Effective July 19, 2023
Cloud Terms of Service
Service Level Agreement
Data Processing Addendum
Cloud Terms of Service
THESE TERMS OF CLOUD SERVICES (“AGREEMENT”) ARE A LEGAL AGREEMENT BETWEEN YOU OR THE COMPANY YOU REPRESENT INCLUDING ANY OF YOUR OR THEIR AFFILIATES (COLLECTIVELY “YOU” OR “YOUR”), AND VenueLytics, INC. (“US,” “WE” OR “OUR”) GOVERNING YOUR ACCESS TO OR USE OF OUR CLOUD SERVICES.
PLEASE READ THIS AGREEMENT CAREFULLY TO ENSURE THAT YOU UNDERSTAND EACH PROVISION. THIS AGREEMENT CONTAINS A MANDATORY ARBITRATION PROVISION THAT REQUIRES THE USE OF ARBITRATION TO RESOLVE DISPUTES ON AN INDIVIDUAL CLAIM BASIS ONLY AND WITHOUT A JURY TRIAL.
- Use of the Cloud Services. Our “Cloud Services” include for the purposes of this Agreement one or more of the following, depending on Your Order: (i) Our cloud-based application, mobile app, and platform (collectively “Platform”) for guest engagement and management; (ii) Our support and maintenance Cloud Services; and (iii) Our Professional Cloud Services. Your ordering documents will specify the Subscription Term, Cloud Services, and related fees (an “Order Form”). “Professional Cloud Services” means any consulting, architecture, training, configuration, or other similar ancillary Cloud Services set forth in an Order Form. You must configure the Platform in accordance with the applicable product and Cloud Services descriptions (the “Documentation”) in order for the Platform to function properly. You want the Platform to provide messaging, and other guest engagement Cloud Services to Your customers who have consented to receive such messages via the Cloud Services (each a “Client”) with their Client Information. You will need to designate individuals authorized to maintain the Platform, configure the Cloud Services, and access reports, insights from the Cloud Services, (each a “User”), subject to usage limits and restrictions herein and as specified in the Order Form, such as limits on the number of messages, rooms, or properties. We may suspend or terminate Your use of the Cloud Services at any time if You breach any terms of this Agreement, including without limitation failing to timely pay Fees due. “Client Information” means the names, email addresses, telephone numbers, and other required personal information of your clients who have consented to You to provide such information and receive such messages in order to use the Platform. You will need to designate individuals authorized to maintain the Client Information and configure the Cloud Services.
- Affiliates. If any of Your Affiliates use the Cloud Services under this Agreement, then all the terms and conditions of this Agreement that apply to You shall apply to such Affiliate and its activities hereunder. You will remain responsible for the acts and omissions of Your Affiliates in connection with each Affiliate’s use of the Cloud Services during the Subscription Term of its/their orders, including, without limitation, breach of the terms of this Agreement applicable to such Affiliate, even if such Control is no longer maintained. Any claim from any Affiliate that uses the Cloud Services under the terms of this Agreement shall only be brought against Us by You on behalf of such Affiliate. Notwithstanding the foregoing, We may refuse to provide the Cloud Services to any Affiliate that fails to pass, in Our reasonable business judgment, a background check or financial history audit. “Affiliate” means any entity which directly or indirectly Controls, is Controlled by, or is under common Control with the party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the party.
- Trial Period and Beta Products. If You ordered a “trial” or other limited period plan, You may use the Cloud Services for a thirty (30) day trial period, or as otherwise expressly set forth in the order (the “Trial Period”), solely for evaluation purposes, starting on the date that You registered with Our Cloud Services and accepted this Agreement. The Platform will automatically renew at the end of the Trial Period unless You provide notice of your intent not to continue prior to the end of the Trial Period. After the end of the Trial Period, if You elect not to renew a subscription to the Cloud Services, all hosted Customer Data You provide to the Cloud Services will no longer be available. During the Trial Period You are free to add and remove Users as needed for the evaluation. However, any Users included in a paid subscription to the Cloud Services, can only be added or removed in accordance with the terms of the specific plan or term You elect. DURING THE TRIAL PERIOD, YOU WILL HAVE NO CLAIM OR REMEDY FOR THE FAILURE OF THE Cloud Services. THESE LIMITATIONS ARE IN ADDITION TO THE WARRANTY DISCLAIMERS AND LIABILITY LIMITS IN THIS AGREEMENT. We may offer the right to use certain experimental features or products from time to time (“Beta Products”). All Beta Products are provided on an “as is” and “as available” basis, without any representations, warranties, covenants or obligations of any kind, and may be terminated by Us at any time. Any use of Beta Products by You is solely at Your own risk.
- Subscription Terms. Subject to payment of all Fees and the terms and conditions of this Agreement, We hereby grant You a limited, non-exclusive, non-sublicensable and non-transferable right during the Subscription Term of this Agreement to use the Cloud Services ordered only in accordance with the Documentation, solely for Your internal purposes. The Cloud Services may also be subject to certain limitations, such as on the number of Users, messages, rooms, properties each as specified on Our website or in Your Order Form (“Usage Limits”). You will be charged the applicable Fees for any use in excess of the Usage Limits. You may add Platform licenses throughout the Subscription Term as needed through an amendment, subject to paying applicable additional Fees. Subscriptions to Cloud Services cannot be shared by Users, (but may be reassigned to a new User replacing a person who no longer requires access to the Cloud Services) and are licensed based on a per room or property model. You are solely responsible for selecting secure account and User passwords, changing passwords frequently, maintaining the confidentiality of User logins and passwords, and restricting access to the Cloud Services. We assume no responsibility for damage or loss arising from unauthorized access to the Cloud Services and Your account due to Your failure to protect Your account through proper maintenance of User logins and passwords. The Cloud Services may be subject to other limitations as set forth in the Documentation, including, but not limited to, limits on disk storage space, the rate of incoming email requests, the number of inbound calls permitted to the API within a specified period of time, the number of outbound calls the Cloud Services will make to a client API within a specified period of time, the number of messages the Cloud Services will send to Your Client within a specified period of time. You acknowledge that exceeding these other limitations may cause the Cloud Services to malfunction, may accrue additional Fees, or may result in suspension of the Cloud Services until compliance has occurred.
