SUBSCRIPTION AGREEMENT
This is a legally binding agreement. Please read these terms and conditions carefully. By clicking the
button on the Orbit Labs registration page to accept this agreement, you represent that you have the full
legal authority to enter this agreement on behalf of the party identified in the registration process, and
in that capacity you acknowledge such party’s agreement to be bound by the terms and conditions set
forth or referenced below and in the addenda hereto.
This agreement (the “Agreement”) for use of the Application (as defined below) is between Orbit
Labs, Inc., a Delaware corporation (“Orbit”), and the party (the “Customer”) indicated during the account
registration process (such process and the information provided during such process as amended from time
to time through Customer’s login to its account in the Application in accordance with this Agreement, the
“Registration”). This Agreement is effective upon Customer’s acceptance of it in the course of the
Registration (the “Effective Date”). The information entered by or on behalf of Customer during the
Registration is incorporated herein and made a part of this Agreement.
1. Certain Definitions.
(a) “Affiliate” means, as to a party, any other entity that directly or indirectly controls, is under
common control with, or is controlled by, such party; as used in this definition, “control” and its derivatives
mean possession, directly or indirectly, of power to direct the management or policies of an entity.
(b) “Application” means the online service offered by Orbit, known as Orbit Labs and
accessed at https://orbit.love, together with any associated software applications, database structures and
queries, interfaces, System Interfaces, tools, and the like, together with any and all revisions, modifications,
and updates thereof, as made available by Orbit to Customer pursuant to this Agreement.
(c) “Confidential Information” means any information of any type in any form that (i) is
disclosed to or observed or obtained by one party from the other party (or from a person the recipient knows
or reasonably should assume has an obligation of confidence to the other party) in the course of, or by virtue
of, this Agreement and (ii) either is designated as confidential or proprietary in writing at the time of such
disclosure or within a reasonable time thereafter (or, if disclosure is made orally or by observation, is
designated as confidential or proprietary orally by the person disclosing or allowing observation of the
information) or is of a nature that the recipient knew or reasonably should have known, under the
circumstances, would be regarded by the owner of the information as confidential or proprietary. Without
limiting any other provisions of this Agreement, and whether or not otherwise meeting the criteria described
herein, the Application, Customer Data, and the content of this Agreement (other than the fact of its
existence and the identities of the parties hereto) shall be deemed conclusively to be Confidential
Information. For purposes of this Agreement, however, the term “Confidential Information” specifically
shall not include any portion of the foregoing that (i) was in the recipient’s possession or knowledge at the
time of disclosure and that was not acquired directly or indirectly from the other party, (ii) was disclosed
to the recipient by a third party not having an obligation of confidence of the information to any person or
body of which the recipient knew or which, under the circumstances, the recipient reasonably should have
assumed to exist, or (iii) is or, other than by the act or omission of the recipient, becomes a part of the public
domain not under seal by a court of competent jurisdiction. A selection or combination of information will
not meet any of the foregoing exceptions solely because some or all of its individual component parts are
so excepted and will meet such exception(s) only if the selection or combination itself is so excepted. In
the event of any ambiguity as to whether information is Confidential Information, the foregoing shall be
interpreted strictly and there shall be a rebuttable presumption that such information is Confidential
Information.
Confidential
Page 1 of 35
(d) “Customer Data” means all data entered into the Application (i) by Customer Users or (ii)
by or on behalf of Customer pursuant to a conversion of data from another system or system interface with
another system, in each case as such data is maintained in the Application from time to time.
(e) “Customer User” means an employee or individual independent contractor of Customer
or of an Affiliate of Customer duly authorized by Customer to use the Application pursuant to Orbit’s then-
current procedure for such authorization. For the avoidance of doubt, the System Administrator is a
“Customer User.”
(f) “Documentation” means all documentation (whether printed or in an electronic retrieval
format) supplied or made available to Customer by Orbit for use with or in support of the Application or
its implementation, including without limitation any and all revisions, modifications, and updates thereof
as may be supplied or made available by Orbit to Customer during the term of this Agreement and all copies
thereof made by or on behalf of Customer.
(g) “Hosting Services” means the provision, administration, and maintenance of servers and
related equipment, the provision of bandwidth at the hosting facility, and the operation of the Application
for access and use by Customer Users pursuant to this Agreement.
(h) “Licensed Materials” means the Application and the Documentation.
(i) “Loss” means all losses, liabilities, damages, awards, settlements, claims, suits,
proceedings, costs and expenses (including reasonable legal fees and disbursements and costs of
investigation, litigation, expert witness fees, settlement, judgment, interest, and penalties).
(j) “Statement of Work” means an addendum to this Agreement duly executed by each party
that sets forth the requirements, pricing, and other respective responsibilities of the parties as to additional
services to be provided pursuant to this Agreement; provided, however, that the failure of a Statement of
Work to comply with the foregoing standards shall not, in itself, invalidate such Statement of Work.
(k) “System Administrator” means the individual identified as such in the Registration or
such substitute designated by Customer from time to time in accordance with Orbit’s then-current
procedures therefor.
(l) “System Interfaces” means a system interface for transfer of data between the Application
and another system utilizing an application programming interface (API) provided by Orbit to Customer.
(m) The word “including” means “including without limitation” unless otherwise expressly
provided in a given instance.
2. License to Customer. Subject to the terms and conditions of this Agreement and any
applicable Statement of Work, Orbit grants to Customer a non-exclusive, non-transferable, non-
sublicensable (except as otherwise provided herein) license during the term of this Agreement for a
Customer User to access and use the Application and relevant Documentation in accordance with the terms
of this Agreement solely for Customer’s internal business purposes. All rights with respect to the Licensed
Materials not explicitly granted herein are reserved to Orbit.
3. Services. Subject to the terms and conditions of this Agreement and any applicable Statement
of Work, and provided Customer is not in material breach of its obligations hereunder, Orbit shall provide
the following “Services” during the term of this Agreement:
(a) Hosting. Orbit shall provide the Hosting Services; provided, however, that the Hosting
Services may be interrupted and the Application unavailable for use for reasonable periods from time to
time for Orbit to perform scheduled or unscheduled system maintenance, for Orbit to address security
threats or security incidents, or due to the acts or omissions of third parties or Orbit.
(b) Support. Orbit shall provide to Customer Users reasonable consultation and assistance with
operational and technical support issues arising from use of the Application during Orbit’s then-current
normal business hours pursuant to requests for support services submitted by telephone or e-mail at such
numbers and e-mail addresses as Orbit shall provide to Customer from time to time.
(c) Maintenance and Error Correction. In response to a reported error, Orbit shall use
commercially reasonable efforts to correct the error or to provide a reasonable workaround sufficient to
alleviate any substantial adverse effect of the problem on the utility of the Application, provided that
Customer assists Orbit in its efforts by, for example, making available, as reasonably requested by Orbit,
information, documentation, access to personnel, and testing.
(d) Enhancements. From time to time at its discretion, Orbit may implement releases of the
Application that contain changes, updates, patches, fixes, enhancements to functionality, and/or additional
functionality. Orbit in its sole discretion will determine whether to include in the Application, as part of the
maintenance Services hereunder, features or functionality not originally specified for the Application, and
Orbit shall have no obligation to disclose or offer to Customer any such features or functionality.
(e) Supported Use and Environment. Orbit’s obligations pursuant to this Agreement are
conditioned upon access to and use of the Application by Customer Users in accordance with the
Documentation and use of devices, browsers and other information technology meeting the criteria set forth
in the Documentation, published on Orbit’s website, or otherwise provided or made available to Customer
by Orbit from time to time. Upon reasonable notice to Customer from time to time, Orbit may revise the
specifications described in this paragraph or implement new such specifications to address the evolution of
such technology.
4. Charges; Taxes. Amounts due hereunder shall be paid in the manner established during
Registration or as subsequently established by access to Customer’s Registration through a System
Administrator login to the Application. If applicable, Customer authorizes Orbit to charge or debit
automatically, using Customer’s provided payment method, all such amounts, including amounts due upon
renewal of this Agreement. Customer is responsible for providing complete and accurate billing and contact
information to Orbit. If Orbit offers Customer an option to be invoiced and Customer elects such option,
payment on each such invoice shall be due within 30 days from the date thereof or on such other terms as
may be set forth in the Registration. Customer shall pay when due (and Orbit at its discretion may collect
and pay on Customer’s behalf) all taxes, levies, or assessments based on or in any way measured by this
Agreement, the Licensed Materials, and the Services provided hereunder, excluding taxes based on Orbit’s
net income, but including sales and use taxes and personal property taxes, if any; provided, however, that
if Customer notifies Orbit in writing that Customer is exempt from paying applicable state, county, city, or
other local sales or use taxes and delivers to Orbit a copy of Customer’s tax exemption certificate or other
evidence satisfactory to Orbit demonstrating such exemption, Orbit shall not collect and pay such taxes on
Customer’s behalf except pursuant to an order from a court of competent jurisdiction or notice from such
taxing authority. If Customer has notified Orbit of such a tax exemption, Customer shall notify Orbit
promptly of any change in the status of such exemption.
5. Customer Responsibilities and Restrictions.
(a) Customer Connection to Application. Customer shall be responsible for selecting,
obtaining, and maintaining any equipment and ancillary services needed to access the Application, in each
case meeting any information technology environment criteria described in Section 3(e).
(b) System Administrator. Customer acknowledges and agrees that the System Administrator,
utilizing mechanisms provided therefor within the Application, will have the sole responsibility for
authenticating and provisioning access to the Application for other Customer Users and for disabling access
to the Application for Customer Users. Customer shall cause the System Administrator to perform such
authentication in accordance with generally-accepted information security standards and shall cause the
System Administrator to disable such access immediately upon the termination of employment or
engagement of any Customer User by Customer or its Affiliate or when a Customer User otherwise is no
longer eligible to use the Application pursuant to this Agreement. Customer shall notify Orbit immediately,
by telephone and in writing, to disable access to the Application for a System Administrator who is
terminated or otherwise is no longer eligible to use the Application pursuant to this Agreement.
