SaaS End-User License Agreement

Last modified: March 8, 2024

THIS END USER LICENSE AGREEMENT, INCLUDING ANY APPLICABLE EXHIBITS ATTACHED HERETO (INCLUDING THE DATA PROCESSING ADDENDUM) OR ORDER FORM WHICH BY THIS REFERENCE IS INCORPORATED HEREIN (THIS "EULA" OR THIS "AGREEMENT"), IS A BINDING AGREEMENT BETWEEN QUANTUM METRIC, INC. ("QUANTUM") AND THE PARTY IDENTIFIED ON THE ORDER FORM AS THE BUYER OF THE SOFTWARE AND/OR THE PARTY MAKING USE OF THE QUANTUM SERVICE (AS DEFINED BELOW) (THE "CUSTOMER"); PROVIDED, HOWEVER, THAT IF THE PARTIES HAVE ENTERED INTO A SEPARATE WRITTEN AGREEMENT TO GOVERN THE USE OF THE QUANTUM SERVICE, SUCH SEPARATE WRITTEN AGREEMENT SHALL CONTROL AND SHALL SUPERSEDE AND REPLACE THIS EULA IN ALL RESPECTS. SUBJECT TO THE FOREGOING, BY CLICKING THE "ACCEPT" BUTTON AND/OR CONTINUING TO USE THE QUANTUM SERVICE, CUSTOMER AGREES THAT THIS EULA AMENDS, RESTATES, SUPERSEDES, AND REPLACES IN ITS ENTIRETY ANY PREVIOUS END USER LICENSE AGREEMENT OR SIMILAR AGREEMENT BETWEEN CUSTOMER AND QUANTUM.

QUANTUM PROVIDES THE QUANTUM SERVICE SOLELY ON THE TERMS AND CONDITIONS SET FORTH IN THIS EULA AND ON THE CONDITION THAT CUSTOMER ACCEPTS AND COMPLIES WITH SUCH TERMS AND CONDITIONS. BY CLICKING THE "ACCEPT" BUTTON, CUSTOMER (A) ACCEPTS THIS EULA AND AGREES THAT CUSTOMER IS LEGALLY BOUND BY ITS TERMS; AND (B) REPRESENTS AND WARRANTS THAT: (I) IF CUSTOMER IS AN INDIVIDUAL, SUCH INDIVIDUAL IS 18 YEARS OF AGE OR OLDER; AND (II) IF AN INDIVIDUAL IS UTILIZING THE QUANTUM SERVICE ON BEHALF OF A CUSTOMER THAT IS A CORPORATION, GOVERNMENTAL ORGANIZATION, OR OTHER LEGAL ENTITY, THE INDIVIDUAL HAS THE RIGHT, POWER, AND AUTHORITY TO ENTER INTO THIS EULA ON BEHALF OF CUSTOMER AND BIND CUSTOMER TO ITS TERMS. IF CUSTOMER DOES NOT AGREE TO THE TERMS OF THIS EULA, QUANTUM WILL NOT AND DOES NOT GRANT AND/OR LICENSE THE RIGHT TO USE THE QUANTUM SERVICE TO THE CUSTOMER AND THE CUSTOMER AND/OR ANY INDIVIDUAL ACTING ON BEHALF OF CUSTOMER MUST NOT ACCESS OR INSTALL THE QUANTUM SERVICE.

NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS EULA OR CUSTOMER’S ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS EULA, NO LICENSE IS GRANTED (WHETHER EXPRESSLY, BY IMPLICATION, OR OTHERWISE) UNDER THIS EULA, AND THIS EULA EXPRESSLY EXCLUDES ANY RIGHT, CONCERNING ANY SOFTWARE THAT CUSTOMER DID NOT ACQUIRE LAWFULLY OR THAT IS NOT A LEGITIMATE, AUTHORIZED USE OF THE QUANTUM SERVICE.

  1. DEFINITIONS. As used in this EULA:

    1. “Affiliate” means, with regard to either party hereto, an entity that owns or controls, is owned or controlled by or is or under common control or ownership with that party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

    2. “Authorized User” means an employee or contractor of the Customer or its Affiliates who is authorized by the Customer to access the Quantum Service.

    3. "Confidential Information" means all information regarding a party’s business, including, without limitation, technical, marketing, financial, employee, planning, and other confidential or proprietary information, disclosed under this Agreement, that is clearly identified as confidential or proprietary at the time of disclosure or that the receiving party knew or should have known, under the circumstances, was considered confidential or proprietary. Confidential Information of Customer includes Customer Data. Confidential Information of Quantum includes information derived from or concerning the Quantum Service, the Quantum Technology, the Documentation and the terms of this Agreement.

    4. "Customer Data" means any data concerning the characteristics and activities of visitors/end users of the Digital Property that is collected through the use of the Quantum Service. For the avoidance of doubt, Customer Data may include PII (as defined below) subject to the limitations set forth in Section 3.3 herein.

    5. "Digital Property", "Digital Properties" or "Domain" means any domain name, website, or native mobile application of Customer that may access the Quantum Service, as specified on the applicable Order Form(s).

    6. "Documentation" means any user manuals, handbooks, and online materials provided by Quantum to Customer that describe the features, functionality or operation of the Quantum Technology.

    7. "Order Form" means Quantum’s standard form of ordering document, signed by both parties detailing the services to be made available by Quantum pursuant to this Agreement.

    8. "PII" means any information or data that includes personally identifiable information.

    9. "Quantum Code" means Quantum’s proprietary software code to be installed, or actually installed, by Customer on a Digital Property, including any updates, modifications or improvements thereof provided by Quantum during the Term (as defined below) of this Agreement, which amongst other services, delivers cookies to visitors/end users of Digital Properties for the purpose of collecting Customer Data and interactions.

    10. "Quantum Service" means the online service delivered by Quantum to Customer using the Quantum Technology as described in this Agreement (including all Order Forms).

    11. "Quantum Technology" means the Quantum Code, Quantum Service and Documentation, including all intellectual property rights therein.

    12. "Sensitive Personal Information" means any of the following: (a) a person’s government-issued identification number (including but not limited to social security number, driver’s license number, or state-issued identification number); (b) password data; (c) any data related to payment processing, including but not limited to any financial account number, credit card number, debit card number, CVV2, banking account or routing number, credit report information, in each case with or without any required security code, access code, personal identification number, or password; and/or (d) biometric, health, medical or medical insurance data.

    13. "Services" means professional services, including training, consulting and project management, provided by Quantum to Customer as set forth in the applicable Order Form.

