Tebi Terms of Service
SECTION A – GENERAL TERMS AND CONDITIONS
A1. Subscription to Tebi Product.
By subscribing to a Tebi product Customer enters into a binding legal agreement with Tebi B.V., a private company with limited liability incorporated under the laws of The Netherlands (“Tebi”). This agreement is hereinafter referred to as the “Agreement”. During the License Term and in accordance with these Tebi Terms of Service, Customer may access and use the products which Customer subscribed to (each a “Product”), as referenced in Tebi’s services overview (the “Services Overview”). Each Product may include updates, cloud-based and support services, applications or documentation. Each of these are subject to the terms of these Tebi Terms of Service as applicable. Tebi may add to, change or discontinue any component of the Products at any time. Customer is responsible for all actions taken under its Tebi account credentials, regardless of whether such actions are taken by Customer, their employees or a third party. Customer will safeguard all account credentials in its possession or under its control. Tebi is not liable for any loss or damage arising from any unauthorized use of Customer’s account.
During the License Term, Tebi grants Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use, and to permit its employees and all other users who access and use the Products on Customer’s behalf (collectively, the “Users”) to access and use, the Products as a service on the terms set forth in these Tebi Terms of Service (the “License”). Customer agrees that all rights, title and interest in and to all the intellectual property rights in the Products, and all modifications, extensions, scripts and other derivative works of the Products provided or developed by Tebi are owned exclusively by Tebi or its licensors. All rights not granted to Customer in these Tebi Terms of Service are reserved by Tebi.
A3. License Restrictions.
Customer and any Users shall not (and shall not allow any User or third party to): (i) decompile, disassemble, reverse engineer or attempt to reconstruct or discover any source code, underlying ideas, algorithms, file formats or programming or interoperability interfaces of the Products, by any means whatsoever; (ii) distribute viruses or other harmful or malicious computer code via or into the Products; (iii) engage in any conduct that disrupts or impedes a third party’s use and enjoyment of the Products; (iv) remove any product identification, copyright or other notices from the Products; (v) sell, lease, lend, assign, sublicense, grant access or otherwise transfer or disclose the Products in whole or in part, to any third party; (vi) use the Products for timesharing, service bureau or hosting purposes or otherwise use, resell, sublicense, distribute or transfer or allow others to use the Products to or for the benefit of third parties; (vii) modify or incorporate into or with other software or create a derivative work of any part of the Products, unless agreed to in writing by Tebi; (viii) use the output or other information generated by the Products for any purpose other than as contemplated by the Agreement; (ix) use the Products for any use other than Customer’s internal business use; (x) use unauthorized modified versions of the Products, including without limitation, for the purpose of building a similar or competitive product or service or for the purpose of obtaining unauthorized access to the Product; or (xi) use the Products in any way that is contrary to applicable laws including, without limitation, privacy, data protection, electronic communications and anti-spam legislation. Tebi retains all title to and, except as expressly licensed herein, all rights to the Products, all copies, derivatives and improvements thereof, and all related materials.
A4. License Term.
The “Initial Term” shall mean a period of one month, beginning on the first day of the calendar month prior to the effective date of the Agreement (e.g., when the effective date is 10 March, the Initial Term will commence on 1 March). Upon expiration of the Initial Term, the Agreement will automatically renew for a duration equal to the Initial Term (each a “Renewal Term”, the “Current Term” being the Initial Term or the then-current Renewal Term (as the case may be); and the Initial Term and all Renewal Terms collectively, the “License Term”) until terminated by Customer or Tebi by delivery of written notice to the other party at least one day prior to the end of the Current Term. Except as otherwise specified herein, Customer may not terminate this Agreement prior to the expiration of the License Term.
A5. Fees and Payment.