(c) Account Passwords and Data Security. Customer shall maintain and cause to be maintained
the confidentiality of all user IDs and passwords of Customer Users, including implementing and enforcing
policies and procedures as reasonable and appropriate thereto, and Customer at all times shall maintain (and
shall cause any Affiliate having Customer Users to maintain) adequate technical, physical, and
administrative safeguards, including access controls and system security requirements and devices, to
ensure that access to the Application by or through Customer is limited to Customer Users. Customer shall
be solely responsible for all use or misuse of the user IDs of Customer Users, and except as otherwise
required by applicable law Orbit shall have no obligation to monitor for or report any use or attempted use
of the user IDs of Customer Users. All such user IDs and passwords are deemed to be Confidential
Information of both Customer and Orbit. Customer shall take reasonable steps to ensure that Customer
Users not share user IDs or passwords. Customer shall be responsible for maintaining the user ID and
resetting the password for the System Administrator if the person responsible for such account for Customer
is terminated or otherwise is no longer eligible to use the Application.
(d) Compliance with Laws. Customer represents, warrants, and covenants that it and its System
Administrator and Customer Users will only use the Services and Licensed Materials in a manner that
complies with all applicable laws, regulations, rules, and other authorities. Customer and its System
Administrator and Customer Users shall not use the Licensed Materials or the Services to collect, store,
receive, process, use, disclose, manipulate, track or distribute any information, including Customer Data,
or otherwise interact with any individual in violation of applicable laws, regulations, rules, and other
authorities.
(e) Prohibited Uses. Customer and the Customer Users shall not do, nor shall they authorize
any person to do, any of the following by or through the Licensed Materials or Services: (i) collect, store,
receive, process, use, disclose, manipulate, track, or distribute any content or data that is illegal or promotes
illegal acts, involves minors, encourages or incites violence or dangerous acts, or is discriminatory,
derogatory, hateful, abusive, racist, fraudulent, defamatory, libelous, obscene, pornographic, unlawful,
harassing, violent, or threatening; (ii) access, connect to, or retrieve data from any third-party system,
service, application, or site that does not permit such access, connection, or retrieval; (iii) threaten, harass,
bully, or encourage others to do so; (iv) promote or condone discrimination or violence against individuals
or groups based on race, ethnic origin, religion, disability, gender, age, nationality, veteran status, political
affiliation, or sexual orientation/gender identity; (v) gain or attempt to gain access to any software
applications, computer systems, or data not expressly authorized under this Agreement; (vi) violate any
applicable law, regulation, ordinance, or guideline; (vii) infringe the rights of any other person, including
intellectual property rights (for example, any patent, trademark, trade secret, copyright, or other proprietary
rights) or rights of publicity or privacy; (viii) impersonate any person or entity; (ix) act in a manner that is
discriminatory, derogatory, hateful, abusive, racist, fraudulent, defamatory, libelous, obscene, unlawful,
harassing, violent, or threatening; (x) collect, store, receive, process, use, disclose, manipulate, track or
distribute any computer viruses, worms, trojan horses, back door, trap door, time bombs, malware, or other
malicious code; (xi) hack the Licensed Materials or related systems or networks or otherwise attempt to
harvest, access, or collect information of other Orbit users or customers; (xii) generate fraudulent
impressions of or fraudulent clicks on ad(s) through any automated, deceptive, fraudulent or other invalid
means, including but not limited to through repeated manual clicks, the use of robots, agents or other
automated query tools and/or computer generated search requests, and/or the unauthorized use of other
search engine optimization services and/or software; (xiii) extract data from hate-related websites, websites
that promote violence, websites that include content prohibited by these terms, or illegal drug-related
websites; (xiv) process data on behalf of any third party, unless the third party is also subject to this
Agreement; (xv) engage in any action or practice that reflects poorly on Orbit or otherwise disparages or
devalues Orbit’s reputation or goodwill; (xvi) otherwise use the Licensed Materials, Customer Data, or any
other data associated with the foregoing for any purpose or in any manner not specifically authorized by
this Agreement; or (xvii) attempt to do or assist any party in attempting to do any of the foregoing.
(f) Other Restrictions. In addition to complying with the other terms, conditions and
restrictions set forth in this Agreement, Customer and the Customer Users shall not do, nor shall they
authorize any person to do, any of the following: (i) make any copies or prints, or otherwise reproduce or
print, any portion of the Licensed Materials, whether in printed or electronic format; (ii) distribute,
republish, download, display, post, or transmit any portion of the Licensed Materials; (iii) copy, create, re-
create, disassemble, reverse engineer, re-engineer, or decompile the Licensed Materials or otherwise
attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms
relevant to the Licensed Materials or any software, documentation or data related to the Licensed Materials;
(iv) modify, adapt, translate, or create derivative works from or based upon any part of the Licensed
Materials; (v) combine or merge any part of the Licensed Materials with or into any other software,
document, or work; (vi) refer to or otherwise use any part of the Licensed Materials as part of any effort to
develop a product or service having any functional attributes, visual expressions, or other features or
purposes similar to those provided by Orbit; (vii) remove, erase, or tamper with any copyright, logo, or
other proprietary or trademark notice printed or stamped on, affixed to, or encoded or recorded in the
Licensed Materials, or use a proxy, reverse proxy, or any other such mechanism that is intended to, or has
the effect of, obscuring any of the foregoing or confusing an individual as to Orbit’s rights in the foregoing;
(viii) fail to preserve all copyright and other proprietary notices in any copy of any portion of the Licensed
Materials made by or on behalf of Customer; (ix) sell, market, license, sublicense, distribute, rent, loan, or
otherwise grant to any third party any right to possess or utilize any portion of the Licensed Materials
without the express prior written consent of Orbit (which may be withheld by Orbit for any reason or
conditioned upon execution by such party of a confidentiality and non-use agreement and/or such
other covenants and warranties as Orbit in its sole discretion deems desirable); (x) diminish or infringe any
intellectual property rights in and to the Licensed Materials or impair or interfere with any copyright
protection mechanisms, copyright management information systems or digital identification devices
employed in association with the foregoing; (xi) “frame” or “mirror” any portion of the Licensed Materials;
(xii) use any robot, spider, other automatic device, or manual process, to “screen scrape,” monitor, “mine,”
or copy any portion of the Licensed Materials; (xiii) restrict or inhibit any other person from using the
Licensed Materials, including without limitation by means of “hacking” or defacing any portion thereof;
(xiv) use any device, software, methodology, or routine to interfere with or disrupt the Licensed Materials
or the servers or networks connected to the Licensed Materials by trespass or burdening network capacity;
(xv) use the Licensed Materials or Services in any manner that interferes with or disrupts the integrity or
performance of the foregoing or their components; (xvi) create fraudulent accounts; or (xvii) attempt to do
or assist any party in attempting to do any of the foregoing.
(g) Monitoring. Although Orbit has no obligation to monitor use of the Licensed Materials,
Orbit may do so and may prohibit any use of the Licensed Materials that Orbit believes may be (or is alleged
to be) in violation of applicable laws, regulations, or this Agreement.
(h) Disclaimer. Orbit shall not be liable to Customer for any Loss arising out of or relating to
Customer’s failure to comply with its obligations set forth in this Section 5.
6. Ownership.
(a) Customer Data. As between Orbit and Customer, Customer has and retains exclusive
ownership of all Customer Data and all intellectual property and proprietary rights therein. Orbit
acknowledges that the foregoing constitute valuable assets and may constitute trade secrets of Customer or
its licensors.
(b) Licensed Materials. As between Orbit and Customer, Orbit has and retains exclusive
ownership of the Licensed Materials and all intellectual property and proprietary rights therein. Customer
acknowledges that the foregoing constitute valuable assets and may constitute trade secrets of Orbit or its
licensors.
(c) Suggestions, Joint Efforts, and Statistical Information. Customer may suggest, and the
parties may discover or create jointly, findings, inventions, improvements, discoveries, or ideas that Orbit,
at its sole option, may incorporate in the Licensed Materials or in other products or services that may or
may not be made available to Customer. Any such finding, invention, improvement, discovery, or idea,
whether or not patentable, that is conceived or reduced to practice during the term of this Agreement,
whether by a party alone or by the parties jointly, arising from or related to this Agreement or the Licensed
Materials shall be and remain solely property of Orbit and may be used, sold, licensed, or otherwise
provided by Orbit to third parties, or published or otherwise publicly disclosed, in Orbit’s sole discretion
without notice, attribution, payment of royalties, or liability to Customer. Customer acknowledges and
agrees that Orbit has and retains exclusive and valid ownership of all anonymized statistical information
regarding Customer Users’ use of the Application. Customer hereby assigns to Orbit any and all right, title,
and interest in and to any such findings, inventions, improvements, discoveries, ideas, and statistical
information. Unless otherwise expressly agreed in writing, Customer shall not obtain any right, title, or
interest (other than the license expressly set forth herein) in or to anything created or developed by Orbit in
connection with or incident to this Agreement.
7. License to Use Customer Data. Customer grants to Orbit a non-exclusive, transferrable,
sublicensable, worldwide, royalty-free license to use and disclose Customer Data as necessary to perform
its obligations under this Agreement and for purposes of (i) monitoring, improving, and correcting the
performance of the Application, developing enhancements to the Application, developing new products,
and other internal business purposes; (ii) compiling statistical information (including without limitation
aggregating Customer Data with other data); (iii) aggregating Customer Data with other data; (iv) creating
de-identified versions of Customer Data; and (v) in perpetuity using, reproducing, preparing derivative
works of, and distributing such aggregated or de-identified data for any lawful purpose and to grant
sublicenses for the foregoing. Customer represents and warrants that it owns or has the legal right and
authority, and will continue to own or maintain the legal right and authority, to grant to Orbit the license
set forth herein. Customer further represents and warrants that it has provided all necessary notices to
process the Customer Data and to transfer the Customer Data to Orbit. Customer shall indemnify, defend,
and hold harmless Orbit, its affiliates, and their respective directors, officers, employees, and agents from
and against any Losses arising from or related to a claim of a third party with respect to a breach of the
foregoing representations and warranties of Customer.
8. Confidentiality.
(a) Security of Confidential Information. Each party possessing Confidential Information of
the other party will maintain all such Confidential Information under reasonably secure conditions, using
reasonable security measures and in any event not less than the same security procedures used by such party
for the protection of its own Confidential Information of a similar kind.
