
Last revised: April 2, 2024

 

This User License Agreement, along with any attachments, addenda, annexes, or Orders, constitutes the “Agreement” between You (“You” or “User”) and HYAS Infosec Inc. (“HYAS”), a British Columbia Corporation located at 408 – 55 Water Street, Office 8536, Vancouver, BC V6B 1A1, Canada. The Agreement governs User’s access to and use of HYAS’s digital-threat mitigation products, services, data, and support services (each a “Product”; collectively, the “Products”). HYAS and User are each referred to individually as a “Party” and together as the “Parties”.

BY ENGAGING WITH HYAS PRODUCTS—INCLUDING REGISTERING, ORDERING, DOWNLOADING, INSTALLING, ACCESSING, OR EVALUATING A PRODUCT—YOU CONSENT TO BE LEGALLY BOUND BY THIS AGREEMENT. SHOULD YOU REJECT ITS TERMS, IMMEDIATELY CEASE ALL USE AND ACCESS OF THE PRODUCTS. THIS AGREEMENT APPLIES TO PRODUCTS ACQUIRED DIRECTLY FROM HYAS OR THROUGH AN AUTHORIZED DISTRIBUTOR, RESELLER, OR SECURITY SERVICE PROVIDER.

HYAS reserves the right, at its sole discretion, to modify any part of this Agreement at any time by posting the revised terms on HYAS’s website or by notifying Users through the Products or via email. Such modifications shall become effective immediately upon posting or notification. It is User’s responsibility to check the HYAS website periodically for changes. User’s continued access to or use of the Products after the posting of any changes to this Agreement constitutes acceptance of those changes. If User does not agree to the new terms, You must stop using the Products immediately.

Accepting this Agreement on behalf of an organization or legal entity signifies that You possess the requisite authority to bind said entity to these terms. Lack of authority, agreement, or compliance necessitates immediate cessation of Product use. This Agreement activates on the earlier date of (i) Order acceptance or (ii) initial Product use (“Effective Date”) and prevails over any conflicting Order terms unless the conflicting Order provision expressly cites this Agreement and the specific provisions intended to be overridden.

1. Definitions

a. “Controller” means the entity that determines the purposes and means of Processing of Personal Data. 

b. “Data Processing Agreement” or "DPA" means Schedule A.

c. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

d. “Documentation” means any HYAS manuals or guides regarding a Product’s use. 

e. “HYAS Data” means personal data made accessible by HYAS via a Product.

f. “Order” means an order for a Product that has been executed by User and either HYAS or its authorized distributor, reseller, or security service provider. 

g. “Personal Data” means any information that identifies or could be reasonably used to identify a natural person.  

h. “Process” means any operation or set of operations performed upon Personal Data, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, combining, restricting, erasing, destroying, disclosing, transmitting, or otherwise making available.

i. “Processor” means the entity that Processes Personal Data on behalf of the Controller.

j. “Professional Services” means HYAS’s professional investigation and analysis services.

k. “Purpose” means to mitigate and manage digital threats and incidents.

l. “Systems Data” means data generated or collected in connection with User’s use of the Products, such as logs, session data, telemetry data, support data, usage data, threat intelligence data, netflow data, and derivatives thereof.

m. “User Data” means data provided by or on behalf of User to HYAS during the relationship governed by this Agreement. User Data does not include Systems Data.

n. “User Personnel” means User employees and service providers authorized to access or use Products under and in accordance with the Agreement.

