General terms and conditions
1.1 The conclusion of an agreement for the APPMIRAL service shall entail the full and unconditional acceptance of these Terms and Conditions.
2. Agreement & scope
2.1 The APPMIRAL Service is provided to Client by CM.com (“CM.com”).
2.2 An Agreement shall be concluded by and between CM.com and the Client by the signing of an Order, incorporating these Terms and Conditions.
2.3 The Terms and Conditions contain the general contractual framework for the Services that may be provided by CM.com to the Client with regard to the Product, consisting of:
- A right to use the Product (the “Product License”);
- A right to receive Services in relation to the Product.
2.4 Each Order mentions the specific terms agreed upon with regard to the relevant subject and applies in addition to these Terms and Conditions. In the event of a conflict or a conflict of interpretation between these Terms and Conditions and an Order, the terms and conditions of the latter will apply.
3. Set Up of the product
3.1 CM.com shall provide the set up and implementation of the Product to the Client, consisting of the design, development and delivery of the Product to the Client and submitting the Product to the store(s) (the “Set Up Services”).
3.2 CM.com shall use all reasonable endeavours to ensure that the Set Up Services are provided in accordance with the timetable set out in the Proposal.
3.3 The Client acknowledges that a delay in the Client performing its obligations under these Terms and Conditions may result in a delay in the performance of the Set Up Services and CM.com will not be liable to the Client in respect of any failure to meet the Set Up Services timetable to the extent that failure arises out of a delay in the Client performing its obligations.
4. Product license
4.1 Grant of license
CM.com grants to the Client a non-exclusive and non-transferable right to use the Product during the Term, in accordance with these Terms and Conditions and for the Client’s own internal purposes and business operations exclusively.
4.2 Client restrictions
The Client may not:
- copy, translate, modify, adapt, decompile, disassemble, reverse engineer the Product in whole or in part, except as and to the extent specifically authorized by applicable law;
- create derivative works on the basis of the Product, modify the design of the databases that underlie the Product or perform Updates using update queries not supplied by CM.com;
- transfer the Product as a whole or in parts to the IT-environment of third parties without the consent in writing of CM.com;
- at any time deposit as security, assign, sub-license, sublease, sub-host, sell or give away control of any portion of the Product, without CM.com’s written consent.
4.3 Title and Ownership
Nothing in these Terms and Conditions will create the transfer of title or (intellectual) property rights to the Product and related objects by CM.com to the Client.
4.4 Protection & modifications
CM.com is authorized to take technical measures to protect the Product against unauthorized use and/or copying.
CM.com is authorized to replace or modify the source code of the Product in order to adjust it to the evolution of the Product.
4.5 Crowd Connect Feature
In the event that Client requests CM.com to integrate the Crowd Connect feature in the Product, and Crowd Connect is a part of the Service provided to Client under the Agreement, the following conditions apply and Client hereby unconditionally accepts and agrees to the terms and conditions of Crowd Connect available at https://www.crowdconnected.com/downloads/Colocator-TsCs.pdf
5.1 CM.com and the Client may agree that CM.com shall design, develop and implement a Customisation or Customisations in accordance with a specification and project plan agreed in writing by the parties in an additional Order.
5.2 All Intellectual Property Rights in the Customisations shall, as between the parties, be the exclusive property of CM.com (unless the parties agree otherwise in writing).
5.3. The Client acknowledges and agrees that CM.com is the only party who is allowed to design, develop and implement Customisations to the Platform.
6. Support Services
6.1 CM.com shall provide the Support Services to the Client during the Term.
6.2 CM.com shall provide the Support Services in accordance with the standards of skill and care on a best effort basis.
6.3 CM.com shall provide the Support Services in accordance with Attachment 2.
6.4 CM.com may suspend the provision of the Support Services if any amount due to be paid by the Client to CM.com under the Terms and Conditions is overdue, and CM.com has given to the Client at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Support Services on this basis.
7. Maintenance Services
7.1 CM.com shall provide the Maintenance Services to the Client during the Term, at its sole discretion.
7.2 CM.com shall provide the Maintenance Services with reasonable skill and care in accordance with Attachment 3.
7.3 CM.com may suspend the provision of the Maintenance Services if any amount due to be paid by the Client to the CM.com under the Terms and Conditions is overdue, and CM.com has given to the Client at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Maintenance Services on this basis.
8.1 CM.com shall maintain the availability of the Product to a sufficient level during the Term.
CM.com shall provide the Services in relation to the availability of the Product with reasonable skill and care, in accordance with Attachment 4.
CM.com may suspend the provision of the Services in this respect if any amount due to be paid by the Client to CM.com under the Terms and Conditions is overdue, and CM.com has given to the Client at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Services concerning the availability of the Product on this basis.
9. Client obligations
9.1 In order to respect the provision of Services under these Terms and Conditions, the Client will:
- make sure that the System Requirements (both software and hardware requirements) are met;
- provide the design assets and data required in a timely manner in order for CM.com to provide the Services to the Client under the Terms and Conditions;
- grant its co-operation to the Set Up Services by providing all useful and requested information and timely approvals to CM.com ;
- provide reasonable assistance to CM.com in diagnosing defects or any security issues relating to the Product;
- not request, permit or authorize anyone other than CM.com to provide any Services in respect of the Product without the written authorization of/or as suggested by the latter.
9.2 If any data or other input required from the Client for the Set Up Services or for the provision of Support Services is not available to CM.com or not available in good time or if the Client does not fulfil its obligations in any other way, CM.com will be entitled to suspend the execution of Services under these Terms and Conditions and/or charge extra, without prejudice to the right of termination in accordance with Clause 14.
10. Excluded matters
10.1 CM.com will have no obligation to provide Services for:
- a Product that has been modified, repaired altered or merged with unauthorized software by the Client or third parties;
- use of the Product not in line with the reasonable instructions of CM.com ;
- use of the Product for a purpose for which it was not designed.
10.2 Any service which is provided by CM.com as a result of any of the foregoing will be considered as additional Services out of scope and charged in accordance with the then current rates of CM.com or subject to the signing of an additional Order.
11.1 The Annual Fees for the Product license and Services provided under these Terms and Conditions are listed in the Order.
