Master Subscription Agreement
This Master Subscription Agreement is between:
(1) Qualee Technology Pte. Ltd. (registered company no. 201719475R) (“Qualee”) and
(2) the named entity ordering the services via the Order Form (“Client”)
(A) Qualee provides online systems via qualee.com (the “System”) that is further described in the user documentation (such as user guides or help articles) made available through the System (the “Documentation”).
(B) The parties are entering into this agreement (which includes the data processing agreement in Annex A (“Data Processing Agreement”) and, where applicable, the professional services terms in Annex B) and one or more order forms (the “Order Forms”). The Order Form will form part of this agreement and specify: (1) the product plan applying to Client’s use of the System, which will determine (as described further in the Documentation): (a) the functionality that will be made available to Client by the System, and (b) the System support services (cases must be submitted via the Ticketing Centre (https://qualee.freshdesk.com/support/login)) to be performed by Qualee (the “Support Services”), (2) any professional services to be performed by Qualee (the “Professional Services” and together with the System and the Support Services, the “Services”), and (3) the maximum number of users of Client and any Client Affiliates that may be designated by Client to access the System (“Authorised Users”). “Affiliates” means any company that directly or indirectly controls, is controlled by, or is under common control of a party. An entity shall be regarded as in control of another company or entity if it owns or directly or indirectly controls more than 50% of the voting rights of that company or entity.
1. Provision Of System and Services
1.1 Subject to payment by Client of the Charges (as defined below in section 4.1), Qualee shall, during the subscription term specified in the Order Form (as may be extended in accordance with this agreement) (the “Subscription Term”), and in accordance with this agreement: (a) provide Client with a non-exclusive, non-transferable, non-sublicensable, revocable, royalty-free licence to permit the Authorised Users to access and use the System during the Subscription Term in accordance with the terms of this agreement and solely for Client’s internal business operations, (b) perform the Support Services for Client during the support hours and to the service availability levels specified in the Order Form, and (c) perform the Professional Services in accordance with the Order Form and the Professional Services Annex B. Client shall only use the Services and the Documentation for its internal business operations and in accordance with this agreement and shall use the System in accordance with the Documentation.
1.2 Client shall designate the Authorised Users, who will only be employees and contractors of Client and Client Affiliates, up to the maximum number specified in the Order Form, and shall procure that only one individual uses each Authorised User account and accounts are not shared. If Client wishes to procure additional Authorised User accounts above such maximum it shall execute an additional Order Form. The additional Authorised Users shall be coterminous with the pre-existing Subscription Term and Client shall pay additional subscription fees, as specified in the Order Form, for the new Authorised Users at the rate specified in the Order Form, pro-rated from the date of activation to the end of the then-current Subscription Term. Qualee shall invoice the additional subscription fees at the end of the month in which activation occurred. Client shall procure that Client Affiliates and the Authorised Users comply with this agreement.
1.3 Qualee shall use reasonable efforts to make the System available to the level specified in the Documentation (“Service Availability”), excluding the following excused outages: (a) planned downtime, where Qualee has given at least four hours’ advance notice, and Qualee will give longer notice where reasonably possible (with notices being given by Qualee posting to https://qualee.statuspage.io/, to which Client may subscribe), (b) unscheduled maintenance in the case of actual or anticipated emergency, and (c) unavailability for reasons beyond Qualee’s reasonable control. If Service Availability of the System in a month is not met (excluding excused outages) then Qualee shall, upon notification by Client to Qualee within 30 days of the end of the month in question, compensate Client by 10% of the applicable monthly subscription fee (excluding VAT) up to a maximum of 100% of that applicable monthly fee, for each 1% of non-availability of the System below the Service Availability, calculated in minutes.
1.4 Qualee shall, to the extent required for the provision of Services under this agreement: (a) perform the Services substantially in accordance with this agreement and with reasonable skill and care, (b) comply with applicable laws, and (c) maintain any licences and consents that are needed to provide the Services and the System.
1.5 Qualee shall use reasonable efforts to correct promptly any material non-conformance of the System as detailed in the Documentation. However, Qualee will not be liable for (a) the System or Services to the extent damage is caused by these being used contrary to Qualee’s instructions or this agreement or modified other than by, or on behalf of, Qualee, or (b) Client’s connection to the System over the internet or integration to the System. Client is responsible for ensuring that the System and Services meet its requirements and are fit for purpose. If Client does not perform its obligations in a timely manner, then Qualee may reasonably adjust the delivery plan for the Services.