2. Rights and Restrictions

a. Rights. Subject to the terms and conditions of this Agreement, HYAS grants to User a limited, non-exclusive, non-transferable, non-assignable, non-sublicensable, revocable license to access and use the Products for the Purpose during the Term. 

b. Restrictions. User shall not directly or indirectly: (i) access or use Products for any unlawful or fraudulent purpose, or for any purpose that is not expressly permitted in the Agreement or Documentation, or that may infringe any of HYAS’s Intellectual Property Rights; (ii) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, display, host, outsource, or otherwise commercially exploit or make Products available to any third party; (iii) send or store, on or through a Product, viruses, worms, time bombs, trojan horses, or other harmful or malicious code, files, scripts, agents, or programs; (iv) interfere with or disrupt the integrity or performance of a Product; (v) attempt to gain unauthorized access to or use of a Product; (vi) remove or modify any HYAS markings or notice of a proprietary right; (vii) modify, make derivative works of, disassemble, reverse compile, or reverse engineer any part of a Product; (viii) access or use a Product in order to build or support, or assist a third party in building or supporting, competitive products or services; (ix) disclose results of any benchmark tests related to a Product without HYAS’s prior written consent; or (x) make public in any manner or disclose to any third party, any aspect of the Products, including photographs or screenshots thereof.

c. Authentication Credentials. User shall keep accounts and authentication credentials providing access to Products secure and confidential. User will immediately notify HYAS about any misuse of User accounts or authentication credentials. Authentication credentials may not be shared. If HYAS has reasonable grounds to believe that User is in violation of this section, HYAS may immediately suspend or terminate access to Products.

d. Third-Party Technology Integrations. User may access Products via the user interface of a HYAS authorized technology integration partner. If User elects to utilize such an interface, User agrees it will comply with the applicable terms of service of the technology integration partner. Technology integrations are provided on an as-is basis and access to such offerings may be terminated, without cause or notice to User, at any time. 

3. Products

1. Provision of Products. HYAS will remotely provide User with Products. User will cooperate with HYAS, as necessary, in support of HYAS’s provision of the Products, including by providing all reasonably-requested information, materials, and personnel in a timely manner. 

2. Product Support. User may be entitled to receive HYAS’s standard support for the Products. HYAS provides support and maintenance for the Products during HYAS’s regular working hours: weekdays, from 9:00am to 5:00pm Pacific Time, excluding all United States and Canadian holidays. Additional support may be purchased in an Order.

3. Changes in Products. HYAS may, in its sole discretion, modify, discontinue, substitute, delete, or restrict any aspect or feature of the Products, provided that any such modification will not result in a material diminution in the nature or level of the Products offered to User prior to such change.

4. Professional Services. No part of User’s engagement for Products under this Agreement is an agreement for a work made for hire and HYAS retains full right, title, and interest to any deliverables. Deliverables are only licensed to User. Notwithstanding anything to the contrary in this Agreement, (i) User shall only use deliverables for the Purpose and (ii) User acknowledges that there is no guarantee of satisfactory results from any professional services. Professional services are provided by HYAS on a non-exclusive basis.

4. Fees and Payment

a. Invoicing. User agrees to pay all fees for the Products as set forth in each Order. Except as expressly provided in this Agreement, all payments made by User to HYAS hereunder are non-refundable. Notwithstanding anything stated to the contrary, any terms in any User-generated order document (“User PO”) (whether signed by neither, one, or both of the Parties) shall be construed solely as evidence of User’s internal business processes, and shall be void and of no effect between the Parties; provided, however, in the event the User PO is the only ordering document between the Parties, any payment obligations of User thereof shall apply.

b. Overdue payments. If User’s account is thirty (30) days or more overdue, in addition to any other rights or remedies HYAS may have, HYAS reserves the right to withhold, suspend, or revoke its Product licenses and terminate this Agreement, in HYAS’s sole discretion. Upon written notice to User demanding immediate payment of the fees, User will have a ten (10) day grace period to cure the default. If the default is not fully cured within the grace period, all outstanding fees for the remaining term of the Agreement shall become immediately due and payable. User acknowledges that the acceleration of fees is a reasonable measure to protect HYAS’s financial interests and is not intended as a penalty. User agrees that in any legal action or proceeding to enforce HYAS’s rights under this Agreement, User shall be responsible for all costs and expenses incurred by HYAS, including but not limited to reasonable attorneys’ fees and court costs. This provision is in addition to any other remedies available to HYAS, and it shall survive the termination or expiration of this Agreement until all outstanding fees have been paid in full.

