Log InSign up for free

Terms of Service

Last updated: September 1, 2023.

Welcome, and thank you for your interest in Kozmik, Inc. (“Kozmik,” “we,” “our,” or “us”). These Terms of Use constitute a legally binding agreement (the “Agreement”) between you and Kozmik governing your access to and use of the Kozmik website, mobile application, Kozmik Material, software, API, products, and services provided by us (collectively, the “Service”).

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SERVICE. THIS AGREEMENT (A) CONTAINS A BINDING ARBITRATION PROVISION THAT INCLUDES A JURY TRIAL WAIVER AND CLASS ACTION WAIVER, (B) A CLAUSE THAT GOVERNS THE JURISDICTION AND VENUE FOR ANY DISPUTES; AND (C) CERTAIN TERMS AND CONDITIONS WHICH APPLY WITH RESPECT TO RECURRING SUBSCRIPTION CHARGES.

By entering into this Agreement, and/or by accessing or using the Service, you expressly acknowledge that you have read, understood, and agree to be bound by this Agreement. If you are accessing and using the Service on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to this Agreement. This Agreement applies to all visitors, users, and others who access or use the Service (“Users,” “you,” or “your”). We reserve the right, at our sole discretion, to change, modify, add, or remove portions of this Agreement, at any time, by posting changes to this page. Your continued access to or use of the Service after such posting confirms your consent to be bound by this Agreement, as amended.IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT ACCESS OR USE THE SERVICE.

1. Privacy Policy and Additional Terms

Our Privacy Policy explains how we collect, use, and share your information, and is hereby incorporated into this Agreement. You agree that your access to and use of the Service is governed by our Privacy Policy.

Your use of the Service is subject to all additional terms, policies, rules, or guidelines applicable to the Service or certain features of the Service that we may post on or link from the Service (the “Additional Terms”), such as end user license agreements for any downloadable software applications, or rules applicable to a particular feature or content on the Service. All Additional Terms are incorporated by reference into, and made a part of, this Agreement.

2. Eligibility

To use the Service you must be, and hereby represent that you are, an individual 16 years or older who can form legally binding contracts. Persons under the age of 16, or any higher minimum age in the jurisdiction where that person resides, are strictly prohibited from accessing or using the Service unless their parent has consented in accordance with applicable law. Additionally, you are prohibited from accessing or using the Service if you are barred from receiving services under applicable law or have previously been suspended or removed from the Service.

3. Accounts and Registration

To access and use the Service you must create an account (“Account”) by providing us with information such as your name, contact information, and additional information we may ask you to provide. You must provide accurate, current, and complete information during the registration process and keep your Account information up-to-date at all times. You are responsible for all activity that occurs in association with your Account. We are not liable for any loss or damage caused by your failure to maintain the confidentiality of your Account credentials. You must immediately notify us if you discover or suspect any security breach related to the Service or your Account.

4. Limited Grant of Rights; use of the service

Grant of Access

Subject to this Agreement, we grant you a limited non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Service (including any documentation generally made available to our Users) to build, host, and manage web and mobile applications (each, an “App”) that may be made available to your customers or other members of the general public (each, an “End User”). In the event you would like us to create your App and any associated content (“Professional Services”), please contact us at the email at the end of this Agreement. Such Professional Services will be performed pursuant to a separate agreement and associated fees.

Our Rights

We reserve the right, but are not obligated, to investigate any violation of this Agreement or misuse of the Service. We may: (i) remove, disable access to, or modify any content or resource that violates this Agreement; and (ii) report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Any such reporting may include disclosing certain User Content, including Account information. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Agreement. We may also access and disclose User Content if we believe in good faith that such access or disclosure is reasonably necessary to protect the rights, property, or safety of the Service, us, our employees, directors, officers, partners, or agents, or members of the public.

5. Restrictions

In addition to any other restrictions set forth in this Agreement, you agree not to engage in, attempt to engage in, or permit or assist others in engaging in, any of the following prohibited activities: (i) use any software, script, code, device, crawler, robot, or other means not provided by us to access the Service; (ii) circumvent, disable, or otherwise interfere with security-related features on the Service; (iii) modify, adapt, translate, reverse engineer, decipher, decompile, or otherwise disassemble any portion of the Service; (iv) access or use the Service in any manner that may damage, disable, unduly burden, or impair any part of the Service, or any servers or networks connected to the Service; (v) post information or interact with the Service in in a manner which is fraudulent, libelous, abusive, obscene, profane, harassing, or illegal; (vi) use the Service for any illegal purpose or in violation of any law, statute, rule, permit, ordinance or regulation; (vii) gain or attempt to gain unauthorized access to the Service; (viii) interfere or attempt to interfere with the Service provided to any User or network, including without limitation, via means of submitting a virus to the Service, spamming, crashing, or otherwise; (ix) engage in commercial use or distribution of the Service (other than use of the App for your business purposes), or copy or create any derivative work of the Service; (x) use the Service in any way that infringes or misappropriates any third party’s rights, including intellectual property rights, copyright, patent, trademark, trade secret, or other proprietary rights, or rights of publicity or privacy; and (xi) disclose the results of testing or benchmarking of the Platform.

6. Service Availability

We will use commercially reasonable efforts to make the Service available at all times, except for scheduled downtime and any unavailability caused by events beyond our reasonable control, such as fires, natural disasters, government actions, civil unrest, or Internet service provider failures or delays. We may, without prior notice and at our sole discretion, change the Service, stop providing the Service or certain features of the Service, or create usage limits for the Service. Notwithstanding the foregoing, we will endeavor to take reasonable steps to notify you prior to discontinuing any features or making any other changes to the Service. We will use reasonable efforts to provide support service for the Service in accordance with this Agreement. We may permanently or temporarily terminate or suspend your access to the Service without notice and liability for any reason, including if in our sole determination you violate any provision of this Agreement, or for no reason. You may contact us at the email address below for support.

7. Apps and Content

Apps

You are responsible for all content and operation of any App, including the actions of End Users. You must include terms on all Apps that are at least as protective of us as the terms herein (“End User Terms”). We may remove any content on the Service or App (or demand Users to remove such content) that we deem violates this Agreement.

