<h1><em style="font-size: 16px;">Effective April 8, 2022</em></h1>
<div class="col-md-12 col-sm-12">
<em>Prior version is <a href="/terms-of-service/">here</a>.</em>
Welcome to Conversica. We offer online conversational AI virtual assistant Services to help organizations grow revenue at all stages of the customer journey. Our Services are offered under these Terms of Service (“Agreement”).
BY INDICATING YOUR ACCEPTANCE OF THIS AGREEMENT OR ACCESSING OR USING THE SERVICES, YOU ARE AGREEING TO BE BOUND BY ALL TERMS, CONDITIONS AND NOTICES CONTAINED OR REFERENCED IN THIS AGREEMENT. IF YOU DO NOT AGREE TO THIS AGREEMENT, PLEASE DO NOT USE THE SERVICES. FOR CLARITY, EACH PARTY EXPRESSLY AGREES THAT THIS AGREEMENT IS LEGALLY BINDING UPON IT.
This Agreement is entered into by and between Conversica, Inc., a Delaware corporation (“Conversica” or “we”), and the organization placing an order for the Services (“Customer”, “you”, and “your”) or whose Authorized User is accessing the Services. This Agreement consists of the terms and conditions set forth below, any appendices identified below and any Conversica ordering documents, online registration, order descriptions or order confirmations referencing this Agreement (each an “Order”). If you are accessing or using the Services on behalf of your organization, you represent that you are authorized to accept this Agreement on behalf of your organization, and all references to “you”, “your”, or “Customer” reference your organization.
The “Effective Date” of this Agreement is the earlier of (a) the date of Customer’s initial access to the Services (as defined below) through any online provisioning, registration, or order process or (b) the effective date of the first Order referencing this Agreement. This Agreement will govern Customer’s initial purchase on the Effective Date as well as any future purchases made by Customer that reference this Agreement.
If you have signed a separate written agreement with Conversica that is explicitly incorporated into an Order as the governing agreement, this Agreement will not apply to you.
<strong>“Affiliate”</strong> means a legal entity that directly or indirectly controls, is controlled by, or is under joint control with another legal entity (and for this purpose, a legal entity is deemed to control another legal entity if it owns, directly or indirectly, at least 50 percent of the capital of the other company); <strong>“Authorized User”</strong> means an individual who is authorized by Customer to access and use a Service through Customer’s account; <strong>“Beta Services”</strong> means Conversica services or functionality that may be made available to Customer to try at its option at no additional charge which is clearly designated as beta, pilot, limited release, or by a similar description; <strong>“Customer Data”</strong> means all electronic data submitted to the Services by Customer (or by a third party on behalf of or for the benefit of Customer) regarding Customer’s customers, prospective customers, and visitors to Customer’s website(s); <strong>“Documentation”</strong> means the technical documentation which is made available by Conversica to Customer and describes the operation and functionality of the Services and applicable security controls; <strong>“Personal Data”</strong> means Customer Data that identifies or relates to an identified or identifiable natural person; <strong>“Sensitive Personal Data”</strong> means Personal Data subject to specialized security regimes, including without limitation data subject to the Payment Card Industry Data Security Standards, financial account numbers, “Protected Health Information” as defined in HIPAA, social security numbers, and the Personal Data of children under 13; <strong>“Services”</strong> means Subscription Services and any related professional services ordered by Customer; <strong>“Subscription Services”</strong> means Conversica’s proprietary, conversational AI virtual assistant service(s) specified in an Order, including access to related Conversica platform dashboard(s) and APIs, 
as well as the technical support described in this Agreement and Orders.
<h3>2. CONVERSICA RESPONSIBILITIES</h3>
2.1 <u>Provision of Services</u>. Conversica will (a) make the Services available to Customer subject to this Agreement, including the attached Service Level Addendum, and the applicable Orders and Documentation, (b) provide standard technical support for the purchased Subscription Services to Customer at no additional charge, and/or upgraded support if purchased, as described in the attached Service Level Addendum, (c) provide the Services in accordance with laws and government regulations applicable to Conversica’s provision of its Services to its customers generally (i.e., without regard for Customer’s particular use of the Services), and (d) be responsible for the performance of its personnel (including its employees and contractors) and their compliance with Conversica’s obligations under this Agreement.
2.2 <u>Protection of Customer Data</u>. Conversica has implemented and will maintain technical and organizational measures designed to protect the Subscription Services and Customer Data from unauthorized access, destruction, use, modification, or disclosure at a level not materially less protective than as described in the Documentation. Customer may access, retrieve, and export Customer Data from the Conversica platform during the Subscription Term, using the Subscription Services features and functionality, at no additional charge. See the “Term and Termination” section for information regarding Customer account and Customer Data deletion following termination of this Agreement or the last Order. If you are a paying Customer, the attached Data Processing Addendum (“DPA”) will apply.
<h3>3. USE OF SERVICES</h3>
3.1 <u>Subscriptions</u>. Unless otherwise provided in the applicable Order, (a) Services are purchased as subscriptions for their access and use by Authorized Users for the term stated in the applicable Order (“Subscription Term”), (b) subscriptions for a Subscription Service may be added during a Subscription Term at the same pricing as the underlying subscription pricing for that Subscription Service, prorated for the portion of that Subscription Term remaining at the time the subscriptions are added, and (c) any added subscriptions will terminate on the same date as the underlying subscriptions. (Professional service packages related to the Services, if ordered, will be described in the Order.) By entering into an Order, a Customer Affiliate agrees to be bound by this Agreement as if it were the Customer hereto. Any Order between a Customer Affiliate and Conversica will be a separate agreement for which the Customer Affiliate (and not Customer) will be fully liable. Customer agrees that its purchases are not contingent on any future functionality or features.
3.2 <u>Authorized Users</u>. Only Authorized Users may access or use the Services. Each Authorized User must keep its login credentials confidential and not share them with anyone else. Customer is responsible for its Authorized Users’ compliance with this Agreement and actions taken through Customer accounts (excluding misuse of accounts directly caused by a Conversica breach of this Agreement). Customer will promptly notify Conversica if it becomes aware of any compromise of its Authorized User login credentials.