11.2 The cost for the development of new functionalities, development services in relation to integration with new Client systems will be charged separately to the Client in accordance with an additional Order.
12. Payment terms and taxes
12.1 The Client agrees to pay all invoices issued by CM.com under the Terms and Conditions.
Except if explicitly agreed otherwise in the Proposal, CM.com’s invoices must be paid by the Client within fourteen (14) days, starting on the invoice date and to the account number as mentioned on the relevant invoice.
12.2 In case of any overdue payment, the relating invoice will, without prior notice of default, bear interest at the rate of 8% per month, as well as a contractual indemnity set at 10% of the total amount invoiced, with a minimum of € 300.
In addition, in case of any overdue payment:
- all other claims against the Client that are not yet due, will become due without prior notice;
- CM.com can refuse to deliver any Services until the amount owed has been paid in full, including any interest and contractual indemnity due thereon;
- CM.com can pursue any other remedies available under applicable law.
12.3 Unless explicitly agreed otherwise, all amounts are net of taxes. All taxes which are or may be levied in the future by a government authority in respect of the Services provided by CM.com under these Terms and Conditions, will be borne by the Client.
13. Limited warranty
13.1 CM.com warrants that the Product conforms in all material respects to the specifications as listed in the Order.
13.2 CM.com provides no other warranty, whether express or implied, in relation to the Product, except for the mandatory legally provided warranties. In particular, CM.com provides no warranties of any kind in relation to:
- the merchantability and/or fitness of the Product for a particular purpose;
- the compatibility of the Product with the software and/or the hardware of third parties;
- the expectation of the Client that the Product will satisfy or may be customized to satisfy all or any of Client’s specific requirements, except if explicitly agreed otherwise in writing;
- the uninterrupted or error-free use of the Product by the Client, regardless of whether such warranty would otherwise be imposed by contract, statute, course of dealing, custom and usage, or otherwise.
13.3 If CM.com supplies or assists in supplying to the Client any hardware or non- CM.com software during or after the Setup Services, the Client acknowledges that any warranty is provided solely by the relevant third party vendor, and not by CM.com in whatever way. Hence, the Client will address any warranty or other claim directly to the relevant third party.
14. Term and Termination
14.1 The Agreement will commence on the Signature Date and will remain in force and effect for an initial period stipulated in the Order (the “Term”).
Subsequently the Term will be tacitly renewed for the same periods as the initial period, unless the Agreement is terminated by one of the Parties upon written notice to the other Party at the latest three (3) months before the end of the then current period.
14.2 Despite the above, the parties will be entitled, without prejudice to their other rights or remedies, to terminate the Agreement at any time and with immediate effect by notice by registered letter to the other party if (“Termination for cause”):
- said party is in breach of any of its obligations under the Agreement and either that breach is incapable of remedy or the concerning party has failed to remedy that breach within thirty (30) days after receiving written notice requiring it to do so; or
- a court order is made for the winding up of said party;
- an effective resolution is passed for the winding up of said party (other than for the purposes of amalgamation or reconstruction);
- said party has a receiver, manager, administrative receiver or administrator appointed in respect of it; or
- said party is unable to pay its debts as they fall due or its assets are worth less than its liabilities on a balance sheet basis.
Such immediate termination of the Agreement will automatically cause the immediate termination of the Proposal and any additional Proposals between the parties.
14.3 Upon early termination of the Agreement a) by CM.com due to the Client’s breach or b) by the Client in breach of the Agreement, CM.com may require the payment of damages proportionate to the remaining Fees, without prejudice to any other indemnity exceeding this amount.
14.4 Upon expiry or termination of the Agreement:
- the Client’s right to receive and use the Product and/or Services under the Agreement will cease automatically;
- each party will immediately return to the other all property and materials belonging to that party, including all Confidential Information;
- all amounts due from the Client to CM.com hereunder will be paid immediately.
14.5 Any termination of the Agreement will not affect any accrued rights or liabilities of either party, nor will it affect the coming into force or the continuance in force of any provision of these Terms and Conditions which are expressly, or by implication, intended to come into force or continue in force on or after termination.
15. Relationship between the parties
15.1 The relationship between the parties is that of independent contractors. Nothing in these Terms and Conditions will constitute, create or give effect to a joint venture, employer/employee relationship, partnership or other co-operative entity between the parties.
16. Limitation of liability
16.1 CM.com will not be liable to the Client or any other party for any indirect or consequential economic losses or damages, including, but not limited to, loss of profits, loss of revenue, loss of data or loss of goodwill, howsoever arising out of or in connection with the performance of Services under these Terms and Conditions.
16.2 To the full extent permitted by applicable law, CM.com’s total liability for direct damages to the Client in respect of these Terms and Conditions will not exceed the amount of the Fees paid by the Client for the last six (6) months, but never exceeding a total amount of EUR 50.000 (fifty thousand Euros).
17. Intellectual Property Rights
17.1 All Intellectual Property Rights in either party’s materials, information or data provided by that party to the other party under these Terms and Conditions will be and remain vested in that party. The other party will have no rights in respect thereof save for any rights granted to it by that party under these Terms and Conditions.
17.2 All intellectual Property Rights in any materials, logo’s trademarks of Client (“Client Materials”) which are provided by Client to CM.com and are used in the Product will be and remain vested in Client at all times. When supplying Client Materials, and/or any third party materials Client represents and warrants that (i) it has obtained all necessary rights, authorizations and licenses for the access to and the use of the Client Materials and/or third party materials by CM.com; (ii) CM.com’s use of the Client Materials and/or third party materials in accordance with the agreement will not violate any applicable (data protection) law or cause a breach of any agreement or obligations between Client and any third party; and (iii) the use of the Client Materials and/or third party materials, and the provisioning of the Service and Product will not infringe nor violate any Intellectual Property Rights of any third party.
17.3 All Intellectual Property Rights in the Product, the APPMIRAL and/or CM.com trademark and all signs and logos used in the Product will be and remain vested in CM.com at all times. The Client will have no rights in respect thereof save for any rights granted to it by CM.com under these Terms and Conditions.
17.4 All Intellectual Property Rights created in the delivery of Services will, as between the Parties, be the exclusive property of CM.com.
17.5 The Client acknowledges that CM.com may make the result of any Services available to any of its other clients or any other third party.