User Content

You are responsible for all text, images, photographs, or other materials provided, created, or uploaded to the Service or Apps that are associated with your Account (“User Content”). User Content includes all content of Apps, the design and workflow of an App, all data generated by or submitted to an App, including information relating to and submitted by End Users (“End User Content”), and any components, templates, and plug-ins (“Components”) created by you for use in your App or the Templates (defined below). You represent and warrant that: (i) you have all necessary rights, consents, and permissions to submit to the Service and otherwise disclose, transfer, and use all User Content, including to grant the rights to User Content herein; and (ii) User Content will not violate any applicable law, rule, or regulation, infringe any third party’s intellectual property, privacy, or publicity right, or cause a breach of any agreement with any third party (including any governmental agencies). By posting, displaying, sharing, or distributing User Content, or allowing End Users to do the foregoing related to End User Content, on or through the Service or the Apps, you grant us, our affiliates, and any applicable Third-Party Services (defined below), a non-exclusive, transferable, perpetual, irrevocable, fully paid right and license to: (a) use, copy, and prepare derivative works of User Content for the purpose of operating and improving the Service, and providing related services, if applicable; and (b) use the Templates offered on the Template Store for building our own programs or applications, testing, internal business processes, marketing, in our documentation, and any other internal business purpose.

Content Policy

These are guidelines for what Apps (as defined in our Term of Use) and content will and will not be permitted on Kozmik’s platform. This content policy (“Content Policy”) is informed by the policies of the Apple App Store and Google Play Store, and any similar platform or party. This Content Policy applies to all Apps regardless of whether they are published on a specific web domain or one of the aforementioned App Stores. We also suggest you review the Apple App Store and Google Play Store policies, and/or the policies of any similar platform or party, before submitting an App to be reviewed by any store. We ask that you abide by not just the letter of this Content Policy, but the spirit as well. Kozmik reserves the right to remove any App at any time if it does not align with the following guidelines of platform use:

Objectionable Content

1. Drugs/Alcohol

1.1 Apps that encourage inappropriate or illegal consumption of tobacco or vape products, illegal drugs, or excessive amounts of alcohol are not permitted.

1.2 Apps that facilitate or promote the sale of controlled substances (except for licensed pharmacies and licensed or otherwise legal cannabis dispensaries), or tobacco is not allowed.

2. Guns/Weapons

2.1 Apps that facilitate the sale of guns, gun parts, weapons, ammunition, accessories, or gunpowder and other explosives that can cause serious damage to persons or property are not permitted.

2.2 Apps that depict and encourage illegal or reckless use of weapons are not permitted.

2.3 Apps that provide instructions for the manufacture of explosives, firearms, ammunition, restricted firearm accessories, or other weapons are not permitted.

3. Gambling

3.1 Valid licensed or authorized gambling Apps that follow the laws, rules, regulations and guidelines for types of online gambling products allowed in each country are permitted. Apps that fail to comply with relevant laws, rules, regulations and guidelines are not permitted.

3.2 Apps that contain content or services enabling or facilitating users’ ability to wager, stake, or participate using real money (including in-App items purchased with money) to obtain a prize of real-world monetary value are not permitted.

4. Adult Content

4.1 Apps that contain overtly sexual or pornographic material or depict non-consensual sex acts are not permitted. This includes any content or services intended to be sexually gratifying and “hookup” apps that may include pornography or be used to facilitate prostitution. There may be exceptions for content that pertains to medicine, fine art, or sales of adult toys.

5. Hatred/Violence

5.1 Apps cannot promote content that incites or endorses hatred against others or that seeks to intimidate, exploit, or humiliate others or that inappropriately discriminates against a person or group especially based on race or ethnic origin, religion, disability, age, nationality, veteran status, sexual orientation, gender, gender identity, or any other characteristic that is associated with systemic discrimination or marginalization.

5.2 Apps cannot contain language that is defamatory, discriminatory, mean spirited content, obscene, abusive, invasive of privacy, or otherwise objectionable or which otherwise include content that facilitates threats, harassment, or bullying.

5.3 Apps cannot depict or facilitate gratuitous violence or other dangerous activities. This includes depictions of animals or humans being harmed or killed and depictions of bestiality.

5.4 Apps cannot urge customers to participate in activities (like bets, challenges, etc.) or use their devices in a way that risks physical harm to themselves or others.

5.5 Apps cannot contain content related to terrorism, such as content that promotes terrorist acts, incites violence, or celebrates terrorist attacks.

6. Misinformation

6.1 Apps that mislead users by impersonating someone else (e.g. another developer, company, entity) or that misrepresent or conceal their ownership or primary purpose are not permitted.

6.2 Medical Apps that could provide inaccurate data or information, or that could be used for diagnosing or treating patients may be reviewed with greater scrutiny.

6.3 Apps that provide inaccurate device data are not permitted.

6.4 Apps that attempt to deceive users or enable dishonest behavior including but not limited to Apps which contain features which are determined to be functionally impossible, provide false information and features or include inaccurate device data, such as fake location trackers are not permitted.

6.5 Apps that enable trick or joke functionality are not permitted, such as anonymous or prank phone calls or messaging.

6.6 Apps that provide inaccurate imitations or misleading quotations of religious text are not permitted.

6.7 Apps that contain content identified as false by third party fact checkers (such as Factly, Full Fact, and Reuters) will not be permitted. This includes disinformation, false or misleading information presented as news with the aim of damaging the reputation of a person or entity, or making money through advertising revenue.

7. Security

7.1 Apps that access or use any network, hardware or software system (“System”) without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System are not permitted.

7.2 Apps that monitor data or traffic on a System without permission are not permitted.

7.3 Other than the legitimate use of aliases and anonymous remailers, Apps that forge TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route are not permitted.

8. Children

8.1 Makers and end-users must comply with applicable privacy laws, rules and regulations around the world relating to the collection of data from children online. Apps designated for children may not send personally identifiable information or device information to third parties.

8.2 Third party ads are not permitted for Apps in a children’s category, unless the third party ad services use publicly documented practices and policies that include a human review of the ad creatives for age appropriateness.

8.3 Apps that contain any content that constitutes as child pornography, sexualizes minors, promotes pedophilia or promotes inappropriate interaction targeted at a minor are not permitted.

8.4 Apps that appeal to children but contain adult content and themes are not permitted.

8.5 Apps that promote negative body or self-image, including Apps that depict for entertainment purposes plastic surgery, weight loss, and other cosmetic adjustments to a person's physical appearance are not permitted.

9. User Generated Content

9.1 Apps that allow for user generated content must include a mechanism for reporting objectionable user content.

9.2 Apps that allow for user generated content must contain takedown procedures in compliance with applicable laws, including the Digital Millennium Copyright Act.

Enforcement

If at any time an App violates this Content Policy, Kozmik will take appropriate action and provide an email to the maker with relevant information about the action with information on how to appeal if the maker believes there was an error. Actions may include removal of the App from Kozmik’s platform, suspension of the maker’s account, and/or termination of the maker’s account. Some violations may result in a warning about the objectionable content and information about further actions that need to be taken.

