THIS AGREEMENT CONTAINS DISCLAIMERS, INDEMNITIES AND LIMITATIONS OF LIABILITY. BY USING THE DHANGO SYSTEM, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT, REPRESENTS AND WARRANTS THAT IT HAS READ ALL SUCH PROVISIONS, HAS CONSULTED LEGAL COUNSEL, AND UNDERSTANDS THE EFFECT OF ALL SUCH PROVISIONS.
This section defines some capitalized terms used in this Agreement.
1.1 “Affiliate” means a legal entity that is controlled by, controls or is under common control with a party, where “control” means more than 50% of the voting power or ownership interests, or the power to elect at least a majority of the directors, of such legal entity.
1.2 “Agreement” means this dhango License Agreement and the applicable Order Form.
1.3 “Authorized User” means an employee of Customer to whom a specific user IDs is assigned for such employee to access and use the dhango System pursuant to this Agreement and who is under a legally binding obligation of confidentiality consistent with the confidentiality provisions of this Agreement.
1.4 “Customer” means the entity identified on an Order Form who is accessing the dhango System pursuant to this Agreement.
1.5 “dhango” means dhango Inc.
1.6 “dhango Materials” means, in any and all formats and throughout the world: (a) the dhango System; (b) the methodology, information, content, documents, software, works of authorship, technology, hardware, products, processes, algorithms, user interfaces, know-how, and other trade secrets, techniques, designs, ideas, inventions, “look and feel,” and other tangible or intangible technical material or information used or provided by dhango in relation to this Agreement; and (c) the Improvements (defined in Section 8, below).
1.7 “dhango System” means the software that is offered by dhango to its customers as an Internet-based service via dhango’s designated platform, including all text, images, graphics, logos, illustrations, photographs, video, audio, and other materials, as well as the designs, icons, layout, “look and feel,” and all other graphical elements of such system, and all code and software attendant thereto, including the Documentation and any Updates.
1.8 “Documentation” means the formal documentation in any medium as determined and provided by dhango with the dhango System, as updated by dhango from time to time and designated as official documentation to the dhango System by dhango.
1.9 “Fees” means a combination of a Monthly Base fee, plus a Monthly Transaction fee, plus a Monthly Token Fee.
1.10 “Platform” means a single account used by Customer to aggregate payments, or payment related offerings, on behalf of Customer’s merchants.
1.11 “Order Form” means a dhango order form that is executed by both Customer and dhango, is governed by this Agreement, and contains Customer information required by dhango to provide Customer with access to the dhango System.
1.12 “Records” means the data input into and output from the dhango System as a direct result of Customer’s use of the dhango System.
1.13 “Update” means an improvement, enhancement, modification, translation, adaptation, compilation, upgrade, change, contribution, correction, update, addition, or derivative work of or to the dhango System that is generally made available by dhango to all licensees of the dhango System. Updates do not include any hardware or software that dhango licenses for an additional fee separately from the dhango System, even if licensed by dhango for use in conjunction with the dhango System.
2.1 License Grant. Subject to the terms of this Agreement and timely payment of all Fees due hereunder, dhango grants to Customer, during the Term, a personal, nonexclusive, nontransferable, limited license to access and use the dhango System in strict accordance with the Documentation and solely to engage in Customer’s ordinary and normal business. Authorized Users’ may only access and use the dhango System on dhango’s supplier’s servers, only via the Internet address provided by dhango, and only with the passwords and user IDs that are assigned to such Authorized User. The Fees detailed in Section 3.1 of this Agreement are for a single Platform that can be used by and on behalf of Customer and its Affiliates only. If Customer or its Affiliates require additional Platforms, then additional Fees shall be owed.
2.2 Conditions. Customer is not entitled to, and will not receive delivery of, any source or object code related to the dhango System. The dhango System may be hosted by dhango or its suppliers on a server that is shared with other customers of dhango. Customer is solely responsible for procuring and maintaining the computer hardware, systems software, Internet connections, and other items necessary to access and use the dhango System in the manners authorized by the Agreement and the Documentation. Customer may only utilize the dhango System with a third-party payment platform then-currently integrated with the dhango System.
2.3 Restrictions. Except as specifically set forth in this Agreement, Customer shall not itself, or through any Affiliate, agent, or other third party, including any Authorized User, do any of the following: (a) sell, lease, license, sublicense, modify, or encumber the dhango System or any part thereof; (b) decompile, disassemble, or reverse engineer any portion of the dhango System or otherwise attempt to discover any source code or underlying ideas or algorithms of the dhango System or any technology associated with the dhango System; (c) in any manner attempt to thwart or overcome the copy restriction and protection measures embedded within the dhango System; (d) make available to, or permit use of, the dhango System by persons other than the Authorized Users; or (e) use the dhango System for the benefit of or on behalf of any third party, such as through commercial timesharing, rental, or other sharing arrangements or on a service bureau or an outsourcing basis.
3.1 Monthly Fees. Fees for Customer’s usage of the dhango System will be calculated on a monthly basis. Customer shall pay a MonthlyTransaction Fee and a Monthly Token Fee. The Monthly Transaction Fee is based on the volume of Customer’s use of the dhango System in anyapplicable month There are multiple tiers of Monthly Transaction Fees, as indicated in the table below, based on Customer’s monthly volume oftransactions. Each month, dhango will calculate the Fees due using the tiers in the table below (as shown in the example calculations below) andwill automatically invoice Customer for the applicable month. A Minimum Monthly Transaction Fee of $5,000.00 shall be charged each month fortransaction volumes below 20,000.
Example calculations:
Additionally, Customer shall pay a Monthly Token Fee of $0.03 per Token. A “Token” is any saved payment method created by Customer. Feesassociated with Tokens will be charged only in the month in which the Token was created (i.e., the Monthly Token Fee is a one-time charge in themonth in which the Token is created). If no Tokens are created in the applicable month, then there is no Monthly Token Fee owed for that month.
Every year following the effective date in the Order Form, there will be a 5% increase on the current Monthly Transaction Fees for the subsequent12-month period. dhango may increase any other Fees at any time, provided dhango supplies Customer with at least 120 days’ advance notice ofsuch change. Notices for any Fee changes shall be delivered to Customer exclusively via the online dashboard available to Customer in the dhangoSystem.
3.2 Invoices. dhango will invoice Customer for all Fees monthly in arrears. All invoices will be delivered exclusively via the online dashboard available to Customer in the dhango System. Invoices will show aggregations of the number of monthly transactions and Tokens created that were used by dhango to calculate the Fees due. Details of individual transactions will be available to Customer via the online dashboard in the dhango System. Neither the failure of dhango to deliver an invoice for amounts due hereunder nor any error in the amount invoiced by dhango shall constitute a waiver by dhango of Customer’s obligations to pay the amounts due. All amounts due under this Agreement shall be paid in U.S. currency. It is Customer’s responsibility to obtain such U.S. currency prior to making payment to dhango.
3.3 Payments. Unless the parties otherwise mutually agree, all payments for Fees will be deducted automatically from Customer’s designated account via direct debit on the invoice date. Customer will provide dhango with designated account information for direct debit with acceptance of this Agreement. Should there be insufficient funds in the designated account to pay all such Fees when due, the full amount of such deficiency shall be immediately due and payable by Customer, plus a processing charge of 5%. Any Fees remaining unpaid more than 30 days after the invoice date will be subject to an interest charge at the rate of 1% per month or the highest rate allowable at that time by law (whichever is lower). Customer shall reimburse dhango for any and all costs and expenses incurred by or on behalf of dhango to collect overdue amounts from Customer, including attorneys’ fees and court costs.
3.4 Additional Costs. Customer may request dhango perform ACH account validation services for a Fee of $0.20 per validation. Customer may request dhango perform background check services for a Fee of $15.00 per background check.
If Customer requests dhango provide additional services, then the parties will agree on mutually-acceptable fees for such additional services, which may include any expenses to be incurred by dhango in the performance of such services.
3.5 Taxes. Customer shall pay all taxes due in connection with this Agreement including sales, use, excise, value-added taxes assessed on the goods and services provided hereunder, consumption, and other similar taxes or duties, but excluding any taxes on dhango’s net income, net worth, or property. dhango will invoice Customer for any taxes payable by Customer that are required to be collected by dhango pursuant to any applicable law, rule, regulation, or other requirement of law. dhango will indicate on the invoices sent to Customer the amount billed for any taxes. In the event that a taxing authority or other entity asserts that dhango is responsible for the payment of any taxes, interest, or penalties for which Customer is responsible pursuant to this Section, Customer shall defend, indemnify, and hold harmless dhango from any and all liability for the payment of such taxes, interest, or penalties and any expenses and fees (including reasonable attorneys’ fees) incurred by dhango as a result of such assertion. Customer shall take all reasonable steps, including the posting of a bond, to remove any lien from dhango’s property that arises from such assertion.
