End User License Agreement
THIS END USER LICENSE AGREEMENT (“AGREEMENT”) CONSTITUTES A BINDING CONTRACT BETWEEN KAYRAN LTD., AND ITS AFFILIATES (“WE”, “US”, “OUR”, “COMPANY”), AND THE LEGAL ENTITY IDENTIFIED BY THE DETAILS INCLUDED IN THE PURCHASE ORDER, PROPOSAL (“CUSTOMER”), OR AN INDIVIDUAL EMPLOYEE DESIGNATED BY THE CUSTOMER TO USE THE PLATFORM FOR THE BENEFIT OF THE CUSTOMER (HEREINAFTER “USER”). THE TERMS "YOU" AND "YOUR" WILL APPLY COLLECTIVELY TO SUCH CUSTOMER AND/OR SUCH USER, UNLESS OTHERWISE EVIDENT FROM THE CONTEXT.
IF YOU ARE ACTING ON BEHALF OF THE CUSTOMER TO ACQUIRE A RIGHT TO USE THE PLATFORM, YOU HEREBY REPRESENT AND WARRANT THAT YOU ARE DULY AUTHORIZED TO ENTER INTO THIS AGREEMENT ON BEHALF OF THE CUSTOMER AND THAT YOU HAVE THE PROPER AUTHORITY TO LEGALLY BIND THE CUSTOMER BY THIS AGREEMENT.
TAKING ANY STEP TO SET UP, CONFIGURE OR INSTALL THE PLATFORM SHALL CONSTITUTE YOUR ACCEPTANCE OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU MUST CEASE ALL USE OF THE PLATFORM AND RETURN THE PLATFORM WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO THE COMPANY.
- “Customer Data” means Customer’s Personal Data included in Schedule 1 of the DPA (as defined below).
- “Documentation” means the technical specifications, user-guides and tutorials associated with the Platform, as provided by the Company.
- “Feedback” means suggestions, comments or feedback (whether orally or in writing) with respect to the Platform.
- “Marks” means all trademarks, service marks, logos, insignia or any other designation of source or origin, whether registered or not.
- “Output Reports” means the findings provided to Customer by Company regarding security vulnerabilities that the Platform has detected.
- “Platform” means the Company’s proprietary automated Web Application Vulnerability Scanner, and the Documentation.
- “Platform Analyses” means information and data related to the Customer’s use of the Platform, the Customer’s domain and network architecture and layout, the Platform’s functions and processes as carried out on the Customer’s network and security threats in the Customer’s domain and network that the Platform has detected that does not identify the Customer, users or other entities and is combined with the data of other customers or users.
- “Purchase Order” means that purchase order submitted by a User to Us or Our value added reseller(s) or Our Distributor(s).
- “Approved Proposal” means the proposal submitted by Us to You including the proposed terms (including payment terms) for your Platform Subscription, which has been approved by you prior to your use of the Platform.
- “Subscription Fees” means the amounts specified in Your Purchase Order or the Approved Proposal for the use of the Platform.
- “Support Services” means the provision of support and technical assistance made available to Customer by Company (or on its behalf) in connection with the Platform, in accordance with the Service Level Agreement attached hereto as Exhibit B.
- License; Restrictions
- License. Subject to the terms of this Agreement, Company hereby grants you, during the Term, a limited, non-exclusive, non-transferable, non-sublicensable, revocable right, to subscribe and use the Platform for your internal business purposes in accordance with the Documentation (the “License”).
- Restrictions. You may not, by yourself or through others: (i) sell, lease, sublicense or distribute the Platform, or any part thereof, or otherwise transfer the Platform or allow any unauthorized third party to use the Platform in any manner; (ii) reverse engineer, decompile, disassemble or otherwise reduce to human-perceivable form the Platform’s source code; (iii) modify, revise, enhance or alter the Platform; (iv) copy or allow copies of the Platform to be made that were not authorized by the Company; (v) make the Platform accessible to other users or the public; (vi) circumvent, disable or otherwise interfere with security-related features of the Platform or features that prevent or restrict use or copying of any content or that enforce limitations on use of the Platform; (vii) interfere or attempt to interfere with the integrity or proper working of the Platform; (viii) remove, alter or obscure any proprietary notice or identification, including copyright, trademark, patent or other notices, contained in or displayed on or via the Platform; (ix) use the Platform to violate any applicable laws, rules or regulations, or for any unlawful, harmful, irresponsible, or inappropriate purpose, or in any manner that breaches this Agreement, and/or (x) represent that you possess any proprietary interest in the Platform.