1.6 Qualee may modify the Documentation and System if it does not materially reduce the functionality of the System (and may provide alternative features that have materially the same benefits as the previous feature).
1.7 Qualee may use the name and logo of Client for promotional and marketing purposes.
2. Client Data
2.1 Client shall own any data or information uploaded by Client and/or its Authorised Users into the System or provided by Client to Qualee in connection with the Services (“Client Data”). Client shall be responsible for the content of Client Data.
2.2 Qualee shall back-up Client Data as set out in its then-current published security policy (the “Security Overview”). If there is any loss or damage to Client Data due to a System error, then Qualee shall use reasonable efforts to restore the lost or damaged Client Data from the latest back-up as its sole liability. Qualee shall not be responsible for any loss, destruction, alteration or disclosure of Client Data caused by any party other than Qualee or its subcontractors.
3. Client's Obligations
3.1 Client shall (a) co-operate with Qualee and provide any necessary information, as required to provide the Services, (b) comply with laws applicable to this agreement and maintain any necessary licences and consents to allow the use of Client Data in accordance with this agreement, (c) procure that the Authorised Users keep their System passwords confidential, and (d) use reasonable efforts to prevent unauthorised access or use of the System and the Documentation (and if Client is aware of unauthorised access or use, promptly notify Qualee).
3.2 Client shall not (and Qualee may suspend Client’s access to the System if any of the following occur, or Qualee reasonably believes any of the following has occurred): (a) access, store, distribute or transmit any viruses or any material that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing, discriminatory or offensive, (b) except as expressly permitted under this agreement or allowed by any applicable law that is incapable of exclusion: (i) copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute any portion of the System or Documentation, or (ii) de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form any part of the System, (c) use the System, Services or Documentation to provide services to third parties or build a product or service which competes with the System or Services, (d) subvert any security restrictions imposed by Qualee, including attempting to obtain, or assist others in obtaining, access to the System, other than as permitted under this agreement, (e) use the System in a way that adversely affects the System or other users’ use of the System, (f) make the Services, System or Documentation available to any third party or assist third parties in obtaining access, or (g) engage in any excessive or abusive use of the optional modules and/or features of the System as may be provided by the sub-processors referred to in section 3 of Annex A from time to time, which is usage significantly in excess of average usage patterns that adversely affects the availability, functionality, speed, responsiveness and/or stability of the Services for any other Client(s) and/or any Authorised User(s) (“Excessive Usage”). Should Qualee determine that any Excessive Usage has occurred, Client shall account to Qualee for any charges incurred by Qualee as a result of such usage.
4. Charges and Payment
4.1 Client shall pay Qualee the subscription fees and charges specified in the Order Form for Client’s use of the System and the Services (the “Charges”). The Charges are non-cancellable and non-refundable (except if this agreement is terminated by Client for Qualee’s material breach, in which case Qualee will refund any prepaid fees covering the remainder of the then-current Subscription Term). Client shall pay the Charges within 30 days of receiving Qualee’s invoice.
Subscription fees shall be invoiced on or around the “Effective Date” for the initial Subscription Term (each as specified in the Order Form) and on or around the beginning of each subsequent minimum renewal period of 12 months (“Renewal Periods”) in advance thereafter (or in accordance with section 1.2). Professional Services fees shall be invoiced in accordance with the Order Form.
4.2 Client shall reimburse Qualee for any transaction fees that may be incurred by Qualee in connection with payments of the Charges if any are due from Client’s bank.
4.3 The Charges are exclusive of value added, sales, use or withholding, or equivalent taxes in any jurisdiction (together, the “Taxes”), which if payable, will be additionally payable by Client at the appropriate rate. Client shall be responsible for, and will not withhold or deduct, any applicable Taxes on the Charges.
4.4 If Qualee has not received payment within 30 days of receipt of an invoice and has contacted (or attempted to contact) Client both by email and by telephone referring to its rights of suspension, then (a) Qualee may disable Client's access to the System and suspend the Services, and (b) interest shall accrue on a daily basis at an annual rate equal to 3% over the then current base lending rate of Qualee's bankers in Singapore. If a Charge is 30 days or more overdue, then Client shall reimburse Qualee for Qualee’s reasonable costs incurred in the collection of the overdue amount from Client.
4.5 Qualee may increase the Charges at the start of each Renewal Period by giving not less than 60 days' prior written notice to Client.
