Bridgit EU & UK Platform Terms of Service

Bridgit Inc. (“Bridgit”) owns certain software that it has developed and makes available to its customers in English as a service offering (the “Bridgit Platform” or “Platform”).

In connection with the use of the Bridgit Platform (as defined below), you and/or your organization or corporation, including affiliates (collectively, the “Customer” and together with Bridgit, the “Parties”) hereby agree to the terms of service and conditions contained herein (collectively, the “Terms of Service”).

BY ACCEPTING THESE TERMS OF SERVICE (THE “TERMS OF SERVICE”) BY SIGNING THE ORDER FORM (AS DEFINED BELOW) WHICH REFERENCES THE TERMS OF SERVICE, OR USING, OR ACCESSING THE SERVICE AFTER BEING MADE AWARE OF THESE TERMS OF BRIDGIT PLATFORM, CUSTOMER ACKNOWLEDGES THAT IT HAS READ AND UNDERSTOOD ALL OF THE PROVISIONS, AND HAS THE AUTHORITY TO AGREE TO, AND IS CONFIRMING THAT IT IS AGREEING TO, COMPLY WITH AND BE BOUND BY, ALL OF THE TERMS AND CONDITIONS CONTAINED HEREIN, TOGETHER WITH ANY ORDER FORM AND INCLUDING BRIDGIT’S PRIVACY POLICY, ALL OF WHICH ARE INCORPORATED BY REFERENCE AND DEEMED TO BE PART OF THE ENTIRE AGREEMENT ENTERED INTO BETWEEN BRIDGIT AND THE CUSTOMER.

IF, AFTER READING THESE TERMS OF SERVICE, CUSTOMER DOES NOT ACCEPT OR AGREE TO THE TERMS AND CONDITIONS CONTAINED HEREIN, CUSTOMER SHALL NOT USE, OR ACCESS THE BRIDGIT PLATFORM.

IF YOU ARE AN AGENT OR EMPLOYEE OF CUSTOMER THEN YOU HEREBY REPRESENT AND WARRANT THAT: (I) YOU ARE DULY AUTHORIZED TO ACCEPT THIS AGREEMENT ON CUSTOMER’S BEHALF AND TO BIND CUSTOMER, AND (II) CUSTOMER HAS FULL POWER, CORPORATE OR OTHERWISE, TO ENTER INTO THIS AGREEMENT AND PERFORM ITS OBLIGATIONS HEREUNDER.

INTERPRETATION

1.1 Definitions.  For the purposes of this Agreement, the following capitalized terms have the meanings set out below:

(a) “Agreement” means the Order Form and these Terms of Service.

(b) “Bridgit Platform” or “Platform” means, collectively, Bridgit’s proprietary online, web-based platforms, including without limitation Bridgit Bench™, as may be amended or developed from time to time, and including any and all Enhancements and New Features.

(c) “Claim” has the meaning ascribed in Section 11.1.

(d) “Confidential Information” means the information of a Party, or of third parties to which such Party has a duty of confidentiality, of a confidential and proprietary nature (whether in written, electronic or oral form), whether such information is or is not marked or identified as confidential or proprietary, including without limitation all Intellectual Property, financial, business or technical information, marketing and financial plans and data. Confidential Information does not include information that (i) is already known to the receiving party at the time it is disclosed and has not been obtained wrongfully; (ii) becomes publicly known without fault of the receiving party; (iii) is independently developed by the receiving party; (iv) is approved for release in writing by the disclosing party; or (v) is disclosed without restriction by the disclosing party to a third party.

(e) “Customer Data” means data submitted by or for Customer or Customer Users or collected and processed by or for Customer using the Bridgit Platform, including the data of and Personal Information belonging to Customer and Customer’s Users.

(f) “Customer User(s)” means any employee or contractor of Customer using the Bridgit Platform as a result of his, her or its affiliation with or connection to the Customer.

(g) “Documentation” means the written or electronic program documentation, including user manuals, handbooks and other materials  that Bridgit generally makes available describing the use, design, installation, operation and maintenance of the Bridgit Platform  or in the delivery of the Services.

(h) “Enhancements” means improvements and other changes intended to improve the performance of the Bridgit Platform.

(i) “Fee” means the Initial Term Fee and the Renewal Term Fee, as applicable.

(j) “Implementation Services” has the meaning ascribed to it in Section 6.1.

(k) “Initial Term” has the meaning ascribed to it in Section 12.1.

(l) “Initial Term Fee” has the meaning ascribed in Section 4.1.

(m) “Intellectual Property” includes without limitation any and all software (in object and source code form), inventions (whether or not patentable), trade secrets, ideas, techniques, processes, formulas, algorithms, schematics, research, development, software design and architecture, testing procedures, design and functional specifications, problem reports and performance information media content, distribution content, instructions, specifications, engineering designs, concepts, models, technology, patents, trademarks, trade secrets, and know-how.

(n) “Intellectual Property Rights” means all rights in Intellectual Property, whether protectable by copyright, trademark, patent, industrial design or trade secret laws and other intellectual property rights under laws, including common law.

(o) “New Features” means the addition of new functionality in the Bridgit Platform upon the payment of additional fees by Customer.

(p) “Order Form” means a document executed between Bridgit and Customer, in respect of Customer’s purchase of a subscription to use the Bridgit Platform and Services from Bridgit.

(q) “Personal Information” means any information relating to or about an identifiable individual as defined under Privacy Laws.

(r) “Privacy Laws” means laws relating to the collection, use, storage and disclosure of information about an identifiable individual, including but not limited to the Personal Information Protection and Electronic Documents Act (Canada) and the Canadian Anti-Spam Legislation, each as amended or superseded from time to time) applicable to the processing of Personal Information, and any other local, state, provincial, federal, or international laws relating to such activities.

(s) “Profile(s)”means the profile(s) of Customer employees and contractors, excluding Customer Users, that are tracked in an Account.

(t) “Renewal Term” has the meaning ascribed to it in Section 12.1.

(u) “Renewal Term Fee” has the meaning ascribed to it in Section 4.6.

(v) “Services” means the Bridgit Platform as provided by Bridgit to the Customer and Customer Users hereunder, including ancillary services available in connection with the Bridgit Platform, such as Implementation Services, and Support Services.

(w) “Support Services” has the meaning ascribed in Section 6.2.

(x) “Term” means the Initial Term and all Renewal Terms, as applicable.

1.2 General Interpretation

(a) Number and Gender. In this Agreement, words importing the singular include the plural and vice versa, and words importing gender include all genders.

(b) Section Headings. The insertion of headings and the division of this Agreement into Sections are for convenience of reference only and will not affect the interpretation hereof.  The words “hereof”, “hereunder”, “hereto” and similar expressions refer to this Agreement and not to any particular Section or other portion of this Agreement.

(c) Extended Meaning. The use of (i) the terms “including” or “include” mean “including, without limitation” or “include, without limitation” respectively; (ii) the term “Services” or “the Services” means “Services, or any part thereof” or “the Services, or any part thereof”, as applicable; and (iii) a definition applies to other forms of the word.

(d) Currency. All references to money amounts herein, unless otherwise specified on the Order Form, will be in United States Dollars ($USD).

(e) Generality. No specific representation, warranty or covenant contained herein will limit the generality or applicability of a more general representation, warranty or covenant contained herein.  A breach of, or inaccuracy in, any representation, warranty or covenant will not be affected by the fact that any more general or less general representation, warranty or covenant was not also breached or inaccurate.

(f) Technical Terms. Technical terms used in this Agreement that are not defined in this Agreement may be defined in the Documentation or will have the generally accepted industry or technical meaning given to such terms.

ARTICLE 2

BRIDGIT PLATFORM

2.1 Rights of Access and Use. Bridgit hereby grants to Customer a non-exclusive, non-sublicensable and non-transferable right in the territories of Canada, the United States, Australia and New Zealand (collectively, the “Territories”): (i) access and use (and to permit Customer Users to access and use) the Bridgit Platform; and (ii) access and use, and permit Customer Users to access and use the Documentation made available by Bridgit, all in accordance with the terms of this Agreement.

