ComplianceMetrix Inc. End User Subscription TERMS

Last Updated: January 20, 2021

These End User Subscription Terms (the “Agreement”) is entered into by and between ComplianceMetrix (CMX) Inc. a Delaware C-Corporation, with offices at 4180 La Jolla Village Drive, Suite 570, La Jolla, California 92037 (“Company”) and the individual or entity placing an order for or accessing the Services ( “Customer” or “you”). This Agreement consists of the terms and conditions set forth below, any exhibits or addenda identified below, and any ordering documents, online registration, or order confirmations referencing this Agreement. No waiver, alteration, or modification of any of the provisions hereof shall be binding on CMX (or the Reseller, if applicable) unless made in writing and signed by an authorized representative of CMX (or the Reseller, if applicable). CMX’s (or, if applicable, its Reseller’s) provision of the Services, and Customer’s access to the Services is conditional upon Customer’s acceptance of this Agreement. If you are an employee or agent of an employer and are entering into this Agreement to obtain the Services for use by you and/or the employer for which you work, you hereby represent that you have the authority to bind the employer to the terms and conditions of this Agreement.

PLEASE NOTE THAT THIS AGREEMENT IS SUBJECT TO CHANGE BY COMPANY IN ITS SOLE DISCRETION AT ANY TIME. When changes are made, Company will make a new copy of the Agreement available through the Services and will update the “Last Updated” date at the top of the Agreement. Unless otherwise communicated to you, any updated Agreement shall become effective immediately upon posting. Company may require you to provide consent to the updated Agreement in a specified manner before further use of the Services is permitted. If you do not agree to any change(s) to this Agreement, you shall stop using the Services. Otherwise, your continued use of the Services constitutes your acceptance of such change(s). PLEASE REGULARLY CHECK THE SERVICES TO VIEW THE THEN-CURRENT AGREEMENT.

