Code;

(f)    damage, destroy, disrupt, disable, impair, interfere with or otherwise impede or harm in any manner the Services, Provider Systems or Provider’s provision of services to any third party, in whole or in part;

(g)   remove, delete, alter or obscure any trademarks, Documentation, warranties or disclaimers, or any copyright, trademark, patent or other intellectual property or proprietary rights notices from any Services or Provider Materials, including any copy thereof;

(h)   access or use the Services or Provider Materials for purposes of competitive analysis of the Services or Provider Materials, the development, provision or use of a competing software service or product or any other purpose that is to Provider’s detriment or commercial disadvantage;

(i)    use the Services for any purpose that may (i) menace or harass any person or cause damage or injury to any person or property, (ii) involve the publication of any material that is false, defamatory, harassing or obscene, (iii) violate privacy rights or promote bigotry, racism, hatred, or harm, (iv) constitute an infringement of intellectual property or other proprietary rights, or (v) otherwise violate applicable laws, ordinances, or regulations;

(j)   send unsolicited text messages, commonly known as spam;

(k)   otherwise access or use the Services or Provider Materials beyond the scope of the authorization granted under Section 2.1.

4. Fees; Payment Terms.

4.1   Fees. The Customer shall pay Provider the fees set forth in the Agreement (“Fees”) in accordance with this Section 4. Unless otherwise set forth in the Agreement or otherwise agreed to in writing by Customer and Provider, the Fees will increase annually on the Agreement’s anniversary by the greater of 3% or the increase in CPI.

4.2   Taxes. All Fees and other amounts payable by Customer under the Agreement are exclusive of sales, use and similar taxes. Customer is responsible for all such taxes imposed by any federal, state or local governmental or regulatory authority on any amounts payable by Customer hereunder, excluding, for the avoidance of doubt, any taxes imposed on Provider’s income.

4.3   Payment. Customer shall pay all Fees within 30 days after the date of the invoice therefor. Customer shall make all payments hereunder in US dollars. Customer shall make payments to the address or account specified in the Agreement or such other address or account as Provider may specify in writing from time to time.

4.4   No Deductions or Setoffs. All amounts payable to Provider under the Agreement shall be paid by Customer to Provider in full without any setoff, recoupment, counterclaim, deduction, debit or withholding for any reason (other than any deduction or withholding of tax as may be required by applicable Law).

4.5   Data Storage. Included with Customer subscription is Data Storage up to 2 GB. Additional Data Storage may be purchased by Customer for a fee.

5. Intellectual Property Rights.

5.1   Services and Provider Materials. Except as explicitly set forth herein, all right, title and interest in and to the Services and Provider Materials, including all Intellectual Property Rights therein, are and will remain with Provider and the respective rights holders in the Third-Party Materials.

5.2   Customer Data. As between Customer and Provider, Customer is and will remain the sole and exclusive owner of all right, title and interest in and to all Customer Data, including all Intellectual Property Rights relating thereto, subject to Provider’s, its Subcontractor’s and the Provider Personnel’s use of the data solely to perform the Services.

6. Confidentiality.

6.1   Confidential Information. In connection with the Agreement, each party (as the “Disclosing Party”) may disclose or make available Confidential Information to the other party (as the “Receiving Party”). Subject to Section 6.2, “Confidential Information” means information in any form or medium (whether oral, written, electronic or other) that the Disclosing Party considers confidential or proprietary, including information consisting of or relating to the Disclosing Party’s technology, trade secrets, know-how, business  operations, plans, strategies, customers, and pricing, and information with respect to which the Disclosing Party has contractual or other confidentiality obligations, in each case  whether or not marked, designated or otherwise identified as “confidential”. Without limiting the foregoing: all Provider Materials are the Confidential Information of Provider and the terms and existence of the Agreement are the Confidential Information of each of the parties.

6.2   Exclusions. Confidential Information does not include information that the Receiving Party can demonstrate by written or other documentary records: (a) was rightfully known to the Receiving Party without restriction on use or disclosure prior to such information’s being disclosed or made available to the Receiving Party in connection with the Agreement; (b) was or becomes generally known by the public other than by the Receiving Party’s or any of its Representatives’ noncompliance with the Agreement; (c) was or is received by the Receiving Party on a non-confidential basis from a third party that, to the Receiving Party’s knowledge, was not or is not, at the time of such receipt, under any obligation to maintain its confidentiality; or (d) the Receiving Party can demonstrate by written or other documentary records was or is independently developed by the Receiving Party without reference to or use of any Confidential Information.

6.3   Protection of Confidential Information. As a condition to being provided with any disclosure of or access to Confidential Information, the Receiving Party shall:

(a)   not access or use Confidential Information other than as necessary to exercise its rights or perform its obligations under and in accordance with the Agreement;

(b)   except as may be permitted by and subject to its compliance with Section 6.4, not disclose or permit access to Confidential Information other than to its Representatives who: (i) need to know such Confidential Information for purposes of the Receiving Party’s exercise of its rights or performance of its obligations under and in accordance with the Agreement; (ii) have been informed of the confidential nature of the Confidential Information and the Receiving Party’s obligations under this Section 6.3; and (iii) are bound by written confidentiality and restricted use obligations at least as protective of the Confidential Information as the terms set forth in this Section 6.3;

(c)   safeguard the Confidential Information from unauthorized use, access or disclosure using at least the degree of care it uses to protect its sensitive information and in no event less than a reasonable degree of care; and

(d)   ensure its Representatives’ compliance with, and be responsible and liable for any of its Representatives’ non-compliance with, the terms of this Section 6.

6.4   Compelled Disclosures. If the Receiving Party or any of its Representatives is compelled by applicable Law to disclose any Confidential Information then, to the extent permitted by applicable Law, the Receiving Party shall: (a) promptly, and prior to such disclosure, notify the Disclosing Party in writing of such requirement so that the Disclosing Party can seek a protective order or other remedy or waive its rights under Section 6.3; and (b) provide reasonable assistance to the Disclosing Party, at the Disclosing Party’s sole cost and expense, in opposing such disclosure or seeking a protective order or other limitations on disclosure. If the Disclosing Party waives compliance or, after providing the notice and assistance required under this Section 6.4, the Receiving Party remains required by Law to disclose any Confidential Information, the Receiving Party shall disclose only that portion of the Confidential Information that the Receiving Party is legally required to disclose and, on the Disclosing Party’s request, shall use commercially reasonable efforts to obtain assurances from the applicable court or other presiding authority that such Confidential Information will be afforded confidential treatment.

6.5   Disclosures to Social Media Platforms. Notwithstanding anything to the contrary in this Agreement, Provider’s disclosure of information received from, regarding, or relating to (a) Customer, (b) Customer’s owners, managers, members, officers, employees, clients, or customers, or (c) this Agreement to WhatsApp, Facebook, any application provided by Meta Platforms, Inc., or any other social media platform or application that Provider currently has a contractual relationship with or that Provider may in the future have a contractual relationship with (collectively, the “Third-Party Social Media Platforms”) as required by Provider’s contractual agreements with the Third-Party Social Media Applications’ providers is not a violation of this Section 6, or any other confidentiality or data security obligations that Provider owes to Customer.

7. Information Security. Provider will comply with the data security requirements set forth on Exhibit D, which is attached hereto and incorporated herein by reference.

8. Term and Termination.

8.1   Term. The term of the Agreement commences as of the effective date set forth in the Agreement and shall continue for the time frame set forth in the Agreement, unless superseded or otherwise terminated by mutual written agreement of the parties or pursuant to the termination provisions hereto.

8.2   Renewal Terms. After the initial term of the Agreement, the term of the Agreement will automatically renew for subsequent one-year periods until a party provides at least 30 days written notice prior to the end of the then-current term.

8.3   Termination. In addition to any other express termination right set forth elsewhere in the Agreement:

(a)   either party may terminate the Agreement, effective on written notice to the other party, if the other party breaches the Agreement (including Customer’s failure to pay any amount due under the Agreement), and such breach: (i) is incapable of cure; or (ii) being capable of cure, remains uncured 30 days after the non-breaching party provides the breaching party with written notice of such breach; and

(b)   either party may terminate the Agreement, effective immediately upon written notice to the other party, if the other party:

(i)   becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (ii) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency Law; (iii) makes or seeks to make a general assignment for the benefit of its creditors; or (iv) applies for or has appointed a receiver, trustee, custodian or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

8.4   Effect of Expiration or Termination. Upon any expiration or termination of the Agreement, except as expressly otherwise provided in the Agreement:

(a)   all rights, licenses, consents, and authorizations granted by either party to the other hereunder will immediately terminate;

(b)   Provider shall return to Customer, or at Customer’s written request destroy, all documents and tangible materials containing Customer Data or Customer’s Confidential Information;

(c)   Customer shall immediately cease all use of any Services or Provider Materials and promptly return to Provider, or at Provider’s written request destroy, all documents and tangible materials containing any Provider Materials or Provider’s Confidential Information;

(d)  Provider may immediately disable all Customer and Authorized User access to the Services and Provider Materials; and

(e)  if Customer terminates the Agreement pursuant to Section 8.3(a) or Section 8.3(b), Customer will be relieved of any obligation to pay any Fees attributable to the period after the effective date of such termination and Provider will refund to Customer any pre-paid Fees for Services that Provider has not performed as of the effective date of termination.

8.5   Surviving Terms. The provisions set forth in the following sections, and any other right or obligation of the parties in the Agreement that, by its nature, should survive termination or expiration of the Agreement, will survive any expiration or termination of the Agreement: Section 3, Sections 5 through 15.

9. DISCLAIMER OF WARRANTIES. ALL SERVICES AND PROVIDER MATERIALS ARE PROVIDED “AS IS” AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHER, AND PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE OR TRADE PRACTICE. WITHOUT LIMITING THE FOREGOING, PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE SERVICES OR PROVIDER MATERIALS, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE OR ERROR-FREE. ALL THIRD-PARTY MATERIALS ARE PROVIDED “AS IS” AND ANY REPRESENTATION OR WARRANTY OF OR CONCERNING ANY THIRD-PARTY MATERIALS IS STRICTLY BETWEEN CUSTOMER AND THE THIRD-PARTY OWNER OR DISTRIBUTOR OF THE THIRD-PARTY MATERIALS.

10. Indemnification.

10.1   Provider Indemnification. Provider shall indemnify, defend and hold harmless Customer and its officers, directors, employees, successors, and assigns (each, a “Customer Indemnitee”) from and against any and all Losses incurred by Customer arising out of or relating to any claim, suit, action or proceeding (each, an “Action”) by a third party (other than an Affiliate of Customer) alleging that Customer’s use of the Services (excluding Customer Data and Third-Party Materials) in compliance with the Agreement infringes a third party’s U.S. Intellectual Property Rights. The foregoing obligation does not apply to any Action or Losses to the extent arising out of or relating to any:

(a)   access to or use of the Services or Provider Materials in combination with any hardware, system, software, network or other materials or service not provided or authorized in writing by Provider;

(b)   modification of the Services or Provider Materials other than: (i) by or on behalf of Provider; or (ii) with Provider’s written approval in accordance with Provider’s written specification;

(c)   failure to timely implement any modifications, upgrades, replacements or enhancements made available to Customer by or on behalf of Provider; or

(d)   matter described in Section 10.2, whether or not the same results in any Action against or Losses by any Customer Indemnitee.

10.2   Customer Indemnification. Customer shall indemnify, defend and hold harmless Provider and its officers, directors, employees, agents, successors and assigns (each, a “Provider Indemnitee”) from and against any and all Losses incurred by such Provider Indemnitee in connection with any Action by a third party (other than an Affiliate of a Provider Indemnitee) alleging that the Customer Data, or any Processing of Customer Data by or on behalf of Provider in accordance with the Agreement, infringes, misappropriates or constitutes the unauthorized use of a third party’s U.S. Intellectual Property Rights or personal information.

10.3   Indemnification Procedure. Each party shall promptly notify the other party in writing of any Action for which such party believes it is entitled to be indemnified pursuant to Section 10.1 or Section 10.2, as the case may be. The party seeking indemnification (the “Indemnitee”) shall cooperate with the other party (the “Indemnitor”) at the Indemnitor’s sole cost and expense. The Indemnitor shall immediately take control of the defense and investigation of such Action and shall employ counsel of its choice to handle and defend the same, at the Indemnitor’s sole cost and expense. The Indemnitee’s failure to perform any obligations under this Section 10.3 will not relieve the Indemnitor of its obligations under this Section 10 except to the extent that the Indemnitor can demonstrate that it has been materially prejudiced as a result of such failure. The Indemnitee may participate in and observe the proceedings at its own cost and expense with counsel of its own choosing.  Neither party, as the Indemnitor, shall enter into any settlement that imposes any liability on the Indemnitee without the prior written consent of the Indemnitee to be affected by the settlement.

10.4   Mitigation. If any of the Services or Provider Materials are, or in Provider’s opinion are likely to be, claimed to infringe, misappropriate or otherwise violate any third-party Intellectual Property Right, or if Customer’s or any Authorized User’s use of the Services or Provider Materials is enjoined or threatened to be enjoined, Provider may, at its option and sole cost and expense:

(a)   obtain the right for Customer to continue to use the Services and Provider Materials materially as contemplated by the Agreement;

(b)   modify or replace the Services and Provider Materials, in whole or in part, to seek to make the Services and Provider Materials (as so modified or replaced) non-infringing, while providing materially equivalent features and functionality, in which case such modifications or replacements will constitute Services and Provider Materials, as applicable, under the Agreement; or

(c)    If neither (a) nor (b) are commercially reasonable, terminate the Agreement with respect to all or part of the Services and Provider Materials, require Customer to immediately cease any use of the Services and Provider Materials or any specified part or feature thereof, and Provider shall provide a refund to Customer of any pre-paid Fees for Services that Provider has not performed as of the effective date of termination.

THIS SECTION 10 SETS FORTH CUSTOMER’S SOLE REMEDIES AND PROVIDER’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED OR ALLEGED CLAIMS THAT THE AGREEMENT OR ANY SUBJECT MATTER HEREOF (INCLUDING THE SERVICES AND PROVIDER MATERIALS) INFRINGES, MISAPPROPRIATES OR OTHERWISE VIOLATES ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHT.

11. Limitations of Liability.

11.1   EXCLUSION OF DAMAGES. EXCEPT AS OTHERWISE PROVIDED IN SECTION 11.3, IN NO EVENT WILL EITHER PARTY BE LIABLE UNDER OR IN CONNECTION WITH THE AGREEMENT OR ITS SUBJECT MATTER UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY AND OTHERWISE, FOR ANY: (a) LOSS OF PRODUCTION, USE, BUSINESS, REVENUE OR PROFIT; OR (b) IMPAIRMENT, INABILITY TO USE OR LOSS, INTERRUPTION OR DELAY OF THE SERVICES CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED OR PUNITIVE DAMAGES, REGARDLESS OF WHETHER SUCH PERSONS WERE ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE, AND NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE.

11.2   CAP ON MONETARY LIABILITY. EXCEPT AS OTHERWISE PROVIDED IN SECTION 11.3, IN NO EVENT WILL THE AGGREGATE LIABILITY OF PROVIDER AND ITS LICENSORS, SERVICE PROVIDERS AND SUPPLIERS UNDER OR IN CONNECTION WITH THE AGREEMENT OR ITS SUBJECT MATTER, UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY AND OTHERWISE, EXCEED THE TOTAL AMOUNT PAID BY CUSTOMER DURING THE PRIOR 12 MONTHS. THE FOREGOING LIMITATION APPLIES NOTWITHSTANDING THE FAILURE OF ANY AGREED OR OTHER REMEDY OF ITS ESSENTIAL PURPOSE.

11.3   Exceptions. The exclusions and limitations in Section 11.1 and Section 11.2 do not apply to a party’s obligations under Section 6 (Confidentiality), Section 10 (Indemnification) or liability for a party’s gross negligence or willful misconduct.

12. Force Majeure. Any delay in the performance of any duties or obligations of either party (except the payment of money owed) will not be considered a breach of the Agreement if such delay is caused by a labor dispute, shortage of materials, fire, earthquake, flood, or any other event beyond the control of such party, including downtime caused by a third-party hosting provider, provided that such party uses reasonable efforts, under the circumstances, to notify the other party of the circumstances causing the delay and to resume performance as soon as possible.

13. Insurance. Provider will maintain the following: (i) General Liability Insurance of One Million Dollars ($1,000,000) per occurrence and Two Million Dollars ($2,000,000) in the aggregate; (ii) Automobile Liability Insurance in an amount of One Million Dollars ($1,000,000) per occurrence combined single limit; and (iii) Technology Errors and Omissions Insurance in an amount of One Million Dollars ($1,000,000) per claim and Two Million Dollars ($2,000,000) in the aggregate.

14. Miscellaneous.

14.1   Relationship of the Parties. The relationship between the parties is that of independent contractors. Nothing contained in the Agreement shall be construed as creating any agency, partnership, joint venture or other form of joint enterprise, employment or fiduciary relationship between the parties, and neither party shall have authority to contract for or bind the other party in any manner whatsoever.

14.2   Notices. All notices, requests, consents, claims, demands, waivers and other communications under the Agreement have binding legal effect only if in writing and addressed to a party as set forth in the Agreement (e.g., on the cover page), or to such other address or such other person that such party may designate from time to time in accordance with this Section 14.2. Notices sent in accordance with this Section 14.2 will be deemed effectively given: (a) when received, if delivered by hand, with signed confirmation of receipt; (b) when received, if sent by a nationally recognized overnight courier, signature required; (c) when sent, if by facsimile or e-mail, if sent during the addressee’s normal business hours, and on the next business day, if sent after the addressee’s normal business hours; and (d) on the 3rd day after the date mailed by certified or registered mail, return receipt requested, postage prepaid.

14.3   Headings. The headings in the Agreement are for reference only and do not affect the interpretation of the Agreement.

14.4   Entire Agreement. The Agreement constitutes the sole and entire agreement of the parties with respect to the subject matter of the Agreement and supersedes all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of the Agreement, the related exhibits, schedules, attachments and appendices and these Terms and Conditions, the following order of precedence governs: (a) first, the Agreement, excluding its exhibits, schedules, attachments and appendices; (b) second, the exhibits, schedules, attachments and appendices to the Agreement; and (c) third, any other documents incorporated into the body of the Agreement by reference, including these Terms and Conditions.

14.5   Assignment. Neither party shall assign or otherwise transfer the Agreement without the other party’s prior written consent; provided that either party may assign the Agreement in connection with a merger, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by the terms of the Agreement. Any assignment in contravention of this Section 14.8 shall be null and void.

14.6   No Third-party Beneficiaries. The Agreement is for the sole benefit of the parties hereto and their respective successors and permitted assigns and nothing herein, express or implied, is intended to or shall confer upon any other Person any legal or equitable right, benefit or remedy of any nature whatsoever under or by reason of the Agreement.

14.7   Amendment and Modification; Waiver. No amendment to or modification of the Agreement is effective unless it is in writing, identified as an amendment to the Agreement and signed by each party. No waiver by any party of any of the provisions hereof shall be effective unless explicitly set forth in writing and signed by the party so waiving.

14.8   Severability. If any term or provision of the Agreement is invalid, illegal or unenforceable in any jurisdiction, such invalidity, illegality or unenforceability shall not affect any other term or provision of the Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal or unenforceable, the parties hereto shall negotiate in good faith to modify the Agreement so as to effect the original intent of the parties as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

14.9   Governing Law; Submission to Jurisdiction. The Agreement is governed by and construed in accordance with the internal laws of the State of Delaware without giving effect to any choice or conflict of law provision.

14.10   Waiver of Jury Trial. Each party irrevocably and unconditionally waives any right it may have to a trial by jury in respect of any legal action arising out of or relating to the Agreement or the transactions contemplated hereby.

14.11   Equitable Relief. Each party acknowledges and agrees that a breach or threatened breach by such party of any of its obligations under Section 6 or, in the case of Customer, Section 3, would cause the other party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other party is entitled to seek equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.

14.12   Counterparts. The Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement. A signed copy of the Agreement delivered by facsimile, e-mail or other means of electronic transmission is deemed to have the same legal effect as delivery of an original signed copy of the Agreement.

14.13   Not Construed Against Drafter. The language of the Agreement shall not be interpreted in favor of or against any Party as the drafter of the Agreement.

15. Definitions.

“TTS Tech Solutions API” means optional application programming interfaces provided by Provider under this Agreement.

“Access Credentials” means any user name, identification number, password, license or security key, security token, PIN or other security code, method, technology or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.

“Affiliate” means an entity that now or hereafter controls, is controlled by or is under common control with a specified entity, where “control” means beneficial ownership, directly or indirectly, of more than 50% of the outstanding shares or other ownership interest (representing the right to vote for the election of directors or other managing authority or the right to make the decisions for such entity, as applicable) of an entity. Such entity shall be deemed an Affiliate only so long as such control exists.

“Agreement” means the agreement entered into between Customer and Provider for the provision of the Services. All references to the Agreement are meant to include the Agreement and these Terms and Conditions unless the reference is made specifically to the body of the Agreement (which reference would be intended to exclude these Terms and Conditions).

“Authorized User” means each of the individuals authorized to use the Services pursuant to the Agreement.

“CPI” means the Consumer Price Index presently designated as the United States Department of Labor, Bureau of Labor Statistics Consumer Price Index for all Urban Consumers, U.S. City Average, All Items (1982-1984=100).

“Customer Data” means information, data and other content, in any form or medium, that is collected, downloaded or otherwise received, directly or indirectly from Customer or an Authorized User by or through the Services or that incorporates or is derived from the Processing of such information, data or content by or through the Service.

“Documentation” means any manuals, instructions or other documents or materials that Provider provides or makes available to Customer in any form or medium and which describe the functionality, components, features or requirements of the Services or Provider Materials, including any aspect of the installation, configuration, integration, operation, use, support or maintenance thereof.

“Harmful Code” means any software, hardware or other technology, device or means, including any virus, worm, malware or other malicious computer code, the purpose or effect of which is to (a) permit unauthorized access to, or to destroy, disrupt, disable, distort, or otherwise harm or impede in any manner any (i) computer, software, firmware, hardware, system or network or (ii) any application or function of any of the foregoing or the security, integrity, confidentiality or use of any data Processed thereby, or (b) prevent Customer or any Authorized User from accessing or using the Services or Provider Systems as intended by the Agreement. Harmful Code does not include any Provider Disabling Device.

“Integration” means using the TTS Tech Solutions API to connect (a) an external system or application to (b) a system or application that the Provider provides to the Customer. “Integrations” include Proprietary Integrations and Third-Party Integrations.

“Intellectual Property Rights” means any and all registered and unregistered rights granted, applied for or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.

“Law” means any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, common law, judgment, decree or other requirements of any federal, state, local or foreign government or political subdivision thereof, or any arbitrator, court or tribunal of competent jurisdiction.

“Losses” means any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable attorneys’ fees and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.

“Person” means an individual, corporation, partnership, joint venture, limited liability entity, governmental authority, unincorporated organization, trust, association or other entity.

“Process” means to take any action or perform any operation or set of operations that the Services are capable of taking or performing on any data, information or other content, including to collect, receive, input, upload, download, record, reproduce, store, organize, compile, combine, log, catalog, cross-reference, manage, maintain, copy, adapt, alter, translate or make other derivative works or improvements, process, retrieve, output, consult, use, perform, display, disseminate, transmit, submit, post, transfer, disclose or otherwise provide or make available, or block, erase or destroy.

“Processing” and “Processed” have correlative meanings.

“Proprietary Integration” means an Integration in which the external system or application is developed and owned by the Customer.

“Provider” means TTS Tech Solutions, Inc.

“Provider Disabling Device” means any software, hardware or other technology, device or means used by Provider or its designee to disable Customer’s or any Authorized User’s access to or use of the Services automatically with the passage of time or under the positive control of Provider or its designee.

“Provider Materials” means the Service Software, Documentation and Provider Systems and any and all other information, data, documents, materials, works and other content, devices, methods, processes, hardware, software and other technologies and inventions, including any deliverables, technical or functional descriptions, requirements, plans or reports, that are provided or used by Provider or any Subcontractor in connection with the Services or otherwise comprise or relate to the Services or Provider Systems. For the avoidance of doubt, Provider Materials do not include Customer Data.

“Provider Personnel” means all individuals involved in the performance of Services as employees, agents or independent contractors of Provider or any Subcontractor.

“Provider Systems” means the information technology infrastructure used by or on behalf of Provider in performing the Services, including all computers, software, hardware, databases, electronic systems (including database management systems) and networks, whether operated directly by Provider or through the use of third-party services.

“Representatives” means, with respect to a party, that party’s and its Affiliates’ employees, officers, directors and legal advisors.

“Service Software” means the Provider software application or applications and any third-party or other software, and all new versions, updates, revisions, improvements and modifications of the foregoing, that Provider provides remote access to and use of as part of the Services.

“Third-Party Integration” means an Integration in which a third party provides the external system or application to the Customer.

EXHIBIT A

API Rate Limits Overview

TTS Tech Solutions API usage is subject to rate limiting. These limits mitigate denial-of-service attacks and abusive actions such as rapidly updating configurations, aggressive polling and concurrency, or excessive API calls.

The service protection limits are high enough that it should be rare for an individual using an API to encounter them during normal usage. However, it is possible if the client application allows for bulk operations. Client application developers should be aware of how service protection API limits are enforced and design the UI to reduce the potential for users to send extremely demanding requests to the server. But they should still expect that service protection API limit errors can occur and be prepared to handle them.

If this limit is exceeded or if CPU or total time limits are exceeded, the app or user may be throttled. API requests made by a throttled user or app will fail or be denied.

Application Rate Limit Categories and Cumulative Rate Limits
Provider enforces limits at the individual API endpoint level, expressed as requests per minute or requests per second depending on the usage and type of the API.

Category | Rate Limits (min/second) | Max Records
Authentication/End user | 60 (per min) | 1 record per call
System Setup – GET | 60 (per min) | 100 records per call
System Setup – PUT | 1 (per second) | 1 record per call
Announcements – GET | 60 (per min) | 100 records per call
Announcements – PUT | 1 (per second) | 1 record per call
Documents – GET | 1 (per second) | 1 record per call
Events – GET | 60 (per min) | 100 records per call
Events – PUT | 1 (per second) | 1 record per call
Documents – PUT | 1 (per second) | 1 record per call
Associated Person – GET | 60 (per min) | 100 records per call
Associated Person – PUT | 1 (per second) | 1 record per call
Systems Users – GET | 60 (per min) | 100 records per call
System Users – PUT | 1 (per second) | 1 record per call
IMS – GET | 60 (per min) | 100 records per call
IMS – PUT | 1 (per second) | 1 record per call
CMMS – GET | 100 (per min) | 1000 records per call
CMMS – PUT | 10 (per second) | 1 record per call
Conversations – GET | 100 (per min) | 1000 records per call
Conversations – PUT – SMS | 1 (per second) | 1 record per call
Conversations – PUT – SMS | Not Available | NA
CheckPoint – GET | 100 (per min) | 1000 records per call
CheckPoint – PUT | 1 (per second) | 1 record per call
Lost & Found – GET | 60 (per min) | 100 records per call
Lost & Found – PUT | 1 (per second) | 1 record per call
Tasks – GET | 60 (per min) | 100 records per call
Tasks – PUT | 1 (per second) | 1 record per call
Reports – GET | 1 (per min) | 1 record per call
Reports – PUT | Not available | NA

If an org-wide rate limit is exceeded, an HTTP 429 status code is returned.

Total CPU Time
The amount of CPU time the request takes to process. When total_cputime reaches the category limit above, calls may be throttled or denied.

Total Time
The length of time the request takes to process. When total_time reaches the category limit above, calls may be throttled or denied.

Retry Operations
When a service protection API limit error occurs, the API will provide an error indicating the duration before any new requests from the user can be processed. Generally, this is either per min or per second.

Exceeding Quota Limits
If the request quota for a TTS Tech Solutions API is exceeded, the API returns an error code 403 or 429 and a message that the account has exceeded the quota.
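A client-side way to stay inside the Exhibit A category limits and to handle 429 and 403 responses, given here as an added example that is not Provider’s code. The `send` transport, the shape of its return value and the `MAX_DELAY` cap are assumptions, because Exhibit A does not say how the wait duration is conveyed in the error.

```python
import time
from collections import deque

# Subset of the Exhibit A table: (category, method) -> (requests, window in seconds).
LIMITS = {
    ("Events", "GET"): (60, 60.0),
    ("Events", "PUT"): (1, 1.0),
    ("CMMS", "PUT"): (10, 1.0),
    ("Reports", "GET"): (1, 60.0),
}
MAX_DELAY = 300.0  # assumption: never let a server-supplied delay stall the client longer


class QuotaExceeded(Exception):
    """Raised for 403, or for 429 that persists; an operator must look at it."""


class Pacer:
    """Client-side sliding window: at most `count` calls per `window` per category."""

    def __init__(self, limits=LIMITS, clock=time.monotonic, sleep=time.sleep):
        self.limits, self.clock, self.sleep = limits, clock, sleep
        self.sent = {key: deque() for key in limits}

    def wait_turn(self, key):
        count, window = self.limits[key]
        stamps = self.sent[key]
        while True:
            now = self.clock()
            while stamps and now - stamps[0] >= window:
                stamps.popleft()          # drop calls that have left the window
            if len(stamps) < count:
                stamps.append(now)
                return
            self.sleep(window - (now - stamps[0]))


def call(pacer, key, send, max_attempts=4):
    """Run send() under the category limit, retrying only on 429.

    send is a hypothetical transport returning (status, retry_after, body), where
    retry_after is the wait in seconds parsed from the error, or None if absent.
    """
    window = pacer.limits[key][1]
    for _ in range(max_attempts):
        pacer.wait_turn(key)
        status, retry_after, body = send()
        if status == 429:
            # Use the indicated delay; without one, wait a full category window.
            delay = window if retry_after is None else retry_after
            pacer.sleep(min(max(delay, 0.0), MAX_DELAY))
            continue
        if status == 403:
            raise QuotaExceeded(body)     # not retried: repeating it only adds load
        return status, body
    raise QuotaExceeded("still throttled after %d attempts" % max_attempts)


class FakeClock:
    """Deterministic clock so the demo runs instantly."""

    def __init__(self):
        self.now = 0.0

    def clock(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def demo():
    out = {}
    # Three Events PUT calls (1 per second) are spread over two seconds.
    fc = FakeClock()
    pacer = Pacer(clock=fc.clock, sleep=fc.sleep)
    for _ in range(3):
        call(pacer, ("Events", "PUT"), lambda: (200, None, "ok"))
    out["paced_elapsed"] = fc.now

    # Constructed responses: 429 with a 5 s delay, 429 without one, then success.
    fc = FakeClock()
    pacer = Pacer(clock=fc.clock, sleep=fc.sleep)
    script = iter([(429, 5.0, ""), (429, None, ""), (200, None, "ok")])
    out["retry_result"] = call(pacer, ("Events", "PUT"), lambda: next(script))
    out["retry_elapsed"] = fc.now

    # A 403 quota error is surfaced after exactly one request.
    sends = []

    def denied():
        sends.append(1)
        return (403, None, "account has exceeded the quota")

    try:
        call(Pacer(clock=fc.clock, sleep=fc.sleep), ("Reports", "GET"), denied)
    except QuotaExceeded as exc:
        out["denied"] = (str(exc), len(sends))
    return out


if __name__ == "__main__":
    print(demo())
```

In production the default `time.monotonic` and `time.sleep` are used; `FakeClock` exists only so the pacing can be checked without waiting.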

Requesting Additional Quota
Customer may request an increase to the API quota only by providing a justified use case and evidence of optimized code. Approval of an increased quota is the decision of the Provider engineering team upon review of the documentation.

EXHIBIT B

PERSONAL DATA SECURITY OBLIGATIONS

DEFINITION: “Personal Data” means information that identifies an individual, including name, address, zip code, email address, phone number, other information which could be used to contact an individual (including in an online or otherwise digital environment) and other identifiers (including IP addresses and device identifiers), sensitive personal information (Social Security numbers, drivers’ license information, government ID numbers), and Protected Health Information (including as defined under HIPAA, such as health care claims).

All other capitalized terms have the meanings set forth in the Agreement.

1. Organizational Security Measures.

1.1. Point of Contact. Customer shall appoint a representative to act as a point of contact for Provider with respect to this Exhibit B. The representative shall be responsible for ensuring Customer’s compliance with this Exhibit B.

1.2. Security Program. Customer represents, warrants, and covenants that Customer has developed and implemented, and will consistently update and maintain as needed: (a) a written and comprehensive information security program in compliance with applicable laws, rules, regulations and industry standards; and (b) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identity theft (“Security Program”). Specifically, such Security Program shall include, at a minimum and in addition to the items contained in Section 2 below:

1.2.1. A data loss prevention program, with appropriate policies and/or technological controls designed to prevent loss of Personal Data through personal email, peripheral devices (including USB and CD/DVD media), and other means.

1.2.2. A disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Personal Data as well as security needs for back-up sites and alternate communication networks.

1.2.3. Secure transmission and storage of Personal Data.

1.2.4. Personnel security and integrity, including background checks where consistent with applicable law.

1.2.5. Annual training to Customer’s employees on how to comply with the Customer’s physical, technical, and administrative information security safeguards and confidentiality obligations under applicable laws, rules, regulations and guidelines.

1.2.6. Authentication and access control mechanisms over Personal Data, media, applications, operating systems and equipment.

1.2.7. Data retention and destruction procedures in accordance with Section 4 below.

1.3. Training. Customer shall provide appropriate training to its Personnel and subcontractors to ensure their treatment of the Personal Data is in accordance with the Agreement, including this Exhibit B. Customer shall provide such training to Personnel and subcontractors before they are allowed access to Personal Data and no less than annually thereafter. Such training shall be consistent with industry best practices. Upon reasonable notice from Provider, Customer will provide Provider with summaries or copies of Customer’s relevant training program.

1.4. Access. Customer shall limit disclosure of and access to Personal Data to only those Personnel who have a business need to access such Personal Data in order to provide the Services to Provider customer(s) and/or to fulfill the purposes of the Agreement. Customer shall establish, maintain, and enforce the security principles of “segregation of duties” and “least privileged access” with respect to all Personal Data. Customer shall reasonably update all access rights based on personnel or computer system changes and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to deliver the Services to Provider customer(s) and/or to fulfill the purposes of the Agreement. Customer shall verify all access rights through effective authentication methods.

1.5. Background Investigations of Personnel. Customer agrees that any Personnel of Customer or of any subcontractor who either are directly providing the Services under the Agreement and/or who have access to Personal Data shall have passed a background check. Each background check shall include the following minimum review of all Personnel: identity verification (utilizing Social Security numbers or other state/national ID number) and a criminal history check. Background checks must be performed by a member of the National Association of Professional Background Screeners or a competent industry-recognized Customer with the same level of professionalism within Customer’s jurisdiction.

2. Physical and Technical Security Measures.

2.1. Server Location. During the term of the Agreement, Personal Data shall at all times be hosted on servers that are physically located in North America, unless otherwise agreed in writing by the parties. Customer shall comply with, and provide Provider with commercially reasonable assistance to comply with, all applicable data privacy, security and cross-border transfer laws, regulations, and guidelines in the country to which and from which Personal Data will be transferred. Customer shall legitimize any cross-border exchange of Personal Data through data transfer mechanisms approved under applicable law, such as EU-approved Standard Contractual Clauses or Binding Corporate Rules with respect to transfers of Personal Data out of the European Union.

2.2. Data Segregation. Customer shall not merge or combine Personal Data with any other data set, unless authorized and/or approved by respective Provider customer(s) and notice given to Provider. Customer shall maintain Personal Data in Provider segregated logical access restricted folders or systems throughout the processing of such data.

2.3. Network Configuration, Access Control and Limiting Remote Access. Customer shall secure its computer networks by using and maintaining appropriate firewall and security screening technology that is designed to prevent unauthorized access. Customer ensures that the following network security controls are in place: (a) firewall platforms are hardened and have real time logging and alerting capabilities, (b) intrusion detection and prevention systems are in place and maintained at the perimeter and critical server systems, (c) Access lists are implemented on network routers to restrict access to sensitive internal networks or servers, (d) remote access requires two factor authentication and occurs over an encrypted tunnel e.g. IPSec, SSL-VPN, and (e) systems interacting with Provider are segregated from other network zones logically and physically including DMZ, production databases, back office, and software development areas. Customer shall secure access to and from its systems by disabling remote communications at the operating system level if no business need exists and/or by tightly controlling access through management approvals, robust controls, logging, and monitoring access events and subsequent audits. Customer shall identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files. Customer ensures that privileged accounts (administrator, super user, etc.) will be controlled and reviewed on at least an annual basis. Customer enforces a process to control and manage user accounts upon termination of employment or change in role within 24 hours of such termination or change.

2.4. Labeling. Customer shall, to the extent possible, limit the appearance of Personal Data on physical media, including paper documents. Customer shall control and protect access to such media to avoid loss or damage. Customer shall ensure safe and secure storage, transfer, exchange, and disposal of such media. If Personal Data is stored on media off-site for back-up purposes, such media shall not include any visible label identifying or listing the Provider name.

2.5. Encryption. Customer shall encrypt all sensitive Personal Data in its possession, custody or control while in transit or at rest. For the avoidance of doubt, “encryption” shall be deployed using PGP or other industry best practice for key based encryption protocol. Customer shall have in place appropriate technology to receive, store, and transmit the sensitive Personal Data in an encrypted format in order to provide the Services, and Customer will work with Provider to test Customer’s ability to deliver the data in an encrypted form to Provider.

2.6. Third-Party Data Centers. Where applicable, Customer using a third-party data center to host the Services shall ensure that (a) all application and database servers are physically isolated within the data center and secured from unauthorized physical access, (b) physical and network access is limited to Customer’s Personnel or approved subcontractor, and (c) Personal Data remains logically segregated from other data stored in any shared environment at all times and that use of any shared environment does not compromise the security, integrity, or confidentiality of Personal Data.

2.7. Security Patches. Customer shall deploy all applicable and necessary system security patches to all software and systems that process, store, or otherwise support the Services, including operating system, application software, database software, web server software within industry best practices and in accordance with its information security policies.

2.8. Virus/Malware Scanning. Customer shall use commercial virus/malware scanning software on systems used by Customer to collect, use, disclose, store, retain or otherwise process Personal Data. For purposes of this agreement, “virus/malware” refers to any programming routines intended to damage, surreptitiously intercept or expropriate any system data or personal information. Customer shall run up-to-date industry standard anti-virus software and software that identifies malicious code on all Customer systems that contain Personal Data, including scanning all email attachments for malicious code. Customer shall use commercially reasonable efforts to protect its own information technology against malicious code and ensure that its connection to the Internet and for any other platform or network running the Services is secure, and shall in accordance with industry standards and its own information security practices, acquire and implement new technology, including monitoring hardware and software, as the technology becomes available and is proven stable, in Customer’s reasonable discretion, to ensure a secure and stable environment.

2.9. Vulnerability Testing. Prior to providing any code, hosting services, or network connectivity with Provider, Customer must perform and be able to show proof that external penetration testing has been completed and that any reported vulnerabilities have been remediated. Proof includes the external pen test report or cover letter. For software, this includes tests for security vulnerabilities that are a part of the OWASP Top 10 or SANS Top 25. Customer will promptly address and correct all security vulnerabilities identified in a vulnerability test or report.

2.10. Life Cycle Development. Customer shall implement and maintain a secure software development life cycle for all applications which integrate with Provider’s environment. Customer will observe all industry standard application security guidelines, such as the Open Web Application Security Project (OWASP). Customer will ensure that (a) regular reviews of application source code occur, (b) developers receive detailed coding and design training in application security, (c) development, testing, production and operational facilities are separated to reduce the risk of unauthorized access or changes to the production and operational systems and Personal Data, (d) software developers are restricted from accessing production environment, and (e) data masking functionality is implemented in relation to software processing any financial-related Personal Data (including payment card and banking information).

2.11. System Change Control. Customer ensures that change control procedures are documented and maintained and detail why the change was required, how and why changes were executed and include an emergency change process. The change control process includes considering security control requirements, implementing them where necessary and testing these changes prior to implementation. Customer will notify Provider of any upgrades or configuration changes which may impact the security of Personal Data.

2.12. PCI DSS Compliance. Where Customer provides financial transactional functionality as part of the Services to Provider customer(s), Customer confirms it, and any third party that may perform such functions on its behalf, complies with the latest version of the PCI DSS requirements and will provide such evidence of compliance as required by Provider upon Provider’s request and that it will maintain such certification until termination of this agreement. If at any time Customer loses its compliance status it shall notify Provider immediately and Provider is entitled to immediately suspend and/or terminate the processing of Personal Data and/or terminate this agreement for material breach. Customer acknowledges that it is responsible for monitoring the PCI DSS compliance of all associated third parties Customer may provide with access to cardholder data in accordance with the prior written consent of Provider.

3. Security Reviews by Provider.

3.1. Internal Audits. Upon Provider’s written request, Customer shall provide Provider, at Customer’s expense, with the results of the most recent data security compliance reports or any audit performed by or on behalf of Customer that assesses the effectiveness of Companies, and any relevant third parties performing services on Customer’s behalf, information security program, system(s), internal controls, and procedures relating to the Services (i.e., SSAE16 SOC1 or other) as relevant to the security and confidentiality of Personal Data, including any report summarizing any control issues and associated corrective action plans and any management responses. Such reports shall be of sufficient scope and in sufficient detail as may reasonably be required by Provider to provide reasonable assurance that any material inadequacies would be disclosed by such examination, and, if there are no such inadequacies, the reports shall so state.

3.2. External Audits. During normal hours of business and with reasonable advance written notice to Customer, Provider or its designated agent may, at its own expense, audit Customer’s facilities, networks, systems, procedures, as well as its processing and maintenance of Personal Data and compliance with Customer’s obligations under the Agreement and this Exhibit B one time per year; provided that, Provider or its designated agent shall be permitted to conduct such reviews any time a Security Incident has occurred or is reasonably believed to have occurred, or any time, Provider, in its sole discretion, determines that Customer is not in compliance with the requirements of the Agreement, including this Exhibit B. Customer shall fully cooperate with such audit by providing access to knowledgeable personnel, physical premises (including onsite visits to Customer’s corporate offices and subcontractor facilities including third party data center(s) and through application penetration tests), documentation, infrastructure, and any application software that processes Personal Data or otherwise has access to Provider’s networks and systems. In the event that the Customer is unable to provide on-site access to Provider for audits, Customer shall make available all logs, records, and procedures relating to its information system. Provider shall be responsible for its costs and expenses of such audit (or the fees and costs of the third party performing the assessment), unless such audit reveals a breach of the Agreement or this Exhibit B by Customer, in which case Customer will reimburse Provider for such costs and expenses. Customer will promptly address and correct all deficiencies identified in such audit.

4. Retention and Disposal.

4.1. Data Retention. Customer shall retain material containing Personal Data only so long as necessary to perform the Services or carry out obligations under this Agreement. Upon termination or expiration of this Agreement or earlier as requested by Provider, Customer shall deliver to Provider or, at Provider’s election and in accordance with any instructions from Provider, destroy, any and all materials, documents or other media (whether maintained electronically or otherwise) containing Personal Data, together with all copies thereof in whatever form.

4.2. Data Disposal and Destruction. In the absence of further instructions from Provider, within 10 calendar days of a written request by Provider, all Personal Data to be disposed of by Customer must be disposed of using confidential waste destruction techniques in accordance with industry practice. Personal Data in electronic format shall be securely destroyed and rendered permanently unreadable and unrecoverable, including any associated back-up copies. Customer shall ensure that any back-up copies stored off-site or at a third-party location are also securely destroyed. As soon as reasonably practicable, but in no instance later than 90 days after required disposal, Customer shall delete all disposed Personal Data from its systems. For purposes of this paragraph, delete means to physically or logically destroy Personal Data such that it could not reasonably be recovered or linked back to a user. Acceptable methods of deletion include, but are not limited to, deletion by encryption, and permanent transformation of data to an anonymous state. Anonymous, for purposes of deletion, means data not reasonably likely to be re-identified by anyone either at Provider or anywhere else, including if publicly disclosed. After the complete destruction of the Personal Data, Customer shall provide a written certification to Provider to acknowledge that all data has been successfully destroyed.

5. Security Incident Response.

5.1. Security Incident Definition. Customer agrees to implement appropriate legal, administrative, technical, physical and organizational measures, including those described in this Exhibit B, to protect Personal Data in accordance with industry standards and practices against unauthorized or unlawful processing, access or disclosure and against unauthorized or accidental loss, destruction and damage, alteration, as well as any breach or attempted breach of Customer’s security measures (collectively “Security Incident”).

5.2. Notification. Customer shall notify Provider at kzaveri@ttstechsolutions.com.pk within 24 hours in the event that Customer learns or has reason to believe that a Security Incident has occurred or is reasonably likely to occur, including at least: (a) the nature of the Security Incident; (b) the types of potentially compromised Personal Data; (c) the duration and expected consequences of the Security Incident; (d) the date the Security Incident took place, and the date on which the Customer discovered the Security Incident; and (e) any mitigation or remediation measures taken or planned in response to the Security Incident.

5.3. Security Incident Response. In connection with any Security Incident, Customer shall immediately and to the extent reasonably possible (a) take all reasonable steps to investigate, remediate, and mitigate the effects of the Security Incident, and (b) provide Provider with assurances reasonably satisfactory to Provider and respective Provider customer(s) that such Security Incident will not recur. Further, Customer shall fully cooperate with Provider’s investigation into the Security Incident and provide all necessary material related to Provider and the Services to satisfy Provider’s investigation and resolution process. Customer shall provide reasonable access to information reasonably required by Provider and shall make Personnel and subcontractors available to the extent reasonably necessary to answer questions or otherwise assist Provider in determining the impact of the Security Incident on the Services and Provider. All information exchanged in connection with this investigation shall be deemed to be Provider’s Confidential Information. Notwithstanding anything to the contrary in this Agreement, Customer understands and agrees that Provider has the right to disclose Customer’s Confidential Information to third parties as necessary to assist the investigation and resolve a Security Incident, provided that Provider requires these third parties to treat the information as Confidential Information.

5.4. Security Incident Remedial Measures. Customer shall be responsible for all costs related to or arising from any Security Incident, including investigating the Security Incident, tracking and recovering Personal Data, and providing notifications (whether in Provider’s, respective Provider customer(s), or Customer’s name) to (a) all individuals affected by the Security Incident and (b) state, federal, or international law enforcement or regulatory agencies/bodies or other remedial measures Provider determines are warranted. The provision of such notifications, if any, including the content thereof, shall be solely at Provider’s discretion. The aforementioned remedial actions may include remedies provided to individuals affected by the Security Incident that are legally required and/or consistent with standard industry practices. In addition to any rights or remedies in the Agreement, including this Exhibit B, Provider may immediately terminate the Agreement in its entirety or a particular SOW upon notice to Customer, without any further liability or obligation to Provider, if Provider reasonably believes there has been a Security Incident.

6. Investigations and Data Subject Requests.

6.1. Regulatory Investigations and Requests. Customer shall provide reasonable assistance and support and assist Provider in the event of an investigation by a data protection regulator or other governmental authority, if and to the extent that such investigation relates to the collection, maintenance, use, processing or transfer of confidential or Personal Data under this Agreement. Should any regulatory body to which Provider is subject also require or request a security audit or review, Customer shall, with Provider’s full involvement (including Provider’s attendance at any related meetings with federal, state or other government officials) cooperate with any such requirement or request and provide to Provider, its authorized representatives, and/or an independent inspection body designated by Provider, on reasonable notice, (a) access to Customer’s information processing premises and records, and (b) reasonable assistance and cooperation of Customer’s relevant Personnel and subcontractors for the purpose of auditing Customer’s compliance with its obligations under this Agreement. If Customer receives a request from a third party in connection with any government, court, or law enforcement investigation or proceeding that Customer believes would require it to produce or disclose any Personal Data, then Customer shall, promptly and, to the extent legally feasible, prior to producing or disclosing such information, notify Provider in writing of such request, and reasonably cooperate with Provider if Provider wants to limit, challenge, or protect against the requested production or disclosure, to the extent permitted by applicable law or regulation.

6.2. Data Subject Requests. Customer shall promptly notify Provider if Customer receives a request from an individual to exercise any of their data protection rights under applicable data protection laws in connection with their Personal Data. Customer shall provide Provider with commercially reasonable cooperation and assistance in relation to any such request. Except as required by applicable data protection laws, Customer shall not respond to the individual other than at the written instruction of Provider. If, upon an individual’s request for access to their Personal Data, Customer is unable to produce the Personal Data requested as a result of an act or omission of Customer in violation of its obligations under the Agreement, including this Exhibit B, Customer shall be responsible for all costs associated with or arising from its inability to produce the Personal Data.

7. Non-Compliance. Customer will not materially lessen the security of any system used to collect, use, disclose, store, retain or otherwise process Personal Data during the term of the Agreement. In the event that Customer determines it is unable to comply with the obligations stated in the Agreement or this Exhibit B, Customer shall promptly notify Provider, and Provider may take any one or more of the following actions: (a) suspend the transfer of Personal Data to Customer; (b) require Customer to cease processing Personal Data; (c) demand the return or destruction of Personal Data; and (d) immediately terminate this Agreement.

8. General Data Protection Regulation. The provisions set out in Appendix 1 (Additional Data Security Provisions) shall also apply if, in the provision of the Services, vendor processes the type of Personal Data defined as “personal data” in EU Regulation 2016/679 (the General Data Protection Regulation) (a) on behalf of Provider in the context of the activities of an establishment in the European Union, or (b) relating to individuals in the European Union on behalf of Provider and such processing is related to (i) offering of goods or services, irrespective of whether a payment of the individual is required, to such individuals in the European Union or (ii) the monitoring of the behavior of such individuals (as far as their behavior takes place within the European Union).

9. Survival. This Exhibit B and all provisions herein shall survive so long as, and to the extent that, Customer retains any Personal Data.

Appendix 1 to Exhibit B

Additional Data Security Provisions

1. Definitions. For the purposes of this Appendix 1 to Exhibit B (Data Security), “controller”, “personal data”, “processing” (and “process”) and “processor” shall have the meanings given under EU Regulation 2016/679 (the General Data Protection Regulation).

2. Data protection role of the Parties. The parties agree that in respect of Customer’s processing of the Personal Data, Provider is the data controller and Customer is the data processor acting on Provider’s instructions.

3. Scope of processing. Upon request, Customer will provide a description of (a) the scope and nature of the Personal Data that Customer will process, as well as the purpose for conducting such processing, (b) the duration of the processing that Customer will conduct, and (c) the types of Personal Data that Customer will process and the categories of individuals whose Personal Data Customer will process.

4. Processing Instructions. Customer shall:

4.1. process the Personal Data on the documented instructions (such instructions being set out in this Agreement and as communicated to Customer from time to time) of Provider unless required to process that Personal Data for other purposes by European Union Law to which Provider or Provider’s Affiliates is subject and, where such a requirement is placed on Provider, it shall provide prior notice to Provider unless the relevant law prohibits the giving of notice on important grounds of public interest; and

4.2. inform Provider if, in its opinion, Provider’s instructions would be in breach of applicable data protection law.

5. Confidentiality of processing. Customer shall ensure that any person that it authorizes to process the Personal Data (including Customer’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Personal Data who is not under such a duty of confidentiality.

6. Sub-processors.

6.1. Upon request, Customer will give Provider a list of sub-processors that Customer will use to process Personal Data.

6.2. Provider provides a general authorization to Customer to engage further processors to process the Personal Data on the condition that Customer shall give Provider prior notice of any intended addition to or replacement of those further processors. Provider has the right to object to any intended addition or replacement of those further processors. If Provider objects to that change, Provider may terminate this Agreement for convenience.

6.3. Customer shall ensure that it has a written contract with any processors it engages to process the Personal Data. That contract must impose obligations on the processor equivalent to those set out in the Data Security exhibit and Customer shall ensure the processor complies with those obligations (including by auditing or otherwise taking steps in accordance with good industry practice to confirm such compliance at least annually). On request from Provider and from time to time, Customer shall confirm the timing, scope and findings of any such audit or confirmation exercise.

6.4. Customer shall remain fully liable for the acts, omissions and errors of its processors as if such acts, omissions or errors were performed by Customer.

7. Data Subject Rights. Customer shall assist Provider to respond to requests from individuals exercising their rights under data protection legislation.

8. DPIAs. If Customer believes or becomes aware that its processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of individuals, it shall promptly inform Provider and provide Provider with all such commercially reasonable and timely assistance as Provider may require in order to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority(ies).

EXHIBIT C

TTS Tech Solutions API Use Restrictions

By accepting and using the TTS Tech Solutions API, Customer will use the TTS Tech Solutions API solely as authorized in the Agreement and, specifically, will not:

1. Use the TTS Tech Solutions API for any illegal or unauthorized purpose or that violates any intellectual property right or other right of any person.

2. Circumvent, reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the TTS Tech Solutions API, in whole or in part, or modify any software code or other security mechanism employed by TTS Tech Solutions, including without limitation any authentication technologies.

3. Transmit any viruses, worms, defects, Trojan horses, time-bombs, malware, spyware, or any other computer code of a destructive or interruptive nature in connection with Customer’s use of the TTS Tech Solutions API.

4. Attempt to cloak or conceal Customer’s identity or the identity of the Customer Program when requesting authorization to use the TTS Tech Solutions API.

5. Use the TTS Tech Solutions API to create any product or service that is in competition with any product or service of Provider or its affiliates, or that otherwise replicates or attempts to replace the user experience of the software, systems and services performed and provided by Provider in connection with sporting and entertainment events, convention centers, attractions, and amusement parks for Provider customers.

6. Combine or integrate the TTS Tech Solutions API with any software, technology, services, or materials not authorized by Provider.

7. Design or permit the products or services provided by Customer to Provider’s customers independent of the Agreement (the “Customer Program”) to disable, override, or otherwise interfere with any Provider-implemented communications to end users, consent screens, user settings, alerts, warnings, or the like.

8. Use the TTS Tech Solutions API in connection with offering or promoting services that are damaging to, disparaging of, or otherwise detrimental to Provider or its affiliates.

9. Use the TTS Tech Solutions API for the purpose of aggregating, analyzing, extracting, or repurposing any content therein (“Content”), except as otherwise authorized by Provider or a Provider customer.

10. Use, copy, distribute or modify the TTS Tech Solutions API in any “service bureau” or “timesharing” business.

11. Interfere with or disrupt any services offered by Provider.

12. Create, place, or disseminate any advertisements immediately before or during the presentation of any Content.

13. Post, email or transmit or otherwise make available through the Customer Program or otherwise, or position any Content around, near, or next to, any content that is inappropriate, defamatory, obscene, pornographic, abusive, hateful, infringing, unlawful or otherwise offensive.

14. Edit, add to, delete from, remove hyperlinks to, add hyperlinks to, or otherwise modify the Content or any attribution therein (including by adding additional information).

15. Restrict or inhibit any other user from using the TTS Tech Solutions API, or violate any requirements, procedures, policies, or regulations of networks connected to the TTS Tech Solutions API.

16. Modify or delete any author attributions, legal, or other proper notices or proprietary designations or labels of the origin or source of software or other material (including Content).

17. Consumer Erasure Request: Customer must provide an email address to which Provider will send user delete from database requests (e.g., CCPA compliance, etc.).

EXHIBIT D

Data Security

1. Definitions. In addition to any defined terms set forth in the Agreement, with respect to this Exhibit D, the following additional defined terms shall apply:

“Authorized Persons” means Provider, Provider’s subcontractors, and their respective Representatives who have a need to know or otherwise access Customer Data to enable Provider to perform its obligations under the Agreement.

“Security Breach” means: any unauthorized or unlawful access to, acquisition of or other Processing of Customer Data.

2. Standard of Care

(a) Provider acknowledges and agrees that, in the course of its engagement by Customer, Provider may receive or have access to Customer Data.  Provider shall comply with the terms and conditions set forth in the Agreement and all applicable Law in its collection, receipt, transmission, storage, disposal, use, disclosure and other Processing of such Customer Data.  Provider shall be responsible for, and remain liable to Customer for, the actions and omissions of all Authorized Persons as if they were Provider’s own actions and omissions.

(b) Customer shall ensure that (i) all Customer Data has been, and will continue to be, collected and used in accordance with the notice, consent and other requirements of applicable Law and the Agreement; (ii) it has, and will continue to have, the right to transfer Customer Data to Provider for the purpose(s) set forth in the Agreement; and (iii) its instructions to Provider with respect to Customer Data are lawful and will not cause Provider to be in breach of any applicable Law nor create legal or regulatory liability on the part of Provider if such instructions are followed.

(c) As between the parties, Customer and/or any of Customer’s applicable Affiliate(s) is the sole owner of all Customer Data.  For clarity, Customer Data is deemed to be Confidential Information of Customer and is not Confidential Information of Provider.

(d) In recognition of the foregoing, Provider agrees that it shall: (i) keep and maintain all Customer Data in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, disclosure or other Processing; and (ii) not, directly or indirectly, disclose Customer Data to any person other than its Authorized Persons without express written consent of Customer.

3. Information Security

(a) Provider shall implement and maintain a written information security program that includes administrative, physical, and technical safeguards designed to protect Customer Data and Provider’s facilities, systems, networks and assets against external and internal threats.  All such safeguards will comply with applicable Law and the terms and conditions of the Agreement.

(b) During the term of each Authorized Person’s work for Provider, Provider shall at all times cause such Authorized Persons to abide by Provider’s obligations under the Agreement. 

4. Security Breach Procedures

In the event of a Security Breach caused by Provider’s breach of its obligations in the Agreement, Provider shall: (i) provide Customer with the name and contact information for an employee of Provider who shall serve as Customer’s primary information security contact and shall be available to assist Customer as a contact in resolving obligations associated with a Security Breach; and (ii) notify Customer of the Security Breach without undue delay.

5. Return or Destruction of Customer Data

At any time during the Term at Customer’s request for any reason or upon the termination or expiration of the Agreement, Provider shall, and shall instruct all Authorized Persons to, promptly return to Customer all copies, whether in written, electronic, or other form or media, of Customer Data in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to Customer that such Customer Data has been returned to Customer or disposed of securely.  Provider shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Customer Data.