3.6 Fees Nonrefundable. Except to the extent this Agreement expressly provides otherwise, none of the Fees or other amounts due under this Agreement are refundable for any reason.
4.1 License Term. The initial term of this Agreement shall begin on the effective date listed in the Order Form and the license granted hereunder is for the period of six months (the “Term”) unless earlier terminated as permitted by this Agreement. Thereafter, the Term shall automatically renew for additional one-month periods unless a party gives the other party notice of non-renewal at least 30 days prior to the end of the then-current Term.
4.2 Breach. In addition to its rights under this Section 4 and elsewhere in this Agreement, in the event Customer is in breach or any material term of this Agreement, including failing to timely pay all amounts due, dhango shall have the right, without prior written notice and without any resulting liability to dhango, to immediately suspend Customer’s access to the dhango System until such time as Customer fully cures such breach. Suspension under this Section 4.2 shall not relieve Customer of its obligation to pay any amounts then due or that may become due during the period of such suspension. If Customer does not cure such breach within 30 days, then on the 30th day following written notice from dhango of such breach, this Agreement automatically terminates.
4.3 Duties upon Termination. Upon termination of the license in this Agreement, (a) dhango may, without prior written notice and without any resulting liability, to immediately suspend its performance of any and all support and Customer’s access to and use of the dhango System and the Records, and (b) Customer shall immediately (i) discontinue access to and use of the dhango System, (ii) deliver to dhango any and all Documentation and related materials (and any copies thereof) in Customer's possession or under its control, and (iii) delete any copies of same from Customer's computers and data storage devices. In the event of Customer’s failure to return such Documentation and related materials within 10 days, Customer agrees that dhango shall be entitled to seek injunctive relief to require such return, reasonable attorney’s fees and costs incurred in obtaining such injunctive relief, and such damages as a court of competent jurisdiction shall award.
5.1 Availability of the dhango System. During each full calendar month during the Term, dhango will use commercially reasonable efforts to make the dhango System Available to Customer at least 99.9% of the total number of minutes that make up the applicable month. The dhango System is considered “Available” for purposes of this Section when the dhango System is available to Authorized Users on the entry point onto the Internet that is controlled by dhango or its providers. The calculation of Availability of the dhango System pursuant to this Section excludes (a) downtime during code releases, fixes, and updates to the dhango System, (b) any instance where the dhango System is not Available due to factors outside the reasonable control of dhango, including denial of service attacks and other malicious attempts to disrupt the availability of the dhango System through the Internet; (c) any downtime resulting, directly or indirectly, from any act by Customer or any person acting on behalf of Customer or accessing the dhango System with Customer’s permission, (d) any downtime resulting from failures in Customer’s Internet access, equipment, or software, and (e) any downtime resulting from a Force Majeure Event (defined below). dhango may schedule code releases, fixes, and updates to the dhango System at such times as dhango or its provider deems reasonable. In the event that the dhango System is not Available for any reason other than those specified in items (a) through (e) in this paragraph, dhango shall work diligently and continuously to restore Availability of the dhango System as soon as reasonably practicable. In addition, if the dhango System is not Available more than 5% of the total number of minutes that make up any calendar month, less the total number of minutes for unavailability as a result of items (a) through (e) in this paragraph, then if Customer notifies dhango in writing of such unavailability within five days of the end of the applicable month, then dhango will provide a credit to Customer to be applied against the next month’s Fees in an amount equal to 5% of the applicable month’s Monthly Base Fee.
5.2 Data Back-up. During the Term, Customer may store Records on dhango’s or its supplier’s servers through the dhango System. Provided that Customer pays the Fees stated on the applicable invoice, dhango shall provide Customer up to 5 years of storage space on dhango’s or its supplier’s servers for storage of the Records. The Records will be backed up regularly and such back up may be used by dhango to restore the Records in the event of a loss of or damage to such Records. The foregoing notwithstanding, dhango provides the back-up service as a courtesy to its customers and not as an insurance policy against the loss of the Records. Customer hereby releases, discharges, and waives any and all claims against dhango that relate to or arise out of any act or omission by dhango in backing up or failing to back up the Records. The foregoing notwithstanding, during the Term and continuing thereafter, dhango shall have the right, but not the obligation, to retain, access, use, and copy the Records for the purposes of (a) exercising its rights or performing its obligations in connection with this Agreement, (b) responding to inquiries or fulfilling requests by Customer, and (c) providing products or services requested by Customer under this Agreement or any other agreement. dhango shall have no obligation to maintain or retain any copy of the Records and may, but shall not be obligated to, purge its systems of all such Records upon termination or at any time thereafter.
5.3 Confidentiality of Records. All Records are confidential and belong to Customer. dhango shall: (a) use Records only for the purposes of exercising its rights or performing its obligations in connection with this Agreement; (b) exercise reasonable care to protect Records from disclosure to, or access by, any third parties without Customer’s prior written consent; and (c) disclose Records to only those of its employees, officers, directors, or professional advisors required to have access as necessary to allow dhango to exercise its rights or perform its obligations hereunder and who are bound to levels of care with respect to such Records that are at least as restrictive as the terms of this Agreement.
5.4 Data Protection. Without limiting the terms of this Agreement, for so long as dhango has access to or possession of the Records, dhango shall maintain, at its sole cost and expense, a formal cybersecurity program, at a level not materially less protective than specified in the attached Data Protection Addendum.
6.1 Telephone and E-mail Support. dhango shall provide support to Authorized Users who have difficulty using the dhango System. Such support shall be provided via a toll-free telephone number and/or e-mail from 8:30 a.m. to 5:30 p.m. CT, Monday through Friday, excluding U.S. National Holidays.
6.2 Reporting Nonconformities. A “Nonconformity” is a failure of the dhango System to operate in substantial conformity with its Documentation. In the event that Customer suspects that the dhango System contains a Nonconformity, it will provide dhango with a reasonably accurate written description of such suspected Nonconformity. Customer’s description of the suspected Nonconformity shall include reasonably detailed documentation, explanations, and any necessary underlying data to substantiate such Nonconformity, as well as any reasonable assistance necessary for dhango to diagnose, reproduce, and correct such Nonconformity. Customer may also request that dhango correct such Customer-Specific Nonconformity. If dhango is willing and able to provide such services, then Customer shall also pay dhango for those services on a time and materials basis subject to the terms of a separate agreement. A “Customer-Specific Nonconformity” means any Nonconformity that is caused by any of the following: (a) improper use of the dhango System; (b) incorrect or incomplete data input into the dhango System; (c) the limitations or incompatibilities of operating systems, systems software, utilities, hardware, communication links, or peripheral devices used by Authorized Users with the dhango System; or (d) any other failure of the dhango System to operate in substantial conformity with its Documentation that is not caused by dhango.
6.3 Nonconformity Correction. If dhango is able to confirm the existence of a Nonconformity, then it shall prioritize the Nonconformity in accordance with its standard support practices and shall use reasonable efforts to correct it. To the extent that a Nonconformity correction includes any modifications to the dhango System, then such correction shall be included in a future Update. dhango may assign a new priority to the Nonconformity after research if the initial description was not accurate or after provision of a manual method of working around the Nonconformity if such method lessens the impact of the Nonconformity. If an immediate correction is needed for a Nonconformity, dhango will use reasonable efforts to provide Customer with a temporary correction. The foregoing notwithstanding, Customer acknowledges that the dhango System is complex and may contain some Nonconformities. dhango does not warrant uninterrupted or error-free operation or performance of the dhango System or that all Nonconformities can or will be corrected.
6.4 Updates. Any Updates of the dhango System that are made generally available by dhango to supported licensees of the dhango System during the Term, other than functional enhancements that are licensed separately to customers by dhango, will be installed by dhango on its or its supplier’s servers at such times and in such form as dhango determines in its sole discretion is reasonable. Installation of Updates does not include any necessary conversion of the Records. Any such data conversion services shall be subject to the terms of a separate agreement, which may include additional charges. The foregoing notwithstanding, although Updates to the dhango System may be issued periodically, dhango is not required to create and deliver Updates.