Customer shall pay Tebi the fees (“Fees”) specified in the Services Overview, in accordance with the timing and currency specified in the Services Overview. Unless required by applicable law, all payments by Customer to Tebi under this Agreement are non- refundable and made via the payment method specified in the Services Overview, or as otherwise agreed in writing by the parties. Customer shall undertake any additional actions reasonably requested by Tebi to implement any automated Fee payment process. Any amounts past due shall accrue interest at a rate which is the lesser of: one and a half percent (1.5%) per month or the maximum rate allowable by law. Any assessment of late Fees shall be without prejudice to Tebi’s right to suspend Customer’s access to the Products. Fees are net of tax. Any applicable goods and services or sales taxes, including any applicable VAT, will be added to Fees owing pursuant to the Agreement. Tebi may increase Fees at the first day of any calendar month by giving Customer at least ten (10) days’ written notice thereof.
A6. Confidential Information.
Tebi and Customer (each a “Receiving Party”) shall each retain in confidence all information received from the other party (the “Disclosing Party”) pursuant to or in connection with the Agreement or the Products, that the Disclosing Party identifies as being proprietary and/or confidential or that, by the nature of the circumstances surrounding the disclosure, ought in good faith to be treated as proprietary and/or confidential (“Confidential Information”), and will make no use of such Confidential Information except as necessary to fulfill their respective obligations under the Agreement. Each party shall treat the terms and conditions of the Agreement as confidential; however, either party may disclose such information in confidence to its legal and financial consultants as required in the ordinary course of that party’s business. Notwithstanding the foregoing, the restrictions set forth above will not apply to (i) information previously known to the Receiving Party without reference to the Disclosing Party’s Confidential Information, (ii) information which is or becomes publicly known through no wrongful act of the Receiving Party, (iii) information that is independently developed by the Receiving Party without reference to the Disclosing Party’s Confidential Information, or (iv) information required to be disclosed pursuant to applicable law by enforceable orders of the court or other governmental authority. The foregoing shall also not prevent Tebi from using Customer Data on an aggregate and de-identified basis. Customer shall ensure that its Users fully comply with the terms of this Section and shall be responsible for any damage suffered by Tebi as a result of a User’s failure to do so.
A7. Customer’s Representations.
Customer represents and warrants that currently and throughout the License Term (i) Customer is fully authorized to enter into the Agreement and that Customer and any Users are fully authorized to utilize the Products, (ii) Customer and any Users are and will remain in compliance with all Tebi policies, applicable laws and regulations with respect to its and their use of the Products and activities related to the Agreement, including but not limited to fiscal and privacy laws; and (iii) if Customer or any of its Users imports lists into the Products for the purpose of sending electronic communication (e.g., email, text messages), or otherwise collects electronic addresses for the purpose of sending electronic messages, then Customer warrants that each person on such list has previously opted-in to receive promotional electronic communications from Customer (where applicable) and that the content of such communications by Customer will comply with applicable laws and regulations.
A8. Customer Data and Privacy.
“Customer Data” means any data that Customer or its Users input into the Products for processing in connection with the Agreement, including any personally identifiable information (“Personal Data”) forming part of such data.
Customer may select the Personal Data it inputs into the Products at its sole discretion; Tebi has no control over the nature, scope, origin, and/or the means by which Customer acquires Personal Data processed by the Products. Tebi will comply, and will ensure that its personnel comply, with the requirements of applicable privacy laws and regulations governing Customer Personal Data in Tebi’s possession or under its control. Customer is solely responsible for ensuring that it complies with any legal, regulatory or similar restrictions applicable to the types of data Customer elects to process through the Products. Customer remains responsible for properly handling and processing notices regarding Personal Data of Customer’s customers and Users.
Tebi will regularly perform backups of Customer Data stored in the Products to the extent possible. Tebi will assist Customer in recovering and restoring Customer Data to the Products to the extent commercially feasible. Customer understands and agrees that Tebi is not responsible for any loss or corruption of Customer Data. Tebi may delete any Customer Data stored in the Products as from the 30th day following termination of the Agreement.