5. Proprietary Rights
5.1 Qualee shall have a non-exclusive, royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual licence to use or incorporate into the System and Services any suggestions, enhancement requests, recommendations or other feedback provided by Client or its Authorised Users relating to the operation of the System and Services.
5.2 Nothing in this agreement will be deemed to transfer any intellectual property rights between the parties. Client may use the System by viewing it in a browser or printing out copies for Client’s use, but Qualee reserves all other rights.
5.3 Client grants Qualee a non-exclusive licence to use Client Data for the purposes of providing the System and Services in accordance with the agreement.
6. Confidentiality
The parties shall each (a) keep confidential, (b) only use for the purposes of this agreement and (c) only disclose in confidence to the recipient’s employees, contractors and advisors who need to know, the confidential information of the other party received in connection with this agreement, unless the confidential information (i) has become public knowledge otherwise than through a breach of this section, (ii) can reasonably be shown to have been known by the recipient before being received from the discloser, (iii) was obtained by a third party that had not breached a duty of confidentiality, or (iv) is required to be disclosed by law or a party’s regulatory body. Upon termination of this agreement each party shall on request promptly return or take reasonable steps to delete the confidential information of the other party.
7. Indemnity
7.1 Qualee shall defend and indemnify Client and Client Affiliates, from and against:
7.1.1 any claim brought by a third party that the Services, Documentation or System infringes any patent effective as of the Effective Date, copyright, trade mark, database right or right of confidentiality, and shall indemnify Client and Client Affiliates for any amounts awarded against Client or Client Affiliates in judgment or settlement of any such infringement claims, and
7.1.2 any third party or regulatory claims, actions, proceedings, or fines, and for any related losses, damages, expenses and costs, to the extent arising out of or in connection with any material breach by Qualee of the Data Processing Agreement.
7.2 Client shall defend and indemnify Qualee and the Qualee Affiliates, from and against:
7.2.1 any claims, actions, proceedings, losses, damages, expenses and costs arising in connection with the misuse or otherwise improper use of the System and/or Documentation in breach of this agreement by Client or by any person under the control of Client or any Client Affiliate; and
7.2.2 any third party or regulatory claims, actions, proceedings, or fines, and for any related losses, damages, expenses and costs, to the extent arising out of or in connection with any material breach by Client of the Data Processing Agreement.
7.3 Sections 7.1 and 7.2 are subject to:
7.3.1 the indemnifying party being given prompt notice of any matter for which the indemnified party wishes to be indemnified;
7.3.2 the indemnified party providing reasonable co-operation in the defence and settlement of the relevant claim, at the indemnifying party's expense; and
7.3.3 the indemnifying party being given sole authority to defend or settle the relevant claim, provided that no settlement shall be made which prejudices the indemnified party’s rights or imposes any obligations on it without its prior written approval (such approval not to be unreasonably withheld or delayed).
7.4 In the defence or settlement of any third-party claim, Qualee may procure the right for Client to continue using the System, replace or modify the System so that it becomes non-infringing or, if such remedies are not reasonably available, terminate this agreement on two business days' notice to Client without any additional liability.
7.5 Qualee will not be liable to Client to the extent that an alleged infringement is based on:
7.5.1 a modification of the Services or Documentation by anyone other than Qualee or its subcontractors;
7.5.2 Client's use of the Services or Documentation in a manner contrary to the instructions given by Qualee; or
7.5.3 Client's use of the Services or Documentation after notice of the alleged infringement.
7.6 The foregoing states Client's sole and exclusive rights and remedies, and Qualee's entire obligations and liability, for infringement of any intellectual property right.
7.7 Each party shall make reasonable efforts to mitigate any loss, damage or liability it may suffer or incur as a result of a breach by the other party of this agreement or in respect of which it seeks indemnification from the other party under this agreement.
8. Limitation Of Liability
8.1.1 Client assumes sole responsibility for all information, notifications, results, data or disclosures (collectively “Results”) obtained or delivered in the course of the use of the Services and the Documentation, and Qualee expressly disclaims any and all responsibility and liability in respect of such Results;
8.1.2 Qualee shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to Qualee by Client in connection with the Services, or any actions taken by Qualee at Client's direction;
8.1.3 all terms implied by law are excluded from this agreement; and
8.1.4 the Services and the Documentation are provided to Client on an "as is" basis.