6.5 Support Procedures. All support described in this Section shall be performed by dhango at dhango’s or its provider’s facilities and shall be delivered to Customer by phone, telecommunications network, mail, or commercial delivery service.
Customer has sole and exclusive responsibility for: (a) Customer’s use of the dhango System, including any and all decisions made by Customer or its employees or agents as a result of information or results obtained by using the dhango System; (b) establishing proper internal procedures and safeguards associated with Customer’s use of the dhango System and the information or results obtained by using the dhango System; (c) complying with all laws, rules, and regulations that govern or otherwise relate in any way to Customer’s use of the dhango System; (d) establishing and maintaining compliance with all industry standards applicable to Customer; and (e) monitoring and verifying input and output data. Under no circumstances will dhango be liable to Customer for any claims or damages arising out of or related to Customer’s use or misuse of the dhango System or arising out of or related to any failure of Customer to perform or adequately fulfill any of the foregoing responsibilities. Instead, Customer shall be solely responsible for all costs and expenses associated with fulfilling its responsibilities under this Section and for all liabilities, costs, damages, and expenses that may arise from or relate to Customer’s failure to perform or to adequately fulfill its responsibilities under this Section, including any and all liabilities, costs, damages, and expenses (including attorney’s fees) asserted against or incurred by dhango or its Affiliates, or their officers, directors, employees, or agents, as a result of Customer’s performance of, or lack of performance of, any of the duties assumed by Customer in this Section.
As between Customer and dhango, Customer acknowledges and agrees that dhango and/or its licensors own and shall retain ownership of all right, title, and interest in and to the dhango System, and all copies and partial copies thereof, and any and all intellectual property rights embodied therein. All rights in the dhango System not expressly granted by dhango to Customer in this Agreement are reserved to dhango. Except as expressly provided in this Agreement, no other rights or licenses are intended or conveyed herein, whether by implication, estoppel, or otherwise. dhango owns all right, title, and interest in and to all improvements, enhancements, modifications, changes, contributions, and additions to the dhango System that are conceived, made, authored, or reduced to practice at any time by or for dhango or Customer (whether solely, jointly, or with third parties) together with all intellectual property rights therein (collectively “Improvements”), including Improvements that implement any feedback, suggestions, and improvements regarding the dhango System provided by Customer to dhango. To the extent Customer has or might obtain any rights, title, or interest in or to the Improvements in contravention of this Section, Customer hereby assigns to dhango all such rights, title, and interests in and to all such Improvements. Furthermore, dhango’s name, logos, domain names, product names, and other trademarks belonging to dhango and its Affiliates and licensors (collectively the “dhango Marks”) are valuable assets of dhango and its Affiliates and licensors, and as between Customer and dhango, dhango and its licensors own all right, title, and interest in and to the dhango Marks and any and all intellectual property rights embodied therein. Customer agrees, upon request by dhango and without any additional consideration, to execute, acknowledge, and deliver to dhango all assignments and other instruments that dhango may reasonably request to effectuate the intent of this Section. The dhango System and other dhango Materials are protected under the copyright laws of the United States and of the Berne Convention.
The terms of this Agreement, the dhango Materials, and any and all other software (whether in object code or source code), Documentation, data, drawings, benchmark tests, specifications, release notes, trade secrets, logins, passwords, and other access codes provided by dhango to Customer pursuant to this Agreement are “Confidential Information” belonging to dhango. Customer shall: (a) use Confidential Information only for the purposes of exercising its rights or performing its obligations in connection with this Agreement; (b) protect Confidential Information from disclosure to, or access by, any third parties without dhango’s prior written consent; and (c) disclose Confidential Information to only those of its employees, officers, directors, or professional advisors required to have access as necessary to allow Customer to exercise its rights or perform its obligations hereunder and who are bound to levels of care with respect to such Confidential Information that are at least as restrictive as the terms of this Agreement. Information shall remain Confidential Information subject to the terms of this Section until dhango notifies Customer in writing that such information is no longer Confidential Information. Customer shall exercise not less than reasonable care in protecting the Confidential Information from unauthorized use and disclosure. Any breach of the provisions of this Section will result in serious and irreparable injury to dhango for which dhango cannot be adequately compensated. Therefore, in addition to any other remedy that dhango may have, dhango is entitled to enforce the specific performance of this Section and to seek both temporary and permanent injunctive relief without the necessities of proving that it has no adequate remedy at law or of posting a bond. Customer shall (x) immediately report to dhango any unauthorized access to, disclosure of, or use of the Confidential Information of which Customer becomes aware, regardless of (or in addition to) any report made to any appropriate law enforcement agency, and (y) use its best efforts to immediately alleviate the condition or circumstances causing or allowing such breach to occur and make any and all modifications and take any corrective actions necessary to protect from further breaches. Without in any way limiting the foregoing, Customer agrees to notify dhango in writing immediately upon discovery of any unauthorized copying or use of the dhango System or other dhango Materials. Customer shall promptly furnish full details of such unauthorized copying or use to dhango, will assist in preventing the recurrence of such unauthorized copying or use, and will cooperate with dhango in any action (including litigation or criminal complaints) against third parties that dhango deems advisable to protect its rights to the dhango System and the dhango Materials. Customer's compliance with this Section shall not be construed to bar dhango's right to recover damages or obtain other relief against Customer for its breach of any part of this Agreement. The disclosure of Confidential Information pursuant to this Agreement is not intended in any way to transfer or grant any right, title, or interest in or to such Confidential Information to Customer unless otherwise expressly indicated by dhango in writing.
EXCEPT AS EXPRESSLY SET FORTH HEREIN, DHANGO AND ITS LICENSORS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, BY WAY OF THIS AGREEMENT AND SPECIFICALLY DISCLAIM, TO THE MAXIMUM EXTENT ALLOWED BY LAW, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGMENT. THE DHANGO SYSTEM IS PROVIDED “AS-IS” WITHOUT WARRANTY OR GUARANTY OF ANY KIND. NOTHING IN THIS AGREEMENT IS INTENDED TO CONSTITUTE OR CREATE ANY REPRESENTATION OR WARRANTY BY DHANGO TO ANY THIRD PARTY, INCLUDING ANY AUTHORIZED USERS, DIRECTLY OR AS A THIRD-PARTY BENEFICIARY, WITH RESPECT TO THE DHANGO SYSTEM OR OTHER SUBJECT MATTER OF THIS AGREEMENT. DHANGO AND ITS LICENSORS ARE NOT LIABLE FOR ANY LOSS OR DAMAGE RESULTING FROM ANY USE OR APPLICATION OF THE INFORMATION OR RESULTS OBTAINED FROM THE DHANGO SYSTEM OR FROM ANY UNINTENDED OR UNFORESEEN RESULTS OBTAINED FROM THE DHANGO SYSTEM. IN ENTERING INTO THIS AGREEMENT, CUSTOMER HAS NOT RELIED ON ANY CONDITIONS, REPRESENTATIONS, OR WARRANTIES EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT.
11.1 Indemnity by dhango. If a third party claims that the dhango System infringes a United States patent, copyright, or trade secret, dhango will defend Customer against that claim at dhango’s expense and pay all damages that a court finally awards or that are provided for in a settlement approved by dhango. dhango shall have no liability for any claim that is based on a modification of the dhango System by anyone other than dhango, requirements or specifications or materials provided to dhango by or on behalf of Customer, use of the dhango System other than in accordance with its intended use, or use of the dhango System in combination with data, software, or hardware not provided by dhango. If a claim of infringement is made or appears likely, dhango may obtain the right for Customer to continue using the dhango System or dhango may modify or replace the dhango System to make it non-infringing. If dhango determines that neither of these options is reasonably available, dhango may cancel Customer’s license for the affected the dhango System and refund to Customer any prepaid, unearned fees for the time period following such termination. This is dhango’s entire obligation to Customer, and Customer’s sole remedy, regarding any third-party claims arising out of or relating to this Agreement.
11.2 Indemnity by Customer. If a third party claims that dhango is responsible for: (i) any damages arising out of or related to Customer’s use of the dhango System, including any use or application by Customer of the output of the dhango System; (ii) any damages arising out of or related to Customer’s material breach of this Agreement; (iii) any damages based on the actual or alleged infringement of a United States patent, copyright, trademark, or trade secret arising out of or related to dhango’s possession or use of Records in accordance with the terms of this Agreement; (iv) any damages arising out of or related to dhango’s possession or use of personal data of Authorized Users provided to dhango in accordance with the terms of this Agreement; or (v) any damages arising out of or related to Customer’s performance of, or lack of performance of, any of the duties assumed by Customer in Section 7, then Customer will defend dhango against that claim at Customer’s expense and pay all costs, damages, and attorney’s fees that a court finally awards or that are provided for in a settlement approved by Customer.