2.2 Restrictions. The Customer shall not, and shall ensure the Customer Users do not: (i) use Bridgit Software for purposes other than in relation to the Order Form; (ii) reverse engineer or decompile, modify, translate, disassemble or revise the Bridgit Platform or any part thereof, or create adaption, combinations or derivative works thereof; (iii) make accessible, sub-license or transfer Bridgit Software to any third party; (iv) remove any proprietary notices, labels, or marks from the Platform or Documentation; (v) create any “links” to or “frame” or “mirror” of the Platform or any portion thereof; or (vi) use the Platform to create, collect, transmit, store, use or process any Customer Data that: (a) Customer does not have the lawful right to create, collect, transmit, store, use or process, or (b) violates any applicable laws (including Privacy Laws) or infringes, violates or otherwise misappropriates the Intellection Property Rights or other rights of any third party; and (vii) engage, directly or indirectly, in the research, development, manufacturing, marketing, distribution, sale, lease or licensing of any product, using in any way whatsoever any Bridgit’s Confidential Information or Intellectual Property Rights in the Bridgit Software or Services.

2.4 Reservation of Rights. Bridgit and its licensors own and shall retain all right, title and interest (including without limitation all patent rights, copyrights, trade-mark rights, trade secret rights and all other Intellectual Property Rights), in and to the Platform and Documentation and any copies, corrections, bug fixes, enhancements, modifications or new versions thereof, all of which shall be deemed part of the Platform and subject to all of the provisions of this Agreement.  Customer shall keep the Platform and Documentation free and clear of all liens, encumbrances and/or security interests.  Subject to the limited rights expressly granted in this Agreement, Bridgit reserves all rights, title and interest in and to the Platform and Documentation. No rights are granted to Customer pursuant to this Agreement other than as expressly set forth in this Agreement, provided that Customer and its Customer Users shall retain all ownership, right, title and interest to the Customer Data.

2.5 Aggregated Data. Customer acknowledges and agrees that the Platform compiles, stores and uses aggregated data and system usage, analytics and diagnostic information to monitor and improve the Platform and for the creation of new products. All data collected, used, and disclosed by Bridgit will be in aggregate, anonymized and/or de-identified form only and will not identify Customer, Customer Users, Customer Data, Personal Information, or any third parties utilizing the Platform.

ARTICLE 3

ACCOUNT ACTIVATION

3.1 Account. Customer is required to open an account with Bridgit (an “Account”) in order to use the Platform and track Profiles. During registration, a Customer User will be asked to provide Personal Information in order to create an Account on behalf of Customer. Customer shall ensure that such Account activation information is accurate and complete and that such information remains current throughout the Term. Customer is fully responsible for all activity that occurs in Customer’s Account, including for any actions taken by Customer Users.

3.2 Passwords. Customer is responsible for keeping all Account passwords secure. Bridgit will not be liable for any loss or damage caused by or arising from a failure by Customer or Customer Users to maintain the security of the Customer’s Account and password.

3.3 Customer and Customer Users. Customer is also responsible for all activity in the Account and for Customer Data uploaded, collected, generated, stored, displayed, distributed, transmitted or exhibited on or in connection with Customer’s Account by its Customer Users. Customer is responsible for its Customer Users’ compliance with this Agreement.  Customer shall:  (a) use commercially reasonable efforts to prevent unauthorized access to, or use of, the Platform, and notify Bridgit promptly of any such unauthorized access or use; and (b) use the Platform only in accordance with the Documentation and applicable laws and government regulations.

ARTICLE 4

FEES

4.1 Initial Term Fees. Customer shall pay Bridgit the fees stipulated in the Order Form for the Services during the Initial Term (the “Initial Term Fee”).

4.2 Invoicing and Payment. Bridgit shall invoice the Customer in advance for the Fees and otherwise in accordance with the relevant Order Form. Unless otherwise stated in the Order Form, Fees are due net thirty (30) days from the invoice date. Customer is responsible for maintaining complete and accurate billing and contact information with Bridgit.

4.3 Overdue Payments. Any payment not within thirty (30) days of receipt of invoice from Bridgit may accrue, at Bridgit’s discretion, late charges at the rate of one and a half percent (1.5%) per month on any past due amount (18% per annum), or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid. Customer will also be responsible for any costs incurred by Bridgit in collecting any past due amount.

4.4 Taxes. The Fee does not include applicable taxes, levies, duties or similar governmental assessments of any nature, including sales, use, excise, goods and services, value added, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. For greater certainty, Bridgit is solely responsible for taxes assessable based against its income, property and employees.

4.5 Profile Usage. If, during the Term, the number of Profiles in an Account  exceeds more than fifteen percent (15%) of the actual Profiles paid for by Customer in the Order Form, Bridgit reserves the right to immediately charge Customer the pro-rated subscription fees applicable for such additional Profiles.

4.6 Fee Increase. Bridgit reserves the right to increase the Fees prior to any Renewal Term (the “Renewal Term Fee”) and shall provide written notice to Customer at least thirty (30) days’ in advance of any such Fee increase.

ARTICLE 5

CUSTOMER RESPONSIBILITIES

5.1 Equipment. Customer is solely responsible for acquiring, servicing, maintaining and updating all equipment, computers, software and communications services (such as Internet access) that are required to allow Customer to access and use the Platform and for all expenses relating thereto. Customer agrees to access and use, and shall ensure that all Customer Users access and use, the Platform in accordance with any and all operating instructions or procedures that may be issued by Bridgit from time to time.

5.2 Cooperation. Customer will provide Bridgit all reasonable information, assistance, documentation, cooperation and updates as requested or required by Bridgit to perform the Services.  Bridgit will not be liable for any failure to perform hereunder caused by the Customer’s failure to provide adequate, appropriate or correct information, assistance, documentation, cooperation or updates. Customer agrees to press mentions and authorizes Bridgit to include the Customer’s name and logo on Bridgit’s website and/or other marketing collateral.

5.3 Users.  Customer shall: (a) use commercially reasonable efforts to prevent unauthorized access to, or use of, the Platform, and notify Bridgit promptly of any such unauthorized access or use; and (b) use the Service only in accordance with these Terms of Service, the Documentation and applicable laws and government regulations.

5.4 Feedback. Customer may provide reasonable feedback to Bridgit including, but not limited to, suitability, problem reports, suggestions and other information with respect to the Platform (“Feedback”). Customer hereby grants to Bridgit a fully paid-up, royalty-free, worldwide, assignable, transferable, sublicenseable, irrevocable, perpetual license to use or incorporate into the Platform, Documentation and any other Bridgit products or services, or for any other purposes, any Feedback provided by Customer or its Customer Users.

ARTICLE 6

SERVICES AND SERVICE LEVELS

6.1 Implementation Services. Bridgit will provide implementation assistance with respect to the Bridgit Platform as further outlined in the Order Form (the “Implementation Services”) which shall be provided on a one-time basis prior to any training provided by Bridgit to Customer. Any additional implementation assistance or set-up, and any customization requested by Customer may be provided by Bridgit to Customer in its sole discretion, the terms and costs of which shall be mutually agreed upon by the parties and incorporated into the Order Form.

6.2 Support Services. Bridgit will provide support and maintenance services with respect to the Bridgit Platform (the “Support Services”) in accordance with the terms and service levels set out in the attached Schedule A. Support Services are included in the Fees payable by the Customer to Bridgit.

6.3 Enhancements and New Features. From time to time, Bridgit may make Enhancements to the Bridgit Platform at its sole discretion or add New Features to the Bridgit Platform upon the payment of additional fees by Customer. Customer will be given the option to upgrade and pay an additional fee for New Features.

ARTICLE 7

CONFIDENTIALITY

7.1 Obligation of Confidentiality. Each party agrees: (i) to take all measures necessary to keep the Confidential Information of the other party confidential; and (ii) to not release, disclose, divulge or otherwise make available, directly or indirectly, any of the Confidential Information of the other party to any third person except:

(a) employees of the receiving party who need to use the Confidential Information for the purposes of this Agreement;

(b) necessary subcontractors, representatives or legal and professional advisors of the receiving party; or

(c) to the extent required pursuant to an order of a court of competent jurisdiction or as otherwise required by law, provided that the disclosing party is notified forthwith of any such requirement, and provided that reasonable efforts are made by the receiving party to maintain the confidentiality of the Confidential Information in any required disclosure, and provided that the receiving party shall, if possible, provide the disclosing party an opportunity to object to the disclosure.

7.2 Protection. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind (but in no event using less than reasonable care).

7.3 Right to Injunctive Relief. Each Party acknowledges that monetary damages may not be a sufficient remedy for a breach of its obligations and that the other Party will be entitled, without waiving any of its other rights or remedies, to such injunctive or equitable relief as may be deemed proper by a court of competent jurisdiction. 

ARTICLE 8

CUSTOMER DATA AND PERSONAL INFORMATION

8.1 Customer Data. As between Bridgit and Customer, Customer exclusively owns and shall at all times retain all ownership, right, title and interest in and to the Customer Data. Bridgit does not acquire any rights, title or interest whatsoever, express or implied, in any of the Customer Data. Customer hereby authorizes Bridgit to use Customer Data as required to provide the Services in accordance with the terms hereof and in accordance with the applicable Privacy Laws.

8.2 Technical and Organizational Safeguards. In connection with the provision of the Services, Bridgit will maintain commercially reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the Platform and Customer Data. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Customer Data by Bridgit personnel except (a) to provide the Platform and prevent or address service or technical problems, (b) as compelled by law and upon identification of lawful authority, (c) as expressly permitted in writing by Customer, or (d) as allowed under applicable Privacy Laws. Bridgit shall, in connection with the provision of the Platform, comply with Privacy Laws, as well as Bridgit’s Privacy Policy.

8.3 Customer Data Portability and Deletion. Upon request by Customer made during the Term or within thirty (30) days after the effective date of termination of this Agreement, Bridgit will delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control as provided in the Documentation, unless legally prohibited.

8.4 Customer’s Obligations Regarding Personal Information. Customer’s instructions to Bridgit for the processing of Personal Information shall comply with applicable Privacy Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which Customer acquired the Personal Information. Customer hereby represents and warrants to, and covenants with Bridgit that Customer Data will only contain Personal Information in respect of which Customer has provided all notices and disclosures, obtained all applicable third party consents and permissions and otherwise has all authority, in each case as required by applicable Privacy Laws, to enable Bridgit to provide the Platform, including with respect to the collection, storage, access, use, disclosure and transmission of Personal Information, including by or to Bridgit and to or from all applicable third parties.

8.5 Bridgit’s Processing of Personal Information. Bridgit shall secure Personal Information with all necessary safeguards appropriate to the level of sensitivity of the Personal Information. Bridgit shall only process Personal Information on behalf of and in accordance with applicable Privacy Laws for the following purposes: (a) processing in accordance with the Agreement; (b) processing initiated by Customer’s Users or customers in their use of the Platform; and (c) processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and applicable Privacy Laws. Bridgit shall ensure that its personnel engaged in the processing of Personal Information: (x) are informed of the confidential nature of the Personal Information, (y) have received appropriate training on their responsibilities, and (z) are under contractual or statutory obligations to maintain the confidentiality of Customer Data.  Bridgit shall take commercially reasonable steps to ensure the reliability of any Bridgit personnel engaged in the Processing of Personal Information.

8.6 Messaging. If using the messaging functionality, Customer represents and warrants that it has and will continue to comply with all Privacy Laws applicable to email, SMS, or text campaigns, that Customer has obtained all appropriate and required consents to send such messages, and that Customer’s deployment of any such email, SMS or campaigns comply with all applicable Privacy Laws. Bridgit shall have no responsibility or liability to Customer relating to Customer’s compliance with Privacy Laws applicable to any such messaging, nor will Bridgit be responsible for any type of record creation or maintenance of records in relation to information sent by Customer to its Customer’s Users through use of the messaging functionality. Bridgit will provide opt-out functionality and link our privacy policy in all messages sent to Customer’s Users.

8.7 European Economic Area, or United Kingdom Provisions. Where Customer is established in European Economic Area, or United Kingdom Schedule B shall apply.

ARTICLE 9

LIMITED WARRANTIES AND DISCLAIMERS

9.1 Bridgit’s Platform Warranty. Bridgit hereby represents and warrants to Customer that: (i) During the Term, the Platform will perform materially in accordance with the Documentation; and (iii) the Platform will not contain any code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses. 

9.2 Warranty Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES PROVIDED HEREIN, THE PLATFORM IS PROVIDED “AS IS” AND “AS AVAILABLE” AND BRIDGIT MAKES NO REPRESENTATIONS OR WARRANTIES, AND THERE ARE NO CONDITIONS, ENDORSEMENTS, UNDERTAKINGS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, (INCLUDING WITHOUT LIMITATION ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OF QUALITY, PERFORMANCE, RESULTS, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY OR ARISING BY STATUTE OR OTHERWISE IN LAW OR FROM A COURSE OF DEALING OR USAGE OF THE TRADE) AS TO, ARISING OUT OF OR RELATED TO THE FOLLOWING: (I) THIS AGREEMENT; (II) THE PLATFORM; AND/OR (III) SECURITY ASSOCIATED WITH THE TRANSMISSION OF INFORMATION OR CUSTOMER DATA TRANSMITTED TO OR FROM BRIDGIT VIA THE PLATFORM. BRIDGIT DOES NOT REPRESENT OR WARRANT THAT THE PLATFORM WILL MEET ANY OR ALL OF CUSTOMER’S PARTICULAR REQUIREMENTS, THAT THE PLATFORM WILL OPERATE ERROR-FREE OR UNINTERRUPTED OR THAT ALL PROGRAMMING ERRORS IN THE PLATFORM CAN BE FOUND IN ORDER TO BE CORRECTED.

ARTICLE 10

LIMITATION OF LIABILITY

10.1 Exclusion of Indirect and Consequential Damages.  SUBJECT TO SECTION 10.3 HEREOF, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF DATA, LOST SAVINGS OR OTHER SIMILAR PECUNIARY LOSS).

10.2   Limitation of Liability. SUBJECT TO SECTION 10.3 HEREOF, IN NO EVENT SHALL EITHER PARTY’S MAXIMUM, CUMULATIVE AND AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT OR RELATING TO THE SUBJECT MATTER HEREOF FOR ALL CLAIMS, COSTS, LOSSES AND DAMAGES EXCEED THE AMOUNTS ACTUALLY PAID BY AND DUE FROM CUSTOMER HEREUNDER IN THE TWELVE (12) MONTHS PRECEDING THE INCIDENT GIVING RISE TO LIABILITY. THE EXISTENCE OF MORE THAN ONE CLAIM SHALL NOT ENLARGE THIS CUMULATIVE LIMIT.

10.3   Certain Damages Not Excluded or Limited.  NOTWITHSTANDING THE FOREGOING, NO LIMITATION OF EITHER PARTY’S LIABILITY SET FORTH IN THIS AGREEMENT SHALL APPLY TO (I) DAMAGES ARISING FROM A PARTY’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS HEREUNDER, (II) INDEMNIFICATION CLAIMS , (III) DAMAGES ARISING FROM INFRINGEMENT CLAIMS (AS DEFINED HEREIN); (IV) ANY CLAIMS FOR NON-PAYMENT, (V) GROSS NEGLIGENCE, FRAUD OR WILLFUL MISCONDUCT, OR (VI) BODILY INJURY OR DEATH.

ARTICLE 11

INDEMNIFICATION

11.1 Indemnification by Bridgit. Bridgit agrees to defend, indemnify and hold harmless the Customer against any claim, suit, demand or action (a “Claim”) demands, suits or proceedings made or brought against Customer by a third party alleging that Customer’s use or the Customer Users’ use of the Platform as contemplated hereunder infringes the intellectual property rights of, or has otherwise harmed, a third party (each, an “Infringement Claim”) ; provided, however, that: Customer will (i) provide Bridgit with prompt written notice of such Claim; (ii) give Bridgit sole control of the defense and settlement of the Infringement Claim (provided that Bridgit may not settle or defend any Infringement Claim unless it conditionally releases Customer of all liability); and (ii) provide to Bridgit, at Bridgit’s cost, all reasonable assistance and information. The foregoing will not apply to the extent that the Infringement Claim arises from Customer’s use of the Platform in a manner that was not intended or not in accordance with this Agreement.

11.2 Other Remedies. If (a) Bridgit becomes aware of an actual or potential Infringement Claim, or (b) Customer provides Bridgit with notice of an actual or potential Infringement Claim, Bridgit may (or in the case of an injunction against Customer, shall), at Bridgit’s sole option and determination: (i) procure for the Customer the right to continue using the Platform; (ii) replace or modify the infringing component so that it no longer infringes upon such Intellectual Property Rights; or (iii) where (i) or (ii) are not practical in the sole discretion of Bridgit, terminate the rights granted to Customer herein to access and use the Platform.  If Customer is prevented from using the Platform or terminated pursuant to this Section 11.2, then Bridgit shall provide Customer with a pro rata refund of any Fees already paid by Customer for those periods during which it does not have access to Platform.

11.3 Exclusive Remedy. Sections 10.3, 11.1 and 11.2 set forth the exclusive and entire remedy of Customer against Bridgit with respect to the indemnification of any third-party Claims.

11.4 Indemnification by Customer. Customer agrees to defend, indemnify and hold harmless Bridgit, its employees, officers, directors, shareholders, agents and affiliates from and against any Claims, demands, suits or proceedings made or brought against Bridgit by a third party (a) alleging that Customer’s or the Customer Users’ use of the Platform as contemplated hereunder infringes the intellectual property rights of, or has otherwise harmed, a third party, but only to the extent the Claim, demand, suit, or proceeding arises from Customer’s use of the Platform in a manner that was not intended or not in accordance with this Agreement; (b) based on a breach of any Privacy Laws or a breach of this Agreement by Customer or its employees, contractors, or agents; or (c) caused by any negligent act or omission of Customer or its employees, contractors, or agents (each a “Customer Indemnified Claim”); provided, however, that Bridgit will (i) provide Customer with prompt written notice of the Customer Indemnified Claim; (ii) give Customer sole control of the defense and settlement of the Customer Indemnified Claim (provided that Customer may not settle or defend any Customer Indemnified Claim unless it conditionally releases Bridgit of all liability); and (iii) provides to Customer, at Customer’s cost, all reasonable assistance and information.

ARTICLE 12

TERM AND TERMINATION

12.1 Term, Renewal. This Agreement will be effective on the date of the initial Order Form and will continue for the period outlined in the Order Form (the “Initial Term”), or until otherwise terminated by either part as provided below. Unless otherwise agreed upon in the applicable Order Form, an Order Form shall automatically renew for additional periods of one (1) year (each, a “Renewal Term”) at the Renewal Term Fee, unless Customer gives Company written notice of non-renewal at least thirty (30) days prior to the end of the Initial Term or then-current Renewal Term.

12.2 Termination for Cause. Either party may terminate this Agreement for cause as follows: (i) upon fifteen (15) days’ written notice to the other party of a material breach if such breach remains uncured or the breaching party has failed to take diligent steps to commence cure of the breach within five (5) days following written notice from the non-breaching party, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

12.3 Payment on Termination. Customer shall be responsible to pay the Fee up to the effective date of termination. If this Agreement is terminated mid-month, the Fee shall be prorated. . In no event will termination relieve Customer of its obligation to pay any Fees payable to Bridgit for the period prior to the effective date of termination. Customer shall pay any and all other amounts that may be owing to Bridgit under this Agreement forthwith on receipt of final invoice from Bridgit.

12.4 Effects of Termination or Expiration. In the event of termination or expiration of this Agreement, on the termination date or expiration date, as applicable, (i) the rights  granted to Customer and the provision of the Services will terminate and expire immediately; (ii) Customer will immediately cease to access the Platform and shall notify Customer Users to cease to access the Platform under the terms of this Agreement; and (iii) Customer will immediately return or destroy, at Bridgit’s sole discretion, all Documentation and any other materials containing Bridgit’s Confidential Information and, at the request of Bridgit, confirm in writing that such information has been returned or destroyed.

12.5 Survival. Any provision of this Agreement which by its nature would survive the termination or expiration of this Agreement, shall survive termination or expiry of this Agreement and will remain in full force and effect thereafter. 

12.6 Termination pursuant to other clauses. Other clauses of this Agreement may provide for events triggering the early termination of this Agreement.

ARTICLE 13

MISCELLANEOUS

13.1 Force Majeure. Neither party will be deemed to be in default of any provision of this Agreement (other than Customer’s obligation to pay amounts due to Bridgit hereunder) for any failure in performance resulting from acts or events beyond its reasonable control, including, but not limited to, fire, flood, other natural disasters, war, labour difficulties, interruption of transit and power telecommunication outages, accident, explosion, civil commotion and acts of any governmental authority; provided, however, that the party so affected will give prompt notice thereof to the other party.

13.2 Governing Law. This Agreement and the rights and obligations of the Parties under this Agreement are governed by, and are to be construed and interpreted in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable in the Province of Ontario, without regard to its conflict of law principles. The Parties agree that the courts of such jurisdiction constitute a convenient forum for any litigation and both parties attorn and submit to the non-exclusive jurisdiction of such courts. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded and does not apply to this Agreement

13.3 Dispute Resolution.

(a) Negotiation. The parties will negotiate in good faith and use reasonable efforts to settle any dispute, controversy or claim arising from or related to this Agreement.  If the Parties fail to reach a mutually satisfactory resolution within thirty (30) days from the date of notice given of such dispute, then the dispute shall be subject to arbitration in accordance with the Arbitration Act (Ontario).

(b) Interim Relief. Notwithstanding anything herein to the contrary, nothing in this Section 13.3 will preclude either party from seeking interim or provisional relief in the courts in the jurisdiction designated in Section 13.2, including a temporary restraining order, preliminary injunction or other interim equitable relief.  This Section 13.3(b) will be specifically enforceable.

13.4 Non-Assignment. The Customer may not assign this Agreement or any rights or obligations hereunder, in whole or in part, without the prior written consent of Bridgit and any attempt to assign this Agreement without such consent will be deemed null and void. This Agreement will enure to the benefit of and be enforceable by and against the parties and their successors and permitted assigns, and if applicable, Customer’s personal representative or estate trustee.

13.5 Entire Agreement; Amendment. This Agreement constitutes the entire agreement between Bridgit and Customer with respect to the subject matter hereof, superseding any other agreements or discussions, oral or written.  In the event of a contradiction between the body of this Agreement and the Order Form, the provisions contained in the Order Form will prevail.  No supplement, modification, or amendment of this Agreement will be binding, unless executed in writing by a duly authorized representative of each party.

13.6 Independent Contractors.  The parties hereto are and will remain independent contractors. Nothing herein will be deemed to establish a partnership, joint venture or agency relationship between the parties.  Neither party will have the right to obligate or bind the other party in any manner to any third party.

13.7 Severability. The invalidity or unenforceability of any provision hereof will in no way affect the validity or enforceability of any other provision. Any provision declared invalid or unenforceable by a court of competent jurisdiction will be deemed to be automatically amended and replaced by a valid and enforceable provision that accomplishes as far as possible the purpose and intent of such original provision, and the remaining terms and conditions of this Agreement will remain in full force and effect.

13.8 Waiver. Any term or condition of this Agreement may be waived at any time by the party that is entitled to the benefit thereof solely with respect to such party, but no such waiver will be effective unless set forth in a written instrument duly executed by or on behalf of the party waiving such term or condition. The waiver by either party of any right hereunder or of the failure to perform or of a breach by the other party will not be deemed a waiver of any other right hereunder or of any other breach or failure by such other party whether of a similar nature or otherwise.

13.9 Notice. Any notice or other communication required or permitted hereunder will be in writing and shall be sufficiently given if delivered by hand or sent by registered mail, courier, email or facsimile addressed to the other party to such other person as designated by a party or address as the parties may from time-to-time designate in writing delivered pursuant to this notice provision.  Any such notices, requests, demands or other communications shall be deemed received and effective:  (i) upon delivery, if delivered personally; (ii) on the date of receipt of facsimile, mail, email or courier, where a confirmation of receipt is provided for such facsimile, mail, email or  courier; or (iii) on the 5th Business Day after demonstrable proof of sending by facsimile, mail, email or  courier, where confirmation of receipt is not provided for such facsimile, mail, email or courier. Legal notices or other communication required hereunder sent by email to Bridgit shall be sent to: legal@gobridgit.com.

SCHEDULE A

SERVICE LEVELS

UPTIME

Bridgit will use commercially reasonable efforts to achieve a Service Availability (as defined below) of at least 99% during each calendar month. If Bridgit fails to meet such service commitment it will report the remedial steps taken to address such service commitment failure. “Service Availability” means the number of minutes in a month that the key components of the Platform are operational as a percentage of the total number of minutes in such month, excluding downtime resulting from (a) scheduled maintenance, (b) events of force majeure, (c) malicious attacks on the Platform, (d) issues associated with Customer’s network or equipment, or (e) inability to deliver the Platform because of acts or omissions of Customer. Bridgit reserves the right to take the Platform offline for scheduled maintenance for which Customer has been provided reasonable notice and Bridgit reserves the right to change its maintenance window upon prior notice to Customer. Notwithstanding the foregoing, full functionality of the Platform is only guaranteed in Canada, the United States, the European Economic Area, United Kingdom, Australia and New Zealand (collectively, the “Territories”). Any use of the Platform outside of the Territories is subject to availability.

SEVERITY DEFINITIONS

Bridgit will address reported incidents in accordance with the following provisions:

• Level 1 Severity is any issue that directly affects the Customer’s ability (or a Customer User) to use the Bridgit Platform.
• Level 2 Severity is any issue that interrupts the normal course of business of a Customer (or a Customer User) but does not directly impact the ability to use the Bridgit Platform.
• Level 3 Severity is any issue that does not impact business processes or the ability to use the Bridgit Platform.

RESOLUTION TIMES

* Resolution refers to the ability to circumvent the problem. This may be done by fixing a defect and releasing new code or by online/offline workarounds until the problem is fixed.

COMMUNICATION

All issues will be reported via Bridgit’s Support Centre. Account login credentials will be provided to Customer upon execution of an Order Form.

SCHEDULE B

Data Processing Addendum

This Data Processing Addendum (“Addendum” or “DPA”) forms a part of the Platform Terms of Service (the “Agreement”) entered into between Bridgit Inc whose registered office is at 55 Northfield Dr. East, Suite #150, Waterloo, Ontario (“Bridgit”) and [INSERT COMPANY NAME] (“Customer”), and with Bridgit, each a “Party” and together, “Parties” on the Effective Date, for the purpose of ensuring that any Personal Data (as defined below) collected or utilized by Bridgit is handled in a manner that is secure and otherwise in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law. In the event of any conflict between the terms of this Addendum and the terms of the Agreement, prior data processing agreements, addenda, or similar terms between the Parties, the terms of this Addendum shall prevail.

Table of Contents:

1. Definitions
2. Role of the Parties
3. Processing of Personal Data
4. Sub-Processors
5. Deletion or Return of Customer Data
6. Information Rights and Audits
7. Security Incidents
8. General Terms

Annex 1 – Description of Processing Activities

Annex 2 – Cross-Border Transfer Mechanism

Annex 3 – Security Measures

1. Definitions

1.1. “Applicable Data Protection Law” means applicable law, rule or regulation relating to the privacy, confidentiality, security or protection of Personal Data, as they may be amended from time to time, in the relevant jurisdiction(s) in which data processing occurs including without limitation the Personal Information Protection and Electronic Documents Act, SC 2000 c. 5, the European General Data Protection Regulation (“GDPR”), and the UK General Data Protection Regulation (“UK GDPR”).

1.2. “Authorized Persons” means Bridgit’s employees, officers, partners, principals, contractors, sub-contractors, Sub-Processors, or other agents who Process Customer Data.

1.3. “Business Purpose”, or “Processing Purpose” means the use of Data Subject’s Personal Data for Customer’s operational purposes, or other notified purposes, or for the Bridgit’s operational purposes, provided that the use of Personal Data shall be reasonably necessary and proportionate to achieve the purpose for which the Personal Data was collected or processed or for another operational purpose that is compatible with the context in which the Personal Data was collected.

1.4. “Controller” means the natural or legal person that alone or jointly with others determines the purposes and means of the Processing of Personal Data.

1.5. “Customer Data” includes Personal Data, transactional data, and any reports, analyses, compilations, studies, or other documents that contain or otherwise reflect any of the foregoing. However, for purposes of this addendum, it is limited to Personal Data provided by Customer to Bridgit in connection with the provision of the Services, or obtained by Bridgit in the course of providing the Services to Customer that pertains to Customer’s employees, customers, users, or other individuals.

1.6. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.7. “Personal Data” or “Personal Information” has the meaning given by applicable Laws and shall include information (regardless of the medium in which it is contained), whether alone or in combination with other available information that directly or indirectly identifies an identified or identifiable natural person to whom Personal Data relates. Personal Data shall have the same meaning as Personal Information under applicable Laws.

1.8. “Process”, “Processed” or “Processing” means any operation or set of operations that is performed upon Customer Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction.

1.9. “Processor” means the natural or legal person that Processes Customer Data on behalf of Customer, and which receives from or on behalf of Customer a Data Subject’s Personal Data for a Business or Processing Purpose pursuant to a written contract. For the avoidance of doubt, the term Processor shall also include “Service Provider” and “Contractor” as the terms are defined by Applicable Data Protection Law.

1.10.  “Regulator” means any entity which has jurisdiction to enforce the Parties’ compliance with the Applicable Data Protection Law.

1.11.  “Restricted Transfer” means: (i) where the EU GDPR applies, transferring Personal Data collected from a Data Subject located in the EEA either directly or via onward transfer to a country that has not been issued an adequacy determination by the European Commission, and; (ii) where the UK GDPR applies, transferring, either directly or via onward transfer, Personal Data collected from a Data Subject located in the United Kingdom to or within any other country which is not subject based on adequacy regulations under Section 17A of the United Kingdom Data Protection Act 2018.

1.12.  “Security Incident” means a known breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise Processed pursuant to the Agreement and this Addendum.

1.13.  “Services” means the services and other activities to be supplied to or carried out by or on behalf of Bridgit for Customer pursuant to the Agreement.

1.14.  “Share”, “shared”, or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Customer Data by Bridgit to a third party.

1.15.  “Sub-Processor” is the natural or legal person that Processes Customer Data on behalf of the Processor and which receives from or on behalf of the Processor, a Data Subject’s Personal Data.

Terms such as “Data Protection Officer”, “Data Breach”, “Sensitive Data”, and “Sensitive Personal Information” shall have the meaning ascribed to them in the Applicable Data Protection Law if the jurisdictional definition differs from what has been ascribed in the Definition section of this Addendum.

2. Role of the Parties

2.1. The Parties acknowledge that for the purposes of Applicable Data Protection Law and this Addendum, Customer shall have exclusive authority to determine purposes for and means of Processing Customer Data as the Controller. Bridgit is the Processor, or a “service provider” or a “contactor” under Applicable Data Protection Law, in respect of Customer Data and shall Process Customer Data only on behalf of and for the benefit of Customer in accordance with the terms of the Agreement and this Addendum. Bridgit understands its compliance with obligations and restrictions imposed on it by Applicable Data Protection Law in its Processing of Customer Data.

2.2. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Laws, in respect of its Processing of Personal Data and any processing instructions it issues to Bridgit; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Bridgit to Process Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any content created, sent or managed through the Services.

3. Processing of Personal Data

Bridgit represents and agrees that: 

3.1. Processing Customer Data. It shall Process Customer Data only to the extent, and in such a manner, as is necessary for the purposes of fulfilling its obligations under and for the specific purposes set forth in the Agreement and Customer’s documented instructions. Any Customer Data will at all times be and remain the sole property of Customer and Bridgit will not have or obtain any rights therein, except as may otherwise be agreed to by the Parties. For the avoidance of doubt, this Addendum, together with the Agreement and any Order Forms, change orders, or other written directives from Customer, shall constitute all of Customer’s documented instructions.

3.2. Compliance with Applicable Law. Bridgit represents that nothing in the Applicable Data Protection Law prevents it from performing its obligations as described in this Addendum. It shall promptly inform Customer if, in its opinion, a Processing instruction conflicts or infringes an Applicable Data Protection Law. In such case, Bridgit shall inform Customer in writing and with specificity of related legal requirement(s), giving details of how Customer instructions conflict or infringe an Applicable Data Protection Law, giving details of Customer Data that it must nevertheless retain before such conflict or infringement is resolved, unless Applicable Data Protection Law prohibits or exempts such information on important grounds of public interest. Bridgit shall cooperate in good faith to resolve the conflict or infringement to achieve the goals of such instruction.

3.3. Bridgit’s Use of Customer Data. Bridgit shall take reasonable actions to assist Customer in ensuring that the Bridgit’s use of Customer Data is consistent with the obligations under Applicable Data Protection Law and the terms of this Addendum.

3.4. Confidentiality. Bridgit shall take reasonable steps to ensure that access to Customer Data is limited to Bridgit’s employees, agents, and subcontractors who have a need to know or otherwise access Customer Data to enable Bridgit to perform its obligations under the Agreement and this Addendum.

3.5. Security Measures. Bridgit shall implement and maintain commercially reasonable technical and organizational measures that are designed to protect against Security Incidents involving, and unauthorized or accidental destruction, loss, alteration or damage, unauthorized disclosure of or access to, Personal Data and designed to preserve the security and confidentiality of Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in accordance with the security standards described in Annex 2.

3.6. Cross-Border Data Transfers. Customer acknowledges that, as of the date of this DPA, Bridgit’s primary Processing facilities are located in the United Kingdom with back-up in Germany. However, in providing the Services, Bridgit may process Personal Data in, or transfer Personal Data to a Sub-Processor in, a third country provided that there are mechanisms in place for the transfer to be compliant with the Applicable Data Protection Laws.

3.7. Data Subject Requests. Bridgit shall notify Customer without undue delay of any request it receives from a Data Subject located in the respective jurisdiction(s) for which the Agreement applies concerning the exercise of any rights related to Personal Data provided to Data Subject under Applicable Data Protection Law (“Data Subject Requests”). Bridgit shall provide Customer with reasonable assistance to ensure that Customer is able to comply with its obligations concerning any Data Subject Requests.

3.8. Regulator Requests. Bridgit shall provide reasonable assistance to Customer in addressing any communications and abiding by any advice or orders from any Regulator empowered to enforce Applicable Data Protection Law (“Regulator Requests”).

4. Sub-Processors

4.1. Customer generally authorizes the use of Sub-Processors to Process Personal Data in connection with fulfilling Bridgit’s obligations under the Agreement and/or this DPA. Customer hereby authorizes Bridgit to engage the Sub-Processors listed in Annex 1 of this DPA. Customer hereby grants Bridgit general written authorization to engage any Sub-Processors required by Bridgit, in its sole discretion, and to use, add or replace Sub-Processors. As changes are made Bridgit shall update its list of Sub-Processors hosted online (https://trust.gobridgit.com/subprocessors) and will notify Customer on no less than a semi-annual basis of any changes made. The Customer will have seven (7) days from the date of receipt of the notice to approve or object to the change.  In the event of no response from the Customer, the Sub-Processor will be deemed accepted.  If the Customer objects to the replacement Sub-Processor, both parties shall in good faith discuss the Processing activities and agree an alternative option provided that such option may incur additional charges payable to Bridgit in accordance with the Agreement.  If both Parties cannot agree to an alternative, the Bridgit may terminate this Addendum (and the Agreement) with immediate effect on written notice to the Customer without incurring any liability under this Addendum or the Agreement.

4.2. Bridgit’s obligations under the Addendum shall apply to any Sub-Processor as set forth in this Addendum. Where Bridgit engages a Sub-Processor, equivalent data protection obligations as set out in this Addendum shall be imposed on that Sub-Processor by way of a contract or other legal act under Applicable Data Protection Law.

4.3. Where Bridgit engages a Sub-Processor to process Customer Data, Bridgit shall (i) conduct reasonable diligence on such Sub-Processor to attain reasonable assurance that such Sub-Processor complies with its obligations under Applicable Data Protection Law, and (ii) enter into a written contract with the Sub-Processor that imposes obligations that are no less restrictive on the Sub-Processor as is imposed on Bridgit under the Agreement and this Addendum.

4.4. To the extent Bridgit’s provision of the Services involves a Restricted Transfer of Customer Data, the terms set forth in Annex 2 (Cross-Border Transfer Mechanisms) shall apply. In the event of any conflict or inconsistency exists between this Addendum and the terms set forth in Appendix 2, in relation to Personal Data collected from individuals while they were located in the EEA or the United Kingdom, the terms in Appendix 2 shall apply.

5. Deletion or Return of Customer Data

Upon termination or expiration of this Addendum, Bridgit shall (at Customer’s election) delete or return to Customer all existing copies of Personal Data, unless Data Protection Laws require Bridgit’s continued retention of the Personal Data.

6. Information Rights and Audits

6.1. Bridgit shall, in accordance with Applicable Data Protection Law, make available to Customer such information in Bridgit’s possession or control as Customer may reasonably request to demonstrate Bridgit’s compliance with the obligations of Processor under Applicable Data Protection Laws in relation to its Processing of Customer Data.

6.2. Upon request by Customer, Bridgit shall make available once per year to Customer all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer to assess compliance with this Addendum. Customer may provide Bridgit with an audit report. Bridgit shall, at its sole cost and expense, prepare a corrective action plan to fully address any deficiencies identified in the audit report. Bridgit shall, at its sole expense, implement the action plan and promptly notify Customer when the deficiencies have been corrected. If Customer is subject to an audit or investigation by a governmental authority related to services and/or products provided by Bridgit under the Agreement, Bridgit shall provide, and cause any applicable Sub-processors to provide, access to the information necessary to fully cooperate with such governmental authority. If Customer is subject to an audit or investigation by a governmental authority related to services and/or products provided by Bridgit under the Agreement, Bridgit shall provide, and cause any applicable Sub-processors to provide, access to the information necessary to fully cooperate with such governmental authority.

7. Security Incidents

7.1. Notification. In the event that Bridgit becomes reasonably aware of any Security Incident, Bridgit will use good faith efforts to notify Customer of the Security Breach without undue delay after Bridgit becomes reasonably aware of the Security Breach. 

7.2. Bridgit’s notification of the Security Incident to Customer, to the extent known, shall include: (i) the nature of the Security Incident; (ii) the date and time upon which the Security Incident took place and was discovered; (iii) the number of Data Subjects affected by the Security Incident; (iv) the categories of Customer Data involved; and (v) a description of the likely consequences of the Security Incident.

7.3. Bridgit shall make no public announcement or communications to any third party regarding such Security Incident without Customer’s prior written approval, unless such communication is required by Applicable Data Protection Law.

8. General Terms

8.1. Assignment. Neither Bridgit nor the Customer shall be entitled to assign its rights or benefits and/or transfer its obligations or burdens under this Addendum or any other agreement under which the Personal Data are or are to be Processed in each case, either in whole or in part.

8.2. Entire Agreement. This Addendum, its Annex, and the Platform Terms of Service constitute the entire understanding and agreement of the Parties in relation to the Processing of the Personal Data and supersede all prior agreements, discussions, negotiations, arrangements and understandings of the Parties and/or their representatives in relation to such Processing. However, nothing in this Addendum shall exclude or limit either Party’s liability for fraudulent misrepresentation in relation to this Addendum whether occurring before or after the effective date of the Platform Terms of Service.

8.3. Expiration or Termination. Upon expiration or termination of the Agreement for any reason, Bridgit’s obligations under this Addendum in relation to the Processing of Customer Data shall continue for as long as Bridgit has access to Customer Data. Termination or expiration of this Addendum shall not discharge the Bridgit (and its Sub-Processor(s)) from obligations meant to survive the termination or expiration of the Agreement.

8.4. Governing Law. This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.

8.5. Severability. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

8.6. Waiver. Delay in exercising, or failure to exercise, any right or remedy in connection with this Addendum will not operate as a waiver of that right or remedy.

8.7. Liability. Bridgit’s liability in connection with this Addendum shall be capped and limited in accordance with the lessor of Two Million ($2,000,000) USD or the provisions of the Platform Terms of Service. Such provisions shall operate, apply and be construed as establishing a single cap on Bridgit’s liability that applies both to Bridgit’s liability under the Platform Terms of Service and to its liability under this Addendum.

8.8. Changes to Terms. Should a change in Applicable Data Protection Law require a variation to this Addendum, the Parties shall agree to discuss and negotiate in good faith the necessary variation to remain compliant with the said Applicable Data Protection Law.

8.9. Signatures. This Addendum is governed by the Platform Terms of Service to which this Addendum is attached. The signatures on the Platform Terms of Service are hereby incorporated by reference and shall apply to this Addendum as if they were directly executed herein. No additional signatures are required for the validity or enforceability of this Addendum.

Annex 1 – Description of Processing Activities

This Annex forms part of the Addendum and describes the basic nature and scope of Personal Data processing carried out by Bridgit on behalf of Customer under and/or in connection with the Agreement.

1. Purpose(s) for which Bridgit will process Personal Data: Bridgit is a software supplier and has been contracted to support the Customer on the carrying out of resource management activities, as instructed from time to time. This includes setting up personal profiles in order to access and use Bridgit platform. Bridgit uses aggregated data and system usage, analytics and diagnostic information to monitor and improve the Platform and for the creation of new products. All data collected, used by Bridgit will be for internal use only and will be in aggregate, anonymized and/or de-identified form only and will not identify Customer, Customer Users, Customer Data, Personal Data, or any third parties utilizing the Platform.

2. Categories of Personal Data that may be accessed and/or will be processed pursuant to the Agreement: Name, email addresses, location, contact details, ID proof, employment experience details, salary, user and log in details.

3. Special Categories of Personal Data that may be accessed and/or will be processed pursuant to the Agreement: N/A

4. Categories of Data Subjects whose Personal Data may be accessed and/or will be processed pursuant to the Agreement: Customer employees

5. Retention Period: Personal data is stored for the duration of the Platform Terms of Service after which the personal data is erased by Bridgit.

6. How will Customer Data be shared with You: Customer will provide Bridgit with the Customer Data via email or by using the Egnyte platform or a similar platform for data transfer.  

7. Technical and Organizational Data Protection Measures: Bridgit shall adopt all those technical and organizational measures which, based on risk analysis, are considered necessary to guarantee an adequate level of security, considering the state of the technique and the cost of its application with respect to the risks and the nature of the Personal Data to be protected. These measures are described in ANNEX II – Security Measures.

Notwithstanding with the prior, Bridgit shall deploy the appropriate control mechanisms, organizational and technical, based on SSAE16 SOC 2 Type II standards. These mechanisms will be audited annually by an independent auditor hired by Bridgit, who will make available to the Customer the appropriate audit reports, from which Bridgit should implement the recommendations issued by it.

8. List of Authorized Sub-Processors: The Sub-processors authorized by the Customer are included at the following link: https://trust.gobridgit.com/subprocessors

9. Contact Details for Communications Regarding Data Protection Matters: The Parties agree that in order to deal with issues concerning the Processing of Personal Data, including for Bridgit to assist the Customer by providing information and for the Customer to provide further instructions: 

1. Bridgit shall send any communications to the Customer by email: the Customer’s Data Protection Officer: [insert Customer designated email address]; and
2. Customer shall communicate with the Bridgit by email: Bridgit’s Data Protection Officer dpo@gobridgit.com.

Annex 2 – Cross-Border Transfer Mechanism

1. Definitions

1. “EC” means the European Commission
2. “EEA” means the European Economic Area.
3. “EEA Data” means Data collected from data subjects when they are located in the EEA.
4. “Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for transferring personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCC”), and; (ii) where the UK GDPR applies the International Data Transfer Agreement A1.0 issued by the ICO (“UK IDTA”).
5. “UK Data” means Data collected from data subjects when they are located in the United Kingdom.

2. Cross-Border Data Transfer Mechanisms

1. Written Consent. Customer acknowledges and authorizes Bridgit to transfer, or participate in transfers of EEA Data and UK Data to other jurisdictions. Bridgit represents and warrants that any onward transfer of EEA Personal Data or UK Personal Data to a country that is not recognized by the European Commission as providing as adequate level of protection for Personal Data, as described by the EU GDPR and the UK GDPR, complies with applicable legal framework, to ensure the adequate level of security for the data transfer. Upon request, Bridgit shall share with Customer copies of its contracts with such Sub-Processors.
2. EEA Data. The parties agree that the Standard Contractual Clauses will apply to any Restricted Transfer of Customer Data from the EEA, either directly or via onward transfer. To the extent there is any conflict between the DPA and the applicable EU SCC in relation to the processing of EEA Personal Data, the terms of the EU SCC will prevail.  To the extent applicable, the Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
   1. Module Two (Controller to Processor) of the Standard Contractual Clauses, with Annexes I through VI, will apply where Customer is a Controller of Customer Data and Bridgit is Processing Customer Data. A copy of Module Two of the EU SCC can be found at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
   2. For Module Two, where applicable, the Parties agree that the following terms apply:
      1. in Clause 7, the optional docking clause will not apply;
      2. certification of deletion of Customer Data that is described in Clause 8.5 of the Standard Contractual Clauses shall be provided by Bridgit to Customer only upon Customer’s request;
      3. in Clause 9, Option 2 Use of Sub-Processors shall apply and the “time period” for prior notice of Sub-Processor changes will be as set forth in this EEA/ UK Addendum; 
      4. in Clause 11(a), Redress the optional language will not apply;
      5. in relation to Clause 13(a), see “i)” below;
      6. in Clause 17 (Option 1), the Standard Contractual Clauses will be governed by the law of Ireland;
      7. in Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

ANNEX I

Part A. LIST OF PARTIES (Annex 1.A. of the Standard Contractual Clauses) of the Standard Contractual Clauses is deemed completed with information set forth below:

Data exporter(s):

Name: Customer, as defined in the Agreement.

Address: Detailed in the Agreement.

Contact person’s name, position and contact details: The name, position, and contact details of the person signing the Agreement, on behalf of the Customer, to which these Clauses are attached.

Signature and date: These Clauses are governed by the Agreement to which these Clauses are attached. The signatures on the Agreement are hereby incorporated by reference and shall apply to these Clauses as if they were directly executed herein. No additional signatures are required for the validity or enforceability of these Clauses.

Role controller/processor): Controller

Data importer(s):

Name: Bridgit, as defined in the Agreement to which these Clauses are attached.

Address: Detailed in the Agreement to which these Clauses are attached.

Contact person’s name, position and contact details: Bridgit’s Data Protection Officer dpo@gobridgit.com.

Activities relevant to the data transferred under these Clauses: Fulfilment of the Services subject to the Agreement to which these Clauses are attached.

Signature and date: These Clauses are governed by the Parent Agreement to which these Clauses are attached. The signatures on the Parent Agreement are hereby incorporated by reference and shall apply to these Clauses as if they were directly executed herein. No additional signatures are required for the validity or enforceability of these Clauses.

Role (controller/processor): Processor

Part B. DESCRIPTION OF TRANSFER (Annex 1.B. of the Standard Contractual Clauses)

Categories of data subjects whose personal data is transferred

See Appendix 1 of the DPA.

Categories of personal data transferred

See Appendix 1 of the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

See Appendix 1 of the DPA.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

☐ One-off transfer ☒ Transfer on a continuous basis

Nature of the processing

See Appendix 1 of the DPA.

Purpose(s) of the data transfer and further processing

See Appendix 1 of the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

See Appendix 1 of the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

See Appendix 1 of the DPA.

Part C. COMPETENT SUPERVISORY AUTHORITY (Annex 1.C. of the Standard Contractual Clauses)

Identify the competent supervisory authority/ies in accordance with Clause 13.

Detailed in the Agreement.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Detailed in Annex 3 (Security Measures) of this DPA.

ANNEX III

LIST OF SUB-PROCESSORS

Detailed in the Agreement.

c. UK Data. If the processing of Customer Data involves a Restricted Transfer of UK Data, the Parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Addendum B1.0 issued by the ICO (“UK IDTA”), which can be found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. To the extent there is any conflict between this EEA/ UK Addendum and the UK IDTA in relation to the processing of UK Data, the terms of the UK IDTA will prevail. To the extent applicable, the UK IDTA will be deemed entered into (and incorporated into this EEA/ UK Addendum by this reference) and completed as follows:

1. Part 1: Tables

Table 1: Parties and Signatures.

Start date	Date of execution of the DPA to which this addendum is attached
The Parties	Exporter (who sends the Restricted Transfer)	Importer (who receives the Restricted Transfer)
Parties’ details	Full legal name: See Annex I of the EU SCCs herein.  Trading name (if different): N/A Main address (if a company registered address): See Annex I.A. of the EU SCCs herein. Official registration number (if any) (company number or similar identifier):	Full legal name: See Annex I of the EU SCCs herein. Trading name (if different): N/A  Main address (if a company registered address): See Annex I.A. of the EU SCCs herein. Official registration number (if any) (company number or similar identifier):
Key Contact	Full Name (optional): See Annex I.A. of the EU SCCs herein. Job Title: See Annex I.A. of the EU SCCs herein. Contact details including email: See Annex I.A. of the EU SCCs herein.	Full Name (optional): See Annex I.A. of the EU SCCs herein. Job Title: See Annex I.A. of the EU SCCs herein.  Contact details including email: See Annex I.A. of the EU SCCs herein.
Signature (if required for the purposes of Section ‎2)	N/A	N/A

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date:  19 July 2021 Reference (if any): N/A Other identifier (if any): N/A Or ☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: N/A

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties

Annex 1B: Description of Transfer

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data

Annex III: List of Sub processors (Modules 2 and 3 only)

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section ‎19: ☒ Importer ☒ Exporter ☐ neither Party

2. Part 2: Mandatory Clauses. Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

ANNEX 3 – SECURITY MEASURES

ORGANIZATIONAL CHART AND ALLOCATION OF FUNCTIONS

• Have an organization chart of assignments in the field of information security, including positions and functions attributed to each job position
• Have an access control procedure that includes, among others:
  • Management of entries/exits in the registry of users of the repositories of information, ensuring that a unique identifier is assigned to each user account and appropriate controls are maintained over them.
  • Management of rights and access credential assigned to users.
  • Password policy that contemplates a policy of secure keys in terms of validity and currency, generation of keys and usage guidelines.
  • Management of special access privileges according to the impact that may follow from the inadequate use of personal data.
  • Management of confidential information of authentication of users
  • Cancellation policy of access and credentials.
  • Criteria of minimum privilege to the access to the information.

MANAGEMENT OF MEDIA AND INFORMATION

• Carry out an inventory of media and asset management, including:
  • A record of asset ownership.
  • An internal policy of acceptable uses of assets
  • A return/replacement of assets policy
  • A record of allocation of assets to the staff in charge

PASSWORD MANAGEMENT PROCEDURE

• Have a procedure to manage user passwords. The password management policy must be designed by Bridgit, guaranteeing, in any case, an adequate efficiency to prevent unauthorized access. The password management policy may include, by way of illustration:
  • With specific terms of validity and currency that require updating of passwords.
  • Stablish a protocol of quality passwords (alphanumeric combinations, use of signs, minimum characters, etc.).
  • Stablish a protocol of quality passwords (alphanumeric combinations, use of signs, minimum characters, etc.).
  • With the ability to monitor possible security breaches or unauthorized access, identifying elements such as equipment, number of attempts, time and date access.
  • Have a policy of maximum attempts and implement contrast passwords, recovery or modification (security words, questionnaires, security questions…). Allow users to select and change their own passwords and include a confirmation procedure that takes input errors into account.
  • Passwords should be encrypted and stored irreversibly

TEMPORARY FILES

• Temporary files shall only be created when necessary for the performance of temporary or ancillary work. Once the work that justified the creation of the file is finished, the file must be destroyed.

BACKUPS AND RESILIENCE

• Have a backup procedure to ensure the making of necessary copies, depending on the availability needs identified by the business area in each case.
• Have an IT Service Continuity Plan covering all IT systems and components that process personal data, including other locations and data processing centers.

DESTRUCTION OF DOCUMENTS

• Have a procedure for secure destruction of information that:
  • Make use of the physical and logical measures necessary to guarantee the irrecoverability of the destroyed documentation.
  • Prevent documents or electronic media containing personal data from being discarded without guaranteeing their destruction.

COMPUTER THREATS

• About updating computers and devices: The devices and computers used for the storage and processing of personal data must be kept up to date.
• Prevention against malware: Computers and devices where the automated processing of personal data is carried out will have a system of protection against malware that guarantees as far as possible the theft and destruction of information and personal data. The system must be updated periodically.
• List of security elements: Security elements, such as firewalls, ids/ips, etc., must be in place to ensure the protection of the storage and/or processing of personal data.

DATA ENCRYPTION

• When it is necessary to extract personal data outside the premises where it is processed, either by physical means or by electronic means, the possibility of using an encryption method to guarantee the confidentiality of personal data in the event of improper access to the information should be considered.

MANAGEMENT OF SECURITY INCIDENTS AND SECURITY BREACHES

• Bridgit shall establish, within the context of the service provided, a formal incident and security breach management procedure to (a) respond to situations, intentional and unintentional, that may result or result in a loss or breach of confidentiality, integrity or availability of the information assets of the Customer, (b) minimize the impact of incidents on those assets and (c) comply with applicable data protection regulations.
• Any security incident, whether satisfactory (resulting in a loss or breach of the confidentiality, integrity or availability of the information assets of the Customer) or unsatisfactory (not resulting in a loss or breach of the confidentiality, integrity or availability of the information assets of the Customer), must be reported to the Customer; the former as a matter of urgency; the latter periodically.