Enboarder Terms of Service - UK/EU

These Terms of Service, including all Order Forms, addenda, exhibits and schedules hereto, as well as the Privacy Policy, Acceptable Use Policy, and Data Protection Addendum (collectively, the "Agreement"), are between Enboarder Limited (Company Number: 10907898), with registered offices located at 10 John St., London, WC1N 2EB ("Enboarder") and customer ("Customer") whose name appears on the Order Form regarding the Online Services and is effective as of the Subscription start date set forth on the Order Form ("Effective Date"). Enboarder and Customer are each referred to individually as a "party," and collectively as the "parties."

1. AGREEMENT

  • This Agreement governs Enboarder's provision of the Online Services and Customer's access to and use of the Online Services. It contains the general terms and conditions applicable to all such Online Services.
  • By accepting this Agreement, Customer acknowledges that Customer has read, understood and agrees to be bound by this Agreement which, together with the Privacy Policy, Data Protection Addendum and Acceptable Use Policy, govern Enboarder's relationship with Customer in relation to the Online Services. Order Forms may contain additional terms specific to the Online Services provided thereunder.
  • If you are an individual entering into this Agreement on behalf of an entity, such as your employer, you represent that you have the legal authority to bind that entity.

2. DEFINITIONS

In this Agreement, unless the context requires otherwise:

  • "Acceptable Use Policy" means Enboarder's Acceptable Use Policy available at https://enboarder.com/acceptable-use as updated from time to time on the Website and incorporated by reference into the Agreement;
  • "Add-Ons" means advanced functionality to support the Platform which Customer may request under section 5;
  • "Add-On Fees" means the fees for the Add-Ons published on the Website;
  • "Applications" means software programs provided by Customer that run on or run through the Platform;
  • "Content" means Personal Data and all other text, files, images, graphics, illustrations, information, data (including audio, video, photographs, and other content and material), in any format, provided by Customer that are uploaded, reside in, run on or run through, the Platform;
  • "Data Protection Addendum" means Enboarder's Data Protection Addendum attached hereto as Addendum A and incorporated by reference into this Agreement;
  • "Data Protection Laws" has the meaning set forth in Enboarder's Data Protection Addendum (See Addendum A);
  • "Documentation" means material describing the functional processes, assumptions, specifications, and principal operations of the Platform which has been designated by Enboarder as the official documentation for the Platform;
  • "Feedback" means all suggestions comments, opinions, code, input, ideas, reports, information, know-how or other feedback provided by Customer (whether in oral, electronic, or written form) to Enboarder related to the Online Services;
  • "Fees" means the Subscription Fees and Add-On Fees;
  • "Initial Subscription Period" means the period specified in the applicable Order Form;
  • "Intellectual Property Rights" means all intellectual property rights throughout the world, including but not limited to, the following rights: copyright (including copyrights, copyright registration and copy rights with respect to computer software, software design, software code, software architecture, firmware, programming tools, graphic user interfaces, reports, dashboard, business rules, use cases, screens, alerts, notification, drawings specifications and databases); moral rights, trade secrets and other rights with respect to confidential or proprietary information; know-how; other rights with respect to inventions, discoveries, ideas, improvements, techniques, formulae, algorithms, processes, schematics, testing procedures, technical information, and other technology; and any other intellectual and industrial property rights, whether or not subject to registration or protection; and all rights under any license or other arrangement with respect to the foregoing;
  • "Internal Purposes" means internal business use within Customer's systems, networks, and devices;
  • "Log-In Credentials" means sign-in identification and password or other method of access that Enboarder provides to Customer in order to access the Subscription;
  • "Malicious Code" means, without limitation, code, files, scripts, agents or programs intended to do harm, including, without limitation, viruses, worms, bombs and trojan horses;
  • "Online Services"means any and all of the services, Software, and other offerings provided by Enboarder pursuant to the Agreement, including the Subscription, the offerings provided through the Website, any mobile applications and APIs provided by Enboarder, and all such services and software labelled as alpha, beta, pre-release, trial, preview or otherwise. Online Services may include any enhancements, updates, upgrades, derivatives, or bug fixes to such services, software and offerings, and any documentation, add-ons, templates and sample data sets;
  • "Order Form" means an order for the Online Services (using Enboarder's template) signed by the Customer and accepted by Enboarder, which specifies the Subscription, including, without limitation, the number of seats or users, the Initial Subscription Period, the Subscription Fees, and any additional terms applicable to the Subscription;
  • "Payment Date" means the recurrent date (monthly or annual) for payment of the Fees as specified in the Order Form;
  • "Personal Data" means any information relating to an identified or identifiable natural person which is uploaded to the Platform by or on behalf of the Customer in connection with the Customer's use of the Subscription;
  • "Platform" means the workflow platform located at https://enboarder.com/ and related services located in the https://enboarder.com/ domain and subdomains, including software, code, algorithms, hosted services, and web interfaces that is comprised of the web-based authoring environment to create and monitor workflows, and the mobile-first screens that are delivered to manager(s) and employees which are part of the Online Services;
  • "Privacy Policy" means Enboarder's Privacy Policy available at https://enboarder.com/privacy as updated from time to time on the Website;
  • "Software" means any software forming part of the Platform and/or Add-Ons;
  • "Subscription" means the non-exclusive, non-sublicensable, non-transferrable, revocable, limited right and license to access and use the Platform for an Internal Purpose during the Subscription Period, as specified in an Order Form;
  • "Subscription Fees" means the monthly or annual fee for the Subscription as set out in the Order Form, or published on the Website from time to time, which Customer must pay in advance to Enboarder in accordance with section 6;
  • "Subscription Period" means the Initial Subscription Period as extended under section 17(b); and
  • "Website" means www.enboarder.com.

3. LICENSE GRANT

Customer's Subscription is subject to and governed by the terms and conditions in this Agreement, including those in the applicable Order Form. In the event of a conflict between the terms in and Order Form and these Terms of Service, the terms in the Order Form will control with respect to the Subscription provided under such Order Form. The Subscription is granted subject to and conditional on Customer's compliance with the Agreement and upon payment of the Fees in accordance with section 6.