Without prejudice to any other right the Company has under this Agreement or under applicable law, the Company may employ technological measures to detect and prevent fraudulent or unauthorized use of the Platform or parts thereof. The Company may suspend and/or revoke your License without prior notice, if the Company, at its sole discretion, has deemed your use of the Platform to be fraudulent or outside the scope of the License.
- Open Source and Third Party Licenses. The Platform: (i) includes certain open source code software and materials as further detailed in the Documentation (“Open Source Software”), that are subject to their respective open source licenses (“Open Source Licenses”); and (ii) may include third party proprietary software (which are not subject to Open Source Licenses) (“Third Party Software”), subject to their respective license agreement(s) (“Third Party Terms”). Such Open Source Licenses and Third Party Terms contain provisions concerning warranty, copyright policy and other provisions. By executing this Agreement, You hereby acknowledge and agree to comply with the terms and conditions of the Open Source Licenses and Third Party Terms, as may be amended from time to time. In the event of any inconsistencies or conflicting provisions between the provisions of the Open Source Licenses and/or the Third Party Terms and the provisions of this Agreement, the provisions of the Open Source Licenses and/or Third Party Terms shall prevail.
- Title and Intellectual Property
- Platform. All rights, title and interest in and to the Platform, including but not limited to, patents, copyrights, trademarks, trade names, service marks, trade secrets and other intellectual property rights, and any goodwill associated therewith, are owned by or licensed to the Company. Other than what is expressly granted by this Agreement, the Company does not grant any other rights to patents, copyrights, trademarks (whether registered or unregistered), trade names, trade secrets, domain names or any other rights, functions, licenses or content with respect to, or in connection with, the Platform. Nothing in this Agreement constitutes a waiver of the Company’s intellectual property rights under any law, and any rights not granted to Customer herein are expressly reserved by the Company.
- Platform Analyses. Company may compile Platform Analyses in an aggregated form to create statistical analyses, and for research and development purposes, and make available such Platform Analyses in a form that does not identify Customer or any individual. It is hereby agreed that Company shall retain all right, title and interest in such Platform Analyses.
- Feedback. It is further agreed that to the extent You provide Company with Feedback, You acknowledge that any and all rights, including intellectual property rights in such Feedback shall belong exclusively to Company and that such shall be considered Company's Confidential Information (as defined below), and You hereby irrevocably and unconditionally transfer and assign to Company all intellectual property rights in such Feedback and waive any and all moral rights that You may have in respect thereto. It is further understood that use of Feedback, if any, may be made by Company at its sole discretion, and that Company in no way shall be obliged to make use of any kind of the Feedback or part thereof.
- All goodwill arising out of any use of a Party’s Marks, by the other Party, will inure solely to the benefit of the proprietor Party. Each Party agrees that it will not engage or participate in any activity or course of action that dilutes, diminishes or tarnishes the image or reputation of the other Party or its Mark.
- ANY USE OF THE PLATFORM IN VIOLATION OF THE LICENSE GRANTED HEREUNDER OR RESTRICTIONS IMPOSED IN THIS AGREEMENT MAY RESULT IN THE REVOCATION OF THE LICENSE AND MAY EXPOSE YOU TO CLAIMS FOR DAMAGES. IF THE COMPANY DETERMINES THAT THE PLATFORM HAS BEEN USED IN VIOLATION OF THE LIMITED LICENSE GRANTED HEREUNDER OR RESTRICTIONS IMPOSED IN THIS AGREEMENT, YOU WILL, AT THE COMPANY’S REQUEST, COMPENSATE THE COMPANY FOR EACH YEAR OR PART THEREOF DURING WHICH THE VIOLATION WAS COMMITTED, IN AN AMOUNT EQUAL TO THREE (3) TIMES THE LICENSE FEE THAT WITH WHICH THE VIOLATION IS ASSOCIATED, HAVE PAID. PAYMENT OF THIS LIABILITY FEE DOES NOT REPLACE THE COMPANY’S RIGHTS TO OTHER REMEDIES OR DAMAGES AWARDED BY A COMPETENT COURT OR ARBITRATION PROCESS.