5. Ownership 

a. HYAS Products. Nothing in this Agreement assigns or grants to User any right, title, or interest in or to any Intellectual Property Rights in or relating to the property and materials of HYAS and its licensors, including the Products, and any modifications, enhancements, or adaptations thereof. All right, title, and interest in and to Products is retained by HYAS and its respective licensors. “Intellectual Property Rights” means any registered and unregistered rights granted, applied for, or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.

b. Feedback. Notwithstanding anything to the contrary in this Agreement, User hereby grants HYAS a non-exclusive, worldwide, irrevocable, perpetual, royalty-free license to use any ideas, suggestions, requests, comments, input (including input submitted through any Product feature where User actively submits information to HYAS), recommendations, corrections, enhancement requests, or other feedback provided by User (“Feedback”) in connection with the Products, to HYAS for any lawful purpose. User acknowledges that it provides Feedback voluntarily, and HYAS has no obligation to use any Feedback. 

6. Data Processing

a. HYAS Data. The Parties agree that HYAS and User separately, and not jointly, determine the means of Processing HYAS Data (for HYAS, providing HYAS Data pursuant to this Agreement, and for User, Processing HYAS Data for the Purpose). HYAS Data made accessible to User may be governed by certain data privacy laws, including the General Data Protection Regulation (EU) 2016/679 of April 27, 2016 (“GDPR”). User shall comply with all applicable privacy laws in its use of the Products, and when User has access to HYAS Data, such data will be Processed in accordance with the DPA. User shall immediately notify HYAS of actual or reasonably suspected unauthorized access or Processing of HYAS Data, and receipt of any requests to exercise privacy rights as they relate to HYAS Data. In the event either Party is legally required to amend this Agreement to comply with applicable privacy laws, the Parties will negotiate such amendments in good faith. If HYAS determines that certain HYAS Data may no longer be used or must be removed, modified, or disabled to avoid violating applicable law or any third-party rights, (i) User will follow HYAS’s reasonable instructions, which may include deletion of HYAS Data and written confirmation thereof, and (ii) HYAS may discontinue User’s access to such HYAS Data through the Products. If User violates Section 2 of this Agreement, HYAS may immediately limit, suspend, or block User’s access to HYAS Data. 

b. User Data. HYAS will Process User Data (e.g., account registration information) solely for the purpose of carrying out its Agreement obligations. To the extent HYAS Processes User Data that is personal data, such personal data will be Processed in accordance with the HYAS Privacy Statement, located at https://www.hyas.com/privacy-statement/. The Parties agree that, as between the Parties regarding the Processing of User Data, User is a Controller and HYAS is a Processor. 

c. Systems Data. HYAS may use Systems Data to provide Products to User, to improve Products, to develop new Products, and for threat intelligence research purposes. HYAS will not disclose to any third party Systems Data that identifies User, except to the extent required to comply with applicable law or valid order of a court or government agency of competent jurisdiction. 