(b) Non-Disclosure Obligation. Except as otherwise may be permitted by this Agreement,
neither party shall disclose any Confidential Information of the other party to any third party without the
express prior written consent of the other party; provided, however, that either party may disclose
appropriate portions of Confidential Information of the other party to those of its employees, contractors,
agents, and professional advisors having a substantial need to know the specific information in question in
connection with such party’s exercise of rights or performance of obligations under this Agreement
provided that all such persons (i) have been instructed that such Confidential Information is subject to the
obligation of confidence set forth by this Agreement and (ii) are bound by contract, employment policies,
or fiduciary or professional ethical obligation to maintain such information in confidence.
(c) Compelled Disclosure. If either party is ordered by a court, administrative agency, or other
governmental body of competent jurisdiction to disclose Confidential Information, or if it is served with or
otherwise becomes aware of a motion or similar request that such an order be issued, then such party will
not be liable to the other party for disclosure of Confidential Information required by such order if such
party complies with the following requirements: (i) if an already-issued order calls for immediate
disclosure, then such party immediately shall move for or otherwise request a stay of such order to permit
the other party to respond as set forth in this paragraph; (ii) such party immediately shall notify the other
party of the motion or order by the most expeditious possible means; (iii) such party shall not oppose a
motion or similar request by the other party for an order protecting the confidentiality of the Confidential
Information, including not opposing a motion for leave to intervene by the other party; and (iv) such party
shall exercise reasonable efforts to obtain appropriate assurance that confidential treatment will be accorded
the Confidential Information so disclosed.
(d) Non-Use Obligation. Except as expressly authorized in this Agreement, during the term of
this Agreement and forever thereafter (or for such shorter period as may be imposed by applicable law),
neither party shall use any Confidential Information of the other party, except at the request of and for the
benefit of such other party, without the express prior written consent of the other party.
(e) Copying of Confidential Information. Except as otherwise may be permitted by this
Agreement, neither party shall copy or otherwise reproduce any part of any Confidential Information of the
other party, nor attempt to do so, without the prior written consent of the other party. Any embodiments of
Confidential Information of a party that may be generated by the other party, either pursuant to or in
violation of this Agreement, will be deemed to be solely the property of the first party and fully subject to
the obligations of confidence set forth herein.
(f) Proprietary Legends. Without the other party’s prior written consent, neither party shall
remove, obscure, or deface on or from any embodiment of any Confidential Information any proprietary
legend relating to the other party’s rights.
(g) Reports of Misappropriation. Each party shall report to the other party without
unreasonable delay any act or attempt by any person of which such party has knowledge or reasonably
suspects (i) to use, disclose, or copy Confidential Information without authorization from the other party
or (ii) to reverse assemble, reverse compile, or otherwise reverse engineer any part of the Confidential
Information.
(h) Post-Termination Procedures. Except with respect to Customer Data as provided in
Section 11(c) or as otherwise expressly provided in this Agreement, promptly upon the expiration or any
termination of this Agreement or other expiration or termination of a party’s right to possess and/or use
Confidential Information, each party shall turn over to the other party (or destroy and certify the same in
writing, if agreed in writing by the other party) any embodiments of any Confidential Information of the
other party.
9. Representations and Warranties; Disclaimers.
(a) REPRESENTATION AND WARRANTY DISCLAIMERS. THE LICENSED
MATERIALS AND ALL SERVICES PROVIDED OR TO BE PROVIDED UNDER THIS
AGREEMENT ARE PROVIDED “AS IS,” WITH ALL FAULTS, AND CUSTOMER ASSUMES THE
ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LICENSED MATERIALS.
ORBIT DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, OR REPRESENTATIONS
(EXPRESS OR IMPLIED, ORAL OR WRITTEN) WITH RESPECT TO THE LICENSED MATERIALS
OR ANY PART THEREOF OR THE SERVICES, INCLUDING WITHOUT LIMITATION ANY AND
ALL IMPLIED WARRANTIES OR CONDITIONS OF TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, OR FITNESS OR SUITABILITY FOR ANY PURPOSE (WHETHER OR NOT
ORBIT KNOWS, HAS REASON TO KNOW, HAS BEEN ADVISED, OR OTHERWISE IS IN FACT
AWARE OF ANY SUCH PURPOSE), WHETHER ALLEGED TO ARISE BY LAW, BY REASON OF
CUSTOM OR USAGE IN THE TRADE, BY COURSE OF DEALING, OR OTHERWISE. ORBIT
EXPRESSLY DISCLAIMS ANY WARRANTY OR REPRESENTATION TO ANY PERSON OTHER
THAN CUSTOMER.
DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING UPON
AND ATTACKING NETWORKS, ORBIT DOES NOT WARRANT THAT THE LICENSED
MATERIALS, SERVICES, OR ANY EQUIPMENT, SYSTEM, OR NETWORK ON WHICH THEY
ARE USED OR ACCESSED, WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK
THAT RESULTS IN CUSTOMER’S INABILITY TO USE THE LICENSED MATERIALS OR THE
UNAUTHORIZED DISCLOSURE OR COMPROMISE OF CUSTOMER DATA.
COMPANY CANNOT AND DOES NOT GUARANTEE OR WARRANT THAT FILES AVAILABLE
FOR DOWNLOADING FROM THE INTERNET OR THE LICENSED MATERIALS WILL BE FREE
OF VIRUSES OR OTHER DESTRUCTIVE CODE. CUSTOMER IS RESPONSIBLE FOR
IMPLEMENTING SUFFICIENT PROCEDURES AND CHECKPOINTS TO SATISFY ITS
PARTICULAR REQUIREMENTS FOR ANTI-VIRUS PROTECTION AND ACCURACY OF DATA
INPUT AND OUTPUT, AND FOR MAINTAINING A MEANS EXTERNAL TO THE APPLICATION
FOR ANY RECONSTRUCTION OF ANY LOST DATA.
(b)
Other Disclaimers. Customer will be exclusively responsible as between the parties for,
and Orbit makes no representation or warranty with respect to, determining whether the Licensed Materials
will achieve the results desired by Customer, ensuring the accuracy of any Customer Data, and selecting,
procuring, installing, operating, and maintaining the technical infrastructure for Customer’s access to and
use of the Licensed Materials (other than with respect to the Hosting Services). Orbit shall not be liable for,
and shall have no obligations with respect to, any aspect of the Licensed Materials that is modified by any
person other than Orbit or its contractors, use of the Licensed Materials other than in accordance with the
most current operating instructions provided by Orbit, errors or other effects of problems, defects, or
failures of software or hardware not provided by Orbit or of acts or omissions of Customer or any third
party. Customer acknowledges that the operation of the Licensed Materials will not be error free in all
circumstances and that all defects in the Licensed Materials may not be corrected.
(c)
Some jurisdictions do not allow the exclusion of certain warranties or the limitation or
exclusion of liability for incidental or consequential damages, so some of the limitations and disclaimers
above may not apply to Customer. To the extent applicable law does not permit such disclaimer of warranty,
the scope and duration of such warranty and the extent of such liability shall be the minimum permitted
under such applicable law.
10.
Breach; Termination; Disposition of Data.
(a)
Notice of Breach; Cure Period. In the event of a breach of a provision of this Agreement,
the notice and cure procedures set forth in this paragraph shall apply. The non-breaching party shall give
the breaching party notice describing the breach and stating the time, as provided herein, within which the
breach must be cured. If a provision of this Agreement sets forth a cure period for the breach in question,
then that provision shall take precedence over any cure period set forth in this paragraph. No cure period
shall be required, except as may be provided otherwise in this Agreement, if this Agreement sets forth
specific deadline dates for the obligation allegedly breached. If the breach is of an obligation to pay money,
the breaching party shall have five business days to cure the breach after written notice thereof by the
non-breaching party. If the breach is a material breach of an obligation relating to the other party’s Confidential
Information, including Customer’s use or disclosure of the Application other than in compliance with the
license granted in this Agreement, then the non-breaching party, in its sole discretion, may specify in the
notice of breach that no cure period will be permitted. Orbit may immediately terminate this Agreement
without notice if Customer breaches its obligations under Section 5. If the breach is other than a breach of
the kind described above in this paragraph, then the cure period will be 30 days after the notice of the breach
by the non-breaching party.
(b)
Termination. If a breach of any provision of this Agreement has not been cured at the end
of the applicable cure period, if any (or upon such breach if no cure period is permitted), then the
non-breaching party thereupon may terminate this Agreement by notice to the other party. Termination of this
Agreement by Orbit for breach by Customer shall terminate all licenses granted to Customer herein. This
Agreement and the licenses granted to Customer herein shall terminate automatically, to the extent
permitted by applicable law in the jurisdiction or jurisdictions in question, if Customer makes an assignment
for the benefit of its creditors, files a petition for bankruptcy, receivership, reorganization, or other like
proceeding under any present or future debtor relief law (or is the subject of an involuntary such petition or
filing that is not dismissed within 60 days after the effective filing date thereof), or admits of a general
inability to pay its debts as they become due. Any termination of this Agreement shall be in addition to, and
not in lieu of, any other rights or remedies available at law or in equity.
(c)
Disposition of Customer Data. Upon Customer’s written request within 30 days following
the expiration or any termination of this Agreement, Orbit shall destroy the Customer Data; provided,
however, that to the extent Orbit is required by applicable law or legal process to retain any portion of the
Customer Data, or to the extent that destruction of any Customer Data is infeasible, Orbit shall retain such
Customer Data as though it were Confidential Information for such time as is required by such law or
process or until destruction is no longer infeasible, after which Orbit promptly shall destroy the Customer
Data. If Customer does not provide such notice within 30 days following the expiration or termination of
this Agreement, Orbit may destroy such Customer Data in its sole discretion.
11.
Risk Allocation.
(a)
EXCLUSION OF INDIRECT DAMAGES. IN NO EVENT WILL ORBIT BE LIABLE
UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE
THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT
LIABILITY, AND OTHERWISE, FOR ANY: (a) CONSEQUENTIAL, INCIDENTAL, INDIRECT,
EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (b) INCREASED COSTS,
DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (c)
LOSS OF GOODWILL OR REPUTATION; (d) USE, INABILITY TO USE, LOSS, INTERRUPTION,
DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (e)
COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER
ORBIT WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH
LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE.