Customer agrees that any materials that it provides to Tebi, including but not limited to questions, comments, suggestions, ideas, plans, notes, drawings, modifications, improvements, original or creative materials or other information regarding Tebi or the Products, whether such materials are provided in email, feedback forms, or any other format (the “Feedback”), shall belong exclusively to Tebi, without any requirement to acknowledge or compensate Customer. Customer agrees to assign, and hereby assigns, all rights, title, and interest worldwide in and to the Feedback and the related intellectual property rights to Tebi and agrees to assist Tebi, at Tebi’s expense, in perfecting and enforcing such rights. Tebi may disclose or use Feedback for any purposes whatsoever without any obligation to Customer.
A10. Third-Party Services.
“Third-Party Services” are products, applications, services, software, networks, systems, directories, websites, databases and information from third parties, including from Adyen N.V., that one or more Products link to, or which Customer may connect to or enable in conjunction with one or more Products. Customer may decide to enable, access or use any Third-Party Services (as defined above). Customer agrees that access and use of such Third-Party Services shall be governed solely by the terms and conditions of such Third-Party Services, and that Tebi is not responsible or liable for, and makes no representations or warranties as to any aspect of such Third-Party Services, including, without limitation, their content or data practices (including with regards to Customer Data and Personal Data) or any interaction between Customer and the provider of such Third-Party Services, regardless of whether or not such Third- Party Services are provided by a third party that is a member of a Tebi partner program or otherwise designated by Tebi as “certified”, or “approved” by or “integrated” with Tebi. Any use by Customer of Third-Party Services shall be solely between Customer and the applicable third-party provider. Customer irrevocably waives any claim against Tebi with respect to such Third-Party Services. Tebi is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s enablement, access or use of any such Third-Party Services, or Customer’s reliance on the privacy practices, data security processes or other policies of such Third- Party Services.
A11. Maintenance Activities.
It may be necessary for Tebi to perform scheduled and/or unscheduled repairs or maintenance, or remotely patch or upgrade the Product. This may temporarily degrade the quality of the services or result in a partial or complete outage of the Product. Tebi will endeavor to carry out such work during times that will cause the least disruption to Customer’s business. Customer shall cooperate, if necessary, to perform such work.
A12. Termination and suspension.
In the event of a material breach of the Agreement by either party, the non-breaching party may terminate the Agreement by giving the breaching party written notice specifying the nature of the breach in reasonable detail and the non-breaching party’s intention to terminate (a “Termination Notice”). If the breach has not been cured within the period ending thirty (30) days following delivery of the Termination Notice, then the Agreement shall automatically terminate.
Notwithstanding the foregoing, Tebi may suspend Customer’s access to the Products immediately without notice if Tebi, in its sole discretion, believes: (i) such suspension is required by law; (ii) there is a security or privacy risk to Customer; (iii) Customer is infringing or violating the rights of third parties, or acting in a manner that is abusive, profane or offensive; (iv) Customer does not pay its Fees or any invoices in a timely manner; or (v) Customer is in breach of any material provision of the Agreement, including its License restrictions or confidentiality obligations. Any suspension of Customer’s access to the Products will not limit or waive Tebi’s rights to terminate the Agreement or Customer’s access to the Products.
Upon termination of the Agreement, Customer shall discontinue its use of the Product(s). Notwithstanding the foregoing, termination of the Agreement by Tebi shall not limit Customer’s obligation to pay all of the applicable Fees, nor restrict Tebi from pursuing any available remedies, including injunctive relief. Any installments that have not yet matured will become due immediately upon termination. Customer agrees that following termination of Customer’s account and/or use of the Product, Tebi may immediately deactivate Customer’s account and delete Customer Data. Customer further agrees that Tebi shall not be liable to Customer nor to any third party for any termination of Customer’s access to the Product or deletion of Customer Data in accordance with the Agreement. Sections discussing License restrictions, Fees and payment, confidentiality, Customer representation, indemnification, and limitation of liability shall survive termination of the Agreement, along with any other provisions that are intended by their terms to survive termination of the Agreement.