    14. "Session" means each instance in which a unique session identifier is sent by the Quantum Code to the browser of a visitor/end user of a Digital Property, which occurs when a Digital Property (a) contains an expired or invalid unique session identifier from the Quantum Code, or (b) contains no unique session identifier from the Quantum Code. The replacement of an expired or invalid unique session identifier from the Quantum Code or addition of a new unique session identifier by the Quantum Code constitutes a new session.  Session volume consumed by the Quantum Service is tracked and available to view on the Quantum Service by viewing the session card for a specific period of time.

    15. "Term" means collectively the initial term, which begins upon the acceptance of these terms and conditions, and each renewal term of this Agreement.

  2. SUBSCRIPTION TO THE QUANTUM SERVICE.

    1. Subject to the terms and conditions of this EULA, Quantum hereby grants to Customer a non-sublicensable, revocable, non-transferable, non-exclusive subscription during the Term to: (a) install, execute and use the Quantum Code on Customer's Digital Property; and (b) access and use the Quantum Service, up to the number of Sessions specified on the applicable Order Form(s). Quantum shall provide the Quantum Service or Trial Service (as the case may be) to Customer, and provide Customer with Services related thereto, on the terms and subject to the conditions set forth in this EULA (including all Order Forms).

    2. "Trial Use." Quantum may grant Customer such use rights in the Quantum Technology on a trial or evaluation basis as set out under Section 2.1 (that may be subject to no charge) (“Trial Services”).

      1. "Trial Services Conditions." Customer may only use the Trial Services on a strictly temporary basis for the period set out under an applicable Order Form, or if no Order Form exists such use is limited to 30 days after the Trial Services are made available to Customer, unless it is otherwise mutually agreed by the parties (“Trial Period”). For clarity, the Quantum Service shall include support for one Digital Property during the Trial Period, which may be deleted at the end of the Trial Period.

      2. "Trial Fees." Fees related to the Trial Services, if any, shall be set forth in the Order Form.

      3. "Trial Suspension." Customer acknowledges and agrees that Quantum, in its sole discretion, may stop providing the Trial Services at any time. Under such circumstances, Customer may no longer have access to any related data, information, and/or files and must immediately cease use of the Quantum Technology.

      4. "Continuation." If the parties wish to extend Customer’s subscription to the Quantum Service beyond the Trial Period, the parties shall enter into a separate written agreement and/or Order Form with new business terms to govern such subscription.

  3. CUSTOMER'S USE OF THE QUANTUM SERVICE.

    1. Access and Security Guidelines. Customer will be assigned a unique user identification name and password ("UserID") for each Authorized User’s access to and use of the Quantum Service through integration with either Customer’s or Quantum’s single sign-on provider. Customer will be responsible for assigning, disabling and otherwise administering access codes generated by such single sign-on provider. Customer is solely responsible for the security of its UserID, any access codes, and any passwords related thereto (including but not limited to administrative and user passwords) and is responsible for use of the Quantum Service by any and all employees, contractors or other users that it allows to access the Quantum Service. Customer shall immediately notify Quantum of any unauthorized access to or use of its UserID or access codes, or any other breach of security or misuse of the Quantum Service by its employees, contractors and other users that Customer allows to access the Quantum Service.

    2. General Restrictions. Customer will not, and will not permit any of its employees, contractors, affiliates, agents, or personnel to: (a) use the Quantum Service in a manner that knowingly violates any applicable law or regulation; (b) harass or intentionally interfere with another Quantum customer’s use and enjoyment of the Quantum Service; (c) reverse engineer, disassemble or decompile any component of the Quantum Technology; (d) intentionally interfere in any manner with the operation of the Quantum Technology or the hardware and network used to operate the Quantum Service; (e) except as expressly permitted herein, sublicense any of Customer’s rights under this Agreement, or otherwise use the Quantum Technology for the benefit of a third party or to operate a service bureau; (f) modify, copy or make derivative works based on any part of the Quantum Technology; (g) access or use the Quantum Technology to build a similar or competitive product or service; (h) use any robot, spider, scraper, or other automated means to access the Quantum Service for any purpose; (i) intentionally take any action that imposes or may impose an unreasonable burden on the Quantum Service infrastructure; (j) interfere or attempt to interfere with the integrity or proper working of the Quantum Technology; (k) remove, deface, obscure, or alter Quantum’s or any third party's copyright notices, trademarks, or other proprietary rights affixed to or provided as part of the Quantum Service; and/or (l) otherwise use the Quantum Service in any manner that exceeds the scope of use permitted under Section 2.

    3. Sensitive Data. Notwithstanding anything in this Agreement to the contrary, Customer covenants and agrees that, with Quantum’s reasonable assistance, Customer shall configure the Quantum Code and Quantum Service to refrain from collecting or transmitting: (a) any Sensitive Personal Information (whether or not encrypted); and/or (b) any other PII, except other PII that has been secured with Quantum’s client-side public/private key encryption (such Sensitive Personal Information and unencrypted PII collectively, "Sensitive Data"). In the event Customer becomes aware that any Sensitive Data has been collected or transmitted by the Quantum Service, Customer shall contact Quantum immediately, and reasonably cooperate with Quantum to delete all such Sensitive Data.

    4. Affiliates. Customer may permit its Affiliates to exercise its rights or perform its obligations hereunder; provided that (i) such Affiliates agree to be bound by the terms and conditions of this Agreement as if they were “Customer” herein (and Customer’s execution of the Order Form shall be deemed to be on behalf of itself and such Affiliates for this purpose); and (ii) all acts and omissions of such Affiliates (for clarity, including such Affiliates’ personnel) shall be deemed to be acts and omissions of Customer and Customer shall be responsible therefor.

    5. Compliance. Customer shall do or cause to be done all things necessary to comply with all applicable federal and state laws, rules and regulations in connection with its use of the Quantum Service under this Agreement, including any applicable federal and state laws relating to the collection, use, storage, or disclosure of Customer Data. Although Quantum has no obligation to monitor Customer’s use of the Quantum Service, Quantum may do so and may prohibit any use of the Quantum Service it believes in good faith may be in violation of the foregoing.

    6. Customer Requirements. Customer shall be responsible for obtaining, maintaining, and managing any equipment and ancillary services needed to connect to, access or otherwise use the Quantum Service, including, without limitation, computer networks, modems, hardware, servers, software, operating systems, networking, web servers and the like, and shall be responsible for maintaining the security thereof. Customer is responsible for correctly configuring its systems in accordance with the Documentation and any instructions provided by Quantum as may be necessary to access to the features and functions of the Quantum Service.