(b)
EXCLUSION OF SERVICE-RELATED DAMAGES. ORBIT SHALL NOT BE LIABLE
FOR ANY DAMAGES, LIABILITY OR LOSSES ARISING OUT OF: (i) CUSTOMER’S USE OF OR
RELIANCE ON THE SERVICES, OR CUSTOMER’S INABILITY TO ACCESS OR USE THE
APPLICATION; OR (ii) ANY TRANSACTION OR RELATIONSHIP BETWEEN CUSTOMER AND
ANY OTHER INDIVIDUAL, EVEN IF ORBIT HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. ORBIT SHALL NOT BE LIABLE FOR DELAY OR FAILURE IN
PERFORMANCE RESULTING FROM CAUSES BEYOND ORBIT’S REASONABLE CONTROL.
(c)
MAXIMUM AGGREGATE LIABILITY. IN NO EVENT WILL ORBIT’S
AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY
LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING
NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THE TOTAL AMOUNTS PAID
TO ORBIT UNDER THIS AGREEMENT IN THE TWELVE MONTH PERIOD PRECEDING THE
EVENT GIVING RISE TO THE CLAIM.
(d)
Intentional Risk Allocation. Each party acknowledges that the provisions of this
Agreement were negotiated, as a material part of the agreement memorialized herein, to reflect an informed,
voluntary allocation between them of all risks (both known and unknown) associated with the transactions
involved with this Agreement. The warranty disclaimers and limitations in this Agreement are intended,
and have as their essential purpose, to limit the circumstances of liability. The remedy limitations and the
limitations of liability are separately intended, and have as their essential purpose, to limit the forms of
relief available to the parties.
(e)
Indemnification. Customer agrees to indemnify, defend, and hold harmless Orbit, its
Affiliates, their successors and assigns, and all of their respective officers, directors, agents, and employees
from and against any claims, liabilities, damages, judgments, awards, losses, obligations, costs, expenses
or fees (including reasonable attorneys’ fees) arising out of or relating to (i) Customer’s and/or a Customer
User’s use of the Licensed Materials or Services, including those obtained through use of the Licensed
Materials; (ii) Customer’s and/or a Customer User’s breach or violation of this Agreement or applicable
law, regulation, rule, or other authority; or (iii) Customer’s and/or a Customer User’s violation of the rights
of any third party, including those of other users and third parties.
12.
Marketing. Orbit may identify Customer as an Orbit customer and display Customer’s logos
in its marketing materials and advertisements, on its web site, and in presentations. Orbit shall not acquire
any intellectual property rights in any such logos, trademarks, service marks, or other indicia of origin.
13.
Certain Data Processing.
(a)
Data Processing Addendum. If Customer is a “Controller” as defined in the Data
Processing Addendum attached hereto as Exhibit A, the parties acknowledge and agree that the Data
Processing Addendum shall apply to the extent Customer Data includes “Customer Personal Data,” as
defined in the Data Processing Addendum. If Customer is or becomes a Controller, Customer shall notify
Orbit thereof prior to any Processing of Customer Personal Data (as defined in the Data Processing
Addendum).
(b)
Collection of Technical Data. Notwithstanding anything to the contrary herein, Orbit shall
have the right to collect and analyze data and other information relating to the provision, use and
performance of the Licensed Materials and related systems and technologies, and Orbit will be free (during
and after the term hereof) to (i) use such information and data to improve and enhance the Licensed
Materials and for other development, diagnostic and corrective purposes in connection with the Licensed
Materials and other service offerings, and (ii) disclose such data solely in aggregated or de-identified form
in connection with its business.
14.
Other Provisions.
(a)
Notice. Except as otherwise expressly provided herein, notices shall be given under this
Agreement in writing in the English language, signed by the party giving the same, and shall be given
(i) personally (in which case such notices shall be deemed given when so delivered), (ii) by certified or
registered U.S. Mail, properly addressed and postage pre-paid, from within the United States (in which case
such notices shall be deemed given on the third business day after deposit), (iii) by generally recognized
overnight courier, properly addressed and pre-paid, with next business day instruction (in which case such
notices shall be deemed given on the next business day after deposit), or (iv) if to Customer, at Orbit’s
election, by e-mail (in which case such notice shall be deemed given upon transmission unless Orbit
receives a non-delivery email message within a reasonable time thereafter). Such notices shall be sent to
Orbit at 325 9th Street, San Francisco, CA 94103 and to Customer at the address for notices or email address
designated in the Registration or as provided in clause (iv) of the preceding sentence. Either party may
change its address for purposes of notice by written notice thereof to the other party.
(b)
Nature of Relationship; Subcontractors. Orbit shall provide all Services hereunder as an
independent contractor to Customer. Subject to the provisions of this Agreement regarding confidentiality,
Orbit may perform its obligations hereunder through its employees and through subcontractors. Nothing
contained herein shall be deemed to create any agency, partnership, joint venture, or other relationship
between the parties or any of their affiliates, and neither party shall have the right, power, or authority under
this Agreement to create any duty or obligation on behalf of the other party.
(c)
Force Majeure. Neither party shall be liable for any failure to perform its obligations under
this Agreement if such failure arises, directly or indirectly, out of causes reasonably beyond the direct
control of such party and not due to such party’s own fault or negligence or that of its contractors or
representatives or other persons acting on its behalf, and which cannot be overcome by the exercise of due
diligence and which could not have been prevented through commercially reasonable measures, including
acts of God, acts of terrorists or criminals, acts of domestic or foreign governments, change in any law or
regulation, fires, floods, explosions, epidemics, disruptions in communications, power, or other utilities,
strikes or other labor problems, riots, or unavailability of supplies.
(d)
Governing Law; Venue. This Agreement shall be construed and enforced in accordance
with the laws of the state of California (other than its conflicts of law provisions) and venue shall be
exclusively in the federal or state courts sitting in California.
(e)
Jury Trial Waiver. THE PARTIES SPECIFICALLY WAIVE ANY RIGHT TO TRIAL
BY JURY IN ANY COURT WITH RESPECT TO ANY CONTRACTUAL, TORTIOUS, OR
STATUTORY CLAIM, COUNTERCLAIM, OR CROSS-CLAIM AGAINST THE OTHER ARISING
OUT OF OR CONNECTED IN ANY WAY TO THIS AGREEMENT, BECAUSE THE PARTIES
HERETO, BOTH OF WHICH ARE REPRESENTED BY COUNSEL, BELIEVE THAT THE COMPLEX
COMMERCIAL AND PROFESSIONAL ASPECTS OF THEIR DEALINGS WITH ONE ANOTHER
MAKE A JURY DETERMINATION NEITHER DESIRABLE NOR APPROPRIATE.
(f)
Injunctive Relief. Each party acknowledges that any violation of its covenants in this
Agreement relating to the other party’s Confidential Information and intellectual property would result in
damage to such party that is largely intangible but nonetheless real and that is incapable of complete remedy
by an award of damages. Accordingly, any such violation shall give such party the right to a court-ordered
injunction or other appropriate order to enforce specifically those covenants without bond and without
prejudice to any other rights or remedies to which such party may be entitled as a result of a breach of this
Agreement.
(g)
Attorney Fees. If litigation or other action is commenced by a party to enforce this
Agreement or between the parties concerning any dispute arising out of or relating to this Agreement, the
prevailing party will be entitled, in addition to any other award that may be made, to recover all court costs
and other official costs and all reasonable expenses associated with the litigation or other action, including
reasonable fees and expenses of counsel.
(h)
Assignment. Customer may transfer or assign some or all of its rights and/or delegate some
or all of its obligations under this Agreement only with the express prior written consent of Orbit, which
may be granted or withheld in Orbit’s sole discretion; provided, however, that if Customer is not a natural
person, Customer may assign all of its rights hereunder indivisibly to an entity that controls, is controlled
by, or is under common control with Customer (“control” meaning possession, directly or indirectly, of a
majority of an entity’s voting interests) or to a purchaser of substantially all of Customer’s assets so long
as such assignee (i) agrees in writing to comply with Customer’s obligations under, and to be bound by,
this Agreement (this clause does not in itself authorize Customer to delegate its duties under this
Agreement) and (ii) promptly notifies Orbit in writing of the same. Any purported transfer or assignment
by Customer of any right under this Agreement otherwise than in accordance with the provisions of this
paragraph shall be null and void and a breach of this Agreement. This Agreement shall be fully assignable
by Orbit in its sole discretion.
(i)
Successors and Assigns. This Agreement will be binding upon and inure to the benefit of
the parties and their successors and assigns permitted by this Agreement.
(j)
No Third Party Beneficiaries. Except as otherwise expressly set forth herein, nothing in
this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the
parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities
whatsoever.
(k)
Entire Agreement. This Agreement and any separately-executed Statement of Work,
together with all exhibits and attachments to each of the foregoing, constitutes the entire agreement between
the parties concerning the subject matter hereof. In the event of any conflicting terms between this
Agreement and any Statement of Work, this Agreement shall control unless the Statement of Work
specifically states otherwise. No prior or contemporaneous representations, inducements, promises, or
agreements, oral or otherwise, between the parties with reference thereto will be of any force or effect. Each
party represents and warrants that, in entering into and performing its obligations under this Agreement, it
does not and will not rely on any promise, inducement, or representation allegedly made by or on behalf of
the other party with respect to the subject matter hereof, nor on any course of dealing or custom and usage
in the trade, except as such promise, inducement, or representation may be expressly set forth herein.
(l)
Survival. The covenants herein concerning Confidential Information, indemnification,
post-termination procedures, and any other provision that, by its nature, is intended to survive this
Agreement shall survive any termination or expiration of this Agreement.
(m)
Amendment and Waiver. Except as otherwise expressly provided herein, no modification
or amendment to this Agreement will be valid or binding unless in writing and duly executed by the party
or parties to be bound thereby. The failure of either party at any time to require performance by the other
party of any provision of this Agreement shall in no way affect the right of such party to require performance
of that provision. Any waiver by either party of any breach of this Agreement shall not be construed as a
waiver of any continuing or succeeding breach of such provision, a waiver of the provision itself, or a
waiver of any right under this Agreement.