Customer shall indemnify, defend and hold harmless Tebi and its officers, employees, and agents from and against all losses, expenses, liabilities, damages and costs including, without limitation, reasonable attorneys’ fees (collectively “Costs”), to the extent that such Costs are attributable to any breach by Customer or any User, independent contractor, or affiliate thereof, of any representations, warranties or other obligations set forth in the Agreement.
Tebi shall indemnify, defend and hold harmless Customer and its officers, employees, agents and affiliates from and against all Costs, to the extent such Costs are attributable to the Products infringing or misappropriating any registered third-party intellectual property right, including trademarks, patents and copyrights if Tebi is notified promptly in writing and given authority, information, and assistance for the defense or settlement of any related proceeding.
A14. Limitation of Liability.
TO THE FULLEST EXTENT PERMISSIBLE BY APPLICABLE LAW, TEBI’S AGGREGATE LIABILITY UNDER THE AGREEMENT SHALL BE LIMITED TO THE FEES PAID BY CUSTOMER DURING THE THREE-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE THE CLAIM GIVING RISE TO SUCH LIABILITY WAS FIRST ASSERTED.
TO THE FULLEST EXTENT PERMISSIBLE BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, RELIANCE OR PUNITIVE DAMAGES OR LOST OR IMPUTED PROFITS OR ROYALTIES, LOST DATA OR COST OF PROCUREMENT OF SUBSTITUTE SERVICES, WHETHER FOR BREACH OF CONTRACT, WARRANTY, TORT, STATUTORY REMEDY OR ANY OBLIGATION ARISING THEREFROM OR OTHERWISE AND IRRESPECTIVE OF WHETHER EITHER PARTY HAS ADVISED OR BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH LOSS OR DAMAGE.
TO THE FULLEST EXTENT PERMISSIBLE BY APPLICABLE LAW, CUSTOMER HEREBY WAIVES ANY CLAIM THAT THESE EXCLUSIONS DEPRIVE IT OF AN ADEQUATE REMEDY. THE PARTIES ACKNOWLEDGE THAT THE PROVISIONS OF THIS SECTION FAIRLY ALLOCATE THE RISKS UNDER THE AGREEMENT AS BETWEEN THEM. THE PARTIES ACKNOWLEDGE THAT THE LIMITATIONS SET FORTH IN THIS SECTION ARE INTEGRAL TO THE AMOUNT OF FEES CHARGED IN CONNECTION WITH MAKING THE PRODUCTS AVAILABLE TO CUSTOMER AND THAT, WERE TEBI TO ASSUME FURTHER LIABILITY OTHER THAN AS SET FOR HEREIN, SUCH FEES WOULD OF NECESSITY BE SET SIGNIFICANTLY HIGHER.
A15. Disclaimer of Warranties.
CUSTOMER ACKNOWLEDGES THAT (i) TEBI CANNOT GUARANTEE THE RESULTS GENERATED THROUGH THE PRODUCTS, OR THAT THE PRODUCTS WILL BE CONTINUOUSLY AVAILABLE FOR USE WITHOUT INTERRUPTION, (ii) THE PRODUCTS ARE PROVIDED “AS IS”, ON AN “AS AVAILABLE” BASIS WITHOUT ANY REPRESENTATION, WARRANTY OR CONDITION OF ANY KIND, AND TEBI HEREBY DISCLAIMS ALL CONDITIONS, REPRESENTATIONS AND ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, ARISING BY LAW OR OTHERWISE WITH RESPECT TO THE PRODUCTS, INCLUDING, BUT NOT LIMITED TO, ANY (a) IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, (b) IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TRADE, (c) WARRANTY OF TITLE OR NON-INFRINGEMENT; OR (d) STATUTORY REMEDY, AND (iii) TEBI IS NOT RESPONSIBLE FOR ANY PRODUCT CONFIGURATION SETTINGS OR PRODUCT CHANGES APPLIED BY OR ON BEHALF OF CUSTOMER. TEBI EXPRESSLY DISCLAIMS ANY SPECIFIC SERVICE LEVEL WARRANTIES OR COMMITMENTS. REGARDLESS OF ANY OTHER TERM OF THE AGREEMENT, NOTHING IN THE AGREEMENT EXCLUDES OR PURPORTS TO EXCLUDE ANY STATUTORY RIGHT OR WARRANTY THAT MAY NOT BE EXCLUDED BY LAW.