- The Customer hereby grants the Company a license to use the Customer’s trademarks for presenting the Customer as the Company's client in any media and opportunity.
- Each party (“Disclosing Party”) may from time to time during the term of this Agreement disclose to the other party (“Receiving Party”) certain information regarding the Disclosing Party’s business, including technical, marketing, financial, employee, planning, and other confidential or proprietary information (“Confidential Information”). The Receiving Party will not use any Confidential Information of the Disclosing Party for any purpose not expressly permitted by this Agreement, and will disclose the Confidential Information of the Disclosing Party only to its employees or contractors who have a need to know such Confidential Information for purposes of this Agreement and who are under a duty of confidentiality no less restrictive than the Receiving Party’s duty hereunder. The Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access or disclosure in the same manner as the Receiving Party protects its own confidential or proprietary information of a similar nature and with no less than reasonable care.
- The Receiving Party’s obligations under this Section, with respect to any Confidential Information of the Disclosing Party, shall not apply to and/or shall terminate if and when the Receiving Party can document that such information: (a) was already lawfully known to the Receiving Party at the time of disclosure by the Disclosing Party; (b) was disclosed to the Receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (c) is, or through no fault of the Receiving Party has become, generally available to the public; or (d) was independently developed by the Receiving Party without access to, or use of, the Disclosing Party’s Confidential Information. In addition, the Receiving Party will be allowed to disclose Confidential Information of the Disclosing Party to the extent that such disclosure is required by law or by the order of a court or similar judicial or administrative body, provided that the Receiving Party notifies the Disclosing Party of such required disclosure promptly and in writing and cooperates with the Disclosing Party, at the Disclosing Party’s reasonable request and expense, in any lawful action to contest or limit the scope of such required disclosure.
- Customer Data
- Customer hereby acknowledges and agrees that Company is acting as a data processor and will use Customer Data only in accordance with Customer's instructions in performing its obligations under this Agreement. Company will implement appropriate technical and organizational measures to protect the Customer Data provided by Customer against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure of the Customer Data.
- Customer shall comply at all times with all applicable privacy and data protection laws and regulations (including the EU General Data Protection Regulation (“GDPR”)) and industry guidelines to which Customer is subject, for allowing Company to use the Customer Data in accordance with this Agreement (including, without limitation, the provision of such data to Company, the transfer of such data by Company to its affiliates and subcontractors, including transfers outside of the European Economic Area), including by providing all appropriate notices and obtaining all appropriate informed consents, as applicable.
- Where applicable, Customer shall sign the Company's Data Processing Agreement (“DPA”) attached hereto as Exhibit A. In the event Customer fails to comply with any data protection or privacy law or regulation, the GDPR and/or any provision of the DPA, and/or fails to sign the DPA, then: (a) to the maximum extent permitted by law, Customer shall be fully liable for any such breach, violation, infringement and/or processing of Customer Data without a DPA by Company and Company's affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents); (b) in the event of any claim of any kind related to any such breach, violation or infringement and/or any claim related to processing of Customer Data without a DPA, Customer shall defend, hold harmless and indemnify Company and Company's affiliates and subsidiaries (including, without limitation, their employees, officers, directors, subcontractors and agents) from and against any and all losses, penalties, fines, damages, liabilities, settlements, costs and expenses, including reasonable attorneys' fees; and (c) the limitation of Customer’s liability under Section 9 below shall not apply in connection with Sections 6.3(a) and 6.3(b) above.
- Credit card details, if requested, will not be transferred to any third party.
- Term and Termination
- Term. This Agreement is effective for the period set forth in the Purchase Order or the Approved Proposal, unless terminated in accordance with this Section 7 (the “Initial Term”). Thereafter, this Agreement shall be renewed automatically, for successive one (1) year terms (unless agreed otherwise by the parties), at the Company’s then current rates (each a “Renewal Term”, and together with the Initial Term, the “Term”), unless either party provides notice to the other party of its intent not to renew the Agreement, within ninety (90) days of the end of the applicable Term. If You continue to use the Platform past any renewal date, You shall be deemed to have renewed the Agreement for the following term at the rates applicable for said new Term. Furthermore, this Agreement may be terminated if the Company is required to do so by law (for example, where the provision of the Company's services is, or becomes, unlawful). In such cases the Company shall, where possible, give reasonable notice of such termination.
