Last Updated: August 15, 2024
In consideration of the mutual promises herein, the Parties agree as follows:
1. Grant of Rights, Intellectual Property
a. License. Subject to the terms of this Agreement, Arist hereby grants Company and its Users the limited, non-exclusive, non-transferable, non-assignable and non-sublicensable right to access and use the Services for its internal business use as set forth in an Order. Except as set forth in the preceding sentence, Arist retains all worldwide rights, title and interest in and to the Services, Usage Metadata, and Intellectual Property Rights embodied therein or related thereto, whenever developed. "Intellectual Property Rights" means all patents, copyrights, trade secrets, trademarks and service marks, and all other worldwide intellectual property or proprietary rights (registered or not). “Usage Metadata” means aggregated data sets, reports and analyses that Arist may create relating to the Services, in a form that is anonymized and does not identify Company or any individual user.
b. Users. “User” means any individual whom Company authorizes to use the Services. Users may be administrative users (“Admin Users”) who configure, create, deliver, and analyze courses or learners (“Learner Users”) who complete courses. Company agrees that the maximum number of Users that Company authorizes to access and use the Services will not exceed the number of seat licenses Company has purchased for its Users (the “User Subscriptions”). User Subscriptions may not be used or shared by more than one individual. Any use in excess of the User Subscriptions shall be invoiced at the applicable rate for the additional User Subscriptions, and such additional subscriptions shall be co-terminous with Company’s current Order term.
c. User Content. The Services enable Users to store, post and share content such as texts (in posts or communications with others), files, documents, images, music, software, audio and video (collectively, “User Content”). By providing User Content, Company represents and warrants that: (i) Company owns or has all necessary licenses, rights, consents and permissions to grant the license herein; and (ii) neither the User Content, nor any access or use of the User Content via the Services, will infringe, misappropriate or otherwise violate a third party’s intellectual property rights or rights of publicity or privacy, or result in the violation of any other applicable law or regulation. We reserve the right to remove or disable access to any content, including User Content, at any time and without notice or liability, if we, at our sole discretion, consider it in violation of this Agreement, including our Copyright Policy, available at https://arist.co/legal/copyright-policy. Company grants to Arist, its affiliates and their respective agents, suppliers and subcontractors, a non-exclusive, transferable, worldwide, royalty-free license, with the right to sublicense through multiple tiers, during the applicable Subscription term to (i) access and use, reproduce, format, store, distribute, display and perform the User Content and associated metadata in order to provide the Services, and (ii) generate Usage Metadata. Subject to the foregoing license, Company retains all Intellectual Property Rights to its User Content.
d. Feedback. Company agrees that Arist owns all Intellectual Property Rights in any feedback, comments, ideas, proposals, suggestions, recommendations or enhancement requests provided by Company or its Users (“Feedback”).
e. Third Party Resources. The Services may allow Company to access and/or integrate with certain third-party products, services, websites or other resources, including any content, products or services that they display, link to, or make available (“Third Party Resources”). If Company chooses to use any Third Party Resources in connection with the Services, access and use of such Third Party Resources will be subject to any applicable agreement between Company and the third party provider. We are not responsible for acts, omissions or any access to or use of Company’s information by such third party providers.
2. Fees, Payments, Cancellations
a. Subscription Fees. Company may purchase a Services subscription from Arist (“Subscription”) by execution of an Order indicating the subscription fee (“Subscription Fee”), term and scope. Company’s Subscription will continue until Company or Arist cancels or terminates in accordance with this Agreement.
b. Fee Payments. Unless otherwise specified on an Order, payment terms shall be net thirty (30) days after the date of invoice. All fees, charges and taxes are payable in U.S. Dollars. All payments are non-refundable and non-creditable except as expressly provided in this Agreement or applicable Order. Company shall notify Arist within two (2) weeks of receipt of invoice if Company disputes any fee or charge. If an undisputed portion of an invoice becomes delinquent and such delinquency is not remedied within fourteen (14) days of notice, Arist may (i) suspend or terminate Services, (ii) apply a late charge on the unpaid amount equal to the lesser of 1% interest per month or the maximum rate allowed by law, and/or (iii) pursue any other available remedy.
c. Taxes. Company is responsible for sales, use, GST, value-added, withholding or similar taxes or levies that apply to the Services covered by each Order, whether domestic or foreign (“Taxes”), other than Arist’s income tax. If Arist has a legal obligation to pay or collect Taxes for which Company is responsible under the Agreement, the appropriate amount shall be computed based on Company’s “ship to” address, unless Company provides Arist with a valid tax exemption certificate authorized by the appropriate taxing authority.