4. USE OF THE SUBSCRIPTION

  • To receive the Subscription, Customer must:
    1. Use the Log-In Credentials;
    2. For the duration of the Subscription Period, provide Enboarder with access to and a right to use, process, and transmit Customer's Content and Customer's Applications for the purposes of providing the Subscription and for any other purposes specified in the Agreement; and
    3. Follow any operating procedures and use any software as may be specified in the Documentation or as may be notified by Enboarder from time to time.
  • It is a condition of Customer's Subscription that Customer complies at all times with the Acceptable Use Policy.
  • Customer acknowledges that Customer is responsible for all hardware, software, and telecommunications services used to access and use the Subscription.

5. ADD-ONS

Customer may, during the Subscription Period, request the provision of Add-Ons to be included as part of the Subscription. If the request for Add-Ons is agreed by Enboarder, Customer must pay Enboarder the Add-On Fees at the time set out in section 6. The Agreement will govern Customer's use of and access to such Add-Ons.

6. FEES AND PAYMENT

6.1 Fees

The Subscription Fees and Add-On Fees will be payable by Customer on or before the Effective Date and on each subsequent Payment Date. All payments must be made in the currency set out in the Order Form via electronic funds transfer, as per Enboarder's instructions. Enboarder will issue an electronic tax invoice upon registration and then prior to each Payment Date.

6.2 Late Payments

If Customer fails to pay any past due invoice, Enboarder may revoke or suspend the Subscription until such time as Customer pays any outstanding amounts. Enboarder may charge interest on all past due invoices at a rate of 1.5% per month, or the highest rate allowed under applicable law, whichever is lower.

6.3 Taxes

All Subscription Fees and Add-On Fees are exclusive of all applicable taxes (except for any withholding taxes and taxes solely based on Enboarder's net income), duties, imposts, charges, withholdings, rates, levies, or other governmental impositions of whatever nature and by whatever authority imposed, assessed, or charges ("Taxes") and Customer will be responsible for the payment of all such Taxes and any related penalties and interest arising from the payment of or failure to pay such amounts. If Customer is legally required to withhold any amounts to be paid to Enboarder, Customer may deduct such Taxes from the amount otherwise owed and pay the tax to the appropriate taxing authority, and must provide to Enboarder, on a timely basis, properly executed certificates, receipts or other documentation as evidence of such payment to the taxing authority sufficient to permit Enboarder to establish Enboarder's right to a credit for such Taxes against Enboarder's income tax liability. Customer must provide Enboarder with such assistance as Enboarder may reasonably request in connection with any applicable by Enboarder to qualify for the benefit of a reduced rate of withholding taxation under the terms of any applicable income tax treaty.

7. OWNERSHIP AND LICENSE RESTRICTIONS

7.1 Ownership
  • The Subscription is a temporary right to access and use the Platform and Enboarder, its suppliers or its licensors, retain and reserve all rights, including all Intellectual Property Rights, in and to the Platform. For the avoidance of doubt, Enboarder will own all rights, including all Intellectual Property Rights, in any features or functionality of the Platform or the Subscription which are the result of Feedback provided to Enboarder by the Customer, and Customer agrees that Enboarder is free to use, reproduce, modify, adapt, create derivative works from, publicly perform, publicly display, distribute, make, have made, assign, pledge, transfer, or otherwise grant rights in such features or functionality in any form and any medium (whether now known or later developed), without credit or compensation to Customer.
  • Subject to the license granted under section 4(a)(ii), Customer and its licensors will retain all Intellectual Property Rights in and to its Content and Applications.
7.2 License Restrictions
  • Restrictions: Except as expressly authorized in the Agreement or by Enboarder in writing, Customer must not, and must not permit any third party to:
    1. access or use the Subscription for any purpose other than Internal Purposes (including for any competitive analysis, commercial, professional, or other for-profit purposes);
    2. copy any materials provided as part of the Subscription (except as required to run the Subscription and for reasonable backup purposes);
    3. modify, adapt, or create derivative works of any Software;
    4. rent, lease, loan, resell, transfer, sublicense, display, or distribute the Subscription to any third party;
    5. use or offer any functionality of the Subscription on a service provider, service bureau, hosted, software as a service, or time-sharing basis, provide or permit other individuals or entities to create Internet "links" to the Subscription, or "frame" or "mirror" the Subscription on any other server, or wireless, or Internet-based device;
    6. decompile, disassemble, translate or reverse-engineer any Software of otherwise attempt to derive source code, algorithms, methods, or techniques used or embodied in the Subscription;
    7. disclose to any third party the results of any benchmark tests or other evaluation of the Subscription;
    8. remove, alter, obscure, cover or change any trademark, copyright, or other proprietary notices, labels, or markings from or on the Subscription;
    9. interfere with or disrupt the servers or networks connected to any website through which the Subscription is provided;
    10. use the Subscription to build a similar or competitive product or service;
    11. use the Subscription to transmit Malicious Code;
    12. use the Subscription for any illegal, unauthorized or otherwise improper purposes;
    13. attempt to download the Software;
    14. modify or alter the Software or Documentation; or
    15. except as permitted under section 8.2, provide or make the Website available in any manner to a third party.
  • Other Parties: Any employee, consultant, contractor, or agent hired to perform services for Customer may operate the Subscription on Customer's behalf solely pursuant to and in accordance with this Agreement, provided that:
    1. Customer is responsible for ensuring that any such party agrees in a legally enforceable manner to abide by and fully comply with the terms and conditions of this Agreement on the same basis as applicable to Customer;
    2. such use is only in connection with Customer's Internal Purposes;
    3. . such use does not represent or constitute an increase in the scope of the licenses provided in this Agreement; and
    4. Customer remains fully responsible and liable for any and all acts or omissions by such third parties related to this Agreement.
  • Immediate Termination: Any violation of section 7.2 by the Customer will be considered a material breach of this Agreement and Enboarder may immediately terminate the Agreement without notice in the event of such breach.

