EVENT

Aprimo UK Terms and Conditions

These Aprimo UK Terms and Conditions were last updated on the 7th of January, 2025.

These Aprimo UK Terms and Conditions (this “Agreement”) are made as of the date shown on the Order Form (“Effective Date”) between Aprimo Marketing Operations UK Ltd (registered in England and Wales under Company No: 10162761) whose registered office is at Suite 1, 7th Floor, 50 Broadway, London, SW1H 0BL, United Kingdom (“Aprimo”) and the customer or enterprise listed within and signatory to each such Order Form (“Customer”), each a “Party” and together collectively referred to as the “Parties”.

Where Customer has signed an Order Form, Customer agrees to be bound by this Agreement.

WHEREAS:
Aprimo is the licensor of a cloud based software platform; and the Customer wishes to access and use the Aprimo platform in return for the payment of fees and subject to the terms and conditions of this Agreement. In consideration of the foregoing the Parties agree as follows:

Definitions: 

“Agreement” means these terms and conditions, any attached Schedules, any Order Form (including any statement of work) together with any variations of the same; 
“Confidential Information” means all information which is marked or designated as confidential or should otherwise be considered confidential due to its nature (and includes, but is not limited to, electronic data or databases, drawings, films, documents, computer readable media or oral information) which is disclosed by one Party (the “Disclosing Party”) to the other (the “Receiving Party”) or otherwise obtained by the Receiving Party in respect of the Disclosing Party and its business and operations. “Confidential Information” includes, but is not limited to, commercial, financial and technical information and data and information and data which concern the Parties’ current and future products and services, pricing, customers, suppliers, licensors and marketing plans (if any) in connection with the provision of the Services under this Agreement; 
“Force Majeure Event” means any cause affecting the performance by a Party of its obligations arising from acts, events, omissions, happenings or non-happenings beyond its reasonable control, including acts of God, riots, war or armed conflict, acts of terrorism, acts of government, local government or regulatory bodies, fire, flood, storm or earthquake, or disaster, interruption of or delay in transportation, unavailability of or interruption or delay in telecommunications or third party services, failure of third party software or inability to obtain raw materials, supplies or power but excluding any industrial dispute between the Customer and Aprimo or any failure in any sub-contractor Aprimo uses to deliver any Services under this Agreement; 
“Intellectual Property Rights” means all intellectual property rights wherever in the world arising, whether registered or unregistered (and including any application), including copyright, know-how, moral rights, trade secrets, business names and domain names, trademarks, service marks, trade names, patents, petty patents, utility models, design rights, semi-conductor topography rights, database rights, rights in any software and all rights in the nature of unfair competition rights or rights to sue for passing off; 
“Order Form” means the initial order executed between the Parties together with any supplemental or renewal order(s) under this Agreement; 
“Professional Services” means the provision of consulting services as specified in the applicable Order Form or statement of work; 
“Professional Services Fees” means the amount due and payable for the Professional Services; 
“Services” means any Professional Services as well as access and use by the Customer of the System, to which the Customer is granted access to and use of under this Agreement and which includes (i) online and/or telephone customer support to Customer in accordance with Aprimo’s customer engagement guide; and (ii) hosting of the System, in accordance with its specifications and the Service Level Agreement in Schedule A; 
“Subscription Fee” means the amount due and payable, annually in advance for the Subscription Period; 
“Subscription Period” means the period of subscription to the Service as defined in an Order Form; 
“System” means the modules of Aprimo’s platform specified in the applicable Order Form. 

1. Subscription Licence. 

1.1 Upon execution of an Order Form, and payment of the Subscription Fees, Aprimo grants the Customer a personal, non-transferable (without the right of sub-licence), non-exclusive, revocable subscription licence to access and use the System for the Subscription Period for the limited purpose of managing its internal business operations. 
1.2 The Customer’s licence rights are limited to those granted in this Agreement and as specified in an Order Form. Except as expressly agreed in writing by Aprimo, the Customer shall not directly or indirectly reverse engineer, attempt to derive the source code, copy or reproduce all or any portion of the System, whether electronically, mechanically or otherwise, in any form including, but not limited to, the copying of presentation, style or organization. 
1.3 The Customer shall use the System and the Service solely for its intended purposes, in accordance with the terms of this Agreement, and shall not use the System and/or the Service for the benefit of any third party except as specifically contemplated under this Agreement. 
1.4 The Customer shall not: (a) use the System for any content or activity that is libelous, slanderous, defamatory, offensive, scandalous, or obscene, or infringes on any third party’s rights, or violates any applicable law; or (b) introduce into the System any viruses, Trojan horses, worms, time bombs, cancel bots or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; or (c) perform any load or similar testing without Aprimo’s written consent. 
1.5 The Customer shall not allow the System and/or the Service and/or Professional Services to be used in breach of any reasonable instruction given by Aprimo, or that causes Aprimo to be subject to any criminal prosecution, enforcement action, civil claim or other action or liability. 
1.6 Access to the System and its various components, whether by authorized users within Customer’s business or by other entities or businesses who Customer permits to access the System as “affiliates” or otherwise in connection with a business relationship with Customer, will be subject to this Agreement. 
1.7 Aprimo may, from time to time, update or modify any component of the System, release new versions of the System or create new features or functionality related thereto, each of which will, to the extent Aprimo makes such versions, features or functionality available to other similarly-situated Aprimo subscribers, be included within the System. 
1.8 Aprimo reserves the right to develop additional functionality that may become part of future released modules that would require an additional Order Form. 

2. Fees and Payment. 

2.1 Aprimo will invoice the Customer for the Subscription Fees and any Professional Services Fees (collectively the “Fees”) in accordance with the payment plan set out in the Order Form. 
2.2 All payments shall be due thirty (30) days from the date of the invoice. Fees which are more than thirty (30) days overdue shall accrue late charges from the date such payment was due until the date paid at a rate equal to the lesser of 15% per annum or the maximum rate permitted by applicable law. 
2.3 The Customer may not offset Fees due under this Agreement for any reason, and Customer agrees to reimburse Aprimo for all reasonable costs (including attorney’s fees) incurred in collecting past due Fees owed by Customer. 
2.4 Any travel and other expenses incurred by Aprimo in completing the Professional Services will be invoiced separately, on a monthly basis. 
2.5 If the Customer wishes to dispute an invoice, it must notify Aprimo within fourteen (14) days from the date of the invoice, with details of the dispute. The Customer may only withhold payment of the specific sums subject to such notified dispute. 
2.6 All Fees exclude taxes and Customer agrees to pay any applicable taxes charged arising from this Agreement in a timely manner. If Customer is tax-exempt, Customer shall provide Aprimo with its tax-exemption number and certificate within five (5) business days after the Effective Date. Customer shall be responsible for any liability or expense incurred by Aprimo as a result of Customer’s failure or delay in paying taxes due or if Customer’s claimed tax exemption is rejected. If Customer is legally required to withhold tax from its payment of Fees to Aprimo, Customer agrees to gross up all Fees that are subject to such withholding tax, such that the net payment received by Aprimo is the full originally stated amount of such Fees. 
2.7 Aprimo reserves the right to vary the Fees with effect from the end of the Subscription Period and subsequent anniversaries thereof by providing not less than 28 days written notice to Customer. 
2.8 Aprimo reserves the right to suspend access to the System if Aprimo reasonably believes that the Customer has used the System in an unauthorized or illegal manner, if the Customer is in breach of any of its obligations under this Agreement, if any regulatory authority requires Aprimo to suspend access, if necessary to carry out emergency maintenance, or if the Customer fails to make payment of any undisputed amounts within thirty (30) days of the due date for such payment, provided that Aprimo has notified the Customer that such payment is overdue. 

3. Term and Termination. 

3.1 This Agreement shall continue in full force beginning on the Effective Date and ending on the date which is thirty-six (36) months from the Effective Date, (“Term”). 
3.2 The Subscription Licence granted under Clause 1.1 shall commence on the Effective Date and will continue for the duration of the Subscription Period. 
3.3 In the event any Order Form provides for a Subscription Period that extends beyond the Term, the Term of this Agreement shall automatically be deemed to be extended through the termination date of such Order Form. 
3.4 Either Party shall be entitled to terminate this Agreement immediately upon written notice to the other Party in the event that the other Party (i) declares bankruptcy, or (ii) or has committed an act of bribery directly linked to this Agreement, or (iii) breaches any material term set forth herein and fails to cure such breach within 30 days from the date of receipt of written notice thereof (or, to the extent the applicable breach is not susceptible to cure within a 30-day period, commences actions to cure such breach within such period and diligently pursues such cure until the applicable breach has been remedied). 
3.5 In the event of termination of this Agreement by Aprimo as a result of a breach by the Customer, or upon expiry of the Subscription Period, all rights granted to the Customer under any licence in this Agreement shall cease and the Customer shall stop using the System or Service as relevant. 
3.6 Sections 3 through 14 of this Agreement shall survive any termination of this Agreement. 

4. Intellectual Property. 

4.1 All Intellectual Property Rights in the System and the Service including any supporting software and documentation are the property of Aprimo or its licensors. The Aprimo name, logo and product names associated with the System and the Service are trademarks of Aprimo and its licensors, and no right or licence is granted to use them. Without limiting the foregoing, Aprimo retains sole and exclusive ownership of all rights, title, and interest in its artificial intelligence models, algorithms, software, technology, products and services, and any modifications, alterations, improvements, enhancements, or derivatives arising from or related thereto. Customer acknowledges and agrees that it does not acquire any ownership rights in Aprimo’s intellectual property. Customer’s rights are limited to accessing and using the Services and System as provided by Aprimo. 
4.2 The Customer shall not, either during the Subscription Period or after the expiry of this Agreement, permit or cause to occur any infringement of any Intellectual Property Rights covered by this Clause 4. 
4.3 Customer grants to Aprimo a limited, worldwide, non-exclusive, sublicensable right during the subscription period of the applicable Order Form to host, copy, process, display, anonymize, aggregate, modify, create derivatives of, and otherwise use Customer intellectual property (including Customer’s data) as necessary for Aprimo to provide the Services, System and Professional Services to Customer. 
4.4 If Customer provides Aprimo with suggestions, enhancements, recommendations, or other feedback on the System (“Feedback”), Customer hereby assigns to Aprimo all right, title, and interest in and to the Feedback and Aprimo is free to use the Feedback for any purpose. 

5. Confidentiality. 

5.1 Each Party undertakes to treat as confidential all Confidential Information of the other Party and not to use such Confidential Information for any purpose other than to the limited extent necessary to perform under this Agreement and not to disclose such Confidential Information to any third party except as may be reasonably required pursuant to this Agreement and subject to confidentiality obligations at least as protective as those set forth herein. 
5.2 Without limiting the generality of the foregoing, each Party shall use at least the same degree of care which it uses to prevent the disclosure of its own confidential information, provided, however, that in no event shall such degree of care be less than reasonable in light of general industry practice. 
5.3 The Parties hereby agree that the terms set forth in this Agreement constitute Confidential Information of both Parties and as such, neither Party will disclose such terms to any third party other than such Party’s legal counsel. 
5.4 Notwithstanding the foregoing, Aprimo shall be entitled to list Customer as a client on Aprimo’s website and/or in marketing materials. 
5.5 The duties imposed on the Parties by Clauses 5.1 to 5.3 above do not extend to information or data which at the time of its disclosure or use by the receiving Party: a) is generally available and known to the public other than by reason of the receiving Party’s breach of this clause 5; b) the receiving Party can demonstrate had previously come lawfully into the receiving Party’s possession from a third party under no restriction as to its use or disclosure; or c) the receiving Party can demonstrate that it developed independently without reliance on Confidential Information of the other. 
5.6 Each Party agrees and acknowledges that damages alone may not be an adequate remedy for breach of this clause 5 and that each Party may be entitled to seek injunctive or other equitable relief to remedy or prevent any breach or threatened breach of this clause 5. 