3.3 <u>Data Sources and Destinations</u>. Customer may use the Subscription Services to send Customer Data from its website(s), third party apps (such as a CRM app) or other data source to the Conversica platform so that the data may be used to initiate conversations with Customer prospects and end customers as determined by Customer. Customer may also send Customer Data from the Conversica platform to Customer’s website(s) or third-party apps for Customer’s further use. As further described below and in the Documentation, Customer determines the data sources and destinations with which it uses the Subscription Services, as well as the types and content of Customer Data it shares between such sources and destinations.
3.4 <u>Integrations with Third-Party Apps</u>. Third-party app integrations with the Subscription Services that are ordered by Customer will be specified on the Order. Customer will enable the Subscription Services to integrate with, and/or access, only those Customer systems or third-party applications (or apps) for which Customer has all necessary right and authority to do so. Customer is responsible for complying with the terms of any third-party apps with which Customer uses the Subscription Services. Customer will not provide Conversica with passwords or other credentials issued by third-party apps to Customer unless it is authorized to do so by the terms of such third-party applications. Conversica cannot guarantee the continued availability of integrations with third-party apps and may cease providing them without entitling Customer to any refund, credit, or other compensation, if for example and without limitation, the provider of a third-party app ceases to make it available for interoperation with the corresponding Subscription Service features in a manner acceptable to Conversica.
3.5 <u>Usage Limits</u>. Services are subject to usage limits specified in Orders and Documentation. If Customer exceeds a contractual usage limit, Conversica may work with Customer to seek to reduce Customer’s usage so that it conforms to that limit. If, notwithstanding Conversica’s efforts, Customer is unable or unwilling to abide by a contractual usage limit, Customer will execute an Order for additional quantities of the applicable Services promptly upon Conversica’s request, and/or pay any invoice for excess usage in accordance with the “Fees and Payment” section below.
3.6 <u>Service Trials</u>. If Conversica makes Subscription Services available to you for a limited trial period (“Service Trial”), you may use them during the trial period specified in the Order solely to determine whether to purchase them for a Subscription Term. If you do not choose to order a Subscription Service prior to completion of the Service Trial, then following the end of the Service Trial your access to the Subscription Services will be terminated and your Customer Data hosted by Conversica will be deleted. Service Trials may not include all features or functionality offered as part of paid-for Subscription Services, and Conversica reserves the right to add or subtract any features or functionality at any time for Service Trials. Conversica has the right to suspend or terminate a Service Trial that is provided for free at any time for any reason.
3.7 <u>Free and Beta Services</u>. This Section applies to Conversica’s Free plans and any other free, trial, alpha or beta access to the Services or Service features (“Free & Beta Services”). Free plans are subject to usage limits, including limits listed in the Documentation. Any other Free & Beta Services are provided solely for Customer’s internal evaluation during the period designated by Conversica (or if not designated, 30 days) and may be subject to additional terms agreed by the parties. Conversica will identify Free & Beta Services prior to Customer’s use. Free & Beta Services are optional to use and Conversica may suspend or terminate Free & Beta Services at any time for any reason. Free & Beta Services may be inoperable, incomplete or include features that Conversica may never release, and their features and performance information are Conversica’s Confidential Information. Notwithstanding anything else in this Agreement, Conversica’s aggregate liability for Free & Beta Services will not exceed US $100.
3.8 <u>Customer Responsibilities</u>. Customer shall (a) use the Services only in accordance with this Agreement and the Documentation, (b) be responsible for the accuracy, quality and legality of Customer Data submitted to Conversica (including obtaining all necessary consents for transfer and use of the Customer Data with the Services), the means by which Customer acquired Customer Data, and Customer’s use of Customer Data with the Services, (c) not use any Service to collect, manage, or process Sensitive Personal Data, and (d) collect and provide Customer Data to Conversica and/or the Services only through permitted, secure delivery methods as specified in Orders or Documentation. Use of the Services in breach of the foregoing by Customer or Authorized Users that in Conversica’s judgment threatens the security, integrity, or availability of Conversica’s services, may result in Conversica’s immediate suspension of the Services. However, Conversica will use commercially reasonable efforts under the circumstances to provide Customer with notice and an opportunity to remedy such violation or threat prior to any such suspension.
3.9 <u>Usage Restrictions</u>. Customer will not (a) copy, modify, or attempt to interfere with the operation or functionality of the Services, (b) reverse engineer, decompile or attempt to derive the source code for the Services (except as permitted by law and then only with prior notice to Conversica), (c) sell, resell, sublicense, distribute, rent, lease or share the Services with or for the benefit of any third party (unless expressly authorized in the applicable Orders), (d) attempt to probe, scan, penetrate, breach or test the vulnerability of the Services or disable or circumvent the Services’ security or authentication measures, (e) access the Services for the purpose of building a competitive product or service, (f) use a Service to send unsolicited messages or store or transmit infringing, libelous, or otherwise unlawful, or tortious content or data, (g) store or transmit data on or through a Service in violation of law or third-party rights, (h) remove or obscure any proprietary notices in the Services, or (i) publish benchmarks or performance information about the Services.
<h3>4. FEES AND PAYMENT</h3>
4.1 <u>Payment</u>. Customer will pay all fees specified in the applicable Order (the “Fees”). All amounts payable are denominated and payable in United States Dollars. Unless otherwise specified in the applicable Order, Fees will be billed/charged commencing on the Subscription Term start date identified in each Order and are payable in advance. Customer will pay Fees using the payment method specified in the Order. (If an Order provides for payment by credit card, Customer will provide Conversica or its designated credit card processor with valid and updated credit card information. If Customer provides credit card information to Conversica, Customer authorizes Conversica to charge such credit card for all Services listed in the Order for the initial Subscription Term and any renewal Subscription Term(s) as set forth in the Order. Such charges shall be made in advance, either annually or in accordance with any different billing frequency stated in the applicable Order.) Customer is responsible for providing complete and accurate billing and contact information to Conversica and notifying Conversica of any changes to such information. If invoice payment method is selected in the Order, Fees are due thirty (30) days from Customer’s receipt of invoice. All payment obligations are non-cancelable, and Fees paid are non-refundable (except as explicitly stated otherwise herein), and quantities purchased cannot be decreased during the relevant Subscription Term. Fees related to usage are based on Conversica systems data which are determinative for all purposes hereunder. If Customer has a good faith dispute regarding Fees invoiced, Customer must give Conversica notice of the basis for such dispute within 30 days after the applicable invoice date and such disputed Fees will be due within 30 days after resolution of the dispute. 