8. LINKS AND TOOLS

8.1 Linked Sites
  • The Website may contain links to other websites including, without limitation, social networking, blogging, and other similar sites ("Linked Sites").
  • The Linked Sites are provided for Customer's convenience only and it is Customer's responsibility to make Customer's own decisions about the currency, completeness, accuracy, reliability, and suitability of information contained in and use of or access to the Linked Sites.
  • Enboarder does not endorse, verify, represent or take any responsibility for the content of the Linked Sites.
  • Customer acknowledges that the Linked Sites may have different terms of use and privacy policies and Customer's use of the Linked Sites is governed by such third party's site terms of use and privacy policy.
8.2 Link to the Website
  • Customer may include a link to the Website, but permission is restricted to making a link without any alteration of the relevant Website contents, Permission is not granted to reproduce, frame or reformat the files, pages, images, information and materials from the Website on any other website unless express prior written permission has been obtained from Enboarder.
  • In no event is Customer permitted to use the Website to sell a product or service, or to increase traffic to Customer's website for commercial reasons, such as advertising sales.
  • Enboarder reserves the right to prevent linking to the Website at any time.
8.3 Third-party tools
  • Enboarder may provide the use of third-party tools on the Website or in connection with Customer's use of the Subscription (such as for form capture). Such tools are provided "as is" and without warranty of any kind.

9. PERSONAL DATA

9.1 Data Processing

Enboarder will process and use any Personal Data in accordance with the Privacy Policy and the Data Protection Addendum located in Addendum A. In the event of a conflict between any provisions in these Terms of Service and the Data Protection Addendum, the provisions of the Data Protection Addendum will govern and control with regard to the processing of Personal Data. Enboarder will maintain a security program materially in accordance with industry standards that is designed to protect the security, confidentiality, and integrity of the Personal Data.

9.2 Consents

Customer represents and warrants and agrees that Customer has made any disclosures to and obtained any consents from the relevant data subjects which are required under applicable Data Protection Laws in order for the Personal Data to be lawfully uploaded to the Platform and Enboarder to process that Personal Data as contemplated by this Agreement.

10. CONTENT

10.1. Use of Content

Customer hereby grants Enboarder a perpetual, irrevocable, non-exclusive, royalty-free, paid-up, worldwide, sublicensable license to use, access, transmit, host, store, and display the Content solely for the purpose of providing and improving the Subscription, including rights to extract, compile, aggregate, synthesize, use, and otherwise analyze all or any portion of the Content. Enboarder may use, publish, share, distribute, or disclose such Content on an aggregate basis or in a de-identified manner that does not allow personal data about Customer to be separated from the aggregate data and identified as originating from Customer.

10.2. Content Warranty and Obligations

Customer represents, warrants, and agrees that Customer has all rights to provide the Content and other materials that Customer provides or makes available to Enboarder. Customer acknowledges and agrees that Customer is solely responsible for all Content and for Customer's conduct while using the Subscription. Customer acknowledges and agrees that:

  • Customer will evaluate and bear all risks associated with Customer's use and distribution for all Content;
  • Customer is responsible for protecting and backing up the Content;
  • Customer is responsible for protecting the confidentiality of all Content in Customer's possession and control; and
  • Under no circumstances will Enboarder be liable in any way for any Content, including but not limited to, any errors or omissions in any Content, or any loss or damages of any kind incurred as a result of Customer's use, deletion, modification, or correction of any Content. Customer has full discretion and control regarding how to store, protect, remove or delete any Content and Enboarder will have no liability for any damages caused by such deletion or removal of or failure to store or protect Content.

11. FEEDBACK

Customer agrees to provide Enboarder with Feedback. Enboarder, in its sole discretion, may or may not respond to Customer's Feedback or promise to address all of Customer's Feedback in the development of future features or functionalities of the service or any related or subsequent versions of such service. Customer assigns, at no charge, all rights, title and interests in Feedback to Enboarder, and agrees that Enboarder is free to use, reproduce, modify, adapt, create derivative works from, publicly perform, publicly display, distribute, make, have made, assign, pledge, transfer or otherwise grant rights in the Feedback in any form and any medium (whether now known or later developed), without credit or compensation to Customer. Customer warrants that the Feedback does not infringe any copyright or trade secret of any third party, and that Customer has no knowledge of any patent of any third party that may be infringed by the Feedback (including any implementation thereof recommended by you). Customer further warrants that Customer's Feedback is not subject to any license terms that would purport to require Enboarder to comply with any additional obligations with respect to any service that incorporates Customer's Feedback.

12. SECURITY, VIRUSES, ERRORS AND AVAILABILITY

  • Customer acknowledges that:
    1. the internet is an insecure public network which means that there are risks that information sent to or from the Online Services may be intercepted, corrupted, or modified by third parties; and
    2. files obtained from and through the Online Services may contain Malicious Code.
  • Customer bears the risks and responsibility for any loss or damage caused, directly or indirectly, by the risks described in this section 12, and Enboarder accepts no liability for any interference with, or damage to, Customer's computer system, device, software, Content or other data occurring in connection with Customer's access or use of the Online Services.
  • Notwithstanding the foregoing, Enboarder will take all commercially reasonable steps to maintain the security and the integrity of the Online Services. Specifically, Enboarder will:
    1. implement appropriate administrative, physical and technical safeguards to protect Customer's Content; and
    2. as soon as it becomes aware that Malicious Code is contained in or affects the Online Services and/or that any of Customer's Content has, or may have been, subject to unauthorized access, immediately notify Customer and take all reasonable steps to remedy the problem, secure the Content and remove the Malicious Code, as applicable.