6. Representations; Warranties; Disclaimers. 

6.1 Each Party represents and warrants that: (i) it has the authority to enter into this Agreement and to perform the services required of it hereunder; and (ii) it will comply with all applicable laws and regulations in carrying out its responsibilities hereunder. 
6.2 Aprimo represents and warrants that (i) it will perform the Service and Professional Services hereunder using reasonable skill and care and in a professional manner consistent with industry practices; and (ii) the System will operate substantially in accordance with the specifications made available to Customer by Aprimo (“Documentation”). 
6.3 Customer represents and warrants that: (i) it has obtained, and will maintain, all necessary rights, consents, and permissions required by law, including, without limitation, any consents required from data subjects (including where such data subjects are authorized users of the System or consumers of Customer), to collect, process, and share Customer’s intellectual property, including, without limitation, any of Customer’s personal data and other data, with Aprimo in connection with Customer’s use of the Services and System; (ii) the collection, processing, and sharing of Customer’s data with Aprimo complies with all applicable laws, regulations, and contractual obligations, including, but not limited to, intellectual property, data protection, and privacy laws; and (iii) its actions in relation to Aprimo’s Services and System will not infringe or violate the rights of any third party.  
6.4 Except as explicitly set forth herein, neither Aprimo nor its employees, affiliates, agents, suppliers, licensors, or the like makes any warranties of any kind, whether express or implied, including, without limitation: (a) warranties of merchantability, non-infringement, or fitness for a particular purpose; (b) warranties regarding System uptime or downtime; (c) warranties as to the results that may be obtained by the other Party by entering into this Agreement and/or the business relationship described in the Order Form(s); (d) warranties regarding the Services or System, including any related software, technology, results, or outputs used or generated therefrom; or (e) the accuracy, reliability, or completeness of any results or outputs provided by Aprimo’s platform, THE SERVICES, THE SYSTEM, SOFTWARE, technologies, or related AI models. Customer understands and agrees that it is solely responsible for the use of the Services and System and assumes all risks associated therewitH. Customer should not rely on the accuracy of any AI model, result, output, or information made available through Aprimo’s platform or technologies. No oral or written information or advice provided by Aprimo will create any warranty not expressly stated herein. The Services, System, related AI models, and any outputs provided by Aprimo are provided “AS-IS,” without any warranties, express or implied, including but not limited to: (i) accuracy or reliability; (ii) merchantability or fitness for a particular purpose; (iii) non-infringement of third-party rights; (iv) non-interference with Customer’s operations; or (v) that the Services, System, or AI models will be uninterrupted, free from flaws, error-free, or free from defects. 

7. Certain Responsibilities. 

7.1 The Customer is responsible for: (i) maintaining all of its user devices and providing its permitted users with equipment and internet services sufficient to access and utilize Aprimo; and (ii) configuring necessary user accounts in connection with use of the System. 
7.2 The Customer is responsible for administering, and keeping current, all System user accounts, which includes monitoring the employees that have access to the System as users, at all times, and ensuring that former employees or employees that are no longer required to have access to the System do not retain active user accounts. 
7.3 The Customer shall be solely responsible for: (i) inputting all data into the System unless otherwise specified in an Order Form; (ii) maintaining confidentiality as may be required in connection with any data entered into the System; (iii) ensuring that each of Customer’s permitted users within its business complies with the terms set forth herein; (iv) maintaining all passwords and access codes to the System, and refraining from sharing or otherwise permitting third parties to use any such passwords and/or access codes; (v) obtaining any and all consents from relevant data subjects in relation to data privacy laws; and (vi) installing the SDK and JavaScript on Customer’s websites and applications, to the extent applicable. 
7.4 The Customer shall provide Aprimo, its agents, subcontractors, consultants and employees, in a timely manner and at no charge, with access to the Customer’s Sites, information, data remote access and other facilities as reasonably required by Aprimo to provide access to the System and to perform the Professional Services. 

8. Indemnification.
 
8.1 Aprimo will defend or settle any suit brought by a third party against the Customer alleging that the System infringes any third party patent, copyright and/or trade secret rights (“IPR Claim”) and Aprimo shall indemnify Customer for damages awarded as a result of such IPR Claim. 
8.2 The indemnity at Clause 8.1 is conditional upon the Customer giving Aprimo notice promptly upon receipt of any IPR Claim, giving Aprimo sole control of the defence of such claim, including negotiations, appeals, and settlements, and giving Aprimo reasonable information and assistance as requested. 
8.3 The indemnity at Clause 8.1 will not apply to any infringement arising from: (a) any modification of the System made by any party other than Aprimo; (b) a modification or enhancement to the System pursuant to designs provided by Customer; (c) the combination, operation or use by Customer of the System with any equipment, software, or devices not supplied by Aprimo to the extent the claim would have been avoided if the System were not used in such combination. Further (if and to the extent applicable to Customer), in the event Customer activates, accesses, or uses any of the following artificial intelligence features: (i) Content Coach, (ii) Smart Transform; or (iii) Smart Actions (collectively, the “Generative Features”) and accesses, develops, generates, creates, derives, or uses generative ‘outputs’ from the Generative Features (the “Generative Outputs”), then Aprimo shall bear no liability, nor shall Aprimo be responsible for indemnifying, defending or holding harmless Customer for any allegation, claim, dispute or otherwise arising under, related to, or in connection with Customer’s access or use of the Generative Features or Generative Outputs, including but not limited to allegations or claims of disinformation, discrimination, harassment, and infringement. 
8.4 If the System is held to infringe, or in Aprimo’s opinion the System is likely to be held to infringe any Intellectual Property Rights of a third party, Aprimo may at its sole discretion and expense, either: (a) secure the right for Customer to continue use of the infringing System; (b) replace or modify the infringing System to make it non infringing, provided such replacement or modified system contains substantially similar functionality; or (c) terminate the licenses to the infringing System granted hereunder. If Aprimo elects to terminate the licenses under (c), as Customer’s sole and exclusive remedy, Aprimo shall refund to Customer any prepaid, unused license fees for the infringing System indicated on the related Order Form. 

9. Limitation on Liability.
 
9.1 BOTH PARTIES ACCEPT UNLIMITED LIABILITY FOR: a) DEATH OR PERSONAL INJURY CAUSED BY ITS NEGLIGENCE; OR b) DECEPTIVE CONDUCT, FRAUD OR FRAUDULENT MISREPRESENTATION; OR; c) ANY OTHER ACT OR OMISSION FOR WHICH LIABILITY CANNOT BE LIMITED BY LAW. 
9.2 SUBJECT TO CLAUSE 9.1, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF GOODWILL, LOSS OF REPUTATION, LOSS OF ANTICIPATED SAVINGS, LOSS OF BUSINESS, LOSS, CORRUPTION OR DESTRUCTION OF DATA. 
9.3 SUBJECT TO CLAUSE 9.1, NEITHER PARTY’S LIABILITY ARISING OUT OF THIS AGREEMENT, WHETHER BASED IN CONTRACT, TORT OR ANY OTHER LEGAL THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES SHALL IN NO EVENT EXCEED 150% (ONE HUNDRED AND FIFTY PERCENT) OF THE FEES PAID TO APRIMO HEREUNDER DURING THE 12-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE ON WHICH THE APPLICABLE CLAIM AROSE, EXCEPT FOR (I) APRIMO’S INDEMNIFICATION OBLIGATION IN CLAUSE 8, AND (II) CUSTOMER’S BREACH OF CLAUSE 1. 
9.4 IN NO EVENT WILL APRIMO HAVE ANY LIABILITY FOR NON-PROVISION OR DELAY IN THE PROVISION OF THE SYSTEM, THE SERVICE AND/OR PROFESSIONAL SERVICES WHICH CAN BE REASONABLY ATTRIBUTED TO THE ACTS OR OMISSIONS OF THE CUSTOMER, ITS EMPLOYEES, SUB-CONTRACTORS, AGENTS OR CUSTOMERS; AND/OR OCCURS DURING ANY PERIOD OF SCHEDULED MAINTENANCE. 

10. Force Majeure. 

10.1 Excluding payment obligations hereunder and/or within an Order Form, neither Party shall be liable to the other Party for failure or delay in performing its obligations hereunder if such failure or delay is due to a Force Majeure Event. 
10.2 If a Force Majeure Event affects the performance of the claiming Party for ninety (90) consecutive days, the non-claiming Party may terminate this Agreement, or an affected Order Form, upon not less than thirty (30) days prior written notice to such Party. 

11. Governing Law and Dispute Resolution. 

11.1 The rights and obligations of the Parties under this Agreement and each Order Form shall be governed by the laws of England and Wales and the Parties submit to the jurisdiction of the English courts. 
11.2 Any dispute or claim arising out of or in connection with this Agreement, an Order Form or the performance, breach or termination thereof, shall be finally settled by arbitration in England under the rules of arbitration of (CEDR) the Centre for Effective Dispute Resolution. 

12. Data Protection. 

12.1 For the purposes of this clause 12, the meaning of Data Processor and Data Controller shall be determined in accordance with Regulation (EU) 2016/679 of 27 April 2016 (the “General Data Protection Regulation” or “GDPR”) and the Data Protection Act 2018. 
12.2 Each Party undertakes to the other Party that, in carrying out its obligations under this Agreement, it will comply with its obligations under GDPR and the Data Protection Act 2018, the UK GDPR and any codes of conduct or guidelines issued by the relevant regulatory authorities and in accordance with Data Protection provisions in Schedule B. 
12.3 The Customer and Aprimo acknowledge that for the purposes of GDPR and the Data Protection Act 2018, the Customer is the Data Controller and Aprimo is the Data Processor in respect of any Personal Data (as defined in Schedule B Data Protection provisions) processed under this Agreement. 

13. Anti-Bribery. 

13.1 The Parties agree they shall respect and comply with all applicable legislation regulating the prohibition of corruptive acts (hereinafter: anti-corruption legislation) in the contractual territory. Neither contracting party shall require of the other party and its associated or affiliated companies, directors, clerks, shareholders, employees, representatives or agents across the world to violate the applicable anti-corruption legislation. 
13.2 Without limitations to the aforesaid, the Parties hereto guarantee that no person shall give, offer, agree with, promise to give, or authorise to give either directly or indirectly, to any third party money or other valuable objects as an incentive or reward for obtaining a favour or omitting an action or exerting influence on a) any government official or employee of the public sector (including employees in state-owned companies or agencies or companies and agencies controlled by the state); b) any political party, its official or candidate; c) any intermediary; to pay anything stated above, or d) any person or subject; in order to obtain or retain in a corruptive or inappropriate manner a business deal or any other business benefit, for example to obtain a permit or approval under the condition that any such acts are against the currently valid legislation applicable in a specific territory. 
13.3 If a Party violates the provisions of the first or second paragraph of this Clause 13, the other Party may terminate this Agreement with immediate effect. 
13.4 The Parties undertake that they, their directors, top managers and other employees shall not offer, promise, give, authorise, induce or accept any unauthorised reward in cash or other benefit of any kind in relation to this Agreement (or give hints that they shall or could undertake any such act at any time in the future). 
13.5 If the fourth paragraph of this Article is violated, the Agreement shall be deemed null and void. 

14. Miscellaneous. 

14.1 Each Party shall pay its own costs and expenses in connection with this Agreement and its activities hereunder. 
14.2 Aprimo shall be entitled to subcontract portions of the Services and/or various of its responsibilities hereunder to third parties, it being understood that Aprimo shall be responsible for actions taken by each such subcontractor hereunder. 
14.3 This Agreement, together with each Order Form, supersedes all prior written or oral agreements between the Parties regarding the subject matter hereof and supersedes any contradictory or additional language in any purchase order. 
14.4 The relationship between the Parties under this Agreement is that of independent contractors and neither shall be, nor represent itself to be, the joint venture, partner, agent or representative of the other Party. 
14.5 This Agreement may only be amended by written agreement of the Parties. 
14.6 This Agreement shall inure to the benefit of and be binding upon the Parties hereto and their respective successors and assigns, but shall not be assignable by either Party other than to an assignment to an Affiliate or in the event of change of control, including but not limited to an entity acquiring substantially all of its assets, equity or business and assuming the obligations hereunder. 
14.7 Any notice pursuant this Agreement shall be deemed effective when delivered in person, or by pre-paid ordinary first class post to the address on the front page of this Agreement or any other address notified in writing. Notices delivered by hand during business hours will be served on the day they are delivered. Notice sent by first class post will be deemed served on the second business day after the date they are posted. 
14.8 A person who is not a Party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement, but this does not affect any right or remedy of a third party which exists or is available apart from under that Act. 
14.9 If any provision of this Agreement is held to be unenforceable or invalid for any reason, or if any governmental agency rules that any portion of this Agreement is illegal or contrary to public policy, the remaining provisions, to the extent feasible, will continue in full force and effect with such unenforceable or invalid provision to be changed and interpreted to best accomplish its original intent and objectives. 
14.10 Aprimo or Customer may assign its respective rights and obligations under this Agreement, without the consent of the other party, to: (a) an Affiliate; or (b) a successor to the assigning party’s business or assets related to this Agreement, including but not limited to an entity acquiring substantially all of its assets, equity or business and assuming the obligations hereunder. Upon a requested assignment, name change, replication or similar request by Customer, the Customer and its new party shall sign all reasonably necessary documents required by Aprimo including documentation regarding the authorization of a new URL and any data changes.  

SCHEDULE A: SERVICE LEVEL AGREEMENT 

1. SERVICE LEVELS

System Availability; Service Levels. Aprimo shall use commercially reasonable efforts to provide availability of the System. If the Customer encounters Server Downtime (excluding any test & development environments) more than one percent (1%) of the time during any month, Customer shall be entitled to a credit equal to the pro rata amount of System Fees applicable to that month relating to such unavailability, up to an aggregate amount of up to ten (10%) of its applicable monthly System Fees for such month. For purposes of this section, Server Downtime percentage in a calendar month shall mean the percentage derived by dividing (x) the total number of minutes that the System is unavailable due to Server Downtime in such month; by (y) the total number of minutes in the month. If for any reason other than a Force Majeure Event (a) Server Downtime is greater than ten percent (10%) for one calendar month or (b) Server Downtime for the prior three (3) consecutive months is greater than three percent (3%) per month, then Customer shall be entitled to terminate the applicable Order Form for material breach and receive a refund of any prepaid System Fees allocable to the post-termination period.

2. CUSTOMER SUPPORT 

Response Times. Aprimo measures Response Time as the interval between Customer’s initial contact (via electronic receipt of case or phone call) to Aprimo and the first contact (via electronic receipt or phone call) with an Aprimo Customer Services support analyst.


Initial Response Times 

Priority 1– 2 hours 
Priority 2 & 3  Next Business Day 


Status Updates

Priority 1– Hourly 
Priority 2– Once every 2 days 
Priority 3– Once every 5 days 

3. MAINTENANCE & BACKUP

Maintenance; Updates. Aprimo shall advise Customer prior to any scheduled maintenance that requires Aprimo to take down the System. Aprimo shall not be responsible for any damages or costs incurred by Customer or any user during or as a result of the scheduled down time or down time as to which Aprimo has provided notice to Customer.

Backup and Recovery Requirements. Aprimo will perform a running archive on the System in conformity with Aprimo’s then current backup procedures and policies.

Exclusions. Aprimo shall have no support obligations with respect to any hardware or software product other than the System (“Nonqualified Products”).

4. DEFINITIONS

Capitalized terms which are not defined herein shall have the meanings set forth in the Agreement. Additionally, the following terms shall have the meanings set forth below.

“Server Downtime” shall mean the time during which the System is not available to be accessed or used by the Customer, as monitored by Aprimo, but shall not include the time the System is unavailable due to scheduled maintenance or unavailability due to improper use of the System by Customer.

Priority 1” shall mean a problem that prohibits use of the product or renders the product inoperable. A Priority 1 case is a catastrophic issue in the Aprimo System, which severely impacts the Customer’s production systems, as they are inaccessible or there is a system wide performance degradation making the System unusable.

Priority 2” shall mean a problem that causes a significant impact to the business; however, operations can continue in a degraded fashion. A Priority 2 case is a production issue in which the Customer can access the System, but in a severely reduced capacity. This type of issue is causing significant impact to portions of the Customer’s normal business operations and productivity.

“Priority 3” shall mean a non-critical problem that is impacting the Customer. A Priority 3 case is an issue that is impacting the Customer, but is neither critical nor preventing ongoing use of the System.

SCHEDULE B: DATA PROCESSING ADDENDUM

This Data Processing Addendum, including its Schedules, (“DPA”) forms part of the Aprimo UK Terms and Conditions or other written or electronic agreement between the applicable Aprimo and Customer entities for the purchase of specific software, products and professional services as set out in further detail in the such Aprimo UK Terms and Conditions, including any relevant order forms and statements of work incorporated therein, (“Services”) (and the Aprimo UK Terms and Conditions defined as the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.

In Aprimo providing the Services to Customer pursuant to the Agreement, Aprimo may Processes Personal Data on behalf of Customer. Aprimo and Customer hereby agree to the following in relation to such Processing:

TERMS AND CONDITIONS:

1. DEFINITIONS

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting or ownership interests of the subject entity.

“Aprimo” means the Aprimo entity listed in the Aprimo UK Terms and Conditions and applicable order forms, statements of work, or other documentation incorporated therein by reference.

“Authorized Affiliate” means any of Customer’s Affiliate which (a) is subject to the Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom; (b) is permitted to use the Services pursuant to the Agreement between Customer and Aprimo; and (c) falls under the jurisdiction of this DPA, as expressly intended by Customer and Aprimo.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Customer” means the customer entity that executed the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and its Authorized Affiliates to the extent required by Data Protection Laws.

“Customer Data” means the data that is uploaded, shared or submitted by or on behalf of Customer in relation to the Services provided by Aprimo pursuant to the Agreement.

“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Europe” means the European Union, the European Economic Area, Switzerland and the United Kingdom.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.

“Personal Data” means any information relating to an identified or identifiable natural person where such information is Customer Data.

“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

“Regulator” means a government agency or law enforcement authority.

“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur- lex.europa.eu/eli/dec_impl/2021/914/oj.

“Sub-processor” means any Processor engaged by Aprimo, or if and to the extent applicable, an Aprimo Affiliate and may include Aprimo Affiliate(s) themselves as may be required by Data Protection Laws.


2. PROCESSING OF PERSONAL DATA 

2.1 Customer’s Obligations. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Customer shall ensure it provides or otherwise obtains any required notices and/or consents from Data Subjects under Data Protection Laws such that Aprimo may lawfully Process Personal Data. Further, Customer’s instructions to Aprimo for the Processing of Personal Data shall at all times comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquires Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject or violate Data Protection Laws. Customer agrees not to Process, or allow the Processing of, any Customer Data in connection with the Services that (i) would subject Aprimo to compliance obligations under the Payment Card Industry Data Security Standards (“PCI DSS”); or (ii) qualifies as Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”) or any similar laws or regulations, unless explicitly agreed to in writing by Aprimo. The foregoing restriction includes, without limitation, the Processing of bank account numbers and credit card numbers with the Services. 

2.2 Aprimo’s Obligations. Aprimo shall treat Personal Data as “Confidential Information” (as such term is defined in the Agreement) and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement, including specifically the applicable order forms, statements of work, or similar written instruments as expressly agreed to by Aprimo and Customer; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer, including through e-mail, where such instructions are consistent with the terms of the Agreement and any rights and obligations therein. Furthermore, Aprimo may Process Personal Data in order to comply with Data Protection Laws, including to prevent fraudulent or illegal activity.  

2.3 Details of the Processing. The Processing of Personal Data by Aprimo shall only relate to the provision of the Services as outlined in the Agreement and this DPA. Additional details regarding the duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects involved, are further described in Attachment I of this DPA. 

2.4 Customer Instructions. Aprimo shall inform Customer immediately (i) if, in its reasonable opinion, an instruction from Customer constitutes a breach of Data Protection Law; or (ii) if Aprimo is unable to follow Customer’s instructions for the Processing of Personal Data due to the possibility that it will cause Aprimo to violate of law, regulation or similar. 


3. RIGHTS OF DATA SUBJECTS 

3.1 Data Subject Request. Aprimo shall (where not prohibited by law) promptly notify Customer of any request it has received from a Data Subject (“Data Subject Request”). Aprimo shall not respond to a Data Subject Request and shall provide reasonable cooperation to Customer in responding to such Data Subject Request, including by providing the information reasonably necessary to respond to such Data Subject Request.  

3.2 Required Assistance. Taking into account the nature of the Processing, Aprimo shall assist Customer by implementing and ensuring it maintains appropriate technical and organizational measures consistent with the requirements set forth in Data Protection Laws. 


4. PERSONNEL AND DATA PROTECTION OFFICER 

4.1 Confidentiality, Reliability and Limitation of Access. Aprimo shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.  

4.2 Data Protection Officer. Aprimo, or Aprimo’s Affiliate(s) have appointed a data protection officer. The appointed person may be reached at SecurityTeam@Aprimo.com


5. SUB-PROCESSORS 

5.1 Appointment of Sub-processors. Aprimo itself, or Aprimo’s Affiliates (depending upon the contracting entity to this DPA and the Agreement) may be retained as Sub-processors. Aprimo or Aprimo’s Affiliates may engage third-party Sub-processors to provide the Services to Customer. Aprimo, or Aprimo’s Affiliate (as applicable), has entered into a written agreement with each Sub-processor containing data protection obligations no less protective than those required by Data Protection Laws. 

5.2 List of Sub-processors and Notification of New Sub-processors. Aprimo’s current list of Sub-processors is annexed hereto as Attachment III. Customer hereby consents to these Sub-processors, their locations and processing activities. Aprimo shall provide reasonable notice through a notification (via e-mail, through the Aprimo software, or otherwise) of any additional Sub-processor prior to authorizing any such Sub-processor(s) to Process Personal Data. 

5.3 Objection Right for New Sub-processors. Customer may object to Aprimo’s use of an additional Sub-processor by notifying Aprimo promptly in writing within fifteen (15) days of receipt of Aprimo’s notice. If Customer objects to the additional Sub-processor, Aprimo will use reasonable efforts to make available to Customer a change in the to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Aprimo is unable to make available such change within a reasonable period of time, Customer may terminate the applicable part of the Services with respect only to those Services which cannot be provided by Aprimo without the use of the objected-to Sub-processor by providing written notice to Aprimo. 

5.4 Liability. Aprimo shall be liable for the acts and omissions of its Sub-processors to the same extent Aprimo would be liable if performing the services of each Sub-processor directly under the terms of this DPA. 


6. CERTIFICATIONS; AUDIT; IMPACT ASSESSMENT 

6.1 Certification. Upon Customer’s written request, Aprimo shall make available the information reasonably necessary to demonstrate compliance with this DPA. Upon Customer’s written request which shall be made no more than once in any given twelve (12) month interval, provided this DPA remains in effect, and subject to the confidentiality obligations set forth in the Agreement, Aprimo shall provide a copy of its then current third-party SOC 2 Type II audit report that Aprimo generally makes available to its customers at the time of such request. 

6.2 Audit. Where required by Data Protection Laws, Aprimo shall allow Customer to audit Aprimo solely to demonstrate its compliance with this DPA. Such audit may include inspections and assessments conducted by Customer. With respect to any assessment or audit that is conducted: (i) the timing and scope shall be mutually agreed to by Aprimo and Customer; (ii) the assessment or audit shall be conducted during regular business hours of Aprimo; (iii) Customer shall not have access to Aprimo’s internal systems; and (iv) the audit shall take place not more than once in any twelve (12) month period. The scope of such audit must also be reasonably tailored to verify only Aprimo’s compliance with this DPA, and shall not be permitted for any other purpose. 

6.3 Data Protection Impact Assessment. Upon Customer’s request, Aprimo shall provide Customer with cooperation reasonably necessary to fulfill Customer’s obligation under Data Protection Laws to carry out a data protection impact assessment in relation to the Services. 


7. SECURITY INCIDENT NOTIFICATION 

7.1 Notification. In the event Aprimo becomes aware of a confirmed security breach of Customer’s Personal Data, Aprimo will notify Customer without undue delay. Aprimo shall provide information reasonably requested by Customer in connection with such breach. Aprimo will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any of its notification obligations imposed under Data Protection Laws in connection with such breach. Aprimo shall also act reasonably in remediating and/or taking action that is reasonably necessary to prevent such breach from reoccurring. 


8. REGULATORS  

8.1 Assistance with Regulators. To the extent required by Data Protection Laws, Aprimo will provide Regulators with the information and assistance reasonably necessary to investigate security breaches relating to Customer Personal Data. Aprimo will provide Regulators with information and assistance reasonably necessary to demonstrate that the Services comply with Data Protection Laws to the extent that a Regulator’s request concerns the processing of Customer Personal Data under the Agreement and this DPA.‍ 


9. RETURN AND DELETION OF CUSTOMER DATA 

9.1 Data Deletion. Prior to, or upon expiration or termination of the Agreement, Aprimo shall at the request of Customer in accordance with Aprimo’s then existing data retention and data return policies and procedures: (i) return Customer Data to Customer; or (ii) delete Customer Data. For the avoidance of doubt, immediately following termination or expiration of the Agreement, Aprimo shall have no obligation to store or hold on to Customer Data, unless expressly agreed to in the Agreement. Until Customer Data is deleted or returned, Aprimo shall continue to comply with this DPA. 

9.2 Data Return. If Customer has purchased certain software as part of the Services, Customer may be given the ability to download Customer Data for the duration of the active subscription for such software while the valid order form, statement of work, or similar agreement for such software remains in effect. 


10 AUTHORIZED AFFILIATES 

10.1 Authorized Affiliate Rights and Relationship. To the extent required by law, Authorized Affiliates may only exercise any rights as a Controller in respect to this DPA, through the Customer entity which has signed the Agreement, provided however, only to the extent Authorized Affiliates have established any rights under this DPA pursuant to applicable law and are intended beneficiaries under the Agreement. Any communications relating to any complaint, allegation or claim arising in connection with this DPA, may only be communicated to and discussed with Aprimo by the Customer entity that has signed the Agreement with Aprimo. This DPA itself does not and is not intended to establish direct rights of Authorized Affiliates regarding the provision of the Services. 


11 LIMITATION OF LIABILITY 

11.1 Limits on Liability. The aggregate liability of each Aprimo and Customer and their respective Affiliates, collectively, arising from or related to this DPA, regardless of the legal basis (contract, tort, or otherwise), is governed by the ‘Limitation on Liability’ (or similar) section of the Agreement. References to a party’s liability in that section apply to the total combined liability of that party and its Affiliates under the Agreement and this DPA collectively. 

For clarity, Aprimo’s and its Affiliates’ total liability for all claims by Customer and its Authorized Affiliates under the Agreement and this DPA is a single aggregate limit, covering all claims collectively under both the Agreement and the DPA. This limit does not apply separately to each Authorized Affiliate or the Customer as individual contractual parties to any DPA. 


12 EUROPE SPECIFIC PROVISIONS 

12.1 Definitions.
For the purposes of this section 12, these terms shall be defined as follows: 
“European Personal Data” means the Personal Data subject to European Data Protection Laws. 
“European Data Protection Laws” means the Data Protection Laws applying in Europe. 
“SCC Module 2 and/or 3” means Standard Contractual Clauses, Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor), respectively. 
“Third-Country Transfer” means a transfer of European Personal Data that is not subject to an adequacy decision by the European Commission. 

12.2 GDPR. Aprimo will Process Personal Data in accordance with the GDPR requirements directly applicable to Aprimo’s provision of its Services.
 
12.3 Transfer mechanisms for data transfers. If, in the performance or use of the Services, European Personal Data is subject to a Third-Country Transfer, and the Standard Contractual Clauses are required by European Data Protection Laws to lawfully transfer European Personal Data, the SCC Module 2 and/or 3 transfer mechanisms shall apply in Aprimo’s Processing of Personal Data in relation to the Services. Further, where data transfers are governed by United Kingdom Data Protection Laws, the required International Data Transfer Agreement (“IDTA”) (also commonly referred to as the “Approved Addendum”) issued and approved by the ICO and effective as of 21st of March 2022 shall apply and is fully restated and incorporated herein by reference. The information required to complete the relevant tables in the IDTA shall be deemed completed based upon and consistent with the terms and conditions set forth in this DPA, and in particular, this Section 12, as well as the information set forth in the attachments incorporated by reference. 

In relation to where the SCC Module 2 and/or 3 apply, the following shall be established, to the maximum extent permitted by Data Protection Law, provided that the following does not conflict with the Standard Contractual Clauses: 

Clause 7 of the Standard Contractual Clauses: The optional “Docking clause” shall apply.  

Clause 8.5 of the Standard Contractual Clauses: Section 9 of this DPA shall govern the rights and obligations regarding the deletion of Customer Data and Personal Data in connection therewith. 

Clause 8.9 of the Standard Contractual Clauses: Section 6 of this DPA shall govern Customer’s right to audit Aprimo under this DPA. 

Clause 9(a) of the Standard Contractual Clauses: Section 5 of this DPA shall govern Aprimo’s use of Sub-processors. For the avoidance of doubt, Customer hereby grants to Aprimo general written authorization to engage in Sub-processors in order to provide the Services.  

Clause 11(a) of the Standard Contractual Clauses: The optional paragraph shall not apply.  

Clause 13(a) of the Standard Contractual Clauses: The version of clause 13(a) that applies to Customer shall be included, and if, in accordance with the provisions of such clause 13(a), the Customer and Aprimo may select, the applicable Supervisory Authority, such Supervisory Authority shall be that of the United Kingdom. 

Clauses 14(f), 16(b) and 16(c) of the Standard Contractual Clauses: Where Customer exercises any of its rights to suspend the processing of Personal Data within the Services or its right to terminate any specific Services pursuant thereto, Customer shall notify Aprimo in writing setting out in sufficient detail the material non-compliance and the basis for such determination (including identifying the provisions of the Standard Contractual Clauses with which, in Customer’s reasonable opinion, there is a material non-compliance by Aprimo and the applicable laws and practices that are not met). Within 30 days after receipt of such notice or any other timeframe agreed by the parties, if Aprimo does not: (i) demonstrate that such material non-compliance is not in breach of the Standard Contractual Clauses or (ii) make available to Customer a change in the specific Services or Customer’s use or configuration of the Services that remedies such material non-compliance, then Customer may terminate the specific Services.  

Clause 15.1(a) of the Standard Contractual Clauses: Any and all communications, instructions, notifications, enquiries, requests, correspondence, co-operation, requests and assistance needs between Aprimo and Customer shall be made exclusively through Aprimo and Customer. 

Clause 17 of the Standard Contractual Clauses: Except as otherwise expressly agreed in writing, Option 1 shall apply and the governing law shall be that of United Kingdom. 

Clause 18(b) of the Standard Contractual Clauses: The applicable jurisdiction shall be deemed the United Kingdom.  

Annex I: The details for Annex I are set out in Attachment 1 of this DPA. 
Annex II: The details for Annex II are set out in Attachment 2 of this DPA. 
Annex III: The details for Annex III set out in Attachment 3 of this DPA. 


13. COMPLIANCE 

13.1 Compliance with Laws. If either party determines that any applicable laws prevent its compliance with this DPA, it will promptly notify the other party and attempt to recommend or implement changes to the Processing or Services to address any legal or regulatory concerns. If no feasible solution is available, the Customer may terminate the affected Service or suspend data transfers. 

ATTACHMENT I

A. LIST OF PARTIES 

Data exporter(s): 
1. Name: Customer 
2. Address: As set out in the Agreement and/or Order Form(s) above. 
3. Contact person’s name, position and contact details:  
4. Activities relevant to the data transferred under these Clauses: Digital Asset Management, Software as a Service and related professional services, if set forth in the Agreement.  
5. Role: controller and data exporter.  

Data importer(s):  
1. Name: The Aprimo entity set forth in the Agreement. 
2. Address: Suite 1, 7th Floor, 50 Broadway, London, SW1H 0BL, United Kingdom 
3. Contact person’s name, position and contact details: Darren Del Duco, DPO darren.delduco@aprimo.com with a copy to SecurityTeam@Aprimo.com
4. Activities relevant to the data transferred under these Clauses: Digital Asset Management, Software as a Service and related professional services, if set forth in the Agreement.  
5. Role: Processor and importer.  

B. DESCRIPTION OF TRANSFER 
Categories of data subjects whose personal data is transferred 

  • Customer may submit Personal Data to the Services, the extent of which is determined exclusively by the Customer, provided Customer is compliant with the terms of the Agreement. Data Subjects may include, without limitation: Employees, contractors and/or other individuals who may be authorized to receive or participate in the receiving of Services from Aprimo, such as “end users” who access Aprimo’s software.  
  • With respect to Content Intelligence and Content Personalization (if applicable): Where Customer Data includes Personal Data of Customer, such Personal Data will be anonymized at the source with Customer prior to transmitting or transferring such Customer Data to Aprimo.  

Categories of personal data transferred

  • Individual Name (First and Last); 
  • Individual Business Email; 
  • Employer; 
  • Geo-location;  
  • Login time; 
  • Audit Analytics; 
  • Photos (if applicable, at Customer’s discretion); 
  • Only applicable for specific instances where certain Artificial Intelligence products and features are used: Aprimo may use Microsoft Corporation face recognition technology to process Customer’s users’ biometric data as its service provider or Sub-processor. Microsoft may process and store face templates for the purposes of providing face verification and/or identification services on Aprimo’s behalf. 

Frequency of personal data transferred

  • Continuous basis for the duration of the Agreement, as agreed between Aprimo and Customer.

Nature of the processing

  • To provide the Services described in this Agreement. 

Purpose(s) of the data transfer and further processing 

  • To provide the Services described in the Agreement, in accordance with instructions provided by Customer. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

C. COMPETENT SUPERVISORY AUTHORITY 

The Information Commissioner’s Office (ICO) UK  

ATTACHMENT II

Aprimo maintains the following technical, organizational measures to ensure the security of Personal Data: 

Measures of pseudonymisation and encryption of personal data  • Pseudonymization, where possible; 
• Encryption at rest and encryption in transit;  
• Limited timespan for using personal data “in the clear” (i.e., in identifiable form); 
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services  • Confidentiality arrangements; 
• Information security policies and procedures;  
• Backup procedures; 
• Remote storage; 
• Mirroring of hard disks (e.g., RAID technology); 
• Uninterruptible power supply; 
• Anti-virus/firewall protection, security patch management; 
• Intrusion prevention, monitoring and detection; 
• Availability controls to protect personal data against accidental destruction or loss; 
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident  • Business continuity plan; 
• Disaster recovery procedure; 
• Incident response plan; 
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing  • Internal and external audit program, audit reports and documentation; 
• Testing of back up processes and business continuity procedures; 
• Risk evaluation and system monitoring on a regular basis; 
• Vulnerability and penetration testing on a regular basis; 
Measures for user identification and authorisation  • Internal policies and procedures; 
• User authentication controls, including secure methods of assigning selecting and storing access credentials and blocking access after a reasonable number of failed authentication access; 
• Restricting access to certain users; 
• Access granted based on a need-to-know, supported by protocols for access authorization, establishment, modification and termination of access rights; 
• Logging and reporting systems; 
• Control authorization schemes; 
• Differentiated access rights (profiles, roles, transactions and objects);  
• Monitoring and logging of accesses; 
• Disciplinary action against employees who access personal data without authorization; 
• Reports of access; 
• Access procedure; 
• Change procedure; 
Measures for the protection of data during transmission  • Encryption in transit;  
• Pseudonymization, where possible; 
• Transport security; 
• Network segregation; 
• Logging; 
• Electronic signatures; 
Measures for the protection of data during storage  • Encryption at rest; 
• Access controls; 
• Separation of databases and logical segmentation of Customer personal data from data of other vendor customers; 
• “Internal client” concept / limitation of use; 
• Segregation of functions (production/testing); 
• Procedures for storage, amendment, deletion, transmission of data for different purposes; 
• Process Personal Data in multiple separate locations or by using multiple parties; 
Measures for ensuring physical security of locations at which personal data are processed  • Establishing security areas, restriction of access paths;  
• Establishing access authorizations for employees and third parties with a need-to-know; 
• Access control system (ID reader, magnetic card, chip card);  
• Key management, card-keys procedures; 
• Door locking (electric door openers etc.); 
• Security staff, janitors; 
• Surveillance facilities, video/CCTV monitor, alarm system;  
• Securing decentralized processing equipment and personal computers; 
Measures for ensuring events logging  • User identification and authentication procedures; 
• ID/password security procedures (special characters, minimum length, change of password); 
• Automatic blocking (e.g., password or timeout); 
• Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts; 
• Creation of one master record per user; 
• Encryption and pseudonymization; 
Measures for ensuring system configuration, including default configuration  • Up-to-date baseline configuration documentation and settings; 
Measures for internal IT and IT security governance and management  • Information security policies and procedures; 
• Incident response plan; 
• Regular internal and external audit:  
• Review and supervision of information security program; 
Measures for certification/assurance of processes and products  • ISO27001 comply with requirements but not certified 
• SOC II 
Measures for ensuring data minimisation  • Documentation regarding which data categories need to be processed; 
• Ensure that the minimum amount of data is processed to fulfill the purpose of the processing; 
• Personal data is stored in the EU or US and only remote access or view-only access is enabled; 
Measures for ensuring data quality  • Personal data is kept accurate and up to date; 
• Data is corrected upon request or where necessary; 
Measures for ensuring limited data retention  • Records retention schedule; 
• Data retention policy; 
• Personal data is deleted or irreversibly anonymized after expiration of the retention period; 
Measures for ensuring accountability  • Internal policies and procedures; 
• Privacy by design and by default; 
• Records of data processing activities; 
• Privacy Impact Assessments, where required; 
• Adequate agreements with third parties; 
• Criteria for selecting the sub-processors; 
• Vendor onboarding process and questionnaire; 
• Monitoring of contract performance; 
• Information Security training program; 

ATTACHMENT III

Name of a Sub-processor Processing Activities Country/Location of processing 
Microsoft Corporation Hosting Provider and Enablement of Artificial Intelligence Features (Only applicable where customer purchases certain AI productsUSA 
Service Now, Inc. Customer Support Portal USA 
Pendo Informational Guidance USA 
Aprimo Philippines Inc. Operations, Support, R&D Philippines 
Aprimo Marketing Operations UK Ltd. (if Aprimo’s contracting entity is Aprimo US LLC) Operations, Support, R&D United Kingdom 
Aprimo US LLC (if Aprimo’s contracting entity is Aprimo Marketing Operations UK Ltd.) Operations, Support, R&D USA 
Aprimo Australia Pty Ltd Operations, Support, R&D Australia 
Aprimo Belgium NV Operations, Support, R&D Belgium 
Salesforce, Inc. Information management USA 
Hubspot, Inc. Information Management USA 
PlanHat Information Management Sweden 
Posh Support USA 
Bria Artificial Intelligence, Ltd. Enablement of Artificial Intelligence Features
(Only applicable where customer purchases certain AI products
Israel/USA 
Fastly, Inc. CDN Provider USA