7. Confidentiality

“Confidential Information” means the information of a Party (“Disclosing Party”) disclosed to the other Party (the “Receiving Party”), whether orally or in writing, that reasonably would be considered confidential or proprietary to the Disclosing Party, including information relating to the Disclosing Party’s business and marketing plans, software code, technology, product designs, business processes, trade secrets, know-how, strategies, clients, and pricing, in each case whether or not marked, designated, or otherwise identified as “confidential”, excluding information that the Receiving Party can demonstrate is, without breach of any obligation owed to the Disclosing Party: (a) generally known to the public; (b) known to the Receiving Party prior to its disclosure by the Disclosing Party; (c) independently developed by the Receiving Party; or (d) received from a third party in good faith. The Receiving Party will not, and will not permit any party to, disclose the Disclosing Party’s Confidential Information, or use the Disclosing Party’s Confidential Information, except as necessary for the performance of its obligations under this Agreement. Each Party agrees to protect the confidentiality of the other Party’s Confidential Information in the same manner that it protects the confidentiality of its own proprietary information, but in no event using less than reasonable care.  For clarity, Confidential Information is exempt from public disclosure under the provisions of the Trade Secrets Act, 18 U.S.C. §1905. 
The Parties agree that any unauthorized use or disclosure of Confidential Information may cause irreparable harm for which monetary damages would not be an adequate remedy and that, in the event of such breach or threatened breach by the Receiving Party, the Disclosing Party, in addition to other remedies which may be available in law, equity, or otherwise, may seek equitable relief, including injunctive relief, without any requirement to prove actual damages or show irreparable harm. If the Receiving Party is compelled by court order or by applicable laws to disclose the Disclosing Party’s Confidential Information, it will provide the Disclosing Party with: (i) advance notice to sufficiently allow the Disclosing Party to object to the compelled disclosure; and (ii) reasonable assistance, at the Disclosing Party's cost, should the Disclosing Party wish to contest such disclosure.

8. Warranty and Disclaimer

User represents and warrants that it has obtained or will obtain, prior to HYAS’s delivery of the Products, any necessary rights and consents, including that of User Personnel, to use the Products, and it has not, and will not, infringe, misappropriate, or otherwise violate any Intellectual Property Rights of HYAS or any third party, or violate any applicable law. HYAS will provide the Products, exercising such skill and care as would reasonably be expected by similar providers. EXCEPT FOR THE EXPRESS WARRANTY SET FORTH HEREIN, HYAS PRODUCTS ARE PROVIDED AS-IS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HYAS DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE AND MAKES NO WARRANTY THAT HYAS DATA OR HYAS PRODUCTS ARE ACCURATE, COMPLETE, SUITABLE FOR THE PURPOSES INTENDED, UNINTERRUPTED, OR WITHOUT ERROR. USER FURTHER ACKNOWLEDGES THAT THE PRODUCT IS NOT INTENDED OR SUITABLE FOR USE IN SITUATIONS OR ENVIRONMENTS WHERE THE FAILURE OR TIME DELAYS OF, OR ERRORS OR INACCURACIES IN, THE CONTENT, DATA, OR INFORMATION PROVIDED BY THE PRODUCT COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE.

9. Limitation of Liability

EXCLUDING ONLY BREACHES OF ARTICLE 2, ARTICLE 6, ARTICLE 7 AND USER’S PAYMENT OBLIGATIONS, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY WILL NOT, WHETHER IN CONTRACT, TORT, OR OTHERWISE, EVEN IF A PARTY IS NOTIFIED IN ADVANCE OF THE POSSIBILITIES OF SUCH DAMAGES, EXCEED THE AMOUNT OF FEES PAID OR PAYABLE BY USER FOR THE PRODUCTS IN THE TWELVE (12) MONTH PERIOD PRECEDING THE FIRST EVENT GIVING RISE TO THE CLAIM. IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY: (A) SPECIAL, EXEMPLARY, PUNITIVE, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; (B) LOSS OF SAVINGS, PROFIT, USE, GOODWILL, OR REPUTATION; (C) BUSINESS INTERRUPTION; OR (D) COSTS OF REPLACEMENT PRODUCTS; ARISING OUT OF, OR IN ANY WAY CONNECTED TO, THE PRODUCTS OR THIS AGREEMENT.