13. WARRANTIES, DISCLAIMERS AND EXCLUSIVE REMEDIES

  • No representation or warranty (express or implied) is made as to the currency, completeness, accuracy, reliability, suitability, and/or availability of any information on the Website.
  • Subject to sections 13(d), 13(e), and 13(f), Enboarder will use commercially reasonable efforts to ensure that the Subscription will operate in accordance with the applicable Documentation.
  • Each party represents and warrants that it has the full right, power, and authority to enter into this Agreement and to perform its obligations and duties under this Agreement, and that the performance of such obligations and duties does not conflict with or result in a breach of any other agreement of such party or any judgment, order, or decree by which such party is bound.
  • If the Subscription (including the functionality of the Platform) fails to operate in accordance with the applicable Documentation during the Initial Subscription Period and Customer notifies Enboarder in writing of this failure, Enboarder, at its cost, will correct the failure provided that Enboarder may decline to correct the failure if such correction cannot be completed in a commercially reasonable manner but in such event, Customer may terminate this Agreement and recover a pro-rata portion of the Subscription Fees paid by Customer that are attributable to the failed services. This section 13(d) states Enboarder's sole liability and Customer's exclusive remedy for any breach of section 13(b).
  • The warranty in section 13(b) will not apply if the failure of the Subscription resulted from improper use or a defect in or failure of any device, communications link or software used to access the Subscription.
  • EXCEPT AS SET FORTH IN SECTION 13(b) AND 13(c), ENBOARDER DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, TITLE, QUIET ENJOYMENT AND WARRANTIES ARISING OUT OF COURSE OF DEALING, USAGE OR TRADE PRACTICE, OR BY STATUTE OR IN LAW. ENBOARDER SPECIFICALLY DOES NOT WARRANT THAT THE SUBSCRIPTION WILL MEET CUSTOMER'S REQUIREMENTS, THE OPERATION OR OUTPUT OF THE SUBSCRIPTION WILL BE ERROR-FREE, VIRUS-FREE, SECURE, ACCURATE, RELIABLE, COMPLETE, OR UNINTERRUPTED.

14. INDEMNIFICATION

14.1 Claims Against Customer.

Enboarder will defend, indemnify, and hold Customer harmless against any claim, suit or action brought against Customer by a third party to the extent that such claim, suit or action arises from an allegation that the Online Services, when used as expressly permitted by this Agreement, infringes the Intellectual Property Rights of such third party ("Customer Claim"), and Enboarder will indemnify Customer for any amounts awarded against Customer in judgment or settlement of such Customer Claim. If Enboarder receives prompt notice of a Customer Claim that, in Enboarder's reasonable opinion, is likely to result in an adverse ruling, then Enboarder may: (i) obtain a right for Customer to continue using the Online Services at issue; (ii) modify such Online Services to make it non-infringing; (iii) replace such Online Services with a non-infringing version; or (iv) terminate this Agreement and/or provide a reasonable depreciated or pro-rata refund of amounts prepaid for the allegedly infringing Online Services.

14.2 Enboarder Indemnity Limits.

Notwithstanding the foregoing, Enboarder will have no obligation under section 14.1 or otherwise with respect to any infringement claim based upon: (i) any use of the Online Services and/or Documentation not expressly permitted under this Agreement or contrary to the instructions given to Customer by Enboarder; (ii) any use of the Online Services in combination with products, equipment, software, or data not made available by Enboarder if such infringement would have been avoided without the combination with such other products, equipment, software, or data; (iii) Customer's use of the Online Services or Documentation after notice of the alleged or actual infringement from Enboarder or any appropriate authority; or (iv) any modification of the Online Services or Documentation by any person other than Enboarder or its authorized agents or subcontractors (collectively, "Excluded Claims"). Enboarder will have no obligation under section 14.1 or otherwise with respect to any claim based upon the use by Customer of any Content uploaded or accessed through the Online Services to the extent such claim is not based on the Online Services itself. Section 14.1 and 16(b) state Enboarder's sole obligation and liability and Customer's exclusive remedy for all third-party claims.

14.3 Claims Against Enboarder.

Customer will defend, indemnify, and hold Enboarder harmless against any claim, suit, proceedings, or losses against or damages, expenses, and costs (including without limitation court costs and reasonable legal fees) incurred by Enboarder brought by a third party to the extent that such claim, suit or action arises from: (i) Customer's failure to comply with or violation of any applicable law or regulation; (ii) Customer's infringement of any third party's Intellectual Property Right; (iii) Customer's use of any Content; (iv) Customer's products or services; or (v) Excluded Claims (each, an "Enboarder Claim").

14.4 Procedure.

The foregoing obligations are conditioned on the party seeking indemnification: (i) promptly notifying the other party in writing of such claim; (ii) giving the other party sole control of the defense thereof and any related settlement negotiations; and (iii) cooperating and, at the other party's request and expense, assisting in such defense. Neither party may make any public announcement of any claim, defense, or settlement without the other party's prior written approval. The indemnifying party may not settle, compromise, or resolve a claim without the consent of the indemnified party, if such settlement, compromise, or resolution causes or requires an admission or finding of guilt against the indemnified party, imposes any monetary damages against the indemnified party, or does not fully release the indemnified party from liability with respect to the claim.

15. CONFIDENTIALITY

15.1 Definitions:

In this section:

  • "Confidential Information" means information disclosed by a party in connection with the provision or use of the Online Services that either:
    1. Is designated as confidential by the Discloser at the time of disclosure; or
    2. Would reasonably be understood by the Recipient, given the nature of the information or the circumstances surrounding its disclosure, to be confidential, including without limitation, Discloser's product designs, product plans, data, software and technology, financial information, marketing plans, business opportunities, proposed terms, pricing information, discounts, inventions and know-how disclosed by Discloser to Recipient, whether in writing, verbally, or otherwise, and whether prior to, on, or after the Effective Date. Enboarder's Confidential Information also includes the Platform, the Subscription, and terms and conditions upon which Enboarder is providing the Online Services to the Customer;
  • "Discloser" means a party which discloses Confidential Information to the other party; and
  • "Recipient" means a party which receives Confidential Information disclosed by the other party.
15.2 Use of Confidential Information

A Recipient may not use Confidential Information in any way for its own benefit or the benefit of any third party, except as expressly permitted by, or as required to implement, this Agreement or as otherwise authorized in writing by the Discloser.