1. 1. DEFINITIONS. Capitalized terms shall have the meanings set forth in this section, or in the section where they are first used.
3. 1.1 “Affiliate” means, with respect to party, any person or entity that, at any time during the term of this Agreement, directly or indirectly controls, is controlled by, or is under common control with such party. For purposes of this Section 1.1, “control” means ownership of fifty percent (50%) or more of the voting power of the outstanding voting securities (but only as long as such person or entity meets these requirements).
5. 1.2 “CMX” means Company and all its Affiliates, including without limitation, ComplianceMetrix (CMX) Inc.
7. 1.3 "Content" means, without limitation, any and all information, data, results, ideas, plans, sketches, texts, files, links, images, photos, video, sound, inventions (whether or not patentable), notes, works of authorship, articles, feedback, or other materials.
9. 1.4 “Customer Content” means any Content provided, imported or uploaded to, or otherwise used by or on behalf of Customer with the Services. Customer Content excludes any Usage Data.
11. 1.5 “Documentation” means the specifications and functional requirements published by CMX (or the Reseller, if applicable) for the Services and provided to Customer in either electronic, online help files or hard copy format. Marketing materials shall not be considered Documentation hereunder.
13. 1.6 “Intellectual Property Rights” means any and all now known or hereafter existing (a) rights associated with works of authorship, including copyrights, mask work rights, and moral rights; (b) trademark or service mark rights (c) trade secret rights; (d) patents, patent rights, and industrial property rights; (e) layout design rights, design rights, and other proprietary rights of every kind and nature other than trademarks, service marks, trade dress, and similar rights; and (f) all registrations, applications, renewals, extensions, or reissues of the foregoing, in each case in any jurisdiction throughout the world.
15. 1.7 “Reseller” means, if applicable, the CMX authorized Reseller from whom Customer has purchased a subscription to the CMX Services (or rebranded CMX Services if applicable).
17. 1.8 “Sensitive Data” means any of the following: (i) patient, medical, health insurance, or other protected health information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) or similar state, federal, or industry laws; (ii) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards (“PCI DSS”) (iii) social security numbers, driver’s license numbers, or other government ID numbers; (iv) any information deemed to be special categories of data as set forth in Article 9 of the EU General Data Protection Regulation or similar laws; or (v) other personal or sensitive information subject to regulation or protection under the Gramm-Leach-Bliley Act, the Children’s Online Privacy Protection Act or similar foreign or domestic laws.
19. 1.9 “Services” means the on-line service delivered by CMX to Customer using the Software hosted by Licensor and as made available by Licensor through the access methods described in this Agreement.
21. 1.10 “Software” means CMX’s proprietary computer software programs, including any updates and new releases thereto, made available to you through the Services.
23. 1.11 “Third Party Content” means any Content that is either (a) provided by third parties (including other customers of the Services) to the Services; or (b) made available on third party websites and linked to on the Services.
2. INTELLECTUAL PROPERTY.
- 2.1 Access. Subject to the terms and conditions of this Agreement, including without limitation, the continuous and timely payment of the fees owed by Customer to CMX (or the Reseller, if applicable) hereunder, CMX grants to Customer a limited, non-exclusive, non-sublicenseable, non-transferable right during the Term, solely for Customer’s internal business purposes, to use the Services in accordance with the Documentation. Customer shall not: (i) permit any party to access and/or use the Services; (ii) rent, lease, loan, or sell access to the Services; (iii) interfere with, disrupt, alter, translate, or modify the Services or any part thereof, or create an undue burden on the Services or the networks or services connected to the Services, including without limitation, the external websites that contain Third Party Content and that are linked to on the Services; (iv) reverse engineer, decompile, disassemble, or otherwise derive or determine or attempt to derive or determine the source code (or the underlying ideas, algorithms, structure or organization) of the Software; (v) without CMX’s express written permission, introduce software or automated agents or scripts to the Services so as to produce multiple accounts, generate automated searches, requests and queries, or to strip or mine data from the Services; (vi) perform or publish any performance or benchmark tests or analyses relating to the Services or the use thereof; or (vii) cover or obscure any page or part of the Services via HTML/CSS, scripting, or any other means, if any. Customer shall comply with all applicable laws and regulations in its use of the Services.
- 2.2 Usernames and Passwords. CMX (or the Reseller, if applicable) will provide you a unique username and password to enable you to access the Services pursuant to this Agreement. CMX (or the Reseller, if applicable) reserves the right to change or update these username and passwords in its sole discretion from time to time. Your username and password may only be used to access the Services during one (1) concurrent login session and shall comply with CMX’s then-current policies and/or security requirements regarding usernames and passwords (collectively, “CMX Security Requirements”). Customer acknowledges and agrees that only Customer entitled to access the Services with the username and password provided to Customer. Customer is responsible for maintaining the confidentiality of its username and password, and is solely responsible for all activities that occur under these usernames. Customer agrees to notify CMX (or the Reseller, if applicable) promptly of any actual or suspected unauthorized use of its account, usernames or passwords, or any other breach or suspected breach of this Agreement. Notwithstanding anything contained herein to the contrary, if you request to be permitted to deviate from the CMX Security Requirements, then CMX’s agreement to such request (if applicable) is conditioned upon CMX not being responsible for any unauthorized access and/or use of the Services by someone using a username and/or password that is not in strict compliance with the CMX Security Requirements (each a “Noncompliant Username/Password”). Accordingly, you hereby accept all responsibility for the use of any Noncompliant Username/Password and hereby release, discharge and waive all causes of action or other claims, including without limitation, all damages, liabilities judgments, costs and expenses, arising out or related to any Noncompliant Username/Password, including without limitation, any unauthorized access and/or use of the Services by someone using a Noncompliant Username/Password
- 2.3 IP Ownership. The Services and all Intellectual Property Rights in the Services are the exclusive property of CMX. Except as expressly set forth herein, no express or implied license or right of any kind is granted to Customer regarding the Services and Software, or any part thereof, including any right to obtain possession of any source code, data or other technical material relating to the Software. All rights not expressly granted to Customer are reserved to CMX.
3. CUSTOMER CONTENT AND EMAILS.