3. Confidentiality
"Confidential Information" means proprietary, nonpublic or trade secret information, disclosed in written, oral or visual form, that the disclosing Party, its Affiliates or agents (each, "Disclosing Party") provides to the other Party, its Affiliates or agents (each, "Receiving Party") and which is designated as being confidential or that should reasonably have been understood under the circumstances as being confidential. The Receiving Party will not use, copy or disclose Confidential Information except as permitted herein. Confidential Information remains the sole property of the Disclosing Party. The Receiving Party will protect the Disclosing Party's Confidential Information using no less than reasonable procedures. The Receiving Party may disclose Confidential Information to its employees, consultants and contractors who have a need to know and who are bound by similarly stringent confidentiality obligations. The Receiving Party also may disclose Confidential Information pursuant to a legal requirement (e.g., subpoena) or to establish rights or obligations under this Agreement; provided, that (1) reasonable prior notice, unless legally prohibited, is provided to the Disclosing Party to permit an opportunity to contest the disclosure and (2) the Receiving Party discloses only to the extent necessary to comply with the legal requirement or to establish its rights or obligations. The Receiving Party will notify the Disclosing Party upon discovery of any unauthorized use or disclosure of Confidential Information and will cooperate to help prevent further unauthorized use or disclosure. The Receiving Party acknowledges that the Disclosing Party's Confidential Information is valuable and unique and that unauthorized use or disclosure may result in irreparable injury to the Disclosing Party for which monetary damages are inadequate.
4. Privacy. Arist will process any personal information collected from Company in accordance with the Arist Privacy Policy at https://arist.co/legal/privacy-policy and the Data Processing Addendum (attached as Exhibit 1).
5. Security
a. Arist will implement reasonable physical, technical and organizational safeguards (as set forth at https://arist.co/legal/security) designed to secure the Services from unauthorized access, disclosure, loss, modification, or destruction. Company will implement reasonable physical, technical and organizational safeguards designed to keep Company’s account and Users login credentials confidential and secure. Company is responsible for all activities that occur under Company’s account through its and its Users’ login credentials.
b. If a Party discovers that a Security Incident has occurred, that Party will notify the other Party promptly (and in any event within 72 hours of confirmation) unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. In addition to providing such notice, the notifying Party will promptly take reasonable steps to investigate and mitigate the effects of the Security Incident. “Security Incident” means a breach of security of the Services or Company’s account leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Content in the possession or control of Provider.
6. Term & Termination
a. Term. This Agreement will commence on the Effective Date and continue for as long as there are active Orders underneath it unless terminated earlier pursuant to 6(b) below.
b. Termination. Either Party may terminate this Agreement in whole or part, including any particular Order(s), immediately upon notice to the other Party if the other Party is in material breach of this Agreement and does not cure the breach within thirty (30) days after written notice of the breach.
c. Effect of Termination. Upon termination of this Agreement, (i) Company’s rights to access or use the Services will immediately terminate, (ii) if termination is by Company pursuant to 6(b) above, Arist will issue a pro-rated refund of any pre-paid unused fees, otherwise Company shall pay any remaining amounts due hereunder within sixty (60) days of termination, (iii) all liabilities accrued before the date of termination will survive and (iv) upon request, each Receiving Party will return or destroy all copies of Disclosing Party’s Confidential Information.