- Termination for Breach. We may terminate this Agreement at any time by giving written notice to You, if You are in breach or default of any provision of this Agreement.
- Consequences of Termination. Upon expiration or termination of this Agreement, You shall: (i) immediately cease all use of the Platform; (ii) return the Platform and all Documentation and related materials in Your possession to the Company; (iii) erase or otherwise destroy all copies of the Software in its possession, which is fixed or resident in the memory or hard disks of its computers; and (iv) return to Company any and all Company Confidential Information in its possession. For the removal of any doubt, no refunds or any portion thereof will be made.
- Survival. The provisions of this Section 7.5 (Survival), 2.1 (Restrictions), 4 (Title & Intellectual Property), 5 (Confidentiality), 7.3 (Consequences of Termination), 8 (Warranty Disclaimer), 9 (Limitation of Liability), 10 (Indemnification) and 12 (General) shall survive the termination or expiration of this Agreement.
- Warranty Disclaimers
- THE PLATFORM IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS, AND THE COMPANY HEREBY DISCLAIMS ALL OTHER WARRANTIES EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, ACCURACY, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. WITHOUT LIMITING THE FOREGOING, THE COMPANY SPECIFICALLY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES THAT THE PLATFORM WILL MEET YOUR REQUIREMENTS OR FULFILL ANY OF YOUR NEEDS. TO THE EXTENT THE COMPANY MAY NOT, AS A MATTER OF APPLICABLE LAW, DISCLAIM ANY WARRANTY, THE SCOPE AND DURATION OF SUCH WARRANTY SHALL BE THE MINIMUM PERMITTED UNDER SUCH LAW.
- You acknowledge that the Platform relies on network, infrastructure, hardware and software, partly managed and operated by others. The Company does not warrant that the Platform will operate in an uninterrupted or error-free manner, or that it will always be available, free from errors or omissions, malfunctions, bugs or failures, including hardware failures, software failures and software communication failures. For the avoidance of doubt, the Company will assume no liability whatsoever for damages incurred or sums paid by You, in connection with any fault by You or any third party’s harmful components impacting Your computer network (such as computer viruses, worms, computer sabotage, or “denial of service” attacks).
- Limitation of Liability
- EXCEPT FOR CUSTOMER’S BREACH OF SECTION 2, 5, or 6, OR EACH PARTY’S OBLIGATIONS UNDER SECTION 10: (A) IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY WITH RESPECT TO THE SUBJECT MATTER OF THIS AGREEMENT FOR ANY INDIRECT, SPECIAL, EXEMPLARY, STATUTORY, INCIDENTAL OR CONSEQUENTIAL DAMAGES, LOSS OF DATA, LOSS OF PROFITS, INABILITY TO USE THE PLATFORM OR RELIANCE UPON THE OUTPUT REPORTS, WHETHER SUCH DAMAGES ARE BASED ON CONTRACT, TORT, OR ANY OTHER LEGAL THEORY, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES; AND (B) THE COMPANY’S ENTIRE LIABILITY ARISING FROM THIS AGREEMENT WILL NOT EXCEED AN AMOUNT EQUAL TO THE AGGREGATE FEES ACTUALLY PAID BY YOU TO THE COMPANY, PURSUANT TO THIS AGREEMENT, IN THE TWELVE (12) MONTHS PRECEDING THE EVENT PURPORTEDLY GIVING RISE TO THE LIABILITY.
- THE FOREGOING LIMITATIONS AND EXCLUSIONS IN THIS SECTION 9 SHALL APPLY: (i) EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF ANY DAMAGES OR LOSSES; (ii) EVEN IF ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE; AND (iii) REGARDLESS OF THE BASIS OR THEORY OF LIABILITY.
- Support Services. Subject to the terms and conditions of this agreement, and Your full and timely payment to the Company of all applicable Subscription Fees, We and/or Our value added reseller, will provide You during the Term with technical support for questions, problems and inquiries regarding the Platform, pursuant to the support scheme, hours and channels agreed upon between You and the Company (directly and/or through Our value added reseller), all as further set forth in the Service Level Agreement attached hereto as Exhibit B.