8.2 Nothing in this agreement excludes or restricts liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or otherwise to the extent such exclusion or limitation is not otherwise permitted by law.
8.3 Subject to section 8.2:
8.3.1 neither party shall be liable to the other party, whether in contract, tort (including for negligence), breach of statutory duty or otherwise for (a) any loss of profits, loss of business, depletion of goodwill or similar losses or loss or corruption of data or information, or pure economic loss, or (b) for any indirect or consequential loss; however arising under or in connection with this agreement, provided that this section shall not apply to limit or exclude any obligation to pay the Charges or any charges that may be owed by Client in respect of any Excessive Usage; and
8.3.2 the total and aggregate liability of (a) Qualee and the Qualee Affiliates and (b) Client and Client Affiliates, in each case whether in contract, tort (including for negligence), breach of statutory duty or otherwise, arising under or in connection with this agreement shall be limited to 125% of the total subscription fees paid or payable for the Authorised Users during the 12 months immediately preceding the date on which the claim arose.
9. Term And Termination
9.1 This agreement shall commence on the Effective Date and continue for the initial Subscription Term and for successive Renewal Periods thereafter, unless (a) either party notifies the other of its intention to terminate, giving at least 30 days’ written notice, to take effect at the expiry of the initial Subscription Term or then current Renewal Period, or (b) otherwise terminates in accordance with this section.
9.2 Either party may terminate this agreement with immediate effect by giving written notice to the other party if the other party:
9.2.1 fails to pay any amount due under this agreement and remains in default not less than 30 days after being notified in writing to make such payment;
9.2.2 commits a material breach of any other term of this agreement which breach is irremediable or (if remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so; or
9.2.3 the other party is subject to any of the following events (or any event analogous to any of the following in a jurisdiction other than England and Wales) in relation to the relevant entity: becomes insolvent, enters into liquidation, whether voluntary or compulsory (other than for reasons of bona fide amalgamation or reconstruction), passes a resolution for its winding-up, has a receiver or administrator manager, trustee, liquidator or similar officer appointed over the whole or any part of its assets, makes any composition or arrangement with its creditors or takes or suffers any similar action in consequence of its debt, or becomes unable to pay its debts or suspends or ceases, or threatens to suspend or cease, all or a substantial part of its business.
9.3 On termination of this agreement for any reason: (a) Client shall cease using the System and the Documentation, (b) each party shall return and make no further use of any equipment, property, Documentation and other items (and all copies of them) belonging to the other party, (c) without prejudice to Qualee’s rights in respect of Anonymised Data as set out in the Data Processing Agreement, Qualee shall delete Client Data within 90 days of the termination of this agreement (unless otherwise requested by Client to delete sooner), provided that Client Data contained on backup copies of Qualee’s databases shall not be deleted for up to 180 days from the date of termination, upon expiry of the then-current backup, and Client shall be entitled to export aggregated Client Data via the data export functionality within the System, and (d) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination shall not be affected.
9.4 Any provision of this agreement that expressly or by implication is intended to operate after expiration or termination of this agreement shall remain in full force and effect.
10. General
10.1 Except in relation to Client’s obligation to pay the Charges, neither party shall have any liability for non or delayed performance by events beyond its reasonable control, provided that the other party is notified of such event and its expected duration and such affected party uses reasonable endeavours to mitigate its effect. If a party is prevented due to any such events from substantially performing its obligations under this agreement for a period in excess of 30 consecutive days, then the other party may terminate this agreement on 30 days’ written notice.
10.2 The Services including other Qualee technology, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Qualee and Client each represents that it is not named on any U.S. government denied-party list. Client will not permit any Authorised User to access or use any Service or Documentation in a U.S.-embargoed country or region (currently Cuba, Iran, North Korea, Sudan, Syria or Crimea) or in violation of any U.S. export law or regulation.
10.3 If there is an inconsistency between (a) the “Special Terms” section in the Order Form and this agreement, the Special Terms shall prevail; or (b) any other terms of the Order Form and this agreement, this agreement shall prevail.
10.4 No variation of this agreement shall be effective unless it is in writing and signed by the parties’ authorised representatives.
10.5 No failure or delay by a party to exercise any right or remedy shall constitute a waiver of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
10.6 Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to any rights or remedies provided by law.
10.7 If any provision of this agreement is found to be invalid, unenforceable or illegal, the other provisions shall remain in force. If any provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.
10.8 This agreement constitutes the entire agreement between the parties and supersedes all previous agreements (written or oral) relating to its subject matter.