7. Representations and Warranties
a. Mutual. Each Party represents and warrants that: (i) it possesses the full right, power and authority to enter into and perform the Agreement and grant the rights granted herein; (ii) it is not bound by any obligation that would prevent it from entering into or performing its obligations herein; (iii) the execution, delivery and performance of this Agreement has been duly authorized by all necessary corporate action; and (iv) it will comply with all applicable laws, rules and regulations in its performance hereunder.
b. By Arist. Arist represents and warrants that it will provide the Services in accordance with (i) industry standards, (ii) the specifications included in this Agreement and the Order, and (iii) the service level agreement set forth at https://arist.co/legal/service-level-agreement (the “SLA”). Arist may modify the Services at any time provided that any such modifications shall not materially diminish the core features and functionality of the Services. Should Company notify Arist that the Services fail to meet the foregoing warranty, Arist shall make commercially reasonable efforts to promptly address such non-conformity.
c. Disclaimers. EXCEPT AS SET FORTH ABOVE, THE SERVICES ARE PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND. ARIST EXPLICITLY DISCLAIMS ALL OTHER WARRANTIES OF ANY KIND, EXPRESSED OR IMPLIED, STATUTORY OR OTHERWISE IN LAW, TO THE FULLEST EXTENT PERMITTED BY LAW. FURTHER, ARIST DOES NOT WARRANT OR REPRESENT THAT THE SERVICES OR CONTENT WILL MEET COMPANY’S REQUIREMENTS, BE AVAILABLE ON AN UNINTERRUPTED, SECURE, ERROR-FREE, OR DEFECT-FREE BASIS, BE FREE OF ANY MALICIOUS CODE, OR BE ACCURATE, COMPLETE OR RELIABLE. ARIST, ITS AFFILIATES AND LICENSORS DO NOT GUARANTEE ANY TEXT (SMS) MESSAGE DELIVERY, TIMELINESS OR AVAILABILITY, AND ARE NOT RESPONSIBLE FOR ANY LOST OR MISDIRECTED MESSAGES, OR FOR ANY TEXT MESSAGING OR WIRELESS SERVICE CHARGES INCURRED IN CONNECTION WITH THE SERVICES.
8. Indemnification
a. Indemnification. Each Party (the “Indemnitor”) agrees to defend, indemnify and hold harmless the other Party, its affiliates, licensors and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors and assigns (each, an “Indemnitee”) through final judgment or settlement, from and against any third-party claim, action, suit, proceeding, judgments, settlements, losses, damages, expenses (including reasonable legal fees and expenses) and costs (including allocable costs of in-house counsel) (“Claim”) brought against an Indemnitee to the extent arising out of or based upon: (i) the Indemnitor’s violation of law in its performance hereunder; (ii) the Indemnitor’s fraud or intentional misconduct; (iii) an infringement claim based upon the Services (in the case of Arist as the Indemnitor) or the User Content (in the case of Company as the Indemnitor).
b. Process. The Indemnitee will (i) promptly provide notice to the Indemnitor of any Claim for which indemnity is claimed (provided, that, any delay in providing notice will not relieve Indemnitor of Indemnitor’s obligations hereunder, except to the extent that Indemnitor is materially prejudiced by the delay), (ii) permit Indemnitor to control the defense of any such Claim and (iii) provide reasonable assistance at Indemnitor’s reasonable cost. Indemnitor may control the defense provided that the Indemnitee may fully participate in the defense at its own cost. Notwithstanding the foregoing, Indemnitor may not consent to entry of any judgment or enter into any settlement that imposes liability or obligations on the Indemnitee or diminishes its rights, without obtaining the Indemnitee's express prior consent, such consent not to be unreasonably withheld or delayed.
9. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, EXEMPLARY OR INCIDENTAL DAMAGES OF ANY KIND, INCLUDING LOST PROFITS, REVENUES, SAVINGS, BUSINESS OPPORTUNITIES, DATA OR GOODWILL, SERVICE INTERRUPTIONS, COMPUTER DAMAGES OR SYSTEM FAILURES, OR REPLACEMENT SERVICES, HOWEVER CAUSED AND REGARDLESS OF THEORY OF LIABILITY, WHETHER OR NOT THE PARTY WAS NOTIFIED OF THE POSSIBILITY OF SUCH DAMAGES, AND WHETHER OR NOT THE REMEDIES PROVIDED FOR HEREIN FAIL OF THEIR ESSENTIAL PURPOSE. COMPANY SPECIFICALLY ACKNOWLEDGES THAT ARIST WILL NOT BE LIABLE FOR ANY USER CONTENT OR USER CONDUCT AND THAT THE RISK OF HARM OR DAMAGE FROM ANY OF THE FOREGOING RESTS SOLELY WITH COMPANY. EXCEPT FOR A PARTY’S FRAUD OR WILLFUL MISCONDUCT, EACH PARTY’S AGGREGATE LIABILITY FOR ANY AND ALL CAUSES OF ACTIONS, CLAIMS AND DAMAGES IN CONNECTION WITH THIS AGREEMENT IS LIMITED TO THE LESSER OF (i) DIRECT DAMAGES PROVEN BY THE OTHER PARTY, OR (ii) THE AMOUNT OF FEES OR CHARGES PAID BY COMPANY TO ARIST DURING THE 12-MONTH PERIOD BEFORE THE DATE ON WHICH ANY CLAIM AROSE, (OR FIFTY THOUSAND U.S. DOLLARS ($50,000) IF COMPANY HAS NOT HAD ANY PAYMENT OBLIGATIONS TO ARIST).