    7. Email. Customer acknowledges and agrees that if Customer elects to contact Quantum by email, such transmission might not be secure. An unaffiliated third party could view information Customer sends by these methods in transit. In the unlikely event that Quantum believes that the security of Customer information in Quantum’s possession or control may have been compromised, Quantum will promptly notify Customer of that development. Customer consents to Quantum’s use of email as a means of such notification.

    8. Implementation. Except to the extent otherwise set forth in an Order Form, Customer will be solely responsible for the integration of the Quantum Code into the Digital Property and its configuration with the Quantum Service.

    9. Digital Properties. As between Customer and Quantum, Customer is solely responsible and liable for the Digital Properties. In the event the Digital Property is not owned by the Customer, Customer represents and warrants that it is authorized to act on behalf of the Digital Property's owner to configure the Quantum Code and Quantum Service on the applicable Digital Property, including but not limited to deploying the Quantum Code on such Digital Properties. On each Digital Property in which Customer uses the Quantum Code, Customer shall prominently display and comply with a customary privacy policy on such Digital Property, as well as with all applicable laws, policies, and regulations relating to the collection, use and transfer of information obtained from visitors of its webpages. Any such privacy policy must, among other customary provisions, provide visitors of its webpages with accurate disclosure of its privacy practices (including its use of cookies) with respect to its use of third-party analytics services such as the Quantum Service. Customer represents and covenants that the Digital Properties, including all content, products and services available therein, do not and will not: (a) violate any third-party right, including copyright, trademark, patent, trade secret, moral right, privacy right or right of publicity; (b) violate any laws or regulations (including with respect to privacy); (c) contain any harassing, abusive, tortious, defamatory, false, or intentionally misleading content; or (d) contain any computer viruses, worms or other software intended to damage or alter a computer system or data.

  4. OWNERSHIP AND DATA.

    1. Quantum Technology. Quantum shall own and retain all right, title and interest in and to: (a) the Quantum Technology (including the Quantum Service); (b) the source code and object code (including the Quantum Code) and the underlying structure, ideas, know-how or algorithms relevant to the Quantum Technology; (c) any software, documentation (including the Documentation), data (other than Customer Data), applications, inventions or other technology related to or developed in connection with the Quantum Technology; (d) all improvements, enhancements or modifications to any of the foregoing (whether or not based upon any suggestions, enhancement requests, recommendations or other feedback provided by Customer relating to the Quantum Service), and (e) all intellectual property rights related to any of the foregoing (collectively, "Quantum IP"), and such Quantum IP shall be Quantum's sole and exclusive property. Customer shall have no proprietary interest in the Quantum IP, and will not seek, and will require its employees, agents or subcontractors not to seek, patent, copyright, trademark, registered design, or other protection for any rights in any Quantum IP. Customer acknowledges that the Quantum IP is protected by intellectual property rights owned by or licensed to Quantum. Other than as expressly set forth in this Agreement, no license or other rights in any Quantum IP are granted to the Customer.

    2. Quantum Use of Customer Data. Customer shall own all right, title and interest in and to the Customer Data, as well as any data or reports (except the underlying technology, template forms and designs) that is created or derived from the Customer Data and provided to Customer as part of the Quantum Service. Subject to the terms of the Agreement, Quantum is provided a limited license to Customer Data for the purpose of providing the Quantum Service, including a license to collect, process, store, and display Customer Data to the extent appropriate in providing the Quantum Service to Customer. Customer represents and warrants to Quantum that it (a) has the right to provide access to the Customer Data to Quantum and that neither the provision of the Customer Data to Quantum nor Quantum’s use of such Customer Data in accordance with this Agreement infringes or violates any intellectual property, publicity, privacy, confidentiality, contractual, or other rights; and (b) is authorized to, and has all necessary permissions to, provide the aforementioned license to Quantum. Quantum shall use and disclose Customer Data solely for the purpose of providing the Quantum Service to Customer, and shall not retain, use, sell, share, rent, transfer, distribute, or otherwise disclose or make available Customer Data for the benefit of anyone other than Customer without Customer’s prior written consent, or as otherwise permitted under applicable privacy laws. Upon termination or expiration of this EULA for whatever reason, Customer shall have thirty (30) days to request a copy of its Customer Data from Quantum in an industry standard format. Following the thirty (30) days and/or upon request from Customer, Quantum shall immediately cease to process and otherwise handle Customer’s information and may promptly destroy the Customer Data, in accordance with such instructions as may be given by Customer at that time.

    3. Aggregated Data. Notwithstanding the foregoing, Quantum may use certain Aggregated Data in order to perform analysis and statistical reporting and for auditing, research and analysis to operate and improve Quantum technologies and services. "Aggregated Data" means aggregated statistical information and data that is not identifiable to any person or entity. Quantum shall not disclose to any third party any Aggregated Data that reveals or discloses Customer’s Confidential Information or the identity of the Customer. Without limiting the generality of the foregoing, Quantum shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Quantum Service and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Quantum will be free (during and after the Term) to use such information and data to improve and enhance the Quantum Technology and for other development, diagnostic and corrective purposes in connection with the Quantum Service and other Quantum offerings, and to disclose such data solely in aggregate or other de-identified form in connection with its business.

    4. Integration with Third Party Service Providers. The Quantum Service is designed to work with multiple third party service providers, but Quantum may not have control over how the Quantum Service integrates from time to time with such services, and Quantum does not control the operation of those services. Accordingly, if applicable, Customer acknowledges and agrees that (i) Quantum is not responsible for the performance of such third party services or other third party services Quantum may reference or provide links to, including, without limitation, their use or treatment of Customer Data therein; (ii) Quantum is not responsible or liable for any content or other materials generated by such services or applications; (iii) Quantum is not responsible for any technical inability to access Customer Data in such services via the Quantum Service; and (iv) Quantum shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such services or applications. Customer acknowledges sole responsibility for and assumes all risk arising from Customer’s use of any third-party websites or resources.