10. Indemnification

a. User will defend, indemnify, and hold HYAS and its officers, directors, employees, affiliates, and licensors ("HYAS Indemnitees") harmless from and against all losses, damages, and costs (including reasonable legal fees) incurred in connection with any claim, action, suit, or proceeding made or brought against HYAS Indemnitees by a third party arising out of or related to: (i) unauthorized use of Products; (ii) violation of applicable law; (iii) breach of any representations or warranties set forth herein; or (iv) HYAS's breach of any agreement with a third party, where such breach is due to the acts or omissions of User.

b. HYAS will defend, indemnify, and hold User and its officers, directors, employees, and affiliates ("User Indemnitees") harmless from and against any and all third-party losses, damages, and costs (including reasonable legal fees) incurred in connection with any claim, action, suit, or proceeding made or brought against User Indemnitees by a third party arising out of or related to any claim that the Products, when used in accordance with this Agreement and Documentation, infringe any third party’s Intellectual Property Rights; provided, that User: promptly gives written notice of the claim to HYAS, gives HYAS sole control of the defense and settlement of the claim, and provides HYAS all available information and reasonable assistance. The foregoing obligation shall not apply to any action or loss arising from the combination or use of Products with any other software, products, hardware, materials, or processes not provided by HYAS; User's failure to comply with all Documentation and other specifications and instructions; or User's modification of the Products or any other unauthorized or unapproved use of the Products. If a Product becomes, or should HYAS find that it is likely to become, the subject of an infringement claim, HYAS may, at its sole discretion: (i) obtain a license that would permit User to continue to use the Product; (ii) modify the Product to render it non-infringing; (iii) provide a non-infringing product that possesses the functionality of the Product at no additional cost to User; or (iv) immediately terminate this Agreement with respect to such Product, in which case HYAS will provide User with a pro-rata refund for any pre-paid fees covering the remainder of the term of the Agreement from the date of termination. THIS ARTICLE SETS FORTH HYAS’S SOLE LIABILITY, AND USER'S EXCLUSIVE REMEDY, FOR INTELLECTUAL PROPERTY RIGHT INFRINGEMENT.

11. Term and Termination 

a. Term. The term of this Agreement (the "Term") will commence on the Effective Date and will continue in effect for the duration of any active Orders. Unless earlier terminated in accordance with this Agreement, each Order will expire at the end of the subscription period set therein.

b. Suspension or Termination for Cause. Excluding only User’s violations of Article 2, whereby in such case HYAS may, upon notice to User and with immediate effect, suspend or terminate User's access to and use of the Products, either Party may terminate this Agreement or any Order, for cause, upon written notice to the other Party: (i) in the event of a material breach of this Agreement by the other Party which remains uncured for thirty (30) days after receipt of written notice thereof; or (ii) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency.

c. Effects of Termination or Expiration. Upon any termination or expiration of this Agreement: (i) all rights, consents, and licenses granted by either Party hereunder will immediately terminate, and all User Personnel will promptly discontinue using Products; (ii) each Party will: (a) immediately discontinue all use of the other Party's Confidential Information; (b) promptly return to the other Party or, at the other Party's option, destroy, all copies of the other Party's Confidential Information in its possession; and (c) promptly pay all outstanding amounts due under any Order. 

d. Survival. Any provision that by its nature should survive expiration or termination will survive the expiration or termination of this Agreement.

12. Miscellaneous 

a. Independent Contractors. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties. 

b. Force Majeure. Except as expressly provided in this Agreement, neither Party will be liable for any failure to perform its non-monetary obligations under this Agreement if such failure is caused by a force majeure event or other reasonably unforeseeable event beyond that Party’s reasonable control (a “Force Majeure Event”), including acts of God, acts of government (including imposing an export or import restriction), flood, fire, earthquakes, pandemic, epidemic, civil unrest, acts of terror, or utility, telecommunications, Internet service provider, or hosting facility failures. Such Party will promptly inform the other Party of the Force Majeure Event by written notice. The Party impacted by the Force Majeure Event will make reasonable efforts to perform the portions of its obligations not prevented by the Force Majeure Event.