(n)
Severability. If any provision of this Agreement is ruled wholly or partly invalid or
unenforceable by a court or other body of competent jurisdiction, then (i) the validity and enforceability of
all provisions of this Agreement not ruled to be invalid or unenforceable will be unaffected; (ii) the effect
of the ruling will be limited to the jurisdiction of the court or other body making the ruling; (iii) the provision
held wholly or partly invalid or unenforceable shall be deemed amended, and the court or other body is
authorized to reform the provision, to the minimum extent necessary to render it valid and enforceable
in conformity with the parties’ intent as manifested herein; and (iv) if the ruling or the controlling principle
of law or equity leading to the ruling subsequently is overruled, modified, or amended by legislative,
judicial, or administrative action, then the provision in question as originally set forth in this Agreement
shall be deemed valid and enforceable to the maximum extent permitted by the new controlling principle
of law or equity.
(o)
Headings. The headings of the sections used in this Agreement are included for
convenience only and are not to be used in construing or interpreting this Agreement.
EXHIBIT A
DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “Addendum”) is made effective as of the Effective Date (as
defined below), by and between Orbit and Customer.
WHEREAS, the parties have entered into that certain Subscription Agreement (the “Agreement”)
to which this Addendum is attached and pursuant to which Orbit shall provide the Licensed Materials and
certain services (collectively, the “Services”); and
WHEREAS, Customer is a “Controller” under the GDPR and requires a data processing agreement
with third parties engaged in the Processing of Personal Data on its behalf; and
WHEREAS, in the course of performing its obligations under the Agreement, Orbit may Process
Customer Personal Data on behalf of Customer as a Processor; and
WHEREAS, this Addendum forms an integral part of the Agreement and applies to the extent that
Orbit Processes Customer Personal Data in the course of its performance under the Agreement.
NOW, THEREFORE, in consideration of the mutual covenants contained herein, and other good
and valuable consideration, the sufficiency of which is hereby acknowledged, the parties agree as follows:
1.
Definitions.
(a)
All capitalized terms used but not otherwise defined herein shall have the meanings set
forth in the Agreement.
(b)
“Customer Personal Data” means any Personal Data which Orbit Processes pursuant to
the Agreement on behalf of Customer in its role as Controller.
(c)
“Data Protection Legislation” means all European data protection and privacy laws
applicable to the Processing of Customer Personal Data under the Agreement, including, where applicable,
GDPR.
(d)
“Effective Date” means the later of the date on which the Agreement becomes effective
or the date on which Customer provides Customer Personal Data to Orbit for Processing.
(e)
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(f)
“Personal Data Breach” means a Personal Data Breach of Customer Personal Data in
connection with the Agreement.
(g)
“Security Measures” means commercially reasonable security-related policies, standards,
and practices commensurate with the size and complexity of Orbit’s business; the level of sensitivity of the
Personal Data collected, handled and stored; and the nature of Orbit’s business activities.
(h)
“Sub-Processor” means any Processor engaged by Orbit to Process Customer Personal
Data pursuant to the terms of the Agreement and this Addendum.
(i)
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor”, “Process”,
“Processing”, and “Supervisory Authority” shall have the meanings ascribed to such terms in the Data
Protection Legislation, whether or not capitalized therein.
2.
Relationship of the Parties. The parties acknowledge and agree that Customer is the
Controller and that Orbit is a Processor with respect to all Customer Personal Data.
3.
Compliance with Laws.
(a)
Each party shall comply with its respective obligations under the Data Protection
Legislation with respect to Customer Personal Data. Customer shall not use the Services or the Licensed
Materials in a manner that violates Data Protection Legislation, nor shall Customer instruct Processor to
Process Customer Personal Data in violation of Data Protection Legislation. Customer represents, warrants,
and covenants that it will only instruct Orbit to Process Customer Personal Data and use the Services and
Licensed Materials in a manner that complies with Data Protection Legislation.
(b)
Customer represents and warrants that it has a valid legal basis or lawful purpose for
Processing Customer Personal Data and for any transfer of Customer Personal Data to Orbit, and Customer
shall maintain a record of such valid legal bases and lawful purposes. Customer shall immediately notify
Orbit if any change should occur in the legal bases or lawful purposes for the Processing or transfer of
Customer Personal Data and shall immediately instruct Orbit of any new or revised scope, duration, subject
matter, nature, or purposes regarding the Processing of Customer Personal Data by Orbit.
(c)
Customer shall have sole responsibility for the accuracy, quality, and legality of Customer
Personal Data and the means by which Customer acquires Customer Personal Data. Customer represents
and warrants that it has all rights and necessary consents and that it has provided all necessary notices to
Process Customer Personal Data and to transfer Customer Personal Data to Orbit. Customer shall obtain all
necessary consents from Data Subjects and shall maintain a record of such rights and consents. Customer
shall immediately notify Orbit if a Data Subject revokes or changes his or her consent to the Processing of
his or her Personal Data and shall immediately instruct Orbit of any new or revised scope, duration, subject
matter, nature, or purposes regarding the Processing of Customer Personal Data by Orbit.
4.
Processing Purpose and Instructions.
(a)
Customer shall determine and instruct Orbit as to the scope, purposes, and manner by
which Customer Personal Data is to be Processed by Orbit and, from time to time, may reasonably modify
those instructions. Orbit shall notify Customer if, in Orbit’s opinion, an instruction provided by Customer
infringes upon Data Protection Legislation.
(b)
Customer represents and warrants to Orbit that the subject matter, duration, nature, and
purposes of the Processing and the types of Personal Data and categories of Data Subjects contemplated by
this Addendum are accurately described as follows and instructs Orbit to engage in such Processing:
(i)
Subject Matter of the Processing: Orbit’s provision of the Services under the
Agreement; provided, however, Customer acknowledges and agrees that it controls how the Licensed
Materials are used to Process Customer Personal Data.
(ii)
Duration of the Processing: The term of the Agreement plus the period from the expiry
of the term until deletion of all Customer Personal Data by Orbit in accordance with the Agreement.
(iii)
The Nature and Purpose of the Processing: Orbit will process Customer Personal Data
for the purposes of providing the Services as instructed by Customer. Processing activities may include:
collection, retrieval, organization, storage, alteration, enhancement, aggregation, de-identification, use, and
disclosure. Customer acknowledges and agrees that it controls how the Licensed Materials are used to
Process Customer Personal Data.
(iv)
The Types of Personal Data and Categories of Data Subjects: The types of Personal
Data and Data Subjects include the individuals selected by Customer or Customer’s employees, agents, or
contractors and information collected and Processed in providing the Services. Customer acknowledges
and agrees that it controls how the Licensed Materials are used to Process Customer Personal Data.
(c)
Orbit shall only Process Customer Personal Data as set forth in the Agreement, this
Addendum, and any specific, written instructions provided by an authorized representative of Customer to
Orbit; provided, however that Orbit may engage in Processing required by Data Protection Legislation to
which Orbit is subject after informing Customer of any such requirement (unless the law prohibits providing
such information).
5.
Reasonable Security and Safeguards.
(a)
Subject to any hardware, software and network infrastructure used by Customer, Orbit
shall, taking into account the state of the art, the costs of implementation, and the nature, scope, context and
purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of
natural persons, implement appropriate technical and organizational measures (the Security Measures) to
ensure a level of security appropriate to the risks presented by the Processing and the nature of Customer
Personal Data.
(b)
The Security Measures are subject to technical progress and development, and Orbit may
update or modify the Security Measures from time to time provided that such updates and modifications do
not result in the degradation of the overall security.
(c)
Orbit shall take steps to ensure that any natural person acting under the authority of Orbit
who has been granted access to the Customer Personal Data by Orbit does not Process Customer Personal
Data in violation of this Addendum. Orbit shall ensure that persons authorized to Process Customer
Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation
of confidentiality.
(d)
Customer is responsible for using and configuring the Services and the Licensed Materials
in a manner which enables both parties to comply with Data Protection Legislation and for implementing
appropriate technical and organizational measures with respect to its systems, networks, resources,
personnel, and operations to ensure the privacy and security of Customer Personal Data.
6.
Personal Data Breach.
(a)
Upon becoming aware of a Personal Data Breach, Orbit will notify Customer without
undue delay and will provide information relating to the Personal Data Breach as reasonably requested by
Customer.
(b)
Orbit shall notify Customer without undue delay if, in its assessment, Customer Personal
Data has been Processed in a manner that is inconsistent with this Addendum, the instructions provided by
Customer, or Data Protection Laws.
7.
Assessments and Audits.
(a)
Orbit shall, upon reasonable and written notice and subject to obligations of confidentiality
and pursuant to a non-disclosure agreement, contribute to audits (including inspections) conducted by
Customer or a third-party auditor mutually agreed upon by the parties and allow its Processing procedures
and documentation to be inspected no more than annually in order to ascertain compliance with this
Addendum. Such audit shall be at Customer’s sole expense. Orbit shall cooperate in good faith with audit
requests by providing access to relevant knowledgeable personnel and documentation. Except as otherwise
required by law, (i) Customer shall provide at least thirty (30) days prior written notice to Orbit of any
requested audit; (ii) any audit shall be conducted during Orbit’s normal business hours; (iii) an audit shall
not last longer than three (3) business days; and (iv) Customer and its agents and auditors shall not access
Orbit’s proprietary or confidential information, except to the extent access is strictly necessary to
demonstrate compliance with this Addendum and in a manner acceptable to Orbit that preserves the
proprietary or confidential nature of the information.
(b)
During the term of this Addendum, Orbit shall make available to Customer all information
necessary to demonstrate Orbit’s compliance with Article 28 of the GDPR.
8.
Cooperation and Assistance
(a)
Taking into account the nature of the Processing and the information available to Orbit,
Orbit shall assist Customer in ensuring compliance with Customer’s obligations under Articles 32 through
36 of the GDPR.