- Restrictions on Use. You may not use the Cloud Services or Documentation except as permitted in this Agreement. You may not cause or permit any third party to: (i) alter, modify or create any derivative works of the Cloud Services, the underlying source code, or the Documentation in any way, including without limitation customization, translation or localization; (ii) rent, lease, license, sublicense, encumber, sell, offer for sale, or otherwise transfer rights to the Cloud Services or Documentation, including for timesharing or as a Cloud Services bureau; (iii) port, reverse compile, reverse assemble, reverse engineer, decompile, disassemble or otherwise attempt to discover the source code of the Cloud Services; (iv) copy, distribute, link, frame, mirror or otherwise make available any portion of the Cloud Services to any third party other than a third-party contractor who may only use the Cloud Services to support Your internal purposes; (v) remove or alter any logos, trademarks, links, copyright or other notices, legends or markings from the Cloud Services or Documentation; (vi) attempt to bypass or tamper with the security, operation, use limits, or access control technology of the Cloud Services; (vii) attempt to access the accounts or data of any other customer, Client or User; (viii) use the Cloud Services for benchmarking purposes or otherwise to analyze its workings and features for competitive purposes or in a manner that imposes unusual demands on a Cloud Services outside of normal functions and operations; (ix) use, or allow the use of, the Cloud Services by anyone located in, under the control of, or a national or resident of a U.S. embargoed country or territory or by a prohibited end user under export control laws (as described in Section 23 below); (x) use the Cloud Services in a manner that interferes with the use or enjoyment of it by others, including using the Cloud Services to create, use, send, store, or run viruses or other harmful computer code, files, scripts, agents, or other programs, or circumventing or disclosing the user authentication or security of the Cloud Services or any host, network, or account related thereto; or (xi) use the Cloud Services or Documentation in a way that: violates applicable law or infringes upon the rights of a third party, including those pertaining to contract, intellectual property, privacy, or publicity; or that violates Our Acceptable Use Policy (the “AUP”), found here: https://www.sojern.com/acceptable-use-policy, which is incorporated herein and found on our website (the “AUP”); or that effects or facilitates the storage or transmission of libelous, tortious, or otherwise unlawful material including, but not limited to, material that is harassing, threatening, or obscene. Notwithstanding any other provision of this Agreement, in the event of Customer’s breach of any restrictions in this Section 5, We shall have the right upon notice to immediately suspend Cloud Services until such breach is corrected.
- Proprietary Rights.
- Customer Data & Customer Materials. You will retain all right, title and interest in and all data delivered by You to Us, including Client Information (“Customer Data”) and all intellectual property rights therein. Nothing in this Agreement will confer to Us any right of ownership or interest in the Customer Data, other than the limited license set forth herein. You agree to provide Us with reasonable access to Your Customer Materials as reasonably necessary for Our provision of Cloud Services You have ordered. “Customer Materials” means Your materials, systems, accounts, personnel and other resources.
- Company Intellectual Property. We shall retain all right, title and interest in and to the Company Intellectual Property, and any changes, derivatives, corrections, developments, bug fixes, enhancements, updates and other modifications, improvements thereto, and as between the parties all such rights shall vest in and be assigned to Us. Nothing in this Agreement will confer on You any right of ownership or interest in any Company Intellectual Property, other than the limited license set forth herein. “Company Intellectual Property” means Our proprietary technology, including the Cloud Services and Documentation, websites, software tools, hardware designs, algorithms, software, APIs, user interface designs, architecture, documentation, network designs, know-how, and trade secrets, improvements, materials, methods, processes, formulas, techniques, deliverables and other information developed or otherwise made in whole or part by Us in the performance of the Cloud Services, and all intellectual property rights therein and thereto throughout the world (whether owned by Us or licensed to Us by a third party).
- Feedback. We encourage You to provide suggestions, proposals, ideas, recommendations, or other feedback regarding improvements to the Cloud Services and related resources (“Feedback”). To the extent You provide Feedback, You grant Us a non-exclusive, royalty-free, fully paid, sub- licensable, transferable, irrevocable, perpetual, worldwide right and license to make, use, sell, offer for sale, import and otherwise exploit Feedback (including by incorporation of such Feedback into the Cloud Services without restriction), provided that such Feedback does not identify You or Your Users or include any Client Information without Your prior written consent.
- Warranty Related to SMS Use in the United States.
-
By signing up to the Platform, You may have the ability to send and receive SMS and other types of messages through the Platform (“Messaging”), and You represent and warrant that You shall (i) receive and will maintain consents from each Client who will receive messages, (ii) maintain procedures for each Client to opt out of participating in Messaging, and once opted-out, You will not re-enroll any Client to Messaging until You have obtained renewed consent from Contact Person to receive Messaging through the Platform, and (iii) comply with all applicable law relating to Messaging in Your use of the Platform, including without limitation, the Telephone Consumer Protection Act and CAN-SPAM. You shall be responsible for compliance with Messaging and related data privacy laws.
- Support, Security and Privacy.
- Support. We shall provide support for the Cloud Services as selected by You, depending upon the applicable plan when You enroll in a Cloud Services. The applicable support policies can be found on the Order Form.
- Security. We shall maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Customer Data.
- Privacy. We and You undertake to comply with our respective obligations under applicable laws and regulations, including, but not limited to, laws governing privacy and data protection. You acknowledge that We will, and You permit Us to, collect, use, and disclose statistical or aggregate information about You and Your Clients’, Users use of the Cloud Services, including information about the performance of the Cloud Services and other data derived from the use of the Cloud Services, for industry analysis, benchmarking, analytics, marketing, to improve or enhance the Cloud Services, and other business purposes; provided, that all data disclosed will be in statistical or aggregate form only and will not identify You, Affiliates, Clients or Users. We own all right, title, and interest in and to such derived anonymous data; provided, that You retain all of Your right, title, and interest in and to any underlying Customer Data. Customer Data shall be treated in accordance with Our Privacy Policy set forth on Our website for each Cloud Services. We and You agree that the processing of any personal data under the Cloud Services shall be carried out in accordance with the provisions of the DPA, which is incorporated herein by reference, in accordance with the relevant Data Processing Addendum (“DPA”), set forth here, Exhibit B.
- Fees and Payment Terms.
- You shall pay all Fees associated with Your use of the Cloud Services as set forth on our Order Form (“Fees”). “Subscription Term” means the subscription period You contract for Your use of the Cloud Services as set forth in the applicable Order Form.