3.1 Customer Content. Customer is solely responsible for the accuracy, content, and legality of all Customer Content. Customer represents and warrants that any Customer Content shall not (a) infringe any copyright, trademark, or patent; (b) misappropriate any trade secret; (c) be deceptive, defamatory, obscene, pornographic or unlawful; (d) contain any viruses, worms or other malicious computer programming codes able to damage the Services, any Third Party Content, or other data of the Services; or (e) otherwise violate the rights of a third party. Customer further represents and warrants that Customer has made all necessary disclosures and obtained or otherwise possesses all consents, permissions and other rights required or necessary to (i) collect, share, and use Customer Data as contemplated in this Agreement and/or in connection with Customer’s use of the Services, and (ii) provide the Customer Data to CMX and for CMX to use the Customer Data pursuant to this Agreement. CMX may, but is not obligated to, backup any Customer Content that is posted on the Services. Customer is solely responsible for creating backup copies of any Customer Content posted on the Services at Customer’s sole cost and expense. Customer agrees that any use of the Services contrary to or in violation of the representations and warranties of the Customer in this section constitutes improper and unauthorized use of the Services. Customer hereby grants to CMX a non-exclusive, non-transferable right and license to use the Customer Content during the term of this Agreement for the limited purposes of performing CMX’s obligations and exercising its rights hereunder. Additionally, CMX may use any Customer Content as set forth in the Privacy Policy (as defined herein).

3.2 No Sensitive Data. Customer specifically agrees not to use the Services to collect, store, process or transmit any Sensitive Data. Customer acknowledges that CMX is not a Business Associate or subcontractor (as those terms are defined in HIPAA) or a payment card processor and that the Services are not compliant with HIPAA or PCI-DSS. CMX shall have no liability under this Agreement for Sensitive Data, notwithstanding anything to the contrary herein.

3.3 Customer Emails. If you enable the Services to allow email correspondence (including attachments) to be sent outside of the Services (“Customer Emails”), you acknowledge that CMX has absolutely no control over the content, format, or legality of Customer Emails or the email addresses to which Customer Emails are sent. Accordingly, you hereby accept all responsibility for Customer Emails and hereby release, discharge and waive all causes of action or other claims, including without limitation, all damages, liabilities judgments, costs and expenses, arising out or related to any Customer Emails, including, without limitation, the use or publication of any content contained in any Customer Emails.

4. THIRD PARTY CONTENT. CMX makes no representations or warranties regarding any Third Party Content found on or through the Services or that is otherwise available using the Services. Customer represents and warrants that any Third Party Content that it uses or has access to shall not be copied, altered, or redistributed by Customer without the prior written consent of the owner of such Third Party Content.

5. CMX USE OF INFORMATION. CMX collects information and data on how the Services are used by customers (such as, but not limited to, demographic information, search terms used or how customer perform searches and information about the platform and workflow) (the “Usage Data”) and reserves the right to disclose to use, modify, and share such Usage Data in its discretion. CMX owns all Usage Data and will process such data in accordance with CMX’s privacy policy set forth at compliancemetrix.com/privacy (the “Privacy Policy”). In the event any Customer Content is anonymized, CMX and its agents, subcontractors and licensors may use and share such anonymized Customer Content without restriction in accordance with local laws. CMX has the right (but not the obligation) to review any Content and delete (or modify) any Content that in CMX’s sole judgment violates this Agreement or which is prohibited content, or may otherwise violate the rights, harm, or threaten the safety of any customer or user of the Services or any other person, or create liability for CMX or any customer or user of the Services. CMX reserves the right (but has no obligation) to investigate and take appropriate legal action in CMX’s sole discretion against Customer if Customer violates this provision or any other provision of this Agreement, including without limitation, removing the prohibited content from the Services (or modifying it), terminating the Agreement, reporting Customer to law enforcement authorities, and taking legal action against Customer. Any use of the Services in violation of this Agreement may result in, among other things, termination or suspension of Customer’s rights to use the Services.

