REQUEST DEMO

Impartner Terms of Use

Updated: January 20, 2022
DOWNLOAD

This Impartner Terms of Use (“Terms of Use”) governs any and all Order Forms, Renewals, and Amendments to Order Forms by and between Impartner, Inc. (“Impartner”), including its affiliates and subsidiaries, and the Customer identified on page one of the Order Form and/or Amendment (“Customer”), unless expressly indicated otherwise. Capitalized terms not defined herein shall have the meaning assigned to them in the Order Form, Renewal. In the event of conflict, the order of precedence shall be: (i) Order Form, (ii) Data Processing Addendum (“DPA”), (iii) Impartner Terms of Use. Any Exhibits will be incorporated by reference and shall take the precedence to the Document to which it has been addended.

1. Definitions

“Admin Users” means Customer’s Portal Users who have the administrative rights to supply login credentials to other Portal Users. Customer shall not exceed twenty-five (25) Admin Users at any given time.

“Affiliate” means, with respect to any legally recognizable entity, any other such entity Controlling, Controlled by, or under common Control with such entity. “Control” means direct or indirect ownership of: (a) more than fifty percent (50%) of the outstanding equity interests representing the right to vote for members of the board of directors or other managing officers of such entity; or (b) for an entity that does not have outstanding equity interests that vote for members of the board of directors or other managing officers, more than fifty percent (50%) of the ownership interest representing the right to make decisions for such entity. An entity shall be deemed an Affiliate only for so long as such Control exists.

“Agreement” means the Order Form, Terms of Use, Data Processing Addendum, and any other exhibits or addenda attached thereto or hereto.

“Applicable Data Protection Law” shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”) and any data protection laws in any European Union Member State including laws implementing such Regulation, (ii) the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (“UK GDPR”), (iii) the California Consumer Privacy Act of 2018 (“CCPA”), including any regulations promulgated thereunder, as amended from time to time; and (iv) any other applicable data protection law.

“Clients” means all Customer’s clients and customers who are not Partners or Employees.

“Customer Data” means all electronic data or information submitted by Portal Users to Impartner via the Service.

“De-Identified” or “Anonymized” data means information that cannot identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to an identified or identifiable natural person.

“Documentation” means Impartner’s then-current standard solution documentation, and includes all documentation found in the Impartner customer success portal.

“Employees” means Customer’s employees, consultants, contractors and agents.

“Implementation Services” means work required by Impartner for initial installation and configuration of Services in accordance specific line items on an Order Form.

“Licensees” means the combination of Employee’s, Clients, Partner Accounts, and Recipients.

“Malicious Code” means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.

“Order Form” means the invoice or order form, as applicable, agreed to by the Parties in which this Impartner Terms of Use is referenced. The Order Form will include some or all of the following information: the name of Customer, Customer’s address and billing information, the length of the Subscription Term, the fees due from Customer, the Use Limit, the applications and modules selected by Customer, and any professional services and support being purchased.

“Partners” means Customer’s resellers, channel partners or other members of Customer’s partner networks that provide services and/or sell products on behalf of Customer.

“Partner Accounts” means Partners who are listed as active within the Service.

“Portal Users” means individuals who are authorized by Impartner or Customer to access and use the Service, and who have been supplied user identifications and login credentials by Admin Users. Portal Users may include Customer’s employees, Partners’ employees, consultants, contractors and agents of Customer.

“Premier Support” means billable, professional services related to custom functionality, as outlined in an agreement between the Parties that delineates the specific scope of services.

“Price Quote” means the price quote included in the Order Form.

“Recipient” means an Employee, Partner or Client, as applicable, who, at Customer’s sole discretion, receives a digital communication from Customer as part of the Services.

“Sensitive Personal Information” means an individual’s financial information, sexual preferences, medical, or health information protected under any health data protection laws, biometric data (for purposes of uniquely identifying an individual), personal information of children protected under any child data protection laws (such as the personal information defined under the US Children’s Online Privacy Protection Act (“COPPA”)) and any additional types of information included within this term or any similar term (such as “sensitive personal data” or “special categories of personal information”) as used in applicable data protection or privacy laws.

“Service/s” means the online, cloud-based software applications, modules and content provided by Impartner to Customer via the Internet. The specific applications, modules and content that will be provided are outlined in the Order Form.

“Standard Support Services” means Impartner support provided in response to a ticket submitted by Customer via Impartner’s support ticking system related to the Services’ standard product capabilities.

“Subscription Term” means the period beginning on the Commencement Date (as defined in the Order Form) and continuing until the end of the Subscription Term specified in the Order Form, unless terminated earlier or renewed or extended as provided in the Agreement.

“Term” means the period beginning on the Effective Date (as defined in the Order Form) and continuing until the end of the Subscription Term specified in the Order Form, unless terminated earlier or renewed or extended as provided in the Agreement or any applicable Order Form.

“Use Limit” means the quantity of the Service that Customer is authorized to use or access as indicated in the applicable Order Form or pursuant to Section 3.1. Use Limit is based on the license use meter (which may include, but is not limited to, Partner Accounts, Employees, Recipients, Clients, or Licensees, as applicable) by which Impartner measures, prices and licenses the right to use the Service. For the avoidance of doubt, Customer may only use the Service for the use meter authorized, i.e. if the use meter is based on Partner Accounts, Customer may not use the Service for Employees and/or Clients.

2. The Service

2.1 Provision of the Service. Subject to the terms and conditions of the Agreement and the applicable Order Form, and upon Customer’s payment of the applicable fees, Impartner shall make the Service available to Customer and its Portal Users and Partners via the Internet during the Subscription Term. Customer’s right to access and use the Service is limited to Customer’s internal use only. Customer agrees that its purchase of a subscription to the Service is neither contingent on the delivery of any future functionality or features nor dependent on any oral or written comments made by Impartner regarding future functionality or features.

Call out within text module goes here

2.2 Support Services. Support services consist of Standard Support Services, Implementation Services, and Premiere Support. Standard Support Services are provided at no cost to Customer. Implementation Services and Premiere Services are provided in accordance with an Order Form that articulates the specific statement of work. For additional detail regarding the difference between Standard Support Services and Premier Support, see Types of Support, attached hereto as Exhibit F.

2.3 Customer Responsibilities. Customer shall at all times comply with the Acceptable Use Policy attached hereto as Appendix B and integrated by reference herein. Customer shall furthermore: (i) be responsible for its Portal Users’ compliance with the Agreement, (ii) maintain current contracts with its Partners that, at a minimum, require Partners’ use of Customer Data to comply with applicable laws and regulations, and (iii) use the Services only in accordance with the terms of the Agreement.

2.4 Partner Agreements. Customer shall maintain a written, legally binding agreement (each, a Partner Agreement) with each of its Partners that will have access to the Service. The form of each Partner Agreement shall be determined by Customer but each such Partner Agreement must be no less protective of Impartner’s rights (including, without limitation, Impartner’s rights in the Service) than this Agreement. Customer will enforce each such Partner Agreement with at least the same degree of diligence that Customer uses to enforce similar agreements for its own products, but in no event less than reasonable efforts. Customer will immediately notify Impartner if Customer becomes aware of any breach of any such Partner Agreement.

2.5 Third-Party CRM Applications. Customer understands and agrees that the Service does not include a license to any third-party CRM application and that Customer is responsible to obtain its own license to any third-party CRM application that Customer desires to use with the Service. Any acquisition by Customer of a third-party CRM application, including but not limited to any implementation, customization, or any exchange of data between Customer and any third-party provider, is solely between Customer and the applicable third-party provider. Except as expressly agreed by Impartner in an Order Form, Impartner does not warrant or support any third-party products or services.

2.6 Access to Customer Data. At any time during the Subscription Term, Customer may access the Customer Data and download a copy of such Customer Data.

2.7 Hosting Services. Impartner or its hosting services providers shall host the Service. Impartner’s current hosting services providers are listed in Annex 3 of the Standard Contractual Clauses of the Data Protection Addendum.

2.8 Additional Services. To the extent that Customer requires any additional products or services, such as customizations, program modifications or additions, new modules (which add new functionality), new releases of new products (which have different names and different functionality from the Service), professional services or professional consulting services, Customer may order such additional products and/or services pursuant to separate Order Form or written statement of work mutually agreed to by the Parties. Additional services (including, without limitation, professional services or professional consulting services) may be provided by Impartner upon the mutual agreement of the Parties for additional fees.

2.9 Affiliates. The Affiliates provisions herein only apply if and to the extent Customer is entering into this Terms of Use and/or any related Order Form on behalf of its Affiliates.

2.9.1 Customer warrants and attests that it has the authority to enter into this Agreement on behalf of its Affiliates.

2.9.2 Customer shall be responsible for its Affiliates’ compliance with the terms of this Agreement and any material breach of this Agreement by a Customer Affiliate shall be deemed to be a material breach by Customer.

2.9.3 All platform related limitations of Customer arising from the Agreement shall be applied holistically to Customer and Customer’s authorized Affiliates. Accordingly, by way of example only, references in the Agreement to concepts such as the number of Users and Partners shall refer to Users and Partners of Customer and Customer’s Affiliates so that the applicable Use Limit applies holistically to the number of Partners of Customer and all of its authorized Affiliates.

2.9.4 The Service specified in any applicable Order Form shall consist of one single instance of Impartner PRM. Should additional instances be required, for any reason, including for an Affiliate to have unique functionality independent from Customer’s single instance of Impartner PRM, additional implementation and/or subscription fees will apply.

2.10 Sanctioned Countries. Customer warrants and attests that (i) all Users are prohibited from residing in or operating from any country that is sanctioned by either the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) or the United Nations Security Council (“Prohibited Countries”), and (ii) Neither Customer nor its Affiliates will knowingly permit any data pertaining to residents of any Prohibited Countries be processed by the Service, including by prohibiting Customer’s and its Affiliates’ Partners from processing any such data via the Service.

Larger callout – insert  a new text module, apply the “Box Text” global style preset. Or copy an existing call out text box, then change the text. Your content goes here. Edit or remove this text inline or in the module Content settings. You can also style every aspect of this content in the module Design settings and even apply custom CSS to this text in the module Advanced settings.

3. Fees and Payment

3.1 Subscription Fees. The subscription fees payable for the Service are based on Customer’s Use Limit as set forth in the Order Form or modified in accordance with this Section 3.1. Except as otherwise set forth herein or in an Order Form, (i) fees are quoted and payable in United States dollars, (ii) fees are based on Service subscriptions purchased and not actual usage, and (iii) payment obligations are non-cancelable and fees paid are non-refundable, except as permitted in Section 6.1, Section 7.2, Section 9.3, or Section 11.2.

3.2 Expenses. Customer shall reimburse Impartner for all expenses incurred by Impartner with the prior approval of Customer in the performance of implementation or requested professional services, including, but not limited to, expenses of transportation in connection with providing services, reasonable expenses for out-of-town travel including meals, rental cars and lodging, professional and programming services which may be required such as secondary employees and other experts, as well as outside services such as programmers. Records of reimbursable expenses including statements and receipts shall be provided to Customer along with the invoice to which they pertain.

3.3 Invoicing and Payment. Fees will be invoiced in advance in accordance with the relevant Order Form. Unless otherwise stated in the Order Form, fees are due thirty (30) days from the invoice date. All fees shall be paid by wire transfer. With each wire transfer payment, Customer shall provide Impartner with a listing of the Impartner invoices that Customer is making payment against. If any amounts invoiced hereunder are not received by Impartner by the due date, then such amounts shall accrue interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid. Notwithstanding anything to the contrary in the Agreement, and without limiting any remedies available to Impartner, Customer shall be liable to Impartner for all reasonable expenses, including but not limited to collections and legal fees, associated with Impartner’s efforts to collect on an overdue invoice.

3.4 Suspension of the Service. If any charge owing by Customer is thirty (30) days or more overdue, Impartner may, without limiting its other rights and remedies, suspend the Service until such amounts are paid in full.

3.5 Taxes. Customer agrees to pay all applicable taxes levied by any tax authority on the Service or on Customer’s use thereof, which shall be separately invoiced, excluding taxes based on the net income of Impartner. Customer shall provide to Impartner any certificate of exemption or similar document required to exempt any transaction under the Agreement from sales tax or other tax liability.

4. Property Rights

4.1 Customer Data. As  between the Parties, Customer owns all rights, title and interest in and to all Customer Data. To the extent Customer Data is combined with data derived or obtained from public sources, the portion of data derived or obtained from such public sources will not be considered Customer Data. Pattern Data (defined hereinafter) will not be considered Customer Data.

4.2 Customer Responsibility for Customer Data. Customer has sole responsibility for (i) Customer Data submitted or contributed to the Service by Portal Users, and (ii) Portal Users’ use of such content, including without limitation its legality, reliability, accuracy, and appropriateness. Impartner will use the Customer Data it is provided by Customer or third parties in performing the Services “as-is”. Customer may delete or request that Impartner delete all or part of the Customer Data at any time. Customer is solely responsible for the accuracy, quality, integrity, and reliability of all Customer Data provided pursuant to this Agreement and for the compliance of such Customer Data with this Agreement and all applicable laws.

4.3 Data Rights Granted by Customer. Customer grants Impartner a limited, worldwide, royalty-free, paid-up, and non-exclusive license during the Term to access, utilize and otherwise process Customer Data solely to: (i) provide the Services, including storing, hosting and management of such Customer Data; and (ii) create Pattern Data (as hereinafter defined). “Pattern Data” means de-identified information, data and/or reports derived from or compiled through the Services, including but not limited to aggregated and/or anonymized data and/or statistics indicating frequency of use, popularity of and/or other characteristics of the Services. For greater certainty, Pattern Data is data that does not identify Customer or Portal Users and is data that does not relate specifically to Customer’s or Partners’ businesses. Impartner shall own all rights, title and interest (including all intellectual property rights) in and to any Pattern Data.

4.4 Restrictions. Customer shall not at any time, directly or indirectly, and shall not permit any Portal User to (i) permit any third party to access or use the Service except as permitted herein or in an Order Form, (ii) copy, modify or create derivative works based on the Service or the Documentation, (ii) rent, lease, lend, sell, license, sublicense, publish, frame, mirror or otherwise distribute any part or content of the Service or Documentation, (iii) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Service, in whole or in part, or (iv) access the Service in order to (a) build a competitive product or service, or (b) copy any content, features, functions or graphics of the Service.

4.5 Sensitive Personal Information. Customer agrees not to use the Services to collect, process, or store any Sensitive Personal Information. Customer agrees not to transmit, disclose, or make available Sensitive Personal Information to Impartner, or to Impartner’s third-party service providers pursuant to its relationship with Impartner.

4.6 License to Feedback. Impartner encourages Customer to provide suggestions, proposals, ideas, recommendations, or other feedback regarding improvements to Impartner Services and related resources (“Feedback”). To the extent Customer provides Feedback, Customer grants to Impartner a royalty-free, fully paid, sub-licensable, transferable (notwithstanding the section herein on Assignment), non-exclusive, irrevocable, perpetual, worldwide right and license to make, use, sell, offer for sale, import, and otherwise exploit Feedback (including by incorporation of such feedback into the Impartner Services) without restriction; provided that such Feedback does not identify Customer, its Affiliates, Partners, Portal Users, or include any Customer Data without Customer’s prior written consent.

4.7 Impartner Reservation of Rights. Impartner reserves all rights, title, and interest, and all related intellectual property or other rights, in and to the Impartner Services and Documentation, any improvements, customizations, design contributions, or derivative works thereto, and any knowledge or processes related thereto and/or provided hereunder. No rights are granted to Customer with respect to the Service, or the intellectual property rights therein, other than the limited rights and licenses specified in the Agreement, and Customer will not access or use the Service, or the intellectual property rights therein, except as expressly permitted by the Agreement. Unless otherwise specified in the applicable Order Form, all deliverables provided by or for Impartner in the performance of providing the Services, excluding Customer Data and Customer Confidential Information, are owned by Impartner and constitute part of the Impartner Services under this Agreement.

4.8 Service Suspension. Notwithstanding anything to the contrary in the Agreement, Impartner may temporarily suspend Customer’s and/or any Portal User’s access to any portion or all of the Service if: (i) Impartner reasonably determines that: (A) Customer’s or any Portal User’s use of the Service disrupts or poses a security risk to Impartner or to any other customer or vendor of Impartner; (B) Customer, or any Portal User, is using the Service in breach of the Agreement or in violation of applicable law; (C) Customer has ceased to continue its business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of its assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution, or similar proceeding; or (D) Impartner’s provision of the Service to Customer is or becomes prohibited by applicable law; (ii) any vendor of Customer has suspended or terminated Impartner’s access to or use of any third-party services or products required to enable Customer to access and use the Service; or (iii) in accordance with Section 3.4 (any such suspension described in subclause (i), (ii), or (iii), a Service Suspension). Impartner shall use commercially reasonable efforts to provide written notice of any Service Suspension to Customer and to provide updates regarding resumption of access to the Service following any Service Suspension. Impartner shall use commercially reasonable efforts to resume providing access to the Service as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Impartner will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer may incur as a result of a Service Suspension.

5. Confidentiality

5.1 Confidential Information. As used herein Confidential Information shall mean all confidential or proprietary information disclosed orally or in writing by one Party to the other that is identified as confidential or whose confidential nature is reasonably apparent. Confidential Information of Customer shall include Customer Data; Confidential Information of Impartner shall include the Service; and Confidential Information of each Party shall include the terms and conditions of the Agreement and all Order Forms, as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such Party. Confidential Information shall not include information which: (a) is or becomes a part of the public domain through no fault of the receiving Party; (b) was in the receiving Party’s lawful possession prior to the disclosure; (c) is lawfully disclosed to the receiving Party by a third party without restriction on disclosure or any breach of confidence; or (d) is independently developed by the receiving Party.

5.2 Protection of Confidential Information. Each Party agrees to (i) hold the other’s Confidential Information in confidence, (ii) use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care), and (iii) not use or disclose such Confidential Information other than in connection with the performance of its obligations hereunder or as otherwise authorized by the Agreement. Notwithstanding the foregoing, either Party may disclose any of the other Party’s Confidential Information to its employees or consultants that have a need to know such Confidential Information in connection with such Party’s performance under the Agreement and that have agreed to be bound by confidentiality obligations similar to those in this Section.

5.3 Term. These obligations of confidentiality will commence on the Effective Date and, unless terminated earlier pursuant to the termination provision herein, will remain in effect for the duration of the Agreement plus 2 years following its termination; provided, however, that all obligations under this Agreement relating to (i) trade secrets will survive for so long as any such Confidential Information remains a trade secret under applicable law, and (ii) financial information will survive for a period of five (5) years following termination of this Agreement.

5.4 Protection of Customer Data. Without limiting the above, Impartner shall maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data, in accordance with Annex II of the DPA. Impartner shall not (a) modify Customer Data, (b) disclose Customer Data except to provide the Services to Customer, as compelled by law in accordance with the “Compelled Disclosure” section below, or as otherwise expressly permitted in writing by Customer, or (c) access Customer Data except to provide the Service and prevent or address service or technical problems, or at Customer’s request in connection with customer support matters.

5.5 Compelled Disclosure. The receiving Party may disclose the Confidential Information of the disclosing Party if it is compelled by law to do so, provided the receiving Party gives the disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the disclosing Party’s cost, if the disclosing Party wishes to contest the disclosure. If the receiving Party is compelled by law to disclose the disclosing Party’s Confidential Information as part of a civil proceeding to which the disclosing Party is a party, the disclosing Party will reimburse the receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.

5.6 Obligations on Termination. Upon expiration or termination of the Agreement, each Party will: (a) immediately cease all use of the other Party’s Confidential Information; and (b) upon request, within ten (10) calendar days, confirm in writing to the other Party that it has permanently erased from computer memory, destroyed or returned to the other Party the other Party’s Confidential Information, as well as any copies thereof on any media or in any form. Notwithstanding the foregoing, Impartner may retain Customer Data as required by applicable laws, regulations, court orders, subpoenas or other legal process. Any failure of Impartner to return or destroy electronic copies of Customer Data that are automatically generated through data backup and/or archiving systems shall not be deemed to violate the provisions of this Section, provided that Impartner shall not use such back-ups or archived copies for any purpose and such copies shall be subject to all confidentiality obligations set forth herein, and provided that such Customer Data is deleted in Impartner’s due course and within a commercially reasonable timeframe.

6. Warranties, Remedies, and Disclaimers

6.1 Impartner Warranties Impartner warrants that the Service will be provided materially in accordance with the Documentation. Impartner further represents and warrants that it has taken commercially reasonable steps to prevent the introduction of any Malicious Code or any other internal components, devices or mechanisms designed to disrupt, disable, harm, or otherwise impair in any material respect the normal and authorized operation of the Service. In the event of any breach of the foregoing warranty, Impartner will use commercially reasonable efforts to promptly repair the Service so as to be conforming. In the event of any breach of the foregoing warranty, due to no fault of Customer, and extending for thirty (30) days or more, or in the event that Impartner is not able to repair the affected services, then Customer shall receive a pro rata refund for the specific services affected, and Customer may terminate those specific services upon notice to Impartner.

6.2 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, THE SERVICE IS PROVIDED ON AN AS-IS BASIS WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND EACH PARTY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING. WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. IMPARTNER DOES NOT WARRANT THAT THE SERVICE WILL SATISFY CUSTOMER’S REQUIREMENTS OR (WITHOUT PREJUDICE TO THE LIMITED WARRANTY ABOVE) THAT IT IS WITHOUT DEFECT OR ERROR OR THAT CUSTOMER’S ACCESS THERETO WILL BE UNINTERRUPTED.

6.3 Third Party Products. Our Service may now and in the future incorporate the services of complementary products (each, a “Non-Impartner Product”). THESE ARE NOT IMPARTNER’S SERVICES AND IMPARTNER DOES NOT WARRANT OR SUPPORT NON-IMPARTNER PRODUCTS. ULTIMATELY, CUSTOMER (AND NOT IMPARTNER) WILL DECIDE WHETHER OR NOT TO ENABLE THIRD PARTY PRODUCTS. ANY USE OF A NON-IMPARTNER PRODUCT IS SOLELY BETWEEN CUSTOMER AND THE APPLICABLE THIRD-PARTY PROVIDER. IMPARTNER HEREBY EXPRESSLY DISCLAIMS ANY AND ALL LIABILITY IN CONNECTION WITH USAGE OF SUCH NON-IMPARTNER PRODUCTS.

6.4 Two Factor Authentication. The Services support access using two-factor authentication (“2FA”), which is known to reduce the risk of unauthorized use of or access to the Services. Impartner therefore disclaims all responsibility for any damages, losses or liability to Customer, Portal Users, or any other affected individuals in any event leading to such damages, losses or liability that could have been prevented by the use of 2FA.

7. Indemnification

7.1 Impartner Indemnification. Impartner agrees to defend Customer against any claims, demands, suits, or proceedings (each, a “Claim“) made or brought against Customer by a third party alleging that Customer’s use of the Service infringes or misappropriates the intellectual property rights of such third party and to indemnify Customer from any damages finally awarded by a court of competent jurisdiction against Customer or amounts agreed to in settlement in connection with any such Claim. Impartner’s obligations under this paragraph shall only apply to the extent that: (a) Customer promptly notifies Impartner in writing of the Claim; (b) Impartner has control of the defense and all related settlement negotiations relating to the Claim, provided however the settlement of any Claim shall not be made without advance written permission of Customer, which shall not be unreasonably withheld; and (c) Customer provides Impartner with the assistance, information and authority reasonably necessary to perform the above. In no event will Impartner have any obligation or liability under this paragraph for any Claim or action under any legal theory if the Claim or action is caused by, or results from: (i) Customer’s combination, operation or use of the Service with software or other materials not supplied by Impartner, (ii) any alteration or modification of the Service by Customer, (iii) Customer’s continued allegedly infringing activity after being notified thereof or after being provided modifications that would have avoided the alleged infringement, or (iv) the actions or omissions of any person or entity other than Impartner.

7.2 Remedy for Infringement. Should Customer’s right to use the Service pursuant to the Agreement be subject to a Claim of infringement or if Impartner reasonably believes such a Claim of infringement may arise, Impartner may, at its option and in its sole discretion (i) procure for Customer the right to continue to access and use the Services; (ii) modify the Service to render it non-infringing but substantially functionally equivalent to the Service prior to such modification; or (iii) if the alternatives described in clauses (i) and (ii) of this paragraph are not commercially practicable, then Impartner may terminate the Agreement and refund to Customer any amounts pre-paid by Customer for the Service for the unused portion of the Subscription Term.

7.3 Customer Indemnification. Customer agrees to defend Impartner against any Claims made or brought against Impartner by a third party alleging that the Customer Data or any other information provided by Customer to Impartner for use in connection with the Service, infringes or violates the intellectual property rights or privacy rights of a third party and to indemnify Impartner from any damages finally awarded by a court of competent jurisdiction against Impartner or amounts agreed to in settlement in connection with any such Claim. Customer’s obligations under this paragraph shall only apply to the extent that: (a) Impartner promptly notifies Customer in writing of the Claim; (b) Customer has control of the defense and all related settlement negotiations relating to the Claim, provided however the settlement of any Claim shall not be made without advance written permission of Impartner, which shall not be unreasonably withheld; and (c) Impartner provides Customer with the assistance, information and authority reasonably necessary to perform the foregoing. Impartner shall promptly provide Customer with written notice of any Claim which Impartner believes falls within the scope of this Section. Impartner’s failure to provide written notice to Customer shall not affect Customer’s indemnification obligations hereunder except to the extent that Customer is materially prejudiced thereby. At any time after Customer becomes aware of any such Claim, Customer may procure for Impartner the right to continue to use the information for use in connection with the Service at its own expense. Impartner shall not be responsible for any delay or disruption to the Customer’s use of the Service, including any damages stemming therefrom, caused by a Claim falling under this section.

8. Limitation of Liability

IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER FOR ANY LOST PROFITS OR REVENUES OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER OR PUNITIVE DAMAGES, HOWEVER CAUSED, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCEPT FOR ITS OBLIGATIONS UNDER Section 2.3 (customer’s responsbilities), SECTION 5 (CONFIDENTIALITY), SECTION 7 (INDEMNIFICATION), and any data processing addendum included in the agreement, IN NO EVENT SHALL IMPARTNER’S LIABILITY FOR DAMAGES UNDER THIS AGREEMENT FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, EXCEED THE AMOUNT OF MONEY PAID BY CUSTOMER FOR THE SERVICE DURING THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE INCIDENT. WITH RESPECT TO THEIR OBLIGATIONS UNDER SECTION 2.3 (CUSTOMER’S RESPONSIBILITIES), SECTION 5 (CONFIDENTIALITY), SECTION 7 (INDEMNIFICATION), and any data processing addendum included in the agreement, IN NO EVENT SHALL IMPARTNER’S LIABILITY FOR DAMAGES UNDER THIS AGREEMENT FOR ANY CAUSE WHATSOEVER, AND REGARDLESS OF THE FORM OF THE ACTION, EXCEED five times (5x) the amount of fees paid or payable during the prior twelve (12) months pursuant to the applicable order form/s and/or amendments. THE FOREGOING SHALL NOT LIMIT THE PARTIES’ PAYMENT OBLIGATIONS UNDER SECTION 3 ABOVE. CUSTOMER ACKNOWLEDGES THAT THE AMOUNT OF FEES PAYABLE BY CUSTOMER TO IMPARTNER HEREUNDER REFLECT THE ALLOCATION OF RISK SET FORTH IN THIS AGREEMENT AND THAT the parties WOULD NOT HAVE ENTERED INTO THIS AGREEMENT WITHOUT THE LIMITATIONS ON ITS LIABILITY CONTAINED IN THIS SECTION. THESE LIABILITY LIMITATIONS APPLY EVEN IF CONTRACTUAL REMEDIES FAIL OF THEIR ESSENTIAL PURPOSE.

9. Term and Termination

9.1 Term of Agreement. Unless otherwise terminated as provided herein, the Agreement commences on the Effective Date and continues until the expiration of any of the Subscription Term(s) specified in the Order Form.

9.2 Termination for Cause. A Party may terminate the Agreement for cause (i) upon thirty (30) days’ written notice to the other Party of a material breach if such breach remains uncured at the expiration of such period, or (ii) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Notwithstanding the foregoing, if at any time Customer is not satisfied with Impartner’s implementation services or setup of the Service or otherwise believes that Impartner has failed to satisfactorily complete the setup of the Service, then Customer’s sole remedy shall be to notify Impartner of the failure or its dissatisfaction and Impartner shall then use commercially reasonable efforts to correct the implementation services or to properly setup the Service. From the date of notice of failure or dissatisfaction, Impartner shall, at a minimum, have thirty (30) days to cure any implementation issues of which it has been notified. In the event the Parties agree that Impartner is not able to cure, due to no fault of Customer, then Customer shall receive a pro rata refund for the specific services not implemented and Customer may terminate those specific services, upon notice to Impartner. For clarity, fault, as used in the preceding sentence, shall include any unreasonably delayed response/s by Customer to any reasonable implementation-related request/s from Impartner.

9.3 Refund or Payment upon Termination. Upon any termination for cause by Customer, and subject to any adjustment under Section 3.1, Impartner shall refund Customer any prepaid fees covering the unused portion of the Subscription Term. Upon any termination for cause by Impartner, Customer shall pay any unpaid fees covering the remainder of the Subscription Term after the effective date of termination. In no event shall any termination relieve Customer of its obligation to pay any fees payable to Impartner for any period prior to the effective date of termination.

9.4 Surviving Provisions. Sections 1, 3, 4, 5, 6, 7, 8, 9.4, 10 and 11 shall survive any termination or expiration of the Agreement.

10. Compliance with Law

10.1 Compliance. Customer shall comply with all applicable laws, rules, regulations and guidance (whether or not legally binding) of competent regulators in its use of the Service, including without limitation the federal CAN-SPAM ACT OF 2003 (CAN-SPAM) and, where applicable, Directive 2002/58/EC, Directive 95/46/EC (and applicable implementing legislation in EU member-states) and Regulation (EU) 2016/679 (GDPR) and any legislation at the EU level or national level in any jurisdiction currently part of the European Economic Area which amends or replaces any of the foregoing.

10.2 Standards for Accepting Client Email Lists. Customer shall send emails on an “opt-out” or “opt-In” basis only, as required by applicable law. Impartner strongly urges Customer to send to double opt-In lists only. In no event may Customer use the Service to send Spam. As used herein, “Spam” shall mean (a) unsolicited commercial email sent to a recipient who has not provided his/her/its email address directly to the sender, or sent to a recipient who would not have a reasonable expectation of receiving email from the sender, or who has entered their email address on a recognized list in order not to receive unsolicited communications (unless Customer has an explicit opt-in consent to receive direct marketing from Customer from that recipient addressed directly to Customer), or (b) any email advertising illicit or illegal activities, or (c) any electronic message sent to email addresses provided by a third party. Customer accepts all liability for, and agrees to indemnify and hold Impartner and its owners, officers, employees, representatives, agents, licensors, successors and assigns harmless from and against, any and all claims, damages, charges, costs, expenses, liabilities, causes of action and other obligations arising in connection with or as a result of (i) Customer’s supplying Impartner with email address lists that were provided by a third party, or (ii) Customer’s sending electronic mail that does not comply with the requirements of this Section 10. Nothing in this Section 10.2 shall limit or prejudice the general obligations of Customer set forth in Section 10.1 above.

10.3 Unsubscribe Requests. All emails built and/or sent by or on behalf of Customer using the Service must include a built-in unsubscribe link. Clicking unsubscribe links in the Service will flag an email address of a contact in Customer’s database as an “opt-out” and prevent sending of email to that contact email address in the future. Physical mailing addresses are required for all emails sent through the Service by CAN-SPAM. Customer shall remove all contacts that have elected to unsubscribe via US mail within forty-eight (48) hours of receipt of the written request or earlier where required under applicable law. Impartner subscribes to major feedback loops and automatically unsubscribes all recipients who have registered complaints if and when Impartner has sufficient information to do so.

11. General Provisions

11.1 Export Compliance. Each Party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Service. Without limiting the foregoing, (i) each of Impartner and Customer represents that it is not named on any U.S. government list of persons or entities prohibited from receiving exports, and (ii) Customer shall not permit Portal Users to access or use Service in violation of any U.S. export embargo, prohibition or restriction.

11.2 Force Majeure. Neither Party shall be in default if a failure to perform any obligation hereunder is caused solely by supervening conditions beyond that Party’s reasonable control, including acts of God, civil commotion, strikes, labor disputes and governmental demands or requirements. When a Party’s delay or non-performance continues for a period of five (5) days or more, the other Party may terminate the Agreement without penalty. Any prepaid amounts shall be refunded on a prorated basis.

11.3 Relationship of the Parties. The Parties are independent contractors. The Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.

11.4 No Third-Party Beneficiaries. There are no third-party beneficiaries to the Agreement.

11.5 Notices. Except as otherwise specified in the Agreement, all notices, permissions and approvals hereunder shall be in writing and delivered to the addresses set forth on the first page of the Agreement and shall be deemed to have been given upon: (i) personal delivery, (ii) the second business day after overnight delivery, (iii) the second business day after sending by confirmed facsimile, or (iv) the first business day after sending by email. Any legal notices sent to Impartner by email must additionally be sent to legal.notice@impartner.com, and any notices sent by email related to invoices or billing must be sent to accounts.receivable@impartner.com.

11.6 Waiver and Cumulative Remedies. No failure or delay by either Party in exercising any right under the Agreement shall constitute a waiver of that right. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party at law or in equity.

11.7 Severability. If any provision of the Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of the Agreement shall remain in effect.

11.8 Assignment. Neither Party may assign its rights or obligations under this Agreement without the other Party’s prior written consent. Notwithstanding the foregoing, either Party may assign its rights and obligations under this Agreement to an Affiliate as part of a reorganization, or to a purchaser of its business entity or substantially all of its assets or business to which rights and obligations pertain without the other Party’s consent, provided that: (a) the purchaser is not insolvent or otherwise unable to pay its debts as they become due; (b) the purchaser is not a competitor of the other Party; and (c) any assignee is bound hereby. Other than the foregoing, any attempt by either Party to transfer its rights or obligations under this Agreement will be void.”

11.9 Governing Law; Venue. The Agreement, and any disputes arising out of or related hereto, shall be governed exclusively by the internal laws of the State of Utah, without regard to its conflicts of laws rules. The state and federal courts located in Salt Lake City, Utah shall have exclusive jurisdiction to adjudicate any dispute arising out of or relating to the Agreement. Each Party hereby consents to the exclusive jurisdiction of such courts.

11.10 Modifications. Impartner may make clerical or immaterial changes to this Terms of Use without providing Customer notice. Any material changes will require Customer’s notice and consent.

Entire Agreement

The Agreement, including all exhibits and addenda hereto, constitutes the entire agreement between the Parties and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of the Agreement shall be effective unless in writing that specifically references the Agreement and is signed by the Party against whom the modification, amendment or waiver is to be asserted. Notwithstanding any language to the contrary therein, no terms or conditions stated in any Customer purchase order or in any other Customer order documentation shall be incorporated into or form any part of the Agreement, and all such terms or conditions shall be null and void.

EXHIBITS

Exhibit A: Reward Payment Processing

This Reward Processing Exhibit (“Exhibit A”) is only applicable in the event Customer is buying Referral Automation Programs. If Customer is not buying Referral Automation Programs, this Exhibit A is hereby null and void.

This Exhibit A is hereby attached and made a part of the Impartner Impartner Terms of Use (“Agreement”) between Impartner, Inc., a Delaware Corporation (“Impartner”) and your company (“Customer”). By signing an Order Form, Customer agrees to be legally bound by this Exhibit A as of the Effective Date the Order Form. In the event of any conflict or inconsistency with the terms of the Agreement, this Exhibit A shall govern. Terms not defined herein shall have the meaning assigned to them in the Agreement. By signing an Order Form, Customer agrees to receive and Impartner agrees to provide management of Customer’s rewards processing (“Services”), including providing reward availability and tracking reward payments under the following terms and conditions:

  1. Overview. Customer will be responsible for providing approval of all necessary information required by Impartner to perform the Services, whether such information is provided by Customer, its customers, consultants, end users, advocates or other agents of Customer (“Users”) or Recipients (as defined below), including, but not limited to, the reward amount(s) (“Reward”) or data necessary for Reward calculation, the party to receive the applicable Reward (“Recipient”), and method of issuing the Reward. To the extent Impartner does not have the necessary information to process a Reward, Impartner shall notify Customer and Customer shall be solely responsible for providing the information or obtaining the information from the applicable User. Impartner shall not be liable or responsible for failing to process a Reward if the Recipient Information has not been provided to Impartner. Upon execution of the Order Form, Impartner will implement Customer’s specifications into Impartner’s Application management interface (“Interface”). For purposes of this Exhibit A, “Application” means a database and software web services application offered to Customer over the Internet and accessible by a URL designated by Impartner. For the avoidance of doubt, this Exhibit A does not provide for the licensing of the Application, which is subject to the terms and conditions in the Agreement.
  2. Recipient Information. Customer, or a User on Customer’s behalf, is responsible for providing Impartner with the name of each Recipient and sufficient information to enable delivery of a Reward, including email address, physical address and/or bank account information (“Recipient Information”). Customer represents and warrants that it has obtained or has required Users to obtain all necessary consents, rights and permissions to disseminate or otherwise transfer such information, in writing, orally and/or electronically to Impartner for purposes of Impartner performing the Services. Customer agrees to indemnify, defend, and hold Impartner and its Payment Processors harmless against any claim or action brought by any User, Recipient or third party for an actual or alleged violation of this Section and any other losses, liabilities, damages and claims arising from Customer’s failure to obtain the necessary consents, rights or permissions. This obligation of Customer shall not be subject to any limitation of liability set forth in the Agreement.
  3. Use of Third-Party Payment Processors. In order to provide the Services, Impartner may, in its sole discretion, utilize the services of one or more third-party networks, payments processor or providers (each a “Payment Processor”), such as gift card vendors or cash payment vendors to facilitate the transfer of funds. Impartner may change Payment Processors at any time in its sole discretion with or without notice to Customer. In the event Impartner determines, in its sole discretion, that it is unable to provide the Service due to a Payment Processor, Impartner may temporarily discontinue the Service or provide the Service through an alternate Payment Processor. In the event Impartner temporarily discontinues the Service or provides the Service through an alternate Payment Processor, Impartner shall have no liability to Customer for the unavailability or delays in providing the Service.
  4. Reward Calculation. Prior to implementation of the Services, Customer and Impartner will agree in writing upon the method of calculating the Reward (i.e. a fixed Reward amount, a percentage of revenue, or other method of calculation as the parties may agree to in the Statement of Work or through a ticket submitted via Task View). As part of the Services, Impartner will calculate the amount of the Reward to be paid to each Recipient based upon the calculation method agreed upon in the Statement of Work. By using the Interface, Customer may change any variable amounts in the calculation. However, a change to the method of calculation shall require a Change Order to the Statement of Work if additional implementation services are required to be performed by Impartner. For purposes of this Exhibit A, “Change Order” means a ticket submitted via Task View.
  5. Payments Approval. Impartner will determine Reward amounts based upon data provided by Customer and Users on Customer’s behalf. Impartner will attribute Reward payments to Recipients based upon the data received from Customer and Users of the Program. Customer shall remain solely responsible for the accuracy of this data. In addition, Customer has the option to approve Reward payments by using the Interface and auditing capabilities provided by the Application. In the event that Customer elects not to use such capabilities, Customer agrees and authorizes Impartner to approve all Rewards automatically. Further, Impartner shall have no liability or responsibility to Customer or a Recipient for the timeliness, accuracy, completeness or appropriateness of any data and/or information received by Impartner from Customer, Customer’s systems, other financial institutions or any Payment Processor, including for undelivered Reward payments. If Customer believes or suspects that the Application has been compromised in any manner, or has become known or accessed by an unauthorized person (whether or not employed by Customer), Customer agrees to promptly notify the Impartner. Such compromise or unauthorized access will not affect any Reward payments Impartner instructed a Payment Processor or Customer to make in good faith prior to Impartner’s receipt of Customer’s notification and for a reasonable time period thereafter.
  6. Funding of Reward Payments. Prior to Impartner or its Payment Processor issuing a Reward payment, Customer must approve and provide sufficient funds for the Reward payments. Impartner will invoice Customer for the amount of the Rewards plus any applicable transaction fees as set forth in the Order Form. To expedite Reward payments, Customer may elect to prefund the Rewards account with Impartner on a periodic basis to assure that sufficient funds are available to make Reward payments and pay the applicable fees at the time that the Recipient is eligible to receive the Reward. Impartner will retain an accounting of differences between accumulated funds and Reward payments so that Customer can make adjustments to future prefunding amounts. Upon termination of this agreement, all unused prefunded amounts will be returned to Customer within thirty (30) days of the effective termination date. CUSTOMER AND IMPARTNER AGREE THAT IMPARTNER’S SOLE OBLIGATIONS ARE MANAGING AND FACILITATING THE REWARDS PAYMENTS PROCESS FOR CUSTOMER. ALL REWARDS ISSUED WILL BE APPROVED BY CUSTOMER AND ISSUED TO RECIPIENTS AT THE DIRECTION OF AND ON BEHALF OF CUSTOMER. IMPARTNER SHALL NOT FUND OR PAY ANY RECIPIENTS ON ITS OWN BEHALF OR FOR ITS OWN BENEFIT.
  7. Reward Management and Payment Timing. Impartner will communicate to the Customer, as specified in the Order Form, the amount of Rewards to be paid, the names of the Recipients and the Recipient Information to issue Reward payments. If Impartner is using a Payment Processor to issue Reward payments, Impartner will use commercially reasonable efforts to initiate Reward payments at the mutually agreed intervals. If Rewards are to be issued in cash-equivalents, including checks, ACH (Automated Clearing House), or wire transfers, Impartner will accrue and issue the Reward payments on a monthly basis, unless otherwise agreed upon in the Order Form. Notwithstanding the foregoing, Customer understands that circumstances beyond Impartner’s reasonable control may cause delays in payment, including, but not limited to, acts of god, utility or telecommunications failures, electrical outages, storms or other elements. For certain payment types, actual payment delivery date is dependent upon activities such as Payment Processor schedules, banking system transfer times, or postal service delivery times. For any Reward payment that requires the use of an account name and account number, if the account name and account number do not match, any financial institution involved in the Reward payment may, in its sole discretion, reject the Reward payment or rely solely upon the account number or other identifying number provided by Customer.
  8. Payments Compliance. Customer is solely responsible for determining if a Reward payment or designated Recipient receiving a Reward would violate any provision of any present or future risk control program of the Federal Reserve, Office of Foreign Assets Control (OFAC) policy, Presidential Order, Financial Industry Regulatory Authority (FINRA) policy, any anti-money laundering (AML), anti-terror regulations or other applicable Law. For the purposes of this Exhibit A, “Law” means all federal, state and local laws, statutes, rules, codes, directives, regulations, orders and ordinances, as enacted and/or amended from time to time and any rule, regulation, order, directive or decision of any governing trade association, as enacted and/or amended from time to time, including, as applicable, NACHA, Electronic Check Clearing House Organization, card associations, clearinghouses, networks and/or other associations involved in transactions under this Exhibit A. In addition to the foregoing, Impartner may suspend the Services if: (a) the Reward payment violates, in Impartner’s sole reasonable opinion, any of the foregoing, (b) Customer is in beach of the Agreement or this Exhibit A, (c) Customer has not provided sufficient funds to complete the Reward payment (including applicable fees), (d) Customer has provided insufficient Recipient Information, or (e) Impartner, in its sole discretion, determines that there is or may be compromise of or unauthorized access to the Service.
  9. Currency Exchange Rates. If Customer requests that Impartner calculate Reward amounts in non-US currency, Impartner will calculate estimated amounts that Customer can expect to fund using currency exchange rates publicly available on the date that the Reward to be paid is submitted to Impartner or approved for payment. Notwithstanding the foregoing, if a Recipient is receiving a Reward payment outside of the U.S. in a foreign currency, such Reward payment will be subject to the then-prevailing currency exchange rates at the time a Reward payment is made regardless of any prior estimated amounts provided by Impartner. Customer acknowledges that Reward amounts provided prior to the Reward payment are solely estimates and may not reflect the actual amount that Customer is required to fund. In addition, before releasing foreign Reward payments, Impartner will invoice Customer for expected costs based upon the then-prevailing currency exchange rate plus an additional percentage, up to five percent (5%) (“Float”) to set off any differences between the currency conversion rate at the time of invoice and the rate at the time of expected funding by the Customer and the currency conversion rate at the time of actual release of the foreign Reward payment. Impartner, will retain an accounting of the Float so that subsequent invoices may be adjusted to keep the accumulated Float amount within a reasonable amount. Upon termination of this Exhibit A, any unused Float amounts will be returned to Customer.
  10. Limitation of Liability. Unless as otherwise agreed upon in this Exhibit A, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Exhibit A, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this Exhibit A. For the avoidance of doubt, Impartner’s and its Affiliates’ total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and this Exhibit A shall apply in the aggregate for all claims under both the Agreement and this Exhibit A, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such Exhibit A. Also, for the avoidance of doubt, each reference to the Exhibit A in this Exhibit A means this Exhibit A including its Schedules and Exhibits.
  11. Reporting and Forms. Customer acknowledges that it is not possible for the Services to be free of operator, program or equipment error and that errors in processing and compiling Reward related data may occasionally occur, requiring adjustments. As such, Customer agrees to review and verify all results and to maintain adequate controls for ensuring both the accuracy of data transmissions and the detection of errors. If the Services require Impartner to provide Customer or Recipients, on Customer’s behalf, with reports, forms or other tax documentation, including Form 1099 (“Documentation”) and Customer notifies Impartner within thirty (30) days of receiving the Documentation that such Documentation is not accurate, Impartner may, when Impartner, in its sole discretion, determines it feasible to do so, correct such Documentation and provide the corrected Documentation to Customer. For clarification, any Documentation provided to Recipients by Impartner is on behalf of Customer, and Customer shall be designated as the Payer for the purposes of such Documentation. Customer agrees to pay all fees and amounts incurred by Impartner in providing such Documentation to Recipients. Customer agrees to indemnify, defend, and hold Impartner and its Payment Processors harmless against all claims or actions for an actual or alleged violation of this Section, obligation to report income or payments, and any other losses, liabilities, damages and claims arising from Customer’s failure to properly report taxes under this Exhibit A. This obligation of Customer shall not be subject to any limitation of liability set forth in the Agreement.
  12. Term and Termination. This Exhibit A shall have the same term as the Agreement. This Exhibit A may only be terminated as described in the Agreement.
  13. Effect of Termination or Breach on Reward Payments. In the event of termination or breach of this Exhibit A, Customer shall remain responsible for the funding of any approved Reward payments to Recipients through the effective date of such termination and for all fees and charges for the Services for the processing of Reward payments through and after the effective date of such termination.

Exhibit B: Acceptable Use Policy

This Impartner Acceptable Use Policy sets out a list of acceptable and unacceptable conduct for our Services. Customer is responsible for compliance with this policy. Any violation of this policy is a breach of the Impartner Terms of Use. Capitalized terms used herein shall have the definition assigned to them in the Terms of Use.

Portal Users must do each of the following:

  • Keep passwords and all other login information confidential;
  • Monitor and control all activity conducted through Customer’s account in connection with the Services;
  • Promptly notify Impartner if Customer becomes aware of or reasonably suspect any illegal or unauthorized activity or a security breach involving Customer’s accounts or teams, including any loss, theft, or unauthorized disclosure or use of a username, password, or account;
  • Comply in all respects with all applicable terms of the third party applications, including any that Customer elects to integrate with the Services that you access or subscribe to in connection with the Services. Comply with all third-party terms of use applicable to Customer’s use of the Services, including the terms of this Acceptable Use Policy;
  • Comply with all applicable statutes, ordinances, regulations, rules, orders, treaties, and other laws, including, but not limited to, all intellectual property, security, privacy, and export control laws, and regulations promulgated by any government agencies, including, but not limited to, the U.S. Securities and Exchange Commission, and any rules of any national and other securities exchanges;
  • Upload and disseminate only Customer Data to which Customer owns all required rights under law and under contractual and fiduciary relationships (such as proprietary and confidential information learned or disclosed as part of employment relationships or under nondisclosure agreements) and do so only consistent with applicable law;
  • Use the Services only for the benefit of Customer and only for the purposes requested by the Customer;
  • Use commercially reasonable efforts to prevent unauthorized access to or use of the Services; and

Portal Users may not do any of the following:

  • Upload to, or transmit from, the Services any data, file, software, or link that contains or redirects to a virus, Trojan horse, worm, or other harmful component or a technology that unlawfully accesses or downloads content or information stored within the Services or on the hardware of Impartner or any third party or otherwise may compromise the security of the Services or Impartner’s systems;
  • Attempt to reverse engineer, decompile, hack, disable, interfere with, disassemble, modify, copy, translate, or disrupt the features, functionality, integrity, or performance of the Services (including any mechanism used to restrict or control the functionality of the Services) and any source code associated with the Services, any third party use of the Services, or any third party data contained therein (except to the extent such restrictions are prohibited by applicable law);
  • Interfere with or disrupt the integrity or performance of the Service or any content contained therein;
  • Use the Services to store, upload, or transmit any harassing, offensive, abusive, pornographic, or illegal content or for the purposes of engaging in any harassment, abuse or unethical or illegal activity;
  • Permit any third party that is not an Portal User to access or use a username or password for the Services;
  • Share, transfer or otherwise provide access to an account designated for Customer to another person;
  • Use the Services to store, upload, or transmit any data or other information or content that infringes upon or misappropriates someone else’s trademark, copyright, or other intellectual property right, or any privacy or publicity right, or that otherwise may be tortious or unlawful;
  • Attempt to gain unauthorized access to the Services or related systems or networks or to defeat, avoid, bypass, remove, deactivate, or otherwise circumvent any software protection or monitoring mechanisms of the Services;
  • Access the Services in order to build a similar or competitive product or service or copy any ideas, features, functions, or graphics of the Services;
  • Use the Services in any manner that may harm minors or that interacts with or targets people under the age of thirteen;
  • Impersonate any person or entity, including, but not limited to, an employee of Impartner’s, an Admin User, any Partner, any Impartner customer, or any other portal user, or falsely state or otherwise misrepresent your affiliation with a person, organization or entity;
  • Use the Services to provide material support or resources (or to conceal or disguise the nature, location, source, or ownership of material support or resources) to any organization(s) designated by the United States government as a foreign terrorist organization pursuant to section 219 of the Immigration and Nationality Act or other statutes, regulations, or other laws concerning national security, defense or terrorism;
  • Use the Services to export any information or content to foreign nationals or countries in violation of any export controls, embargoes, or other statutes, regulations, or other laws;
  • Access, search, or create accounts for the Services by any means other than Impartner’s supported interfaces (for example, by “scraping” or creating accounts in bulk);
  • If individual consents are required to collect, use, transfer or otherwise process any data processed by the Services, including data subject to data privacy laws and regulations, Customer shall be solely responsible for obtaining all such consents.
  • Use the Services to send unsolicited communications, promotions, advertisements, or spam unless done so in compliance with applicable data privacy laws and regulations (e.g., CAN-SPAM, CCPA, GDPR);
  • Send altered, deceptive or false source-identifying information, including “spoofing” or “phishing”;
  • Abuse referrals or promotions to get more credits than deserved;
  • Sublicense, resell, or similarly exploit the Services;
  • Use the Services for consumer, personal, or household purposes, as Impartner is solely intended for use by business entities and organizations;
  • Use contact or other user information obtained from the Services (including email addresses) to contact portal users outside of the Services without their express permission or authority, or to create or distribute mailing lists or other collections of contact or user profile information of portal users for use outside of the Services; or
  • Authorize, permit, enable, induce or encourage any third party to do any of the above.

If we believe a violation of this Acceptable Use Policy has occurred, upon providing you with a commercially reasonable opportunity to cure, such cure period to be directly commensurate with the severity of the violation, we may suspend your access to the Services upon providing you with notice and opportunity to cure, or in the event of imminent harm, without providing notice to you.

Exhibit C: Data Processing Addendum

This Data Processing Addendum (“DPA”), is made pursuant to the order form to which it is attached (the “Order Form”), by and between Impartner, Inc. (“Impartner”) and the customer indicated on page 1 of the Order Form (“Customer,” or “Data Controller”). This DPA will govern the Order Form as well as any subsequent order forms, amendments, and/or renewals, unless otherwise expressly agreed in writing between the parties. The Order Form and any exhibits attached thereto, including this DPA, shall be referred to collectively herein as the “Agreement.”

This DPA reflects the parties’ agreement with regard to the Processing of Personal Data. All capitalized terms in this DPA have the meaning assigned to them in the Order Form, Subscription Agreement / Terms of Use, and any other exhibits attached thereto, unless expressly defined otherwise in this DPA. In the event of any conflict/s between the Order Form, Subscription Agreement / Terms of Use, and Data Processing Addendum, unless expressly indicated otherwise, the order of precedence shall be: (i) Data Processing Addendum, (ii) Order Form, (iii) Subscription Agreement. Any exhibits will be incorporated by reference and shall take the precedence of the document to which it has been addended.

In the course of providing the Service to Customer pursuant to the Agreement, Impartner may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

Introduction

A. Customer is a Controller or Processor of certain Personal Data and wishes to appoint Impartner as a Processor or sub- processor to Process this Personal Data on Customer’s behalf.

B. The parties have entered into this DPA to ensure that Impartner conducts such data Processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be Processed.

Definitions

In this DPA, the following terms shall have the following meanings. Other capitalized terms used in this DPA are defined in the context in which they are used or shall have the meanings given such terms in the Order Form or Subscription Agreement.

Applicable Data Protection Law” shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”) and any data protection laws in any European Union Member State including laws implementing such Regulation, (ii) the California Consumer Privacy Act of 2018 (“CCPA”), including any regulations promulgated thereunder, as amended from time to time; (iii) the UK GDPR, and (iv) any other applicable data protection law.

Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

Data Subject” means the identified or identifiable person to whom Personal Data relates.

“EU Standard Contractual Clauses” / “EU SCCs” means Module Two of the standard contractual clauses for the transfer of Personal Data, in accordance with Applicable Data Protection Law, to Controllers and Processors established in Third Countries, the approved version of which is in force at the date of signature of this Agreement that are in the European Commission’s Decision 2021/914 of 4 June 2021, as such standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and as may be amended or replaced by the European Commission from time to time, and as further defined in clause 4 of this DPA.

Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.

Processing” (and “Process“) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Supervisory Authority(ies)” shall carry the meaning of that term in the GDPR.

UK Standard Contractual Clauses” / “UK SCCs” means the standard contractual clauses for controllers to processors approved by the European Commission by way of Commission Decision C(2010)593, as amended by the UK Information Commissioner’s Office for use in a UK context, available on the date of this Agreement at https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx, and as may be amended or replaced by the Information Commissioner’s Office or/and Secretary of State from time to time.

Data Protection

  1. Relationship of the parties. Customer appoints Impartner as a Processor, or service provider, to Process the Personal Data that is the subject matter of the Agreement (the “Data“). Accordingly, the parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Impartner is the Processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. Customer hereby represents and warrants that Customer complies with the requirements in the Applicable Data Protection Law in collecting and transferring the data to Impartner and permitting Impartner to act as a processor of the Data. Customer agrees that it will not disclose any special categories of personal information to Impartner and Customer will indemnify Impartner from any third-party claims against Impartner as a result of such disclosure.
  2. Purpose limitation. Customer hereby instructs Impartner to Process Personal Data and to transfer Personal Data to any country or territory as necessary for the provision of the Service and consistent with the Agreement. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of the Data and the means by which Customer acquires the Data. Impartner shall Process the Data as a Processor only as necessary to perform its obligations under the Agreement, and in accordance with the documented instructions of Customer (the “Permitted Purpose“), except where otherwise required by any EU (or any EU Member State) law applicable to Impartner, in which case Impartner shall to the extent permitted by Applicable Data Protection Law inform Customer of that legal requirement before the relevant Processing of that Data. In no event shall Impartner Process the Data for its own purposes or those of any third party except as set forth in the Agreement. Impartner shall also inform Customer if in its opinion an instruction of Customer infringes or violates Applicable Data Protection Law. Impartner shall not sell the Data, nor process, retain, use, or disclose the Data (i) for any purposes other than the Permitted Purpose, or (ii) outside of the direct business relationship between Impartner and Customer.
  3. Details of the Processing. Annex 1 to this DPA sets out certain information regarding Impartner’s Processing of the Data as required by Article 28(3) of the GDPR. Either party may make reasonable amendments to Annex 1 by written notice to the other party from time to time as such party reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this Section 3) confers any right or imposes any obligation on any party to this DPA.
  4. International transfers. Impartner shall not transfer any Personal Data of European Economic Area (“EEA“) / UK Data Subjects (nor permit such Personal Data to be transferred) outside of the EEA / UK unless (i) it has first obtained Customer’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission / UK authorities have decided provides adequate protection for Personal Data, or to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed the Standard Contractual Clauses adopted or approved by the European Commission / UK Secretary of State or the UK Information Commissioner (and approved by the UK Parliament). Partner hereby consents to the transfer of Personal Data to Impartner in the United States and the parties agree that the EU / UK Standard Contractual Clauses will apply to any such transfer, as appropriate.

A. The EU SCCs shall be deemed incorporated in this Agreement as follows:

    • Clause 7 of the EU SCCs, the “Docking Clause (Optional)”, shall be deemed incorporated;
    • in Clause 9 of the EU SCCs, the Parties choose Option 2, ‘General Written Authorisation’, with a time period of 10 days;
    • the optional wording in Clause 11 of the EU SCCs shall be deemed not incorporated;
    • in Clause 17 of the EU SCCs, the Data Exporter and Data Importer agree that the EU SCCs shall be governed by the laws of the Netherlands and choose Option 1 to this effect;
    • in Clause 18 of the EU SCCs, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Netherlands;
    • Annexes I.A, I.B, I.C, II and III of the EU SCCs shall be deemed completed with the information set out in Annex 1, Annex 2 and Annex 3 to this DPA.

B. Where the UK SCCs apply (i.e., for transfers from UK to countries, which were not recognized as providing adequate protections by UK authorities), they will be deemed incorporated in this Agreement as follows:

    • in Clause 9 of the UK SCCs, the Parties agree that UK SCCs shall be governed by the laws of the United Kingdom.
    • in Clause 12 of the UK SCCs, the Optional “Indemnification” and “Priority of standard contractual clauses” Clauses are deemed not incorporated;
    • Annex 1 and 2 of the UK SCCs shall be deemed completed with the information set out in Annex 1 and Annex 2 of this DPA; and
    • in light of the obligations of the parties under UK SCCs, read in light of the Schrems II judgment issued by the Court of Justice of the European Union on July 16, 2020 (“Schrems II”), in regard to the transfer of personal data by Data Exporter from the UK to Data Importer located outside the UK in countries, which were not granted an adequacy decision by the UK Secretary of State (“Third Country”), parties hereby warrant to honour the supplementary safe-guards, as outlined in Annex 4 to UK SCCs, which forms its integral part. For the avoidance of doubt, this clause shal be referred to as the Supplementary Safeguards clause. In case of conflict between this Supplementary Safeguards Clause, and the UK SCCs, the UK SCCs shall prevail.
  1. Confidentiality of Processing. Impartner shall ensure that any person that it authorizes to Process the Data (including Impartner’s staff, agents and subcontractors) (an “Authorized Person“) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Data who is not under such a duty of confidentiality. Impartner shall ensure that all Authorized Persons Process the Data only as necessary for the Permitted Purpose.
  2. Security. Impartner shall implement appropriate technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Incident”). Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include those listed in Appendix 2.
  3. Sub-processing. Impartner may subcontract any processing of the Data to a third-party subcontractor (“sub-processor“) in accordance with the Applicable Data Protection Law. Customer hereby specifically authorizes the engagement of Impartner’s current sub-processors as identified on Annex 3. Impartner will impose data protection terms on its sub-processors to the same standard as provided for by this DPA. In the event that Impartner desires to add or replace any sub-processor, Impartner will provide at least 10 days’ prior notice of the addition or replacement of any sub-processor (including details of the processing it performs or will perform). Customer may object to Impartner’s addition or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. Customer consents to Impartner engaging other third party sub-processors to Process the Data provided that: (i) Impartner obtains Customer’s written consent; (ii) Impartner imposes data protection terms on any sub-processor it appoints that protect the Data to the same standard provided for by this DPA; and (iii) Impartner remains fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-processor. Customer may object to Impartner’s appointment or replacement of a third- party sub-processor, provided such objection is on reasonable grounds relating to the protection of the Data. In such event, Impartner will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate this DPA and the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination). Customer will not directly communicate with Impartner’s sub-processors about the Service unless agreed to by Impartner.
  4. Cooperation and Data Subjects’ rights. Impartner shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Impartner, Impartner shall promptly inform Customer. To the extent legally permitted, Customer shall be responsible for any costs arising from Impartner’s provision of the assistance described in this paragraph. Communications pertaining to the foregoing shall be sent to dataprocessing@impartner.com.
  5. Data Protection Impact Assessment. If Impartner believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Customer and provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
  6. Security incidents. Upon becoming aware of a Security Incident, Impartner shall inform Customer without undue delay after becoming aware of the Security Incident, and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Impartner shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer apprised of all developments in connection with the Security Incident.
  7. Deletion or return of Data. Upon termination or expiry of the Agreement, Impartner shall (at Customer’s election) destroy or return to Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for Processing). This requirement shall not apply to the extent that Impartner is required by any EU (or any EU Member State) law to retain some or all of the Data.
  8. Audit. Impartner will submit to audits and inspections in relation to the Processing of Data, at Customer’s sole cost and expense, and will provide Customer with whatever information it needs to ensure that they are both meeting their obligations under Article 28 of GDPR. Customer agrees that its requests to audit Impartner may be satisfied by Impartner presenting up- to-date attestations, reports or extracts from independent bodies, including without limitation external or internal auditors, Impartner’s data protection officer, data protection or quality auditors or other mutually agreed to third parties) or certification by a regulatory body by way of an IT security or data protection audit. Customer shall not exercise its audit rights under this DPA more than once per year, and no such audit may be exercised in a manner that (i) disrupts Impartner’s normal business operations, or (ii) causes Impartner to breach any obligation of confidentiality to another customer or to any other third party, whether imposed by regulation or contract.
  9. Sub-processor Audits. Customer may not audit Impartner’s sub-processors without Impartner’s and Impartner’s sub- processor’s prior agreement. Customer agrees that its requests to audit sub-processors may be satisfied by Impartner or Impartner’s sub-processors presenting up-to-date attestations, reports or extracts from independent bodies, including without limitation external or internal auditors, Impartner’s data protection officer, the IT security department, data protection or quality auditors or other mutually agreed to third parties) or certification by way of an IT security or data protection audit. Onsite audits at sub-processors premises may be performed by Impartner or a mutually agreed to auditor under a confidentiality agreement acting on behalf of Customer.
  10. Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
  11. Processing for Statistical Purposes. Impartner may Process Data for statistical purposes following the termination or expiration of the Agreement. Any such Processing shall be subject to appropriate safeguards, as provided in Article 89 of the GDPR, for the rights and freedoms of the Data Subject. Those safeguards will ensure that technical and organizational measures are in place in particular in order to ensure respect for the principal of data minimization. Those measures may include pseudonymization or that the Processing does not permit the identification of Data Subjects.
  12. Miscellaneous:

A. Headings. Headings in this DPA are for convenience of reference only and will not constitute a part of or otherwise affect the meaning or interpretation of this DPA.

B. Entire Agreement. This DPA (including all schedules and appendices thereto) and the Agreement constitute the entire agreement between the parties relating to the subject matter of this DPA and supersede all prior agreements, understandings, negotiations and discussions of the parties in relation to the subject matter of this DPA.

C. Severability. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such phrase, clause or provision, and the rest of this DPA will remain in full force and effect.

D. Notices. Any notice or other communication under this DPA given by either party to the other will be deemed to be properly given if given in writing and delivered (i) in person, (ii) by electronic mail to the email addresses agreed to between the parties, or (iii) in accordance with the Notice provision of the Agreement. Either party may from time to time change its address for notices under this Section by giving the other party notice of the change in accordance with this Section.

E. Third-party Rights. The provisions of this DPA will endure to the benefit of and will be binding upon the parties and their respective successors and assigns.

F. Counterparts. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Execution of an Agreement incorporating the terms of this DPA shall be deemed to be execution of this DPA including all attachments.

G. Governing Law. This Addendum will be governed by and construed in accordance with the governing law of the Agreement, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Law(s) require otherwise, in which event this DPA will be governed in accordance with Applicable Data Protection Law.

H. Signatures. This DPA has been signed on behalf of each of the parties by a duly authorized signatory.

Data Controller and Impartner agree that they have caused this Agreement to be executed by their duly authorized representatives by virtue of their signature on a corollary Order Form.

ANNEX

Annex 1: Details of Processing of Personal Data

A. LIST OF PARTIES

1. Data exporter(s):

Name: Party identified as Customer in the DPA

Address: The address listed on page 1 of the Order Form

Contact Person’s name, position and contact details: Listed on page 1 of the Order Form

Activities relevant to the data transferred under EU/UK SCCs: Primary business point of contact for relationship with Data Importer.

Signature and date: Reflected in DPA

Role (controller/processor): Controller

2. Data importer:

Name: Impartner, Inc.

Address: 10619 South Jordan Gateway Suite 200, South Jordan, UT 84095

Contact Person’s name, position and contact details: Zachary R. Burd, Senior Director, Legal and Business Affairs, dataprocessing@impartner.com

Activities relevant to the data transferred under EU/UK SCCs: Responsible for Data Importer’s data privacy program

Signature and date: Reflected in DPA

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred:

Customer may provide Impartner, or allow Impartner access to, Personal Data associated with the following categories of Data Subjects:

    • Employees, agents, advisors, subcontractors or contact persons of Customer;
    • Customer’s clients, channel partners, prospects, business partners, and vendors (who are natural persons);
    • Other authorized users of the Services.

Categories of Personal Data transferred:

The personal data transferred concern the following categories of data:

    • Personal details, names, user names, passwords, email addresses of users
    • Personal data within emails which identifies or may be reasonably linked or linkable to an individual
    • Data Subjects’ metadata including sent, to, from, date, time, subject which may be considered Personal Data
    • File attachments sent by Data Exporter or Data Exporter’s partners which may contain Personal Data
    • Personal Data sent by users of their own accord in free text fields or in files uploaded
    • Personal Data Information offered by users as part of support enquiries
    • Technical operational data including without limitation IP addresses, logins, search queries; which may include Personal Data
    • Other data added by Controller from time to time

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Data Exporter agrees that it will not disclose any special categories of Personal Data or Personal Data classified as “sensitive” (or similar classification) to Data Importer.

The frequency of the transfer

Data Exporter transfers Personal Data as often as necessary to adequately provide Services outlined in the Agreement. This may involve transfers in multiple instances, e.g., to update recipient lists at which Services are aimed.

Nature and purpose of the processing

Data Importer is engaged to provide the Services to Data Exporter which involve the Processing of Personal Data. The scope of the Services is set out in the Agreement, and the Personal Data will be Processed by Data Importer to deliver those Services and to comply with the terms of the Agreement and this DPA.

The period for which the personal data will be retained

The Personal Data will be retained per the requirements of the Subscription Agreement and this DPA, and shall be as long as necessary to perform the Services. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Subject matter and nature of transfers to sub-processors are outlined in Annex 3 of the DPA, for each relevant sub-processor. Duration of transfers is same as the duration of transfers to the Data Importer.

C. COMPETENT SUPERVISORY AUTHORITY

For purposes of the EU SCCs, the competent supervisory authority is the Dutch Data Protection Authority, unless expressly agreed otherwise in the DPA.

Annex 2: Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

This Annex forms part of the DPA and EU/UK SCCs and must be completed by the parties.

The below includes description of the technical and organizational security measures implemented by the Data Importer in accordance with UK SCCs Clauses 4(d) and 5(c) (or document/legislation attached):

Overview

This document serves as an overall listing of the controls in place at Impartner to maintain the security of our office and data. Impartner follows the COSO framework for organizational controls. These controls are always in force and audited for compliance at least annually by a certified public accounting firm. They form the backbone of our SOC 2 processes.

Management

Impartner management is ultimately responsible for overseeing these controls. On a semi-annual basis each control owner is required to review the controls under their jurisdiction. Management observes the controls in action over the course of the year to ensure functionality and to recommend changes where needed. 

Definitions

  • Company – Company is defined as Impartner, Inc.
  • Client – Client is defined as any user of Impartner systems.

Integrity and ethical values

Control Description

  • The Company’s views on personal and corporate integrity and ethical values, along with guidelines for employee conduct are contained within the Code of Conduct. The Code of Conduct provides a framework for how employees conduct business and perform their duties.
  • The Company maintains a Contractor Agreement, which outlines the Company’s associated standards of conduct. Third-party contractors working on behalf of the Company are required to read, accept, and abide by the Agreement before commencing work.
  • Background checks are performed on all new employees using a third-party service. The results are reviewed by HR for appropriateness and appropriate action is taken, as deemed necessary.
    According to the Code of Conduct, Company personnel witnessing any improper behavior should report such incidents promptly to management and/or HR.
  • On an annual basis, all relevant employees are subject to a formal performance review to assess the employee’s performance in their current roles and to identify opportunities for growth and job performance improvement.
  • The Code of Conduct reiterates that employees who violate company policies are subject to appropriate disciplinary action up to and including termination.

Board oversite and development of controls

Control Description

  • The Company is managed by a Board comprised of key investors who are independent of day-to-day management of the Company and the founders/executives. The Board is governed by a charter, meets in executive session on a quarterly basis, and retains full and free access to officers, employees, and the books and records of the Company. The Board and its committees have authority to hire independent legal, financial, or other advisors as deemed necessary or appropriate in the discharge of their duties, including oversight of the development and performance of internal control.
  • Quarterly, the Board meets with members of executive management to discuss operational and financial results and significant matters, risks, and issues facing the Company.

Management reporting lines and responsibility over objectives

Control Description

  • HR maintains formal organizational charts to clearly identify positions of authority and the lines of communication and escalation.
  • Employee duties and responsibilities are defined and communicated through job descriptions and policies and procedures.
  • Job descriptions exist for common positions and are periodically reviewed by HR and management for accuracy and updated as needed.
  • The Company maintains an internal control policy which outlines management’s responsibility regarding internal controls, frameworks, audit observations (from internal and external sources), and remediation of findings. The policy is reviewed and approved by the Audit and Risk Committee on an annual basis.
  • The responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving relevant system controls is assigned to appropriate personnel with authority to perform their related duties.
  • The Company maintains a third-party (vendor) risk management policy, which outlines the policies, procedures, and responsibilities associated with onboarding new vendors and monitoring existing vendors who will have access to Company’s customers’ personal information, including their implementation and execution of applicable internal controls. The policy is reviewed and approved by a member of InfoSec on an annual basis.
  • On a periodic basis, control owners sign an acknowledgement form, certifying that they have read applicable SOC control descriptions and, as needed, narratives, and understand their related process and control responsibilities. Desired updates, if any, are communicated to applicable internal and external (auditors) personnel to update appropriate documentation.

Employee recruitment, retention, and training

Control Description

  • Internal policy and procedure documents relating to security and availability are maintained and made available on the Company’s box.com site. The policies are reviewed and approved by a member of IT management on an annual basis.
  • The Company maintains policies related to computer usage and security awareness, which reflect its commitment to provide training to its employees on guarding against, detecting, and reporting malicious software that poses a risk to the Company’s information systems.
  • In accordance with the policies and the annual security awareness training, Company personnel are trained on appropriate computer usage and security awareness. Company personnel are instructed to notify IT immediately of any abnormal system behavior or suspicion of a threat.
  • Job requirements are documented in formal job descriptions. Prior to fulfilling positions within the Company, management evaluates a candidate’s abilities and background (experience, education, training, etc.) to meet the requirements of the position.
  • IT provides company-wide security awareness training to all new employees upon hire, and to all company personnel at least once per calendar year, to help employees understand their obligations and responsibilities to comply with the Company’s security and confidentiality policies and procedures, including the identification and reporting of incidents.
  • The Company provides on-the-job training and/or external training of new hires and/or existing employees, as deemed necessary, to empower them with the skills needed to carry out job responsibilities, as they relate to security and availability.
  • As part of its ongoing efforts in business planning, budgeting, and risk assessments, senior management evaluates the need for additional tools and resources in order to achieve its business objectives.
  • Before the Company engages or otherwise works with relevant vendors/third parties (e.g., colocation facilities), the Company requests and reviews relevant supporting documentation and information (e.g. business licenses, entity standing, industry standard assurance/attestation reports, inquiries, completed questionnaires) before engaging in a business relationship. Entities found to be lacking in or non-compliant with relevant commitments and requirements (e.g., security, availability) and other relevant policies and procedures are refused.
  • Formal agreements are in place with relevant vendors and third parties. The agreements establish, as applicable, the commitments and requirements of the vendor or partner, such as the scope of services and product specifications, roles and responsibilities, compliance and control requirements (e.g., security, availability), and service level expectations. These agreements require the vendors to notify Company personnel should a security incident occur involving PRM data and/or services.
  • The Company evaluates relevant service providers (e.g., colocation facility, cloud providers) annually in accordance with its vendor management process. Relevant supporting documentation and information (e.g. industry standard assurance/attestation reports (e.g., SOC 2), inquiries, completed questionnaires) are obtained and assessed to (a) re-evaluate the services provided and identify any new risks arising from the relationship, b) evaluate the appropriateness and effectiveness of relevant vendor controls and the impact of control exceptions, if known, and c) validate the Company is adhering to relevant complementary user-entity control considerations, if any.

    Results of the evaluations are included in threat/risk analysis discussions for planning and possible mitigation, where deemed necessary.

Generation and use of quality information

Control Description

  • The Company has a dedicated technology support team, consisting of development, IT, and Quality Assurance personnel, which is focused on maintaining the quality of internal information systems.
  • In support of Company initiatives (e.g., SOC), the Company has designed, documented, and implemented IT General Controls (change management; logical and physical access and security; and computer operations) over its relevant information systems to support automated control activities and the quality of information captured, generated, processed, and/or stored therein.
  • The Company maintains a master list of all relevant spreadsheets and system-generated reports/information from internal and external sources used in support of the performance of internal control (IT-dependent manual controls) related to the PRM Application System. The master list is updated as needed, but formally reviewed by applicable department management on an annual basis to ensure completeness and accuracy. On the list, management also specifies how it obtains reasonable assurance that the information being used is sufficiently reliable (e.g., completeness, accuracy, level of detail, change-control) for its intended purpose.

Internal communication of objectives and responsibilities

Control Description

  • The Company maintains an information security incident management policy. The policy defines the protocols for identifying, reporting, investigating, responding to, mitigating, communicating, and documenting suspected or known security incidents and is made available to relevant internal users in the Company’s Box.com site.
  • The Company maintains documentation of system and service descriptions outlining relevant aspects of the design and operation of the system, its boundaries, and components. Documentation is available to relevant internal and/or external users through PRM support pages, the Company’s box.com site, master IT system asset listings, and system/network diagrams.
  • Changes that may affect the Company’s security and/or availability commitments and requirements and/or the related responsibilities of internal or external users are communicated directly to the relevant users (via means such as PRM messages, support pages, and user guides; broadcast emails; direct outreach by Project Managers; department meetings; and/or educational events).
  • For user story requests, authorization is given by the Product Owner or management to ensure they meet user needs and the PRM design vision. For reported bugs, authorization occurs once the bugs are verified by internal personnel or automation processes.

External communication of internal controls

Control Description

  • The Company communicates its security and availability commitments regarding the system to external users via the Subscription Agreement (Terms of Use) and Privacy Policy, which are posted on the Company’s website.
  • External user roles and responsibilities are communicated via several mediums, including the Subscription Agreement (Terms of Use) and Privacy Policy, which are posted on the Company’s website.
  • Support contact information is readily available to customers through the Company’s website and other Company-provided documentation (e.g., training documentation, Subscription Agreement (Terms of Use)). Customers and/or associated users are encouraged to contact appropriate. Company personnel if they become aware of items such as operational or security failures, incidents, system problems, concerns, or other complaints.

Identification and assessment of risks

Control Description

  • The Executive Team maintains a strategic plan, which includes department objectives and goals for the coming year. Consideration is given to operational, reporting (external financial, external non-financial, and internal), and compliance objectives.

    At least quarterly, the Executive Team meets to monitor progress against the Company objectives/goals and to discuss specific business developments, department results, and various risks and opportunities facing the Company.

  • Management communicates business objectives and goals to all team members through various means, including quarterly Company-wide meetings, Company-wide emails, and other messaging systems, as appropriate.
  • The Company has established a Security Council, consisting of members of the IT Operations, Development, Dev/Ops, and Security teams. The Security Council meets regularly to evaluate whether the Company’s security initiatives are aligned with operational risks, objectives, and goals.

Risk analysis and management

Control Description

  • The Company maintains master lists of IT system components (e.g., servers, software, network devices) supporting PRM. The lists are reviewed and updated as needed, but at least annually, for completeness and accuracy.
  • At least annually, the Company performs a formal risk assessment, which includes the identification of relevant internal and external threats (including those arising from customers and the use of vendors/third parties) to system components, an analysis of the risks associated with the identified threats, the determination of appropriate risk mitigation strategies (including procedures over assessing and monitoring vendors/third parties), and the development or modification and deployment of controls consistent with the risk mitigation strategy.

Fraud assessment

Control Description

  • As part of the Company’s formal risk assessment, management identifies fraud risks and assesses the likelihood of occurrence and potential impact on the Company’s operational, reporting, and compliance objectives.

Identification of changes that impact the system

Control Description

  • Several mediums, such as the formal risk assessment process, quarterly Board of Directors meetings, weekly Executive management team meetings, industry (including security) news feeds/resources, and customer security questionnaires (in RFPs), assist Company personnel in identifying relevant changes (e.g., environmental, regulatory, technology) that could impact business objectives; commitments and requirements to security and availability; and internal and external operations. In response to relevant changes, the risk assessment and related mitigation strategies are updated where deemed necessary.

Evaluation of the effectiveness of controls

Control Description

  • As part of the risk assessment and mitigation processes, the Company identifies, designs, develops, and implements key controls where deemed necessary. The Company uses several mediums, including customer feedback, application / system security and performance monitoring, and internal performance reviews, to monitor the overall effectiveness of its underlying control environment. Identified discrepancies are appropriately investigated and, where needed, resolved. The resolution of such discrepancies may include updating the risk assessment and related mitigation strategies.
  • The Company employs host and network-based intrusion detection/intrusion prevention (IDS/IPS) systems and logging and monitoring software to a) collect data from PRM application and supporting infrastructure components (e.g., servers, databases, network devices) and endpoint systems, b) monitor the related systems for security and operational matters (e.g., latency, throughput, uptime, utilization), and c) detect unusual system activity. Based on configured events, the software systems automatically generate email, console, and/or MS Teams alerts to IT support personnel for further investigation and, if needed, resolution.
  • On an annual basis, IT personnel review production servers and network devices to ensure relevant configuration settings are maintained in accordance with the current hardening policy and procedure document and out-of-compliance configurations are appropriately corrected.
  • Quarterly vulnerability scans and annual third-party penetration tests are performed on Impartner’s core applications to identify vulnerabilities and variances from Company standards. Results are evaluated by appropriate personnel and remediation actions are performed, where deemed appropriate.

Internal communication of control deficiencies

Control Description

  • The Company uses a Third-party service to actively forward relevant system alerts to on-call personnel. At any given time, there are three individuals on call: a primary contact, a backup contact, and an escalation contact. The on-call rotation includes at least one member of the Operations team at all times.

Protection of information assets

Control Description

  • The Company maintains a Hardening Policy, which establishes internal standards for asset hardening and configuration (e.g., access and service restrictions, logging and monitoring mechanisms (including host-based agents), patching). The Policy is reviewed and approved by a member of IT management on an annual basis.
  • Firewalls are implemented at external points of connectivity and network segment boundaries (DMZ, internal) and are configured (e.g., access control lists, rules) to protect against unauthorized external access. Firewall rules are restrictive by default, and are configured to restrict connectivity and data flow to pre-approved network destinations and ports.
  • Traffic flowing to PRM also passes through a web application firewall designed to inspect traffic for malicious content and mitigate or prevent denial-of-service attacks.
  • Customers do not have direct access to the PRM database. Customers authenticate to PRM which connects to the production database via a restricted private connection.
  • A unique user ID and password are required to access PRM. PRM provides Customers the ability to set their own password policies within PRM, including Expiration, History, Minimum Length, Complexity, Login attempts and Lockout duration.
  • In order to remotely access relevant production network devices and PRM systems (web, database, and support services servers; and the database), users must pass through several layers of authentication. First, users must connect to the corporate network through a local physical connection, corporate WiFi via LDAP authentication, or VPN via a username and two factors of authentication. Next, users authenticate at the system or device layer using a separate username and password.

    Password parameters are configured according to the Company’s password policy and include, where system functionality permits, settings such as minimum length, complexity, expiration, history, and lockout.

  • Internal user account passwords for PRM web, database, and support services servers are stored in an encrypted hash.
  • Customers’ PRM account passwords are hashed and salted in accordance with industry standards.
  • External access to PRM is restricted through the use of user authentication and a minimum of TLS encryption. TLS is used during customer logins and throughout customer sessions, providing encryption of data transmissions between customer browsers and PRM application servers.

    In addition, VPN, TLS, SSH, and/or other encryption-based technologies are required for communications between other remotely accessible endpoints and the systems and users connecting to them.

  • The Company uses a combination of private circuit technologies (IPsec and a private leased layer 2 connection) in order to protect data transmitted between its facilities (corporate office, colocation facilities).
  • The PRM database is encrypted at rest using full-disk encryption.
    Database and file backups are encrypted at rest and access to the backups is restricted to appropriate IT personnel.
  • PRM supports the use of role-based security, allowing customer account administrators the capability to assign pre-defined access levels (roles) and associated permissions to applicable users, based on job functions.
  • Administrative access to the production network domain, network devices, PRM super user functionality, and PRM supporting systems (web, database, and support services servers; database; SparkPost; and cloud storage) is restricted via logical access rights to appropriate IT administrators / support personnel and required system accounts. Access is granted on a minimum necessary basis in order for Company personnel to effectively carry out job functions and responsibilities.
  • Company access to view or manage customer instances of PRM is restricted via logical access rights to appropriate support personnel.

Control of access to the system and supporting services

Control Description

  • Requests for new or modified access to the production network domain, network devices, PRM super user functionality, and PRM supporting systems (web, database, and support services servers; the database; SparkPost; and cloud storage) are approved by an appropriate supervisor before access is granted. System administrators provision access rights that are in accordance with the request and/or are commensurate with the user’s job responsibilities.
  • As part of the onboarding process for PRM, an administrator account is created for the customer’s primary contact, enabling him/her to manage all customer user accounts going forward. In order to log in, the user must change the initial password, thus preventing Company personnel from using that password to access the customer’s application instance.
  • The Privacy Policy, which is posted on the Company’s website, instructs external users to maintain the secrecy of their PRM passwords and account information.

    Additionally, account sharing of end-user-based accounts on internal systems is prohibited (unless exempted by management) by internal policies. The policies also state that violators may be subject to appropriate disciplinary action

  • In accordance with the Company’s Hardening Policy, only system/service accounts that serve a valid business purpose are enabled on production servers, databases, and network devices, and default (built-in) passwords have been changed where applicable.
  • HR personnel notify IT system administrators of employee terminations. Upon notification, system administrators proceed to disable/delete the employee’s access to applicable systems, including the production network domain, network devices, PRM super user functionality, and PRM supporting systems (web, database, and support services servers; the database; SparkPost; and cloud storage). A checklist listing relevant Company systems is utilized in the process to ensure that access rights are checked and, where applicable, disabled/deleted.
  • Passwords to sensitive built-in administrator and other master-level accounts are changed in a timely manner when an employee with knowledge of them departs or changes roles and no longer needs such access. A checklist listing all relevant systems, utilities, and colocation facilities is utilized in the process to ensure all accounts are appropriately updated.
  • All production network domain accounts that are inactive for 90 days are automatically disabled. If the accounts are still inactive after 180 days, notification is sent to IT management for review.
  • On an annual basis, a user account audit of the production network domain, network devices, PRM super users, and PRM supporting systems (web, database, and support services servers; the database; SparkPost; and cloud storage) is performed by a member of IT management to validate the ongoing appropriateness of all internal accounts and related access levels.

Physical access

Control Description

  • All new requests for access to the colocation facilities must be approved by a member of IT senior management.
  • Upon notification of an applicable employee termination, the Sr. Director of IT or other authorized Company account administrator updates the master access list at the colocation facilities to disable the employees associated physical access rights.
  • On a semi-annual basis, the list of personnel with physical access rights to the colocation facilities are reviewed by a member of IT senior management to validate the ongoing appropriateness of access.

Asset management

Control Description

  • The Information Security team maintains an End of Life Policy, which outlines the policies governing the disposition of obsolete or unwanted IT assets and any accompanying software and data stored therein.
  • IT maintains a master list of relevant IT hardware assets. As IT assets containing sensitive software and/or data are deemed end-of-life and ready for sale or disposal, the storage media is removed and securely wiped. The master list is updated to reflect the actions taken on disposed assets.

Logical access

Control Description

  • The Sr. Director of IT reviews configured firewall rules on a semi-annual basis for appropriateness and adherence to Company standards. Requests for changes, if any, are documented and submitted to appropriate network personnel for implementation.

Data movement

Control Description

  • The Company maintains policies relating to data transmission and storage, which prohibit the transmission of sensitive information over the Internet or other public communication paths (for example, e-mail), unless it is encrypted. In addition, these policies prohibit the storage of customer information on removable media, mobile devices, or other unencrypted end-user storage media.

Unauthorized or malicious software

Control Description

  • Endpoint security software has been implemented to assist Company personnel in preventing, detecting, and analyzing security-related events, including the introduction of potentially malicious software, on end-user systems and production servers. Endpoints are configured to receive updated threat and virus signatures from the vendor continuously. The software sends a consolidated report to IT at least daily outlining threats detected on relevant endpoints, action taken, etc. Relevant issues are appropriately investigated and, if needed, resolved.

Patch management

Control Description

  • The Company maintains a patch management policy, which establishes internal standards for identifying, evaluating, and implementing patches to remediate relevant vulnerabilities. The policy is reviewed and approved by the Sr. Director of IT on an annual basis.
  • IT monitors the availability of patches to network devices and PRM supporting systems (web, database, and support services servers) on a daily basis. Relevant patches are applied in a timely manner, in a phased approach starting with non-production network devices and servers to assess the potential for service disruptions before application to the production servers.

Incident management

Control Description

  • For security events deemed to be an “incident,” as defined in the Incident Response Policy, the Security Incident Response Team is activated and executes the incident response program, which includes analysis, containment, eradication, recovery, communication to affected parties (internal and external), and post-incident activity, as appropriate. Details of key information gathered and actions performed relating to the incident and associated response are documented in an Incident ticket.
  • The Company’s IT team performs periodic tabletop incident response simulations to test the Company’s Security Incident Response Plan, taking into account the threat, likelihood, magnitude, business impact analysis, availability, etc. The Security Incident Response Plan and related policies / processes / systems are revised, as needed, based on the test results.
  • At least annually, the Company tests its ability to failover PRM to the disaster recover colocation facility.

Change management

Control Description

  • The Company maintains a formal application change management policy, which outlines considerations for planning, design, testing, implementation, and maintenance of changes.
  • For each change, automated application regression tests are performed to identify common issues.
  • Application-related changes are appropriately tested by Quality Assurance (QA) personnel prior to implementation in production.
    Changes are approved by appropriate personnel, as defined in the application change management policy, prior to implementation in production.
  • For PRM and its related database, separate development, test, and production environments exist in support of the Company’s application change management process.
  • PRM changes are deployed to production servers by appropriate personnel, who are separate from the development function.
    PRM code can be rolled back as needed during and after deployment.
  • The Company maintains a formal infrastructure change management policy, which defines the relevant types of changes that can be made to the Company’s infrastructure and sets forth the procedures for the associated testing, approval, and documentation. The policy is reviewed and approved on an annual basis by a member of IT for ongoing appropriateness.
  • During the ongoing risk assessment processes and the periodic planning and budgeting processes, infrastructure, data, software, and procedures are evaluated for needed changes. Change requests are created where appropriate.
    When relevant system deficiencies are identified, change requests are generated, analyzed, prioritized, assigned, authorized, tested, approved, and implemented in accordance with the Company’s change management procedures.

Risk mitigation

Control Description

  • The Company maintains a Disaster Recovery policy, which outlines tasks and procedures to be executed for disaster recovery, to minimize the amount of downtime caused by a disaster.
  • The Company maintains a formal Backup Policy, which is reviewed and approved by the Sr. Director of IT on an annual basis.
  • PRM production runs in a redundant environment with clusters of servers, enabling load balancing and continued operation in the event of a logical or hardware failure of any given server.
  • The Company currently contracts with Flexential, utilizing two geographically distinct colocation facilities. The Company mirrors production technology and functionality (e.g., software, systems, data) between the facilities to permit the resumption of PRM operations in the event of a disaster at the production facility.
    On a daily basis, incremental and/or full backups of production network device configurations and PRM data and locally-stored customer files are generated, stored locally to disk, and subsequently copied to tape.
    IT monitors the backup and copy processes for completion using log files and/or automated email alerts. Issues are appropriately investigated and, if needed, resolved.
  • PRM production databases and website content reside at the production Flexential colocation facility (in Las Vegas) or the Azure IaaS and are replicated, in real-time, to redundant hardware sets both locally and at either the disaster recovery Flexential colocation facility (in SLC), or multi-zone Azure IaaS facilities.

    Email alerts are automatically sent out by monitoring utilities in the event of a replication issue or noteworthy lag. Issues are appropriately investigated and, if needed, resolved by IT and/or database personnel.

  • The Company tests its ability to restore PRM database data quarterly, and customer files semi-annually, from backup data.
  • The Company has established an Insurance Committee headed by the CFO which meets at least annually with a broker to review the insurance coverage of the business, taking into account risks that may threaten achievement of applicable Company objectives. The Insurance Committee makes appropriate changes to the insurance coverage, as deemed necessary.

Capacity management

Control Description

  • Monitoring software is used to track processing, storage, memory, and other system performance metrics and demands in PRM and compare them to historical trends on an ongoing basis. Based on pre-defined capacity thresholds, the software automatically generates email and logged alerts to IT support personnel for further investigation. Significant events (e.g., increasing trend in usage) are further discussed in the weekly Engineering meeting. Change requests are initiated as needed to maintain or improve the system.
  • The Company maintains a master list of PRM system components at its production and disaster recovery locations. The list includes information about hardware assignment and redundancy.

Annex 3: Vendor’s Sub-Processors

Flexential: Located in Salt Lake City, Ut and Las Vegas, NV

  • Colocation services with no logical access to data
  • Partner portals are hosted at these sites

Azure: Located in US-West-2 availability zone (Portland OR)

  • Hosts main database and PRM admin portal with PRM microservices
  • No logical data access

Amazon Web Services (AWS): US-West zone

  • Hosting microservices
  • No logical data access.

Auth0: Located in multiple AWS US zones

  • Provides Identity Provider services with logical access to usernames

Wasabi: Located in Azure US-west zone

  • Provides offsite backup data storage

 Google Analytics: Processes data at numerous Google data centers in the U.S.

  • Provides web analytics for Impartner’s customers to analyze portal activity

 New Relic: Colocation services in Chicago, IL and Multiple AWS US zones

  • Provides aggregate performance metrics for Impartner engineers to identify and troubleshoot tech issues
  • No logical data access

 Linode: Located in London, UK

  • Provides Internet as a Service (IaaS) for News on Demand and Social on Demand
  • No logical data access

 Otava: Located in Ann Arbor, MI

  • Provides IaaS for Impartner Referral
  • No logical data access.

 SolarWinds Papertrail: Numerous data centers in the U.S.

  • Log aggregation and alerting to detect anomalies and debug technical issues

 Vertical Response: Located in San Francisco, CA

  • Provides email services for TCMA email marketing functionality
  • Has access to Partners’ client lists provided by Partners either directly to Vertical Response or via Impartner

Mailgun Technologies Inc.: San Antonio, TX HQ; Configured to process EU Data solely in EU.

  • Provides email services for Impartner’s News On Demand and Social On Demand products
  • Has access to Customer’s partner lists if Customers utilize Impartner’s News on Demand or Social On Demand products

Annex 4: Supplementary Safeguards

This Annex is integrated into the UK SCCs (hereinafter “Clauses”) by reference.

Pursuant to the Supplementary Safeguards Clause, parties to UK SCCs hereby warrant the following: 

  1. In the event that Data Importer receives a request from any law enforcement authority of a Third Country for disclosure of personal data processed under these Clauses in such Third Country, it will use every reasonable effort to redirect such authority to request data directly from the relevant Data Exporter.
  2. In the event that Data Importer is served with legally binding requests by any law enforcement authority in Third Country for disclosure of personal data in such Third Country, it will notify the relevant Data Exporter without undue delay. Such notification shall include information available to Data Importer.
  3. In the event that the Data Importer in Third Country becomes aware of any direct access by local public authorities regarding such personal data, it will notify the relevant Data Exporter without undue delay. Such notification shall include relevant information available to Data Importer.
  4. If Data Importer is prohibited from notifying the relevant Data Exporter, it agrees to seek a waiver of the prohibition. Data importer agrees to document its efforts to seek such waiver in order to be able to demonstrate them upon reasonable request of Data Exporter.
  5. In case of any legally binding request as referred to in point 2 above, Data Importer will review the legality of the request for disclosure under laws of the relevant Third Country, notably whether such request remains within the powers granted to the requesting public authority, and to exhaust available remedies to challenge the request if it concludes that there are grounds under such laws to do so. When challenging a request, Data Importer shall seek interim measures with a view to suspend the effects of the request until the court has decided on the merits. Data importer shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are notwithstanding the obligations of Data Importer under the Clauses.
  6. In any case, Data Importer will provide the minimum amount of personal data permissible if responding to a request for disclosure, based on a reasonable interpretation of the request.
  7. Data importer will immediately notify relevant Data Exporter if, after having committed to these supplementary safeguards, and for the duration of the Clauses, Data Importer has a reason to believe that it has become subject to new/amended Third Country laws or a change in national enforcement practices that do not allow Data Importer to meet its obligations under the Clauses.
  8. Data importer has implemented appropriate technical and organisational measures to ensure compliance with the level of protection required under UK data protection laws in the context of a transfer of Personal Data to Third Countries under the Clauses to ensure a level of security appropriate to the risk, as outlined in Annex 2 to these Clauses.
  9. Data importer further certifies that:

A. It has not and for the duration of the Clauses will not purposefully create back doors or similar programming that could be used to access its system holding Personal Data processed under the Clauses, or purposefully create or change its business processes in a manner that facilitates undue access to such Personal Data or systems, and

B. Local laws of the relevant Third Country of the Data Importer do not require it to create or maintain such back doors or business processes as outlined in the provision immediately above

Exhibit D: Types of Support

Impartner Standard Support (Included with every purchase)

What qualifies as “Customer Support” and as free or included support?

  • General Guidelines
    • Related to standard / core functionality
    • Will resolve bugs, outages, standard capability not functioning as intended
    • Support is provided based upon items included in your current contract
    • Support team will provide direction on where to find videos and documentation for questions related to self-service items.
  • If the ticket is related Impartner outages, bugs or core capabilities not functioning properly there is no charge related to these types of items.
  • Client may request that Impartner support team perform work that the client could do themselves, but this will be a chargeable item. IE Professional Services
    • Please note that delivery timeline will be based on best efforts of resource availability. 

Impartner Premier Support (Specific Line Item on Order Form or Billed Hourly)

Professional Services (Billable Service)

  • Any support services requested related to custom functionality is considered professional services and billable to the client.
  • Break/Fix issue related to configuration that is broken due to configuration changes made.
    • CRM Sync is a good example. If the client makes a change in SFDC or CRM Sync and breaks the integration properly working as an example; Impartner support can diagnose and fix that issue as it relates to the Impartner solution as a billable charge.
    • Please note that Impartner is not support for your CRM instance.
  • Customer training after implementation can be purchased to further educate your team or assist new team member in the event of new employees or changes to staff.
  • Any support or modifications related to non-standard features, including the customer’s CPQ Integration support
  • Custom functionality is not done through support. SOW and contracts need to be done to complete custom work.
  • Examples:
    • Portal design / look & feel –This is unique design and customization work unless using an Impartner standard template.
  • Having Impartner staff build any of the following for you are considered billable events:
    • Workflows
    • Partner Journeys
    • T&C tests, quizzes, certs etc.
    • Email campaigns

Impartner Platinum Support (TAM, Annual Billing)

A Technical Account Manager is one of the best ways to anticipate the needs of your evolving company for an extended period of time. If your company has a lot of changes and moving parts for an ongoing basis or has elected to utilize a significant amount of custom work a TAM is a great solution. The TAM will be a dedicated resource for your company that understands your business model, process and solution configuration. You will work with the same resource for everything related to your solution and they become an extension of your company and resource pool. Please note that a TAM is available for no less than ¼ time with a minimum of one year commitment given the level of dedicated solution expertise. For clarity, all services related to Custom/Non-standard Developed Functionality shall be treated as professional services engagements. Creating new functionality is not the role of a TAM.

Exhibit E: Service Level Agreement

Production Commitment

Production Commitment
Impartner Production Environment
SLA Production target – application
99.5% system availability excluding scheduled maintenance.
Maintenance windows or other planned down time
Most scheduled maintenance is done non-disruptively. If the system is needed to be shut down for maintenance purposes, advanced notice is given to the customer, and work is performed off hours. Typical availability is not affected by more than 15 minutes. Routine maintenance and patching are conducted without impacting availability, and work is performed during off-peak weekend hours without advanced notice.
Phone support window
Standard Customer Care provides 24/7 access to online customer support, as well as phone support, from 8 a.m. to 5 p.m. US PT, Monday through Friday. Phone support outside these hours is available at an additional cost.
Issue severity definition and turnaround/resolution timelines
Service requests may be submitted by you online through Impartner’s web‐based customer support systems (Task View or Support Request Form), by email, or by telephone. The service request severity level is selected by you and should be based on the following severity definitions:

Severity 1

Your production use of the SaaS program is stopped or so severely impacted that you cannot reasonably continue work. You experience a complete loss of service. The operation is mission critical to the business and the situation is an emergency. A Severity 1 service request has one or more of the following characteristics:

• Impartner application or partner portal is unavailable from web browser.
• Critical documented functionality is not available.
• System performance is such that it prevents users from performing necessary functions.

Impartner will use reasonable efforts to respond to Severity 1 service requests within one (1) hour. Impartner will work 24/7 until the Severity 1 service request is resolved or as long as useful progress can be made. You must provide Impartner with a contact during this 24/7 period, either on site or by mobile phone, to assist with data gathering, testing, and applying fixes. You are requested to propose this severity classification with great care, so that valid Severity 1 situations obtain the necessary resource allocation from Impartner.

Severity 2

You experience a severe loss of service. Important features of the SaaS program are unavailable with no acceptable workaround; however, operations can continue in a restricted fashion. Impartner Support works to provide an initial response within 4 hours to the creation of a Severity 2 request.

Severity 3

You experience a minor loss of service. The impact is an inconvenience which may require a workaround to restore functionality. Impartner Support works to provide an initial response within 24 hours to the creation of a Severity 3 request. We request all Severity 3 requests be made online using our Task View ticketing system.

Severity 4

You request information, an enhancement, professional services or content placement on the portal or documentation clarification regarding the SaaS program, but there is no impact on the operation of such program. You experience no loss of service. The result does not impede the operation of a system. We request all Severity 4 requests be made online using our Task View ticketing system. Impartner Support works to provide an initial response within 24 business hours to the creation of a Severity 4 request.

Support escalation process
Escalating an issue brings a heightened level of awareness to management and, when appropriate, more resources to management and, when appropriate, more resources. It does not automatically change the severity rating of an issue. Therefore, clear communication is essential to bringing about a successful and timely resolution. If the business impact has changed, or was incorrectly set, customers should request a change of severity rather than escalation of the issue.

Service request severity can be changed online or by calling the dedicated support manager. To escalate an issue, contact the dedicated support manager who will then engage the appropriate team members to work with you to develop an action plan. Any time service is deemed unsatisfactory by a client, management will respond to determine what, if any, actions can be taken to ensure better performance in the future.

SLA for professional service work
SLA for most portal content updates and changes is 24‐48 business hours. Updates that involve custom programming or other professional services will take longer. Impartner will make commercially reasonable efforts to complete the tasks submitted or enter a commitment or completion time for such tasks in Task View within 24‐48 business hours after submission.
Notification of root cause and corrective action for unscheduled downtime
In the rare case that there is downtime outside the SLA described above, Impartner will provide an email notification of such downtime and explain root cause and corrective measures that have been taken.

• Recovery Time Objective (RTO): The primary business impact is the loss of public confidence and the interruption of sales cycles. The expected RTO is less than 12 hours.
• Recovery Point Objective (RPO): The unrecovered transactions will have to be reentered into the system. The data loads from other system will have to rerun to recover lost data. The expected RPO is less than 12 hours.

Uptime reporting
Client may request this report monthly via Task View, and Impartner will provide a report of portal uptime.
Critical patches and updates
Impartner commits to making system, software, and hardware updates and patches to Production environments in a commercially reasonable manner per its internal policies.

Development & Stage Commitment

Development & Stage Commitment
Impartner Development & Stage
SLA Development & Stage systems target – application
99% system availability excluding scheduled maintenance.
Maintenance windows or other planned down time
Most scheduled maintenance is done non-disruptively. If the system is needed to be shut down for maintenance purposes, it is the intent of Impartner to perform this during night or weekend hours (US) to avoid disruption to the service. Typically availability is not affected by more than 15 minutes. Routine maintenance and patching are conducted without impacting availability, and work is performed during off-peak weekend hours without advanced notice.
Support window
Customer Care provides 24/7 access to online customer support, as well as phone support, from 8 a.m. to 5 p.m. US PT, Monday through Friday. Phone support outside these hours is available at an additional cost.
Issue severity definition and turnaround/resolution timelines
Service requests may be submitted by you online through Impartner’s web‐based customer support systems (Task View or Support Request Form), by email, or by telephone.

Please note that these systems are provided for convenience and testing. However, testing and server sync times do not reflect that of production services. Such that these systems are not production based, the SLA for these systems will be as follows:

• Initial response time will be within 48 business hours
• Time to resolution will be based on commercially reasonable efforts while ensuring production items take priority

Please note that Impartner is not responsible to ensure that content, data, assets and/ or other information in PRM matches that of production.

Support escalation process
Escalating an issue brings a heightened level of awareness to management and, when appropriate, more resources to resolve a given issue. In the case of Development and Stage environments, escalations can be submitted, but will not be prioritized over Production issues nor held to the same standard of the Production environment.

Service request severity escalation requests can be made online or by calling the dedicated support manager. To escalate an issue, contact the dedicated support manager who will then engage the appropriate team members to work with you to develop an action plan.

Notification of root cause and corrective action for unscheduled downtime
In the rare case that there is downtime outside the SLA described above, Impartner will provide information related to these systems upon request of the client for root cause information.
Critical patches and updates
Impartner commits to making system, software, and hardware updates and patches to Development and Stage environments in a commercially reasonable manner per its internal policies.