11.3 Indemnity Procedures. A party required to provide indemnification as set out above (the “Indemnifying Party”) will have no liability under this Section 11 unless the party entitled to indemnification (the “Indemnified Party”) promptly notifies the Indemnifying Party in writing of any claim or allegation that is subject to indemnification and allows the Indemnifying Party to control, and cooperates with the Indemnifying Party (at the Indemnifying Party’s cost) in, the defense and settlement of the claim. The Indemnified Party may, at its own cost and expense, monitor, through its attorneys or otherwise, such defense and settlement of such claim. No settlement of a claim shall require the payment of money by an Indemnified Party without the consent of the Indemnified Party. For purposes of this Agreement, “prompt notice” shall be notice received in a timely manner in that the time of receipt of such notice does not jeopardize the Indemnifying Party's right to defend against such claim.
11.4 Additional Indemnified Parties. The parties intend that the rights to receive indemnification under this Section 11 shall extend to the parties hereto, as well as to their Affiliates and those officers, directors, employees, and agents of the parties acting within the course and scope of their employment or engagement with the applicable party and who are performing duties or exercising rights on behalf of a party pursuant to the terms of this Agreement. No other person or entity shall be entitled to indemnification pursuant to this Section 11.
11.5 Limitations of Liability. DHANGO, ITS AFFILIATES, AND ITS LICENSORS ARE NOT LIABLE IN ANY MANNER TO CUSTOMER OR ANY OTHER PARTY FOR ANY EXEMPLARY, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT PRODUCT LIABILITY, OR OTHERWISE, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE. THE AGGREGATE LIABILITY OF DHANGO, ITS AFFILIATES, AND/OR ITS LICENSORS IN RELATION TO, OR FOR BREACH OF, THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF $5,000 OR THE AMOUNT OF FEES ACTUALLY PAID TO DHANGO BY CUSTOMER FOR THE DHANGO SYSTEM DURING THE SIX MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH LIABILITY. THE LIMITATIONS OF LIABILITY IN THIS SECTION WILL BE ENFORCED, EVEN IF ANY EXCLUSIVE REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
12.1 Governing Law and Venue. The laws of the State of Texas govern this Agreement, without regard to its principles governing the conflicts of laws. Because the parties agree that this agreement is not an agreement for the sale of goods, this Agreement shall not be governed by any part of the Uniform Commercial Code, nor shall it be governed by any codification of the Uniform Computer Information Transactions Act or any reference to the United Nations Convention on Contracts for the International Sale of Goods. THE PARTIES UNCONDITIONALLY CONSENT TO THE EXCLUSIVE JURISDICTION OF AND VENUE IN THE STATE AND FEDERAL COURTS LOCATED IN AUSTIN, TEXAS FOR ACTIONS ARISING OUT OF OR RELATED TO THIS AGREEMENT. Notwithstanding the foregoing, dhango may seek equitable remedies in any court of competent jurisdiction to protect its intellectual property or Confidential Information.
12.2 Force Majeure. If either party is unable to perform its obligations under this Agreement due to circumstances beyond its reasonable control (a “Force Majeure Event”), such obligations shall be suspended so long as those circumstances persist, once the delaying party notifies the other of the delay and its causes. Except where a delay is caused by the act or omission of the other party (in such event the rights, remedies and liabilities of the parties shall be those conferred and imposed by the other terms of this Agreement), any costs arising from such delay shall be borne by the party incurring the same.
12.3 Assignment. Customer may not transfer, whether by assignment, delegation, sublicense, merger, consolidation, operation of law, or otherwise, any rights, remedies, liabilities, or obligations under this Agreement without dhango's prior written consent. The consent to any particular assignment shall not constitute consent to further assignment. dhango shall be allowed to transfer, whether by assignment, delegation, subcontracting, sublicense, merger, consolidation, operation of law, or otherwise, any or all of its rights, remedies, liabilities, or obligations under this Agreement, and Customer hereby irrevocably consents thereto and agrees to tender performance to, or seek performance from, any such successor or assign. This Agreement shall be binding upon the parties and their respective successors and permitted assigns. Any transaction in contravention of this Section shall be null and void.
12.4 Entire Agreement. This Agreement states the entire understanding between dhango and Customer concerning the subject matter of this Agreement and supersedes all prior oral and written communications. This Agreement may only be amended in a written document signed by both parties. The terms of any purchase order or similar document provided by Customer, including any pre-printed terms thereon and any terms that are inconsistent, add to, or conflict with this Agreement shall be null and void and of no legal force or effect.
12.5 Waiver. No delay or omission by either party to exercise any right or remedy provided by this Agreement will be construed to be a waiver thereof. No waiver of any breach of any provision of this Agreement shall constitute a waiver of any prior, concurrent, or subsequent breach of the same or of any other provisions hereof. No waiver of any breach of any provision of this Agreement shall be effective unless made in writing by an authorized representative of the party against whom such waiver is asserted.
12.6 Survival. Any provision of this Agreement that expressly or by implication is intended to continue in force shall survive termination of this Agreement, including obligations to return dhango Materials and Confidential Information, confidentiality terms, proprietary rights, disclaimers, and indemnity, as well as any other provisions necessary to interpret the rights or obligations of the parties hereunder following such termination.
12.7 Affiliates. The obligations, limitations, restrictions, and prohibitions placed on Customer under this Agreement shall apply equally to Customer’s Affiliates to the extent that such Affiliates have access to or use the dhango System. Customer and its Affiliates shall be jointly and severally liable for such Affiliate’s acts and omissions related to the subject matter of this Agreement, whether in tort, contract or otherwise.
12.8 Notices. Any notice, request, instruction, or other communication at any time hereunder required or permitted to be given or furnished by either party hereto to the other shall be deemed sufficiently given or furnished if in writing and actually delivered to the party to be notified at the email address stated in the invoice submitted by dhango to Customer for Fees due under this Agreement. Either party may change its email address for notice by written notice to the other party. All communications between the parties will be in English.
12.9 Construction. The headings used herein are inserted only as a matter of convenience and for reference and shall not affect the construction or interpretation of this Agreement. Where context so indicates, a word in the singular form shall include the plural, a word in the masculine form the feminine, and vice-versa. The word "including" and similar constructions (such as "for example", "such as", and "e.g.") shall mean "including, without limitation," throughout this Agreement.
12.10 Severability. If any provision hereof is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be deleted and the remainder thereof shall remain in full force and effect, and the parties shall substitute for the invalid or unenforceable provision a valid provision most closely approximating the economic effect and intent of the invalid or unenforceable provision. If the parties cannot agree in good faith on a substitute provision, then the court may conform the provision to most closely approximate the economic effect and intent of the invalid or unenforceable provision. If the court cannot conform the provision in accordance with this Section, then the provision shall be deleted as contemplated in this Section. Reference to a provision in this Section shall, if applicable, include or be limited to a part of a provision.
12.11 Third-Party Beneficiaries. Each party intends that this Agreement shall not benefit or create any right or cause of action in or on behalf of, any person or entity other than Customer and dhango, unless otherwise expressly stated in this Agreement. dhango shall not be obligated to provide any support to any party except Customer pursuant to the terms of this Agreement.
This Data Protection Addendum (the “Addendum”) forms part of the dhango License Agreement between Customer and dhango Inc. covering Customer's use of the dhango System (the “Agreement”).
1.1 “Applicable Law” shall mean all laws and regulations applicable to dhango's processing of personal data under the Agreement.
1.2 “Authorized Persons” shall mean dhango's employees, contractors or other authorized agents who need access to Controller Personal Data to enable dhango to provide the dhango System.
1.3 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Customer is the controller under the Agreement.
1.4 “Controller Personal Data” means any personal data processed by dhango on behalf of the Customer pursuant to the Agreement. For the avoidance of doubt, all Customer Data that constitutes personal data is Controller Personal Data.
1.5 “Customer Data” means data and other information made available by Customer to dhango in connection with Customer's use of the dhango System under the Agreement.
1.6 “dhango System” means the software offered by dhango to its customers as an Internet-based service via dhango's designated platform, including all text, images, graphics, logos, illustrations, photographs, video, audio, and other materials, as well as the designs, icons, layout, "look and feel," and all other graphical elements of such system, and all code and software attendant thereto, including the Documentation and any Updates.
1.7 “Personal data” means and includes "personal information," "personal data" or other cognate terms as defined by Applicable Law
1.8 “Process, Processed or Processing” means any operation or set of operations performed on personal data.
1.9 “Processor” means the entity which processes personal data on behalf of the controller.
1.10 “Security Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized use, disclosure, acquisition, or access to Controller Personal Data that materially compromises the availability, confidentiality or integrity of Controller Personal Data.
1.11 “Sell, Selling, Sale” or Sold and Share, Shared, or Sharing” shall have the meanings set forth in Applicable Law.
2.1 dhango, as processor for Customer under the Agreement, will comply with Applicable Law relating to the privacy and protection of Controller Personal Data.
2.2 Customer, as controller under the Agreement, will comply with Applicable Law relating to the privacy and protection of personal data.
2.3 Customer represents and warrants is has provided or made available all required notices and obtained all required consents for the collection, use, sharing, or other processing of personal data in compliance with Applicable Law, (including any notice or consents for dhango's processing of personal data on its behalf), and will indemnify and hold harmless dhango from and against any claims, liabilities, fines, penalties, costs or other expenses arising out of Customer's failure to provide any notices and consents required under Applicable Law. ; Customer agrees to make available, upon request, information to demonstrate compliance, including a copy of the compliant notices or consents.
2.4 As between the parties, all Customer Personal Data remains, at all times, the property of Customer, and Customer may direct dhango in connection with dhango's processing of Customer Personal Data in compliance with Applicable Law.
2.5 dhango shall immediately inform Customer if it cannot comply with an instruction or, in its opinion, an instruction infringes any law applicable to Customer or dhango, or if dhango can no longer meet its obligations under Applicable Law.
2.6 dhango will process Customer Personal Data only as necessary for the provision of the dhango System.
This Data Protection Addendum (the “Addendum”) formspart of the dhango License Agreement between Customer and dhango Inc. covering Customer's use of the dhango System (the “Agreement”).
LAW
1.1 “Applicable Law” shall mean all laws and regulations applicable to dhango's processing of personal data under the Agreement.
1.2 “Authorized Persons” shall mean dhango's employees, contractors or other authorized agents who need access to Controller Personal Data to enable dhango to provide the dhango System.
1.3 “Controller” means the natural or legal person, publicauthority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Customer is the controller under the Agreement.
1.4 “Controller Personal Data” means any personal data processed by dhango on behalf of the Customer pursuant to the Agreement. For the avoidance of doubt, all Customer Data that constitutes personal data is Controller Personal Data.
1.5 “Customer Data” means data and other information made available by Customer to dhango in connection with Customer's use of the dhango System under the Agreement.
1.6 “dhango System” means the software offered by dhango to its customers as an Internet-based service via dhango's designated platform, including all text, images, graphics, logos, illustrations, photographs, video, audio, and other materials, as well as the designs, icons, layout, "look and feel," and all other graphical elements of such system, and all code and software attendant thereto, including the Documentation and any Updates.
1.7 “Personal data” means and includes "personal information," "personal data" or other cognate terms as defined by Applicable Law
1.8 “Process, Processed or Processing” means any operation or set of operations performed on personal data.
1.9 “Processor” means the entity which processes personal dataon behalf of the controller.
1.10 “Security Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized use, disclosure, acquisition, or access to Controller Personal Data that materially compromises the availability, confidentiality or integrity of Controller Personal Data.
1.11 “Sell, Selling, Sale” or Sold and Share, Shared, or Sharing” shall have the meanings set forth in Applicable Law.
2.1 dhango, as processor for Customer under the Agreement, will comply with Applicable Law relating to the privacy and protection of Controller Personal Data.
2.2 Customer, as controller under the Agreement, will comply with Applicable Law relating to the privacy and protection of personal data.
2.3 Customer represents and warrants is has provided or made available all required notices and obtained all required consents for the collection, use, sharing, or other processing of personal data in compliance with Applicable Law, (including anynotice or consents for dhango's processing of personal data on its behalf), and will indemnify and hold harmless dhango from and against any claims, liabilities, fines, penalties, costs or other expenses arising out of Customer's failure to provide any notices and consents required under Applicable Law. ; Customer agrees to make available, upon request, information to demonstrate compliance, including a copy of the compliant notices or consents.
2.4 As between the parties, all Customer Personal Data remains, at all times, the property of Customer, and Customer may direct dhango in connection with dhango's processing of Customer Personal Data in compliance with Applicable Law.
2.5 dhango shall immediately inform Customer if it cannot comply with an instruction or, in its opinion, an instruction infringes any law applicable to Customer or dhango, or if dhango can no longer meet its obligations under Applicable Law.
2.6 dhango will process Customer Personal Data only as necessary for the provision of the dhango System.
3.1 dhango will process Customer Personal Data forthe sole purpose of providing the dhango System under the Agreement and not for any other purpose. dhango shall not retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of providing the dhango System specified in the Agreement or as otherwise permitted by law, including retaining, using, or disclosing Customer Personal Data for a purpose other than providing the dhango System. Without limiting the generality of the foregoing, dhango agrees it shall not intentionally: (i) Sell or Share the Personal Information; (ii) retain, use, or disclose Customer Personal Data outside of the direct business relationship between dhango and the Customer; or(iii) combine Customer Personal Data with personal data it receives from another source except to perform business purposes permitted by Applicable Law.
3.2 dhango represents it has implemented appropriate technical and organizational measures such that its processing of Customer Personal Data will meet requirements of Applicable Law.
3.3 dhango's processing of Customer Personal Data includes:
(a) Data Subjects: Personnel and customers of the Customer.
(b) Categories of Customer Personal Data: With respect to personnel of Customer, personal details, including information identifying the data subject such as name, employer, address, e-mail, telephone number, location and other contact details. With respect to customers of the Customer, name, address, e-mail, telephone number, location, and billing and payment details such as bank account, social security, tax identification, and credit or debit card numbers.
(c) Special Categories of Data: None.
(d) Nature and Purpose of Processing: All processing actions required to provide the dhango System under the Agreement.
(e) Frequency of Transfer to dhango: Continuously throughout the term of the Agreement.
(f) Retention of Customer Personal Data: Except as otherwise provided in the Agreement or this Addendum, in accordance with the retention policy of dhango, provided any personal data retained beyond termination of the Agreement for critically necessary or legal purposes, will be protected in accordance with the Agreement and this Addendum.
(g) Transfers to sub processors: the subject matter, nature and duration of the Processing: As described in Section 10 of this Addendum.
3.4 dhango will provide information about dhango processing of Customer Personal Data asis reasonably requested by Customer to assist Customer in its compliance obligations under Applicable Law.
3.5 dhango will promptly notify Customer of requests received regarding the processing of Customer Personal Data from third parties, including regulators, authorities, data subjects and law enforcement authorities. dhango, unless otherwise required under the law, will make reasonable efforts to respond to any such requests as they relate to Customer Personal Data after receipt of documented instructions from Customer. Such efforts by dhango are superseded by any legalor regulatory requirements otherwise. Such restriction on responses does notimpede or restrict dhango's ability or right to consult or retain counsel, security consultants or other advisors with regard to dhango's own rights and protections.
3.6 dhango will provide reasonable and appropriate cooperation in support of Customer's response to such requests, including validated requests from data subjects to access, amend, transfer, opt out of Sale or Sharing, delete or exercise other data subject rights around personal data (collectively, Data Subject Rights). Customer recognizes its duty to provide adequate time and reasonable, clear notice of such requests, inquiry or complaints so that dhango may provide appropriate cooperation for such requests. Absent adequate time and reasonable notice, dhango is not responsible for or able to support Customer response requirements.
4.1 Customer will ensure its instructions comply with all laws, rules and regulations applicable in relation to Customer Personal Data, and that processing of Customer Personal Data in accordance with Customer's instructions will not cause dhango to be in breach of Applicable Law or any other law, rule orregulation applicable with respect to the Customer Personal Data.
4.2 Customer represents and warrants all required notices and consents for the collection, use, sharing, or other processing of personal data have been made or obtained in compliance with Applicable Law. Customer will indemnify and hold harmless dhango from and against any claims, liabilities, fines, penalties, costs or other expenses arising out of Customer's failure to meet its obligations under Applicable Law and this Section 4.2.