6. WARRANTY DISCLAIMER
- 6.1 Performance. CMX warrants that the Services, when used as permitted by CMX and in accordance with the instructions in the Documentation, will operate as described in the Documentation in all material respects. Except as set forth in any Service Level Agreement executed in writing between Customer and CMX, CMX will, at its own expense and as its sole obligation and Customer’s exclusive remedy for any breach of this warranty, correct any reproducible error in the Services reported to CMX (or the Reseller, if applicable, and then by the Reseller to CMX) by Customer in writing during the subscription term.
- 6.2 Disclaimer. EXCEPT AS SET FORTH IN SECTION 6.1, THE SERVICES ARE PROVIDED “AS-IS” AND AS AVAILABLE AND CMX MAKES NO (AND HEREMY DISCLAIMS ALL) WARRANTIES, REPRESENTATIONS, OR CONDITIONS, WHETHER WRITTEN, ORAL, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE.
7. LIMITATION OF LIABILITY. IN NO EVENT SHALL CMX, (AND THE RESELLER, IF APPLICABLE), OR ITS SUPPLIERS BE LIABLE TO CUSTOMER FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING DAMAGES OR COSTS DUE TO LOSS OF PROFITS, DATA, USE OR GOODWILL, PERSONAL OR PROPERTY DAMAGE RESULTING FROM OR IN CONNECTION WITH CMX’S PERFORMANCE HEREUNDER OR THE USE, MISUE, OR INABILITY TO USE THE SERVICES OR OTHER PRODUCTS OR SERVICES HEREUNDER. THE MAXIMUM LIABILITY OF CMX (AND THE RESELLER, IF APPLICABLE) ARISING OUT OF OR IN ANY WAY CONNECTED TO THIS AGREEMENT SHALL NOT EXCEED THE FEES PAID BY CUSTOMER TO CMX (OR THE RESELLER, IF APPLICABLE) DURING THE SIX (6) MONTHS PRECEDING THE CLAIM. THE EXISTENCE OF ONE OR MORE CLAIMS UNDER THIS AGREEMENT WILL NOT INCREASE CMX’s LIABILITY.
8. INDEMNIFICATION. Customer will defend at its expense any suit brought against CMX, (and the Reseller, if applicable), and will pay any settlement Customer makes or approves or any damages finally awarded in such suit insofar as such suit is based on a claim by any third party based upon, resulting from or related to: (a) Customer’s use of the Services; (b) any improper or unauthorized use of the Services by Customer; or (c) repeat infringement of copyright, irrespective of whether Customer cures such infringement.
9. TERM AND TERMINATION. This Agreement shall automatically expire at the end of the applicable subscription term. CMX may terminate your subscription and this Agreement immediately if you are in material breach of any term or condition of this Agreement. Without limiting the foregoing, CMX may suspend your access to and use of the Services immediately if CMX has not timely received all applicable fees. Upon termination or expiration of this Agreement for any reason, all rights granted by CMX to you in this Agreement will immediately cease to exist and you must discontinue all use of the Services and Software. Upon termination or expiration of this Agreement for any reason all rights and obligations of both parties, including all licenses granted to Customer hereunder, shall immediately terminate.
Sections 1, 2.3, 3-8 and 10 will survive expiration or termination of this Agreement for any reason.
- 10. MISCELLANEOUS.
- 10.1 Customer’s use of the Services shall be in accordance with this Agreement, all applicable laws and the terms of any Terms & Conditions, subscription agreement, statement of work, or other agreement between CMX and your employer relating to the Services (the “Master Terms”). In the event of any direct conflict between this Agreement and the Master Terms, the terms of this Agreement shall govern. To the extent that CMX has access to or processes any Customer Personal Data, CMX shall comply with the terms of Exhibit A – Data Processing Addendum.
- 10.2 Governing Law and Venue. This Agreement and any action related thereto will be governed, controlled, interpreted, and defined by and under the laws of the State of California without giving effect to any conflicts of laws principles that require the application of the law of a different state. Customer hereby expressly consents to the personal jurisdiction and venue in the state and federal courts located in the county in California where CMX has its primary office for any lawsuit filed there against Customer by CMX arising from or related to this Agreement.
- 10.3 Severability. If any provision of this Agreement is unenforceable, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.
- 10.4 No Assignment. This Agreement, and Customer’s rights and obligations herein, may not be assigned, subcontracted, delegated, or otherwise transferred by Customer without CMX’s prior written consent, and any attempted assignment, subcontract, delegation, or transfer in violation of the foregoing will be null and void. CMX may freely assign this Agreement. The terms of this Agreement shall be binding upon assignees.
- 10.5 Force Majeure. CMX shall not be liable hereunder by reason of any failure or delay in the performance of its obligations hereunder for any cause which is beyond its reasonable control.
- 10.6 Independent Contractors. Customer’s relationship to CMX is that of an independent contractor, and neither party is an agent or partner of the other. Customer will not have, and will not represent to any third party that it has, any authority to act on behalf of CMX.