(b)
Taking into account the nature of the Processing, Orbit shall assist Customer by
implementing appropriate technical and organizational measures, insofar as is possible, for the fulfilment
of Customer’s obligations of responding to requests for exercising a data subject’s rights under Chapter III
of the GDPR.
(i)
If Orbit receives any requests from Data Subjects or applicable Supervisory
Authorities relating to the Processing of Customer Personal Data under the Agreement, including requests
from Data Subjects seeking to exercise their rights under Data Protection Legislation, Orbit will promptly
redirect the request to Customer. Orbit will not respond to such communication directly without Customer's
prior authorization, unless legally compelled to do so.
(ii)
In the event Customer needs to provide information (including details of the services
provided by Orbit) to a competent Supervisory Authority, Orbit shall assist Customer in providing such
information, to the extent that such information is solely in the possession of Orbit or its Sub-processors.
(c)
To the extent permitted by law, each party shall promptly inform the other party of any
inquiry or complaint received from a Data Subject or a Supervisory Authority relating to the Processing of
Customer Personal Data under this Addendum. The parties and their respective employees, contractors, and
agents shall cooperate with a Supervisory Authority in the performance of its tasks with respect to this
Addendum.
9.
Use of Sub-Processors
(a)
Customer acknowledges and agrees that Orbit may engage such Sub-Processors as Orbit
determines are reasonably appropriate for the Processing of Customer Personal Data under the Agreement
and the Standard Contractual Clauses attached hereto as Exhibit 1. Orbit shall ensure that each of its Sub-
Processors is bound by substantially the same data protection obligations applicable to Orbit under this
Addendum by way of contract, including sufficient guarantees to implement appropriate technical and
organizational measures such that the Processing by the Sub-Processor will meet the requirements imposed
by the GDPR. Customer hereby consents to Orbit’s subcontracting of its processing of Personal Data under
the Standard Contractual Clauses attached hereto as Exhibit 1.
(b)
Customer hereby consents to the processing of Customer Personal Data by, and the
disclosure and transfer of Customer Personal Data to, the Sub-Processors listed on Annex III to Exhibit 1.
(c)
Customer provides a general consent for Orbit to engage onward Sub-Processors in the
Processing of Customer Personal Data under the Agreement without Customer’s prior consent, provided
that Orbit has entered into an agreement with the Sub-Processor containing data protection obligations that
are as restrictive as the obligations under this Addendum (to the extent applicable to the services provided
by the Sub-processor). Within ten (10) days of receiving a notification from Orbit to Customer of any
changes in its use of Sub-Processors during the term of the Agreement, Customer shall notify Orbit of any
objections to such additional or different Sub-Processors. If Customer does not timely notify Orbit of an
objection, Customer acknowledges and agrees that Orbit may use the Sub-Processor(s) identified in Orbit’s
notice pursuant to the general authorization provided by Customer in this Section.
(d)
To the extent required under Data Protection Legislation, Orbit will be responsible for any
acts, errors, or omissions of its Sub-Processors that cause Orbit to breach any of its obligations under this
Addendum.
10.
International Data Transfers. Customer acknowledges and agrees that Customer Personal
Data will be transferred to the United States of America, a jurisdiction that has been determined not to offer
an adequate level of data protection by the European Commission. Customer further acknowledges and
agrees that Orbit’s Sub-Processor for cloud storage and related services may in limited instances transfer
Customer Personal Data to other jurisdictions for which the European Commission has not adopted an
adequacy decision. To facilitate such transfers, the parties hereby enter into the Standard Contractual
Clauses attached hereto as Exhibit 1, which are incorporated by reference herein. The parties shall work
together during the Term to ensure that they (or the relevant Sub-Processor) have a legally-approved
mechanism in place to facilitate such data transfers, including working together to document the
appropriateness of such mechanism in accordance with Data Protection Legislation. Customer
acknowledges and agrees that by clicking the button on the Orbit Labs registration page to accept the
agreement, Customer executes the Standard Contractual Clauses attached hereto as Exhibit 1.
11.
Data Retention and Destruction. Upon termination of the Agreement and upon completion
of Orbit’s obligations in relation to the Processing of Customer Personal Data under this Addendum, or
upon Customer’s written instructions at any time during the term of this Addendum, Orbit shall either: (i)
return to Customer all or certain subsets of Customer Personal Data in Orbit’s possession; (ii) render
anonymous all or certain subsets of Customer Personal Data in Orbit’s possession; or (iii) permanently
delete or render unreadable all or certain subsets of Customer Personal Data. In the event Orbit determines
that anonymization, return, or destruction of Customer Personal Data is not reasonably feasible because
Orbit is required by applicable law to retain any such Customer Personal Data, Orbit shall notify Customer
thereof and limit any further Processing to those purposes that make the anonymization, return or
destruction infeasible. The requirements of this section shall survive termination or expiration of this
Addendum and shall be in force as long as any Customer Personal Data remain in the custody or control of
Orbit.
12.
Liability and Indemnification. Customer will indemnify, defend, and hold Orbit harmless
against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees,
and settlement amounts) made or brought against Orbit by a third party alleging that the Services, Licensed
Materials, or the Processing or transfer of Customer Personal Data infringes Data Protection Legislation.
13.
General.
(a)
Orbit acknowledges and agrees that it has no ownership of Customer Personal Data other
than as expressly permitted under the Agreement or as authorized by Customer.
(b)
ANY CLAIMS BROUGHT UNDER THIS ADDENDUM WILL BE SUBJECT TO THE
TERMS AND CONDITIONS OF THE AGREEMENT, INCLUDING THE EXCLUSIONS AND
LIMITATIONS SET FORTH IN THE AGREEMENT; PROVIDED, HOWEVER, THAT THE PARTIES
HAVE NOT LIMITED THEIR LIABILITY UNDER THE AGREEMENT WITH RESPECT TO ANY
DATA SUBJECT’S RIGHTS UNDER DATA PROTECTION LEGISLATION WHERE SUCH
LIMITATION WOULD BE PROHIBITED BY LAW.
(c)
In the event of a conflict between the Agreement (or any document referred to therein) and
this Addendum, the provisions of this Addendum shall prevail.
(d)
All notices provided for in this Addendum shall be sent to Orbit and Customer at the
addresses provided in the Agreement and in accordance with all requirements for service of notices under
that agreement.
(e)
This Addendum will terminate automatically upon the termination of the Agreement and
any obligations under section 10 thereof.
EXHIBIT 1
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
Clause 1
Purpose and scope
(a)
The purpose of these standard contractual clauses is to ensure compliance with the
requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data (General Data Protection Regulation)
for the transfer of personal data to a third country.
(b)
The Parties:
(i)
the natural or legal person(s), public authority/ies, agency/ies or other body/ies
(hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A
(hereinafter each ‘data exporter’), and
(ii)
the entity/ies in a third country receiving the personal data from the data exporter,
directly or indirectly via another entity also Party to these Clauses, as listed in
Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c)
These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d)
The Appendix to these Clauses containing the Annexes referred to therein forms an integral
part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a)
These Clauses set out appropriate safeguards, including enforceable data subject rights and
effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU)
2016/679 and, with respect to data transfers from controllers to processors and/or
processors to processors, standard contractual clauses pursuant to Article 28(7) of
Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate
Module(s) or to add or update information in the Appendix. This does not prevent the
Parties from including the standard contractual clauses laid down in these Clauses in a
wider contract and/or to add other clauses or additional safeguards, provided that they do
not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or
freedoms of data subjects.
(b)
These Clauses are without prejudice to obligations to which the data exporter is subject by
virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a)
Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against
the data exporter and/or data importer, with the following exceptions:
(i)
Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii)
Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii)
Clause 9(a), (c), (d) and (e);
(iv)
Clause 12(a), (d) and (f);
(v)
Clause 13;
(vi)
Clause 15.1(c), (d) and (e);
(vii)
Clause 16(e);
(viii) Clause 18(a) and (b).
(b)
Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU)
2016/679.
Clause 4
Interpretation
(a)
Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms
shall have the same meaning as in that Regulation.
(b)
These Clauses shall be read and interpreted in the light of the provisions of Regulation
(EU) 2016/679.
(c)
These Clauses shall not be interpreted in a way that conflicts with rights and obligations
provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements
between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these
Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred
and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
(a)
An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede
to these Clauses at any time, either as a data exporter or as a data importer, by completing
the Appendix and signing Annex I.A.
(b)
Once it has completed the Appendix and signed Annex I.A, the acceding entity shall
become a Party to these Clauses and have the rights and obligations of a data exporter or
data importer in accordance with its designation in Annex I.A.
(c)
The acceding entity shall have no rights or obligations arising under these Clauses from
the period prior to becoming a Party.
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer
is able, through the implementation of appropriate technical and organisational measures, to satisfy
its obligations under these Clauses.
8.1 Instructions
(a)
The data importer shall process the personal data only on documented instructions from
the data exporter. The data exporter may give such instructions throughout the duration of
the contract.
(b)
The data importer shall immediately inform the data exporter if it is unable to follow those
instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer,
as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as
completed by the Parties, available to the data subject free of charge. To the extent necessary to
protect business secrets or other confidential information, including the measures described in
Annex II and personal data, the data exporter may redact part of the text of the Appendix to these
Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject
would otherwise not be able to understand its content or exercise his/her rights. On request, the
Parties shall provide the data subject with the reasons for the redactions, to the extent possible
without revealing the redacted information. This Clause is without prejudice to the obligations of
the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has
become outdated, it shall inform the data exporter without undue delay. In this case, the data
importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After
the end of the provision of the processing services, the data importer shall, at the choice of the data
exporter, delete all personal data processed on behalf of the data exporter and certify to the data
exporter that it has done so, or return to the data exporter all personal data processed on its behalf
and delete existing copies. Until the data is deleted or returned, the data importer shall continue to
ensure compliance with these Clauses. In case of local laws applicable to the data importer that
prohibit return or deletion of the personal data, the data importer warrants that it will continue to
ensure compliance with these Clauses and will only process it to the extent and for as long as
required under that local law. This is without prejudice to Clause 14, in particular the requirement
for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the
contract if it has reason to believe that it is or has become subject to laws or practices not in line
with the requirements under Clause 14(a).