A16. Assignment and Subcontractors.
Customer may not assign any of its rights or obligations under the Agreement without Tebi’s prior written consent. Tebi may, without Customer’s prior consent, assign its rights and obligations under the Agreement. Subject to the foregoing, the provisions of the Agreement shall be binding on and inure to the benefit not only of the parties hereto but also to their successors and permitted assigns. Tebi shall be free to perform all or any part of the Agreement through one or more subcontractors.
A17. Governing Law and Dispute Resolution.
The Agreement shall be governed by and construed in accordance with the laws of the Netherlands.
Any claim, dispute or controversy (whether in contract or tort, pursuant to statute or regulation, or otherwise, and whether pre-existing, present or future) arising out of or relating to: (i) the Agreement; (ii) the Products or any other services provided by Tebi; (iii) oral or written statements, or advertisements or promotions relating to the Agreement or to the Products or any other services provided by Tebi; or (iv) the relationships that result from the Agreement, will be determined by the courts of Amsterdam, the Netherlands.
Notwithstanding the foregoing provisions, (i) each party retains the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights; and (ii) Tebi reserves the right to collect any outstanding amounts that Customer owes to Tebi in a court of competent jurisdiction.
If one or more of the provisions of the Agreement is held to be invalid, illegal or unenforceable in any respect by a court of competent jurisdiction, then the validity, legality and enforceability of the remaining provisions of the Agreement shall be unaffected.
Tebi may provide any and all notices, statements and other communications to Customer through either email, posting on its website, an in-product message, or by mail or express delivery service. During the term of the Agreement, Customer grants Tebi a free license to use, reference and display the Customer’s name and trademarks in any communications, including publications, press releases, stories, websites, social media posts, and public filings in connection with the promotion, marketing, distribution and public disclosure of the Tebi brand, activities and Products (collectively, the “Materials”). Following the termination of the Agreement, Tebi shall have sixty (60) days to remove all Customer’s name and trademarks from the Materials.
Neither party shall be deemed in default or otherwise liable for any delay in or failure of its performance under the Agreement (other than Customer’s payment obligations) by reason of any act of God, fire, natural disaster, accident, act of government, shortage of materials, failure of transportation or communication or of suppliers of goods or services, or any other cause to the extent it is beyond the reasonable control of such party.
Tebi reserves the right, at any time and upon ten (10) days’ written notice, to amend the Agreement, including making changes to the scope of the Products.
SECTION B – DATA PROCESSING AGREEMENT
B1. About this Data Processing Agreement.
This Data Processing Agreement (“DPA”) forms an integral part of the Agreement concluded by and between Customer as controller and Tebi as processor in connection with Customer’s license to access and use the Product, which includes the provision of various data processing services to Customer (the “Services”).
Terms used in this DPA have the same meaning as those used in Section A, unless otherwise stated. If there are any conflicts or inconsistencies between the General Terms and Conditions and the DPA, the DPA prevails.
B3. Description of Personal Data.
When providing the Services, Tebi may have access to or otherwise receive or process information relating to identified or identifiable individuals (“Personal Data”).
a. Type of Personal Data processed.