17.6 CM.com allows rebranding of the Product depending on the pricing tier selected, as stipulated in the SOW.
18. Indemnity for breach of third party rights
18.1 Without prejudice to Clause 16, CM.com will indemnify the Client against any direct damages which may be awarded against it by an enforceable court decision, as a result of the Product being held to infringe an Intellectual Property Right of a third party, but only if:
- the Client notifies CM.com promptly by e-mail, immediately confirmed by registered mail, upon learning that a claim might be asserted;
- CM.com has sole control over the defense of the claim and of any negotiations for its settlement or compromise;
- the Client takes no action that is contrary to CM.com’s interests.
18.2 If a claim, as described in this clause, may be or has been asserted, the Client will permit CM.com, at the latters option and expense, to:
- procure the right to continue using the Product;
- replace or modify the Product to eliminate the infringement while providing functionally equivalent performance; or
- return the Product and refund to the Client a pro rata share of Fees that the Client has actually paid for the period that the Product is/was not usable.
18.3 CM.com will have no indemnity obligation whatsoever to the Client under this clause if the Intellectual Property Rights infringement claim results from:
- a correction or modification of the Product not provided by CM.com;
- the failure to promptly respond to suggested Updates or Upgrades which would resolve the infringement;
- the use of the Product by the Client in a manner not consistent with these Terms and Conditions or the reasonable instructions of CM.com; or
- the combination of the Product with other software not agreed upon by CM.com.
19.1 The parties acknowledge that they may become privy to Confidential Information which is disclosed by the other party.
19.2 The Receiving Party will keep all Confidential Information confidential. The Receiving Party will not disclose Confidential Information to any other person, and will not use Confidential Information for any purposes other than for the purposes of the Agreement. The Receiving Party will safeguard the Confidential Information to the same extent that it safeguards its own confidential and proprietary information and in any event with not less than a reasonable degree of protection.
19.3 The Receiving Party agrees to disclose Confidential Information only on a “need-to-know” basis to employees and independent contractors.
19.4 The Receiving Party agrees that before any of its subcontractors and/or agents may be given access to Confidential Information, each such subcontractor and/or agent will agree to be bound by a confidentiality undertaking comparable to these Terms and Conditions. Notwithstanding the return of any Confidential Information, the Receiving Party and its subcontractors and/or agents will continue to hold in confidence all Confidential Information, which obligation will survive any termination of the Agreement.
19.5 In the event the Receiving Party is requested or required to disclose, by court order or regulatory decision, any of the other party’s Confidential Information, the Receiving Party will provide the other party with prompt written notice so that the Disclosing Party may seek a protective order or other appropriate remedy and/or waive compliance with the provisions of these Terms and Conditions. The Receiving Party will furnish only that portion of the Confidential Information which is legally required.
19.6 Within ten (10) Business Days upon (i) the termination of the Agreement or (ii) the Disclosing Party’s reasonable earlier request at any time, the Receiving Party will destroy or return to the Disclosing Party (at its option) any and all of Disclosing Party’s Confidential Information, and will purge all copies and traces of the same from any storage location and/or media.
19.7 Confidential Information will not include any information that the Receiving Party can establish:
- prior to receipt from the Disclosing Party, was in the possession of or rightfully known by the Receiving Party without an obligation to maintain its confidentiality;
- at the time of use or disclosure by the Disclosing Party was generally known to the public without violation of these Terms and Conditions and not as a result of any action or inaction of the Receiving Party;
- is disclosed to the Receiving Party by a third party not in violation of any obligation of confidentiality; or
- is independently developed by the Receiving Party without the participation of employees or other individuals who have had access to Confidential Information of the Disclosing Party.
20. Data Protection
20.1 Each party shall, at all times, comply with its respective obligations under the General Data Protection Regulation 2016/679, as amended, and any further implementation or replacement of that law (“Data Protection Legislation”). The word “Process” and the expression “Personal Data”, when used in this clause shall have the meaning assigned thereto in the Data Protection Legislation.
20.2 CM.com shall process Personal Data provided to it pursuant to these Terms and Conditions and the Data Processing Addendum (Attachment 5) in accordance with the Data Protection Legislation.
21. Subcontracting and assignment
21.1 CM.com will be entitled to use the services of subcontractors for the performance of any Services under these Terms and Conditions. In such case, CM.com will remain liable towards the Client for the performance of these services.
21.2 The Agreement may not be assigned by either party without the written consent of the other party, in whole or in part, such consent not to be unreasonably withheld; provided, however, that either party may assign the Agreement, in whole or in part, without prior notice or permission to; (i) any of its affiliates or to a third party that succeeds all or substantially all of its business and assets relating to the subject matter of the Agreement, whether by merger, acquisition, sale of a majority of its equity, sale of substantially all of its assets, or a similar transaction; or (ii) to a financial institution in the event of an assignment of receivables. Any prohibited assignment shall be null and void. Subject to the foregoing, the Agreement shall be binding upon and shall inure to the benefit of the successors and permitted assigns.
22. Intellectual Property Rights
22.1 If the performance of the Agreement by either party, or of any obligation thereunder (with the exception of payment obligations), is prevented, restricted or interfered with by reason of war, revolution, civil commotion, riot, fire, flood, disaster, acts of public enemies, blockade or embargo, strikes, any law, order, proclamation, regulation, ordinance, demand or requirement having a legal effect of any government or any judicial authority or representative of any such government, or any other act whatsoever, which is beyond the reasonable control of the party affected, such party will, upon giving prior written notice to the other party, be excused from such performance to the extent of such prevention, restriction, or interference, provided that the party so affected will use its best efforts to avoid or remove such causes of non-performances, and will continue performance thereunder with the utmost dispatch whenever such causes are removed; provided, however, that the non-excused party may terminate the Agreement if such non-performance continues uncured for thirty (30) calendar days.
23.1 Compliance with laws and regulations
Both parties will, for their own accounts, comply with the laws and regulations of the public authorities relating to these Terms and Conditions and pay all fees or other expenses in this respect.
The failure of either party at any time to insist upon strict performance of any of the provisions under these Terms and Conditions will not be deemed a waiver of its right at any time thereafter to insist upon strict performance.
All notices, demands or consents required or permitted under these Terms and Conditions will be in writing. Notice will be sent to the parties at the addresses set forth on the SOW, or at such other address as will be given by either party to the other in writing.
Section headings used herein are for reference only and will not be used to construe the provisions of these Terms and Conditions. The plural will be deemed to include the singular, and the singular will be deemed to include the plural.
23.5 Applicable law and jurisdiction
As per Attachment 1: Governing law and disputes.
24. Definitions and interpreation
For the purposes of these Terms and Conditions, the following terms will have the meanings specified or referred to in this clause:
“Agreement” each agreement and/or “Order” entered into by and between CM.com and the Client, to which these Terms and Conditions shall apply.
“Attachment” will mean any attachment to these Terms and Conditions, forming an integral part thereof.
“Bugs” will mean any mistake, problem, or malfunction which causes an incorrect or inadequate functioning of the Product without such Incident being caused by third party interference or dependencies.
- “Major Bug” will mean a Bug which has a substantial impact on Client’s use of the Product, as listed in the APPMIRAL Service Level Agreement as incidents of severity High and Urgent;
- “Minor Bug” will mean a Bug which does not have any substantial impact on Client’s use of the Product, as listed in the APPMIRAL BASIC Support Services Agreement as incidents of severity Low and Medium.
“Business Day” will mean Monday through Friday, excluding public holidays in Belgium.
“Business Hours” will mean 9:00 a.m. – 5:00 p.m. on a Business Day in the Brussels timezone.
“Client” will mean the Party receiving the right to use the APPMIRAL Product and Services as defined in the Proposal.
“CM.com” the CM.com group company entering into the Agreement with Client as identified in the applicable Agreement.
“Confidential Information” will mean any and all information that is disclosed (orally, in writing, by electronic delivery, or otherwise) by one party (“Disclosing Party”) to the other party (“Receiving Party”) prior to or during the term of the Agreement (or to which the Receiving Party otherwise gains access as a result of the Agreement) relating to the business of the Disclosing Party, including without limitation business plans and models, financial information, market research, Client and supplier information, proprietary software and methods, and information concerning proprietary inventions and technologies. The Product, Documentation and these Terms and Conditions, including the amount of fees to be paid hereunder, are agreed to be Confidential Information of APPMIRAL.
“Documentation” will mean any (a) publications relating to the use of the Product, such as reference manuals, user guides, systems administrator and technical guides; or any (b) written materials prepared by APPMIRAL describing the infrastructure setup, platform, software requirements or any technical specifications relating to the functionality of the Product, installation specifications, and other technical requirements specified for the operation of the Product, as made available by APPMIRAL to the Client.
“End users” will mean the people who actually have access to and use the Product. This may include, but is not limited to, the Client’s employees, (sub)contractors and other members of the Client’s workforce.
“Fees” will mean all fees – annual or one-off, related to the Services provided by APPMIRAL as agreed upon in the Proposal.
“Incident” , “error” or “defect” will mean that the operation of the Product deviates from the (expected) standard as provided for in the Proposal and any related Documentation.
“Intellectual Property Rights” will mean all patent rights, trademarks, designs and models, copyrights, softwarerights, rights in databases, proprietary rights in know-how, including trade secrets and other confidential information, and any other form of legally protectable intellectual or industrial property rights under any jurisdiction whatsoever.
“Payment Milestone” will mean a specific moment or event as defined in the Proposal, triggering the payment date of certain Fees.
“Product” will mean the APPMIRAL core product, which is a software application, with regard to festivals and more specifically one of the different packages offered by APPMIRAL, namely (i) improve, (ii) extend or (iii) augment, as listed in the Proposal.
“Product License” will mean a right to use the Product.
“Services” will mean any services that APPMIRAL provides to the Client under these Terms and Conditions.
- “Set Up Services” will mean, amongst others, set up, implementation and integration supplied by APPMIRAL to the Client with regard to the Product.
- “Maintenance services” will mean any services related to the maintenance of the Product.
- “Support Services” will mean any services related to the support of the Product.
“Signature Date” will mean the moment the Proposal is signed.
“Sign off” will mean the moment in which the Product, as it was deployed to production is accepted by the Client.
“Proposal” will mean an offer that includes all commercial aspects, also incorporating these Terms and Conditions, that may be signed between APPMIRAL and the Client.
“System Requirements” will mean, the minimum hardware and software requirements, including devices, operating system versions and general End User equipment requirements to run the Product, as listed in the Proposal and the Documentation, or notified otherwise by APPMIRAL to the Client.
“Term” will mean the initial period stipulated in the SOW.
“Terms and Conditions” will mean the general Terms and Conditions of APPMIRAL as set out herein and applying to all Proposals of APPMIRAL.
“Update” will mean a release of the Product which corrects faults and Bugs or otherwise amends the Product, but which does not constitute an Upgrade.
“Upgrade” will mean a new version of the Product, usually consisting of several bundled improvements, adjustments and reviews.
The titles and headings included in these Terms and Conditions are for convenience only and do not express in any way the intended understanding of the parties. They will not be taken into account in the interpretation of these Terms and Conditions.
The Attachments to the Terms and Conditions form an integral part thereof and any reference to the Terms and Conditions includes the Attachments and vice versa.
Attachment 1: Governing Law and Disputes
The Agreement is between Client and the CM.com entity identified in the Order. Unless expressly agreed otherwise, the Agreement will be governed by and interpreted according to the laws of the state or country identified in the table below without regard to conflict of law principles. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to the Agreement. All disputes will be subject to the exclusive jurisdiction of the dispute forum identified below.
|CM.com contracting entity and notices address||Governing law||Dispute forum|
|CM.COM Netherlands B.V.
Konijnenberg 30, 4825 BD Breda, the Netherlands.
VAT number: NL815652288B01
Coc number: 20123808
CM.com International B.V.
Konijnenberg 30, 4825 BD Breda, the Netherlands.
Coc number: 20163380
|Dutch||Competent court in Amsterdam, the Netherlands.|
|CM.com Denmark A/S
H.C. Andersens Boulevard 38, 3. th, 1553 København V, Denmark.
VAT number: DK42857661
Coc number: 42857661
|Denmark||Competent court in Copenhagen, Denmark.|
|CM Communication Platform & Technology, S.L.U.
Calle Serrano 41, 4a planta, 28001 Madrid, Spain.
VAT number: ESB88586961
Coc number: B88586961
|Spain||Competent court in Madrid, Spain.|
|CM Telecom France SAS
3-5 rue Saint-Georges, 75009 Paris, France.
VAT number: FR66802946715
Coc number: 802946715
|French||Competent court in Paris, France.|
|CM Telecom Hong Kong Ltd.
3806 Central Plaza, 18 Harbour Road, Wanchai, Hong Kong.
Coc number: 231683
|Hong Kong||Competent court in Hong Kong.|
|CM Telecom Shenzhen Co. Ltd.
Rm 201, Building A, No. 1 Qianwan Yi Road, Qianhai Shenzhen Hong Kong Corporation Area, Qianhai District Shenzhen, China.
VAT & Coc number: 91440300MA5DJN2T4Y
|The People’s Republic of China||Notwithstanding the possibility of appeal – be submitted to the People’s Court of CM.com registered residence.|
|CM Telecom Singapore Private Limited
77 Robinson Road #13-00, Singapore 068896.
VAT & Coc number: 201936423E
|Singapore||Arbitration in Singapore in accordance with the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force, which rules are deemed to be incorporated by reference in this clause. The seat of the arbitration shall be in Singapore. The Tribunal shall consist of one arbitrator. The language of the arbitration shall be in English.
|CM Telecom South Africa (Pty) Ltd
Mazars House, Rialto Rd, 7441 Grand Moorings Precinct, Century City, Cape Town, South Africa.
VAT number: 4650274337
Coc number: 2015/290821/07
|South Africa||The parties shall use their best efforts to settle the dispute by mediation.
Upon written notice from any party to the other (the “Dispute Notice”) the dispute shall be referred to a suitably qualified independent mediator, whose identity shall be agreed between the parties in writing, within 7 (seven) days of receipt of the Dispute Notice, and failing agreement as aforesaid, to a suitably qualified independent mediator appointed by the President for the time being of the Cape Law Society (or its successor body in the Western Cape). The mediator shall be an Africa Centre for Dispute Settlement accredited mediator.
The mediation shall be held at a venue in Cape Town. The parties shall agree on the mediation procedure and failing agreement within 14 (fourteen) days of receipt of the Dispute Notice or such longer period of time as may be agreed to in writing, then, the mediation shall take place in accordance with the United Nations Commission on International Trade Law Model Conciliation Rules in force at the time of the dispute.
If for any reason, including lack of co-operation by the parties, a dispute is not settled by mediation within 30 (thirty) days of receipt of the Dispute Notice or such longer period of time as may be agreed to in writing, then the dispute shall be settled by arbitration in accordance with the following provisions:
the arbitrator shall, if the dispute is agreed in writing by the parties to be:
primarily an accounting matter, be an independent practicing accountant of not less than 10 (ten) years’ standing as such;
primarily a legal matter, be an attorney of not less than 10 (ten) years’ standing as such or a practicing senior counsel;
any other matter, be a suitably qualified independent person, agreed upon in writing by the parties; provided that if the parties do not, within 14 (fourteen) days of the 30-day period contemplated in clause 16.5 agree in writing as to the identity of the arbitrator, the arbitrator shall, irrespective of the nature of the dispute, be appointed by the Registrar of the Arbitration Foundation of Southern Africa upon request by any party to make such appointment;
the arbitration shall be held at a venue in Cape Town and shall be conducted in accordance with the rules of the Arbitration Foundation of Southern Africa;
immediately after the arbitrator has been appointed, any party shall be entitled to call upon the arbitrator to fix a date and place when and where to meet with the arbitrator to settle the manner in which the arbitration proceedings will be held;
subject to the clause above any order or award that may be made by the arbitrator: shall be final and binding; shall be carried into effect; and may be made an order of any competent court.
Nothing in this section shall preclude any party from seeking interim and/or urgent relief from a court of competent jurisdiction.
|CM Telecom UK Ltd.
8th Floor, 20 Farringdon Street, EC4A 4ABLondon, United Kingdom of Great Britain and Northern Ireland.
VAT number: GB138342417
Coc number: 08141550
|England and Wales||Competent court in London, England and Wales.|
|CM.com Belgium N.V.
Stationsstraat 100, 2800 Mechelen, Belgium.
VAT number: BE0472759588
Coc number: 472759588
|Belgium||Competent court in Brussels, Belgium.|
|CM.com Brasil Ltda
Av Brigadeiro Faria Lima, 1485, 01452-002 Sao Paulo, Brazil.
Coc number: 44.287.836/0001-94
|Brazil||Competent court in Sao Paulo, Brazil.|
|CM.com Germany GmbH
Wiesenhüttenstraße 11, 60329 Frankfurt/Main, Germany.
VAT number: DE298052829
Coc number: HRB 13092
|German Federal Republic law||Notwithstanding the possibility of appeal – be submitted to the competent court in Frankfurt if the Client is classified as a merchant (“Kaufmann”), he concludes this Agreement as part of his professional activities, the Client is an institution of public law or a special fund under public law.
|CM.com Italy S.r.l.
Via Milano Fiori 6, 20090 Edificio A, Scala 13, Piano 1, 1st floor, Assago (MI), Italy.
VAT number: IT11506110961
Coc number: 2608080
|Italy||Competent court in Milan, Italy.|
|CM.com Japan K.K.
4-3-5 704 Ebisu, Shibuya-ku, 150-0013 Tokyo, Japan.
VAT number: 4011001121020
Coc number: 0110-01-121020
|Japan||Competent court in Tokyo, Japan.|
|CM.COM Mexico, S. de R.L. de C.V.
Boulevard Manuel Avila Camacho Num Ext 176, Int Piso 11, 11650 Ciudad de Mexico, Mexico.
Coc number: 202100101305
|Estados Unidos Mexicanos||Competent court in Estados Unidos Mexicanos.|
|CM.com US Inc.
11801 Domain Blvd, 3rd floor – B 133, Austin, TX, 78758, USA.
Coc number: 7734319
|State of New York, USA||Competent court in State of New York, USA.|
|CMCOM Kenya Limited
Applewood Adams Room 1113, Ngong Road, Nairobi, Kenya.
VAT number: P051936698J
Coc number: PVT-Y2UMZL5
|Kenya||Competent court in Nairobi, Kenya.|
|CMCOM TURKEY ELEKTRONİK HABERLEŞME LİMİTED ŞİRKETİ
Maslak Mahallesí Maslak Meydan Sk. Beby Giz Plaza A, Blok Apt. no: 1-99, Sariyer/Istanbul, Turkey.
VAT number: TR2111266107
Coc number: 10898352
|Republic of Turkey||Competent court in Istanbul, Çağlayan (Central), Turkey.|
|Communication Platform India Private Limited
2nd Floor, Sabari Complex, 24 Field Marshal, Cariappa Road, Shanthala Nagar, Ashok Nagar, Bangalore, Karnataka 560025, India.
VAT number: 29AAJCC2024Q1ZA
Coc number: U72900KA2020FTC142667
|India||Competent court in Bangalore, India.|
Attachment 2: APPMIRAL support services
1.1 CM.com shall provide the Support Services to the Client during the Term on a best effort basis.
1.2 CM.com shall provide the Support Services in accordance with the standards of skill and care reasonably expected from a service provider in the industry.
1.3 CM.com may suspend the provision of the Support Services if any undisputed amount due to be paid by the Client to CM.com under this Agreement is overdue, and CM.com has given to the Client at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Support Services on this basis.
2. Provision of Support Services
2.1 The Support Services shall be provided remotely, save to the extent that the Parties agree otherwise in writing.
2.2 The Support Services shall be provided during Business Hours, on Business Days.
3. Limitations on Support Services
3.1 CM.com shall have no obligation to provide Support Services in respect of any Incident caused by:
(a) the improper use of the Product by the Client; or
(b) any alteration to the Product made without the prior consent of CM.com.
Attachment 3: APPMIRAL Maintenance Services
1.1 This Attachment 3 sets out the service applicable to the Maintenance Services.
2.1 CM.com shall apply Updates to the Product as follows:
(a) third party security Updates shall be applied to the Product following release by the relevant third party, providing that CM.com may -acting reasonably – decide not to apply any particular third party security Update;
(b) CM.com’s security Updates shall be applied to the Product following the identification of the relevant security risk and the completion of the testing of the relevant Update; and
(c) other Updates shall be applied to the Product in accordance with any timetable notified by CM.com to the Client.
3.1 CM.com shall produce Upgrades at its sole discretion.
Attachment 4: Availability
1. Introduction to availability
1.1 This Attachment 4 sets out CM.com’s availability commitments relating to the Product.
1.2 In this Attachment 4, “uptime” means the percentage of time during a given period when the Product is available at the gateway between public internet and the network of the hosting services provider for the Product.
2.1 APPMIRAL shall use reasonable endeavours to ensure that the uptime for the Product is at least 99,5 % during each calendar month
3.1 Downtime caused directly or indirectly by any of the following shall not be considered when calculating whether CM.com has met the uptime guarantee given in Clause 2.1 of this Attachment 4:
(a) a Force Majeure Event;
(b) a fault or failure of the internet or any public telecommunications network;
(c) a fault or failure of the Client’s computer systems or networks;
(d) any breach by the Client of these Terms and Conditions; or
(e) maintenance carried out in accordance with these Terms and Conditions; or
(f) outages or planned maintenance caused by third party (hosting) providers.
Attachment 5: Data Processing Addendum
This GDPR Data Processing Addendum (“DPA”) forms part of the Terms and Conditions.
The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws as defined below.
In the course of providing services to the Client, CM.com (the “Processor”) may process personal data on behalf of the Client (the “Controller”).
In this DPA, the following terms shall have the meanings set out below:
|“Authorised Sub-processors”||means (a) those Sub-processors set out in Annex 3 and (b) any additional Sub-processors consented to in writing by Controller in accordance with the Sub-processing section.|
|“Sub-processor”||means any Data Processor (including any third party) appointed by CM.com to process Controller Personal Data on behalf of the Controller.|
|“Process/Processing”, “Data Controller”, “Data Processor”, “Data Subject”,”Personal Data”,
“Special Categories of Personal Data”
|and any further definition not included under this Agreement or the CM.com Agreement shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”).|
|“Data Protection Laws”||means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) as well as any local data protection laws.|
|“Erasure”||means the removal or destruction of Personal Data such that It cannot be recovered or reconstructed.|
|“EEA”||means the European Economic Area.|
|“Third country“||means any country outside EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.|
|“Controller Personal Data”||means the data described in Annex 1 and any other Personal Data processed by CM.com on behalf of the Controller pursuant to or in connection with the Agreement.|
|“Personal Data Breach”||means a breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.|
|“Services”||means the services supplied by CM.com to the Controller pursuant to the agreement(s) in place between the parties.|
|“Deliverables”||means the products supplied by CM.com to the Controller pursuant to the Agreement .|
|“Standard Contractual Clauses”||means the standard contractual clauses for the transfer of personal data to Processors established in Third countries, as approved by the European Commission Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these.|
In the course of providing the Services and/or Deliverables to the Controller pursuant to the Agreement, CM.com may process Controller Personal Data on behalf of the Controller as per the terms of this DPA. CM.com agrees to comply with the following provisions with respect to any Controller Personal Data.
To the extent required by applicable Data Protection Laws, CM.com shall obtain and maintain all necessary licenses, authorizations and permits necessary to process Personal Data including the Controller Personal Data mentioned in Annex 1.
CM.com shall maintain all the technical and organizational measures to comply with the requirements set forth in the DPA and its Annexes.
Processing of Controller Personal Data
CM.com shall only process Controller Personal Data for the purposes of the Agreement. CM.com shall not process, transfer, modify, amend or alter the Controller Personal Data or disclose or permit the disclosure of the Controller Personal Data to any third party other than in accordance with Controller’s documented instructions, unless said processing is required by EU or Member State law to which CM.com is subject.
CM.com shall take all reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller Personal Data, ensuring in each case that access is limited to those individuals who require access to the relevant Controller Personal Data.
CM.com shall ensure that all individuals which have a duty to process Controller Personal Data:
- are informed of the confidential nature of the Controller Personal Data and are aware of CM.com’ obligations under this Agreement and the Agreement in relation to the Controller Personal Data;
- have undertaken appropriate training in relation to the Data Protection Laws;
- are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
- are subject to user authentication and logon processes when accessing the Controller Personal Data in accordance with this Agreement, the Agreement and the applicable Data Protection Laws
Personal Data Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CM.com shall take all reasonable measures to implement appropriate technical and organizational measures (Annex 2) to ensure a level of Controller Personal Data security appropriate to the risk, including but not limited to:
- pseudonymization and encryption;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
In assessing the appropriate level of security, CM.com shall take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed.
The Controller acknowledges and expressly agrees that CM.com may use third party Sub-processors for the provision of the Services as described in the Agreement .
Any such Sub-processors that provide services for the Controller and thereto Process Personal Data will be permitted to Process Personal Data only to deliver the Services and will be prohibited from Processing such Personal Data for any other purpose.
CM.com remains fully responsible for any such Sub-processor’s compliance with CM.com’s contractual obligations, including the present Agreement. CM.com will, prior to the entrusting of services to such Sub-processor, carry out any relevant due diligence on such Sub-processor to assess whether it is capable of providing the level of protection for the Personal Data as is required by this DPA, and provide evidence of such due diligence to the Controller where requested by the Controller or a regulator.
CM.com will enter into written agreements with any such Sub-processor which contain obligations no less protective than those contained in this Agreement, including the obligations imposed by the Standard Contractual Clauses of the European Commission, as applicable.
CM.com will make available to the Controller the current list of Sub-processors for the Services identified in Annex 3 to this Agreement. Such Sub-processors list will include the identities of those Sub-processors and their country of location. CM.com will provide the Controller with a notification of a new Sub-processor before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
If the Controller objects to the use of a new Sub-processor that will be processing the Controller’s Personal Data, then the Controller will notify APPMIRAL in writing within twenty-one (21) calendar days after receipt of CM.com’ written request to that effect. In such case, CM.com will use reasonable efforts to change the affected Services or to recommend a commercially reasonable change to the Controller’s use of the affected Services to avoid the Processing of Personal Data by the Sub-processor concerned. If CM.com is unable to make available or propose such change within sixty (60) calendar days, the Controller may terminate the relevant part of the contractual relationship between the Parties regarding those Services which cannot be provided by CM.com without the use of the Sub-processor concerned. To that end, the Controller will provide written notice of termination that includes the reasonable motivation for non-approval
Data Subject Rights
Taking into account the nature of the Processing, CM.com shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights as laid down in the Data Protection Laws.
CM.com shall promptly notify the Controller if it receives a request from a Data Subject and/or competent authority under any applicable Data Protection Laws with respect to Controller Personal Data.
CM.com shall cooperate as requested by the Controller to enable the Controller to comply with any exercise of rights by a Data Subject under any Data Protection Laws with respect to Controller Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws with respect to Controller Personal Data or this Agreement, which shall include:
- The provision of data requested by the Controller within a reasonable timescale specified by the Controller in each case, including details and copies of the complaint, communication or request and any Controller Personal Data it holds in relation to a Data Subject;
- Where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by the Data Protection Laws;
- Implementing additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.
It is however explicitly agreed between the Parties that any costs incurred by CM.com for the services delivered in relation to the aforementioned assistance will be charged to the Controller at the then current hourly rate of CM.com.
Personal Data Breach
CM.com shall notify the Controller without undue delay and, in any case, within fourty-eight (48) hours upon becoming aware of or reasonably suspecting a Personal Data Breach. CM.com will provide the Controller with sufficient information to allow the Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws.
Such notification shall:
- Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
- Communicate the contact details of CM.com or other relevant contact from whom more information may be obtained;
- Describe the estimated risk and the likely consequences of the Personal Data Breach; and
- Describe the measures taken or proposed to be taken to address the Personal Data Breach.
CM.com shall without undue delay further investigate the Personal Data Breach and shall keep Controller informed of the progress of the investigation and take all reasonable steps to further minimize the impact. Both Parties agree to fully cooperate with such investigation.
In the event of a Personal Data Breach, CM.com shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by EU or Member State law to which CM.com is subject, in which case CM.com shall, to the extent permitted by such law, inform the Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Controller before notifying the Personal Data Breach.
CM.com’ s obligation to report or respond to a Personal Data Breach is not and will not be construed as an acknowledgement by CM.com of any fault or liability with respect to the Personal Data Breach.
Any costs incurred by CM.com for the services delivered in relation to the fore mentioned assistance related to Personal Data Breaches caused by the Controller, will be charged to the Controller at the then current hourly rate of CM.com.
Data Protection Impact Assessment and Prior Consultation
CM.com shall provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 of GDPR and with any prior consultations to any supervisory authority of the Controller which are required under Article 36 of GDPR, in each case solely in relation to Processing of Controller Personal Data by CM.com on behalf of the Controller and considering the nature of the processing and information available to CM.com.
Any costs incurred by APPMIRAL for the services delivered in relation to the fore mentioned assistance will be charged to the Controller at the then current hourly rate of CM.com.
Erasure or return of Controller Personal Data
CM.com shall promptly and, in any event, within 90 (ninety) calendar days of the earlier of: (i) cessation of Processing of Controller Personal Data by CM.com; or (ii) termination of the Agreement, either:
- Return a complete copy of all Controller Personal Data to the Controller by secure file transfer and securely erase all other copies of Controller Personal Data Processed by CM.com or any Authorised Sub-processor; or
- Securely wipe all copies of Controller Personal Data Processed by CM.com or any Authorised Sub-processor, and in each case, provide a written certification to the Controller that it has complied fully with the requirements of section Erasure or Return of Controller Personal Data.
CM.com may retain Controller Personal Data to the extent required by Union or Member State law, and only to the extent and for such period as required by Union or Member State law, and always provided that CM.com shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Union or Member State law requiring its storage and for no other purpose
Upon reasonable written notice in advance, CM.com shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and allow for, and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller of any premises where the Processing of Controller Personal Data takes place.
CM.com shall permit the Controller or another auditor mandated by the Controller to inspect, audit and copy any relevant records, processes and systems in order that the Controller may satisfy itself that the provisions of this Agreement are being complied with.
CM.com shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section infringes the Data Protection Laws.
International Transfers of Controller Personal Data
CM.com shall not process Controller Personal Data nor permit any Authorised Sub-processor to process the Controller Personal Data in a Third Country, unless authorized in writing by Controller in advance, via an amendment to this Agreement.
When requested by Controller, CM.com shall promptly enter into (or procure that any relevant Sub-processor of CM.com enters into) an agreement with Controller including Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any Processing of Controller Personal Data in a Third Country, which terms shall take precedence over those in this Agreement.
Controller shall comply with all applicable laws and regulations, including the Data Protection Laws.
Controller remains responsible for the lawfulness of the Processing of Controller Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of his or her Personal Data.
Controller remains fully responsible for Personal Data Breaches caused by Controller’s actions or negligence.
With regard to the protection of the Data Subject’s rights pursuant to the applicable Data Protection Laws, Controller shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Controller shall take reasonable steps to keep Personal Data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
With regard to components that Controller provides or controls, including but not limited to workstations connecting to the CM.com IT-environment, data transfer mechanisms used and credentials issued to Controller personnel, Controller shall implement and maintain the required technical and organizational measures for data protection and will be solely liable for any damages caused by errors of the Controller in this respect.
Subject to this section, the parties agree that this DPA and the Standard Contractual Clauses shall terminate automatically upon termination of the Agreement.
This DPA shall be governed by the governing law of the Agreement for so long as that governing law is the law of a Member State of the European Union.
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including but not limited to the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
- Data Subjects
- Categories of Personal Data
CM.com may Process (a subset of) the following categories of Personal Data:
- Contact information (email, phone, …)
- Timetable preferences and favouriting behaviour
- Ticketing data & insights (if integrated)
- Location information (is the visitor currently present in a known site of the event – based on GeoFencing technology)
Purposes of Processing of Personal Data
Personal Data will be Processed for the purpose of:
- Execution of the Services under the Agreement and/or any other agreement in place between the parties.
- Duration of the Processing of Controller Personal Data
Personal data will be Processed for the duration of any agreement in place between the parties.
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
Organizational Security Controls
Organizational security controls shall include the following principles at a minimum.
CM.com and CM.com personnel shall Process Controller’ Personal Data, and access and use any networks, systems and/or computers managed by Controller, only on a need-to-know basis and only to the extent necessary to perform the Services under the DPA, the Agreement and/or any agreement in place between the Parties.
Prior to providing access to any Controller’ Personal Data to any personnel, CM.com shall take reasonable steps to ensure continuing compliance of the level of security specified under this DPA by such personnel. CM.com personnel with access to Personal Data are subject to confidentiality obligations, and these are formally integrated into employment contracts.
CM.com shall maintain information security policies and procedures consistent with the provisions of this DPA.
Ownership for Security and Data Protection: CM.com has appointed one or more individuals responsible for coordinating and monitoring the security rules and procedures as well as data protection compliance.
Risk Management: CM.com executes periodical risk assessments based on a formal risk management methodology.
CM.com shall take reasonable measures to terminate physical and logical access to Controller’ Personal Data by CM.com personnel no later than the date of separation or transfer to a role no longer requiring access to Controller’ Personal Data.
CM.com maintains a selection process by which it evaluates the security, privacy and confidentiality practices of a Sub-processor in regard to data handling.
Technical Security Controls
Technical security controls on CM.com information systems (any systems and/or computers used to Process Controller’ Personal Data pursuant to the DPA) shall include the following principles at a minimum.
CM.com shall use appropriately strong passwords consistent with technology industry practices, including minimum password length, lockout, expiration period and changing of default passwords.
CM.com shall implement and maintain controls to detect and prevent unauthorized access, intrusions and computer viruses.
CM.com shall maintain documented change management procedures that provide a consistent approach for controlling, implementing and documenting changes (including emergency changes) for CM.com information systems.
Unless otherwise expressly agreed in the Agreement, development and testing environments shall be physically and/or logically separated from production environments.
CM.com shall maintain reasonable back-up and disaster recovery processes and procedures.
Workstations shall not be left authenticated when unattended and shall be password or PIN protected when not in use.
Personal Data on portable devices are encrypted.
CM.com has procedures for securely disposing of media and printed materials that contain Personal Data.
CM.com standardly encrypts, or provides the mechanisms to Controller to encrypt, Personal Data that is transmitted over public networks.
Event Logging: CM.com logs access and use of its information systems containing Personal Data, registering the access ID, time and relevant activity.
Physical Security Controls
Physical security controls shall include the following principles at a minimum on all CM.com facilities where Controller’ Personal Data may be Processed.
Physically secure perimeters and external entry points shall be suitably protected against unauthorized access. Access to all locations shall be limited to CM.com Personnel and authorized visitors only. Reception areas shall be manned or have other means to control physical access.
Visitors shall be required to sign a visitor register.
ANNEX 3: AUTHORISED SUB-PROCESSORS
List of Approved Sub-processors as at the DPA effective date.
- Google LLC // 1600 Amphitheatre Parkway Mountain View, CA 94043 United States
– Performance Monitoring, Analytics
– Location: Worldwide Services
- Amazon Web Services EMEA SARL // 38 Avenue John F. Kennedy , L-1855 Luxembourg
– Server Infrastructure, Data Storage, Push Notification Services
– Location servers: European Region > EU-West-1 (Dublin, Ireland)
- Spotify USA Inc // 4 World Trade Center, 140 Greenwich Street, 62nd floor, NY 10007, New York
– Music Services
> optionally activated by the user on his own device
Location: Worldwide Services
- Crowd Connected Ltd. // Surrey Technology Center, Guildford, HU2 7YG, United Kingdom
– Location Intelligence
> optionally activated by the user on his own device
Location: European Region
- CM.com // Konijnenberg 30, 4825 BD Breda, The Netherlands
– Customer Data Platform (if integrated)
– Ticketing Data (if integrated)
Location: European Region
- CM.com Affiliates
– Support, development, performance of the Agreement
- Cloudflare Inc.
– Network security
Location: USA (DPA, Standard contractual clauses)