10. Acceptable Use Policy. Company agrees not to do, or permit any of its Users to do, any of the following: (i) Post, upload, publish, submit or transmit any User Content that infringes, misappropriates or violates Intellectual Property Rights, or any applicable law or regulation or contains any malicious computer code, file or program; (ii) Disrupt the security or stability of the Services or otherwise circumvent any technological measure implemented to protect the Services or Content; (iii) Send any unsolicited or unauthorized advertising, promotional materials, spam, emails, junk mail, chain letters or other forms of solicitation; (iv) Rent, lease, distribute, license, sublicense, sell, loan, transfer, assign, network or otherwise provide access or use of the Services or Content to, or for the benefit of, any third party in any manner not permitted by this Agreement, including without limitation to create a competitive service or product; (v) Forge any TCP/IP packet header or any part of the header information in any email or newsgroup posting, or in any way use the Services or Content to send altered, deceptive or false source-identifying information; or (vi) Attempt to reproduce, modify, adapt or create derivative works of the Services or to decipher, decompile, disassemble, reverse engineer, exchange or translate any software on the Site or used to provide the Services, or remove or tamper with any disclaimers, Intellectual Property Rights notices, proprietary rights notices or other legal notices in the Services. We reserve the right, but are not obligated, to monitor access to or use of the Services, or to monitor, review, censor or edit any User Content, to confirm compliance with the foregoing restrictions.
11. Miscellaneous
a. Force Majeure. Neither Party will be liable in damages or have the right to terminate this Agreement for any delay or default in performing hereunder (except for failure to timely pay) if such delay or default is caused by conditions beyond its reasonable control including acts of God, government restrictions (including the denial or cancellation of any export or other necessary license), acts of terrorism, wars, disease, or insurrections.
b. Governing Law and Forum. This Agreement will be construed and enforced in accordance with the laws of the State of Delaware, without regard to its conflict of laws provisions. Each Party agrees that any action, suit or other proceeding arising from or based upon this Agreement will be brought and maintained only in a state or federal court of competent jurisdiction located in the venue of the headquarters of the defendant in the action.
c. Export Compliance. The Services and other technology Arist makes available, and derivatives thereof, may be subject to export laws and regulations of the U.S. and other jurisdictions. Company represents that Company and its Users are not named on any U.S. government denied-party list. Company will not permit its Users to access or use the Services in a U.S. embargoed country (currently Cuba, Iran, North Korea, Sudan or Syria) or in violation of any U.S. export law or regulation.
d. Entire Agreement. This Agreement constitutes the entire and exclusive understanding and agreement between Arist and Company regarding the Services and supersedes and replaces all prior oral or written understandings or agreements between Arist and Company regarding the Services. Any terms contained in Company’s purchase order or vendor registration process are expressly disclaimed and shall not apply. We may amend this Agreement from time to time by posting the amended Agreement on our website. Such new terms shall apply to Company’s continued use of the Services. The Parties’ rights and obligations which by their nature should survive termination will survive termination of this Agreement. Failure or delay to enforce any right or provision of this Agreement will not be considered a waiver of that right or provision. Any waiver will be effective only if in writing and signed by a duly authorized representative of the waiving party. Except as expressly set forth in this Agreement, the exercise by either Party of any of its remedies hereunder will be without prejudice to its other available remedies.