Depending on how the Customer chooses to use the Services, Tebi may process the following types of Personal Data: first name, last name; contact information (e-mail address, home address, phone number); language; date of birth; role/function; IP address; location data; government-issued identification numbers; financial information, bank account details and buying behavior. Tebi may also process other kinds of Personal Data if Customer has chosen to collect and input such Personal Data into the Product. The Services do not require other kinds of Personal Data to function properly. Tebi disclaims all liability for damages or claims associated with Customer’s choice to input non-compulsory Personal Data into the Product.
b. Data Subjects.
Personal Data about the following categories of individuals is processed:
- Owner(s) of a business that subscribe(s) to the Services.
- Individuals whose Personal Data is processed using the Services, including Customer’s customers and suppliers.
B4. Purposes of the processing.
Tebi shall process Personal Data on behalf of Customer to provide the Services to Customer pursuant to the Agreement and any additional purposes as instructed by Customer when using the Services.
B5. Responsibilities regarding data processing.
Customer is the controller of all the Personal Data that it collects through the Services. Customer shall ensure that it is entitled to process and transfer the Personal Data to Tebi so that Tebi may lawfully process the Personal Data on Customer’s behalf, as contemplated under this DPA.
Tebi acts as a processor of the Personal Data collected by Customer through the use of the Services.
Customer acknowledges and hereby grants its express written authorization that Tebi may engage sub-processors as necessary to perform the Services. The list of Tebi’s authorized sub-processors can be found on https://tebi.com/en/subprocessors and Customer acknowledges that these sub-processors are essential to provide the Services. Tebi will inform Customer if it adds, replaces or changes its sub-processors by updating the aforementioned list. Customer may object to the changes on legitimate grounds in accordance with the principles of good faith, reasonableness and fairness within 30 calendar days after the change. Customer acknowledges that if it objects to Tebi’s use of a sub-processor, Tebi will not be obligated to provide Customer the Services for which Tebi uses that sub-processor.
B6. Data processing.
Tebi shall ensure that any processing shall be fair, lawful, and consistent with Tebi’s obligations under this DPA and compliant with applicable data protection law.
a. Controller instructions.
Tebi shall process Personal Data only on the documented instructions of Customer. If Tebi is required to additionally process Personal Data in compliance with an applicable law or regulation to which Tebi is subject, it will inform Customer of such legal requirement prior to such processing, unless prohibited from doing so by an applicable law or regulation.
b. Ensure appropriate protection.
Tebi shall ensure appropriate protection of Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where processing involves a transmission of Personal Data over a network, and against all other unlawful forms of processing.
c. Security safeguards.
Tebi shall comply with the security requirements set forth in clause B12, taking into consideration the state of the art, the costs of implementation and the nature, scope, context and purposes of processing.
Tebi shall not disclose Personal Data to any third party or unauthorized persons, unless Customer has given its prior written consent to such disclosure and subject to the conditions laid down in this clause B6.
Tebi shall hold Personal Data in strict confidentiality and require that employees and any other person under its authority who will be provided access to or will otherwise process Personal Data are held to the same level of confidentiality in accordance with the requirements of the DPA (including during the term of their employment or engagement and thereafter).
f. Data subject requests.
Tebi shall take appropriate measures to assist Customer, insofar as this is possible, in fulfilling Customer’s obligations as a controller in responding to requests from individual data subjects to exercise their rights under any applicable data protection law or regulation. In addition, Tebi shall promptly notify Customer if it receives a request from an individual with respect to Personal Data, including but not limited to information access requests, information rectification requests, requests for blocking, erasure, or portability of Personal Data and shall not respond to any such requests unless expressly authorized to do so by Customer or unless required under an applicable data protection law to which Tebi is subject. Additionally, Tebi shall ensure that it has implemented technical and organizational measures to assist Customer in fulfilling its obligation to respond to any such requests from an individual with respect to Personal Data processed. Tebi shall promptly and properly deal with enquiries and requests from Customer in relation to the processing of Personal Data under this DPA.
g. Assistance with Customer’s compliance.