A late payment charge equal to the lesser of (i) 1% per month, or (ii) the maximum rate permitted by law shall apply to all amounts due and not received by Conversica (nor disputed in accordance with this paragraph) by the due date.
4.2 <u>Taxes</u>. Fees do not include any taxes, levies, duties, or similar governmental assessments, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction (“Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Conversica has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, Conversica will invoice Customer and Customer will pay that amount unless Customer provides Conversica with a valid tax exemption certificate authorized by the appropriate taxing authority. For clarity, Conversica is solely responsible for taxes assessable against it based on its income, property, and employees.
4.3 <u>Travel Expenses</u>. Customer will reimburse Conversica for reasonable travel expenses, if any, directly related to providing any Services under this Agreement only if Customer approves the travel in advance by email and Conversica follows any travel policy which Customer provides to Conversica prior to such travel. Any approved travel expenses may be invoiced separately with supporting detail and shall be paid within 30 days of receipt.
<h3>5. TERM AND TERMINATION</h3>
5.1 <u>Term of Agreement</u>. The term of this Agreement (“Term”) commences on the Effective Date and continues until the Subscription Terms for all Orders hereunder have expired or have been terminated.
5.2 <u>Subscription Term and Renewals</u>. Your initial Subscription Term will be as specified in the applicable Order. Except as otherwise specified in your Order or unless your Order is terminated in accordance with the Agreement, immediately upon the expiration of each Subscription Term, your Order will automatically renew for a Subscription Term of the same duration unless either party provides the other party with written notice of non-renewal at least sixty (60) days prior to the expiration of the then-current Subscription Term. All renewals are subject to the applicable Services continuing to be offered and will be charged at the then-current rates.
5.3 <u>Termination</u>. A party may terminate this Agreement for cause (a) upon 30 days written notice to the other party of a material breach if such breach remains uncured at the expiration of such period, or (b) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.
5.4 <u>Effect of Termination</u>. Upon termination of this Agreement or the most recent Order, without prejudice to any other rights or remedies which the parties may have (a) all rights to use the Services will terminate; (b) Customer will pay to Conversica all outstanding Fees that have accrued hereunder prior to the date of termination; and (c) each Party will return the other Party’s Confidential Information or delete it and confirm such deletion upon request. If this Agreement or Orders are terminated by Customer pursuant to the “Termination” section above, Conversica will refund Customer any prepaid fees covering the remainder of the term of all Orders after the effective date of termination. If this Agreement is terminated by Conversica in accordance with the “Termination” section above, Customer will pay any unpaid fees covering the remainder of the Subscription Terms of all Orders to the extent permitted by applicable law. In no event will termination relieve Customer of its obligation to pay any fees payable to Conversica for the period prior to the effective date of termination.
5.5 <u>Account and Data Deletion Following Termination</u>. Unless the parties agree in writing otherwise, within 30 days of termination of this Agreement or all Orders, Conversica will terminate access to Customer Data and begin logical deletion of Customer Data followed by overwriting or cryptographic erasure, except that this requirement shall not apply to the extent Conversica is required by applicable law to retain Customer Data. This deletion, including the deletion of Customer Data on backup systems, will be completed as soon as practicable in accordance with the deletion schedules of Conversica’s underlying cloud services provider and the Customer Data will remain encrypted until it is unrecoverable. When media that hosted Customer Data is no longer useful, it will be destroyed in compliance with NIST SP 800-88 Revision 1 Guidelines for Media Sanitization.
5.6 <u>Survival</u>. All provisions of this Agreement that must survive the termination of this Agreement to fulfill their essential purpose, including payment, indemnification, and data protection provisions, will survive.
<h3>6. PROPRIETARY RIGHTS AND LICENSES</h3>
6.1 <u>Customer</u>. As between the parties, you exclusively own and reserve all right, title, and interest in and to, your Confidential Information, and Customer Data, subject to Conversica’s rights to process Customer Data in accordance with this Agreement. You grant Conversica the right to process Customer Data as necessary to provide the Services in a manner consistent with this Agreement.
6.2 <u>Conversica</u>. As between the parties, Conversica owns and reserves all right, title, and interest in and to the Services, the Documentation, and our Confidential Information. Conversica may collect and use data regarding the use and performance of the Services in aggregated form, without use of any Personal Data, to analyze and improve the Services and optimize company operations. Any comments or suggestions you provide to us about the Services (“Feedback”) will be non-confidential and provided “as is” and we own all rights to use and incorporate Feedback into the Services, without payment or attribution to you.
“Confidential Information (or CI)” means all information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Customer’s CI includes Customer Data. Conversica’s CI includes its pricing. The CI of each party includes technology and technical information, product plans, and designs, and business processes disclosed by such party. However, CI does not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party. The Receiving Party will use the same degree of care it uses to protect its own CI of like kind to limit access to the Disclosing Party’s CI to those of its and its Affiliates’ employees and contractors and subcontractors who need that access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party that are not materially less protective than those herein or otherwise have a legal obligation to keep such information confidential. Neither party will disclose the terms of this Agreement or any Order to any third party other than its Affiliates, legal counsel, and accountants without the other party’s prior written consent, provided that such Disclosing Party remains responsible for its Affiliates, legal counsel, and accountants’ compliance with this section. 
The Receiving Party may disclose CI of the Disclosing Party to the extent compelled by law, provided the Receiving Party gives the Disclosing Party prior notice (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. Notwithstanding anything to the contrary herein, during the Subscription Term, Conversica may use Customer’s name and logo on the Conversica website and in marketing materials to identify Customer as a Conversica customer, provided Conversica follows Customer’s usage guidelines.