8.6 Security of processing
(a)
The data importer and, during transmission, also the data exporter shall implement
appropriate technical and organisational measures to ensure the security of the data,
including protection against a breach of security leading to accidental or unlawful
destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter
‘personal data breach’). In assessing the appropriate level of security, the Parties shall take
due account of the state of the art, the costs of implementation, the nature, scope, context
and purpose(s) of processing and the risks involved in the processing for the data subjects.
The Parties shall in particular consider having recourse to encryption or pseudonymisation,
including during transmission, where the purpose of processing can be fulfilled in that
manner. In case of pseudonymisation, the additional information for attributing the
personal data to a specific data subject shall, where possible, remain under the exclusive
control of the data exporter. In complying with its obligations under this paragraph, the
data importer shall at least implement the technical and organisational measures specified
in Annex II. The data importer shall carry out regular checks to ensure that these measures
continue to provide an appropriate level of security.
(b)
The data importer shall grant access to the personal data to members of its personnel only
to the extent strictly necessary for the implementation, management and monitoring of the
contract. It shall ensure that persons authorised to process the personal data have committed
themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality.
(c)
In the event of a personal data breach concerning personal data processed by the data
importer under these Clauses, the data importer shall take appropriate measures to address
the breach, including measures to mitigate its adverse effects. The data importer shall also
notify the data exporter without undue delay after having become aware of the breach.
Such notification shall contain the details of a contact point where more information can
be obtained, a description of the nature of the breach (including, where possible, categories
and approximate number of data subjects and personal data records concerned), its likely
consequences and the measures taken or proposed to address the breach including, where
appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is
not possible to provide all information at the same time, the initial notification shall contain
the information then available and further information shall, as it becomes available,
subsequently be provided without undue delay.
(d)
The data importer shall cooperate with and assist the data exporter to enable the data
exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to
notify the competent supervisory authority and the affected data subjects, taking into
account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for
the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life
or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive
data’), the data importer shall apply the specific restrictions and/or additional safeguards described
in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions
from the data exporter. In addition, the data may only be disclosed to a third party located outside
the European Union (in the same country as the data importer or in another third country,
hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under
the appropriate Module, or if:
(i)
the onward transfer is to a country benefitting from an adequacy decision pursuant to
Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii)
the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47
of Regulation (EU) 2016/679 with respect to the processing in question;
(iii)
the onward transfer is necessary for the establishment, exercise or defence of legal claims
in the context of specific administrative, regulatory or judicial proceedings; or
(iv)
the onward transfer is necessary in order to protect the vital interests of the data subject or
of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards
under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a)
The data importer shall promptly and adequately deal with enquiries from the data exporter
that relate to the processing under these Clauses.
(b)
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the
data importer shall keep appropriate documentation on the processing activities carried out
on behalf of the data exporter.
(c)
The data importer shall make available to the data exporter all information necessary to
demonstrate compliance with the obligations set out in these Clauses and at the data
exporter’s request, allow for and contribute to audits of the processing activities covered
by these Clauses, at reasonable intervals or if there are indications of non-compliance. In
deciding on a review or audit, the data exporter may take into account relevant
certifications held by the data importer.
(d)
The data exporter may choose to conduct the audit by itself or mandate an independent
auditor. Audits may include inspections at the premises or physical facilities of the data
importer and shall, where appropriate, be carried out with reasonable notice.
(e)
The Parties shall make the information referred to in paragraphs (b) and (c), including the
results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a)
The data importer has the data exporter’s general authorisation for the engagement of sub-
processor(s) from an agreed list. The data importer shall specifically inform the data
exporter in writing of any intended changes to that list through the addition or replacement
of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient
time to be able to object to such changes prior to the engagement of the sub-processor(s).
The data importer shall provide the data exporter with the information necessary to enable
the data exporter to exercise its right to object.
(b)
Where the data importer engages a sub-processor to carry out specific processing activities
(on behalf of the data exporter), it shall do so by way of a written contract that provides
for, in substance, the same data protection obligations as those binding the data importer
under these Clauses, including in terms of third-party beneficiary rights for data
subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its
obligations under Clause 8.8. The data importer shall ensure that the sub-processor
complies with the obligations to which the data importer is subject pursuant to these
Clauses.
(c)
The data importer shall provide, at the data exporter’s request, a copy of such a sub-
processor agreement and any subsequent amendments to the data exporter. To the extent
necessary to protect business secrets or other confidential information, including personal
data, the data importer may redact the text of the agreement prior to sharing a copy.
(d)
The data importer shall remain fully responsible to the data exporter for the performance
of the sub-processor’s obligations under its contract with the data importer. The data
importer shall notify the data exporter of any failure by the sub-processor to fulfil its
obligations under that contract.
(e)
The data importer shall agree a third-party beneficiary clause with the sub-processor
whereby - in the event the data importer has factually disappeared, ceased to exist in law
or has become insolvent - the data exporter shall have the right to terminate the sub-
processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a)
The data importer shall promptly notify the data exporter of any request it has received
from a data subject. It shall not respond to that request itself unless it has been authorised
to do so by the data exporter.
(b)
The data importer shall assist the data exporter in fulfilling its obligations to respond to
data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In
this regard, the Parties shall set out in Annex II the appropriate technical and organisational
measures, taking into account the nature of the processing, by which the assistance shall
be provided, as well as the scope and the extent of the assistance required.
(c)
In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply
with the instructions from the data exporter.
Clause 11
Redress
(a)
The data importer shall inform data subjects in a transparent and easily accessible format,
through individual notice or on its website, of a contact point authorised to handle
complaints. It shall deal promptly with any complaints it receives from a data subject.
(b)
In case of a dispute between a data subject and one of the Parties as regards compliance
with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a
timely fashion. The Parties shall keep each other informed about such disputes and, where
appropriate, cooperate in resolving them.
(c)
Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the
data importer shall accept the decision of the data subject to:
(i)
lodge a complaint with the supervisory authority in the Member State of his/her
habitual residence or place of work, or the competent supervisory authority
pursuant to Clause 13;
(ii)
refer the dispute to the competent courts within the meaning of Clause 18.
(d)
The Parties accept that the data subject may be represented by a not-for-profit body,
organisation or association under the conditions set out in Article 80(1) of Regulation (EU)
2016/679.
(e)
The data importer shall abide by a decision that is binding under the applicable EU or
Member State law.
(f)
The data importer agrees that the choice made by the data subject will not prejudice his/her
substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a)
Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies
by any breach of these Clauses.
(b)
The data importer shall be liable to the data subject, and the data subject shall be entitled
to receive compensation, for any material or non-material damages the data importer or its
sub-processor causes the data subject by breaching the third-party beneficiary rights under
these Clauses.
(c)
Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the
data subject shall be entitled to receive compensation, for any material or non-material
damages the data exporter or the data importer (or its sub-processor) causes the data subject
by breaching the third-party beneficiary rights under these Clauses. This is without
prejudice to the liability of the data exporter and, where the data exporter is a processor
acting on behalf of a controller, to the liability of the controller under Regulation (EU)
2016/679 or Regulation (EU) 2018/1725, as applicable.
(d)
The Parties agree that if the data exporter is held liable under paragraph (c) for damages
caused by the data importer (or its sub-processor), it shall be entitled to claim back from
the data importer that part of the compensation corresponding to the data importer’s
responsibility for the damage.
(e)
Where more than one Party is responsible for any damage caused to the data subject as a
result of a breach of these Clauses, all responsible Parties shall be jointly and severally
liable and the data subject is entitled to bring an action in court against any of these Parties.
(f)
The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to
claim back from the other Party/ies that part of the compensation corresponding to its/their
responsibility for the damage.
(g)
The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a)
The supervisory authority with responsibility for ensuring compliance by the data exporter with
Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as
competent supervisory authority.
(b)
The data importer agrees to submit itself to the jurisdiction of and cooperate with the
competent supervisory authority in any procedures aimed at ensuring compliance with
these Clauses. In particular, the data importer agrees to respond to enquiries, submit to
audits and comply with the measures adopted by the supervisory authority, including
remedial and compensatory measures. It shall provide the supervisory authority with
written confirmation that the necessary actions have been taken.
Clause 14
Local laws and practices affecting compliance with the Clauses
(a)
The Parties warrant that they have no reason to believe that the laws and practices in the
third country of destination applicable to the processing of the personal data by the data
importer, including any requirements to disclose personal data or measures authorising
access by public authorities, prevent the data importer from fulfilling its obligations under
these Clauses. This is based on the understanding that laws and practices that respect the
essence of the fundamental rights and freedoms and do not exceed what is necessary and
proportionate in a democratic society to safeguard one of the objectives listed in Article
23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b)
The Parties declare that in providing the warranty in paragraph (a), they have taken due
account in particular of the following elements:
(i)
the specific circumstances of the transfer, including the length of the processing
chain, the number of actors involved and the transmission channels used; intended
onward transfers; the type of recipient; the purpose of processing; the categories
and format of the transferred personal data; the economic sector in which the
transfer occurs; the storage location of the data transferred;
(ii)
the laws and practices of the third country of destination - including those requiring
the disclosure of data to public authorities or authorising access by such authorities
- relevant in light of the specific circumstances of the transfer, and the applicable
limitations and safeguards;
(iii)
any relevant contractual, technical or organisational safeguards put in place to
supplement the safeguards under these Clauses, including measures applied during
transmission and to the processing of the personal data in the country of destination.
(c)
The data importer warrants that, in carrying out the assessment under paragraph (b), it has
made its best efforts to provide the data exporter with relevant information and agrees that
it will continue to cooperate with the data exporter in ensuring compliance with these
Clauses.
(d)
The Parties agree to document the assessment under paragraph (b) and make it available to
the competent supervisory authority on request.
(e)
The data importer agrees to notify the data exporter promptly if, after having agreed to
these Clauses and for the duration of the contract, it has reason to believe that it is or has
become subject to laws or practices not in line with the requirements under paragraph (a),
including following a change in the laws of the third country or a measure (such as a
disclosure request) indicating an application of such laws in practice that is not in line with
the requirements in paragraph (a).