Exhibit A - Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the Agreement between CMX and Customer and applies to CMX’s Processing of Customer Personal Data under the Agreement.

1. Definitions. The terms used in this Addendum shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
- 1.1 Affiliate means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Customer or CMX respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- 1.2 “CCPA” means the California Consumer Privacy Act of 2018, as amended from time to time.
- 1.3 "Customer Personal Data" means any Customer Data that is Personal Data Processed by CMX on behalf of Customer or any Customer Affiliate pursuant to or in connection with the Agreement. For purposes of this Addendum, Customer Personal Data does not include personal information of employees or other representatives of Customer with whom CMX has a direct business relationship.
- 1.4 "Data Protection Laws" means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data, including, where applicable, European Data Protection Laws and the CCPA;
- 1.5 “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
- 1.6 “European Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time, (“GDPR”) and any other data protection laws of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent it applies to the relevant Personal Data or Processing thereof under the Agreement.
- 1.7 “Personal Data” means “personal data”, “personal information”, “personally identifiable information”, or similar information defined in and governed by Data Protection Laws.
1.8 “Process” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.9 “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data Processed by CMX. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
1.10 “Services” means the CMX Service, the Professional Services, and any such other services that CMX has agreed to provide to Customer under the Agreement.
1.11 "Subprocessor" means any third party or CMX Affiliate appointed by CMX to Process Customer Personal Data.
2. Scope of this Addendum. This Addendum applies to CMX’s Processing of Customer Personal Data under the Agreement, except that Exhibit D-1 (European Data Processing Terms) to this Addendum applies only to such Processing of Customer Personal Data governed by European Data Protection Laws. Exhibit D-2 (California Data Processing Terms) to this Addendum applies only to such Processing of Customer Personal Data governed by the CCPA.
3. Processing of Customer Personal Data. CMX shall not Process Customer Personal Data other than on Customer's documented instructions. For the avoidance of doubt, the Agreement and any related order form entered into by Customer shall constitute documented instructions for the purposes of this Addendum. Customer acknowledges and agrees that such instruction authorizes CMX to Process Customer Personal Data (a) to perform its obligations and exercise its rights under the Agreement; (b) perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; (c) pursuant to any other written instructions given by Customer and acknowledged in writing by CMX as constituting instructions for purposes of this Addendum; and (d) as reasonably necessary for the proper management and administration of CMX’s business. Customer shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and CMX’s Processing of Customer Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to CMX and to permit the Processing of such Customer Personal Data by CMX for the purposes of performing CMX’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify CMX of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact CMX’s ability to comply with the Agreement or applicable Data Protection Laws.
4. Confidentiality. CMX shall take reasonable steps to ensure that individuals that Process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CMX shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