e. Severability; Interpretation. If any provision of this Agreement is held invalid or unenforceable by an arbitrator or a court of competent jurisdiction, that provision will be enforced to the maximum extent permissible and the other provisions will remain in full force and effect. The headings to Sections are for convenience of reference only and do not form a part of this Agreement and will not affect its interpretation. Neither Party will be afforded or denied preference in the construction of this Agreement, whether by virtue of being the drafter or otherwise. For purposes of the Agreement, the words and phrases “include”, “includes”, “including”, and “such as” are deemed to be followed by the words “without limitation”.
f. Relationship of Parties, Assignment. Nothing herein will be deemed to create, or be construed as creating, a joint venture, partnership, employment or agency relationship between the Parties. Neither Party may assign, delegate or otherwise transfer this Agreement, by operation of law or otherwise, in whole or in part, without the prior written consent of the other Party; provided that either Party may assign to a successor in interest through the sale or transfer of all or substantially all of its assets or stock on notice to the other Party. Any attempt to assign or transfer the Agreement without such consent will be null and void. This Agreement will bind and inure to the benefit of the Parties, their successors and permitted assigns.
g. Notices. Arist may give general notices related to the Services by posting to the Services. Any legal notices shall be provided to Arist at: Arist Holdings, Inc., 2261 Market Street, #4320, San Francisco, CA 94114, Attn: Legal Department, with a copy via email to legal@arist.co; and to Company at the address provided on the Order.
Exhibit 1
Data Processing Addendum
1. Definitions. Capitalized terms used but not defined in this Addendum will have the meanings set forth in the Agreement.
a. “CCPA” means Cal. Civ. Code § 1798.100 et seq., otherwise known as the “California Consumer Privacy Act of 2018,” as amended.
b. “Data Protection Laws” means all privacy or data protection laws applicable to Arist’s Processing of Personal Data under the Agreement or this Addendum, including the CCPA and any applicable EU Data Protection Laws.
c. “EU Data Protection Laws” means, as applicable, (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (collectively “UK Data Protection Law”); (iii) any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law); or (iv) any other applicable law relating to the data protection, security, or privacy of individuals that applies in the European Area.
d. “EU Standard Contractual Clauses”, “SCCs” or “Clauses” means as applicable, (i) the agreement pursuant to the European Commission’s Implementing Decision of 2021/914 published on 4 June 2021 on standard contractual clauses (“SCCs”) for the transfer of personal data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and any replacement, amendment or restatement of the foregoing issued by the European Commission (the “EU Model Clauses”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.
e. “Personal Data” means User Content (i.e., personal information) relating to an identified or identifiable individual.
f. The terms “Data Controller,” “Data Processor,” “Personal Information,” “Process” or “Processing” have the meanings given them under applicable Data Protection Laws.
2. Roles of the Parties. Company is the Data Controller and Arist is the Data Processor in respect of any Personal Data provided by Company and Users, including User Content (as defined in the Agreement), and Arist will Process such Personal Data solely in accordance with the Agreement or other documented instructions of Company provided in accordance with the Agreement, or as otherwise required by applicable law. It is Company’s responsibility to ensure that, in accordance with relevant Data Protection Laws, there is a lawful basis for the collection and processing of Personal Data hereunder and that Company has provided appropriate notices to users and other data subjects.