10.9 Each party acknowledges that it does not rely on, and shall have no remedies in respect of, any statement not set out in this agreement. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this agreement.
10.10 This agreement may not be assigned or transferred by either party without the prior written approval of the other but may be assigned or transferred by either party without the other’s consent to (a) a parent or subsidiary, (b) an acquirer of all or substantially all of its assets, or (c) a successor by merger.
10.11 Nothing in this agreement shall create a partnership between the parties or authorise either party to act as agent on behalf of the other.
10.12 This agreement does not confer any rights on any third person or third party.
10.13 Any notice under this agreement shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its address set out in this agreement, or such other address as may have been notified by that party for such purposes, or sent by email to the other party's email address as set out in this agreement. A notice delivered by hand shall be deemed received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed received at the time at which it would have been delivered in the normal course of post. A notice sent by email shall be deemed received at the time of transmission.
10.14 This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law and subject to the exclusive jurisdiction of the English courts.
Annex A: Data Processing Agreement
1. General
1.1 Each party shall comply with its respective obligations under the applicable laws and regulations concerning data protection and/or privacy in or relating to the European Union countries and the UK, including the EU General Data Protection Regulation (2016/679) (“GDPR”) and local implementing law or regulations (“Data Protection Legislation”). The terms “process”, “controller”, “processor”, “personal data” and “data subject” shall have the same meaning as in the applicable Data Protection Legislation.
1.2 Subject to section 1.4 of this Annex, Client will be the controller of the personal data in Client Data (“Personal Data”) and Qualee will be the processor. Qualee shall:
1.2.1 process the Personal Data only to the extent, and in such a manner, as is necessary for performing this agreement and in accordance with Client’s written instructions from time to time and shall not process the Personal Data for any other purpose. Where Qualee is required by law to process the Personal Data, Qualee will promptly inform Client of such legal requirement prior to carrying out the processing, unless it is prohibited from doing so by law;
1.2.2 limit access to Personal Data to those of its authorised personnel who need access to it in order to meet Qualee’s obligations under this agreement, ensure that all such personnel are bound by appropriate obligations of confidentiality and ensure that all such Personal Data is kept separate from any personal data of Qualee or of any other client of Qualee;
1.2.3 implement and maintain appropriate technical and organisational measures (a summary of such technical and organisational measures pursuant to Article 32 DSGVO is attached hereto as Schedule 1: Technical and Organisational Measures), to ensure an appropriate level of security in respect of such Personal Data, against accidental, unauthorised or unlawful loss, destruction, alteration, disclosure of or access to such Personal Data; such measures shall be implemented with regard to: (a) encryption of Personal Data; (b) back-up and disaster recovery arrangements; (c) the ability to ensure ongoing confidentiality, integrity, availability and resilience of the IT infrastructure and environment; and (d) the regular testing and evaluation of the effectiveness of such measures. In particular, Qualee shall, in providing the Services, follow and comply with the data privacy and security measures set out in its Security Overview in connection with the Personal Data;
1.2.4 only engage sub-processors in accordance with section 3 of this Annex;
1.2.5 promptly notify Client if it receives any complaint, notice or communication which relates to the processing of the Personal Data, or any request from a data subject exercising any rights pursuant to the applicable Data Protection Legislation and reasonably cooperate with and assist Client in relation to any such complaint, notice, communication, or request and shall not disclose any of the Personal Data to any data subject or to a third party other than at the request of Client, or as provided for in this Data Processing Agreement;
1.2.6 promptly notify Client if it becomes aware of any unauthorised or unlawful processing, loss of, damage to, disclosure of, access to or destruction of the Personal Data (“Data Breach”) and provide Client with any co-operation, information and assistance, reasonably requested by Client in respect of any Data Breach;
1.2.7 upon termination of this agreement, Qualee will delete the Personal Data in accordance with the terms of the Master Subscription Agreement. Client shall be entitled to export aggregated Client Data via the data export functionality within the System; and
1.2.8 upon reasonable notice, make available to Client or grant to Client and its auditors and agents, a right of access to and to take copies of any information or records kept by Qualee pursuant to this Data Processing Agreement, solely to the extent necessary to demonstrate Qualee’s compliance with the Data Protection Legislation and provided always that this section shall not require Qualee to disclose any confidential information relating to Authorised Users, individual responses to employee engagement surveys or any other personally identifiable data of Authorised Users save to the extent required by the Data Protection Legislation. In relation to any sub-processors that are engaged pursuant to this agreement, Client acknowledges and agrees that it is sufficient, for the purposes of satisfying the requirements of this section, that Qualee has a right to audit those sub-processors on behalf of Client, subject to reasonable restrictions.