6. Subprocessing. Customer (a) specifically authorizes CMX to engage its Affiliates as Subprocessors, and (b) generally authorizes CMX to engage third parties as Subprocessors as CMX considers reasonably appropriate for the Processing of Customer Personal Data. CMX shall notify Customer of the addition or replacement of any such Subprocessor and Customer may, on reasonable grounds, object to a Subprocessor by notifying CMX in writing within 10 days of receipt of CMX's notification, giving reasons for Customer's objection. Upon receiving such objection, CMX shall: (1) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (2) where such change cannot be made within 10 days of CMX's receipt of Customer's notice, Customer may by written notice to CMX with immediate effect terminate the portion of the Agreement or relevant order form to the extent that it relates to the Services which require the use of the proposed Subprocessor. This termination right is Customer's sole and exclusive remedy to Customer’s objection of any Subprocessor appointed by CMX. CMX shall require all Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum. CMX shall remain fully liable for compliance with the obligations of this Addendum and for any acts and omissions of each Subprocessor that cause CMX to breach any of its obligations hereunder.

7. Data Subject Rights. If receives a request from a Data Subject under any Data Protection Laws in respect to Customer Personal Data, CMX will advise the Data Subject to submit the request to Customer and Customer will be responsible for responding to any such request. CMX will (taking into account the nature of the Processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to perform its obligations under Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Data Protection Laws, provided that CMX may charge Customer on a time and materials basis in the event that CMX considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
8. Security Incident. If CMX becomes aware of a confirmed Security Incident, CMX will notify Customer without undue delay after becoming aware of Security Incident. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. CMX will take reasonable steps to provide Customer with information available to CMX that Customer may reasonably require to comply with its obligations under Data Protection Laws. CMX’s notification of or response to a Security Incident under this Section 8 will not be construed as an acknowledgement by CMX of any fault or liability with respect to the Security Incident.
9. Deletion or Return of Customer Personal Data. Unless otherwise required by applicable Data Protection Laws, following termination or expiration of the Agreement CMX shall, at Customer's option, delete or return all Customer Personal Data and all copies to Customer.
10. General Terms. This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, CMX’s deletion of all Customer Personal Data. Except as expressly modified by the Addendum, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum will govern. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

ANNEX-1 - European Data Processing Terms

1. Definitions. For purposes of this Exhibit D-1, the terms “controller”, “processor", and “supervisory authority” have the meanings given in European Data Protection Laws; "EEA" means the European Economic Area as well as any country for which the European Commission has published an adequacy decision as published at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en; "Standard Contractual Clauses" means the mandatory provisions of the standard contractual clauses for the transfer of
Personal Data to Processors established in third countries which do not ensure an adequate level of data protection pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010; and “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.
2. Processing of Customer Personal Data.
- 2.1 Roles and Regulatory Compliance. The parties acknowledge and agree that (a) CMX is a processor of the Customer Personal Data under European Data Protection Laws; (b) Customer is a controller of the Customer Personal Data under European Data Protection Laws; and (c) each party will comply with the obligations applicable to it in such role under European Data Protection Laws with respect to the Processing of Customer Personal Data.
- 2.2 Subject Matter and Details of Processing. The parties acknowledge and agree that: (a) the subject matter of the Processing under the Agreement is CMX’s provision of the Services; (b) the duration of the Processing is from CMX’s receipt of Customer Personal Data until deletion of all Customer Personal Data by CMX in accordance with the Agreement and this Addendum; (c) the nature and purpose of the Processing is to provide the Services; (d) the Data Subjects to whom the Processing pertains are Customer’s employees, contractors, consultants, franchisees, customers, prospective customers, business partners, and other contacts of Customer; and (e) the categories of Customer Personal Data are such categories as Customer is authorized to provide or submit under the Agreement.
- 2.3 CMX’s Compliance with Instructions. CMX will only Process Customer Personal Data in accordance with Customer’s instructions as described in this Addendum unless European Data Protection Laws require otherwise, in which case CMX will notify Customer (unless that law prohibits CMX from doing so).
3. Data Protection Impact Assessment and Prior Consultation. In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any supervisory authority of Customer, following written request from Customer, CMX shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, provided that CMX may charge Customer on a time and materials basis in the event that CMX considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.