15.3 Disclosure of Confidential Information:

Recipient must:

  • Hold Confidential Information in strict confidence and take reasonable precautions to protect and secure such Confidential Information (such precautions to include, at a minimum, all precautions Recipient employs with respect to its own Confidential Information); and
  • Not divulge any Confidential Information to any third party (other than to employees or contractors as set forth below). Any employee or contractor given access to any Confidential Information must have a legitimate "need to know" such Confidential Information for use specified in section 15.2 and Recipient will remain responsible and liable for each such person's compliance with this Agreement.
15.4 Confidentiality Period
  • Irrespective of any termination of this Agreement, Recipient's obligations with respect to Confidential Information expire 5 years from the date of receipt of the Confidential Information (except with respect to any trade secrets where such obligations will be perpetual).
  • Exclusions: This Agreement imposes no obligations with respect to information which:
    1. was in Recipient's possession before receipt from Discloser;
    2. is or becomes a matter of public knowledge through no fault of Recipient;
    3. was rightfully disclosed to Recipient by a third party, who has no restriction on disclosure; or
    4. is developed by Recipient without use of the Confidential Information as can be shown by documentary evidence. Recipient may make disclosures to the extent required by law or court order, provided Recipient makes reasonable efforts to provide Discloser with notice of such disclosure as promptly as possible and uses diligent efforts to limit such disclosure and obtain confidential treatment or a protective order, and has allowed Discloser to participate in the proceeding.
  • Return or Destruction of Confidential Information: Upon termination of this Agreement or written request by Discloser, the Recipient must:
    1. cease using the Confidential Information; and
    2. return or destroy the Confidential Information and all copies, notes or extracts thereof to Discloser within 7 business days of such request or termination.

16. LIMITATION OF LIABILITY

  • Subject to section 16(d), in no event will Enboarder be liable to Customer for any special, indirect, incidental, consequential, exemplary, or punitive damages, or for any loss of use, data, content, applications, goodwill or profits, business interruption, or costs of procuring substitute software or services, arising out of or in connection with this Agreement or the use or performance of the Subscription. Without limiting the foregoing, Enboarder will have no liability or responsibility for any business interruption or loss of data, content, or applications arising from the automatic termination of the license rights granted herein and any associated cessation of the Platform or Subscription, its functions, any unanticipated or unscheduled downtime for any reason or any deletion, corruption, or damage of data, content, or applications on or through the Platform or Subscription.
  • Subject to section 16(d), Enboarder's total cumulative liability to Customer in connection with this Agreement and the supply of the Online Services, including all Order Forms, at any time will be limited to and will not exceed the fees actually paid by Customer to Enboarder for the Subscription in the 12-month period immediately preceding the date of the event that gave rise to such cause of action ("Liability Cap").
  • The foregoing limitations, exclusions and disclaimers shall apply regardless of whether such liability arises from any claim based upon contract (including under any indemnity), warranty, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, and whether or not the party has been advised of the possibility of such loss or damage. The parties agree that the limitations on liabilities set forth herein are agreed allocations of risk and such limitations will apply notwithstanding the failure of essential purpose of any limited remedy
  • Nothing in this Agreement excludes the liability of either party for:
    1. Death or personal injury caused by negligence;
    2. Fraud or fraudulent misrepresentation; or
    3. Any other liability that cannot be legally limited by law.

17. SUBSCRIPTION PERIOD AND TERMINATION

  • Unless earlier terminated in accordance with this Agreement, the Initial Subscription Period will commence on the Effective Date and end on the term set forth in the applicable Order Form.
  • The initial Subscription Period will automatically renew for additional periods of 12 months, unless a party provides written notice to the other party of its intention not to renew at least 30 days prior to expiration of the Initial Subscription Period or any subsequent 12-month period, as appropriate.
  • Without limiting any other right or remedy Enboarder may have against Customer arising out of or in connection with this Agreement, Enboarder may, at its option, terminate Customer's Subscription with immediate effect by giving Customer prior written notice if:
    1. Customer fails to comply with the Acceptable Use Policy when accessing or using the Subscription;
    2. Customer commits a material breach of any terms in this Agreement where that breach is not capable of remedy; or
    3. Customer breaches any other provision of this Agreement and fails to remedy that breach within 14 days after receiving notice requiring Customer to do so.
  • If Customer's Subscription is terminated under section 17(c), Enboarder will not be liable and Customer will not be entitled to any refund of any part of the Fees previously paid.
  • Immediately upon termination of this Agreement:
    1. all Order Forms and licenses granted under this Agreement will immediately terminate and Customer must immediately cease all use of the Subscription;
    2. Customer must destroy, or upon Enboarder's request, return to Enboarder the Confidential Information that is in Customer's possession or control; and
    3. any and all of Customer's payment obligations under each Order Form will immediately become due. Upon Enboarder's request, Customer must certify in writing that it has returned or destroyed all copies of Enboarder's Confidential Information.
  • Clauses 1, 6, 7, 10, 11, 13 – 19 will survive termination of this Agreement.

18. GENERAL

  • Compliance with Laws. Customer must comply fully with all applicable laws, including all applicable laws relating to bribery or corruption, and export laws and regulations of any country where Customer uses or accesses any portion or functionality of the Subscription.
  • Assignment and Novation. Customer may not assign, delegate or transfer this Agreement or give or transfer the Subscription, Documentation or an interest in them to another individual or entity, in whole or in part, by agreement, operation of law or otherwise. Any attempt to assign this Agreement other than as permitted herein will be null and void. Customer acknowledges that Enboarder may assign, subcontract, or delegate any of its rights or obligations under this Agreement. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties' permitted successors and assigns.
  • Entire Agreement. This Agreement constitutes the entire agreement between the parties in connection with its subject matter and supersedes all previous agreements or understandings between the parties in connection with its subject matter.
  • Severability. This Agreement is declared to be severable. If a court of competent jurisdiction holds any part of this Agreement void, invalid, or unenforceable, it is severed and will be deemed to be omitted to the extent that it is void, invalid, or unenforceable, and the remainder of this Agreement will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law.
  • Waiver. A waiver by either party in respect to a breach of a term of this Agreement by the other party will not be taken to be a waiver in respect of any other breach. The failure to enforce any term of this Agreement will not be interpreted as a waiver of that term.
  • Governing Law and Jurisdiction. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) will be governed by and construed in accordance with the laws of England and Wales. The parties agree that the courts of England and Wales shall have exclusive jurisdiction to settle any action, proceeding, controversy, or claim between them arising out of or relating to this Agreement (including non-contractual disputes or claims). The parties agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement, regardless of the countries in which the parties do business or are incorporated.


Addendum A Data Protection Addendum

This Data Protection Addendum ("Addendum") that is referenced in the Agreement, forms part of the agreement ("Principal Agreement") entered into on the Effective Date of the Agreement between:

  1. Enboarder Limited (Company Number: 10907898) ("Processor") acting on its own behalf and as agent for each Processor Affiliate; and
  2. The party defined as Customer under the Agreement ("Controller")acting on its own behalf and as agent for each Controller Affiliate.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

1. Definitions.

1.1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
  • "Controller Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Controller, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  • "Controller Group Member" means Controller or any Controller Affiliate;
  • "Controller Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of a Controller Group Member pursuant to or in connection with the Principal Agreement;
  • "Contracted Processor" means Processor or a Subprocessor;
  • "Delete" means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed;
  • "Data Protection Laws" means all laws relating to the protection of personal data and privacy in force from time to time in any jurisdiction as applicable and binding on any party, including (without limitation):
    1. the EU GDPR;
    2. the UK GDPR;
    3. the UK Data Protection Act 2018;
    4. the Privacy and Electronic Communications Directive (EU) 2002/58/EC;
    5. the Privacy and Electronic Communications (EC Directive) Regulations 2003; and
    6. any laws that implement, replace, extend, re-enact, consolidate oramend any of the foregoing;
  • "EEA" means the European Economic Area;
  • "GDPR" the EU GDPR and/or UK GDPR (as applicable);
  • "EU GDPR" means the EU General Data Protection Regulation 2016/679;
  • "Restricted Transfer" means:
    1. a transfer of Controller Personal Data from any Controller Group Member to a Contracted Processor; or
    2. an onward transfer of Controller Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer:
      • involves the transfer of Controller Personal Data outside the United Kingdom; or
      • would be prohibited by the Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses or UK Addendum to be established below;
  • "Services" means the services and other activities to be supplied to or carried out by or on behalf of Processor for Controller Group Members pursuant to the Principal Agreement;
  • "Standard Contractual Clauses" means the annex to the commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council or any new standard contractual clauses replacing or amending these from time to time;
  • "Subprocessor" means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of any Controller Group Member in connection with the Principal Agreement;
  • "Processor Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  • "UK" means the United Kingdom;
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner's Office pursuant to s 119A (1) Data Protection Act 2018 (UK) or any new UK Addendum replacing or amending these from time to time; and
  • "UK GDPR" means the UK version of the GDPR as it forms part of the law of each applicable jurisdiction of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018.
1.2. The terms, "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Controller Personal Data

2.1. Processor and each Processor Affiliate shall:
  • comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
  • not Process Controller Personal Data other than on the relevant Controller Group Member's documented instructions unless Processing is required by Data Protection Laws to which the relevant Contracted Processor is subject, in which case Processor or the relevant Processor Affiliate shall to the extent permitted by Data Protection Laws inform the relevant Controller Group Member of that legal requirement before the relevant Processing of that Personal Data.
2.2. Each Controller Group Member (where applicable):
  • instructs Processor and each Processor Affiliate (and authorises Processor and each Processor Affiliate to instruct each Subprocessor) to:
    1. Process Controller Personal Data; and
    2. transfer Controller Personal Data to any country or territory,
    as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
  • warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 2.2(a) on behalf of each relevant Controller Affiliate.
2.3. Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Controller Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Controller may make reasonable amendments to Annex 1 by written notice to Processor from time to time as Controller reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 2.3) confers any right or imposes any obligation on any party to this Addendum.

3. Processor and Processor Affiliate Personnel

Processor and each Processor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Data Protection Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor and each Processor Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Processor and each Processor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1. Each Controller Group Member authorises Processor and each Processor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this section 6 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.
5.2. Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as at the date of this Addendum, subject to Processor and each Processor Affiliate in each case first meeting the obligations set out in section 5.4.
5.3. Processor shall give Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 30 (thirty) calendar days of receipt of that notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment, neither Processor nor any Processor Affiliate shall appoint (nor disclose any Controller Personal Data to) the proposed Subprocessor except with the prior written consent of Controller.
5.4. With respect to each Subprocessor, Processor or the relevant Processor Affiliate shall:
  • before the Subprocessor first Processes Controller Personal Data (or, where relevant, in accordance with section 5.2) carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller Personal Data required by the Principal Agreement;
  • ensure that the arrangement between, on the one hand, (a) Processor, or (b) the relevant Processor Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written agreement including terms which offer at least the same level of protection for Controller Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR;
  • if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement referred to in paragraph (b); and
  • provide to Controller for review such copies of the Contracted Processors' agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Controller may request from time to time.
5.5. Processor and each Processor Affiliate shall ensure that each Subprocessor performs the obligations under sections 2.1, 3, 4, 6.1, 7.2, 8 and 10.1, as they apply to Processing of Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Processor.

6. Data Subject Rights.

6.1. Taking into account the nature of the Processing, Processor and each Processor Affiliate shall assist each Controller Group Member by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller Group Members' obligations, as reasonably understood by Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. Processor shall:
  • promptly notify Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
  • ensure that the Contracted Processor does not respond to that request except on the documented instructions of Controller or the relevant Controller Affiliate or as required by Data Protection Laws to which the Contracted Processor is subject, in which case Processor shall to the extent permitted by Data Protection Laws inform Controller of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach.

7.1. Processor shall notify Controller without undue delay upon Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Controller Personal Data, providing Controller with sufficient information to allow each Controller Group Member to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
  • describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned
  • communicate the name and contact details of Processor's data protection officer or other relevant contact from whom more information may be obtained;
  • describe the likely consequences of the Personal Data Breach; and
  • describe the measures taken or proposed to be taken to address the Personal Data Breach.
7.2. Processor shall co-operate with Controller and each Controller Group Member and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Processor and each Processor Affiliate shall provide reasonable assistance to each Controller Group Member with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers to be required of any Controller Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors

9. Deletion or return of Controller Personal Data

9.1. Subject to sections 9.2 and 9.3 Processor and each Processor Affiliate shall promptly and in any event within 60 (sixty) calendar days of the date of cessation of any Services involving the Processing of Controller Personal Data (the "Cessation Date"), Delete and procure the Deletion of all copies of those Controller Personal Data.
9.2. Subject to section 9.3, Controller may in its absolute discretion by written notice to Processor within 30 (thirty) calendar days of the Cessation Date require Processor and each Processor Affiliate to (a) return a complete copy of all Controller Personal Data to Controller by secure file transfer in such format as is reasonably notified by Controller to Processor; and (b) Delete and procure the Deletion of all other copies of Controller Personal Data Processed by any Contracted Processor. Processor and each Processor Affiliate shall comply with any such written request within 60 (sixty) calendar days of the Cessation Date.
9.3. Each Contracted Processor may retain Controller Personal Data only to the extent required by Data Protection Laws and only to the extent and for such period as required by Data Protection Laws and always provided that Processor and each Processor Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose. For the avoidance of doubt, the terms of this Addendum and any equivalent undertaking or agreement entered into by the Contracted Processor shall remain in place for as long as the Controller Personal Data is retained by the Contracted Processor.
9.4. Processor shall provide written certification to Controller that it and each Processor Affiliate has fully complied with this section 9 within 60 (sixty) calendar days of the Cessation Date.

10. Audit rightsa

10.1. Subject to sections 10.2, Processor and each Processor Affiliate shall make available to each Controller Group Member on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by any Controller Group Member or an auditor mandated by any Controller Group Member in relation to the Processing of the Controller Personal Data by the Contracted Processors.
10.2. Information and audit rights of the Controller Group Members only arise under section 10.1 to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of the Data Protection Laws (including, where applicable, article 28(3)(h) of the GDPR).
10.3. Processor shall immediately inform Controller if, in its opinion, an instruction pursuant to this section 10 (Audit Rights) infringes the Data Protection Laws.

11. Restricted Transfers

11.1. Subject to section 11.2, any Restricted Transfer made from the Processor (as "data exporter") to a Contracted Processor, (as "data importer") will be under an agreement containing the Standard Contractual Clauses and UK Addendum.
11.2. The agreement between the Processor and any Contracted Processor referred to in section 11.1 will include the details set out in Annex 2 of this Addendum.
11.3. Section 11.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of the Data Protection Laws.

12. General Terms

Governing law and jurisdiction
12.1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
  • the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
  • this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
Order of precedence
12.2. Nothing in this Addendum reduces Processor's or any Processor Affiliate's obligations under the Principal Agreement in relation to the protection of Personal Data or permits Processor or any Processor Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement.
12.3. Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail. Changes in Data Protection Laws, etc.
12.4. Controller may:
  • by at least 30 (thirty) calendar days' written notice to Processor from time to time make any variations to, or request replacement of, any Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 11.1, as they apply to Restricted Transfers which are subject to particular Data Protection Laws, which are required, as a result of any change in, or decision of a competent authority under, the Data Protection Laws, to allow those Restricted Transfers to be made (or continue to be made) without breach of the Data Protection Laws; and
  • propose any other variations to this Addendum which Controller reasonably considers to be necessary to address the requirements of any Data Protection Laws.
12.5. If Controller gives notice under section 12.4(a):
  • Processor and each Processor Affiliate shall promptly co-operate (and ensure that any affected Sub-processors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.4(c); and
  • Controller shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Processor to protect the Contracted Processors against additional risks associated with the variations made under section 12.4(a) or 12.5(a).
12.6. If Controller gives notice under section 12.4(b), the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller's notice as soon as is reasonably practicable.
12.7. Neither Controller nor Processor shall require the consent or approval of any Controller Affiliate or Processor Affiliate to amend this Addendum pursuant to this section 12 or otherwise.
Severance
12.8. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.9. This Addendum may be executed in counterparts, each of which shall be deemed to be an original and which together shall constitute one and the same Addendum. IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.

On behalf of the Controller:

On behalf of the Processor: Enboarder Pty Ltd (ABN 36 606 680 602)



ANNEX 1: DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.

Data controller

The data controller is (please specify briefly your activities relevant to the transfer):

As part of hiring individuals (New Hire), data controller will collect certain personal data from the New Hire to communicate before their commencement date, and to set them up as an employee by collecting the relevant information. Data controller will be transferring personal data to the data processor to initiate an effective digital onboarding program for new joiners.

Data processor

The data processor is (please specify briefly activities relevant to the transfer):

Processing that data in order to deliver relevant and appropriate digital onboarding experiences to new hires

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Individual hired by data controller (New Hire), data controller employees (HR, manager of the New Hire, mentor, buddy)

Categories of data

The personal data transferred concern the following categories of data (please specify):

New Hire: first name, surname, email address, phone number, bank details, right to work documents, next of kin information, academic certificates, office location, function, business division/ team
Data controller's employees: name, email address

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

N/A

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

Storage on servers located within the EEA (except where clause 12 Restricted Transfers applies, in which case personal data may be stored on servers located in the data importer's country), deletion, and other processing requested by the data controller

Subject matter and duration of the Processing of Controller Personal Data

The subject matter and duration of the Processing of the Controller Personal Data are set out in the Principal Agreement and this Addendum.

The obligations and rights of Controller and Controller Affiliates

The obligations and rights of Controller and Controller Affiliates are set out in the Principal Agreement and this Addendum.



ANNEX 2: DETAILS IN RELATION TO RESTRICTED TRANSFERS

Details of Processing

This forms part of the agreement between the Processor and any Contracted Processor.

  • List of Parties

    1. Data Exporter:
      • Name: Enboarder Ltd
      • Address: 10 John Street, London, England, WC1N 2E United Kingdom
      • Contact person's name, position and contact details: Aleia Waldmann, Director of Legal Operations, privacy@enboarder.com Activities relevant to the data transferred under these
      • Clauses: Providing people activation services via the Enboarder services
      • Role (controller/processor): Processor
    2. Data Importer:
      • Name: Enboard.me Pty Ltd
      • Address: 121 Sussex St, Sydney NSW 2000 Australia
      • Contact person's name, position and contact details: Aleia Waldmann, Director of Legal Operations, privacy@enboarder.com Activities relevant to the data transferred under these
      • Clauses: Providing people activation services via the Enboarder services
      • Role (controller/processor): Processor
  • Description of Transfer

    1. Categories of data subjects whose personal data is transferred

      The personal data transferred concern the following categories of data subjects:

      Individual hired by data exporter (New Hire), customer employees (HR, manager of the New Hire, mentor, buddy)

    2. Categories of personal data transferred
      The personal data transferred concern the following categories of data:
      • New Hire: first name, surname, email address, phone number, bank details, right to work documents, next of kin information, academic certificates, office location, function, business division/ team
      • Customer's employees: name, email address
    3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

      N/A

    4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

      Continuous

    5. Nature of the processing

      The personal data transferred will be subject to the following basic processing activities:

      Storage on servers located within the EEA (except where Restricted Transfers applies, in which case personal data may be stored on servers located in the data importer's country), deletion, and other processing requested by the data controller

    6. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

      Upon the termination or expiration of the Agreement, or at any time upon Data Controller's request, Data Processor will immediately cease to process Data Controller Data and will promptly return or destroy the Data Controller Data (including all copies) in Data Processor's possession or control (including any Data Controller Data held by Subprocessors) as instructed by Data Controller.

    7. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

      Please refer to Annex III below



Appendix II

Technical and Organizational Measures

This Appendix forms part of the agreement between the Processor and any Contracted Processor.

Description of the technical and organisational security measures implemented by the data importer:

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

All Infrastructure is built on AWS Cloud with Auto Scaling that adds additional servers when there is a need. All Servers are deployed in at least 2 availability zones for resilience. Only connections over Secure channel using TLCv1.2 and above are allowed. We have implemented Web Application Firewall rules for blocking non-legitimate traffic.

All data is validated in the backend to manage integrity of data before doing business operations. Users are Authenticated and are only allowed to perform operations based on their role.

Daily database backups ensure data can be restored easily.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Daily Backups are done to ensure data can be restored back in case of any technical or physical incident.

Enboarder does not manage their own data centers and all of the data resides on AWS cloud.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.

Enboarder follows Agile development methodology with all tickets marked as Done by QA team after proper testing. QA teams also performs regression and automation testing.

Developers are all trained on OWASP Top 10 coding principles. Continuous checks are done on third party libraries for any vulnerabilities. Enboarder also performs dynamic code scans for any Vulnerabilities introduced in code. Sonarqube performs the Static code Analysis to find any security issues in code.

Measures for user identification and authorization

Enboarder uses JWT cookies for User identification and users have defined roles for authorization. All operations are allowed access based on the Authentication and Authorization role of the user. Enboarder also has connectors for SSO Integration using SAML2 for user Authentication with all IDPs that support SAML2.

Measures for the protection of data during transmission

All of the data is encrypted at Rest and is only transmitted over secure channel using TLS v1.2 and above.

Measures for the protection of data during storage

All of the data is encrypted at Rest using AES 256 encryption with encryption key managed by AWS

Measures for ensuring physical security of locations at which personal data are processed

All of Enboarder Servers are on AWS cloud. Please add links from AWS website here.

Measures for ensuring events logging

All events are logged in AWS using Cloudtrail and Cloudwatch and by Application. All of the events go to Enboarder SIEM solution for monitoring and alerting.

Measures for ensuring system configuration, including default configuration

All of Enboarder Infrastructure is built using Cloudformation Templates (IAAS). All the configurations are applied by code. Manual changes to Infrastructure are not allowed.

Measures for internal IT and IT security governance and management

Enboarder is ISO27001 certified and undergoing SOC-2 compliance program

Measures for ensuring data quality

Enboarder has robust Testing measures in place to ensure data quality remains good. All of the User Input data is sanitized before being saved to the database. Role based access checks are performed to stop non-authorized access

Measures for ensuring limited data retention

Enboarder has policies in place for data purge for backups after 90 days. For application data, configurations allow Admin users to setup their preferences for data purge

Measures for ensuring accountability

Enboarder logs a lot of data in the SIEM solution, which can be used to analyze events in case of any incident.

Measures for allowing data portability and ensuring erasure

Data portability to customers is only via APIs or via special request from the backend. Data erasures if needed to be done for a customer and never executed manually. Enboarder has a mix of manual approval and automated process to perform data destruction activities in control manner.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter Classify all data and apply appropriate controls for each level

  • Employ encryption of all customer data in transit and at rest to minimum industry standards
  • Perform periodic reviews of all our security policies and controls
  • Schedule annual penetration tests of the Enboarder application and remediate appropriately
  • Perform annualized security training for all Enboarder employees
  • Utilize centralized monitoring and logging of all Enboarder production systems


ANNEX III
SUBPROCESSOR LIST

AWS BurstSMS Customer.io Esendex FullStory Intercom Mailjet MyInterview Twilio
Categories of data subjects whose data the subprocessor may process on behalf of vendor Data Controller, User Data Controller, User Data Controller, User Data Controller, User Data Controller, User Data Controller, User Data Controller, User Data Controller, User Data Controller, User
Categories of data that the subprocessor may process on behalf of vendor Contact data (email); Cookies or tags (IP address, DNS name, and MAC address); Usage logs; Analytics data Contact data (phone number); Personal data added in SMS messages; Deep links to application Contact data (email); Personal data added in email messages; Deep links to application Contact data (phone number); Personal data added in SMS messages; Deep links to application User interactions for page analytics Contact data (name, email); Chat and help messages Contact data (email); Personal data added in email messages; Deep links to application Storage for videos recorded by customers. This feature is not available by default Contact data (phone number); Personal data added in SMS messages; Deep links to application
Method of transmission of this data from vendor to subprocessor API over encrypted channel. Stores and processes all information API over encrypted channel API over encrypted channel API over encrypted channel API over encrypted channel All data sent to Intercom is encrypted in transit and at rest API over encrypted channel Uses widget of MyInterview API over encrypted channel
Purpose of transmission of this data from vendor to subprocessor Main cloud provider SMS provider (APAC region) Email provider (mainly APAC/US region) SMS provider (EU/UK region) Analytics and insights to support users and product development Customer messaging platform Email provider (EU/UK region) Video on demand SMS provider (US region)
Format of data processed by the vendor's subprocessor Various types json json json json json json Streaming media json
Duration of transmission of this data from vendor to subprocessor Continuous basis to support service Continuous basis to support service Continuous basis to support service Continuous basis to support service Continuous basis to support service Continuous basis to support service Continuous basis to support service Continuous basis to support service Continuous basis to support service
Locations where subprocessor processes this data on vendor's behalf Sydney (AUS); Oregon (USA); Frankfurt (EU/UK); Canada Australia USA UK Frankfurt (EU/UK); USA USA Germany or Belgium Frankfurt USA