1.2.9 provide the contact details of the company’s data protection officer to the extent and as long as the Processor is subject to the respective legal requirement pursuant to Section 5 BDSG (German Federal Data Protection Act) or another applicable national law.
1.3 The subject-matter and duration of the processing of the Personal Data by Qualee, the nature and purpose of the processing and the type of Personal Data and categories of data subjects are all as set out in Qualee’s platform user data privacy policy accessible at https://www.qualee.com/privacy-policy. Qualee may change the policy after the date of this agreement by giving not less than 30 days’ prior written notice to Client, provided that Client may terminate this agreement by giving notice within 14 days of having received such notification if Qualee materially increases the manner or scope in which it processes the Personal Data.
1.4 Qualee may anonymise Client Data in which case: (a) the data (“Anonymised Data”) will not be treated as Personal Data provided that it is not personal data for the purposes of the GDPR, (b) Qualee may use the Anonymised Data for statistical or benchmarking purposes to contribute towards the development of Qualee’s products and services during or after the term of this agreement and will not be required to delete the Anonymised Data on termination.
1.5 For the purposes of section 1.2.1 of this Annex, Client shall not direct Qualee to process the Personal Data in a way that is inconsistent with Qualee’s standard services, or, require Qualee to provide Client Data other than in aggregate form, unless otherwise agreed with Qualee. Client keeping its account active shall be deemed to be an instruction to Qualee to continue to process the Personal Data to allow use of the System. Qualee shall anonymise Personal Data after it has been held on the System for more than five years.
1.6 Client shall not (and shall not permit its Authorised Users to) configure the System dashboard or other interface by reference to, or devise or undertake any surveys or analysis using the System by reference to, any special category of personal data (within the meaning of the GDPR), namely: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data; sex life or sexual orientation, without obtaining Qualee’s prior written agreement. If Qualee agrees, Client shall ensure such processing complies with an appropriate legal basis in accordance with applicable Data Protection Legislation.
1.7 Qualee shall be paid its reasonable costs by Client to support any Client-requested actions under section 1.2 of this Annex, including audits, subject access requests or Client’s interactions with regulators (unless required as a result of Qualee breaching this Data Processing Agreement).
1.8 Client shall ensure, and shall procure that all Client Affiliates shall ensure, that:
1.8.1 it is entitled to transfer any relevant Personal Data to Qualee, such that Qualee may lawfully use, process and transfer such Personal Data in accordance with this agreement on Client's behalf; and
1.8.2 all relevant data subjects have been informed of such use, processing, and transfer as required by all applicable Data Protection Legislation.
2. Overseas Data Transfers
2.1 Save as otherwise stated in the Special Terms section in the Order Form, Client hereby acknowledges and agrees that Qualee shall be entitled to transfer and/or process such Personal Data outside the European Economic Area in connection with the provision of certain optional modules and features of the System, as set out in the Security Overview, to the third parties and at the physical server locations as approved in accordance with section 3 of this Annex, in connection with the functioning and support of such modules and features in the course of the provision of the System; and Client hereby consents to such transfer and processing where such modules and/or features are requested to be included within the System. Qualee and Client shall document any relevant contractual requirements of Client as required under applicable Data Protection Legislation to ensure compliant transfer and processing of such Personal Data outside the European Economic Area. In this respect the parties hereby agree that, unless the relevant transfer is to a third party based in a country confirmed as having adequate data protection safeguards by the European Commission, they will adopt the standard contractual clauses for data export as stipulated from time to time by the European Commission, insofar as and for so long as such contractual clauses remain legally valid and enforceable.
3. Use of Sub-Processors
3.1 Client hereby consents to Qualee using the sub-processors listed in Section 3 “Sub-processor Details” of the Security Overview and if Client uses the features identified on such page as being provided by any of the optional sub-processors, Client will be deemed to have consented to the use of such sub-processors.