Taking into account the nature of the processing and the information available to Tebi, Tebi shall assist Customer in ensuring compliance with the obligations regarding security measures and conducting data protection impact assessments, where necessary pursuant to Articles 32-36 of the General Data Protection Regulation (“GDPR”). Tebi shall assist and support Customer in the event of an investigation by a competent data protection authority, if and to the extent that such investigation relates to the processing of Personal Data under this DPA. Tebi shall promptly notify Customer if in Tebi’s view an instruction given by Customer infringes an applicable law or regulation, including data protection laws, or a change in the applicable laws and regulations is likely to have a substantially adverse effect on its ability to comply with its obligations under this DPA. Tebi shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by Customer. Tebi may refuse to carry out an instruction that is obviously unlawful.
h. Disclosure requests.
To the extent permitted by applicable law, Tebi shall notify Customer of each request Tebi receives from a public authority requiring Tebi to disclose Personal Data processed in the context of the Agreement or to participate in an investigation involving that Personal Data. Tebi will make reasonable efforts to narrow the scope of any such request received and will provide only the Personal Data specifically requested.
i. Data breach.
Tebi shall promptly (and in any event within forty-eight (48) hours) after becoming aware, notify Customer of any facts known to Tebi concerning any actual accidental or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data by any current or former employee, contractor or agent of Tebi or by any other person or third party. Tebi shall cooperate fully with Customer in the event of any accidental or unauthorized access, disclosure or use, or accidental or unauthorized loss, damage or destruction of Personal Data by any current or former employee, contractor or agent of Tebi or by any other person or third party, in order to limit the unauthorized disclosure or use, seek the return of any Personal Data, and assist in providing notice to competent regulators and affected individuals if requested by Customer.
B7. Onward processing.
Tebi may only subcontract performance of part of the Services to third parties as sub-processors if Tebi ensures that such sub-processors are bound to obligations that are not less onerous than those set out in this DPA.
B8. Retention and deletion.
Tebi processes Personal Data for as long as it is reasonably needed to deliver the Services. The retention term can be longer if Tebi is required to keep Personal Data longer on the basis of applicable law or to administer its business.
Upon request by Customer, Tebi shall immediately cease to process Personal Data and shall promptly return all such Personal Data, or delete the same, in accordance with such instructions as may be given by Customer at that time, unless it is required to store the Personal Data under an applicable law or regulation to which Tebi is subject or unless explicitly agreed otherwise with Customer. The obligations set out in this clause B8 shall remain in force notwithstanding termination or expiration of this DPA.
B9. Audit and Compliance.
Tebi will make available to Customer all information necessary to demonstrate compliance with the obligations regarding the processing of Personal Data provided to Tebi in its role as a data processor.
Tebi shall make the processing systems, facilities and supporting documentation relevant to the processing of Personal Data available for an audit by Customer or a qualified independent assessor selected by Customer and provide all assistance Customer may reasonably require for the audit no more than one time per 12-month period. If the audit demonstrates that Tebi has breached any obligation under the DPA, Tebi shall immediately cure that breach.
In case of inspection or audits by a competent governmental authority relating to the processing of Personal Data, Tebi shall make available its relevant processing systems, facilities and supporting documentation to the relevant competent public authority for an inspection or audit if this is necessary to comply with applicable laws. In the event of any inspection or audit, each party shall provide all reasonable assistance to the other party in responding to that inspection or audit. If a competent public authority deems the processing of Personal Data under this DPA unlawful, the parties shall take immediate action to ensure future compliance with applicable data protection law. Instead of on-site inspections and controls, Tebi may refer Customer to an equivalent control by independent third parties (such as neutral data protection auditors), compliance with an approved code of conduct (as referred to in Article 40 GDPR) or suitable data protection or IT security certifications pursuant to Article 42 GDPR. This applies in particular if company and business secrets of Tebi or Personal Data of third parties would be endangered by the controls.