- Order Forms: Except as set forth in the applicable Order Form, You will pay all Fees associated with an Order Form in accordance with the following: (a) Fees are invoiced in advance for annual, pre-paid plans; (b) the first invoice will coincide with the Subscription Start Date (as defined in the Order Form); (c) payment will be due within fifteen (15) days from the date of the invoice. Once accepted by Us, Your order is non-cancellable and nonrefundable except as provided in this Agreement, and the Subscription Term as set forth in the Order Form is a continuous and non-divisible commitment for the entire duration of the Subscription Term. The Order Form is incorporated in this Agreement by reference. Capitalized terms used herein but not defined shall have the meaning set forth in the Order Form. In the event of a conflict between an Order Form and this Agreement, the terms of the Order Form shall supersede the terms of this Agreement. ii. You are responsible for keeping all account information accurate and up to date, including payment card, bank account information address, and account contact information. You hereby represent that You have the right to provide Us with Your payment card information and authorize Us to charge the payment card for all Fees. You agree to pay all charges incurred by Users of Your credit card, debit card, or other payment methods used in connection with a purchase or transaction or other monetary transaction interaction with the Cloud Services at the prices in effect when such charges are incurred. All Fees are payable in United States dollars and are non-cancelable and non-refundable except as otherwise set forth herein. You shall be responsible for paying all sales, use, value added or other taxes, except for taxes based on Our income. For unpaid payments, not properly disputed, We may without waiving or prejudicing any other rights or remedies available to Us, a) charge the lesser of 1% per month or the maximum rate permitted by applicable law, b) suspend the Cloud Services immediately until Your Fees is brought current, and/or c) where applicable, automatically accelerate all remaining payments such that the total Fees under the order become immediately due and payable. You will reimburse any costs or expenses (including, but not limited to, reasonable attorneys’ fees) incurred by Us to collect any amount that is not paid when due, and not properly disputed. If You are paying by a payment card, and if Your payment card is declined for any installment, beginning five (5) days after the unsuccessful charge, We may suspend the Cloud Services immediately until Your payment is brought current. If a PO number is required by You in order for an invoice to be paid, then You must provide such a number by emailing Accounting@sojern.com within three (3) days of execution of an order form. However, You agree that a failure to provide a PO does not relieve You of Your obligations to pay Your Fees.
- You will notify Us in writing in the event You have a good faith dispute as to Fees or taxes payable by You under this Agreement by emailing Accounting@Sojern.com. You will provide such notice to Us prior to the due date of the invoice containing such Fees or taxes due that are in dispute and the parties will work together to resolve the applicable dispute promptly. You will pay all amounts that are determined to be payable by resolution of the dispute (by adversarial proceedings, agreement or otherwise) within ten (10) days following such resolution.
- Confidentiality.
- Definition of Confidential Information. As used herein, “Confidential Information” means all confidential information disclosed by a party to this Agreement (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Your Confidential Information shall include Contact Information and any ancillary information, such as account information, and alert priorities. Confidential Information shall not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was or becomes known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party as evidenced by written records, or (iii) is independently developed by the Receiving Party without use of the Disclosing Party’s Confidential Information.
- Protection of Confidential Information. Receiving Party shall not disclose the Disclosing Party’s Confidential Information to any third party except as permitted by this Agreement. Receiving Party shall only use the Disclosing Party’s Confidential Information to fulfill its obligations under this Agreement. Receiving Party shall use the same degree of care to protect the confidentiality of the Confidential Information that it uses to protect its own confidential and proprietary information (but in no event less than reasonable care). Receiving Party may disclose Confidential Information to its employees, consultants and agents who reasonably need to know such Confidential Information for purposes of this Agreement, provided that Receiving Party shall ensure that such employees, consultants and agents are bound by obligations of confidentiality substantially the same as the obligations in this Section. Receiving Party shall be liable for any disclosures of Confidential Information by its employees, consultants and agents in violation of this Section.
- Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law or governmental authority to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. The Receiving Party shall limit any disclosure of Confidential Information pursuant to this Section to the extent strictly necessary to comply with the applicable request by such governmental entity. Any disclosure of Confidential Information pursuant to this Section shall not affect the confidential treatment of such disclosed Confidential Information.
- Remedies. Receiving Party agrees that a breach of this Section may result in immediate and irreparable harm to the Disclosing Party that money damages alone may be inadequate to compensate. Therefore, in the event of such a breach, the Disclosing Party will be entitled to seek equitable relief, including but not limited to a temporary restraining order, temporary injunction or permanent injunction without the posting of a bond or other security.
- Indemnification.
- By Us. We shall defend, indemnify and hold You harmless from and against all claims, losses and damages (including reasonable attorneys’ fees) made by a third party against You that the Cloud Services infringes that third party’s intellectual property rights, except to the extent such a claim arises from Your misuse of the Cloud Services. If We believe that any portion of a Cloud Services may be subject to such a claim, then We may, at Our sole option and expense, procure for You the right to continue using the Cloud Services, modify or replace the infringing portions of the Cloud Services to allow for continued use, or if these alternatives are not commercially reasonable, refund any unused, prepaid Fees and terminate this Agreement. Notwithstanding the foregoing, Our indemnification obligations set forth in this Section 12(a) do not apply to, and We will have no obligation to You for, any claim that arises from (i) modifications to the Cloud Services by anyone other than Us or a third-party expressly instructed on Our behalf, (ii) modifications to the Cloud Services based upon specifications furnished by You (iii) You and/or any of Your Users’ or Clients use of the Cloud Services other than as specified in this Agreement, the Order Form or in the applicable Documentation, (iv) use of the Cloud Services in conjunction with third-party software, hardware, data or any other combination other than that expressly approved by Us, or (v) any combination of the foregoing. THIS SECTION 11 STATES OUR ENTIRE LIABILITY FOR INFRINGEMENT RELATING TO THE SUBJECT MATTER OF THIS AGREEMENT AND SHALL NOT APPLY DURING ANY TRIAL PERIOD. As a condition to being indemnified You shall promptly notify Us of any claim and allow Us sole control of the defense and settlement of the claim.
- By You. You agree to defend, indemnify and hold Us harmless from and against all claims, losses and damages, suits, government investigations, fines, actions, damages, settlements, losses, liabilities, costs and expenses (including reasonable attorneys’ fees) for any breach of Your representations, warranties and covenants set forth in Sections 7 and 8 (Warranty Related to SMS Use in the United States and Support, Security and Privacy) above.
- Indemnification Procedures. As a condition to being indemnified under this Section 11, the party seeking indemnification shall: (i) promptly notify the indemnifying party of the claim; (ii) allow the indemnifying party sole control of the defense and settlement of such claim; and (iii) provide assistance, at the indemnifying party’s expense, in defending or settling the claim. The indemnifying party shall keep the indemnified party informed of and consult with the indemnified party in connection with the progress of such litigation or settlement, and not settle any such claim in a manner that does not unconditionally release the indemnified party without the indemnified party’s written consent, not to be unreasonably withheld or delayed.
- Limited Warranties; Disclaimers
- Platform. We warrant that the Platform will perform in accordance with the Cloud Services Level Agreement (SLA) set forth here, as Exhibit A, however, that the sole remedy for breach of this warranty or failure of the Cloud Services to perform shall be as set forth in that SLA.