3. Terms of Data Processing. Arist will:
a. process Personal Data only on Company’s reasonable documented instructions unless required to do so by law; in such a case, Arist will inform Company of that legal requirement before processing, unless prohibited by law on grounds of public interest;
b. ensure that persons authorised to process the Personal Data on Arist’s behalf have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality;
c. implement appropriate technical and organizational measures designed to ensure a level of security for the Personal Data that is appropriate to the risks to individuals that may result from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data;
d. not engage another processor without notice to Company. Company may request a list of sub-processors currently engaged by Arist by emailing to privacy@arist.co. Company may notify Arist in writing of any objections to new sub-processors (provided the objection is based on reasonable grounds relating to data protection). If we receive such an objection, the Parties will discuss such objections in good faith and Arist will use reasonable commercial efforts to resolve the objection. If the Parties are unable to resolve the objection, Company may terminate the affected Services by providing 30 days written notice to Arist. We will impose obligations on any Data Processor that we appoint on Company’s behalf that are equivalent to the terms set out herein. We will remain liable for the performance of these processors;
e. taking into account the nature of the processing, assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the EU Data Protection Laws; any assistance that Arist provides to Company to respond to requests from (i) data subjects to exercise their rights under Data Protection Laws, or (ii) regulatory authorities, will be at Company’s cost;
f. at the Data Controller’s election, delete or return all the Personal Data to the Data Controller after the end of providing the Services relating to processing, and delete existing copies except that Arist will be entitled to retain Personal Data where required by Data Protection Laws or another applicable law, or where such data is required for Arist’s internal record keeping or where it is necessary for use in any legal proceedings; Company must notify Arist of Company’s request to have Personal Data returned or deleted within 30 days after the effective date of termination; and
g. make available to the Data Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the EU Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller (in each case at the Data Controller's cost). Any assistance that Arist provides to Company to demonstrate compliance with Data Protection Laws will be provided at Company’s cost. The Parties will mutually agree on the timing, scope and duration of any audit. Company may not carry out audits more than once in any one-year period, other than where a data security incident has taken place, or pursuant to the request of a data protection authority. Company will ensure that any third-party auditor that Company appoints (i) is not an Arist competitor; and (ii) is committed to appropriate confidentiality obligations. Company and/or any third-party auditor will comply with Arist’s standard policies and procedures when accessing Arist’s premises or systems.
4. CCPA: If the Services involve the Processing of any Personal Data subject to the CCPA, Arist acknowledges and agrees it will comply with applicable requirements of the CCPA. If Arist receives verifiable consumers’ requests directly from the consumer regarding Personal Data that constitutes “Personal Information”, it will promptly forward any such requests to Company. Further, Arist acknowledges and agrees it is prohibited from: (i) selling (as defined under the CCPA) Personal Information; (ii) retaining, using, or disclosing Personal Information for any purpose other than as specified in the Agreement, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the services specified in the Agreement; and (iii) retaining, using, or disclosing Personal Information outside of the direct business relationship between Arist and Company. Arist also certifies that it and its employees shall comply with the restrictions set out in this subsection.
5. EU International Transfers. Processor may process and transfer Personal Data originating from the European Area in and to the United States and Third Countries where its affiliates and its Sub-processors have operations. All data transfers and processing of Personal Data originating from the European Area shall be made in compliance with the applicable European Area Data Protection Law, and if Processor or Sub-processor are in a Third Country, then Model Clauses, Module Two (“Controller to Processor”) shall apply as to such transfer. If Model Clauses apply, it is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. To the extent Controller adopts an alternative data transfer mechanism (including any new version or replacement to the Model Clauses adopted pursuant to Data Protection Laws) for the transfer of Personal Data (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall upon notice to Processor apply instead (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Law and extends to the Third Countries to which Personal Data is transferred). In the event that Processor (and/or Sub-processors) are self-certified under the Data Privacy Framework (DPF), such certification has been deemed adequate under European Area Data Protection Law for processors in the United States and the Model Clauses shall not apply:
a. EEA Personal Data Transfers. For the purposes of the descriptions in the Model Clauses relating to EEA Personal Data Transfers: (i) Processor agrees that it is the “data importer” and Controller is the “data exporter”; (ii) Appendix 1 – Details of Processing and Appendix 2 – Information Security Policy of this DPA shall form Annex I and Annex II of the Model Clauses, respectively, if applicable; (iii) Annex III of the Model Clauses shall be subject to General Authorization; and (iv) the Model Clauses shall be governed by the laws of Ireland.
b. UK Personal Data Transfers. Where Personal Data transfers are subject to the UK Data Protection Law, each party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, attached to and incorporated by reference as Appendix 3, in exchange for the other Party also agreeing to be bound by the UK Transfer Addendum.
Before commencing any EU International Transfer to or from a sub-processor, Arist will use its reasonable efforts to confirm such sub-processors take measures to adequately protect Personal Data consistent with Data Protection Laws including use of an approved transfer mechanism.
6. SCCs: Modules and Options. For the purposes of Section 4 above, the Parties agree that Module Two and the following Options of the Clauses are deemed to be incorporated:
Clause 7 (Docking clause): Clause 7 will not be incorporated.