c. Notices. All notices under this Agreement shall be in writing and be sent by electronic mail. Notices to HYAS shall be sent to contracts@hyas.com. Notices to User, unless otherwise indicated by User, may be sent to the individual that executed the Order or Agreement on behalf of User, or to a contact later identified by the Party’s notice in compliance with this Section. Email notices must be sent to designated contacts from the Party’s official domain name.

d. Waiver and Cumulative Remedies. No failure or delay by either Party in exercising any right under this Agreement will constitute a waiver of that right. Except as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party at law or in equity.

e. Severability. If a court of competent jurisdiction finds any provision of this Agreement invalid or unenforceable, that provision of this Agreement will be amended to achieve as nearly as possible the intent of the Parties, and the remainder of this Agreement will remain in full force and effect.

f. No Assignment. Neither Party may assign its rights or delegate its obligations under this Agreement without the other Party's prior written consent, and absent such consent, any purported assignment will be null, void, and have no effect. Notwithstanding the foregoing, HYAS may: (a) assign this Agreement upon notice to the User in the event of a change of control, merger, transfer, or sale of all, or substantially all, of its assets; and (b) subcontract or delegate its obligations hereunder to third-party service providers or subcontractors.

g. Publicity. User agrees that HYAS may publish User’s name and logos to identify User as a HYAS customer.  

h. Export Compliance. HYAS Products are subject to U.S. Export Administration Regulations and other relevant export control and economic sanctions laws. User agrees to comply with all such laws as they relate to access to and use of the Products by User. User shall not access or use the Products in any jurisdiction in which it is prohibited under U.S. or other applicable laws (a “Prohibited Jurisdiction”). User represents and warrants that (a) User is not named on any U.S. government list of persons or entities prohibited from receiving U.S. exports, or transacting with any U.S. person, (b) User is not a national of, or a company registered in, any Prohibited Jurisdiction, (c) User shall not permit access or use Products in violation of any U.S. or other applicable export embargoes, prohibitions, or restrictions, and (d) User shall comply with all applicable laws regarding the transmission of data exported from the U.S. and the countries in which User is located.

i. Federal Acquisition Regulations. If applicable law is inconsistent with any provision of this Agreement or mandates that any provision of this Agreement does not apply to User, then such provision shall be deemed of no effect to the most limited extent necessary to comply with applicable law, and the remainder of this Agreement will remain in full force and effect. User hereby acknowledges and agrees that Products provided hereunder constitute "Commercial Computer Software" as defined in Section 2.101 of the Federal Acquisition Regulation (“FAR”) (48 CFR 2.101).  Therefore, in accordance with Section 12.212 of the FAR (48 CFR 12.212), and Sections 227.7202-1 and 227.7202-3 of the Defense Federal Acquisition Regulation Supplement (“DFARS”) (48 CFR 227.7202-1 and 227.7202-3), the use, duplication and disclosure of the software and related Documentation provided under this Agreement by User is governed by, and is subject to, all of the terms, conditions, restrictions, and limitations set forth in this Agreement. If, for any reason, FAR 12.212, DFARS 227.7202-1, DFARS 227.7202-3 or the license terms herein are deemed not applicable, then such User hereby acknowledges that its right to use, duplicate or disclose the software and related Documentation provided under this Agreement are "Restricted Rights" as defined in FAR 52.227-14(a) (May 2014) and FAR 52.227-14(g)(4) (Alt III) (Dec 2007), or DFARS 252.227-7014(a)(15) (Feb 2014), as applicable. User hereby also acknowledges and agrees that any hardware provided hereunder constitutes a “commercial item” as defined in FAR 2.101 (48 CFR 2.101). Therefore, in accordance with FAR 12.211, User acquires only the technical data and the rights in that data customarily provided to the public, as set forth in this Agreement.  
If, for any reason, FAR 12.211 or the license terms herein are deemed not applicable, then User hereby acknowledges that its right to use, duplicate or disclose any technical data delivered under this Agreement are "Limited Rights" as defined in FAR 52.227-14(a) (May 2014) and FAR 52.227-14(g)(3) (Alt II) (Dec 2007), or DFARS 252.227-7013(a)(14) (Feb 2014), as applicable.

j. Governing Law. This Agreement and any action related to it will be governed by the laws of the Province of British Columbia and the federal laws of Canada. Any disputes will be brought and resolved in the provincial and federal courts in Victoria, British Columbia, which exercise exclusive jurisdiction over claims arising out of or related to this Agreement. However, HYAS may initiate legal action to collect unpaid fees or protect its Intellectual Property Rights in any jurisdiction. If a Party initiates any proceeding regarding this Agreement, the prevailing Party to such proceeding is entitled to reasonable attorneys’ fees and costs for claims arising out of this Agreement. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.

k. Reservation of Rights. HYAS reserves all rights not expressly granted to User under this Agreement.

l. Entire Agreement. This Agreement constitutes the entire agreement between the Parties and supersedes all prior agreements, proposals, and representations, whether written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement is effective unless in writing and signed by each Party.

m. Counterparts. This Agreement may be executed and exchanged electronically in counterparts, each of which is deemed an original, but all of which together are deemed a single instrument.

***

Schedule A
Independent Controller Data Processing Agreement

Because the Agreement may require both HYAS and User to Process HYAS Data, this Data Processing Agreement sets out additional terms, requirements, and conditions to Process such data when applicable. This DPA, which includes and incorporates the Controller to Controller Standard Contractual Clauses and annexes (the “Clauses”), is entered into by and between HYAS and User and is made effective as of the Effective Date. 

1. Purpose. The purpose of this DPA is to ensure compliance with the GDPR’s Personal Data transfer requirements, including the Clauses approved by the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (currently available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1688587744942).

2. Independent Controller. Each Party acknowledges and confirms that it: (a) is an independent controller and not a joint controller; (b) shall comply with applicable data privacy laws and the terms of this DPA in connection with its processing of Personal Data; (c) is lawfully entitled to Process Personal Data; (d) will only give lawful instructions to any processors or sub-processors; (e) will be responsible for determining the legal basis(es) of its own Processing activities; and (f) will provide the other Party with reasonable assistance, information, and cooperation as such Party may reasonably request to ensure compliance with its respective obligations under data privacy laws. 

3. Third-Party Communications. If User receives a third-party inquiry, complaint, or request related to HYAS Data, User will direct such communications to HYAS so that HYAS may respond. User agrees to work with HYAS in good faith on the response.

4. User Personnel. User will ensure that all User Personnel access will be pursuant to the principles of role-based access and least privilege. 

5. Processing Restrictions. User may Process HYAS Data only for the Purpose; no other Processing purposes are permitted.

6. Personal Data Breach. User will immediately notify HYAS when it becomes aware of or reasonably suspects that (a) an act or omission could compromise the security, confidentiality, or integrity of HYAS Data or the physical, technical, administrative, or organizational safeguards put in place to protect it, whether or not the incident rises to the level of a breach under data privacy laws (each, a “Personal Data Breach”); or (b) any unauthorized or unlawful Processing of HYAS Data. 

7. Remediation. User will coordinate with HYAS to investigate any Personal Data Breach, including: (a) conducting interviews with User’s employees and others involved in the matter; and (b) making available all relevant records, logs, files, data reporting, and other materials required to comply with data privacy laws or as reasonably requested by HYAS. User will not inform any third party of a Personal Data Breach without first obtaining HYAS’s prior written consent, except when applicable law requires it. Each Party will work with the other Party to make any required notifications to the applicable regulatory authorities and affected Data Subjects in accordance with applicable laws.

8. Amendments. The Parties will in good faith negotiate and execute revisions to this DPA as may become necessary to address changes to applicable law.