- Force Majeure. Except for payment obligations, neither party will be liable to the other party for failure or delay in performance of any of its obligations under or in connection with this Agreement arising out of any event or circumstance beyond that party’s reasonable control, including without limitation an Act of God, endemic, pandemic, fire, flood, lightning, war, revolution, act of terrorism, riot, civil commotion, adverse weather condition, adverse traffic condition, strike, lock-out or other industrial action, and failure of supply of power, fuel, transport, equipment, raw materials, or other goods or services.
- Injunctive Relief. In the event of breach of this Agreement or the License hereunder, You hereby acknowledge that such a breach may cause irreparable harm to the Company for which monetary or other damages may not be an adequate remedy, and therefore, in addition to any other legal or equitable remedies, the Company will be entitled to seek an injunction or other equitable remedy against such breach in any competent jurisdiction.
- Assignment. This Agreement, and any rights and licenses granted hereunder, may not be transferred or assigned by You without our prior written consent, but may be assigned by Company without restriction or notification. Any assignment in breach of this Agreement shall be null and void.
- Governing Law and Jurisdiction. This Agreement and any dispute related thereto or in connection therewith, will be exclusively governed by, and construed in accordance with, the laws of the State of Israel, without regard to its conflicts of law principles which may result in the application of provisions of law other than those of Israel. In such a case, the sole and exclusive personal jurisdiction and venue for any legal proceedings in connection with this Agreement will be in the competent courts located in Tel-Aviv, Israel.
- Entire Agreement and Severability. This Agreement constitutes the entire and complete agreement between you and us concerning any use of, or in connection with, the Platform. This Agreement supersedes all prior oral or written statements, understandings, negotiations and representations with respect to the subject matter herein. If any provision of this Agreement is held invalid or unenforceable, that provision must be construed in a manner consistent with the applicable law to reflect, as nearly as possible, the original intentions of the parties, and the remaining provisions will remain in full force and effect. This Agreement may be modified or amended only in writing, signed by the duly authorized representatives of both parties.
- No Waiver of Rights and Remedies. Neither Party will, by mere lapse of time, without giving notice thereof, be deemed to have waived any breach by the other Party of any terms or provisions of this Agreement. A waiver by either Party, of any breach, will not be construed as a waiver of subsequent breaches or as a continuing waiver of such breach.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed as of the date of the last signature below.
KAYRAN LTD. CUSTOMER
By: _______________ By: _________________
Title: ______________ Title: _______________
* * * * *
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is made and entered into as of this ____ day of ____, 202_, and forms part of the End User License Agreement (the “Agreement”). You acknowledge that you, on behalf of [______] incorporated under __________ law, with its principal offices located at ____________________ (collectively, “You”, “Your”, “Customer”, or “Data Controller”) have read and understood and agree to comply with this DPA, and are entering into a binding legal agreement with KAYRAN as defined below (“KAYRAN”, “Us”, “We”, “Our”, “Service Provider” or “Data Processor”) to reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) of GDPR-protected individuals. Both parties may also be referred to as the “Parties” and each, a “Party”.
WHEREAS, KAYRAN shall provide the services set forth in the Agreement (collectively, the “Services”) for Customer, as described in the Agreement; and
WHEREAS, the Services may entail the processing of personal data in accordance with the Data Protection Laws and Regulations (as defined below); and
WHEREAS, the Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
- INTERPRETATION AND DEFINITIONS
- The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.
- References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.
- Words used in the singular include the plural and vice versa, as the context may require.
- Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and KAYRAN, but has not signed its own agreement with KAYRAN and is not a "Customer" as defined under the Agreement.
- “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term "Data Controller" shall include yourself, the Customer and/or the Customer’s Authorized Affiliates.
- “Data Protection Laws and Regulations” means all laws and regulations, including the EU Data Protection Directive 95/46/EC, the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), and local laws and regulations of the European Economic Area and their Member States, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
- “KAYRAN” means KAYRAN Ltd.
- “KAYRAN Group” means KAYRAN and its Affiliates engaged in the Processing of Personal Data.
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
- “Sub-processor” means any Processor engaged by KAYRAN.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
PROCESSING OF PERSONAL DATA
- Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, (i) Customer is the Data Controller, (ii) KAYRAN is the Data Processor and that (iii) KAYRAN or members of the KAYRAN Group may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
- Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the means by which Customer acquired Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all required legal bases in order to collect, Process and transfer to Data Processor the Personal Data and to authorize the Processing by Data Processor of the Personal Data which is authorized in this DPA.