4.3 Customer represents and warrants all Customer workers, personnel, employees, contractors or other agents who are provided access to the dhango System will, prior to any access to the dhango System,have been provided reasonably current data privacy and data security and cyber security training, including but not limited to clean desk procedures, phishing awareness, proper password protocols and the like
5.1 Customer on its own behalf grants dhango ageneral consent to engage Authorized Persons, including subprocessors, to provide the dhango System as needed.
5.2 If dhango uses subprocessors to fulfill its obligations under the Agreement, it will:
(a) Conduct reasonable due diligence to ensure such subprocessor is capable of providing a reasonably commensurate level of protection for the Customer Personal Data under Applicable Law.
(b) Execute a written contract including applicable terms regarding the sub-processing activities imposing substantially similar data protection obligations as this Addendum.
(c) Keep a list of subprocessor agreements, which shall be updated regularly and made available to Customer upon prior, written request.
(d) Customer acknowledges and agrees dhango is (and its subprocessors may be) based in the United States and that dhango provides (and subprocessors may provide) services under the Agreement from the United States, and Customer hereby consents to the transfer of Customer Personal Data to the United States for processing by dhango and its subprocessors.
(e) Customer and dhango acknowledge the Customer may engage a third-party payment gateway service provider, a third-party payment processing service provider or others to facilitate payment transactions inconnection with the Agreement. Any such third parties engaged by Customer will not be deemed a subprocessor of dhango under the Agreement or this Addendum. Nothing in this Addendum obligates dhango to enter into an agreement with any such third party or be responsible or liable for such third party's acts oromissions.
5.3 dhango will give Customer a list of all subprocessors upon Customer's reasonable, written request. If the Customer, within seven (7) days of receipt of such requested list, has an objection to any dhango subprocessors, it shall directly provide written notice of any objections (on reasonable grounds) to dhango. dhango will consider such objections and use commercially reasonable efforts to resolve the same; Customer will reasonably and in good faith cooperate with dhango in such efforts. If the parties are unable to resolve Customer's objection within a reasonable time period ', and if dhango is unable to provide some or all of the dhango System without use of the objected-to subprocessor, then Customer may terminate the applicable dhango System that otherwise cannot be provided without use of the objected-to subprocessor by providing written notice to dhango.
5.4 Wherea subprocessor fails to fulfil its obligations under Applicable Law, dhango shall remain responsible for such subprocessor.
6.1 dhango will take reasonable steps to ensure that access to Customer Personal Data is limited to those dhango Authorized Persons who have a need to know / access the relevant Customer Personal Data for purposes of the Agreement and compliance with Applicable Law dhango will take reasonable measures to ensure Authorized Persons are subject to confidentiality agreements and process Customer Personal Data in accordance with the Agreement and this Addendum.
6.2 dhango will provide training to Authorized Persons to whom it provides Customer Personal Data to provide for and implement appropriate safeguards to protect Customer Personal Data
6.3 dhango will take measures to limit access to Customer Personal Data by Authorized Persons with the level of access necessary to perform their job functions to support provision of the dhango System to Customer.
6.4 dhango will provide Customer with the name and contact details of the party responsible for compliance under Applicable Law within dhango.
6.5 dhango will take commercially reasonable efforts to not disclose Customer Personal Data to any third party beyond Authorized Persons, unless required to do so by law; in such a case dhango shall take reasonable measures to inform Customer of such legal requirements before processing if in fact feasible, unless that law prohibits such information on important grounds of public interest.
5.1 Customer on its own behalf grants dhango ageneral consent to engage Authorized Persons, including subprocessors, to provide the dhango System as needed.
5.2 If dhango uses subprocessors to fulfill its obligations under the Agreement, it will:
(a) Conduct reasonable due diligence to ensure such subprocessor is capable of providing a reasonably commensurate level of protection for the Customer Personal Data under Applicable Law.
(b) Execute a written contract including applicable terms regarding the sub-processing activities imposing substantially similar data protection obligations as this Addendum.
(c) Keep a list of subprocessor agreements, which shall be updated regularly and made available to Customer upon prior, written request.
(d) Customer acknowledges and agrees dhango is (and its subprocessors may be) based in the United States and that dhango provides (and subprocessors may provide) services under the Agreement from the United States, and Customer hereby consents to the transfer of Customer Personal Data to the United States for processing by dhango and its subprocessors.
(e) Customer and dhango acknowledge the Customer may engage a third-party payment gateway service provider, a third-party payment processing service provider or others to facilitate payment transactions inconnection with the Agreement. Any such third parties engaged by Customer will not be deemed a subprocessor of dhango under the Agreement or this Addendum. Nothing in this Addendum obligates dhango to enter into an agreement with any such third party or be responsible or liable for such third party's acts oromissions.
5.3 dhango will give Customer a list of all subprocessors upon Customer's reasonable, written request. If the Customer, within seven (7) days of receipt of such requested list, has an objection to any dhango subprocessors, it shall directly provide written notice of any objections (on reasonable grounds) to dhango. dhango will consider such objections and use commercially reasonable efforts to resolve the same; Customer will reasonably and in good faith cooperate with dhango in such efforts. If the parties are unable to resolve Customer's objection within a reasonable time period ', and if dhango is unable to provide some or all of the dhango System without use of the objected-to subprocessor, then Customer may terminate the applicable dhango System that otherwise cannot be provided without use of the objected-to subprocessor by providing written notice to dhango.
5.4 Wherea subprocessor fails to fulfil its obligations under Applicable Law, dhango shall remain responsible for such subprocessor.
6.1 dhango will take reasonable steps to ensure that access to Customer Personal Data is limited to those dhango Authorized Persons who have a need to know / access the relevant Customer Personal Data for purposes of the Agreement and compliance with Applicable Law dhango will take reasonable measures to ensure Authorized Persons are subject to confidentiality agreements and process Customer Personal Data in accordance with the Agreement and this Addendum.
6.2 dhango will provide training to Authorized Persons to whom it provides Customer Personal Data to provide for and implement appropriate safeguards to protect Customer Personal Data
6.3 dhango will take measures to limit access to Customer Personal Data by Authorized Persons with the level of access necessary to perform their job functions to support provision of the dhango System to Customer.
6.4 dhango will provide Customer with the name and contact details of the party responsible for compliance under Applicable Law within dhango.
6.5 dhango will take commercially reasonable efforts to not disclose Customer Personal Data to any third party beyond Authorized Persons, unless required to do so by law; in such a case dhango shall take reasonable measures to inform Customer of such legal requirements before processing if in fact feasible, unless that law prohibits such information on important grounds of public interest.
7.1 Upon termination or expiration of the Agreement for any reason, dhango will, and will use reasonable means to ensure Authorized Persons, as requested by Customer, either destroy all accessible Customer Personal Data processed under the Agreement and in its possession or control (including all originals and copies) as soon as practicable, and no later than ninety (90) days after termination or expiration or it is no longer required or, return all such Customer Personal Data to Customer within ninety (90) days.
7.2 Upon Customer's reasonable request, dhango will certify in writing to that it has destroyed or returned Customer Personal Data. In the event dhango is unable to return or destroy all Customer Personal Data, dhango will retain Customer Personal Data only to the extent and for such period as required by Applicable Law, maintaining the security and confidentiality of such retained Customer Personal Data
8.1 dhango will maintain appropriate physical, organizational and technical processes and procedures and measures to protect against unauthorized access, processing, loss, destruction, theft, damage, use, disclosure or other compromise of Customer Personal Data (collectively, Appropriate Safeguards), including the technical and organizational security measures set forth as Annex 1 to this Addendum. Such Appropriate Safeguards will, in all material respects, be in accordance with standard industry practice and not less stringent than the measures dhango applies to its own data or systems. Such Appropriate Safeguards will be appropriate to foreseeable harm that might result from foreseeable risks to Customer Personal Data, taking into consideration the state of the art, the costs of implementation and the nature, scope, context and purpose of the processing and the risks to the individuals whose personal data it -processes on behalf of Customer.
8.2 PCI Compliance. To the extent applicable, dhango agrees to comply with the PCI Standards and provide Customer, upon prior written, reasonable request, a report regarding such compliance efforts. For purposes of this section, "PCI Standards" shall mean applicable standards and requirements issued by the PCI-SSC, including but not limited to the Payment Card Industry Data Security Standard (PCI-DSS), Payment Application Data Security Standard (PA-DSS), Tokenization Product Security Guidelines, and any additional applicable standards or requirements established by a major payment card network with respect to the security of Account Data. Any reference to a standard or requirement document means the operable version of the document, as its issuing organization may amend and publish.
9.1 dhango will promptly notify Customer within seventy-two (72) hours upon dhango becoming aware of an actual or reasonably suspected Security Breach. dhango may notify Customer by telephone or via email if it has knowledge that there is an actual or reasonably suspected Security Breach. If available at the time of the notification, dhango will provide notice of the following:
(a) the nature of the Security Breach,
(b) the approximate and available categories and numbers of data subjects concerned;
(c) the approximate categories and numbers of records concerned;
(d) the name and contact details of the dhango contact from whom more information may be obtained;
(e) describe, as is possible at the time, measures taken to address the Security Breach.
9.2 Taking into account the nature of processing and the information available to dhango at the time, dhango will reasonably assist Customer in its efforts to comply with its obligations regarding a Security Breach as set forth in Applicable Law. If any Customer Personal Data is subject to a Security Breach on the dhango System, dhango will, upon becoming aware of the Security Breach, without undue delay notify the Customer, take reasonable steps to contain and counteract the Security Breach and minimize any damage resulting from such Security Breach, and provide Customer with sufficient information to allow it to meet its obligations to report to regulatory authorities or inform the applicable data subjects of such Security Breach to the extent required under Applicable Law. dhango will cooperate to assist Customer in the investigation, mitigation and remediation of each such Security Breach.
10.1 dhango will not, to the extent it is on notice, process Customer Personal Data in a jurisdiction outside of the jurisdiction in which it was collected without written consent. To the extent such written consent to the processing of Customer Personal Data outside of the jurisdiction in which it was collected is provided, dhango agrees to comply with Applicable Law governing cross-border transfer of Customer Personal Data. If the activities of dhango involve processing of Customer Personal Data from the European Economic Area or Switzerland to locations outside of the European Economic Area or Switzerland, dhango agrees to comply with a legally valid data transfer mechanism, including to execute EU Standard Contractual Clauses (SCCs) to ensure compliance with restrictions on cross-border transfers.
10.2 The Parties agree to amend this Addendum or put in place additional contractual terms, safeguards, or other mechanisms enabling them to comply with applicable international data transfer restrictions pertaining to Customer Personal Data, in case a data transfer mechanism is no longer deemed adequate.
11.1 dhango will maintain all records pertinent to its processing of Customer Personal Data required by Applicable Law and (to the extent they are applicable to dhango's activities as processor for Customer) dhango will make such records available to Customer upon the Customer's reasonable, prior, written request.
11.2 dhango will make available to Customer, on Customer's reasonable, prior, written request, information necessary to demonstrate compliance with this Addendum, and will, at Customer's cost, allow for and cooperate with audits by the Customer or an auditor appointed by Controller in relation to the Processing of the Controller Personal Data by Processor, subject to the following:
(a) Information disclosed to Customer or its auditor or that is otherwise revealed in such records or audits will be the Confidential Information of dhango under the confidentiality provisions of the Agreement.
(b) Customer may request an audit by emailing support@dhango.com.
(c) Audits may not be conducted more than once per year.
(d) Audits will be conducted only during Customer's normal business hours and only with reasonable, advance written notice of not less than 21 business days.
(e) Following dhango's receipt of Customer's prior, written request to conduct an audit, dhango and Customer will discuss and agree in advance on the reasonable scope, start date and duration of this audit, as well as any applicable security and confidentiality controls required.
(f) No such audit will include access to dhango's (or any subprocessors') facilities or systems (e.g., computing infrastructure, servers, data storage mechanisms and infrastructure, audit logs, activity reports, system configuration, etc.) without dhango's express, prior, written consent.
(g) dhango may charge a fee (based on dhango's reasonable costs) for any such audit. dhango will provide Customer with additional details of this fee including basis of calculation, in advance of the audit. Additionally, Customer will be responsible for any fees charged by any third-party auditor appointed by Customer for such audit.
11.3 In lieu of audit, upon reasonable, prior, written request by Customer, but no more than once per year, dhango agrees to complete, within thirty (30) days of receipt,an audit questionnaire provided by Customer regarding Customer's compliance with this Addendum, of reasonable length and required detail (not to exceed a reasonably-estimated three person-hours to complete unless otherwise agreed to and subject to the payment of additional fees), provided any such questionnaire responses will be dhango's Confidential Information under the confidentiality provisions of the Agreement.
12.1 If dhango materially breaches this Addendum or fails to comply with Applicable Law, Customer shall provide written notice to dhango of such alleged material breach, allowing dhango thirty days from delivery of such notice to dhango an opportunity to cure the alleged material breach. If within those thirty (30) days, dhango fails to cure the alleged breach, Customer shall have the right to terminate the Agreement or stop dhango processing
12.2 Subject to the following sentence of this Section 12.2, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum will prevail. In any event, dhango's liability under this Addendum, including for breach or other failure under this Addendum by dhango or its subprocessors, will be (to the maximum extent permitted under Applicable Law) subject to the exclusions and limitations of liability provided for in the Agreement as if this Addendum were a part of the Agreement, ab initio
12.3 To the extent this Addendum is not governed exclusively by Applicable Law, it will be governed by and construed in accordance with the laws selected pursuant to the governing law provision set forth in the Agreement.
12.4 This Addendum constitutes the entire understanding of the parties with respect to the subject matter hereof and supersedes all prior agreements, oral or written.
12.5 Except as expressly stated in Applicable Laws, the parties to this Addendum do not intend to create any rights in any third parties.
12.6 The parties agree that, to the extent required under Applicable Law, such as due to legislative changes, court decisions, and/or to reflect measures or guidance from regulatory authorities, the Customer may request reasonable changes or additions to this Addendum to reflect applicable requirements. If Customer makes a request to change or supplement this Addendum pursuant to this Section 12.6, the parties will in good faith negotiate such changes and additions (including, where applicable, providing for Customer's reimbursement of dhango's costs and expenses for undertaking additional obligations) and the dhango will not unreasonably withhold or delay agreement to reasonable variations to this Addendum.
12.7 Based on the Customer Personal Data Customer will process using the dhango System or otherwise provide to dhango, if and to the extent Applicable Law requires additional clauses to be executed beyond those set forth in this Addendum, then Customer will provide reasonable notice to dhango in writing of such requirement and dhango will in good faith review, negotiate and consider adding such clauses as an additional addendum to the Agreement. In the absence of such notice, Customer represents and warrants that no additional clauses are required.
ANNEX 1: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
dhango shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and take reasonable measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
At a minimum, dhango has implemented and shall maintain the following security measures:
Business Continuity, Enterprise Resilience, and Disaster Recovery
1. Business Impact Analysis:
a) Critical IT systems and components are identified, including recovery time objective and recovery point objective.
2. Recovery Strategies
a) Mission critical information is backed up on a reasonable basis and incremental changes are backed up daily.
b) Backed-up information is stored encrypted with FIPS 140-2 compliant encryption protocols.
c) Restoration of critical data back-ups are tested no less than annually.
d) Backed-up information is stored in a secure off-site facility.
e) Backed-up information is immutable.
3. Recovery Plans and Procedures, and Maintenance
a) dhango maintains a business continuity and disaster recovery plan for business functions and supporting technology.
b) The business continuity and disaster recovery plan are available in the event of disaster.
4. Testing and Exercising
a) The business continuity and disaster recovery plans for business functions and supporting technologies are tested annually.
5. Escalation and Crisis Management
a) The business continuity plan contains notification procedures to alert customers of material service disruptions including off hour and weekend coverage.
b) The disaster recovery plan contains notification procedures to alert customers of material service disruptions off hour and weekend coverage.
IT Risk and Compliance Management
1. Regulatory and Standards Implementation
a) An information security officer is assigned.
b) A security awareness program is established and communicated to all Authorized Persons in an effort to socialize and develop awareness of information confidentiality, security policies, standards, and good security practices.
c) Information Security awareness information js distributed to Authorized Persons on a periodic basis.
d) A privacy awareness program is established and communicated to Authorized Persons.
e) Privacy awareness information is distributed to Authorized Persons on a periodic basis.
f) Privacy training is delivered and managed for Authorized Persons on no less than an annual basis.
g) Authorized Persons are required to sign confidentiality and non-disclosure agreements.
2. Risk and Compliance Assessments
a) An accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of personal data is conducted at least annually.
b) Authorized Persons undergo a background check.
3. Policies, Standards, and Procedure Management
a) A documented risk management function and/or program supported by executive management is established.
b) A documented information security function and/or program supported by executive management is established.
c) A documented privacy function and/or program supported by executive management is established.
d) The information security function/program sets forth security policies and standards enforced through administrative procedures that are maintained and updated as needed.
e) The privacy function/program establishes confidentiality policies that are maintained and updated as needed.
4. Issue and Corrective Action Management
a) Controls are implemented to reduce risks and vulnerabilities to a reasonable and appropriate level.
5. Exception Management
a) Disciplinary measures for violations are disclosed in the Information Security and Privacy Program.
b) An appropriate, documented security incident response plan is established by dhango in an effort to ensure incidents are tracked, monitored, and investigated until closure is achieved.
c) An appropriate, documented privacy incident response plan is established by dhango in an effort to ensure incidents are tracked, monitored, and investigated until closure is achieved.
Data Protection
1. Data Classification & Inventory
a) dhango maintains a documented information classification schemeto ensure proper protection, use and destruction of dhango's data.
2. Data Lifecycle Analysis
a) Systems containing personal data are documented, including security and privacy controls.
b) Documents showing the flow of personal data through systems and business processes are established.
3. Data Encryption & Obfuscation
a) Personal data is encrypted during storage on devices including handhelds, laptops, workstations, and removable media with industry standard encryption protocols, such as FIPS 140 2 compliance.
b) Personal data is encrypted during storage on servers with industry standard encryption protocols, such as FIPS 140 2 compliance.
c) Personal data is encrypted during transmission with industry standard encryption protocols, such as FIPS 140 2 compliance.
d) Business to business communications with personal data are encrypted.
4. Data Loss Prevention
a) A documented policy and process with regard to the removal or movement of personal data to unsecured systems or media is established.
b) Personal data, stored on removable media is secured with restricted access to those with a business need.
c) Technical controls are employed to prevent transmission of personal data to unauthorized recipients.
d) Technical controls are employed to prevent storage of personal data on unsecured systems.
5. Data Retention and Destruction
a) A policy with regard to the removal or destruction of personal data is established and implemented, and when appropriate purged or destroyed using a NIST 800-88 approved process when no longer needed.
Identity & Access Management
1. Authorized Persons Account Management
a) Access to systems and applications require a unique identifier (e.g., user ID) and multi-factor authentication (such as NIST 800 63B AAL2).
b) Authorized Persons IDs are locked after five consecutive unsuccessful login attempts.
c) Authorized Persons IDs are disabled after 60 days of inactivity.
d) Passwords are issued to Authorized Persons in a secure manner and changed after first login.
e) dhango has established industry standard password policies that meet or exceed NIST 800 63B Appendix A.
f) Passwords cannot be displayed on screens or in reports.
g) Passwords are encrypted in transmission and in storage.
2. Access Management
a) Access to personal data is restricted to individuals with a business need and access control mechanisms implemented to limit access appropriately.
b) Security administration procedures include procedures for access requests for new Authorized Persons, changing access, prompt deletion of Authorized Persons involving terminations, user transfers and periodic verification of Authorized Persons and access rights.
c) Authorized Person access requests are documented with management approval including privileged Authorized Persons.
d) Documented remote access policies for Authorized Persons are implemented and enforced.
e) Shared or System IDs are documented describing functions and risks.
f) Shared or System IDs are required to have passwords meeting or exceeding NIST 800 63B Appendix A.
g) Shared or System IDs are not accessible by an individual user for interactive use.
3. Data Platform Integration
a) All systems containing personal data have system access controls.
b) Single sign on technologies is leveraged wherever possible to eliminate the need for multiple access controls systems.
4. Access Reporting and Audit
a) Authorized Persons IDs and System IDs with privileged authorities are revalidated at least quarterly.
b) Authorized Persons' access to systems containing personal data are revalidated at least quarterly.
5. Access Governance
a) Authorized Persons access defined by job roles in an effort to segregate duties.
b) Authorized Persons' access logged and tracked to an individual.
6. Federation
a) Access to systems by agents, Subprocessors, or outsourced services must meet dhango's Identity Management requirements.
Secure Development Lifecycle
1. Security and Risk Requirements
a) A documented process is implemented to conduct an accurate and thorough assessment and mitigation of potential risks and vulnerabilities as part of the System Development Life Cycle.
b) Security controls are considered and implemented throughout the System Development Life Cycle.
c) Production and non-production environments are separated.
d) Non-production environments do not contain production data.
2. Application Role Design and Access Privileges
a) Application access privileges follow the least privilege concept.
b) Access is controlled by a common access methodology.
c) Application role design accounts for separation of duties.
3. Secure Coding Guidelines
a) Secure coding principles and practices are documented and followed.
4. Secure Build
a) Information technology systems deployment procedures ensure implementation of security configuration settings.
b) All security controls are tested prior to implementing new systems or upgrades into production.
Infrastructure, Operations and Network Security/Cyber Threat and Vulnerability Management
1. Antivirus (AV) & Malware protection
a) dhango maintains a documented policy and procedure for guarding against, detecting, and reporting malicious software.
2. Intrusion Detection and Prevention
a) Intrusion detection and prevention systems are implemented for critical components of the network and systems containing or processing personal data.
3. Network Access Controls
a) dhango maintains a policy and procedure to prevent unauthorized/unsecured devices from accessing the network.
4. Network and Application Firewalls
a) Firewalls are implemented and configured to deny access except authorized documented business services.
5. Data Loss Prevention
a) dhango maintains a policy and procedure to prevent transmission of personal data to unauthorized recipients or stored in unauthorized locations.
6. Remote Access Controls
a) Multi factor authentication (NIST 800 63B AAL2) is implemented for remote network access (e.g., VPN, Citrix, etc.).
7. Security Monitoring and Logging
a) dhango maintains a policy and procedure to monitor networks, systems, and applications for potential security events.
b) A documented process is maintained to respond to potential security events on a 24x7x365 basis.
c) Security relevant events are securely logged and tamper proof.
d) All events are traceable to specific individuals or systems.
e) Logs are implemented on systems storing or processing critical information.
f) Logs are retained for a minimum of twelve (12) months.
g) Logs are reviewed for inappropriate activities in a timely manner and appropriate actions must be taken.
Cyber Threat and Vulnerability Management
1. OS Hardening & Secure Configuration
a) Required security configuration settings are selected and documented.
b) Documented processes are implemented to periodically verify security configuration settings.
c) Information systems are able to access or process personal data actively and automatically blank the screen or enable a screen saver and require re-authentication after fifteen (15) minutes of inactivity or less.
2. Patch Management
a) A patch management process is implemented and enforced.
b) Prompt application of security patches, service packs, & hot fixes is required for all systems that store, process, manage or control access to personal data.
3. Vulnerability Management and Security Assessments
a) dhango maintains a process and procedure to identify, quantify, prioritize, track, and remediate vulnerabilities.
b) Periodic third-party assessments are conducted from outside and within the network at least annually.
c) Vulnerability assessments are conducted at least quarterly.
4. Incident and Problem Management
a) A problem management system is implemented.
5. Capacity Management
a) dhango maintains a documented policy and process to evaluate current capacity against projected requirements.
6. Change and Release Management
a) dhango maintains a documented policy and process for change management.
b) dhango maintains a documented policy and process for release management.
c) Systems and application resources are changed through an enforced and documented change management process.
7. Asset and Configuration Management
a) dhango maintains an auditable and documented inventory of information technology assets and architectures.
Physical Security
1. Policies, Standards, and Procedure Management
a) dhango maintains a documented physical security function and/or program.
b) The physical security function/program establishes physical security policies enforced through automated systems and administrative procedures.
c) All servers storing or processing personal data to be located in a secure data center or equivalent secure facility.
2. Facility Access Controls
a) Employees are required to wear identification badges at all times in sensitive facilities.
b) Visitors must be identified, sign in, wear temporary visitor badges, and be escorted.
c) Establishment of two levels of authentication for data center access to sensitive areas.
d) Data center and other sensitive facilities access are periodically reviewed to ensure access is valid.
e) Facility access logs retained for at least twelve (12) months and be reviewed as needed.
3. Issue and Corrective Action Management
a) Any known high risk physical security vulnerabilities affecting personal data is communicated to support@dhango.com.
b) Any Data Center facility is equipped and maintained with fire detection/suppression, surge and brown-out, air conditioning, and other computing environment protection systems necessary to assure continued service for critical systems.
c) dhango maintains policies and procedures to document repairs and modifications to physical components of facilities where personal data is stored, which are related to security (for example, hardware, walls, doors and locks).
d) All hardware and electronic media containing personal data identified and tracked.