<h3>8. WARRANTIES AND DISCLAIMERS</h3>
8.1 <u>Both Parties</u>. Each party warrants to the other that it has full power and authority to enter into this Agreement and that it is binding upon such party and enforceable in accordance with its terms.
8.2 <u>Customer</u>. Customer warrants that it has the necessary legal rights, express consents, and authority from each of the individuals whose email addresses, telephone numbers and/or other Personal Data is submitted to the Services by or on behalf of the Customer sufficient to disclose such Personal Data to Conversica, to provide access to Conversica so that the Services may contact and interact with such individuals, and to use such Personal Data in accordance with this Agreement. Customer further warrants that it has not been subject to or settled a third-party suit or government claim relating to sending electronic communications in violation of law.
8.3 <u>Conversica</u>. Conversica warrants that during the Subscription Term (a) the Services when used in accordance with this Agreement, the Orders, and Documentation will perform materially as described in this Agreement, the Orders, and the Documentation, (b) Conversica will not materially decrease the overall security of the Services, and (c) subject to the “Integration with Third Party Apps” section above, Conversica will not materially decrease the overall functionality of the Services. For any breach of a warranty above, Customer’s exclusive remedies are those described in the “Termination” and “Refund or Payment upon Termination” sections above.
8.4. <u>Disclaimers</u>. EXCEPT AS EXPRESSLY STATED HEREIN, THE SERVICES ARE PROVIDED “AS IS” AND NEITHER PARTY MAKES ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. SERVICES PROVIDED FREE OF CHARGE AND BETA SERVICES ARE PROVIDED “AS IS” AND AS AVAILABLE EXCLUSIVE OF ANY WARRANTY WHATSOEVER.
<h3>9. MUTUAL INDEMNIFICATION</h3>
9.1. <u>Indemnification by Conversica</u>. Subject to Section 9.3, Conversica shall indemnify, defend, and hold harmless Customer and its Affiliates and each of their respective employees, officers, directors, contractors,
shareholders, agents and assigns (each a “Customer Entity”) from and against any and all damages, losses, costs (including reasonable attorneys’ fees), or other expenses arising from third party claims, actions, suits or proceedings against Customer alleging that any purchased Service when used by Customer and its Authorized Users as permitted in this Agreement infringes or misappropriates an intellectual property right (a “Claim Against Customer Entity”). If the Services become, or in Conversica’s opinion are likely to become the subject of an infringement claim, Conversica may at its option and expense (i) modify the Services so that they are no longer claimed to infringe or misappropriate an intellectual property right, without breaching any Conversica warranty stated in this Agreement, (ii) obtain a license for Customer’s continued use of that Service in accordance with this Agreement, or (iii) terminate Customer’s Order(s) for that Service upon 30 days’ written notice and refund Customer any prepaid fees covering the remainder of the term of the terminated Order(s). The above defense and indemnification obligations do not apply if (a) the allegation does not state with specificity that the Services are the basis of the Claim Against any Customer Entity; (b) a Claim Against Customer Entity arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by Conversica, if the Services or use thereof would not infringe without such combination; or (c) a Claim Against Customer Entity arises from Customer’s breach of this Agreement or applicable Orders.
9.2. <u>Indemnification by Customer</u>. Subject to Section 9.3, Customer shall indemnify, defend, and hold harmless Conversica and its Affiliates and each of their respective employees, officers, directors, contractors, shareholders, agents, and assigns (each a “Conversica Entity”) from and against any and all damages, losses, costs (including reasonable attorneys’ fees), or other expenses arising from third party claims, actions, suits or proceedings against any Conversica Entity (i) alleging Customer’s use of the Services in an unlawful manner or in violation of the Agreement, the Documentation, or an Order, or (ii) in connection with Customer Data when used by Conversica as permitted hereunder.
9.3 <u>Indemnification Procedure</u>. The party seeking indemnity (“Indemnified Party”) will give the party from whom indemnity is sought (“Indemnifying Party”) timely written notice of the claim for which indemnity is sought and control of the disposition thereof; provided, that failure to give timely notice will not relieve the Indemnifying Party of its obligations except to the extent that such untimely notice materially impairs the Indemnifying Party’s ability to defend such claim. The Indemnified Party will cooperate with the Indemnifying Party’s reasonable requests (at the Indemnifying Party’s expense) in connection with the defense and settlement of such claim. Neither party will settle any claim for which indemnity is sought unless: (i) such settlement includes an unconditional release of the other party from all liability on the claim, or (ii) the other party gives its prior written consent, not to be unreasonably withheld or delayed.
9.4 <u>Exclusive Remedy</u>. This “Mutual Indemnification” section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any third-party claim described in this section.
<h3>10. LIMITATION OF LIABILITY</h3>
EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS, A PARTY’S VIOLATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, AND CUSTOMER’S PAYMENT OBLIGATIONS, EACH PARTY’S AGGREGATE LIABILITY WILL BE LIMITED TO THE TOTAL AMOUNTS PAID OR PAYABLE BY CUSTOMER TO CONVERSICA IN THE TWELVE MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, GOODWILL, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO EITHER PARTY’S LIABILITY ARISING FROM ITS NEGLIGENCE OR WILLFUL MISCONDUCT THAT RESULTS IN BODILY INJURY, DEATH, OR DAMAGE TO TANGIBLE PROPERTY OR TO THE EXTENT PROHIBITED BY LAW.
Conversica may modify this Agreement from time to time with notice to Customer. Modifications take effect at Customer’s next Subscription Term or Order unless Conversica indicates an earlier effective date. If Conversica requires modifications with an earlier effective date and Customer objects, then at Conversica’s option, either (a) modifications become effective on Customer’s next Subscription Term or Order or (b) Customer may terminate this Agreement with notice to Conversica, in which case Conversica will provide Customer a refund of any pre-paid Services fees for the terminated portion of the current Subscription Term (as its exclusive remedy). To exercise this right, Customer must notify Conversica of its objections within 30 days after Conversica’s notice of the modified Agreement. Once the modified Agreement takes effect Customer’s continued use of the Services constitutes its acceptance of the modifications. Conversica may require Customer to click to accept the modified Agreement.