  5. FEES, PAYMENT AND SUSPENSION OF SERVICES. Customer will pay Quantum the fees for the Quantum Service and other related services ("Fees") in accordance with the applicable Order Form. All Fees will be billed in advance on an annual basis and are due within 30 days of receipt of invoice, unless otherwise provided in the applicable Order Form. In the event that Customer wishes to increase the number of Digital Properties and/or Sessions beyond the maximum number of Digital Properties and/or Sessions specified in the applicable Order Form, Customer shall be required to pay additional fees associated with the increased number of Digital Properties and Sessions, prorated for the remainder of the then-current term. For avoidance of doubt, a Session is defined in Section 1.14 and Session volume is determined based on that definition. Such overages will be calculated as set forth on the applicable Order Form. All Fees owed by Customer in connection with this Agreement are exclusive of, and Customer shall pay, all sales, use, excise and other taxes and applicable export and import fees, customs duties and similar charges that may be levied upon Customer in connection with this Agreement, except for employment taxes and taxes based on Quantum’s net income. If Quantum reasonably determines that it is required to collect tax from Customer in connection with this Agreement or an Order Form issued hereunder, then Quantum may include the amount of such tax on the applicable invoice(s), and Customer shall pay such invoiced taxes in addition to the Fees. Customer shall pay to Quantum a late payment fee equal to 2% per month of any Fees or invoiced taxes not paid within 15 days of the payment due date until such amount is paid in full. Notwithstanding anything in this Agreement to the contrary, Quantum reserves the right (in addition to any other rights or remedies Quantum may have) to discontinue the Quantum Service and suspend the UserID and Customer’s access to the Quantum Service if any Fees set forth in the Order Form or due in accordance with this Section 5 are more than 15 days overdue until such amounts are paid in full. Customer shall maintain complete, accurate and up-to-date billing and contact information.

  6. CONFIDENTIAL INFORMATION. Each party (the "Receiving Party") understands that the other party (the "Disclosing Party") has disclosed or may disclose Confidential Information of the Disclosing Party. The Receiving Party agrees: (a) to take reasonable precautions to protect such Confidential Information, and (b) not to use (except in performance of its obligations hereunder or as otherwise permitted herein) or divulge the Disclosing Party’s Confidential Information to any person or entity other than its or its Affiliates’ employees, directors, partners, contractors, consultants, customers, counsel, service partners, or agents who have a reasonable need to know such information and who are bound by at least equivalent obligations of confidentiality and nondisclosure as those under this Agreement (collectively, “Authorized Recipients”). The Receiving Party shall be fully responsible for the breach of this Agreement by its Authorized Recipients. The Disclosing Party agrees that the foregoing shall not apply with respect to any information that the Receiving Party can document: (i) is or becomes generally available to the public; (ii) was in its possession or known by it prior to receipt from the Disclosing Party; (iii) was rightfully disclosed to it without restriction by a third party; (iv) was independently developed without use of any Confidential Information of the Disclosing Party; or (v) is required to be disclosed by law (but only to the extent such disclosure is required) after giving the Disclosing Party as much advance notice of the possibility of such disclosure as reasonably practicable so that the Disclosing Party may attempt to stop such disclosure or obtain a protective order concerning such disclosure (except that no notification is required if the Receiving Party is prohibited by law from notifying the Disclosing Party). Confidential Information disclosed to the Receiving Party remains the property of the Disclosing Party. All Confidential Information and any copies shall be promptly destroyed or returned to the Disclosing Party upon the termination of this Agreement or upon the Disclosing Party's earlier request, except to the extent the Receiving Party is obligated to retain by law, or that has been stored on routine back-up media solely for the purpose of disaster recovery will be subject to destruction in due course, provided that such Confidential Information cannot be accessed in the ordinary course of business prior to destruction. This Agreement states the entire, exclusive agreement between the parties concerning the disclosure of Confidential Information, including through use of the Quantum Service, and any confidentiality, non-disclosure, or similar agreement between the parties, shall be superseded, terminated, and of no further force and effect as of date Customer accepts these terms and/or uses the Quantum Service.

  7. WARRANTIES. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, QUANTUM, AND ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, CONTRACTORS, AGENTS, PARTNERS, LICENSORS AND DISTRIBUTORS, DO NOT MAKE ANY REPRESENTATIONS, PROMISES, OR WARRANTIES, EXPRESS OR IMPLIED, ABOUT THE QUANTUM TECHNOLOGY OR SERVICES. QUANTUM PROVIDES THE QUANTUM TECHNOLOGY AND ALL SERVICES PROVIDED HEREUNDER "AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE." CUSTOMER’S USE OF THE QUANTUM TECHNOLOGY, INCLUDING CONTENT WITHIN THE QUANTUM TECHNOLOGY, IS AT CUSTOMER’S OWN RISK AND QUANTUM DOES NOT REPRESENT, PROMISE, OR WARRANT THAT THE QUANTUM TECHNOLOGY WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE. CUSTOMER UNDERSTANDS AND AGREES THAT NO DATA TRANSMISSION OVER THE INTERNET OR INFORMATION STORAGE TECHNOLOGY CAN BE GUARANTEED TO BE SECURE, AND QUANTUM EXPRESSLY DISCLAIMS ANY WARRANTIES, EXPRESS OR IMPLIED, TO THAT EFFECT. QUANTUM MAKES NO COMMITMENTS, PROMISES OR WARRANTIES ABOUT THE CONTENT WITHIN THE QUANTUM TECHNOLOGY OR CONTENT LINKED FROM THE QUANTUM TECHNOLOGY, THE SUPPORT QUANTUM PROVIDES FOR THE QUANTUM TECHNOLOGY, THE SPECIFIC FUNCTIONS OF THE QUANTUM TECHNOLOGY, THE SECURITY OF THE QUANTUM TECHNOLOGY, OR THE QUANTUM TECHNOLOGY’S RELIABILITY OR SERVICES, QUALITY, ACCURACY, AVAILABILITY, OR ABILITY TO MEET CUSTOMER’S NEEDS, PROVIDE CERTAIN OUTPUTS, OR ACHIEVE CERTAIN RESULTS. ALL IMPLIED WARRANTIES, SUCH AS THE IMPLIED WARRANTY OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW.

  8. DATA PROCESSING ADDENDUM. Quantum may process and use personal data in connection with Customer’s use of the Quantum Technology in accordance with applicable privacy and data protection laws. Quantum’s Data Processing Addendum (“Quantum DPA”) which is attached hereto as Exhibit A(and subject to update by Quantum from time to time) or such terms that may be executed between Customer and Quantum governing the same scope, is hereby incorporated by reference and solely applies to Customer’s Personal Data (as defined in the Quantum DPA) in connection with use of the Quantum Technology.

  9. CERTAIN UNDERTAKINGS OF QUANTUM.

    1. Recovery and Business Continuity. Quantum shall maintain and implement disaster recovery and avoidance procedures and a business continuity plan reasonably designed to prevent the Quantum Service from being materially interrupted during any disaster.

    2. Data Security. In addition to the obligations relating to Confidential Information stated above, Quantum shall protect and maintain the confidentiality, security and integrity of Customer Data in the manner provided for under, and otherwise comply with applicable domestic and foreign laws, regulations, rules and industry standards related to the collection, storage, handling, processing and transfer of such Customer Data. Without limiting the generality of the foregoing, Quantum shall implement and maintain reasonable administrative, technical and physical safeguards and other security measures necessary to maintain the confidentiality, security and integrity of Customer Data.