- Data Processor’s Processing of Personal Data. Subject to the Agreement, Data Processor shall Process Personal Data in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide the Services; (ii) Processing for Customer to be able to use the Services; (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iv) Processing as required by Union or Member State law to which Data Processor is subject; in such a case, Data Processor shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
To the extent that Data Processor cannot comply with a request from Customer and/or its authorized users (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind), Data Processor (i) shall inform Customer, providing relevant details of the problem, (ii) Data Processor may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Data Processor all the amounts owed to Data Processor or due before the date of termination. Customer will have no further claims against Data Processor (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
KAYRAN will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of KAYRAN, to the extent that such is a result of Customer’s instructions.
- Details of the Processing. The subject-matter of Processing of Personal Data by Data Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
RIGHTS OF DATA SUBJECTS
- Data Subject Request. Data Processor shall, to the extent legally permitted, promptly notify Customer if Data Processor receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, erasure (“right to be forgotten”), restriction of Processing, data portability, right to object, or its right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Data Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Data Processor shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Data Processor’s provision of such assistance.
- Confidentiality. Data Processor shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality and non-disclosure. Data Processor will keep the list of persons to whom access to Personal Data has been granted under periodic review. On the basis of the said review, access to Personal Data can be withdrawn and in this case, Personal Data will not be accessible anymore to those persons.
- Data Processor may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable Data Protection Laws and Regulations (in such a case, Data Processor shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).
AUTHORIZATION REGARDING SUB-PROCESSORS
- Appointment of Sub-processors. Customer acknowledges and agrees that (a) Data Processor’s Affiliates may be used as Sub-processors; and (b) Data Processor and/or Data Processor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
- List of Current Sub-processors and Notification of New Sub-processors. Data Processor shall make available to Customer the current list of Sub-processors used by Data Processor. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Customer. In any event, the Sub-processor List shall be deemed authorized by Customer unless it provides a written reasonable objection for reasons related to the GDPR within three (3) business days following the publication of the Sub-processor List. Customer may reasonably object for reasons related to the GDPR to Data Processor’s use of an existing Sub-processor by providing a written objection to KAYRAN. In the event Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Customer will have no further claims against Data Processor due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph.
- Objection Right for New Sub-processors. Customer may reasonably object to Data Processor’s use of a new Sub-processor for reasons related to the GDPR by notifying Data Processor promptly in writing within three (3) business days after receipt of Data Processor’s notice in accordance with the mechanism set out in Section 5.2 and such written objection shall include the reasons related to the GDPR for objecting to Data Processor’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business days following Data Processor’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Data Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Data Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to new Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Until a decision is made regarding the new Sub-processor, Data Processor may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Data Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
- Controls for the Protection of Personal Data. Data Processor shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data. Data Processor regularly monitors compliance with these measures. Upon the Customer’s request, Data Processor will assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Data Processor.
- Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Data Processor shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Data Processor) a copy of Data Processor’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Customer to assess compliance with this DPA and/or with applicable Data Protection Laws and Regulations, and shall not be used for any other purpose or disclosed to any third party without Data Processor’s prior written approval and, upon Data Processor's first request, Customer shall return all records or documentation in Customer's possession or control provided by Data Processor in the context of the audit and/or the certification). With respect to audits and inspections, the parties shall discuss in good faith and agree on the scope, timing and details of the audits and inspections. To the extent that Data Processor’s obligations in this section involve more than 8 hours/man of work, Customer shall bear the costs and expenses of complying with this clause.
PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
Data Processor maintains security incident management policies and procedures and, to the extent required under applicable Data Protection Laws and Regulations, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data transmitted, stored or otherwise Processed by Data Processor or its Sub-processors of which Data Processor becomes aware (a “Personal Data Incident”). Data Processor shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Data Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Data Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
DELETION OF PERSONAL DATA
Subject to the Agreement, Data Processor shall, upon the written request of Customer, delete the Personal Data after the end of the provision of the Services relating to processing, unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Data Processor may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations.
- Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Data Processor. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
- Communication. The Customer shall remain responsible for coordinating all communication with Data Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- Collaboration with Customers’ Data Protection Impact Assessments. Upon Customer’s written request, Data Processor shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Data Processor. Data Processor shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 10.2 of this DPA, to the extent required under the GDPR.
- Transfer mechanisms for data transfers.