3.2 Client hereby grants to Qualee a general authorisation to appoint additional or replacement sub-processors (not listed on https://help.qualee.com/en/articles/4939073-protecting-your-data as at the Effective Date) under this agreement, provided that Qualee shall: (a) notify the Client by email, providing all requisite information concerning such sub-processor and the processing to be undertaken by it, (b) update this agreement to reflect such new sub-processor, (c) provide the Client with a reasonable opportunity to object to the processing of Personal Data by such new sub-processor, and (d) ensure that such sub-processor is bound by equivalent contractual terms as those set out in this Data Processing Agreement.
Schedule 1 – Technical and Organisational Measures
Hereinafter, the material measures taken by Processor regarding compliance with the terms of Article 32 DSGVO are briefly described.
The following description of the status quo of the elementary measures regarding the protection of data understandably cannot disclose any and all security measures in place. Particularly in the context of data protection and data security, it is not possible to provide confidential and detailed descriptions, as the protection of security measures against unauthorised disclosure is at least as important as the security measure itself.
1. Corporate measures of access control, which prevent unauthorized persons from obtaining physical access to the information systems, the data processing device and the confidential files and data media
Data centres are physically secured using a defence in depth approach. This includes the use of top-tier data centres, designed as anonymous buildings without company signage, vehicle barriers, guard stations, alarms, security doors and cages.
Access to the data centres is authorized based on position or role. Access is strictly limited to those few individuals with a business need for access. Access is controlled via badges, biometrics, and security guards. Subsequent entry to the production cage areas and tape vault requires badge and biometric access. Access to the data centre cages requires two-factor authentication a minimum of two times.
Physical access to the data centres and cages is monitored 24/7 by data centre security personnel through guarded lobbies and CCTV cameras that are set up inside and outside the data centres in critical areas. Critical areas that are monitored include: doors to co-location areas, access to cage doors, server floor areas, external perimeter, data centre entries and exits, and shipping/receiving.
All visitors must be pre-approved and authenticated before authorizing access to the facilities. All visitors must be accompanied by an individual on the authorized data centre access list. Unaccompanied visitors are not allowed access to the data centre. Upon arrival visitors must sign in at the front desk, submit a valid government issued photo ID, and be approved by an individual on the authorized list.
All physical access activity is electronically logged and video retained for a minimum of 90 days.
2. Company security measures concerning access control, which prevent data processing systems from being used without authorisation
utilised to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed. Additionally, all traffic between the components is secured via SSL shared secrets.
AWS’ data centres are ISO 27001 certified and have documented security policies and procedures, per requirements of this certification. Access Control is also tested as a control objective under continuous SOC 1, 2 & 3 audits.
Internal Administration Access
Access to the backend systems is restricted to a limited number of Qualee employees and access is granted on the principles of least privilege. The access is given only to enable the operation and maintenance of the service, for analysis of data and to facilitate support of Clients.
Each access request must first be approved by a member of management and a reason for access must be given. On employment termination, access to all systems is immediately revoked, managed through the Entry & Exit Policy.
A tamper-proof audit log is recorded and retained for at least 12 months.
3. Corporate measures of access control, which ensure that users entitled to use a data processing system have access only to the data to which they have a right of access
When accessing the Qualee platform using industry-standard Transport Layer Security (TLS) technology, your information is protected using both server authentication and data encryption, ensuring that data is safe, secure, and available only to authorised Users in your organisation.
Additionally, the security can be further enhanced by enforcing multi-factor authentication and/or SSO.
Access to data (personally identifiable information and aggregated and anonymised survey responses) at the application level is granted by access control groups, which can be controlled by the Client using the administration functionality in Qualee.
4. Corporate security measures taken concerning transmission control, to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport
All data is encrypted in transit using TLS 1.2 (256-bit).
5. Corporate measures of input control that ensure it can be determined who has entered, modified or removed data from relevant systems
All data will be input by the Client; Qualee will not input data on Client's behalf unless directly instructed. Hence, Client's input controls apply in the first instance and Client is responsible for the correct assignment of and user access rights.
With regard to login verification, logging is enabled for account access in Production. This information contains time, date, username, and source location for access. Successful/failed login, changes and system messages are logged and reported in real time to our logging system. Qualee applies monitoring at multiple levels to ensure a high level of availability and security. Statuspage is used to monitor for availability of all services that compose the system, with immediate alerts via email and SMS to the response team.
All alerts are received by the relevant employees including the core response team.
6. Please describe how it is guaranteed that controller’s personal data is processed just on behalf of the controller and just within the controller’s instructions (commission control)
See Master Subscription Agreement (Annex A: Data Processing Agreement) and the service description in place between Client and Company, which notes “Qualee shall process the Personal Data only to the extent, and in such a manner, as is necessary for performing this agreement and in accordance with Client’s written instructions from time to time and shall not process the Personal Data for any other purpose.” The DPA acts as the foundation of Client’s instructions, with additional instructions provided through use of the platform and via requests to Client Success Managers.
Development and staging environments are separated from the production platform, with development running on procedurally generated, artificial test data, further restricting the storage, duplication and processing of Client Data.
7. General corporate security measures concerning availability control against accidental loss or destruction of electronic data, files and data media
Three full backups are performed every day. Two separate snapshots are stored in the primary AWS account and the secondary DR account respectively. The third backup is performed using another procedure and stored on S3 in the AWS Singapore zone. All the backups are stored using server-side encryption, which is enforced using a policy. Backups are retained for 90 days and are protected from deletion via two-factor authentication.
Validated disaster recovery plan objectives are an RPO of 24 hours and an RTO within 72.
The company completes Disaster Recovery (DR) exercises at least annually, and any new infrastructure undergoes a DR exercise as part of the validation process prior to go-live.
8. Measures in the Processor’s systems which guarantee that data can be processed separately for certain purposes so that there is no unnecessary access to data which are stored for other purposes (separation control)
At an account level, data between Clients is logically separated, enforced by various tests and code protections, to ensure Clients can only access and process their own data.
All development and testing is performed on a physically segregated Dev environment using artificially generated test data, reducing access to, duplication and processing of Client Data.
Annex B: Professional Services
This Annex will also apply to any services to be provided under an Order Form that are described as “Professional Services” and will form part of the agreement entered into by the parties. Professional Services will be deemed to be Services.
1. Professional Services
1.1 Qualee shall provide the Professional Services to Client as set out in the Order Form and according to any specifications provided by Qualee, subject to Client’s payment of the applicable Charges. Any changes to the Professional Services will be subject to a change order being signed by the parties before the change is implemented. Qualee shall use reasonable efforts to deliver the Professional Services by any specified delivery dates but such dates are estimates.
1.2 The use of the System shall be governed by the agreement and not this Annex and Client’s right to use the System will be subject to an applicable Order Form. The purchase of Professional Services is not dependent on the delivery of any future functionality or features in the System.
1.3 Client shall reasonably co-operate and assist Qualee in relation to the Professional Services, including (a) allocating sufficient resources and promptly performing any tasks reasonably necessary to enable Qualee to perform the Professional Services, (b) promptly providing any necessary information, documentation, equipment or other materials, and (c) informing Qualee in advance of any applicable security or health and safety rules that apply to any site visits. Qualee shall not be liable for any delay or failure in performing the Professional Services as a result of Client failing to provide such cooperation and assistance and may charge Client for additional resulting costs that it incurs in performing the Professional Services.
1.4 Client shall notify Qualee of any failure of the Professional Services to comply with this agreement within 30 days of completion. Qualee shall either reperform or otherwise remedy the Professional Services or refund the Charges for the deficient part of the Professional Services.
2. Intellectual Property Rights
2.1 Subject to payment of the Charges, Qualee hereby grants Client a non-exclusive, perpetual, sub-licensable right to use the deliverables (if applicable) for Client’s internal business purposes.
3. Charges and Payment
3.1 Client shall pay the Charges specified in the Order Form, or if no rate is specified, Qualee’s standard rates in effect at the time the Order Form is executed. If the total Charges are stated to be an estimate then the actual Charges will only exceed the estimate with Client’s prior written approval or Qualee will cease the Professional Services when the estimate is reached.
3.2 With Client’s prior written approval, Qualee may charge for its travel and related out-of-pocket expenses reasonably incurred by the individuals performing the Professional Services.
3.3 The Charges for Professional Services shall be invoiced on or around the Effective Date as specified on the Order Form by Qualee.
3.4 If this agreement terminates before completion of the Professional Services then Client shall pay any unpaid Charges incurred before the termination date (pro-rated for fixed fees on a percent-completed basis). Pre-paid fees will be reimbursed to the extent they relate to after the termination date where Client terminates for cause, but not otherwise. Unless otherwise specified in the Order Form, in the event that Client has pre-purchased a block of Professional Services time, any unused time shall expire at the later of: (a) twelve months from the start date of purchase of such time; or (b) the end date of the applicable Subscription Term.
3.5 All sums payable to Qualee shall become due immediately upon termination of this Annex.