    3. SSAE 18 Audit. Quantum anticipates that its third-party hosting provider shall conduct an annual examination of the controls placed in operation and a test of operating effectiveness, as defined by the American Institute of Certified Public Accountants’ (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, Report on Controls at a Service Organization Relevant to Security, Availability, Process Integrity, Confidentiality and Privacy (SOC 2 Report), and issue a report thereon. As of the Effective Date, the results and reports from the latest such audit can be found at https://cloud.google.com/security/compliance/.

  10. INDEMNIFICATION. Customer shall hold harmless and indemnify Quantum or its Affiliates, or each of its or their respective personnel, officers, employees, directors, agents, successors and assigns from any suit, claim, or action arising out of or related to Customer's use of the Quantum Technology, Customer Data or violation of this EULA, including any liability or expense arising from claims (including claims for negligence), losses, damages, suits, judgments, and litigation costs, including reasonable attorney’s fees.

  11. LIMITATION OF LIABILITY. NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, TO THE FULL EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL QUANTUM OR ITS OFFICERS, DIRECTORS, STOCKHOLDERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS, EMPLOYEES, OR AGENTS, BE RESPONSIBLE OR LIABLE WITH RESPECT TO ANY SUBJECT MATTER OF THIS EULA, UNDER ANY CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; OR (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS, REVENUES, DATA AND/OR USE); IN EACH CASE, WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL QUANTUM’S AGGREGATE, CUMULATIVE LIABILITY IN ANY WAY RELATING TO THIS EULA (INCLUDING THE QUANTUM DPA) EXCEED THE AMOUNT OF FEES ACTUALLY RECEIVED BY QUANTUM FROM CUSTOMER DURING THE 12 MONTHS PRECEDING THE CLAIM. THE PARTIES WOULD NOT HAVE ENTERED INTO THIS EULA BUT FOR SUCH LIMITATIONS.

  12. MISCELLANEOUS.

    1. Modification of the EULA. Quantum may modify this EULA, including the Quantum DPA, from time to time. Unless Quantum indicates otherwise, modifications will be effective as of the date they are posted on this page or any successor page or, as the case may be, when Customer clicks through to accept the revised EULA. Customer should review the EULA regularly.

    2. Continued Use of the Services. Customer may cease using the Quantum Technology at any time, at which time any amount owed to Quantum under this Agreement will become immediately due and payable, but Customer’s continued use of or subscription to any Quantum Technology after the effective date of any modifications to the EULA means that Customer agrees to the EULA as modified.

    3. Waiver and Severability of Terms. The failure of Quantum to exercise or enforce any right or provision of this EULA will not constitute a waiver of such right or provision. If any provision (or part of a provision) of this EULA is found to be invalid, Quantum and Customer agree to give effect to the intentions as reflected in the provision, and the other provisions of this EULA remain in full force and effect.

    4. Assignment by Quantum. Quantum may freely assign this EULA and all of the policies and other documents incorporated or referenced in it (including all rights, licenses, and obligations under it or them), in whole or in part and without notice, for any reason, including for the purpose of internal restructuring (for example, mergers or liquidations).

    5. Publicity. Quantum may use Customer’s name and logo on Quantum’s websites and promotional materials (including for use at trade shows) to identify Customer as a user of the Quantum Service.

    6. Force Majeure. Any delay in the performance of any duties or obligations of either party (except the payment of money owed) will not be considered a breach of this Agreement if such delay is caused by an act, event, or occurrence beyond such party’s reasonable control, including, without limitation, acts of God, fires, floods, storms, landslides, epidemics, lightning, earthquakes, drought, blight, famine, quarantine, blockade, governmental acts or inaction, orders or injunctions, war, insurrection or civil strife, sabotage, explosions, labor strikes, work stoppages, acts of terror, acts or omissions of vandals or hackers, issues arising from bugs or other problems in the software, firmware or hardware of Quantum’s suppliers, or outages or issues with upstream providers or network carriers, provided that such party uses reasonable efforts, under the circumstances, to notify the other party of the cause of such delay and to resume performance as soon as commercially feasible.

    7. Governing Law and Venue. This EULA and any action related thereto will be governed and interpreted by and under the laws of the State of Delaware, without giving effect to any conflicts of laws principles that require the application of the law of a different jurisdiction. Customer hereby expressly consents to the exclusive personal jurisdiction and venue in the state and federal courts for the county in which Quantum’s principal place of business is located for any action arising from or related to this EULA. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this EULA.

    8. Export. Customer agrees not to export, re-export, or transfer, directly or indirectly, any U.S. technical data acquired from Quantum, or any products utilizing such data, in violation of the United States export laws or regulations.

    9. Compliance with Laws. Customer agrees to comply with all applicable federal, state, and local laws, executive orders and regulations issued, where applicable. Customer is solely responsible for determining whether a particular use of the Quantum Technology is compliant with any applicable laws.

    10. Federal Government End Use Provisions. The Quantum Service is a "commercial item" as that term is defined at 48 C.F.R. § 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in 48. C.F.R. § 12.212.  Accordingly, if Customer is an agency of the US Government or any contractor therefor, Customer only receives those rights with respect to the Quantum Service as are granted to all other end users under this Agreement, in accordance with (a) 48 C.F.R. § 227.7201 through 48 C.F.R. § 227.7204, with respect to the Department of Defense and their contractors, or (b) 48 C.F.R. § 12.212, with respect to all other U.S. Government licensees and their contractors.

    11. Termination. Quantum, it its sole discretion, may change, discontinue or terminate any or all aspects of a fee-based service provided to Customer without notice, including access to the Quantum Service and to support services, content and other products or services ancillary to the Quantum Service, and/or the Quantum Technology, subject to providing an appropriate refund for any prepaid and unearned fees. Notwithstanding the foregoing, Quantum may terminate this EULA, as well as access to the Quantum Service and to support services and other products or services ancillary to the Quantum Service, and/or the Quantum Technology, immediately upon written notice if Customer materially breaches the EULA and such termination will not entitle Customer to any refund.

    12. Independent Contractors. The relationship of Quantum and Customer established by this Agreement is that of independent contractors. Nothing in this Agreement shall be construed to create any agency or employment relationship between Quantum or any of its employees and Customer or any of its employees. Neither Party shall have any right, power or authority to assume, create or incur any expense, liability or obligation, express or implied, on behalf of the other.

  13. ACCESSING THE QUANTUM SERVICE THROUGH A RESELLER.

    1. Resellers. Customer may purchase access to the Quantum Service from an authorized reseller of the Quantum Service (each, a "Reseller"). Each Reseller offers access to the Quantum Service upon the terms and conditions agreed upon between Customer and Reseller. All access to, and use of, the Quantum Service is governed solely by this Agreement. For avoidance of doubt, despite purchasing access to the Quantum Service from a Reseller, Customer hereby understands and agrees to be bound by this Agreement.

    2. Reseller as Administrator. If Customer orders the Quantum Service through a Reseller, then Customer is responsible for determining whether the Reseller has access to Customer’s account, including access as an administrator and/or the ability to configure Customer’s use of the Quantum Service and for any related rights or obligations.  As between Customer and Quantum, Customer is solely responsible for any access by Reseller on behalf of Customer to the Quantum Service, including any configuration of the Customer data to be collected through the Quantum Service.

    3. Purchase of Quantum Service through Reseller. If Customer purchased access to the Quantum Service through a Reseller:

      1. Instead of paying Quantum, Customer will pay the applicable amounts to the Reseller, as agreed between Customer and Reseller. Quantum may suspend or terminate Customer’s right to use the Quantum Service if Quantum does not receive the corresponding payment from Reseller.

      2. Customer’s order details (e.g., the Quantum Service(s) to which Customer is subscribing, the number of Digital Properties, Session Count, user count, the subscription term, and the time period for Session Replay History and Analytics History) will be as stated in the order placed with Quantum by Reseller on Customer’s behalf, and Reseller is responsible for the accuracy of any such order as communicated to Quantum.

      3. If Customer is entitled to a refund under this Agreement, unless otherwise specified in writing by Quantum, Quantum will refund any applicable fees to Reseller and Reseller will be solely responsible for refunding the appropriate amounts to Customer.

      4. Resellers are not authorized to modify this Agreement or make any promises or commitments on behalf of Quantum, and Quantum is not bound by any obligations to Customer other than as set forth in this Agreement.

EXHIBIT A

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”), is incorporated into and forms part of the End User License Agreement (and all exhibits and Order Forms issued thereunder) (collectively the “Principal Agreement”), and applies where, and to the extent that, Quantum processes Personal Data acting as a Processor for Customer in provision of the Quantum Service. For clarity, this is a binding agreement between Quantum Metric, Inc. and the party identified on the Order Form as the buyer of the Quantum Service and/or the party making use of the Quantum Service (“Customer”). The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

  1. DEFINITIONS.

    1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

      1. “2021 SCCs” means the 2021 EU Standard Contractual Clauses (Module 2 – Controller to Processor) ((EU) 2021/914), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en, together with the attached Annexes 2 and 3.

      2. “Adequacy Decision” means a decision adopted by a competent authority with jurisdiction over Customer Group Member declaring that a jurisdiction meets an adequate level of protection of Personal Data.

      3. “Applicable Laws” means any applicable law with respect to any Customer Personal Data in respect of which any Customer Group Member is subject to any other Data Protection Laws.

      4. “Customer Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

      5. “Customer Group Member” means Customer or any Customer Affiliate.

      6. “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of a Customer Group Member in order to provide Services.

      7. “Contracted Processor” means Quantum or a Subprocessor.

      8. “Data Protection Laws” means EU and UK data protection laws, including the EU GDPR and laws implementing or supplementing the EU GDPR, and the UK GDPR and laws supplementing the UK GDPR, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any regulations promulgated thereunder (collectively, the “CCPA”), the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act, and, to the extent applicable, the data protection and privacy laws of any other jurisdiction, and in each case as amended, replaced or superseded from time to time.

      9. “EEA” means the European Economic Area.

      10. “EU GDPR” means EU General Data Protection Regulation 2016/679.

      11. “Personal Data” means any information that identifies an individual or relates to an identifiable individual.

      12. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

      13. “Process” or “Processing” means the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, or other use of data.

      14. “Sale” or “Sell” means exchanging, disclosing, making available, transferring or otherwise providing or communicating Personal Data to a third party for monetary or other valuable consideration.

      15. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Quantum for Customer Group Members pursuant to the Principal Agreement.

      16. “Share” or “Sharing” means sharing, releasing, disclosing, making available, transferring or otherwise providing or communicating Personal Data to a third party for c ross-context behavioral advertising, as defined in the CCPA, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-contextual behavioral advertising for the benefit of a business in which no money is exchanged.

      17. “Subprocessor” means any person (including any third party, but excluding an employee, contractor or other personnel of Quantum) appointed by or on behalf of Quantum to Process Personal Data on behalf of any Customer Group Member in connection with the Principal Agreement.

      18. “Transfer” means the access by, transfer or delivery to or disclosure of Personal Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.

      19. “UK 2021 SCCs Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf, as amended or replaced from time to time.

      20. “UK GDPR” means the EU GDPR as it forms part of the law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019

    2. The terms, “Commission”, “Controller”, “Member State”, “Processor” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws (as the context so requires), and their cognate terms shall be construed accordingly.

    3. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

  2. PROCESSING OF CUSTOMER PERSONAL DATA.

    1. Role of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller, Quantum is the Processor (or “service provider,” as defined under the CCPA), and that Quantum will engage Subprocessors pursuant to section 5 hereof.

    2. Quantum shall not Process Customer Personal Data other than on the relevant Customer Group Member’s behalf and in accordance with the relevant Customer Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case shall to the extent permitted by Applicable Laws inform the relevant Customer Group Member of that legal requirement before the relevant Processing of that Personal Data.

    3. Quantum shall not: (a) Sell or Share Customer Personal Data; (b) disclose Customer Personal Data to any third party for the commercial benefit of Quantum or any third party; (c) retain, use, disclose, or otherwise Process Customer Personal Data outside of its direct business relationship with Customer or for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by Data Protection Laws; or (d) combine Customer Personal Data with Personal Data that Quantum receives from, or on behalf of, other persons, or collects from its own interaction with an individual covered under applicable Data Protection Laws, except as permitted under Data Protection Laws.

    4. Each Customer Group Member:

      1. instructs Quantum (and authorizes Quantum to instruct each Subprocessor) to:

        1. Process Customer Personal Data; and

        2. in particular, transfer Customer Personal Data to any country or territory,

        as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
      2. warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 2.4.1 on behalf of each relevant Customer Affiliate.

    5. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of applicable Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.

    6. Details of Processing. Annex 1 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Customer Personal Data, including the scope of the processing of Customer Personal Data. Customer may make reasonable amendments to Annex 1 by written notice to Quantum from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 2.6) confers any right or imposes any obligation on any party to this Addendum.

  3. QUANTUM PERSONNEL.

    Quantum shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, limiting access to those individuals who require access to Customer Personal Data for the purposes of the Principal Agreement, providing appropriate training related to data security to those individuals who have access to Customer Personal Data, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
  4. SECURITY.

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Quantum shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to designed to provide a level of security appropriate to that risk, including, as appropriate, i) the pseudonymisation of Customer Personal Data; (ii) protecting the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) restoring the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and (iv) regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer Personal Data – as set out in Quantum’s then-current Enterprise Security Brief, the current version of which is available on the Quantum support site, as it may be updated from time to time. Quantum will not materially decrease the overall security of the Services during Customer’s subscription term.

    2. In assessing the appropriate level of security, Quantum shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

  5. SUBPROCESSORS.

    1. Each Customer Group Member authorizes Quantum to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

    2. Quantum may continue to use those Subprocessors already engaged by Quantum as at the date of this Addendum, subject to Quantum in each case as soon as practicable meeting the obligations set out in section 5.3. As of the date of this Addendum, Quantum utilizes Google, LLC as a Subprocessor and Customer and all Customer Affiliates hereby agree to Quantum’s use of Google as a Subprocessor.

      Quantum shall give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within ten (10) days of receipt of that notice, Customer notifies Quantum in writing of any objections (on reasonable grounds) to the proposed appointment, Quantum shall not appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Customer Group Member and Customer has been provided with a reasonable written explanation of the steps taken. If Quantum is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Quantum without the use of the objected-to new Subprocessor by providing written notice to Quantum. Quantum will refund the Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on the Customer.
    3. With respect to each Subprocessor, Quantum shall ensure that the arrangement between on the one hand (a) Quantum, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum.

  6. INDIVIDUAL RIGHTS.

    1. Taking into account the nature of the Processing, Quantum shall assist each Customer Group Member, at such Customer Group Member’s request, by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer Group Members’ obligations, as reasonably understood by Customer, to respond to requests to exercise individual rights under applicable Data Protection Laws.

    2. Quantum shall:

      1. promptly notify Customer if Quantum receives a request from an individual under any applicable Data Protection Law in respect of Customer Personal Data; and

      2. ensure that Quantum does not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate or as required by Applicable Laws to which Quantum is subject, in which case Quantum shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before Quantum responds to the request.

  7. PERSONAL DATA BREACH.

    1. Quantum shall notify Customer without undue delay upon Quantum becoming aware of a Personal Data Breach affecting Customer Personal Data. Taking into account the nature of the Processing and the information available to Quantum, Quantum will, at Customer’s request, assist Customer in complying with its notification obligations regarding Personal Data Breaches under applicable Data Protection Laws.

  8. COMPLIANCE WITH DATA PROTECTION LAWS.

    Quantum will comply with all obligations applicable to Quantum’s Processing of Customer Personal Data under applicable Data Protection Laws. Upon the reasonable request of Customer, Quantum will make available to Customer all information in its possession necessary to demonstrate Quantum’s compliance with its obligations under applicable Data Protection Laws. Quantum will notify Customer if Quantum makes a determination that it can no longer meet its obligations under an applicable Data Protection Law. Customer has the right, upon providing notice to Quantum, to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Customer Personal Data, including where Quantum has notified Customer that it can no longer meet its obligations under an applicable Data Protection Law.
  9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION.

    Quantum shall provide reasonable assistance to each Customer Group Member, at such Customer Group Member’s request, with any data protection impact assessments, and prior consultations with the Supervisory Authority or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer Group Member by Article 35 or 36 of the EU GDPR or Article 35 or 36 of the UK GDPR (as applicable) or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Quantum.
  10. DELETION OR RETURN OF CUSTOMER PERSONAL DATA.

    1. Quantum shall handle the deletion of Customer Personal Data related to a termination of Services in accordance with Section 4.2 of the Principal Agreement.

    2. Quantum may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws.

    3. Quantum shall, upon request from Customer, provide written certification to Customer that it has fully complied with this section 9 within 60 days from the date on which Services are terminated.

  11. AUDIT RIGHTS.

    1. Subject to section 11.2, Quantum shall make available to each Customer Group Member on request all information reasonably necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by any Customer Group Member or an auditor mandated by any Customer Group Member in relation to the Processing of the Customer Personal Data by the Contracted Processors.

    2. Customer or the relevant Customer Affiliate undertaking an audit shall give Quantum reasonable notice of any audit or inspection to be conducted under section 11.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Quantum’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Quantum need not give access to its premises for the purposes of such an audit or inspection: (a) to any individual unless he or she produces reasonable evidence of identity and authority; (b) outside normal business hours at those premises; or (c) for the purposes of more than one audit or inspection in any calendar year; except for any additional audits or inspections which Customer or the relevant Customer Affiliate undertaking an audit reasonably considers necessary because of genuine concerns as to Quantum’s compliance with this Addendum; or a Customer Group Member is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory. Customer is responsible for all costs and fees related to such audit, and Customer should promptly notify Quantum of its findings discovered during the course of the audit.

  12. INTERNATIONAL TRANSFERS.

    1. Customer Personal Data may be Transferred to the United States, the United Kingdom, the EEA, the Ukraine, any jurisdiction covered by an Adequacy Decision, and any other jurisdiction specified in the Principal Agreement or otherwise in writing by Customer.

    2. Except as otherwise set forth in this paragraph, the 2021 SCCs, hereby incorporated by reference to this Addendum, will apply to any Transfer of Customer Personal Data that is subject to the EU GDPR or to the Swiss Federal Act on Data Protection (“FADP”) from the EEA or Switzerland to a Contracted Processor located outside of the EEA or Switzerland. Notwithstanding the foregoing, the 2021 SCCs will not apply to the extent the Transfer is covered by an Adequacy Decision. Where the Transfer relates to Customer Personal Data subject to FADP, all references in the 2021 SCCs to “EU,” “Union,” or “Member State” will be interpreted as references to Switzerland, and references to EU law will be interpreted as relevant provisions of FADP.

      1. For the purpose of Clause 9 of the 2021 SCCs, the parties agree that subcontracting will be in accordance with Option 2 as described in Section 5 of this Addendum.

      2. For the purpose of Clause 17 of the 2021 SCCs, the parties agree that the 2021 SCCs will be governed by the law of Ireland for Transfers of Customer Personal Data subject to the EU GDPR and by the law of Switzerland for Transfers of Customer Personal Data subject to FADP.

      3. For the purpose of Clause 18 of the 2021 SCCs, the parties agree that any dispute arising from the 2021 SCCs will be resolved by the courts of Ireland for Transfers of Customer Personal Data subject to the EU GDPR and by the courts of Switzerland for Transfers of Customer Personal Data subject to FADP.

      4. For the Purpose of Annex I.C of the 2021 SCCs, the parties agree that [Customer to specify EU Member State] is the competent supervisory authority for Transfers of Customer Personal Data subject to the EU GDPR and that Switzerland is the competent supervisory authority for Transfers of Customer Personal Data subject to FADP.

    3. This paragraph applies with respect to any Transfer of Customer Personal Data that is subject to the UK GDPR to a Contracted Processor located in a country outside the United Kingdom for which there is no Adequacy Decision. In such cases, the parties agree that:

      1. The applicable version of the 2021 SCCs shall apply for the purposes of Table 2 of the UK 2021 SCCs Addendum;

      2. The provisions of the UK 2021 SCCs Addendum, including Part 2 ‘Mandatory Clauses’, shall apply in full and are hereby incorporated by reference to this Addendum; Table 1 of the UK 2021 SCCs Addendum, the names of the parties, their roles and their details shall be considered populated by the information set out in Annex 2.A;

      3. Tables 2 and 3 of the UK 2021 SCCs Addendum shall be considered populated by the applicable version of the 2021 SCCs, including the information set out in the Annexes of the 2021 SCCs; and

      4. For the purposes of Table 4 of the UK 2021 SCCs Addendum, neither party may end the UK 2021 SCCs Addendum.

    4. For Transfers of Customer Personal Data from jurisdictions outside the EEA, United Kingdom, Switzerland, and Similar Jurisdictions to jurisdictions not covered by an Adequacy Decision, a Contracted Processor will, if needed and at Customer’s request, enter into an appropriate data transfer agreement in order to facilitate the transfer of Customer Personal Data.

  13. LIMITATION OF LIABILITY.

    1. Each party's and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Principal Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Principal Agreement and this Addendum together.

    2. For the avoidance of doubt, Quantum’s total liability for all claims from the Customer and all Customer Affiliates arising out of or related to the Principal Agreement and this Addendum shall apply in the aggregate for all claims under both the Principal Agreement and this Addendum, including by the Customer and all Customer Affiliates, and, in particular, shall not be understood to apply individually and severally to the Customer and/or to any Customer Affiliate.

  14. GENERAL TERMS.

    1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:

      1. the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

      2. this Addendum and any disputes or claims howsoever arising under this Addendum are governed by the laws of the country or territory stipulated in the Principal Agreement.

    2. Nothing in this Addendum reduces Quantum’s obligations under the Principal Agreement in relation to the protection of Customer Personal Data or permits Quantum to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

    3. Subject to section 14.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

    4. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

List of Annexes

Annex 1 – Details of Processing of Customer Personal Data

Annex 2 – Standard Contractual Clauses

Annex 3 – Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) EU GDPR and Article 28(3) UK GDPR.

Subject matter and duration of the Processing of Customer Personal Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement and this Addendum.

The nature and purpose of the Processing of Customer Personal Data

Customer Personal Data will be processed to the extent necessary to perform the Services under the Principal Agreement and as instructed by the Customer in its use of the Services.

The types of Customer Personal Data that may be Processed

  • IP address

  • Contact Information (email, phone, physical mailing address, billing address)

  • As otherwise set forth on the applicable Order Form(s) or as instructed by Customer or Customer Affiliates in writing in accordance with the Principal Agreement

The categories of Data Subject to whom the Customer Personal Data relates

  • Customer’s end users who access the Customer’s websites or other applications where the Services are deployed

  • As otherwise set forth on the applicable Order Form(s) or as instructed by Customer or Customer Affiliates in writing in accordance with the Principal Agreement

The obligations and rights of Customer and Customer Affiliates

  • The obligations and rights of Customer and Customer Affiliates are set out in the Principal Agreement and this Addendum.

ANNEX 2

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: Customer as defined in the Principal Agreement

Address: Address as defined in the relevant Order Form, or if an Order Form does not exist, then the address of the Customer as set forth in the Principal Agreement

Contact person’s name, position and contact details: The Data Privacy Officer for the Customer, as defined in the Principal Agreement, or if there is none, then the name of the person executing the Principal Agreement

Activities relevant to the data transferred under these Clauses: The activities as authorized and described in the Principal Agreement between Quantum and Customer.

Role (controller/processor): Controller

Data importer(s):

Name: Quantum Metric, Inc.

Address: 10807 New Allegiance Drive, Ste. 155, Colorado Springs, Colorado 80921, USA

Contact person’s name, position and contact details: The Data Privacy Officer for the Customer, as defined in the Principal Agreement, or if there is none, then the name of the person executing the Principal Agreement

Activities relevant to the data transferred under these Clauses: The activities as authorized and described in the Principal Agreement between Quantum and Customer.

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Data subjects

The personal data transferred concern the following categories of data subjects (please specify): Those set forth in Annex 1 to the Addendum.

Categories of data

The personal data transferred concern the following categories of data (please specify): Those set forth in Annex 1 to the Addendum.

Special categories of data/sensitive data (if applicable)

The personal data transferred concern the following special categories of data or sensitive data (please specify): N/A

Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions for sensitive data:

Access only for staff having followed specialized training.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing/Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify): The activities set forth in Annex 1 to the Addendum.

Purpose(s) of the data transfer and further processing/p>

The purpose(s) of the transfer and further processing are Quantum’s performance of the services as authorized and described in the Principal Agreement between Quantum and Customer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The criteria include: the duration of the services as agreed upon between the parties and set forth in the Principal Agreement between Quantum and Customer; whether there is a legal obligation to which Quantum is subject, for example, certain laws requiring retention of the personal data; and whether retention is advisable in light of Quantum’s legal position, such as in regard to applicable statutes of limitations, litigation, or regulatory investigations.

For transfers to processors, also specify subject matter, nature and duration of the processing

The performance of the services as set forth in the written services agreement with the (sub-) processor, with the duration of the performance of the services as set forth in the written services agreement with the (sub-) processor.

ANNEX 3: TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Data importer shall maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data uploaded to the Services, as described in data importer’s then-current Enterprise Security Brief, the current version of which is available on the data importer’s support site at https://community.quantummetric.com/s/article/2021-Enterprise-Security-and-Privacy-Guide, as it may be updated from time to time. Data importer will not materially decrease the overall security of the Services during a subscription term.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Where data importer transfers personal data to (sub-) processors, data importer implements and maintains measures for vetting and oversight of its (sub-) processors to protect personal data consistent with the 2021 SCCs, including with respect to security obligations and assistance to the controller and/or data exporter as applicable.