- Transfers to countries that offer an adequate level of data protection: Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
- Transfers of Personal Data to the United States: If the Processing of Personal Data includes transfers from the EEA to the United States, the parties shall transfer Personal Data only to recipients that have certified their compliance with the EU-US and/or Swiss-US Privacy Shield Program. Each party shall ensure that each such recipient maintains its certification under the Privacy Shield for so long as it maintains any of the Personal Data transferred to it by such party. In the event that EU authorities or courts determine that the Privacy Shield is not an appropriate basis for transfers, Subsection (c) shall apply to transfer of Personal Data to the United States.
- Transfers to other countries: If the Processing of Personal Data includes transfers from the EEA to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with Article 46 of the GDPR, and shall execute the standard data protection clauses adopted by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission or comply with any of the other mechanisms provided for in the GDPR for transferring Personal Data to such Other Countries.
- For clarity, responsibility for compliance with the obligations corresponding to Data Controllers under Data Protection Laws and Regulations shall rest with Customer and not with KAYRAN. KAYRAN may, at Customer’s cost, provide reasonable assistance to Customer with regards to such obligations.
- Termination. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. This Section 10 and Section 2.2 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
- Amendments; Relationship with Agreement. This DPA may be amended at any time by a written instrument duly signed by each of the Parties. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.
This DPA shall only become legally binding between Customer and Data Processor when the formal steps set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS DPA” below have been fully completed.
LEGAL EFFECT; SIGNATURE
By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that KAYRAN processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.
The Parties' authorized signatories have duly executed this Agreement:
Customer Legal Name:
SCHEDULE 1 - DETAILS OF THE PROCESSING
Data Processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
- Providing the Service(s) to Customer.
- Setting up an account/account(s) for Customer.
- Setting up profile(s) for users authorized by Customers.
- For Customer to be able to use the Services.
- For Data Processor to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
- Performing the Agreement, this DPA and/or other contracts executed by the Parties.
- Providing support and technical maintenance, if agreed in the Agreement.
- Resolving disputes.
- Enforcing the Agreement, this DPA and/or defending Data Processor’s rights.
- Management of the Agreement, the DPA and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation.
- Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
- All tasks related with any of the above.
Duration of Processing
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Data Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First name
- Last name
- Email address
- Mobile phone number
- Domain names.
- Any other Personal Data that the Customer decides to provide to the Data Processor in connection with the Services.
In some limited circumstances Personal Data may also come from other sources, for example, in the case of anti-money laundering research, fraud detection or as required by applicable law. For clarity, Customer shall always be deemed the “Data Controller” and KAYRAN shall always be deemed the “data processor” (as such terms are defined in the GDPR).
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customer’s customers and/or Customers
- Customer’s users authorized by Customer to use the Services
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Prospects, Customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, Customers, business partners and vendors
KAYRAN – SERVICE LEVEL AGREEMENT
This Service Level Agreement (“SLA”) is made and entered into as of this ____ day of ____, 202_ and forms part of the customer Authorization Agreement (the “Agreement”) between KAYRAN Ltd (“We” or “KAYRAN”) and ___________ (“Customer”). Any capitalized terms used but not otherwise defined herein shall have the meaning ascribed to them in the Agreement.
SERVICE – SaaS solution only
- KAYRAN service. We use commercially reasonable efforts to make KAYRAN Cloud available 24 hours a day, 7 days a week, except for: (a) planned downtime (of which We give notice), and (b) unavailability caused by force majeure circumstances beyond Our reasonable control.
- KAYRAN service will not impact Customer’s domain traffic, including in the event of KAYRAN service downtime.
- False positive rate of identifying security vulnerabilities will be less than 5% (Where under the control of KAYRAN – Not including Customer SOC team).
- Support Request. For the purposes of this agreement, a "Support Request" is generally defined as a request in writing for support to fix a bug in an existing released version of KAYRAN’s product or a request for support that involves functionality of the stated product.
- Levels of Support. Two levels of support are provided under this agreement. These levels, which are integrated into KAYRAN’s support process, are defined as follows:
- Standard Coverage. This level is inclusive within this Agreement with no further cost.
- On Premise Coverage. Requires a remote access to the site, for support purposes as a prerequisite for remote-support. *On Premise coverage support service does not include travel & accommodation expenses to and from the site upon a support call that requires an on-site visit.
- Standard Support Coverage. This is support provided by the appropriate KAYRAN help desk when it receives the Support Request from the Customer. Customer shall open a support ticket for KAYRAN, which is then passed to KAYRAN’s support specialists.
- Call Management Process. KAYRAN’s problem-ticket system will be used by all support team levels (where approval and technical access has been granted) to record and track all problem reports, inquiries, or other types of calls received by support. Support Requests are taken by KAYRAN’s Help Desk as follows:
2:00 a.m. – 5:00 p.m. Sunday - Thursday
2:00 a.m. – 11:00 a.m. Friday
Off-hours coverage (service outage only)
24x7x365, outside of standard coverage described above
- Response Time: The guaranteed response time following any critical/outage incident shall be 24 hours or less. The guaranteed response time following any High, medium, or cosmetic service incident shall be one (1) business day or less, normal business hours (2:00 a.m. – 5:00 p.m., Sunday – Thursday; and 2:00 a.m. – 11:00 a.m., Friday all US Eastern Time) on a best effort basis. The response time begins when the request is logged with KAYRAN’s problem-ticketing system and is stopped when a response has been initiated from KAYRAN.
- Ticket severity will be classified as Critical, High, Medium and Customer Request and handled as detailed below:
- Critical – will be resolved within 48 hours
- High – will be resolved within 5 business days
- Medium – will be resolved on the next major release (up to two months)
- Customer request – may be resolved according to KAYRAN’s roadmap plans
UPDATES & UPGRADES [for On-Premise implementations only]
Updates and upgrades to KAYRAN’s products occur when an update/upgrade to an existing product is released; KAYRAN shall make the updated software version available for the Customer every 3 months or less, and/or in the event that a critical software upgrade has been released by KAYRAN or any of its 3rd party technology partners.
ROLES OF KAYRAN
KAYRAN has the following general responsibilities under this Agreement:
KAYRAN will use its own appropriate help desk to provide Level-1 to Level-4 support services.
Once a support request has been submitted, KAYRAN will make itself available to work with the Customer support resource assigned to the support request within the stated response time.
KAYRAN will attempt to resolve problems over the phone/online on first call.
The customer end-users will not contact KAYRAN’s support resources directly to report a problem. All problem calls must be logged through the appropriate help desk.
KAYRAN will provide all necessary and requested documentation, information, and knowledge capital to the Customer prior to the start of support of KAYRAN’s products.
This SLA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided.
RELATIONSHIP WITH AGREEMENT
In the event of any conflict between the provisions of this SLA and the provisions of the Agreement, the provisions of this SLA shall prevail over the conflicting provisions of the Agreement.
This SLA may be amended at any time by a written instrument duly signed by each of the Parties.
EXCLUSIONS AND BOUNDARIES
Solution Uptime shall not apply to any of the following exceptions and events which may cause a delay in performing KAYRAN’s obligations under this SLA including providing any support:
Overall Internet congestion, slowdown, or unavailability;
Unavailability of generic internet services (e.g. DNS servers) due to virus or hacker attacks;
Force majeure events and any other conditions beyond KAYRAN’s reasonable control which prevents or substantially limits KAYRAN’s Services including but not limited to, fire, flood, accident, earthquakes, telecommunications line failures, electrical outages, acts of God, pandemics or labor disputes;
Actions or omissions of the Customer (unless undertaken at the express direction of KAYRAN) or third parties beyond the control of KAYRAN including errors and faults relating to hardware, software and/or communication of the Customer;
Unavailability due to the Customer equipment or third-party computer hardware, software, or network infrastructure not within the sole control of KAYRAN;
Scheduled version updates;
Altered, damaged, or modified deliverables of KAYRAN’s Services (except for alterations or modifications made by KAYRAN);
Defects or errors caused by incorrect and/or negligent use by the Customer;
Defects caused by failure to implement reasonable recommendations or solutions to defects provided by KAYRAN;
Products installed in a hardware or operating environment not supported by KAYRAN;
Third party software not licensed through or supported by KAYRAN;
Defects or errors caused by any fault or error in the equipment, programs, applications or products used in conjunction with the Services, or otherwise resulting from causes beyond the reasonable control of KAYRAN.
The parties' authorized signatories have duly executed this Agreement:
By ______________________ By ______________________
Its ______________________ Its ______________________