12.1 <u>Amendment, Waiver, and Remedies</u>. This Agreement may be modified or amended only in writing signed by the parties. The failure of either party to enforce any provision of this Agreement will not constitute a waiver of such party’s rights to subsequently enforce the provision, and a waiver of breach shall not be a waiver of any other or subsequent breach. A party’s remedies specified in this Agreement are in addition to any other remedies that may be available at law or in equity.
12.2 <u>Insurance</u>. During the term of this Agreement and for three years thereafter Conversica will maintain the following insurance coverages: adequate automobile and workers’ compensation coverages, including such insurance coverage as may be required by law; no less than $5,000,000 in Errors and Omissions and Cyber Liability coverage; and no less than $5,000,000 in Comprehensive General Liability coverage. Upon request, Conversica will provide Customer with a certificate of insurance stating its insurance coverage.
12.3 <u>Notice</u>. All notices under this Agreement must be delivered in writing, in person, by overnight courier, or by certified or registered mail (postage prepaid and return receipt requested) to the other party at its address stated at the beginning of this Agreement and to the person signing this Agreement on behalf of such party (with a copy addressed to its legal department), except Conversica may provide electronic notices of breach by non-payment by email to Customer’s business contact and billing contact email addresses provided on the relevant Order(s). Notices will be deemed effective upon receipt. Either Party may change the recipient or its address for notices by providing notice to the other Party as specified herein.
12.4 <u>Relationship of the Parties, Third-Party Beneficiaries, and Assignment</u>. The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. Each party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes. There are no third-party beneficiaries under this Agreement. Neither party may assign this Agreement without the other party’s prior written consent, except that either party without such consent may assign this Agreement to an Affiliate or any other entity in connection with a reorganization, merger, consolidation, acquisition, or other restructuring involving all or substantially all such party’s voting securities or assets. Non-permitted assignments are void.
12.5 <u>Export Control</u>. In its use of the Subscription Services, Customer agrees to comply with all export and import laws and regulations of the United States and other applicable jurisdictions. Without limiting the foregoing, (i) Customer represents and warrants that it is not listed on any U.S. government list of prohibited or restricted parties or located in (or a national of) a country that is subject to a U.S. government embargo or that has been designated by the U.S. government as a “terrorist supporting” country, (ii) Customer shall not (and shall not permit any of its Authorized Users to) access or use the Subscription Services in violation of any U.S. export embargo, prohibition or restriction, and (iii) Customer shall not submit to the Subscription Services any information that is controlled under the U.S. International Traffic in Arms Regulations.
12.6 <u>Governing Law and Venue</u>. This Agreement is deemed to have been made in and will be governed by and construed in accordance with the laws of the State of California without reference to its conflicts of law principles or to the United Nations Convention on the International Sale of Goods. All disputes arising out of or relating to this Agreement will be submitted to the exclusive jurisdiction of a court of competent jurisdiction located in San Mateo, California and each party irrevocably consents to such personal jurisdiction and waives all objections to this venue. If any legal action or other proceeding is brought for any breach of this Agreement, the prevailing party shall be entitled to recover its reasonable attorneys’ fees and other costs incurred in bringing such action or proceeding, in addition to any other relief to which such party may be entitled.
12.7 <u>Entire Agreement, Severability, and Order of Precedence</u>. This Agreement together with any attached addendums and documents incorporated by reference herein represents the entire agreement between the parties with respect to the matters set forth herein and supersedes any prior or contemporaneous agreements relating thereto. Titles and headings of sections of this Agreement are for convenience only and will not be used to limit the scope or intent of any Agreement provision. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be the: (1) applicable Order which incorporates this Agreement by reference, (2) Agreement, and (3) Documentation. Any different or additional terms of any related quote, purchase order, vendor registration or similar order document provided by Customer are hereby rejected and shall have no force or effect.
<h3>SERVICE LEVEL ADDENDUM</h3>
<b>1. Service Availability Commitment</b>
1.1 <u>Availability Commitment</u>. Conversica will use commercially reasonable efforts to make Conversica’s AI virtual assistants ordered by Customer available to engage with Customer’s prospective or current customers within Customer’s selected AI virtual assistant worktimes 97.50% of each calendar month as measured by Conversica’s systems (“Availability Commitment”).
1.2 <u>Exclusions</u>. The calculation of availability will exclude unavailability due to: (i) Customer’s use of the Services in a manner not authorized in the Agreement or Documentation, (ii) general Internet problems, force majeure events or other factors outside of the reasonable control of Conversica, (iii) Customer’s (or one of its vendors’) equipment, software, network connections, utilities, or other infrastructure, (iv) third party systems, acts or omissions or (v) scheduled maintenance.
1.3 <u>Scheduled Maintenance</u>. Scheduled maintenance is rare, and Conversica will notify Customer at least 72 hours prior to any scheduled maintenance and will use commercially reasonable efforts to minimize its impact on Services availability.
1.4 <u>Special Termination Right</u>. If Conversica fails to meet the Availability Commitment for an AI virtual assistant in two (2) consecutive months or in any three (3) of six (6) consecutive months, Customer may terminate the Order with regard to such AI virtual assistant upon written notice to Conversica and will receive as its sole remedy a refund of any fees Customer has pre-paid for use of such AI virtual assistant for the terminated portion of the Subscription Term of the applicable Order (“Special Termination Right”). Customer must exercise the Special Termination Right within thirty (30) days after the end of the month during which the Special Termination Right arose. The Special Termination Right is Customer’s sole and exclusive remedy, and Segment’s sole and exclusive liability, for any failure of Conversica to meet the Availability Commitment.
<b>2. Technical Support</b>
2.1 <u>Standard Support</u>. Conversica’s standard technical support is included for all Customer purchases with other plans we may offer designed as add-on modules. Under our standard technical support plan (“Standard Plan”), our technical support team responds to Authorized User issues and technical problems that prevent an Authorized User from using the Services in accordance with the Documentation. The following types of assistance are typically provided by our technical support team with Customer cooperating in the troubleshooting and resolution of issues: help in understanding Subscription Service features, clarifying Documentation, addressing performance issues, and supporting Conversica’s standard or custom integrations. The Standard Plan includes the following features:
<ul style=”margin-left: 20px; line-height: 30px;”>
<li>Access to Conversica Support Portal (my.conversica.com)</li>
<li>Access to Conversica Academy with training videos</li>
<li>Conversica Services platform availability and performance monitoring 24/7</li>
<li>New Service releases at Conversica’s discretion</li>
</ul>
2.2 <u>Support Hours and Means</u>.
<ul style=”margin-left: 20px; line-height: 30px;”>
<li>Hours: Technical support is available Monday-Friday (except holidays) 6 AM-6 PM Pacific Time and from 9 AM-5 PM Pacific Time Saturday, Sunday, and holidays (the hours of operation referred to as “Support Hours”).</li>
<ul style=”margin-left: 20px; line-height: 30px;”>
<li>Via Conversica Support Portal (<a href=”http://www.my.conversica.com/”>www.my.conversica.com</a>).</li>
<li>Via phone at 888.633.7738 for ticket initiation. (Leave a message providing the name of your company, your email address, and a description of the issue, and a support ticket will be generated from your message.)</li>
<li>Via email at <a href=”mailto:[email protected]”>[email protected]</a>.</li>
</ul>
</ul>
2.3 <u>Technical Support Service Levels</u>. Conversica will use commercially reasonable efforts to initially respond to each support issue submitted to Conversica in accordance with initial response time target related to the issue’s priority level as shown below. The initial response time target is defined as the amount of time during Support Hours beginning when Conversica has received notice of a support request (submitted as described above) up to the time Conversica notifies Customer that it has started a support case to assist with the issue.
<table>
<tr><th style=”text-align: center;” colspan=”3″>Conversica Technical Support Service Levels</th></tr>
<tr><th>Issue Severity Category</th><th>Initial Response Time Target</th></tr>
<tr><td>Critical Severity: Services platform is unavailable or essential functionality is non-operational.</td><td>≤ 60 minutes</td></tr>
<tr><td>Medium Severity: A significant feature of the Services platform is not working correctly and is limiting full operation in a material respect, but the platform overall is operational.</td><td>≤ 4 Hours</td></tr>
<tr><td>Low Severity: A Low Severity issue is any issue pertaining to a non‐paying Customer and, for a paying Customer, any issue that does not fall into either a Critical or Medium Severity Level above, including general usage questions and Document clarification requests. There is no material impact on the quality, performance, or functionality of the Services.</td><td>≤ 24 Hours</td></tr>
</table>
<h2>DATA PROCESSING ADDENDUM</h2>
This DPA supplements the Agreement between Customer and Conversica, Inc. and applies to the processing of Personal Data in connection with the Services. This DPA shall remain in effect for the term of the Agreement and thereafter until Conversica destroys Personal Data. Capitalized terms, such as Personal Data, which are used but not defined in this DPA will have the meanings provided elsewhere in the Agreement.
1. <u>Definitions</u>. The terms “controller”, “data subject”, “processing”, and “processor” shall have the same meaning as in the GDPR or applicable Data Protection Laws; “CCPA” means the California Consumer Privacy Act of 2018; “Data Protection Laws” means applicable laws and regulations of the United States and its states, Canada and its provinces, the European Union and its Member States, member countries of the European Economic Area, Switzerland, or the United Kingdom, relating to the privacy, security or protection of Personal Data, including, without limitation the GDPR, the CCPA, and, of any other territory agreed in writing by the Parties in an Order; “EU Standard Contractual Clauses” means the contractual clauses (with Module Two applicable to data transfers from controller to processor) adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council; “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data; “Personal Data Incident” means known or reasonably suspected, unauthorized or unlawful access to or destruction, loss, alteration, or disclosure of Personal Data in the possession, custody or control of Conversica; “Restricted Transfer” means a transfer of Personal Data outside the European Economic Area, unless such transfer is to a country deemed by the European Union Commission to have an adequate level of protection by reason of its domestic law or of the international commitments it has entered into; “Sub-processor” means any entity appointed by or on behalf of Conversica to process Personal Data on behalf of Customer in connection with the Services; “UK Standard Contractual Clauses” means the EU Standard Contractual Clauses, if adopted by the United Kingdom, and prior to such adoption, the Standard Contractual Clauses for Controllers to Processors available on the UK ICO website.
2. <u>Processing of Personal Data</u>. With respect to the processing of Personal Data pursuant to this DPA, the Parties acknowledge and agree that Customer acts as a controller and Conversica acts as a processor. Conversica will comply with Data Protection Laws applicable to Conversica’s processing of Personal Data in the capacity of a processor of such data. To the extent permitted by law, Conversica will process Personal Data in accordance with Customer’s relevant documented instructions, which shall consist of the Agreement, this DPA and any Order executed by the Parties. Notwithstanding the foregoing, if other processing is required by law, Conversica shall, to the extent permitted by law, inform Customer of that legal requirement before such other processing of Personal Data. By entering into this DPA, Customer instructs Conversica to process Personal Data: (a) to provide, support and improve the Services, (b) as further specified via Customer’s use of the Services; (c) as documented in this DPA, the Agreement, and each Order executed by the Parties. In the event Conversica believes Customer’s instructions may infringe Data Protection Laws, Conversica will promptly inform Customer.
3. <u>CCPA</u>. Any capitalized term used in this paragraph and not previously defined in the Agreement or this DPA will have the meaning ascribed to it in the CCPA. With respect to the processing of Personal Data consisting of the Personal Information of Consumers, the Parties acknowledge and agree that Customer is a Business and Conversica is a Service Provider and that the Customer Personal Information that Customer discloses to Conversica is provided to Conversica for Customer’s Business Purpose(s). Conversica will not retain, use, share or disclose Personal Information for any purpose other than for the specific purpose of performing the Services, or as otherwise permitted by the CCPA. For the avoidance of doubt, Conversica may, as part of providing the Services, (1) deidentify or aggregate Personal Data and (2) process Personal Data for purposes of mitigating fraud, financial loss, or other harm, and analyzing and improving Conversica’s products, services, or systems.
4. <u>Conversica Personnel</u>. Conversica shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
5. <u>Sub-processing</u>. Customer hereby authorizes Conversica to appoint (and permit each Sub-processor to appoint) Sub-processors to process Personal Data in accordance with this Section 5. Customer agrees that Conversica may continue to use Sub-processors already engaged as of the Effective Date to process Personal Data. The list of Sub-processors is located at: https://www.conversica.com/sub-processor/list-of-subprocessors/. When any new Sub-processor is appointed, Conversica will provide notice via email to Customer or by updating the list of Sub-processors located at https://www.conversica.com/sub-processor/list-of-subprocessors/. Customer can subscribe to our RSS feed at the prior URL to be automatically notified of any changes in the list of sub-processors. If Customer objects to such appointment, Customer may terminate the Agreement solely as to those Services for which the new Sub-processor processes Personal Data, by sending written notice of termination to [email protected] within 30 days of Conversica sending or posting the notice of the new Sub-processor. If Customer does not terminate within this 30-day period, Customer will be deemed to have accepted the new Sub-processor. Any termination under this section shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement. In such event, Conversica will refund Customer any prepaid subscription fees for the terminated Services applicable to periods after the effective date of termination. This termination and refund right is Customer’s sole and exclusive remedy if Customer objects to any new Sub-processor. Conversica shall enter into a written agreement with each Sub-processor which imposes terms consistent with this DPA and that obligate the Sub-processor to comply with applicable Data Protection Laws with respect to the processing of Personal Data.
6. <u>Data Subject Requests</u>. Customer is responsible for handling any requests or complaints from data subjects with respect to their personal data processed by Conversica as part of Personal Data. Conversica will notify Customer promptly and in any event within ten (10) business days of receipt, unless prohibited by applicable law, if Conversica receives any data subject requests or complaints. The Service includes technical and organizational measures that have been designed, considering the nature of its processing, to assist Customer in fulfilling their obligations to respond to such requests or complaints. In addition, to the extent Customer, in its use of the Subscription Service, does not have the ability to address a data subject request, Conversica shall upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such data subject request, to the extent Conversica is legally permitted to do so and the response to such data subject request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Conversica’s provision of any extraordinary assistance required hereunder.
7. <u>Regulatory Investigations and Other Assistance</u>. At Customer’s request, Conversica will assist you in the event of an investigation by a competent regulator, including a data protection regulator or similar authority, if and to the extent that such investigation relates to the processing of Personal Data by Conversica. To the extent permitted by applicable law, Conversica may charge a reasonable fee for such requested assistance except where such investigation arises from a breach by Conversica of the Agreement, including this DPA. If, pursuant to Data Protection Laws, Customer is required to perform a data protection impact assessment or prior consultation with a Supervisory Authority, at Customer’s request, Conversica will provide its reasonable assistance and relevant. Any additional assistance shall be mutually agreed upon between the Parties and at the Customer’s sole expense.
8. <u>Information and Audits</u>. Upon Customer’s request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Conversica shall make available to Customer a copy of Conversica’s most recent, annual third-party SOC 2 Type 2 audit report or equivalent audit report and other Documentation relevant to the security and compliance of the Services. If Customer, after having reviewed such report and Documentation, reasonably deems that additional information is necessary to demonstrate Conversica’s compliance with this DPA and Data Protection Laws, Conversica shall reasonably assist and make available to Customer, upon a written request, information and/or documentation deemed necessary by Conversica to demonstrate Conversica’s compliance with this DPA and Data Protection Laws.
9. <u>Personal Data Incident Notification and Management</u>. If Conversica becomes aware of a Personal Data Incident, Conversica will (a) notify Customer without undue delay and use commercially reasonable efforts to do so within forty-eight (48) hours after Conversica discovers the Personal Data Incident, and (b) provide Customer with a detailed description of the Personal Data Incident and the personal data concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Conversica will take reasonable steps to mitigate the effects of the Personal Data Incident and to minimize any resulting damage. At Customer’s request, Conversica will provide reasonable assistance and cooperation with respect to any notifications that Customer is legally required to send to affected data subjects and/or regulators. Conversica’s notification of or response to a Personal Data Incident will not be construed as an acknowledgement by Conversica of any fault or liability with respect to the Personal Data Incident.
10. <u>Personal Data Protection and Deletion Following Termination</u>. See the Agreement section entitled “Account and Data Deletion Following Termination”.
11. <u>Restricted Transfers</u>. Subject to this Section 11, Conversica and its Sub-processors may process Personal Data in accordance with this DPA outside the country in which the Customer and data subjects are located to the extent permitted by Data Protection Laws. For any Restricted Transfer from the Customer to Conversica pursuant to this DPA, one of the following transfer mechanisms shall apply, in the following order of precedence:
<ol style=”margin-left: 20px; line-height: 30px;”>
<li>Conversica’s EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, when they are recognized by the EU and Switzerland, respectively, as adequate transfer mechanisms, provided Conversica has self-certified to adhere to these Frameworks;</li>
<li>the EU Standard Contractual Clauses and, in addition only with respect to transfers from the United Kingdom (“UK”) the UK Addendum; or</li>
<li>any other lawful basis permitted by Data Protection Laws.</li>
</ol>
Customer as “data exporter” and Conversica as “data importer” hereby enter into the EU Standard Contractual Clauses and UK Standard Contractual Clauses, including DPA Exhibit A attached hereto, all of which are incorporated herein by this reference and constitute a part of this DPA. These Standard Contractual Clauses will take effect only upon the occurrence of a Restricted Transfer.
12. <u>General Terms</u>. All notices to Conversica provided under this DPA must be in writing and sent to [email protected]. All clauses of the Agreement not explicitly amended or supplemented by this DPA remain in full force and effect and shall continue to apply to the Services. In the event of any conflict between the Agreement (including its annexes and appendices) and this DPA, the provisions of this DPA shall control. Conversica may amend the terms of this DPA, insofar as necessary to comply with the relevant requirements of Data Protection Laws, upon notice to Customer by email to the primary contact on the account. Any such amendments will automatically become effective within 10 days from Conversica’s transmission of each such notice. Should any provision of this DPA be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that reasonably matches the intent of the original provision and the remainder of the DPA will continue in effect. If Conversica decides that it can no longer meet its obligations in accordance with this DPA, it shall promptly notify the Customer of that determination, and cease the relevant processing activity or take other reasonable and appropriate steps to resolve the issue. This DPA shall be subject to the limitations of liability under the Agreement.
<h2>DPA EXHIBIT A</h2>
This DPA Exhibit A completes the template/blank sections of the EU Standard Contractual Clauses. (With regard to Personal Data transferred from the UK to Conversica, the EU Standard Contractual Clauses are hereby modified as indicated in the “UK Addendum to the EU Commission Standard Contractual Clauses” published by the UK ICO.) Capitalized terms used but not defined in this Exhibit A will have the meanings provided in the DPA or elsewhere in the Agreement.
<b>EU Standard Contractual Clauses: main body particulars:</b>
<u>Exporter contact details:</u> Customer contact details as set out in the Agreement.
<u>Importer contact details:</u> Conversica, Inc. contact details as set out in the Agreement.
<u>Governing Law (clauses 9 & 11):</u> The law of the country in which the data exporter’s EU representative is established/based (as appropriate) or, if none exists, Republic of Ireland.
<b>Annex 1 of the EU Standard Contractual Clauses:</b>
<u>Data Exporter:</u> Customer whose address and contact information is provided in the Order or Agreement and whose business is described on Customer’s website.
<u>Data Importer:</u> Conversica, Inc., a provider of online virtual assistant services, which are delivered as software as a service and process Personal Data pursuant to data exporter’s instructions as reflected in the Agreement. Conversica’s address is as provided in the Agreement.
<u>Categories of data subjects whose personal data is transferred:</u> Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of data subjects: Data exporter’s employees, contractors, representatives, agents, and other individuals whom data exporter permits to use the Services, as well as personal data relating to the data exporter’s customers and leads or prospective customers.
<u>Categories of personal data transferred:</u> Data exporter may submit personal data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following personal data: Personal Data, including first and last name, email address, phone number, physical address, purchase history, conversations, lead status.
<u>Sensitive data transferred (if applicable):</u> It is not anticipated that Customer will submit sensitive data to Conversica. For the sake of clarity sensitive data is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
<u>The frequency of the transfer:</u> Continuous.
<u>Nature of the processing:</u> Collection, receipt, recording, organization, structuring, storage, retrieval, consultation, copying for backup, use, transmission, dissemination or otherwise making available (including in the form of reports), alignment or combination, restriction, deletion, and destruction.
<u>Purpose(s) of the data transfer and further processing:</u> The performance of the Services pursuant to the Agreement, including deletion of the data pursuant to the Agreement.
<u>The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:</u> The period for which the personal data will be retained is stated in the Agreement.
<u>For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:</u> See identification of approved Sub-processors and descriptions at: https://www.conversica.com/sub-processor/list-of-subprocessors/. The Sub-processors processing will be as necessary to provide the Services and for the duration of the provision of the Subscription Services under the Agreement.
<u>Competent supervisory authority:</u> The competent supervisory authority is the one in the EU member state where Customer is established or, if Customer is not established in the EU, the competent supervisory authority where Customer’s representative appointed pursuant to GDPR Article 27 is established, or if none has been appointed, the Republic of Ireland.
<b>Annex 2 of the EU Standard Contractual Clauses:</b>
Data importer has implemented numerous technical and organizational measures, including those listed below, to ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. See <a href=”http://trust.conversica.com”>trust.conversica.com</a> for further information regarding Conversica’s security and data protection measures.
1. Annual SOC 2 Type 2 audits.
2. Certification of compliance with ISO 27001:2013.
3. Regular external penetration testing.
4. Regular application and platform vulnerability scans.
5. Incoming and outgoing customer data are transmitted via HTTPS API, SFTP, and SSH.
6. Customer data is encrypted at rest, during processing and in transit with secure encryption technologies, currently AES 256 and TLS 1.2 or above.
7. Network access is restricted and controlled through various mechanisms including, but not limited to, virtual private networks (VPNs), virtual private clouds (VPCs), multiple AWS Accounts, and security groups all of which require Multi-Factor Authentication (MFA).
8. Use of active perimeter protective measures such as perimeter and web application firewalls.
9. Regular monitoring and vulnerability scans on the host operating system, web application, and databases in the cloud environment using a variety of tools.
10. Active protection using cloud tools against Distributed Denial of Service (DDoS) attacks, Denial of Service (DOS), Distributed Reflective Denial of Service (DRDOS), Man-in-the-Middle (MITM) attacks, IP spoofing, port scanning, and packet sniffing.
11. Security and privacy training (including against social engineering attacks) is performed upon hire with refresh at least annually.
12. Production-level application changes are tested and reviewed, and oversight consists of both technical lead and peer review.
13. Static Application Security Testing (SAST) is regularly conducted. This can include gating application deployment against any findings.
14. Administrators and standard users are managed by a Role-Based Access Control (RBAC) model, and multi-factor authentication with appropriate approval workflows.
15. Background checks and managed onboarding and offboarding for company personnel and contractor access to systems with regular access reviews.
16. Industry-accepted configuration benchmarks, such as the Center for Internet Security (CIS) benchmarks and security approved and configured system baseline images.
17. Operational environment changes are prototyped, tested, and reviewed. Change oversight consists of both technical lead and a review against security and privacy requirements.
18. Where applicable, automated patch management is enabled on cloud native configurations. Non-automated patch management is overseen by security members and adheres to operational change management controls.
19. Logical controls are employed with industry accepted technologies to separate customer accounts, compute requirements and storage requirements.
<b>Annex 3 of the EU Standard Contractual Clauses:</b>
Data exporter authorizes data importer to use sub-processors pursuant to “Sub-processing” Section of the DPA.