- Professional Cloud Services. We warrant to You that the Professional Cloud Services will be performed in a competent and workmanlike manner in accordance with accepted industry practices and the terms and conditions herein. However, if You do not provide Us timely access to Your Customer Materials in Our performance of Professional Cloud Services, then Our performance will be excused until You do so. Your exclusive remedy for breach of this warranty is to notify Us in writing within thirty (30) days of the non-conforming Cloud Services. Upon receipt of such notice, at Our option, We will either use commercially reasonable efforts to re-perform the Professional Cloud Services in conformance with these warranty requirements or will terminate the affected Professional Cloud Services and will refund You the prorated amount of Fees for the unperformed and non-conforming Professional Cloud Services. This Section sets forth Your exclusive rights and remedies and Our sole liability in connection with the performance of Professional Cloud Services.
- EXCEPT FOR THE FOREGOING, WE PROVIDE THE Cloud Services AND DOCUMENTATION “AS IS” WITHOUT ANY WARRANTY WHATSOEVER AND HEREBY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THAT THE Cloud Services WILL BE FREE FROM ERRORS OR VIRUSES, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, RELIABILITY, ACCURACY, SECURITY OF DATA, OR ACHIEVEMENT OF RESULTS.
- WE DO NOT WARRANT, ENDORSE, GUARANTEE, OR ASSUME RESPONSIBILITY FOR ANY PRODUCT, CLOUD SERVICES OR CONTENT ADVERTISED OR OFFERED BY A THIRD PARTY THROUGH THE Cloud Services OR ANY HYPERLINKED WEBSITE, CLOUD SERVICES OR CONTENT, AND WE SHALL NOT BE A PARTY TO, LIABLE FOR NOR DO WE IN ANY WAY MONITOR, ANY TRANSACTION BETWEEN YOU AND THIRD-PARTY PROVIDERS OF OTHER PRODUCTS OR Cloud Services.
- General Limitation of Liability. EXCEPT FOR CUSTOMER’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 11(b), NEITHER PARTY SHALL BE LIABLE HEREUNDER TO THE OTHER UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING, WITHOUT LIMITATION, CONTRACT, TORT (INCLUDING NEGLIGENCE), OR STRICT LIABILITY, FOR ANY SPECIAL, INDIRECT, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR LOST PROFITS, WHETHER OR NOT FORESEEABLE AND EVEN IF SUCH PARTY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT FOR CUSTOMER’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 11(b) AND WHERE OTHERWISE EXPLICITLY INDICATED, A PARTY’S LIABILITY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED THE AMOUNTS PAID OR PAYABLE HEREUNDER IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY. WITHOUT LIMITING THE FOREGOING, WE SHALL HAVE NO LIABILITY FOR ANY FAILURE OF A CLOUD SERVICES ARISING FROM OR RELATED TO (I) ANY DAMAGE, LOSS OR INJURY RESULTING FROM HACKING, TAMPERING OR OTHER UNAUTHORIZED ACCESS, (II) YOUR OR YOUR USERS’ FAILURE TO CONFIGURE THE CLOUD SERVICES IN CONFORMANCE WITH THE DOCUMENTATION, OR (II) ANY MESSAGING LAWS. THE FOREGOING LIMITATION OF LIABILITY SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW IN THE APPLICABLE JURISDICTION.
- Third Party Cloud Services.
You may choose to obtain Third-Party Cloud Services from third parties and/or Us (for example, through a reseller arrangement or otherwise). Any acquisition by You of Third-Party Cloud Services is solely between You and the applicable Third-Party Cloud Services provider and we do not warrant, support, or assume any liability or other obligation with respect to such Third-Party Cloud Services, unless expressly provided otherwise in the Order Form or the Agreement. In the event that You choose to integrate or interoperate Third-Party Cloud Services with Our Cloud Services in a manner that requires Us to exchange or access Customer Data with such Third-Party Cloud Services or Third-Party Cloud Services provider, You: (a) grant Us permission to allow the Third-Party Cloud Services and Third-Party Cloud Services provider to access Customer Data and information about Customer’s usage of the Third-Party Cloud Services as appropriate and necessary to enable the interoperation of that Third-Party Cloud Services with the Cloud Services, and will be fully responsible for all fees associated with such access; (b) acknowledge that any exchange of data between You and any Third-Party Cloud Services is solely between You and the Third-Party Cloud Services provider and is subject to the Third-Party Cloud Services provider’s terms and conditions governing the use and provision of such Third-Party Cloud Services; and (c) agree that We are not responsible for any disclosure, modification or deletion of Customer Data resulting.
- Modifications to this Agreement. We reserve the right, at Our sole discretion, to modify or replace any part of this Agreement by (i) posting a revised Agreement on Our site or (ii) providing notice to You of the change. Modifications will take effect at the start of the month following notice for month-to-month plans, and at the end of the prepaid Subscription Term for all other plans.
- Arbitration. READ THIS SECTION CAREFULLY BECAUSE IT REQUIRES THE PARTIES TO ARBITRATE THEIR DISPUTES AND LIMITS THE MANNER IN WHICH YOU CAN SEEK RELIEF FROM US.
For any dispute with Us, You agree to first contact Us at legal@Sojern.com and attempt to resolve the dispute with Us informally. In the unlikely event that We have not been able to resolve a dispute with You after sixty (60) days, any controversy or claim arising out of or relating to this Agreement on an individual basis only and not on behalf of a class, or the breach hereof, shall be settled by arbitration in the city of San Francisco, California, by binding arbitration by JAMS, Inc. (“JAMS”), under the Optional Expedited Arbitration Procedures then in effect for JAMS. JAMS may be contacted and its rules reviewed at www.jamsadr.com. Any award shall be final, binding and conclusive. A judgment upon the award rendered may be entered in any court having jurisdiction thereof. Nothing in this Section shall be deemed as preventing either party from seeking preliminary injunctive or other equitable relief from the courts as necessary to prevent the actual or threatened infringement, misappropriation, or violation of data security requirements, or intellectual property rights or other proprietary rights.
- Term and Termination. This Agreement commences when You accept the terms and expires on the date of expiration or termination of all Subscription Terms (“Term of Agreement”). Each Order Form will state the Subscription Term for the Cloud Services ordered. If none is stated the Subscription Term is one (1) year from the date of the order.
- Platform. At the end of each Platform Subscription Term, the associated order shall automatically renew for an additional annual term at the prices communicated to You at least sixty (60) days prior to the end of that Platform Subscription Term (or the same prices as the prior Subscription Term if no new prices are provided), unless You notify Us of Your intent not to renew by sending an email to Your customer Cloud Services representative at least thirty days (30) before the renewal date. We will send the Platform renewal notice to the contact email listed on the account unless You notify Us to use another email contact with Your account.
- Renewal Charges. If You have Your payment card number on file, Your card will be charged for the Cloud Services renewal term in accordance with the terms set forth in this Agreement.
- Termination. You may choose to terminate this Agreement and all orders at any time for any reason with sixty days (60) written notice, provided that upon such termination: (i) You will not be entitled to a refund of pre-paid Fees; and (ii) all remaining Fees that are outstanding, or incurred during the notice period on a then-current order will become immediately due and payable. Either party may terminate this Agreement upon thirty (30) days’ prior written notice to the other party for a material breach that remains uncured at the expiration of such period. Immediately upon termination of this Agreement for any reason, You will cease use of the Cloud Services, pay in full all Fees due upon termination, and return or destroy all copies of Our Confidential Information. After the expiration or termination of this Agreement for any reason Your account shall be deactivated. All provisions of this Agreement which by their nature should survive cancellation or termination of this Agreement shall survive cancellation or termination.
- Publicity. Neither Party shall refer to the identity of the other Party in promotional material, publications or other forms of publicity relating to the Cloud Services unless the prior written consent of the other Party has been obtained; provided, however, that We may use Your name and logo for the limited purpose of identifying You as a customer of Our Cloud Services on Our websites, and in other marketing materials distributed by Us (which may include emails and other web and print materials), and We agree to comply with any trademark usage policies or brand guidelines You provide to Us for such purposes.
- Professional Cloud Services. If You purchase Professional Cloud Services You will be responsible for certain obligations and acknowledge that failure to fulfill Your obligations may result in a delay in performance hereunder. Any such delay caused by You may result in additional charges. If We terminate the Professional Cloud Services component of the Order Form for breach of this Section, no refunds of Professional Cloud Services fees will be provided. You will:
- provide access as needed for Us to fulfill the Professional Cloud Services.
- provide Us with reasonable support, including, for example, access to facilities, resources and employees, and timely decisions or approvals as necessary for Us to complete the tasks agreed to between the parties within ninety (90) days of the Order Form Effective Date. c. assign specific personnel (“Project Sponsor”) who will serve as Our executive-level contact. The Project Sponsor will have full authority to act on behalf of You with respect to: (1) make major project decisions related to Professional Cloud Services; (2) identify and secure timely resources to perform responsibilities outlined in the order, subsequent project resource plans, or roles and responsibilities document; and (3) communicating the goals and benefits of the project to the organization. d. be responsible for configuration of Your management systems to send Customer Materials to Us. e. provide the relevant onboarding information for set-up.
- Export laws. You represent and warrant that (a) You are not located in or a national of a country subject to a United States Government embargo, (b) You will not access or use the Cloud Services (and will not permit any third parties including Your Users to do so either) in any country embargoed by the United States, (c) neither You, nor Your Users are a foreign military end-user, military-intelligence end-user or other foreign person or entity blocked or denied by the United States Government, (d) that You will not place any information in the Cloud Services that is controlled under the U.S. International Traffic in Arms Regulations, (e) You will not use the Cloud Services for any purpose prohibited by United States or applicable international import and export laws and regulations, including without limitation the development and creation of nuclear, chemical, or biological weapons, or rocket systems, space launch vehicles, sounding rockets, or unmanned aerial vehicle systems, or military and military-intelligence end-uses, and (f) You are entirely responsible for Your compliance with all applicable United States laws and regulations and with all applicable local laws and regulations related to export and import.
- Audits. You agree that We shall have the right, at Our expense and on reasonable prior notice, to audit Your relevant books, records, and logs relating to use of the Cloud Services to confirm Your compliance with this Agreement. At Our discretion We may also conduct the audit by requesting Your certification in writing of compliance with the applicable Usage Limits. If any audit discloses an underpayment of fees for the period under review based on actual usage, then, without limiting Our remedies, You agree to immediately pay Us the amount of the underpayment. This Section 21 (Audits) will survive termination or expiration of this Agreement for two (2) years.
- Miscellaneous. You will only use the Cloud Services in accordance with Our policies, including Our Acceptable Use Policy (“AUP”) and with applicable law, including without limitation all export control laws. This Agreement shall be governed by and interpreted in accordance with the laws of the State of California without regard to its conflict of laws provisions. You may not assign, sublicense, delegate or otherwise transfer any of Your rights or obligations under this Agreement without Our prior written consent. We may assign this Agreement at Our sole discretion. This Agreement shall be binding upon and shall inure to the benefit of the parties, their successors and permitted assigns. If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be construed to reflect the parties’ original intent, and the remainder of this Agreement shall remain in full force and effect. This Agreement constitutes the entire understanding and Agreement of the parties with respect to its subject matter and supersedes all prior and contemporaneous Agreements or understandings. The failure of either party to enforce any of the provisions of this Agreement shall not be construed to be a waiver of the right of such party thereafter to enforce such provisions. The parties to this Agreement are independent contractors and no agency, partnership, joint venture, employment or similar relationship exists between them. Neither party has the authority to bind the other or incur any obligation on its behalf. Notices required hereunder shall be effective upon their delivery by email, courier or delivery Cloud Services, or first class United States mail, return receipt requested (effective upon receipt).
Exhibit "A"
Service Level Agreement
This VenueLytics Level Agreement (“SLA”) applies to your use of the VenueLytics Cloud Service and is governed by the VenueLytics Terms of Service (the “Agreement”).
Except where we specifically state something different in this SLA, this SLA is subject to the terms of the Agreement, and you can look to the Agreement to define capitalized terms. VenueLytics reserves the right to change the terms of this SLA in accordance with the Agreement.
- Definitions.
- “Client” means the individual clients of the Customer who have consented to receive the messages at the election of the Customer from VenueLytics’s Cloud Services.
- “Client Information” means the names, email addresses, and telephone numbers of Customers Clients.
- “Delivery Service '' means a third-party service provider used to send messages to Client, for example a telephone service, messaging (e.g., What’s App), push notification provider (e.g., Google, Apple), SMS provider, or email provider.
- “Client Outreach” means messages sent to a Client with their Client Information by the Customer through the Cloud Service, which is triggered upon the requirements set by the Customer. The Customer must configure the Cloud Service and supply the Client Information in accordance with the Documentation.
- “Cloud Services” means VenueLytics’s cloud-based guest engagement and management platform purchased by the Customer.
- Service Commitment.
- VenueLytics will use commercially reasonable efforts to meet the following service level commitments for the stated functions from the VenueLytics Cloud Service:
- Platform Application SLA: VenueLytics’s ability to provide basic acknowledgement and resolution functionality via our web, mobile application for Client Outreach and other services will be available 99.9% of the time during any calendar month.
- VenueLytics is not responsible for failures caused by factors not in VenueLytics’s control including but not limited to failures caused by:
- Problems beyond or outside of the VenueLytics Cloud Service including (i) Customer’s own telecommunications, Delivery Service or internet service providers, email domain server availability or mobile push notification providers; (ii) a Force Majeure Event; or (iii) intentional or accidental filtering of network traffic by national governments, carriers or regulatory bodies; or iv). that result from Maintenance of which VenueLytics has provided a minimum seventy- two hours notice for. “Force Majeure Event” means (i) compliance with any act, order, demand or request of any government, governmental authority, or government agency; (ii) labor disputes, work stoppages or slowdowns of any kind; (iii) fires or hurricane, earthquake, flood and other natural disasters or fires; (iv) war, rebellion, act of terrorism, or civil disorder; (v) systemic internet issues or any other act or omission of any telecommunication or services provider; (vi) any other cause beyond VenueLytics’s reasonable control. “Maintenance” means scheduled Unavailability of the VenueLytics Platform. Maintenance will be no greater than an average of four (4) hours per month or a maximum of forty-eight hours (48) per year and will not exceed seven (7) hours in any calendar month.
- Issues that arise from VenueLytics’s suspension or termination of Customer’s right to use the Service as allowed or required by the Agreement, Acceptable Use Policy, government or court orders, or other agreements.
- Customer Responsibilities. Customer will (i) configure and use the Cloud Service correctly in accordance with the Documentation. VenueLytics’s ability to meet its obligations in this SLA are dependent upon Customer performing its responsibilities.
- Service Credits.
- If VenueLytics fails to meet the SLA set forth herein, Customer may receive a service credit. Customer will be eligible for a credit toward future fees owed to VenueLytics for the VenueLytics Cloud Service. The Service Credit is calculated as ten percent (10%) of the fees paid for or attributable to the month when the alleged SLA breach occurred.
- Service Credits are subject to the following:
- Customer must submit a written Service Credit request to their Customer Service Representative within fifteen (15) days of occurrence of the alleged SLA breach. Customer must include reasonable evidence that they were affected by the alleged SLA breach.
- *Service Credits are not cumulative, that is, there shall only be a single Service Credits given for all Delivery Failures with a single cause.
- Service Credits are capped at a maximum of thirty percent (30%) of total fees paid for or attributable to the calendar month when the alleged SLA breach occurred.
- Customers who are past due on any payments owed to VenueLytics are not eligible to receive Service Credits.
- Service Credits cannot be exchanged for cash. Service Credits don’t entitle customer to a refund or any other payment from VenueLytics.
- THIS SERVICE LEVEL AGREEMENT SETS FORTH CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OF SERVICE AVAILABILITY OR NON- PERFORMANCE OR FAILURE TO CONTACT THE DESIGNATED PERSONNEL.
Exhibit "B"
Cloud Data Processing Addendum
THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) VenueLytics, Inc. (“VenueLytics”); and (2) the entity or other person who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Customer”), together the “Parties” and each a “Party”.
1. INTERPRETATION
1.1 In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise;
- “Addendum Effective Date” means the effective date of the Agreement.
- “Agreement” means the agreement under which VenueLytics has agreed to provide services to Customer entered into by and between the Parties.
- “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement, including, without limitation, GDPR and the CCPA (as and where applicable).
- “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and any binding regulations promulgated thereunder.
- “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the CCPA.
- “Customer Personal Data” means any Personal Data Processed by VenueLytics or its Sub-Processors on behalf of Customer to perform the Services under the Agreement (including, for the avoidance of doubt, any such Personal Data comprised within Customer Data).
- “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
- “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
- “EEA” means the European Economic Area.
- “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
- “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
- “Personal Data Breach” means a breach of VenueLytics’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in VenueLytics’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
- “Personnel” means a person’s employees, agents, consultants or contractors.
- “Process” and inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity that Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the CCPA.
- “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
- “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
- “Service Data” means any data relating to the use, support and/or operation of the Services, which is collected directly by VenueLytics from and/or about users of the Services and/or Customer’s use of the Service for use for its own purposes (certain of which may constitute Personal Data).
- “Services” means those services and activities to be supplied to or carried out by or on behalf of VenueLytics for Customer pursuant to the Agreement.
- “Sub-Processor” means any third party appointed by or on behalf of VenueLytics to Process Customer Personal Data.
- “Supervisory Authority” means any entity with the authority to enforce Applicable Data Protection Laws, including, (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
- “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
1.2 Unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meaning given to them in the Agreement.
2. SCOPE OF THIS DATA PROCESSING ADDENDUM
2.1 This DPA applies to VenueLytics’s Processing of Customer Personal Data under the Agreement.
2.2 Annex 2 (European Annex) to this DPA applies only if and to the extent VenueLytics’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.
2.3 Annex 3 (California Annex) to this DPA applies only if and to the extent VenueLytics’s Processing of Customer Personal Data under the Agreement is subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA).
3. PROCESSING OF CUSTOMER PERSONAL DATA
3.1 VenueLytics shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws.
3.2 Customer instructs VenueLytics to Process Customer Personal Data as necessary to provide the Services to Customer under and in accordance with the Agreement.
3.3 The Parties acknowledge and agree that the details of VenueLytics’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
4. VENUELYTICS PERSONNEL
VenueLytics shall take commercially reasonable steps to ascertain the reliability of any VenueLytics Personnel who Process Customer Personal Data, and shall enter into written confidentiality agreements with all VenueLytics Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.
5. SECURITY
5.1 VenueLytics shall implement and maintain technical and organisational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access as described in Annex 4 (Security Measures) (the “Security Measures”).
5.2 VenueLytics may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
6. SUB-PROCESSING
6.1 Customer generally authorizes VenueLytics to appoint Sub-Processors in accordance with this Section 6.
6.2 VenueLytics may continue to use those Sub-Processors already engaged by VenueLytics as at the date of this DPA (as those Sub-Processors are shown, together with their respective functions and locations, in the Sub-Processor list contained in Annex 5 (the “Sub-Processor List”).
6.3 VenueLytics shall give Customer prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, by updating Customer with the changes to the Sub-Processor List via email sent to Customer’s contact point as set out in Annex 1 (Data Processing Details). Company may object to a new sub-processor by submitting an objection by email to sojernprivacy@Sojern.com with subject line “Sub-processor Objection,” along with a contact’s name, company’s name, name of the VenueLytics product or service, name of the sub-processor, and a justifiable ground for objection. If Client does not object within ten (10) days following an update to the list of sub-processors, the new sub-processor(s) will be deemed accepted. If Company reasonably objects to a change and VenueLytics is unable to resolve such objection, Company may terminate the Agreement and DPA.
6.4 With respect to each Sub-Processor, VenueLytics shall maintain a written contract between VenueLytics and the Sub- Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures).
7. DATA SUBJECT RIGHTS
7.1 VenueLytics, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If VenueLytics receives a Data Subject Request, Customer will be responsible for responding to any such request.
7.2 VenueLytics shall:
- promptly notify Customer if it receives a Data Subject Request; and
- not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Applicable Data Protection Laws.
8. PERSONAL DATA BREACH
Breach notification and assistance
8.1 VenueLytics shall notify Customer without undue delay upon VenueLytics’s discovering a Personal Data Breach affecting Customer Personal Data. VenueLytics shall provide Customer with information (insofar as such information is within VenueLytics’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by VenueLytics) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. VenueLytics’s notification of or response to a Personal Data Breach shall not be construed as VenueLytics’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
8.2 VenueLytics shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.
8.3 Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
Notification to VenueLytics
8.4 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies VenueLytics, where permitted by applicable laws, Customer agrees to:
- notify VenueLytics in advance; and
- in good faith, consult with VenueLytics and consider any clarifications or corrections VenueLytics may reasonably recommend or request to any such notification, which: (i) relate to VenueLytics’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
9. RETURN AND DELETION
9.1 Subject to section 9.2, in the event of termination of the Agreement, VenueLytics shall, at the choice of the Customer, delete or irreversibly anonymize all Customer Personal Data processed for the Services, or return all such Customer Personal Data to Customer.
9.2 VenueLytics may retain Customer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that VenueLytics shall:
- maintain the confidentiality of all such Customer Personal Data; and
- Process the Customer Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.
10. AUDIT RIGHTS
10.1 VenueLytics shall make available to Customer on request, such information as VenueLytics (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA and Applicable Data Protection Laws.
10.2 Subject to Sections 10.3 to 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by VenueLytics pursuant to Section 10.1 is not sufficient in the circumstances to demonstrate VenueLytics’s compliance with this DPA, VenueLytics shall allow for and contribute to audits by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by VenueLytics.
10.3 Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and timing of the audit. VenueLytics will work cooperatively with Customer to agree on a final audit plan. After the audit is completed, Customer will promptly share the results of the audit with VenueLytics.
10.4 If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and VenueLytics has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.
11. CUSTOMER’S RESPONSIBILITIES
11. 1 Customer agrees that, without limiting VenueLytics’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including
- making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data;
- securing the account authentication credentials, systems and devices Customer uses to access the Services;
- securing Customer’s systems and devices that VenueLytics uses to provide the Services; and
- backing up Customer Personal Data.
11.2 Customer shall ensure:
- that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by VenueLytics of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws; and
- that all Data Subjects have
- been presented with all required notices and statements and
- provided all required consents, in each case
(i) and (ii) relating to the Processing by VenueLytics of Customer Personal Data. Customer, upon request by VenueLytics, will provide proof that any required consents have been obtained by the Customer.
11.3 Customer agrees that the Service, the Security Measures, and VenueLytics’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
11.4 Customer shall not provide or otherwise make available to VenueLytics any Customer Personal Data that contains any
- Social Security numbers or other government-issued identification numbers;
- protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- health insurance information;
- biometric information;
- passwords to any online accounts;
- credentials to any financial accounts;
- tax return data;
- any payment card information subject to the Payment Card Industry Data Security Standard;
- Personal Data of children under 13 years of age;
- data relating to criminal convictions and offenses; and/or
- any other information that falls within any special or sensitive categories of personal data (as defined in Applicable Data Protection Laws) (together, “Restricted Data”).
12. LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 12 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
12. LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 12 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
13. SERVICE DATA
13.1 Customer acknowledges that VenueLytics may collect, use and disclose Service Data for its own business purposes, such as:
- for accounting, tax, billing, audit, and compliance purposes;
- to provide, improve, develop, optimise and maintain the Services;
- to investigate fraud, spam, wrongful or unlawful use of the Services; and/or
- as otherwise permitted or required by applicable law.
13.2 In respect of any such Processing described in Section 13.1, VenueLytics:
- Independently determines the purposes and means of such Processing;
- shall comply with Applicable Data Protection Laws (if and as applicable in the context);
- shall Process such Service Data as described in VenueLytics’s relevant privacy notices/policies, as updated from time to time; and
- where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.
13.3 For the avoidance of doubt, this DPA shall not apply to VenueLytics’s collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Customer Personal Data.
14. CHANGE IN LAWS
VenueLytics may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraph 3.3 of Annex 2 (European Annex).
15. INCORPORATION AND PRECEDENCE
15.1 This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.
15.2 In the event of any conflict or inconsistency between:
- this DPA and the Agreement, this DPA shall prevail; or
- any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1
Data Processing Details
VenueLytics / ‘DATA IMPORTER’ DETAILS
Name:
VenueLytics, Inc., a U.S. corporation
Address:
575 Market Street, 4th Floor, San Francisco, CA 94105 USA
Contact Details for Data Protection:
Paul Huie, Sojern SVP and General Counsel
sojernprivacy@Sojern.com
VenueLytics Activities:
Under the Agreement, VenueLytics provides AI concierge, reputation management, and/or guest marketing services, depending on the specific capabilities for which Customer has contracted.
Role:
Processor
CUSTOMER / 'DATA EXPORTER' DETAILS
Name:
The entity or other person who is a counterparty to the Agreement.
Address:
- Customer’s address is the address shown in the Agreement entered into by and between the Customer and VenueLytics; or
- if the Agreement does not include the address, the Customer’s principal business trading address unless otherwise notified to sojernprivacy@Sojern.com
Contact Details for Data Protection:
Customer’s contact details are:
- the contact details shown in the Agreement; or
- if the Agreement does not include the contact details, Customer’s contact details submitted by Customer and associated with Customer’s account for the Services – unless otherwise notified to sojernprivacy@Sojern.com
Customer Activities:
Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role:
- Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and
- Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates if and where applicable).
Categories of Data Subjects:
Relevant Data Subjects include any Data Subjects Customer causes VenueLytics to process as part of the provisions of the Service, including:
- Marketing prospects
- Customer’s own guests, customers, website visitors, or mobile app visitors
- End-users and other users of Customer’s products and services
Categories of Personal Data:
Relevant Personal Data includes any Categories of Data Customer causes VenueLytics to process as part of the provisions of the Service, including:
- Contact information – e.g., name, home and/or business address, email address, telephone details and other contact information.
- Booking and stay information – e.g., end users’ booking details and dates, stay preferences, and user ratings and reviews.
Messaging information – e.g., the contents of messages between Customer and end users, contained in email, SMS, or other messaging channels.
Sensitive Categories of Data, and associated additional restrictions/safeguards:
None
Additional safeguards for sensitive data:
N/A
Frequency of transfer:
Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing:
Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing:
Customer Personal Data will be processed:
- as necessary to provide the Services as initiated by Customer in its use thereof, and
- to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention Period:
For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.
Transfers to (sub)processors:
Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List.