Clause 9 (Use of sub-processors): General Written Authorization, and the specific time period will be as set out in Section 3(d) herein.
Clause 11 (Redress): the Option in Clause 11(a) will not be incorporated.
Clause 17 (Governing law) and Clause 18 (Choice of forum and jurisdiction): For EU transfers: The law and forum inserted will be the laws and forum of the EU Member State in which the data exporter is established, save that: (i) where such laws do not allow for third-party beneficiary rights; or (ii) where the data exporter is not established in an EU Member State, the law and forum will be Ireland. For UK transfers, the law and forum shall be England.
7. Details of Data Processing, Security Measures.
a. For the purposes of Section 4 above, the Parties agree that Annex I of the EU Standard Contractual Clauses will be pre-populated with the following details:
List of Parties
Data Exporter:
Name: Company.
Address: per Company’s Order(s).
Contact person's name, position, contact details: per Company’s Order(s).
Activities relevant to the data transferred under these Clauses: per the Agreement.
Role (controller/processor): Data Controller.
Data importer(s):
Name: Arist Holdings Inc.
Address: per Company’s Order(s).
Contact person's name, position and contact details: privacy@arist.co.
Activities relevant to the data transferred under these Clauses: per the Agreement.
Role (controller/processor): Data Processor.
Description of transfer
Categories of data subjects whose personal data is transferred: the data subjects may include Company’s employees and Users.
Categories of personal data transferred: name, email address, phone number.
Sensitive data transferred: no sensitive data will be transferred by the data exporter to the data importer.
The frequency of the data transfer: continuous unless otherwise specified in the Agreement.
Nature of the processing: data hosting, storage and such other services as described in the Agreement.
Purpose(s) of the data transfer and further processing: to provide the Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained until such time as Company notifies Arist that Company would like it returned to Company or deleted per the Agreement.
For transfers to sub-processors, also specify the subject matter, nature and duration of the processing:
• subject matter of the processing is the processing of Personal Data in connection with the performance of the Agreement;
• nature of processing is as described in the Agreement; and
• the duration of the processing is determined by Company, subject to the other provisions of the Agreement.
Competent supervisory authority
The EU Member State in which the data exporter is established and, if the data exporter is not established in an EU Member State, the data protection authority of Ireland.
b. For the purposes of Section 4 above, the Parties agree that Annex II of the EU Standard Contractual Clauses will be pre-populated with the following details:
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Technical Security Measures
Cloud Security
· Cloud Infrastructure Security: All of our services are hosted with Amazon Web Services (AWS). AWS employs a robust security program with multiple certifications. For more information on our provider’s security processes, please visit AWS Security.
· Data Hosting Security: All of our data is hosted on Amazon Web Services (AWS) databases. These databases are all located in the United States. Please reference the vendor-specific documentation linked above for more information.
· Encryption at Rest: All databases are encrypted at rest.
· Encryption in Transit: Our applications encrypt in transit with TLS/SSL only.
· Vulnerability Scanning: We perform vulnerability scanning and actively monitor for threats.
· Logging and Monitoring: We actively monitor and log various cloud services.
· Business Continuity and Disaster Recovery: We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
· Incident Response: We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
Access Security
· Permissions and Authentication: Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their role. Where available, we use Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies to ensure that access to cloud services is protected.
· Least Privilege Access Control: We follow the principle of least privilege with respect to identity and access management.
· Quarterly Access Reviews: We perform quarterly access reviews of all team members with access to sensitive systems.
· Password Requirements: All team members are required to adhere to a minimum set of password requirements and complexity for access.
· Password Managers: All company issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.
Vendor and Risk Management
· Annual Risk Assessments: We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
· Vendor Risk Management: Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor.
Organizational Security Measures
· Information Security Program: We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
· Third-Party Audits: Our organization undergoes independent third-party assessments to test our security and compliance controls.
· Third-Party Penetration Testing: We undergo an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
· Roles and Responsibilities: Roles and responsibilities related to our Information Security Program and the protection of our customer’s data are well defined and documented. Our team members are required to review and accept all of the security policies.
· Security Awareness Training: Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
· Confidentiality: All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
· Background Checks: We perform background checks on all new team members in accordance with local laws.
For more information, please see https://arist.co/legal/security