Customer will reimburse Tebi for any reasonable costs incurred by Tebi in connection with any audit or inspection by (or on behalf of) Customer or a competent governmental authority, except where such audit or inspection reveals that Tebi has materially breached any of its obligations under the DPA.
Except where Tebi is otherwise prohibited by law from making such disclosure, Tebi shall promptly inform Customer if: (i) it receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the processing of Personal Data under this DPA, if it concerns Customer Data; or (ii) it intends to disclose Personal Data to any competent public authority.
Tebi shall ensure that any employee, agent, independent contractor, or any other person engaging in the provision of the Services and who has access to Personal Data of Customer, shall comply with all data protection and privacy laws and regulations (including any and all legislative and/or regulatory amendments or successors thereto), applicable to Tebi.
B10. Data inquiries.
Customer may, at any time, contact Tebi at [email protected] with all questions and suggestions concerning data protection.
B11. General provisions.
Any amendments or supplements to this DPA must be made in writing. The same applies to any waiver of any right or obligation under this DPA. The order of precedence of individual contractual agreements shall remain unaffected thereby. Tebi reserves the right to amend this DPA at any time with effect for the future. Amendments will only be made if the following objective reasons exist:
- if the amendment helps to bring the DPA in line with applicable law, in particular if the applicable legal situation changes;
- if the amendment enables Tebi to comply with mandatory judicial or administrative decisions;
- if the amendment reflects details of a new or updated Tebi Service or of new or updated technical or organizational processes and the existing contractual relationship with Customer is not affected to Customer’s detriment;
- if the amendment is solely to Customer’s advantage.
If any provision of this DPA is or becomes invalid or impracticable in whole or in part, the validity of the remaining provisions shall not be affected thereby.
This DPA shall be effective for the entire License Term and this DPA terminates on the date on which the Agreement has expired or is terminated.
B12. Tebi’s Security Measures.
The following description provides an overview of the technical and organizational security measures implemented by Tebi:
a. Data Protection.
- Tebi will process the Personal Data as a data processor, only for the purpose of providing the Services in accordance with documented instructions from Customer (provided that such instructions are commensurate with the functionalities of the Services), and as may be agreed to with Customer.
- Tebi implements and maintains appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.
- Tebi ensures that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Personal Data.
- In-transit: Tebi implements HTTPS encryption on all of its login interfaces. Tebi’s HTTPS implementation uses industry standard algorithms and certificates.
- At-rest: Tebi implements encryption at rest to protect against data loss.
b. Access Control
Preventing Unauthorized Product Access.
Outsourced processing: Tebi hosts its services on third party hosting infrastructure in the form of data centers and Infrastructure-as-a-Service (IaaS). Additionally, Tebi maintains contractual relationships with vendors in order to provide the Services in accordance with the DPA. Tebi relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Tebi hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of Tebi’s infrastructure providers are audited for SOC 2 Type II, ISO 27001 and PCI DSS compliance, among other certifications.
Authentication: Tebi implemented a strong authentication mechanism for Tebi users accessing its customer products.
Authorization: Customer data is stored in multi-tenant storage systems accessible to customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Tebi’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
c. Incident Management Control
- Detection: Tebi designed its infrastructure to log extensive information about the system behavior, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of, unintended, or anomalous activities. Tebi personnel, including security, operations, and support personnel are responsive to known incidents.
- Response and tracking: Tebi maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident remediation. Suspected and confirmed security incidents are investigated by security, operations or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, Tebi will take appropriate steps to minimize product and customer damage or unauthorized disclosure.
- Communication: If Tebi becomes aware of unlawful access to customer data stored within its products, Tebi will: (i) notify the affected customers of the incident; (ii) provide a description of the steps Tebi is taking to resolve the incident; (iii) provide status updates to the customer contact, as it deems necessary or is legally required. Notification of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Tebi selects, which may include via email or telephone.