4. Relevant Records and Audit Rights. CMX shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer, not being competitors of CMX ("Mandated Auditor") of any premises where the Processing of Customer Personal Data takes place in order to assess compliance with this Addendum. CMX shall provide reasonable cooperation to Customer in respect of any such audit and shall at the request of Customer, provide Customer with relevant records of compliance with its obligations under this Addendum. CMX shall promptly inform Customer if, in its opinion, a request infringes the Data Protection Laws or any other confidentially obligations with CMX’s other Customers. Customer agrees that: (1) audits may only occur during normal business hours, and where possible only after reasonable notice to CMX (not less than 20 days' advance written notice); (2) audits will be conducted in a manner that does not have any adverse impact on CMX's normal business operations; (3) Customer or any Mandated Auditor will comply with CMX's standard safety, confidentiality, and security procedures in conducting any such audits; and (4) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit will be deemed to be the Confidential Information of CMX. To the extent any such audit incurs in excess of 20 hours of CMX personnel time, CMX may charge Customer on a time and materials basis for any such excess hours.

5. Data Transfer.
- 5.1 Data Processing Facilities. CMX may, subject to Section 5.2 of this Addendum, Process Customer Personal Data in the United States or anywhere CMX or its Subprocessors maintains facilities. Subject to CMX’s obligations in this Section 5, Customer is responsible for ensuring that its use of the Services comply with any cross-border data transfer restrictions of European Data Protection Laws.
- 5.2 Standard Contractual Clauses. In the event that Customer transfers any Customer Personal Data to CMX in a country outside the EEA and no lawful alternative basis for such transfer applies, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this Addendum. In furtherance of the foregoing, CMX and Customer agree that:
  - 5.2.1 for purposes of the Standard Contractual Clauses, (a) Customer will act as the data exporter and (b) CMX will act as the data importer;
  - 5.2.2 for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the processing operations shall be as set out in Section 2.2 to this Exhibit D-1;
  - 5.2.3 for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the security measures described in the Addendum;
  - 5.2.4 upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that data importer may remove or redact all commercial information or clauses unrelated the Standard Contractual Clauses or their equivalent beforehand;
  - 5.2.5 the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 4 of this Exhibit D-1;
  - 5.2.6 Customer’s authorizations in Section 6 of the Addendum will constitute Customer’s prior written consent to the subcontracting by CMX of the Processing of Customer Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses;
  - 5.2.7 certification of deletion of Customer Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Customer’s request;
  - 5.2.8 the Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis; and
  - 5.2.9 in the event that the Standard Contractual Clauses cease to be recognized as a legitimate basis for the transfer of Personal Data to an entity located outside the EEA, the parties shall reasonably cooperate to identify and implement an alternative legitimate basis for such transfer to the extent that one is required by European Data Protection Laws.
- ANNEX-2 - California Data Processing Terms
  1. 1. For purposes of this Exhibit D-2, the terms “business”, “commercial purpose”, “sell”, and “service provider” have the meanings given in the CCPA.
  3. 2. With respect to Customer Personal Data, CMX is a service provider under the CCPA.
  5. 3. CMX will not (a) sell Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Customer Personal Data outside of the direct business relationship between CMX and Customer.
  7. 4. The parties acknowledge and agree that (a) the Processing of Customer Personal Data described in Section 3 of the Addendum is integral to and encompassed by CMX’s provision of the Services and the direct business relationship between the parties.
  9. 5. Notwithstanding anything in the Agreement or any order form entered in connection therewith, CMX’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

Start small with just one solution or implement CMX1 in full from the get-go

Industries we serve

Learning & resources

About us

End User Subscription Terms

ComplianceMetrix Inc. End User Subscription TERMS

Exhibit A - Data Processing Addendum

ANNEX-1 - European Data Processing Terms

ANNEX-2 - California Data Processing Terms

Connect with us: