These Planisware Orchestra Terms and Conditions govern Planisware Orchestra SaaS Service Orders and the related Professional Services Statement of Work entered into between Planisware USA, Inc. (“Planisware”) and the Customer listed therein (“You”). Planisware may from time to time update these Terms and Conditions in accordance with our product and services updates. In the event of any change, You will be notified by email and You will have thirty days from such notification to reject such change, after which you will be considered to have accepted the change.

If you subscribe to the Engage training services, such subscription is subject to the Engage Terms and Conditions (https://orchestra-engage.planisware.com/learn/terms-conditions/view;lng=en).

 

1. DEFINITIONS

 

“Agreement” means these Planisware Orchestra Terms and Conditions together with any SaaS Service Order and any related Professional Services Statement of Work entered into between You and Planisware.

“Affiliate” means any entity or person that controls, is controlled by or is under common control with, any of the parties of this Agreement.

“Control” means the possession, directly or indirectly, of at least 50% of the share capital or voting rights or of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by contract or otherwise.

“Customer Data” means any data, information or material of Customer uploaded by Customer to and hosted in the Planisware Orchestra SaaS Service.

“End-User” means an individual authorized to access and use the Planisware Orchestra SaaS Service in compliance with the Agreement.

“End-User Materials” means user and training manuals delivered to you as part of the Services.

“Intellectual Property Rights” means all rights, title, and interest in all copyright rights, patents, trademarks, trade secrets, know-how, and other intellectual property rights.

“Service(s)” means the service(s) described in a SaaS Service Order and any related Professional Services Statement of Work entered into between You and Planisware, including written, audio and visual information, documentation, materials, reports, programs and graphics contained in or made available to You in the course of the Services (excluding however Customer Data contained therein).

 

2. SERVICES

 

2.1. Planisware or its Affiliates shall deliver the Services to You as provided in a signed SaaS Service Order and related Professional Services Statement of Work. Planisware may also subcontract certain Professional Services to subcontractors. For Services provided by Planisware’s Affiliates and subcontractors, Planisware shall remain responsible to You and Planisware shall ensure that its Affiliates and subcontractors are subject to confidentiality terms with respect to Customer Data that are no less stringent than the confidentiality terms set forth herein.

2.2. Planisware shall implement security procedures consistent with current industry standards to protect Customer Data from unauthorized access, such as ISO and SOC standards. Neither Planisware nor its Affiliates shall be held responsible or liable for third parties’ unauthorized access to Customer Data through the exploitation of security gaps, weaknesses, or flaws generally unknown to the industry. You shall be solely responsible for acquiring and maintaining all technology, systems and procedures for maintaining the security of your Internet connections as you connect to the Service and for maintaining the security of End-User passwords and login credentials. Planisware will report to You any security vulnerability or any unauthorized access to Customer Data promptly upon becoming aware of such and will remedy any breach of security that permitted any unauthorized access.

2.3. In processing the personal data of individual End-Users, Planisware shall comply with the terms of the Planisware Data Processing Addendum below which forms part of these Terms and Conditions.

 

3. LICENSES

 

3.1. Subject to the terms and conditions of the Agreement, Planisware grants to You and your Affiliates, exercisable by and through End Users, a limited, nonexclusive, royalty-free, revocable (for breach), non-transferable, and non-sublicensable, right and license to access the Service only for your internal business purposes and for the term and number of End-Users specified in the SaaS Service Order. Deliverables created by Planisware in connection with the performance of a Professional Services Work Order may be used by Customer solely for internal business purposes.

3.2. The Services may provide access to open source software components made available by third parties (“Open-Source Software”). The Open-Source Software is not subject to the terms and conditions of this Agreement. Instead, each item of the Open-Source Software is licensed under its applicable license terms which accompany such Open-Source Software. The terms and conditions of the applicable license for the Open-Source Software are provided with the Service. Nothing in this Agreement limits Customer’s rights under, nor grants Customer rights that supersede the terms and conditions of any applicable license terms for the Open-Source Software. Any fees charged by Planisware in connection with the Services are not in consideration for the licenses granted to the Open-Source Software. Planisware makes no warranty with respect to any Open-Source Software.

3.3. The End-User Materials are provided solely to support your authorized use of the Service under this Agreement. You may copy and distribute the End-User Materials to End-Users but only in support of their authorized use of the Service, provided You reproduce and include Planisware’s copyright notice and proprietary legend on each such copy. This license specifically prohibits distribution – in any format – of the End-User Materials to persons outside of your company. You may not post or upload the End-User Materials to any publicly accessible websites, virtual cloud storage areas or the like.

3.4. You shall not, and shall not permit End-Users or any other person to:

a) attempt to gain unauthorized access to the Services, including by impersonating an End-User, using an End User’s log-in credentials without authorization, bypassing or breaching any security device or other means of protection of the Services or accessing or using the Services other than by an End-User using their assigned user name and log-in;

b) license, sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Service, including via time-sharing, service bureau;

c) modify or make derivative works based upon the Service (for clarification, you are allowed to make derivative works of Customer Data obtained via the Services);

d) create Internet "links", “frames” or “mirroring” to or of the Service (for clarification, you are allowed to make screen captures of the Service, project the Service via a videoconference or share reports generated via the Services for your internal business purposes);

e) reverse engineer, disassemble, decompile, decode, adapt or access the Services to (i) build a competitive product or service, or (ii) build a product using similar features, functions, user interface or graphics of the Services;

f) access or use the Services beyond the scope of the license granted by the Agreement;

g) use the Services to send spam or otherwise duplicative or unsolicited messages;

h) send or store via the Services infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or violative of third party privacy rights;

i) send or store via the Services material containing software viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs;

j) knowingly interfere with or disrupt the integrity or performance of the Services.

You are responsible for ensuring that your employees and End-Users adhere to the restrictions set forth above.

3.5. You shall notify Planisware immediately of any unauthorized use of any End-User login credentials or any other known or suspected breach of security concerning the Service. You shall immediately report to Planisware any unauthorized access to, use, copying, or distribution of the Services that You become aware of, or reasonably suspect, and you shall promptly take measures to prevent the furtherance of any such activity.

3.6. Prior to accessing the Services for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes, you shall notify Planisware and we will agree on a testing methodology so as not to disrupt the operation of the Service.

3.7. You grant to Planisware and its Affiliates, a nonexclusive, royalty-free, irrevocable, non-transferable, and non-sublicensable, right and license to use any suggestions, ideas, enhancement requests, feedback, recommendations, specifications or other information provided by You or any of your employees and End-Users relating to the Service and End-User Materials.

 

4. COMPLIANCE WITH LAWS

 

Each party shall, and shall ensure that their respective employees, contractors, End Users, and Affiliates comply with all applicable laws and regulations in providing or using the Services, including laws with respect to the protection of personal data, export controls, and transmission of information. You are fully, solely, and exclusively responsible for the lawfulness and appropriateness of Customer Data uploaded by End-Users to the Service and the adequacy of intellectual property and other third party rights for use and distribution of Customer Data via the Services.

 

5. OWNERSHIP RIGHTS

 

5.1. Planisware and its licensors are the exclusive and sole owner of all Intellectual Property Rights in and to the Services, and any modification or configuration of the Services, End-User Materials, and other deliverables provided in the performance of professional services (such as the format, user interface and graphics of reports, programs, and other materials, but excluding any Customer Data included therein). Planisware will also own all data derived from your use of the Services and may use and disclose such data (i) to provide the Services, (ii) as aggregate Services statistics, which will not identify You or your End-Users, and (iii) to improve the Service or to develop future services.

5.2. You and your licensors are the exclusive and sole owners of all Intellectual Property Rights in and to the Customer Data.

 

6. FEES

 

6.1. In consideration for the Services, You agree to pay the fees set forth in the SaaS Service Order(s) and any related Professional Services Work Order, as well as any travel expenses as applicable under a Professional Services Work Order. SaaS subscription fees for all End-User access rights as provided in the SaaS Service Order must be paid in full upon the start of the subscription and are not cancellable or refundable (subject to Section 7.3), whether or not such End-User access rights are actively used. Unless otherwise specified in the SaaS Service Order(s) and any related Professional Services Work Order, all invoiced amounts are due and payable within thirty (30) days of your receipt of the invoice.

6.2. If any Fees are not paid when due, Planisware may, within 30 days of sending a delinquency notice, at its option: (i) charge interest at a rate of 1.5% per month or, if less, the highest rate allowed by applicable law, and charge all expenses incurred by Planisware in its collection efforts, (ii) terminate this Agreement for material breach as provided in Section 7 below; and/or (iii) suspend your access to the Services until payment is made in full, subject to, at Planisware’s discretion, your payment of a reactivation fee.

6.3. All fees payable under the Agreement do not include taxes. If Planisware is required to pay sales, use, property, value-added, or taxes based on licenses granted or Services performed, or on your use of the Service, then You shall be responsible for the payment, in full, of such taxes and Planisware shall bill You accordingly.

 

7. TERM AND TERMINATION

 

7.1. This Agreement shall be in effect (i) during any initial or renewal Subscription Term as provided in a SaaS Service Order, and (ii) until all Services have been performed under a Professional Services Work Order, unless the parties have terminated such Professional Services Work Order in accordance with its terms.

7.2. Any SaaS Service Order may be terminated by either party upon a material breach by the other party of the terms of this Agreement, which breach has not been cured within thirty (30) days after the breaching party has received written notice of such alleged breach.

7.3. Notwithstanding Section 6 of this Agreement, in the event a SaaS Service Order is terminated by You due to an uncured material breach of Planisware, you shall be entitled to a prorated refund of unused monthly fees. Such refund shall be paid within 30 days of the date of termination.

7.4. In the event this Agreement is terminated for any reason other than an uncured material breach by Planisware, You will owe Planisware all outstanding Fees concerning the Service for the remainder of the Term identified in any outstanding SaaS Service Order. Upon termination, all Fees under a Professional Services Work Order for services performed up until the date of such termination shall become immediately due and payable in full. Any Fees or Professional Services Fees not paid when due become subject to the late payment provision described in Section 6.1, above.

7.5. Sections 5, 8 through 11, and any payment obligation under this Agreement shall survive termination of this Agreement and remain in full force and effect.

 

8. CONFIDENTIALITY

 

8.1. “Confidential Information” means all nonpublic information disclosed between the parties, directly or indirectly, orally, electronically, visually or in a document or other tangible form, which is designated as “Confidential,” “Proprietary,” or some similar designation, or, which, by its nature, should reasonably be deemed confidential by the recipient. Customer Data shall be deemed your Confidential Information. Fees and payment terms under this Agreement are confidential information of Planisware. Future or contemplated services and products of Planisware shall be Confidential Information of Planisware. Notwithstanding the foregoing, information shall not be Confidential Information to the extent that it (a) is already known to the recipient and not subject to any confidentiality restrictions at the time it is obtained, (b) is or becomes publicly known through no fault of the recipient, (c) is rightfully received by the recipient from a third party with the legal right to disclose the information and without restrictions on further disclosure, (d) is required to be released by the recipient in compliance with a court order or other directive of law, or (e) is independently developed by the recipient. Each party will take reasonable measures to protect the secrecy of and avoid disclosure and unauthorized use of the other party’s Confidential Information. Without limiting the foregoing, each party will take at least those measures that it takes to protect its own most highly confidential information. Neither party will make any copies of the other party’s Confidential Information unless approved in writing by the other party.

8.2. Each Party will reproduce the other Party’s proprietary rights notices on any approved copies. Each party will not disclose the other party’s Confidential Information to third parties, except to their respective employees, contractors, attorneys, accountants and auditors, on a need to know basis, and if required by law so long as the recipient gives the disclosing party prompt written notice of the requirement prior to the disclosure and assistance in obtaining an order protecting the information from public disclosure.

8.3. Any use or disclosure of Confidential Information, including disclosure of any Confidential Information in violation of the terms of this Agreement may cause loss and/or damage to the disclosing party for which an adequate remedy at law may not exist, and the disclosing party may seek temporary or permanent injunctive relief from a court of competent jurisdiction for such violation.

 

9. LIMITED WARRANTY

 

9.1. Planisware represents, warrants and covenants to You that (i) Planisware will perform the Services using personnel of required skill, experience and qualifications and in a professional and workmanlike manner in accordance with generally recognized industry standards for similar services, and (ii) Planisware will devote adequate resources to meet its obligations under this Agreement.

9.2. EXCEPT FOR THE WARRANTY IN THIS SECTION, THE SERVICES ARE PROVIDED “AS IS”. NEITHER PLANISWARE NOR ITS AFFILIATES MAKE ANY OTHER WARRANTIES, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT, THOSE ARISING FROM A COURSE OF DEALING OR USAGE OR TRADE, AND ALL SUCH WARRANTIES ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW. FURTHER, PLANISWARE DOES NOT WARRANT THE SERVICES WILL BE ERROR-FREE OR THAT THE USE OF THE SAAS SERVICE WILL BE UNINTERRUPTED. ALL SERVICES ARE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. NEITHER PLANISWARE NOR ITS AFFILIATES ARE RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGE THAT MAY RESULT FROM SUCH LIMITATIONS AND PROBLEMS.

9.3. FURTHER, PLANISWARE DOES NOT WARRANT NOR PROMISE THAT THE PROFESSIONAL SERVICES, INCLUDING ANY CONSULTING AND/OR CONFIGURATION SERVICES WILL BE ERROR FREE. PLANISWARE DOES NOT INDEMNIFY YOU IN ANY MANNER FOR ANY DAMAGES, LOSSES OR THIRD-PARTY CLAIMS, INCLUDING INTELLECTUAL PROPERTY CLAIMS, IN RELATION TO THE PROFESSIONAL SERVICES.

 

10. INDEMNITY

 

10.1. Planisware will defend and hold you and your Affiliates harmless from any third party claim that the Services infringe any US patent, copyright, trademark, trade secret or any other third party intellectual property rights. You will defend and hold harmless Planisware and its Affiliates from any third party claim that the Customer Data infringe any US patent, copyright, trademark, trade secret or any other third party intellectual property rights.

10.2. Notwithstanding the foregoing, Planisware has no duties and no obligation to indemnify You to the extent that a third-party claim is based on 1) the combination, operation, or use of the Service with any hardware, system, software, network or other materials or service not provided by Planisware or 2) the modification of the Services done by You or any other third-party without Planisware’s prior written approval or 3) your End-Users using the Services in breach of this Agreement. To the extent that any claim is based on the exclusions in 1) through 3) above, You agree to defend and hold Planisware harmless against any such claim and fully indemnify Planisware against all related damages and losses.

10.3. If an infringement claim concerns the Services, Planisware may, at its option, (a) secure for You the right to continue to use the Services, (b) modify or replace the Services so they are non-infringing, or, (c) if Planisware determines that neither of the foregoing options is feasible, terminate this Agreement, in which case Planisware shall refund to You any and all subscription fees that You paid in advance for the Service and provide, at your request and free of charge, the Customer Data in a database format. This section states your sole and entire remedy with respect to any claim of infringement regarding the Services.

10.4. The above indemnification obligations of the parties are subject to (i) the indemnifying party notifying the indemnified party in writing of the alleged infringement claim immediately upon receipt of such claim; (ii) the indemnified party fully cooperating with the indemnifying party by providing all documents and information reasonably required to defend the claim; and (iii) the indemnifying party having control over the defense and settlement of the claim, provided that the settlement of a claim regarding Customer Data shall be subject to your written approval, which shall not be unreasonably withheld, and the settlement of a claim regarding the Services shall be subject to Planisware’s written approval, which shall not be unreasonably withheld.

 

11. LIMITATION OF LIABILITY

 

11.1. IN NO EVENT SHALL EITHER PARTY’S TOTAL AGGREGATE LIABILITY IN CONNECTION WITH USING OR PROVIDING THE SERVICES EXCEED THE AMOUNTS PAID BY AND/OR DUE UNDER THE APPLICABLE SAAS ORDER FORM OR PROFESSIONAL SERVICES STATEMENT OF WORK RELATING TO THE CLAIM FOR THE LAST 12 MONTHS PRECEDING THE CLAIM.

11.2. IN NO EVENT SHALL EITHER PARTY, OR THEIR RESPECTIVE AFFILIATES BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, INDIRECT, PUNITIVE OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION LOST PROFITS, LOSS OF USE, BUSINESS INTERRUPTIONS, LOSS OF DATA, REVENUE, GOODWILL, PRODUCTION, ANTICIPATED SAVINGS, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, IN CONNECTION WITH OR ARISING OUT OF THE PERFORMANCE OF OR FAILURE TO PERFORM THIS AGREEMENT, WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

11.3. THE FOREGOING LIMITATION OF LIABILITY AND EXCLUSION OF CERTAIN DAMAGES SHALL APPLY REGARDLESS OF THE SUCCESS OR EFFECTIVENESS OF OTHER REMEDIES. EACH PARTY ACKNOWLEDGES THAT THE LIMITATIONS OF LIABILITY SET FORTH IN THIS SECTION REFLECT THE ALLOCATION OF RISK BETWEEN THE PARTIES UNDER THIS AGREEMENT, AND THAT IN THE ABSENCE OF SUCH LIMITATIONS OF LIABILITY, THE ECONOMIC TERMS OF THIS AGREEMENT WOULD BE SIGNIFICANTLY DIFFERENT.

 

12. MISCELLANEOUS

 

12.1. Notices. All notices or other communications required to be given under this Agreement shall be in writing and delivered either personally, by electronic mail, or by U.S. mail, certified, return receipt requested, postage prepaid, addressed to the contact person as set forth in the SaaS Purchase Order or as subsequently reasonably requested by the receiving party. Notices delivered personally or by electronic mail shall be effective upon delivery, and notices delivered by mail shall be deemed received three (3) business days after deposit in the mail.

12.2. Assignment. Neither party may assign this Agreement, in whole or in part, without the prior written consent of the other party, provided that no such consent will be required to assign this Agreement in its entirety to (i) an Affiliate that is able to satisfy the obligations of the assignor under this Agreement or (ii) a successor in interest in connection with a merger, acquisition or sale of all or substantially all of the assigning party’s assets, provided that the assignee has agreed to be bound by all of the terms of this Agreement.

12.3. Governing Law. This Agreement shall be governed by and construed and enforced in accordance with the laws of the State of California as it applies to a contract made and performed in such state. Venue shall be in the County of San Francisco, California.

12.4. Entire Agreement; Modifications and Waivers. This Agreement constitutes the full and entire understanding and agreement between the Parties with regard to the subjects hereof. No term of this Agreement may be modified except by a writing signed by authorized representatives of both parties. It is agreed that no use of trade or other regular practice or method of dealing between the parties hereto shall be used to modify, interpret, supplement, or alter in any manner the terms of this Agreement.

12.5. Severability. In the event that any provision of this Agreement is found invalid or unenforceable pursuant to judicial decree or decision, the remainder of this Agreement shall remain valid and enforceable according to its terms.

12.6. Force Majeure. Neither party shall be responsible for any failure to perform due to unforeseen circumstances or to causes beyond the parties’ reasonable control, including but not limited to acts of God, invasion, war, riot or other civil unrest, embargoes or blockades, acts of civil or military authorities, fire, floods, earthquake or explosion, accidents, strikes, labor stoppages or slowdowns or other industrial disturbances or shortages of transportation, facilities, fuel, energy, labor, or materials; passage of law or any action taken by a governmental or public authority, including imposing an embargo, export or import restriction, quota or other restriction or prohibition or any complete or partial government shutdown, or national or regional shortage of adequate power or telecommunications or transportation. In the event of any such delay, either party may defer any delivery dates for a period equal to the time of such delay. Notwithstanding the foregoing, if either party is in default under this Section for more than forty-five (45) days, the non-defaulting party may terminate this Agreement.

12.7. Arbitration. Any controversy or claim arising out of or relating to this Agreement, or the breach thereof shall be settled by binding arbitration in California, administered by the American Arbitration Association in accordance with its then current Commercial Arbitration Rules, and judgment on the award rendered by the arbitrator may be entered in any court having jurisdiction thereof. The arbitrator may award monetary damages, punitive damages, injunctive relief, rescission, restitution, costs and attorneys’ fees. The arbitration award shall be final and binding regardless of whether one of the parties fails or refuses to participate in the arbitration. The arbitrator shall not have the power to amend this Agreement in any respect. Notwithstanding the foregoing, the parties agree that this Section does not apply to the breach of provisions pertaining to proprietary rights, and that either party may petition a court of law for injunctive relief and such other rights and remedies as it may have at law or equity against such breaches.

12.8. Attorneys’ Fees. In the event of any dispute with respect to this Agreement, the prevailing party shall be entitled to reasonable attorneys’ fees and other costs and expenses incurred in resolving such dispute.

PLANISWARE ORCHESTRA DATA PROCESSING ADDENDUM

 

This Data Processing Addendum (“DPA”) forms part of the Orchestra Services Terms and Conditions agreed between Planisware and the Orchestra Customer in an Orchestra SaaS Service Order (the “Agreement”) and applies to any additional services for which Planisware processes personal data of Customer. The purpose of the DPA is to reflect the parties’ agreement about the processing of personal data, in accordance with the requirements of applicable data protection laws and regulations.

 

1. DEFINITIONS

 

Unless otherwise defined in this DPA, capitalized terms shall have the meaning set forth in the Agreement.

“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data. Data Controller shall also reference the “business” as defined in the CCPA. For purposes of this DPA, Customer is the Data Controller.

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. Data Processor shall also reference the “service provider” as defined in the CCPA. For purposes of this DPA, Planisware is the Data Processor.

“Data Protection Laws and Regulations” means all mandatory laws and regulations that may be applicable to the Processing of Personal Data under the Agreement, including:
- Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR)
- Version of the GDPR signed into law by the government of the United Kingdom (UK GDPR)
- Swiss Federal Act on Data protection 1992 (FADP)
- Brazilian Lei Geral de Proteção de Dados Pessoais, Federal Law no. 13,709/2018 (LGPD)
- Argentinian Law 25,326 - the Personal Data Protection Law (PDPL) and Decree 1558 of 2001 includes regulations issued under the PDPL
- California Consumer Protection Act (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- the Utah Consumer Privacy Act (“UCPA”)
- the Connecticut Data Privacy Act (“CTDPA”)
- Any other regional, national, provincial or state privacy and data protection laws, rules, and regulations in effect on or after the effective date of this DPA
- any other U.S. federal, state, or local privacy and data protection laws, rules, and regulations in effect on or after the effective date of this DPA

“Data Subject” means an individual who is subject to Data Protection Laws and Regulations and to whom Personal Data relates.

“Personal Data” means data about a specific natural person transmitted to or collected by Planisware as part of Planisware’s services to Customer under the Agreement from which that person is identified or identifiable, as defined in Data Protection Laws and Regulations.

“Planisware Binding Corporate Rules” means the binding corporate rules adopted by Planisware and its Affiliates, available via the Planisware customer portal at https://portal.planisware.com/portal/planisware-bindingcorporate-rules-bcrs. Affiliates of Planisware are listed in Schedule 1 of the Planisware Binding Corporate Rules.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, retrieval, consultation, use, disclosure by transmission, blocking, or deletion.

“Security Measures” means the security measures described in the Schedule below.

“Security Incident” means an unauthorized disclosure of or access to Personal Data or an accidental or unlawful destruction, loss or alteration of Personal Data.  

“Services” means the SaaS, hosting, support and/or professional services provided by Planisware to Customer under the Agreement.

“Standard Contractual Clauses” means, as applicable:
- For the EEA and Switzerland, the Standard Contractual Clauses for international transfers Module 2 as adopted by the EU Commission Implementing Decision on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 dated June 4 2021, published at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en (“EU SCCS”);
- For the United Kingdom, the EU SCCS supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0 in force as of 21 March 2022 issued by Commissioner under S119A(1) Data Protection Act 2018 published at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”);
- For Argentina, the Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios published at http://www.jus.gob.ar/media/3202473/disp_e2016_60_anexoii.pdf (“Argentina SCCs”);
- Any other model clauses as required and approved by the data protection authority of any additional country of residence of Data Subjects for the transfer of personal data from such countries to the countries of processing of such Data Subjects’ Personal Data.

“Sub-processor” means any third party, including Planisware Affiliates, engaged by Planisware for the Processing of Personal Data.

 

2. PROCESSING OF PERSONAL DATA

2.1 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, comply with Data Protection Laws and Regulations to the extent they are applicable. For the avoidance of doubt, Customer’s instructions to Planisware for the Processing of Personal Data must comply with applicable Data Protection Laws and Regulations. In addition, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including providing any required notices to, and obtaining any necessary consent from Data Subjects. 

2.2 Planisware’s Processing of Personal Data. Planisware will process and use Personal Data on behalf of and only in accordance with instructions (including via email) of Customer, and to the extent required by law. Customer hereby acknowledges that by virtue of using the Services it gives Planisware instructions to process and use Personal Data in order to provide the Services in accordance with the Agreement and as further described in the Schedule below. Planisware will comply with all applicable Data Protection Laws and Regulations in processing Personal Data.

2.3 Data Protection Impact Assessment. Upon Customer’s request, Planisware shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Planisware. Planisware shall provide reasonable assistance to Customer in the event of a prior consultation with or required response to enquiries from any competent data protection authority.

2.4 Processing of Personal Information of California Data Subjects. Without limiting the foregoing, Planisware will process Personal Data only for business purposes and operational purposes applicable to the Customer’s instructions that are permissible under the CCPA for a service provider (the “Qualified Business Purposes”) and not for Planisware’s own purposes. Planisware shall not use or process any Personal Data outside of the scope of the Services or its relationship with Customer. Planisware will not contact individual Data Subjects for direct marketing purposes nor sell any Personal Data, as selling is defined in the CCPA. Planisware will not combine Personal Data received from Customer with the personal data it receives from other sources. In the event of any material update in Planisware’s processing of Personal Data, Planisware will immediately notify the Customer of such updates. Planisware certifies that it understands and will comply with the foregoing restrictions.

2.5 Customer Instructions. Planisware will notify Customer about (i) any instruction which, in its opinion, infringes applicable law; (ii) any circumstance where its obligations under Privacy Laws and regulations and this DPA cannot be met and, at such notice, allow Customer to suspend and remedy any unauthorized use of Personal Data; and (iii) any change in legislation applicable to Planisware or a Sub-processor which is likely to have a substantial adverse effect on the warranties and obligations in this DPA.

2.6 Deletion of Personal Data. Within thirty (30) days of the termination of the Agreement or as otherwise instructed in writing by Customer, Planisware will delete all Personal Data Processed according to this DPA or anonymize End-User data so as to remove any Personal Data and request corresponding deletion/anonymization from its Sub-processors, provided that Planisware may retain data necessary to evidence compliance with applicable legal and regulatory requirements and recordkeeping.

 

3. RIGHTS OF DATA SUBJECTS

3.1 Data Subject Rights. Customer is solely responsible for informing Data Subjects about the Processing of their Personal Data in accordance with Data Protection Laws and Regulations and for managing their requests to exercise their rights under Data Protection Laws and Regulations. Planisware shall, unless prohibited by law, notify Customer in a timely manner if it receives a request from a Data Subject for access to, correction, amendment or deletion of such Data Subject’s Personal Data. Planisware shall reasonably cooperate with Customer to provide all Data Subjects with the ability to effectively exercise any right to access and correct Personal Data. Planisware shall not respond to any such Data Subject request without being instructed by Customer in writing (including email) except to confirm to the Data Subject that the request relates to Customer.

3.2 Complaints or Notices related to Personal Data. In the event Planisware receives any official complaint, notice, or communication that relates to Planisware's processing of Personal Data or either party's compliance with Data Protection Laws and Regulations in connection with Personal Data, unless prohibited by law, Planisware shall promptly notify Customer and Planisware shall provide Customer with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication. Customer shall be responsible for any substantial out of pocket costs arising from Planisware’s provision of such assistance.

3.3 No provision in this DPA or the Services Agreement shall be construed to limit any rights of any Data Subject under any Privacy Laws and Regulations. 

3.4 Planisware represents, warrants, and covenants to Customer that it has not been, and that it is not likely to be, subject to a request for disclosure of Personal Data or the direct access to Personal Data by a law enforcement authority or state security body of a country or state that is massive, disproportionate, or indiscriminate (“Government Request”). In the event Planisware receives or becomes aware of any Government Request, Planisware will notify Customer in a timely manner to the extent permitted by applicable law. Where Planisware notifies Customer, the Parties shall discuss in good faith the additional measures and whether to notify the appropriate supervisory authority and/or suspend further transfers of Personal Data. In the event Planisware incurs any material cost in exercising recourses against a Government Request, including reasonable legal fees, such costs shall be borne and reimbursed by Customer on presentation of justifying documentation.

 

4. PLANISWARE PERSONNEL

 

4.1 Confidentiality. Planisware shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Planisware shall ensure that such confidentiality obligations survive the termination of the personnel engagement. 

4.2 Limitation of Access. Planisware shall ensure that access to Personal Data is limited to those personnel who require such access to perform Services.

4.3 Data Protection Officer. Planisware has appointed a data protection officer if and whereby such appointment is required by Data Protection Laws and Regulations. Any such appointed person may be reached at dpo@planisware.com.

 

5. SUB-PROCESSORS

5.1 Appointment of Sub-processors. Customer hereby acknowledges and expressly agrees that (i) Planisware is entitled to retain its Affiliates as Sub-processors, and (ii) Planisware or any such Affiliate may respectively engage any third parties to process Customer Data on Planisware’s behalf in connection with the provision of Services. Planisware will only disclose Personal Data to Sub-processors that are parties to written agreements with Planisware including obligations no less protective than the obligations of this DPA. Planisware shall ensure that access to Personal Data is limited to those Sub-processors who require such access to perform their services to Planisware for the provision of the Services to Customer. Planisware will, following the Customer's written request, provide to the Customer the names of its Sub-processors processing the Personal Data and the countries outside of the European Economic Area in which such data is or may be processed, provided that such request will not be made more than once in each calendar year. The list of Sub-processors at the date of the DPA is set out in the Schedule below.

5.2 Objection Right for new Sub-processors. Planisware shall notify Customer prior to appointing any new Sub-processor. If Customer is legally prohibited from consenting to Planisware’s use of a new Sub-processor, then Customer will notify Planisware of such prohibition in writing within 10 business days after receipt of Planisware’s notice. Planisware will use reasonable efforts to (i) make available to Customer a change in the affected Services, (ii) recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by said new Sub-processor, or (iii) work with the Sub-processor to ensure that any sub-processing is performed in a manner reasonably satisfactory to Customer. If the parties are not able to find a suitable solution within a reasonable period of time, which shall not exceed 60 days, then Customer may terminate any applicable Agreement in respect only to those Services that cannot be provided by Planisware without the use of the objected-to new Sub-processor, by providing written notice to Planisware.

5.3 Liability. Planisware shall be liable for the acts and omissions of its Sub-processors to the same extent Planisware would be liable if performing the services of each Sub-processor directly under the terms of this DPA, subject to any limitations set forth in the Agreement.

 

6. SECURITY; AUDIT RIGHTS

 

6.1 Controls for the Protection of Personal Data. Planisware will maintain appropriate technical and organizational measures, as described in the Security Measures, against Security Incidents. Planisware shall provide upon request by Customer all information necessary to demonstrate compliance with Data Protection Laws and Regulations and this DPA.

6.2 Audit Rights. Planisware shall respond within a reasonable period of time to any specific written questions submitted to it by Customer regarding Planisware’s data security technical and organizational measures. Planisware will allow Customer to perform an on-site audit of Planisware for verification of compliance with the technical and organizational measures set forth in the Security Measures in the following circumstances: (i) following the notification of Customer by Planisware of a Security Incident, (ii) Customer reasonably believes that Planisware is not in compliance with its security commitments under this DPA (and in such case Customer’s audit rights may not be exercised more than once per calendar year), or (iii) such audit is required under Data Protection Laws and Regulations (such as annual inspection rights of Customer under CPRA) or required by instruction of a competent data protection authority. Any such audit must be conducted in accordance with the procedures set forth in Section 6.3.

6.3 Audit Process. Customer must provide at least 3 weeks’ prior written notice to Planisware of a request to audit. The scope of any audit shall be limited to Planisware’s policies, procedures and controls relevant to the protection of Personal Data as set forth in the Security Measures. All audits will be conducted via exchange of documents. Upon receipt of a written request to audit, and subject to Customer’s agreement, Planisware may satisfy such audit request by providing Customer with a confidential copy of an independent auditor’s report produced by Planisware that enables Customer to verify Planisware’s compliance with the technical and organizational measures set forth in the Security Measures. An audit will be conducted at Customer’s sole cost and by a mutually agreed upon third party contractor who is engaged and paid by Customer, and is under a nondisclosure agreement containing confidentiality provisions obligating it to maintain the confidentiality of all audit findings as well as Planisware’s Confidential Information. Before the commencement of any such audit, Planisware and Customer shall mutually agree upon the timing, duration of the audit as well as audit methodology, and executive summary information. For the avoidance of doubt, no Personal Data will be shared or disclosed by Planisware in the course of any audit. Customer shall, at no charge, provide to Planisware a full copy of all findings of the audit. In the event where, after review of documentation provided by Planisware in response to an audit request, Customer reasonably believes that Planisware is not in compliance with its Security Measures, then Customer can request an on-site audit, with at least 3 weeks’ prior written notice. Planisware will provide Planisware’s then-current professional services rates and estimate of time spent by Planisware staff for responding to and cooperating with auditors. Customer shall be responsible for such costs.
Planisware will cooperate with the audit, including providing auditors access to Planisware security information or materials.

6.4 Notice of Failure to Comply. After conducting an audit under this Section 6 or after receiving an audit report from Planisware, Customer must notify Planisware of the specific manner, if any, in which Planisware does not comply with any of the security, confidentiality, or data protection obligations in this DPA or Data Protection Laws and Regulations, if applicable. Any such information will be deemed Confidential Information of Planisware. Upon such notice, Planisware will use commercially reasonable efforts to make any necessary changes to ensure compliance with such obligations.

 

7. SECURITY BREACH MANAGEMENT AND NOTIFICATION

 

If Planisware has determined that a Security Incident has occurred affecting Personal Data of Customer, Planisware will (i) immediately take actions as may be necessary to minimize the disclosure, loss, or breach and the effect of the Security Incident; (ii) take measures to determine the scope of the disclosure, loss, or breach with respect to the Customer Personal Data; (iii) notify Customer not later than twenty-four (24) hours after confirming that Customer Personal Data was impacted; (iv) restore or enhance the security of the Customer Personal Data to avoid further Security Incident; (v) conduct a post-Security Incident review to determine if any changes are necessary to its information security policies and procedures; and (vi) assist and support Customer in the event of an investigation by a data protection regulator or similar authority. Planisware will further fully cooperate with Customer to provide assistance to mitigate the effects of the Security Incident and to comply with any notification provisions to affected Data Subjects, regulatory authorities or third parties as required by Data Protection Laws and Regulations.

 

8. ADDITIONAL TERMS FOR CERTAIN JURISDICTIONS AND TRANSFER OF PERSONAL DATA 

 

8.1 Any Processing of Personal Data originating from within the European Economic Area (the “EEA”) by Planisware and its Affiliates as Data Processors or Sub-Processors to Customer in countries which do not ensure an adequate level of data protection as determined by the European Commission shall be on the basis of the Planisware Binding Corporate Rules. Planisware undertakes to process Personal Data on behalf of Customer in accordance with the Planisware Binding Corporate Rules and shall notify Customer in a timely manner in the event of a material change to the Planisware Binding Corporate Rules that would impact the processing of Personal Data as described in Appendix 1, in order to give Customer the possibility to object to such change. Where Planisware Binding Corporate Rules are not applicable, all transfers of Personal Data originating from within the EEA, restricting the export of Personal Data to countries which do not ensure an adequate level of data protection (as determined for the EEA by the European Commission’s decision of 4 June 2021) are on the basis of and subject to the Standard Contractual Clauses.

8.2 When Planisware receives Personal Data from End-Users located in any other country restricting the export of Personal Data to countries which do not ensure an adequate level of data protection such as Switzerland, the United Kingdom or Argentina, all transfers of Personal Data originating from within such countries are on the basis of and subject to the Standard Contractual Clauses.

8.3 For the purpose of the Standard Contractual Clauses, this DPA and the Agreement are the complete and final instructions of Customer (“data exporter”) to Planisware (“data importer”) for the Processing of Personal Data. In the event of inconsistencies between the provisions of the Standard Contractual Clauses and this DPA or other agreements between the Parties, the Standard Contractual Clauses shall take precedence. The terms of this DPA shall not vary the Standard Contractual Clauses in any way. The Standard Contractual Clauses may be amended or terminated only as specifically described in the Standard Contractual Clauses.

8.4 For the purposes of the EU SCCs as applicable for transfers from the EEA and Switzerland: (a) the Optional Clause 7 (Docking Clause) shall be considered included in the Standard Contractual Clauses; (b) in Clause 9 (Use of Subprocessors), Option 1 (specific prior authorization) shall be applicable; (c) in Clause 11 (Redress) the optional language (data subject right to lodge a complaint) shall be considered excluded; (d) in Clause 17 (Governing law), Option 1 shall be applicable, and the parties designate French Law; (e) in Clause 18 (Forum and Jurisdiction) the parties designate the courts of France; (f) the information to be provided in Section B of Annex I of the SCCs is as set forth in Appendix 1 of this DPA.

8.5 For the purposes of the EU SCCs as applicable for transfers from Switzerland: (a) any references to the GDPR shall refer to the FADP; (b) all references in the 2021 SCCs to “EU,” “Union” or “Member State” will be interpreted as references to Switzerland; (c) for the purpose of Clause 17 of the 2021 SCCs, the 2021 SCCs will be governed by the law of Switzerland for transfer of Personal Information subject to the data protection laws of Switzerland; (d) for the purposes of Clause 18 of the 2021 SCCs, any dispute from the 2021 SCCs will be resolved by the courts of Switzerland.

8.6 For the purposes of the UK Addendum as applicable for transfers from the United Kingdom: (a) the parties in Table 1 are Customer as Data Exporter and Planisware as Data Importer; (b) Table 2 is completed with the information in Appendix 1 of this DPA; (c) Table 3 is completed with the information in Appendix 1 of this DPA; (d) Table 4 is updated to indicate that both Importer and Exporter may end this DPA.

8.7 For the purposes of the Argentina SCCs as applicable for transfers from Argentina: (a) the parties in the preamble are Customer as Data Exporter and Planisware as Data Importer (b) the information to be provided in Annex A is as set forth in Appendix 1 of this DPA. (c) The following terms will be understood to be defined as follows:

(i) “Personal Data”, “special Categories of Data”, “Processing of Data”, “Controller”, “Processor”, “Data Owner” and “Supervisory Authority” shall have the same meaning as defined in Law No. 25,326 of the Argentine Data Protection Act and its amendments and regulations.

(ii) “Competent Authority” is the Argentine Agency for Access to Public Information (AAAPI).

(iii) “The Data Importer”, is the service provider within the meaning of Section 25 of the Argentine Data Protection Act, Law 25,326 located outside the Argentine Jurisdiction that receives personal data from the data exporter for processing in accordance with the present terms.

(iv) “The Applicable Data Protection Law” shall mean the Argentine Data Protection Act, Law No. 25,326 and its amendments.

(v) “Governing Law”, the clauses of the Special Jurisdiction section shall be governed by the Argentine Data Protection Act, Law No. 25,326 and its amendments in the rights and obligations applicable to this contract.

(vi) “Jurisdiction” shall be the administrative jurisdiction of the AAAPI.

8.8 In the event that any of the Standard Contractual Clauses are amended, replaced or repealed, the parties shall work together in good faith to enter into any updated version of the Standard Contractual Clauses or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Data Protection Laws.

8.9 Customer shall inform Planisware prior to granting access to the Service to any individual located in China. If access to the Service is granted to any individual located in China, Customer represents and warrants to Planisware that Customer has all rights and authorizations necessary to export personal data of Data Subjects located in China to the United States and that Planisware’s hosting of such data in its US data centers is not a violation of the Chinese Personal Information Protection Law (PIPL).

8.10 Customer shall inform Planisware prior to granting access to the Service to any individual located in Russia. If access to the Service is granted to any individual located in Russia, Customer acknowledges that all personal data collected with respect to Data Subjects located in Russia will be hosted and stored only in data centers located in the United States and Customer shall be solely responsible for hosting Personal Data in Russia as may be required under any applicable Russian data privacy and localization laws.

 

9. NEW PRIVACY LAWS AND REGULATIONS

 

It is understood and agreed that various jurisdictions where Data Subjects are located are considering the promulgation of new data protection and privacy laws and regulations similar to the Data Protection Laws and Regulations, including without limitation amendments to any existing privacy and data protection laws and regulations (all of the foregoing, “New Privacy Laws”). The parties agree that they will comply with such New Privacy Laws and will implement such policies and commitments as required for compliance with such New Privacy Laws, including without limitation, work together in good faith to agree upon and to amend this DPA as may be required by applicable New Privacy Laws. If the parties cannot reach agreement on how to address New Privacy Laws, Planisware may terminate the Agreement, subject to a transition period designated by Planisware during which Planisware will continue to provide the Services and assist in transitioning the Services to a new provider, and Customer shall be responsible for fees and costs on a pro rata basis through the post-transition termination date.

 

10. LEGAL EFFECT; TERMINATION

 

This DPA shall only become legally binding between Customer and Planisware when fully executed and will terminate when the Agreement terminates, without further action required by either party.

 

11. CONFLICT

 

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA will prevail.

DPA SCHEDULE

SUBJECT MATTER AND DATA PROCESSING DETAILS

PARTIES TO THE DATA TRANSFER(S)

DATA CONTROLLER/EXPORTER is the Customer of Planisware’s Services pursuant to the Agreement.

DATA PROCESSOR/IMPORTER Planisware USA, Inc. offers SaaS and hosted software solutions, enabling project prioritization, portfolio balancing, and capacity planning.

SUB-PROCESSORS

Ad hoc and incidental processing in connection with support or professional services during the term of the Agreement and during a post Agreement service transition period as agreed between Planisware and Customer.

The Sub-processors are the following:

Planisware S.A.S - 200 av. de Paris, 92320 Châtillon

Planisware Deutschland GmbH - 52-58 Leonrodstrasse, 80636 München, Germany

Planisware UK Ltd. - 4th Floor, White Tower, Arrive - MediaCityUK, Manchester M50 2NT, Great Britain

IFT PLANISWARE K.K. - 1-5-15 Hirakawa-Cho, Chiyoda-Ku - Tokyo 102-0093 Japan

Planisware Singapore Pte Ltd. - 16 Raffles Quay #38-03, Hong Leong Building Singapore 048581

PLW Tunisia SUARL - 53 bis avenue de la Livre, 1053 Tunis, Tunisia

Docebo S.p.A. - Via Parco 47 - 20853 Biassono (MB) - ITALY. Hosting of Engage platform. Docebo Sub-processor list: https://tos.docebo.com/Docebo-sub-processorslist.pdf

LiveChat, Inc. - 101 Arch Street, 8th Floor - Boston MA 02110, United States of America. In-application chat service. LiveChat Sub-processor list: https://www.livechat.com/help/livechat-list-ofsubprocessors/

DESCRIPTION OF TRANSFER

DATA SUBJECTS

The Data Controller may submit Personal Data to Planisware, the extent of which is determined and controlled by the Data Controller in its sole discretion, and which include the following categories of data subjects:

• Employees of the Data Controller

• Independent contractors of the Data Controller

• Other End-Users of the Orchestra Service as the Data Controller authorizes under the Agreement

• Any individual whose Personal Data is Processed by the Controller through projects managed with Planisware Orchestra SaaS solution.

CATEGORIES OF DATA

The Personal Data transferred concern the following categories of data:

• The categories of Personal Data Processed to access the Services under the Agreement:

---- Mandatory Personal Data to allow Software usage: End-User ID, IP address

---- Optional Personal Data (upon Customer’s choice of software configuration): First and last name, End-User email, Phone number, Job titles/roles, Curriculum Vitae

• Activity of End-User in connection with Customer’s account,

• Communication between End-Users and Planisware staff in connection with support services,

• Where applicable, communication between End-Users and Planisware staff in connection with Professional Services.

SPECIAL CATEGORIES OF DATA

Customer must not use the Services to process Personal Data deemed special categories of data under Data Protection Laws and Regulations without prior agreement of Planisware’s signatory of this DPA. Where Planisware agrees to process special categories of data, the Parties undertake to jointly agree, where necessary, on appropriate additional safeguards for the processing.

FREQUENCY OF TRANSFER

The personal data is transferred on an ongoing basis during the duration of the Agreement and post Agreement transition period.

PROCESSING OPERATIONS

The Personal Data processed will be subject to the following basic Processing activities:

• Collecting, hosting and back-up storage of personal data for purposes of:

---- Recognizing authorized End-User of the Service

---- Enabling administration of Customer account by data exporter

---- Providing support services

---- Where applicable, providing professional services

• Deletion or anonymization of Personal Data upon instruction of Customer or at the end of the Agreement.

PURPOSE(S) OF THE DATA TRANSFER 

Planisware’s data centers are located in the United States and Planisware’s software solutions accessed by users of the Services are hosted in such data centers. Planisware’s and its Affiliates’ support operations are located in the United States and countries listed above.

PERIOD FOR WHICH THE PERSONAL DATA WILL BE RETAINED

Duration of the Agreement as well as a post Agreement service transition period as agreed between Planisware and Customer in the Agreement.

 

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES 

Planisware has implemented and maintains a comprehensive written information privacy and security program (including provisions regarding retention of records and incident response plan) that includes appropriate administrative, organizational, technical, and physical safeguards and other security measures appropriate to the size and complexity of the data processing, the harm that might result from a Security Incident and the nature and scope of the personal data processing activities. Planisware may update these technical and organizational security measures from time to time so long as they do not materially decrease the overall security of the personal data processing.

 

1. PSEUDONYMISATION OF PERSONAL DATA/ENCRYPTION OF PERSONAL DATA

Measures are used to ensure that personal data cannot be read, copied, modified, or deleted without authorisation during electronic transmission or transport, and that the target entities for any transfer of personal data by means of data transmission facilities can be established and verified.

 

2. ABILITY TO ENSURE THE ONGOING CONFIDENTIALITY AND INTEGRITY OF PROCESSING SYSTEMS AND SERVICES

2.1 Measures to prevent unauthorized persons from gaining physical access to personal data processing systems: a) Definition of persons who are granted physical access to systems where personal data is Processed; b) Electronic access control; c) Issuance of access IDs; d) Implementation of policy for external individuals; e) Alarm device or security service outside service times; f) Division of premises into different security zones; g) Implementation of key(-card) handling policy; h) Security doors (electronic door opener); i) Implementation of measures for on-premise security (e.g. intruder alert/notification).

2.2 Measures to prevent unauthorized persons from using personal data processing equipment: a) Definition of persons who may access personal data processing equipment; b) Implementation of policy for external individuals; c) Password protection of personal computers.

2.3 Measures ensuring that persons entitled to use a data processing system gain access only to such personal data as they are entitled to accessing in accordance with their access rights: a) Implementation of access rights for respective personal data and functions; b) Requirement of identification vis-à-vis the data processing system (e.g. via ID and authentication); c) Implementation of policy on access- and user-roles; d) Evaluation of protocols in case of damaging incidents.

2.4 Measures such as logging of data entry, to ensure that it is possible to check and ascertain whether personal data have been entered into, altered or removed from personal data processing systems and if so, by whom.

2.5 Measures to ensure that personal data processed on behalf of others are Processed in compliance with Customer’s (data controller and data exporter) instructions, including training of Planisware personnel and documentation of Customer support requests.

2.6 Measures to ensure that personal data collected for different purposes can be processed separately such as the use of logical separation of personal data of each of data processor's clients.

 

3. ABILITY TO ENSURE THE AVAILABILITY AND RESILIENCE OF PROCESSING SYSTEMS AND SERVICES

Measures to ensure that personal data is protected against accidental destruction or loss: a) Realization of a regular backup schedule; b) Control of condition of data carriers for personal data backup purposes; c) Safe storage of personal data backups; d) Implementation and regular control of emergency power systems and overvoltage protection systems.

 

4. ABILITY TO RESTORE THE AVAILABILITY TO ACCESS PERSONAL DATA IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT

Measures to ensure that personal data can be restored in a timely manner in the event of accidental destruction or loss: a) Implementation of an emergency plan; b) Protocol on the initiation of crisis- and/or emergency management.

 

5. PROCEDURES FOR REGULAR TESTING, ASSESSING AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANIZATIONAL MEASURES FOR ENSURING THE SECURITY OF THE PROCESSING

a) Regular review of IT security related certifications (e.g. ISO 27001); b) Monitoring by Planisware’s Data Protection Officer, if designated, and IT review concerning the compliance with the determined processes and requirements for the configuration and operation of the systems