Annex 2
European Annex
1. PROCESSING OF CUSTOMER PERSONAL DATA
1.1 Where VenueLytics receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, VenueLytics shall inform Customer.
1.2 Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of VenueLytics pursuant to or in connection with the Agreement shall be in compliance with the GDPR and all other applicable laws.
2. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
2.1 VenueLytics, taking into account the nature of the Processing and the information available to VenueLytics, shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by VenueLytics.
2.2 Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by VenueLytics (at VenueLytics’s then-current professional services rates) in VenueLytics’s provision of any cooperation and assistance provided to Customer under Paragraph 2.1, and shall on demand reimburse VenueLytics any such costs incurred by VenueLytics.
3. RESTRICTED TRANSFERS
EU Restricted Transfers
3.1 To the extent that any Processing of Customer Personal Data under this DPA involves an EU Restricted Transfer from Customer to VenueLytics, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
- populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and
- entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
3.2 To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to VenueLytics, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
- varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and
- entered into by the Parties and incorporated by reference into this DPA.
Adoption of new transfer mechanism
3.3 VenueLytics may on notice vary this DPA and replace the relevant SCCs with:
- any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
- another transfer mechanism, other than the SCCs, that enables the lawful transfer of Customer Personal Data to VenueLytics under this DPA in compliance with Chapter V of the GDPR.
Attachment 1
To Annex 2 (European Annex)
POPULATION OF SCCs
Note
- In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA).
- In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA).
PART 1: POPULATION OF THE SCCs
1. SIGNATURE OF THE SCCs:
Where the SCCs apply in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
2. MODULES
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA):
- Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
- Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.
3. POPULATION OF THE BODY OF THE SCCs
3.1 For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
- In Clause 9, OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 6.3 of the DPA; and
- In Clause 11, the optional language is not used and is deleted.
- In Clause 17, OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and
- For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
4.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:
- Customer being ‘data exporter’; and
- VenueLytics being ‘data importer’.
4.2 Part C of Annex I to the Appendix to the SCCs is populated as below:
The competent supervisory authority shall be determined as follows:
- Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
- Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
- Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to VenueLytics’s contact point for data protection identified in Attachment 1 to Annex 2 (European Annex) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
4.3 Annex II to the Appendix to the SCCs is populated as below:
General:
- Please refer to Section 5 of the DPA and Annex 4 (Security Measures) to the DPA.
- In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from VenueLytics, Customer should email VenueLytics’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
Sub-Processors: When VenueLytics engages a Sub-Processor under these Clauses, VenueLytics shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
- applicable information security measures;
- notification of Personal Data Breaches to VenueLytics;
- return or deletion of Customer Personal Data as and where required; and engagement of further Sub- Processors.
PART 2: UK RESTRICTED TRANSFERS
1. UK TRANSFER ADDENDUM
1.1
Where relevant in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below -
- Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:
- Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and
- Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
- Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.
1.2
In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
Annex 3
California Annex
1. Definitions. In this Annex, the terms “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” shall have the respective meanings given thereto in the CCPA. CCPA and other capitalized terms not defined in this Schedule are defined in the DPA.
2. VenueLytics’s Obligations.
2.1 The business purposes and services for which VenueLytics is Processing personal information are for VenueLytics to provide the services to and on behalf of Customer as set forth in the Agreement.
2.2 It is the Parties’ intent that with respect to any personal information, VenueLytics is a service provider. VenueLytics (a) acknowledges that personal information is disclosed by Customer only for the limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 10 (Audit Rights) of this DPA to help ensure that VenueLytics’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by VenueLytics that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
2.3 VenueLytics shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between VenueLytics and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from VenueLytics’s own interaction with any consumer to whom such personal information pertains.
2.4 VenueLytics shall implement reasonable security procedures and practices appropriate to the nature of the personal information received from, or on behalf of, Customer, in accordance with Section 5 (Security) and Annex 4 (Security Measures) of the DPA.
2.5 When VenueLytics engages any Sub-Processor, VenueLytics shall notify Customer of such Sub-Processor engagements in accordance with Section 6 (Sub-Processing) of the DPA.
Annex 4
Security Measures
As from the Addendum Effective Date, VenueLytics will implement and maintain the Security Measures as set out in this Annex 4.
- General. VenueLytics will establish, implement, and maintain appropriate administrative, technical and organizational measures that are designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. These measures will be adequate to comply with applicable data protection laws and VenueLytics will comply at all times with its information security policies and information security program.
- Information Security Policies and Standards. VenueLytics will maintain information security policies, standards, and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
- Vulnerability Management. VenueLytics will maintain a vulnerability management program for all systems that process Personal Data that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
- Risk Assessment. VenueLytics will conduct periodic risk assessments to identify and assess reasonably foreseeable risks to the security, confidentiality, and integrity of records containing Personal Data and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those risks.
- Data Classification. VenueLytics will maintain policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees.
- Encryption. VenueLytics will implement industry standard encryption mechanisms and strong cipher suites (AES 256- bit is recommended) for storage and transmission. VenueLytics will accept connections over encrypted channels (TLS is recommended).
- Network Security. VenueLytics will secure its network by employing a defense-in-depth approach that utilizes commercially available equipment and industry standard techniques, including without limitation firewalls, intrusion detection systems, access control lists, and routing protocols.
- Virus and Malware Controls. VenueLytics will protect Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
- Access Control. VenueLytics will practice the principle of least privilege where access to Personal Data is only granted to those within the organization who have a business need for such access and permissions will be limited to the minimum amount required to perform the specific job function.
- Processing Location. Personal Data will be Processed by VenueLytics in the United States, subject to applicable data protection laws that may require otherwise.
- Incident Response. VenueLytics will maintain a data security incident response program and will document all suspected data security incidents. VenueLytics will investigate any data security incidents and take all necessary steps to eliminate or contain the data security incident.
- Personnel. VenueLytics will maintain an information security awareness and training program and will train critical VenueLytics personnel on data protection measures and general cybersecurity protections.
- Vendor. VenueLytics will maintain a vendor management program that will assess all vendors with whom VenueLytics exchanges Personal Data. Such vendors will be held to data security standards no less restrictive than those set forth herein.
VenueLytics may update or modify these Security Measures from time to time provided that such updates and modifications do not decrease the overall security of Customer Personal Data.
Annex 5
Sub-Processor List
To support delivery of our Services, VenueLytics engages certain Sub-Processors to Process Customer Personal Data in accordance with the terms and conditions of the VenueLytics Cloud Data Processing Agreement (the “DPA”). This list contains information about such Sub-Processors engaged by VenueLytics from time to time to Process Customer Personal Data.
Name |
Purpose |
Location |
Amazon Web Services |
Data storage, email service provider |
United States |
Bandwidth |
SMS messaging services |
United States |
Redis |
Data storage |
United States |
Stripe |
Payment processing services |
United States |
Twilio |
SMS messaging services |
United States |