Repeat or serious violations in Apps may result in termination of the maker's account from Kozmik’s platform.

End User Terms

End User Terms must grant you or the applicable owner or controller of the App the same rights with respect to use, removal, and treatment of End User Content that we have with respect to User Content set forth in this Agreement. You agree that all Apps will conspicuously post a consumer-facing privacy policy that: (i) complies with applicable laws, rules, and regulations, including those related to data privacy; (ii) accurately describes your information collection, use, and disclosure practices in accordance with FTC regulations and any other applicable laws, rules, and regulations; and (iii) indicates that you use third-party service providers in order to make Apps available and that such third-party service providers will have access to and will use such End User Data as provided herein.

Usage Data

We may collect and analyze data and other information relating to the provision, use, and performance of various aspects of the Service and related systems and technologies, including without limitation, information concerning User Content and data derived therefrom that does not specifically identify a User or End User (“Usage Data”). We own all right, title, and interest in and to Usage Data.

DMCA

We operate the Service in compliance with 17 U.S.C. §512 and the Digital Millennium Copyright Act (“DMCA”). It is our policy to respond to any infringement notices and take appropriate actions under the DMCA and other applicable intellectual property laws. The DMCA requires that all notices of alleged copyright infringement must be in writing. When informing us of an alleged copyright infringement, the complaint must do the following: (i) identify the copyrighted work(s) that allegedly has been infringed; (ii) describe the material that is claimed to be infringing and provide sufficient information to permit us to locate that material; (iii) provide your contact information, including an address, telephone number, and email address; (iv) certify or include a statement that the complainant has a good faith belief that the use of the copyright-protected material in the manner complained of is not authorized by the copyright owner, the owner's agent, or law; (v) certify that the information that you have provided us is accurate; and (vi) include a physical or electronic signature of the copyright owner or person authorized to act on behalf of the owner. Before the complainant alleges an infringement, complainant should consult copyright materials to confirm that the use is, in fact, infringing. The United States Copyright Office provides basic information, online, at http://www.copyright.gov/circs/circ01.pdf, which can assist one in determining whether an exception or defense, such as fair use, may apply to the use of your copyrighted work. Where it has been clearly established that a User is a repeat offender, we may, in our sole discretion, terminate such User’s Account. If you believe that your copyrighted work is being infringed on the Service or App, please notify us at the email address at the bottom of this Agreement.

8. Third-Party Services

You may have access to certain applications and features provided by third parties through the Service (“Third-Party Services”). Your use of any Third-Party Services is subject to this Agreement and to any third-party terms applicable to such Third-Party Services. If you do not accept the applicable third-party terms, do not use such Third-Party Services. When using Third-Party Services, you are responsible for any information you provide to such third party. We have no responsibility or liability for any Third-Party Services. Providers of Third-Party Services may change or discontinue the functionality or features of their Third-Party Services. Any data or information you allow us to access from a Third-Party Service is deemed User Content for purposes of this Agreement.

9. Template Store

The Services may include functionality (the “Template Store”) which (i) allows certain users to share Applications or templates that they have built or configured using the Services (such users are “Template Developers”, and such Applications or templates are “Shared Templates”), and (ii) allows other users to access such Shared Templates in connection with the Services (such other users are “Template Users”). When we use the word “you” in this Agreement, it refers to any user (including without limitation Template Developers and Template Users), while if we use one of those specific terms, it only applies to that category of user.

Listing Shared Templates

Prior to listing a Shared Template on the Template Store (or any updated or modified version of any Shared Template), Template Developer must submit such Shared Template to Kozmik for review using the online submission functionality provided by Kozmik, if any. Template Developer agrees to provide accurate, complete, and updated information about Template Developer and such Shared Template during such submission process and as otherwise requested by Kozmik. Template Developer is solely responsible for evaluating and testing all aspects of each Shared Template (including functionality, performance, security, and user interface) prior to submission. Kozmik reserves the right to conduct any type of review of a Shared Template, and Kozmik may adopt and change its review standards and processes in its sole discretion. Although Kozmik will use commercially reasonable efforts to avoid any adverse effects on Shared Templates during the testing process, Template Developer agrees that Kozmik will bear no responsibility for any such adverse effects. If Template Developer makes any updates or modifications to any Shared Template, Template Developer must submit such updated or modified versions to Kozmik for review and approval under the same process set forth above.

If you list or otherwise provide a Shared Template on the Template Store, you hereby represent, warrant, and agree that: (i) subject to Kozmik ’s rights in the Services and the Content (and associated intellectual property rights), such Shared Template shall be considered Your Content, and subject to all terms and conditions of this Agreement applicable to Your Content (including without limitation all applicable licenses, representations and warranties); (ii) without limiting the foregoing, you hereby grant Kozmik a worldwide, nonexclusive, sublicensable, perpetual, royalty-free, fully paid-up, transferable right and license (A) to market your Shared Templates and to permit others to use, access, and otherwise exploit your Shared Templates and any associated documentation through the Template Store and the Services in accordance with this Agreement, and (B) to use your applicable trademarks and logos in connection with the distribution and marketing of your Shared Templates; (iii) you acknowledge that you are solely responsible (and that Kozmik has no responsibility) for your Shared Template, including without limitation the functionality, content, development, operation, and maintenance thereof, (iv) your Shared Template (including (a) all content and other materials contained in or available through such Shared Template), and (b) the use of any of the foregoing by Kozmik or any Template Users) do not and will not violate, misappropriate or infringe the rights of any person or entity including any contract rights, privacy rights, or any copyright, patent, trademark, trade secret or other personal or proprietary rights (and without limiting the foregoing, you will not include any data or other information in connection with a Shared Template that constitutes personally identifiable information regarding any individual), (v) your Shared Templates (including any content or materials made available in connection therewith) are not offensive, profane, obscene, libelous or otherwise illegal, and (vi) your Shared Templates will not contain any virus, worm, Trojan horse, adware, spyware or other malicious code. You will comply with all applicable local, state, national and international laws and regulations, including, without limitation, all applicable export control laws, and maintain all licenses, permits and other permissions necessary to list and provide your Shared Templates.

For clarity, (i) all Shared Templates that are built using the Service may contain, embed, or otherwise depend on the Services, including technology, Content and intellectual property owned or licensed by Kozmik, (ii) your participation in the Template Store (including the building or configuration a Shared Template) does not grant you any rights in such Services, technology, Content or intellectual property (all of which are hereby reserved by Kozmik) except as expressly set forth herein.

Using Shared Templates

Subject to the terms and conditions of this Agreement (including Template User’s payment of all applicable fees), for each Shared Template that Kozmik permits Template User to access via the Template Store, Kozmik hereby grants Template User a nonexclusive, revocable, limited, personal license to use such Shared Template solely on the Service to build and provide Applications to Template Users’ End Users via the Service. Except for the foregoing express licenses, (x) Template User shall have no other right to use or otherwise exploit any Shared Template, and (y) Template User may not resell or otherwise relicense any Shared Template (including via the Template Store).

Template User hereby acknowledges and agrees that (i) Template Developers are not employees, partners, representatives, agents, joint venturers, independent contractors or franchisees of Kozmik, (ii) Kozmik does not control, and is not responsible for supervising, directing, controlling or monitoring, Template Developers or Shared Templates and expressly disclaims any responsibility and liability for Shared Templates, including but not limited to any warranty or condition of good and workmanlike services, warranty or condition of quality or fitness for a particular purpose, or compliance with any law, regulation, or code, (iii) before obtaining or using any Shared Template, Template Users are responsible for making their own determinations that the Shared Template is suitable, (iv) Kozmik can’t and won’t be responsible for making sure that Shared Templates are up to any standard of quality, or that any information provided by a Template Developer is accurate or up-to-date, and (v) Kozmik shall have no obligation to provide any support or similar services with respect to Shared Templates or a Template User’s use thereof.

Template Store Fees; Revenue Share

The Template Store may allow Template Developers to establish a fee that must be paid in order for a Template User to obtain access to a Shared Template (such Shared Templates are referred to as “Paid Templates”). Template User agrees to pay all fees set forth on the Services with respect to any Paid Templates that are accessed by or provided to Template User, in accordance with Section 11  (Fees and Payment).

For each Paid Template that is purchased by a Template User, Kozmik shall be entitled to a commission equal to thirty percent (30%) of all fees paid or payable by such Template User in connection with such Paid Template (the “Kozmik Commission”), without deduction for any taxes or any other government levies. Subject to Template Developer’s compliance with all of the terms and conditions of this Agreement, for each sale of one of Template Developer’s Paid Templates via the Template Store to a Template User, Template Developer shall receive the amounts actually paid by such Template User for such Paid Template, less the applicable Kozmik Commission. Template Developer acknowledges and agrees that the purchase of Shared Templates through the Template Store are considered End-User Transactions (as defined below) and will be subject to all of the applicable terms of this Agreement with respect to End-User Transactions. Kozmik makes no representations, warranties, or other assurances regarding the amount of any fees that may be obtained by Template Developer in connection with the Template Store.

If there is a dispute between participants on the Services (including without limitation any dispute between and Template Developer and a Template User), you agree that Kozmik is under no obligation to become involved, but that Kozmik will have the power to be the sole arbiter of that dispute and Kozmik’s decision will be final and binding. Notwithstanding anything else, Kozmik reserves the right, in its sole discretion and for any reason at any time, to refuse to list a Shared Template on the Template Store and/or to remove any Shared Template from the Template Store and/or the Services (including without limitation any Paid Templates).

 

10. Ownership and Proprietary Rights

Kozmik Material

Except for the limited rights granted to you in this Agreement and except for User Content, we retain all right, title, and interest in and to the Service and associated documentation, all data, text, images, logos, software, content, and other information and content available on or through the Service, and any and all enhancements, improvements, developments, derivative works, or other modifications made to or related to the foregoing (“Kozmik Material”). The Kozmik Material is protected by copyright, trademark, and/or other intellectual property laws and you acknowledge and agree that we retain all right, title, and interest in and to the Kozmik Material. Except as expressly stated in this Agreement, you may not sell, transfer, alter, reproduce, distribute, republish, download, display, post, or transmit any Kozmik Material, in whole or in part, by any means.

User Content

Except for the limited rights granted to us in this Agreement, as between the parties, you retain all right, title, and interest in and to the User Content. At any time you may contact us in order to export User Content.

Marks

Each party retains all right, title, and interest in and to their respective trademarks, service marks, logos, name, branding, and equivalent identifiers (“Marks”). You grant us a limited, non-exclusive, non-transferable, sublicensable right to use your Marks on the Service and as otherwise required to fulfill our obligations hereunder, and for attribution as set forth in Section 18, consistent with your trademark guidelines if provided to us. Except for the reproduction of our Marks in order to promote the Service on Apps, you may not use our Marks for any purposes, including in a way that suggests you are endorsed by or associated with us in anyway other than as a customer. All permitted use of a party’s Marks hereunder will inure to the benefit of the owning party.

Feedback

You acknowledge and agree that any feedback, comments, or suggestions you may provide regarding the Service (“Feedback”) will be Kozmik’s sole and exclusive property and you hereby irrevocably assign to us all of your right, title, and interest in and to all Feedback.

11. Fees and Payment

Pricing and Payment Terms

Your use of the Service is based on a monthly subscription and is subject to certain recurring access fees and other service related fees and charges, as applicable (including, without limitation, any part of any Template Fees due pursuant to Section 9 above). All fees, including any applicable taxes and transaction fees, are in U.S. Dollars and payable in advance. We are not responsible for any charges or expenses you incur resulting from charges billed by us in accordance with this Agreement. All fees and other payments related to your Account will be made in accordance with the billing terms in effect when such payment is due or funds are received. You must provide us with a valid credit card at the time you create your Account and you will promptly update your Account if there is any change to your payment information. Any recurring fees will automatically renew at the rates then in effect, are automatically charged to your credit card, and will continue until cancelled by you in your Account, or as otherwise cancelled in accordance with this Agreement. We may also charge a fee (such as a revenue percentage or commission) of each End User’s purchase on Apps and each Template Store Transaction at our sole discretion. Fees, if any, in relation to Templates  is determined by the Template Developer and we may suspend or withhold payments to Template Developer for its breach of this Agreement. We use a third-party payment processor to process payments and you must agree to their terms when entering payment information. By providing your payment information, you agree that we may invoice you for all fees when they become due to us without additional notice or consent and apply any funds we have on hand to the payment or offset of such invoice(s). We may add new features for additional fees, or amend fees for existing features, at any time in our sole discretion. Your continued use of the Service after any price change becomes effective constitutes your agreement to pay the new amount.

Trial Period

After registration of an Account, you may be given an initial trial period to use of the Service. You may cancel your Account at any time during the trial without incurring any charges. If you do not cancel your Account during the trial period, you will be asked to provide your payment information in order to continue using the Service and will be charged any applicable subscription and other fees immediately at the end of the trial period. You are limited to one trial per person for any twelve (12) month period. Free trial eligibility is determined by us at our sole discretion and we may limit eligibility or duration to prevent free trial abuse. We reserve the right to revoke the free trial and put your Account on hold in the event that we determine that you are not eligible.

No Refunds

You may cancel your Account at any time by navigating to the 'Team & Billing' section inside your 'Settings' page of your Kozmik account and changing your account plan; however, payments are nonrefundable and there are no refunds or credits for partially used periods or in relation to Template Store Transactions. Following any cancellation, however, your subscription will be valid until your paid period is complete.

12. Disclaimer

THE SERVICE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. USE OF THE SERVICE IS AT YOUR OWN RISK. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE AND ANY TEMPLATE IS PROVIDED WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, PRIVACY, SECURITY, ACCURACY, TIMELINESS, QUALITY, OR NON-INFRINGEMENT. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM US OR THROUGH THE SERVICE WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED HEREIN. WITHOUT LIMITING THE FOREGOING, WE, OUR SUBSIDIARIES, OUR AFFILIATES, AND OUR THIRD-PARTY LICENSORS DO NOT WARRANT THAT: (I) THE SERVICE OR YOUR USE OF THE SERVICE WILL BE ACCURATE, RELIABLE, ERROR-FREE, OR CORRECT; (II) THE SERVICE OR YOUR USE OF THE SERVICE WILL MEET YOUR REQUIREMENTS; (III) THE SERVICE WILL BE AVAILABLE AT ANY PARTICULAR TIME OR LOCATION, TIMELY, UNINTERRUPTED, OR SECURE; (IV) ANY DEFECTS OR ERRORS WILL BE CORRECTED; OR (V)THE SERVICE IS FREE OF VIRUSES OR OTHER HARMFUL TEMPLATES. ANY CONTENT (INCLUDING TEMPLATES ON THE TEMPLATE STORE) DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE SERVICE IS DOWNLOADED OR OTHERWISE USED AT YOUR OWN RISK AND YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE, INCLUDING DAMAGE TO YOUR COMPUTER SYSTEM OR MOBILE DEVICE, OR LOSS OF DATA THAT RESULTS FROM SUCH DOWNLOAD OR USE OF THE SERVICE OR ANY TEMPLATE.

WE DO NOT WARRANT, ENDORSE, GUARANTEE, OR ASSUME RESPONSIBILITY FOR ANY PRODUCT OR SERVICE ADVERTISED OR OFFERED BY A THIRD PARTY THROUGH THE SERVICE (INCLUDING ANY TEMPLATE ON THE TEMPLATE STORE) OR ANY HYPERLINKED WEBSITE OR SERVICE, AND WE WILL NOT BE A PARTY TO OR IN ANY WAY MONITOR ANY TRANSACTION BETWEEN YOU AND THIRD-PARTY PROVIDERS OF PRODUCTS OR SERVICES.

If you live in a state that does not allow for the disclaimer of certain warranties, the disclaimers above may not apply to you.

13. Indemnity

You agree to defend, indemnify, and hold us and our officers, directors, employees, agents, and affiliates (the “Entities”) harmless from any and all third-party claims, proceedings, damages, injuries, liabilities, losses, costs and expenses (including reasonable attorneys’ fees and litigation expenses), arising out of or relating to: (i) your access to or use of the Service; (ii) all User Content and Apps; (iii) your violation of any portion of this Agreement or any applicable law, rule, or regulation; or (iv) your violation of any third-party right.

14. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE ENTITIES OR ITS THIRD-PARTY LICENSORS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, OR OTHER INTANGIBLE LOSSES, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM THE USE OF, OR INABILITY TO USE, THE SERVICE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES. NOTWITHSTANDING THE FOREGOING, THE TOTAL LIABILITY OF THE ENTITIES AND ANY THIRD-PARTY, WHETHER IN CONTRACT, WARRANTY, TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE), PRODUCT LIABILITY, STRICT LIABILITY, OR ANY OTHER THEORY, ASSOCIATED WITH ANY CLAIM ARISING OUT OF OR RELATING TO USE OF OR ACCESS TO THE SERVICE FOR ANY REASON WHATSOEVER SHALL BE LIMITED TO ONE HUNDRED DOLLARS ($100). IF THE JURISDICTION YOU ARE IN DOES NOT ALLOW FOR THE EXCLUSION OF CERTAIN TYPES OF DAMAGES, THEN SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU IN CERTAIN CIRCUMSTANCES.

15. Alerts and Notifications

By entering into this Agreement or using the Service, you agree to receive communications from us, including emails, text messages, alerts, and other electronic communications. Standard message and data rates apply to all messages sent to or received from us. Any notices, agreements, disclosures, or other communications that we send to you electronically will satisfy any legal communication requirements, including that the communication be in writing.

16. Dispute Resolution

PLEASE READ THE FOLLOWING SECTION CAREFULLY BECAUSE IT REQUIRES YOU TO ARBITRATE CERTAIN DISPUTES AND CLAIMS WITH US AND LIMITS THE MANNER IN WHICH YOU CAN SEEK RELIEF FROM US.

The parties shall use their best efforts to settle any dispute, claim, question, or disagreement directly through consultation and good faith negotiations, which shall be a precondition to either party initiating a lawsuit or arbitration. If the parties do not reach an agreed upon solution within a period of thirty (30) days from the time such informal dispute resolution is pursued, then either party may initiate binding arbitration. Except as expressly set forth herein, any dispute, claim, or controversy (each, a “Claim”) arising out of or relating to this Agreement will be settled by binding arbitration administered by the American Arbitration Association (the “AAA”) in accordance with the provisions of its Commercial Consumer Arbitration Rules and the supplementary procedures for consumer related disputes of the AAA, excluding any rules or procedures governing or permitting class actions. The arbitrator, and not any federal, state or local court or agency, shall have exclusive authority to resolve all disputes arising out of or relating to the interpretation, applicability, enforceability, or formation of this Agreement, including without limitation, to any Claim that all or any part of this Agreement is void or voidable. The arbitrator’s award shall be binding on the parties and may be entered as a judgment in any court of competent jurisdiction. The procedures and rules of the Federal Arbitration Act, 9 U.S.C. § 1, et seq. shall exclusively govern the interpretation and enforcement of any arbitration. The AAA Rules are available at www.adr.org/arb_med or by calling the AAA at 1-800-778-7879.

The parties each acknowledge and agree to waive the right to a trial by jury or to participate as a plaintiff or class member in any purported class action or representative proceeding. Any arbitration will be conducted only on an individual basis and not in a class, collective, consolidated, or representative proceeding. However, each party retains the right to bring an individual action in small claims court or the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of a party’s copyright, trademark, trade secret, patent, or other intellectual property right. If any court or arbitrator determines that the foregoing class action waiver is void or unenforceable for any reason or that an arbitration can proceed on a class basis, then the arbitration provision herein shall be deemed null and void in its entirety and the parties shall be deemed to have not agreed to arbitrate disputes.

In addition to the severability provisions set forth above, in the event that any portion of this arbitration provision is deemed illegal or unenforceable, such provision shall be severed and the remainder of this section shall be given full force and effect. Any Claim or cause of action you may have arising out of or relating to this Agreement or the Service must be commenced within one (1) year after the cause of action accrues, otherwise, such cause of action or claim is permanently barred. The parties specifically exclude from application to this Agreement the United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act.

17. Term and Termination

This Agreement commence when you first visit or use any feature of the Service and shall apply to all of your subsequent visits and uses. We may, at our sole discretion, terminate your access to and use of the Service, with or without cause, immediately, and without notice, which may include no longer supporting Apps. We will not be liable to you or any third party for any such termination. Upon any termination, discontinuation, or cancellation of the Service or your access thereto, your right to access or use the Service will immediately terminate. All provisions of this Agreement which by their nature should survive termination shall survive the termination of your access to the Service, including without limitation, provisions regarding ownership, warranty disclaimers, indemnity, and limitations of liability.

18. General

Except as provided in Section 16 above, this Agreement is governed by the laws of the State of California, without regard to conflict of law principles. You agree to submit to the personal and exclusive jurisdiction of the state courts and federal courts located within San Francisco, California for the purpose of litigating any dispute. You may not assign or transfer this Agreement or your rights herein, in whole or in part, by operation of law or otherwise, without our prior written consent. We may assign this Agreement at any time without notice or consent. If any portion of this Agreement is held invalid, you agree that such invalidity will not affect the validity of the remaining portions of this Agreement. We may identify you as a customer in standard marketing materials, including the customer page of our website. No waiver by us of any breach or default of this Agreement will constitute a continuing waiver of such breach or default or be deemed to be a waiver of any preceding or subsequent breach or default. This Agreement represents the complete agreement between the parties regarding the subject matter set forth herein and supersedes all prior agreements and representations between you and us.

19. Contact

Please contact us with any questions regarding this Agreement at [email protected] or at the address below.

Kozmik 

2093 PHILADELPHIA PIKE #8183

CLAYMONT, DE19703

 

 

Further Information for Users in the European Economic Area

If you are a user in the European Economic Area, we process your personal data in the United States as data controller and in compliance with the European General Data Protection Regulation (“GDPR”).

We do not collect special categories of personal data as defined in Article 9, GDPR.

Legal Basis for Processing

When we process your personal data, we will only do so for the following reasons:

  • As necessary to perform our responsibilities under our agreement with you (including to provide the Service);

  • When we have a legitimate interest in processing your personal data, including to communicate with you about changes to our Service, to help secure and improve our Service, to analyze use of our Service, and additional purposes outlined in Section 2 of this Policy;

  • As necessary to comply with our legal obligations; and

  • When you have provided us with your consent to do so.

Data subject rights

You have the right to:

  • access personal data we hold about you;

  • request rectification or erasure of your personal data;

  • request the restriction the of processing of your personal data;

  • object to the processing of your personal data; and

  • data portability.

If we have requested your consent, you may withdraw such consent at any time.

If you would like to exercise any of your data subject rights under the GDPR, including by withdrawing your consent, please contact us at [email protected]

You have the right to lodge a complaint regarding our data processing with a supervisory authority. The EU Commission provides a list of supervisory authorities here:https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Automated Decision-making

Kozmik does not make any decisions involving the use of automated decision-making or profiling.

Transfer of personal data

Our service providers or other third parties with whom Kozmik may share your personal data from time to time, as described above, may be located abroad, and in particular outside the European Economic Area. In such case, Kozmik will require them to take, in accordance with applicable legislation, all organizational and technical measures reasonably necessary to ensure an adequate level of protection of your personal data.

Data Processing Addendum

This Data Processing Addendum (”DPA”), forming part of the Kozmik Terms of Service (“Principal Agreement”), is made and, by and between Kozmik, Inc., a Delaware corporation (“Kozmik”) and you (the “Customer”). (each a “Party” and together, “Parties”)

WHEREAS

(A) The Customer acts as a Data Controller.

(B) Kozmik acts as Data Processor.

(C) The Customer wishes to contract certain Services as set forth in the Principal Agreement, which imply the processing of personal data by the Data Processor. Further details of the Processing are set out in Schedule 1 to this DPA.

(D) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(E) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1.DEFINITIONS. Capitalized terms shall have the meaning set forth in this Section 1 or as otherwise defined in other sections of this DPA. If not defined, Capitalized terms shall have the same meaning set forth in the Principal Agreement or the GDPR, as applicable:

1.1. “DPA” means this Data Processing Agreement and all Schedules.

1.2. “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement, including Personal Data provided as Customer Data as defined in the Principal Agreement.

1.3. “Contracted Processor” means Kozmik and any Subprocessor.

1.4. “Data Protection Laws” means all data protection legislation and regulations applicable to the processing of the Customer Personal Data under this DPA and the Principal Agreement, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“GDPR”) and supplementing national legislation, in each case as may be amended, repealed, consolidated, or replaced from time to time.

1.5. “EEA” means the European Economic Area.

1.6. “GDPR” has the meaning set forth in the definition of Data Protection Laws.

1.7. “Data Transfer” means:

(a) a transfer of Customer Personal Data from the Customer to Kozmik; or

(b) an onward transfer of Customer Personal Data from Kozmik to a Subprocessor.

Services” means the services the Customer is provided pursuant to the Principal Agreement.

Subprocessor” means any person appointed by or on behalf of Data Processor to process Customer Personal Data on behalf of the Customer in connection with the DPA.

2.PROCESSING OF CUSTOMER PERSONAL DATA.

2.1. Kozmik, as Data Processor:

(a) shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and

(b) shall not Process Customer Personal Data other than on the relevant Customer’s documented instructions, including the Principal Agreement, unless Kozmik reasonably believes that such documented instructions are unlawful or infringe applicable Data Protection Laws. In the case of Kozmik believing that the Customer’s documented instructions are unlawful or infringe applicable Data Protection Laws, Kozmik shall immediately inform the Customer of such belief.

3.DATA PROCESSOR PERSONNEL.Kozmik shall take commercially reasonable steps to ensure that any employee, agent, or contractor of Kozmik, who may have access to the Customer Personal Data, are subject to confidentiality undertakings or statutory obligations of confidentiality, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Personal Data, as necessary for the purposes of the Principal Agreement.

4.SECURITY. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Kozmik shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures listed in Article 32(1) of the GDPR. Kozmik’s technical and organizational measures are described in Schedule 3 to this DPA.

5.SUBPROCESSING.

5.1. The Customer generally agrees that Kozmik may engage Subprocessors (as well as advisors, contractors, and auditors) to Process Customer Personal Data. The Customer authorizes Kozmik to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the Principal Agreement.

5.2. Kozmik may continue to use those Subprocessors already engaged by Kozmik as at the date of this DPA as listed at Schedule 2 to this DPA.

5.3. If Kozmik engages a new Subprocessor, Kozmik shall inform the Customer of the engagement by sending an email notification to the Customer and the Customer may object to the engagement of such new Subprocessor by notifying Kozmik within 7 (seven) days of Kozmik ’s email, provided that such notification must be on reasonable grounds, directly related to the new Subprocessor’s ability to comply with substantially similar obligations to those set out in this DPA. If the Customer does not object within the specified time period, the engagement of the new Subprocessor shall be deemed accepted by the Customer.

5.4. With respect to each Subprocessor (which, for the purposes of this Section 5.4 includes new Subprocessors engaged in accordance with Section 5.3), Kozmik shall ensure that the arrangement between Kozmik and the relevant Subprocessor is governed by a written contract including terms that offer at least the same level of protection for Customer Personal data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR.

6.DATA SUBJECT RIGHTS.

6.1. Taking into account the nature of the Processing, Kozmik shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2. Kozmik shall:

(a) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

(b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Kozmik is subject, in which case Kozmik shall to the extent permitted by applicable laws inform Customer of that legal requirement before Kozmik responds to the request.

7.PERSONAL DATA BREACH AND NOTIFICATION.

7.1. Kozmik shall notify Customer without undue delay upon Kozmik becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to notify, report, or inform Data Subjects and Supervisory Authorities of the Personal Data Breach under the Data Protection Laws.

7.2. Kozmik shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8.DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION. Kozmik shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, the Contracted Processors.

9.DELETION OR RETURN OF CUSTOMER PERSONAL DATA. Subject to this Section 9, Kozmik shall promptly and in any event within 20 days of the date of cessation of any Services involving the processing of Customer Personal Data, delete and procure the deletion of all copies of the Customer Personal Data or return all Customer Personal Data to the Customer, at the Customer’s choice.

10.AUDIT RIGHTS.

10.1. Subject to this Section 10, Kozmik shall make available to the Customer on request reasonable information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors. A Customer may only mandate an auditor for the purposes of this Section 10.1 if the auditor is reasonably agreed to by Kozmik.

10.2. Information and audit rights of the Customer only arise under Section 10.1 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

10.3. Customer shall give Kozmik reasonable advance notice of any audit or inspection to be conducted under Section 10.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury, or disruption to Kozmik’s premises, equipment, personnel, and business while its personnel are on those premises in the course of such an audit or inspection. Kozmik need not give access to its premises for the purposes of such an audit or inspection:

(a) to any individual unless he or she produces reasonable evidence of identity and authority;

(b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Kozmik that this is the case before attendance outside those hours begins;

(c) for the purposes of more than one audit or inspection, in respect of Kozmik, in any calendar year, except for any additional audits or inspections which:

(i) Customer reasonably considers necessary because of genuine concerns as to Kozmik’s compliance with this DPA; or

(ii) Customer is required to carry out by Data Protection Law, a Supervisory Authority, or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where the Customer has identified its concerns or the relevant requirement or request in its notice to Kozmik of the audit or inspection; or

(d) to a third party who is performing the audit on behalf of the Customer, unless such third party auditor executes a confidentiality agreement acceptable to Kozmik before the audit.

10.4. Customer shall reimburse Kozmik for any time expended for any such on-site audit, if applicable, at Kozmik’s then-current professional services rate, which shall be made available to Customer upon request. Before commencement of any such on-site audit; Customer and Kozmik shall mutually agree on the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Kozmik. Customer shall promptly notify Kozmik with information regarding any non-compliance during the course of an audit.

10.5. The Customer must provide Kozmik with any audit reports generated in connection with any audit at no charge unless prohibited by applicable law. The Customer may use audit reports only for the purposes of meeting its audit requirements under the Data Protection laws and/or confirming compliance with the requirements of this DPA. The audit reports shall be confidential.

10.6. Nothing in this Section 10 shall require Kozmik to breach any confidentiality owed to any of its clients, employees, or Subprocessors.

11.DATA TRANSFER. For those Data Transfers not based on an adequacy decision, as defined in Article 45 of the GDPR, or otherwise subject to appropriate safeguards or a derogation, under Articles 46 and 49 of the GDPR, respectively, the restricted transfers shall be subject to the Standard Contractual Clauses attached hereto as Schedule 4, and Kozmik may transfer or authorize the Data Transfer to countries outside the EU and/or the EEA consistent with those Standard Contractual Clauses.

12.MISCELLANEOUS.

Notices. All notices and communications given under this DPA shall be made in accordance with Section 15 of the Principal Agreement.

12.2.Liability and Indemnification. The liability of each party to this DPA, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the limitations or exclusions of liability set out in Section 14 of the Principal Agreement entitled “Limitation of Liability.” Furthermore, the terms of indemnification by both Parties shall be governed by Section 13 of the Principal Agreement entitled “Indemnity” as appropriate.

12.3.Order of Precedence. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Principal Agreement and agreements entered into or purported to be entered into after the date of this DPA (except where explicitly agreed otherwise in writing, signed on behalf of the parties), the provisions of this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses set forth in Schedule 4, the Standard Contractual Clauses shall prevail.

12.4.Governing Law. Notwithstanding Sections 7 and 9 of the Standard Contractual Clauses, this DPA is governed by the laws of the country or territory stipulated for this purpose in Section 18 of the Principal Agreement.

12.5.Term and Termination. The term of this DPA shall commence on the Effective Date of this DPA and shall be coterminous with the Principal Agreement in accordance with Section 17 of the Principal Agreement.

12.6.Amendment. This DPA is subject to the applicable terms for amendment set forth in the Principal Agreement.

SCHEDULE 1 - DETAILS OF THE PROCESSING

This Schedule includes certain details of the processing of Customer Personal Data as required by Article 28(3) GDPR. This Schedule also provides details of processing as related to the transfer of Personal Data, as specified in Section 11 of the DPA and Schedule 4 to the DPA.

Subject matter and duration of the processing of Customer Personal Data

The subject matter and duration of the processing of the Customer Personal Data are set out in the Principal Agreement and this DPA.

The nature and purpose of processing of Customer Personal Data

Kozmik will process Customer Personal Data as necessary to perform the Services under the Principal Agreement, as further specified in the applicable Project Addendum or Statements of Work, and as further instructed by the Customer in the use of the Services.

The types of Customer Personal Data to be processed

Customer may submit Customer Personal Data to Kozmik for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name

  • Title

  • Position

  • Employer

  • Client ID

  • Physical addresses

  • Contact information (company, email, phone, physical business address)

The categories of Data Subject to whom the Customer Personal Data relates

Customer may submit Personal Data to Kozmik for the provision of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)

  • Contact persons of Customer’s prospects, customers, business partners and vendors

  • Employees, agents, advisors, freelancers of Customer (who are natural persons)

  • Customer’s Users authorized by Customer to use the Services

The obligations and rights of the Customer

The obligations and rights of the Customer are set out in the Principal Agreement and this DPA.

SCHEDULE 2 – APPROVED SUBPROCESSORS

  • Render

  • Expo

  • Codemagic

  • Amazon Web Services

  • DigitalOcean

  • Sentry

  • Google Suite

  • Slack

  • Stripe

  • Sendgrid

  • Hubspot

  • Mixpanel

  • Google Analytics

SCHEDULE 3 – SECURITY MEASURES

Kozmik will implement and maintain the security measures set out in this Schedule 3. Kozmik may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services.

Kozmik has implemented security measures including, but not limited to:

1. In the software development lifecycle, a code review process for all production code changes, prior to release; code analysis tools to detect security and vulnerability defects; automated and manual vulnerability testing.

2. Encryption of all data sent across public networks except as specifically requested by our users, and use of SSH for replication over public networks.

3. Reliance on Amazon Web Services and Heroku for physical security and physical handling of servers, to which Kozmik employees do not have physical access.

4. An annual internal audit that includes identifying and prioritizing security, privacy, legal, and business continuity risks, as well as a review of our business processes and governance, conducted by company executives representing legal, IT security, IT operations and business continuity planning concerns.

5. Security incident response process defining procedures for notifying customers if an incident may have impacted their data.

6. Documented procedures for authenticating customer access.

7. Logical segmentation to ensure customers can only access their own data; there are no scenarios where customers are given general systems access beyond specifically granted access to their data.

8. Procedures governing use of production data, enforced by controls including auditing and technical safeguards; use of production data on a strictly as-needed basis for diagnosing issues as requested by clients; and policies governing the circumstances in which production data can be used in this manner.

9. Company policies in place around handling of employee laptops, including HR termination processes involving revoking all access and collecting all assets within 24 hours.

10. Training for all Kozmik employees around their job duties and the security obligations inherent in those roles.

11. Procedures to identify, assess and mitigate any reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of systems or files containing Personal Data and evaluate and improve safeguards as necessary.

SCHEDULE 4 – STANDARD CONTRACTUAL CLAUSES 

Controller to Processor

SECTION I

Clause 1

Purpose and scope 

  1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

  2. The Parties:

    1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

    2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

  3. have agreed to these standard contractual clauses (hereinafter: “Clauses”). 

  4. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. 

  5. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

  1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. 

  2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

  1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

    1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

    2. Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

    3. Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

    4. Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

    5. Clause 13;

    6. Clause 15.1(c), (d) and (e);

    7. Clause 16(e);

    8. Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

  2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

  1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

  2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

  3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. 

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Excluded

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses. 

8.1    Instructions

  1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

  2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions. 

8.2    Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter. 

8.3    Transparency 

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.  

8.4    Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5    Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a). 

8.6    Security of processing

  1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. 

  2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

  3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. 

  4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7    Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8    Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if: 

  1. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; 

  2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

  3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

  4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9    Documentation and compliance

  1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses. 

  2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

  3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.   

  4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice. 

  5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

  1. OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. 

  2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

  3. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

  4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract. 

  5. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

  1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

  2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. 

  3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

  1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject. 

  2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.   

  3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to: 

    1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

    2. refer the dispute to the competent courts within the meaning of Clause 18.

  4. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. 

  5. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

  6. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

  1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. 

  2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses. 

  3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

  4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

  5. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

  6. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

  7. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

  1. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. 

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority. 

  1. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

  1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

  2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

    1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; 

    2. the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; 

    3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

  3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

  4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

  5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

  6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.  

Clause 15

Obligations of the data importer in case of access by public authorities

15.1    Notification

  1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: 

    1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

    2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

  2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter. 

  3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). 

  4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. 

  5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2    Review of legality and data minimisation

  1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

  2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. 

  3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

  1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. 

  2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

  3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

    1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; 

    2. the data importer is in substantial or persistent breach of these Clauses; or

    3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. 

  1. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. 

  2. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679. 

Clause 17

Governing law

[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.] 

[OPTION 2: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.]  

Clause 18

Choice of forum and jurisdiction

  1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

  2. The Parties agree that those shall be the courts of Ireland.

  3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. 

  4. The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

EXPLANATORY NOTE: 

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): 

Name: Customer, as defined in the Data Processing Addendum and the Terms of Use.

Address: Customer’s address. 

Activities relevant to the data transferred under these Clauses: the Processing of Personal Data in connection with the Customer’s use of Kozmik Services under the Kozmik Terms of Service. 

Role (controller/processor):  Controller

Data importer(s): 

Name:  Kozmik, Inc. 

Address:  2093 PHILADELPHIA PIKE #8183

CLAYMONT, DE19703

Contact person’s name, position and contact details: __________________

Activities relevant to the data transferred under these Clauses: the Processing of Personal Data in connection with the Customer’s use of Kozmik Services under the Kozmik Terms of Service. 

Role (controller/processor): Processor. 

B. DESCRIPTION OF TRANSFER    

Categories of data subjects whose personal data is transferred

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

Categories of personal data transferred

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

Purpose(s) of the data transfer and further processing

The details of the processing are set forth in Schedule 1 of the DPA to which the clauses are appended.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 

We will only retain Personal Information as long as reasonably required to provide the Service unless a longer retention period is required or permitted by law (for example, for regulatory purposes).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

……………………..

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority/ies is designated in accordance with Clause 13

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

A description of the technical and organisational security measures implemented by the data importer are set out in Schedule 3 of the DPA to which the clauses are appended.

ANNEX III – LIST OF SUB-PROCESSORS

A list of sub-processors is set forth in Schedule 2 of the DPA to which the clauses are appended.