9. Survival. Any provision contained in this DPA that, in order to give proper effect to its intent, should survive the DPA’s expiration or termination, will survive the DPA’s expiration or termination.

10. Breach Liability. Each Party shall be liable for any losses, liabilities, damages, fines, penalties, sanctions, compensation, settlements, costs (including legal fees), interest, and expenses incurred by or awarded against it, or agreed to be paid by it, as a result of its own breach of this DPA or violation of applicable data privacy laws. 

11. Data Protection. The Parties must implement and maintain appropriate technical and organizational measures to ensure a reasonable level of security of Personal Data. In assessing the appropriate level of security, the Parties must account for the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing of Personal Data, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing of Personal Data in the context of the Agreement.

12. Conflict; Order of Precedence. To the extent of any conflict between the provisions of this DPA and the Agreement, this DPA shall prevail in respect to its subject matter.

***

Annex I
Description of Processing

1. List of Parties

| | Data Exporter | Data Importer |
|---|---|---|
| Name | HYAS Infosec Inc. | User |
| Address | 408-55 Water Street, Vancouver, BC, CA V6B 1A1 | As set out in this Agreement |
| Contact Details | privacy@hyas.com | Contact details for Data Importer are specified in the Agreement or Order. |
| Activities relevant to the data transferred under these Clauses | HYAS grants Data Importer a limited license to HYAS Data via the Products. | Data Importer uses HYAS Data and the Products solely for the Purpose. |
| Signature and date | The Parties' execution of this Agreement will constitute execution of the Clauses by both Parties on the Effective Date. | The Parties' execution of this Agreement will constitute execution of the Clauses by both Parties on the Effective Date. |
| Role | Controller | Controller |

2. Description of Transfer

Nature of Processing: HYAS Data is made accessible to Data Importer solely for the Purpose.

Purpose of Processing: As provided in this Agreement.

Duration of the Processing: For the duration of the Data Importer’s use of the Products and as otherwise permitted by applicable law.

Categories of Personal Data: Names, online identifiers, unique personal identifiers, IP addresses, telephone numbers, email addresses, internet and electronic network activity, time and date information, domain name information, and location data (precise and relative).

Categories of Data Subject: Individuals whose data are collected by HYAS.

Sensitive data transferred: None.

Frequency of the transfer: HYAS Data is transferred on an as-needed basis (per query).

Retention period: For the duration of the Data Importer’s use of the Products and as otherwise permitted by applicable law.

3. Competent Supervisory Authority. The Irish Supervisory Authority - The Data Protection Commission shall act as the competent supervisory authority.

***

Annex II
Minimum Security Measures

Each Party will: 

1. implement a written security policy which its personnel are aware of and comply with;

2. provide its personnel with training to ensure ongoing capabilities to carry out the security measures established in the written information security policy;

3. use reasonable measures to prevent unauthorized access to Personal Data through the use of appropriate physical and logical entry controls, and securing areas for data Processing; 

4. build in system and audit trails; 

5. use secure passwords and state-of-the-art network intrusion detection technology, encryption and authentication technology, secure logon procedures, and virus protection; 

6. employ regularly updated controls that detect and prevent harmful or malicious code, files, scripts, agents, or programs from being executed on any system; 

7. account for all the risks that are presented by Processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, Processing, access or disclosure of Personal Data; 

8. ensure encryption of Personal Data at rest and in transit;

9. maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; 

10. maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical, technical, or security incident, including a Personal Data Breach; 

11. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of Personal Data Processing; 

12. implement controls to reduce the risk associated when outsourcing services, including but not limited to: specifying security and confidentiality requirements; restricting subcontractor access to only those areas of the system(s) that are necessary to perform the outsourced service(s); generating event logs on systems and networks that have been accessed; and analyzing the event logs; and

13. have in place formal processes and procedures to support the secure creation, amendment and deletion of user accounts, and perform regular reviews of use