(f)
Following a notification pursuant to paragraph (e), or if the data exporter otherwise has
reason to believe that the data importer can no longer fulfil its obligations under these
Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or
organisational measures to ensure security and confidentiality) to be adopted by the data
exporter and/or data importer to address the situation. The data exporter shall suspend the
data transfer if it considers that no appropriate safeguards for such transfer can be ensured,
or if instructed by the competent supervisory authority to do so. In this case, the data
exporter shall be entitled to terminate the contract, insofar as it concerns the processing of
personal data under these Clauses. If the contract involves more than two Parties, the data
exporter may exercise this right to termination only with respect to the relevant Party,
unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this
Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1
Notification
(a)
The data importer agrees to notify the data exporter and, where possible, the data
subject promptly (if necessary with the help of the data exporter) if it:
(i)
receives a legally binding request from a public authority, including judicial
authorities, under the laws of the country of destination for the disclosure
of personal data transferred pursuant to these Clauses; such notification
shall include information about the personal data requested, the requesting
authority, the legal basis for the request and the response provided; or
(ii)
becomes aware of any direct access by public authorities to personal data
transferred pursuant to these Clauses in accordance with the laws of the
country of destination; such notification shall include all information
available to the importer.
(b)
If the data importer is prohibited from notifying the data exporter and/or the data
subject under the laws of the country of destination, the data importer agrees to use
its best efforts to obtain a waiver of the prohibition, with a view to communicating
as much information as possible, as soon as possible. The data importer agrees to
document its best efforts in order to be able to demonstrate them on request of the
data exporter.
(c)
Where permissible under the laws of the country of destination, the data importer
agrees to provide the data exporter, at regular intervals for the duration of the
contract, with as much relevant information as possible on the requests received (in
particular, number of requests, type of data requested, requesting authority/ies,
whether requests have been challenged and the outcome of such challenges, etc.).
(d)
The data importer agrees to preserve the information pursuant to paragraphs (a) to
(c) for the duration of the contract and make it available to the competent
supervisory authority on request.
(e)
Paragraphs (a) to (c) are without prejudice to the obligation of the data importer
pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where
it is unable to comply with these Clauses.
15.2
Review of legality and data minimisation
(a)
The data importer agrees to review the legality of the request for disclosure, in
particular whether it remains within the powers granted to the requesting public
authority, and to challenge the request if, after careful assessment, it concludes that
there are reasonable grounds to consider that the request is unlawful under the laws
of the country of destination, applicable obligations under international law and
principles of international comity. The data importer shall, under the same
conditions, pursue possibilities of appeal. When challenging a request, the data
importer shall seek interim measures with a view to suspending the effects of the
request until the competent judicial authority has decided on its merits. It shall not
disclose the personal data requested until required to do so under the applicable
procedural rules. These requirements are without prejudice to the obligations of the
data importer under Clause 14(e).
(b)
The data importer agrees to document its legal assessment and any challenge to the
request for disclosure and, to the extent permissible under the laws of the country
of destination, make the documentation available to the data exporter. It shall also
make it available to the competent supervisory authority on request.
(c)
The data importer agrees to provide the minimum amount of information
permissible when responding to a request for disclosure, based on a reasonable
interpretation of the request.
Clause 16
Non-compliance with the Clauses and termination
(a)
The data importer shall promptly inform the data exporter if it is unable to comply with
these Clauses, for whatever reason.
(b)
In the event that the data importer is in breach of these Clauses or unable to comply with
these Clauses, the data exporter shall suspend the transfer of personal data to the data
importer until compliance is again ensured or the contract is terminated. This is without
prejudice to Clause 14(f).
(c)
The data exporter shall be entitled to terminate the contract, insofar as it concerns the
processing of personal data under these Clauses, where:
(i)
the data exporter has suspended the transfer of personal data to the data importer
pursuant to paragraph (b) and compliance with these Clauses is not restored within
a reasonable time and in any event within one month of suspension;
(ii)
the data importer is in substantial or persistent breach of these Clauses; or
(iii)
the data importer fails to comply with a binding decision of a competent court or
supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance.
Where the contract involves more than two Parties, the data exporter may exercise this
right to termination only with respect to the relevant Party, unless the Parties have agreed
otherwise.
(d)
Personal data that has been transferred prior to the termination of the contract pursuant to
paragraph (c) shall at the choice of the data exporter immediately be returned to the data
exporter or deleted in its entirety. The same shall apply to any copies of the data. The data
importer shall certify the deletion of the data to the data exporter. Until the data is deleted
or returned, the data importer shall continue to ensure compliance with these Clauses. In
case of local laws applicable to the data importer that prohibit the return or deletion of the
transferred personal data, the data importer warrants that it will continue to ensure
compliance with these Clauses and will only process the data to the extent and for as long
as required under that local law.
(e)
Either Party may revoke its agreement to be bound by these Clauses where (i) the European
Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that
covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU)
2016/679 becomes part of the legal framework of the country to which the personal data is
transferred. This is without prejudice to other obligations applying to the processing in
question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law
allows for third-party beneficiary rights. The Parties agree that this shall be the law of France.
Clause 18
Choice of forum and jurisdiction
(a)
Any dispute arising from these Clauses shall be resolved by the courts of an EU Member
State.
(b)
The Parties agree that those shall be the courts of France.
(c)
A data subject may also bring legal proceedings against the data exporter and/or data
importer before the courts of the Member State in which he/she has his/her habitual
residence.
(d)
The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I
A. LIST OF PARTIES
Data Importer: Processor
Orbit Labs, Inc.
325 9th Street
San Francisco, CA 94103
Privacy Officer
privacy@orbit.love
Activities: Orbit, provider of the Services

Data Exporter: Controller
Customer (as defined in the Subscription Agreement)
Customer’s address and contact information as designated in Registration (as defined in the
Subscription Agreement)
Activities: Customer, recipient of the Services
B. DESCRIPTION OF TRANSFER
DATA SUBJECTS. The personal data transferred concern the following categories of data subjects:
Individuals selected by Customer or Customer’s employees, agents, or contractors and information
collected and Processed in providing the Services, namely customers and potential customers.
Customer acknowledges and agrees that it controls how the Licensed Materials are used to Process
Customer Personal Data.
CATEGORIES OF DATA. The personal data transferred concern the following categories of data:
First and last name, title, position, employer, contact information (company, email, phone, physical
business address), professional life data, personal life data. Customer acknowledges and agrees
that it controls how the Licensed Materials are used to Process Customer Personal Data.
SENSITIVE DATA (if appropriate). The personal data transferred concern the following categories of
sensitive data:
Depending on how Customer uses the Services, the personal data may include personal data
revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade
union membership, data concerning health, or data concerning a natural person's sex life or sexual
orientation. Customer acknowledges and agrees that it controls how the Licensed Materials are
used to Process Customer Personal Data.
FREQUENCY. The transfer of personal data will occur with the following frequency:
Periodically during the term of the Subscription Agreement, depending on how Customer uses the
Services.
NATURE. The nature of the personal data transfer is as follows:
Orbit will process Customer Personal Data for the purposes of providing the Services and as set
forth in the Agreement. Processing activities may include: collection, retrieval, organization,
storage, alteration, enhancement, aggregation, de-identification, use, and disclosure. Customer
acknowledges and agrees that it controls how the Licensed Materials are used to Process Customer
Personal Data.
PURPOSES OF THE TRANSFER(S). The transfer is made for the following purposes:
The transfer is intended to enable the relationship and performance of the underlying agreement
between the parties.
ADDITIONAL USEFUL INFORMATION (storage limits and other relevant information).
Any personal data transferred between the parties may only be retained for the period of time
permitted under the underlying agreement between the parties.
C. COMPETENT SUPERVISORY AUTHORITY
France’s Commission Nationale de l’Informatique et des Libertés
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND
ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s)
(including any relevant certifications) to ensure an appropriate level of security, taking into
account the nature, scope, context and purpose of the processing, and the risks for the rights and
freedoms of natural persons.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and
purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of
natural persons, the data importer has implemented appropriate technical and organizational measures
intended to ensure a level of security appropriate to the risk.
1.
Orbit implements various security and compliance measures to ensure that our technical and
organizational controls for the security and processing of data are best in class. Orbit is a
SOC 2 Type 1 certified organization under the Common Criteria, and additionally under the
Confidentiality and Processing Integrity optional Criteria. Orbit implements over 116 discrete
controls, made up of many individual controls, as part of our compliance requirements
to ensure that we meet these requirements.
2.
Orbit encrypts all data in transit and at rest, ensuring that data cannot be accessed by any
unauthorized parties while in transit, physically, or through compromise. Orbit implements
various measures including stringent QA processes and regular evaluation of processing
systems to ensure ongoing integrity, availability and resilience of processing systems and
services. Confidentiality of data is a paramount criterion during engineering scoping and is
regularly evaluated independently by our security and infrastructure teams.
3.
Orbit has various processes in place for regularly testing, assessing and evaluating the
effectiveness of our measures. These include, but are not limited to, monthly audits of access
levels, arbitrary spot checks by independent auditors to ensure control compliance, regular
external security penetration tests and evaluations, as well as automated tooling to identify
compliance violations, and stringent access control scope.
4.
In the event of a Disaster Recovery incident, Orbit is well prepared. Our infrastructure is well
documented and we conduct Disaster Recovery drills at least annually to ensure that in the
event of a significant event, we are fully familiar with the processes and flows needed to recover
with speed and accuracy.
5.
Orbit conducts vendor review for all vendors we conduct business with. Additional review is
conducted for any vendors deemed critical to business continuity, and infrastructure providers
are required to meet beyond-industry-standards for physical and digital security controls and
implementations.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
Sub-processor Name          Description of Processing
Amazon Web Services, Inc.   Application hosting
Heroku, Inc.                Application hosting and deployment
Clearbit (APIHub, Inc.)     Data enrichment
Appsignal                   Performance monitoring
Segment                     Event tracking
Algolia                     Search services
Amplitude                   Marketing aggregation
HelpScout                   Support ticketing and management
Sprig (formerly UserLeap)   Product and user research
Glitch                      Marketing data processing
Honeycomb                   Performance monitoring
Webflow                     Application hosting
Mailchimp                   Marketing email management