Privacy and Data Security Requirements

A- General  

The Privacy and Data Security Requirements supplement the Agreement and set out the terms that apply to the collection, use and disclosure of Personal Information when Personal Information is:

  1. collected by Customer (as the Controller, as defined under the applicable privacy laws), for such Personal Information to be disclosed to AMILIA in connection with the Services and used by Amilia as necessary for the performance of the Services; and/or
  2. processed by AMILIA (as the Processor, as defined under relevant applicable privacy laws) in connection with the Services.

Capitalized terms not defined in this Schedule shall have the meaning defined in the Agreement.

Representations and warranties:  

  1. Each party represents and warrants that it shall not disclose, sell, share or otherwise make available any Personal Information to any third party, unless made i) in accordance with this Agreement, or ii) in accordance with written consent obtained from End-Users.  
  2. If Customer collects Personal Information in connection with the Services, on behalf of Amilia and as required for the performance of the Services (including for data migration purposes in connection with the Services), Customer shall:
    1. collect, use, copy, process and disclose Personal Information only to the extent and in such manner as is specified in the Agreement, as is reasonably required to carry out the Services, and/or in accordance with Amilia’s reasonable instructions from time to time, and at all times, in full compliance with Applicable Laws;
    2. obtain express consent of End-Users in accordance with Applicable Laws (and provide required privacy notices as applicable) prior to disclosing such Personal Information to AMILIA, for use and Processing of their Personal Information on behalf of Customer in connection with the Services;
    3. collect only the minimum Personal Information required for AMILIA to perform the Services and at all times maintain the confidentiality of Personal Information;
    4. ensure that all reasonable and appropriate, organizational and technological safeguards are in place to protect Personal Information from loss, theft, or unauthorized use, access, disclosure, processing, copying, alteration, or destruction, including, without limitation, as appropriate:
      • access controls and data integrity controls, including regular testing and auditing of safeguards and controls;
      • disaster recovery plan, which meets or exceeds industry standards;
    5. secure retention and disposal policies and procedures; and
    6. provide, at Amilia’s request, a copy of all Personal Information held by Customer and provide reasonable cooperation, in relation to any third-party complaint or request by an individual to have access to that person’s Personal Information;
  3. Each party shall restrict access to Personal Information solely to its employees, representatives, and subcontractors who: (a) have a need to know the Personal Information and (b) are subject to confidentiality obligations similar to obligations set forth in the Agreement;
  4. Each party shall notify the other party of any request by any government or government agency for access to Personal Information, to the extent permitted by Applicable Laws; and
  5. In the event of any reasonably suspected or confirmed Data Breach, each party shall (a) promptly notify the other party in writing (in accordance with the procedure set forth below) and shall furnish the other party with full details whether such Data Breach involved Personal Information; and (b) take all reasonable appropriate steps, to promptly contain, mitigate and remediate any Data Breach, including without limitation, taking corrective action as reasonably requested to prevent or minimize damage and prevent any such future occurrences.
  6. Each Party’s liability for obligations governed by this Schedule shall be subject to the limitations set out in the Agreement. Without limiting the foregoing, or Section 8.3 of the Agreement, Customer shall indemnify, defend and hold harmless AMILIA and its affiliates from and against any third-party claims, regulatory fines and Losses arising out of or relating to (i) Customer’s failure to obtain or maintain the appropriate consents, lawful basis or notices required for AMILIA’s Processing of Personal Information; (ii) instructions provided by Customer that would not be compliant with Applicable Laws; or (iii) the accuracy, quality or legality of Personal Information provided by or on behalf of Customer. 

B- Notification Procedures

1. Each Party will notify promptly the other Party in writing immediately, but in no case longer than 72 hours after it becomes aware of any confirmed Data Breach (including any Data Breach giving rise to a real risk of significant harm to an individual) relating to the other Party's customers and the corrective action taken or to be taken by the other Party. Each Party will promptly take all necessary corrective actions (and will cooperate with the other Party in all commercially reasonable efforts) to prevent, mitigate, rectify or remediate such Data Breach including providing reasonably necessary information to enable the Party to comply with its notification and disclosure obligations under Applicable Laws.

2. Each Party will exercise the necessary and appropriate supervision over its applicable Personnel to maintain appropriate privacy, confidentiality and security of Personal Information.

3. Each Party will notify the other party immediately in writing of any of the following, to the extent they pertain to Personal Information for which it is responsible: (a) inquiry received from any individual relating to, among other things, the individual's right to access, modify or correct Personal Information; (b) complaints received relating to the Processing of Personal Information; (c) order, demand, warrant or any other document purporting to compel the production of Personal Information; (d) notice from any governmental authority alleging failure to comply with Privacy Laws in connection with the Agreement.  

4. In the event AMILIA learns that a Data Breach has occurred, AMILIA shall:  

  1. provide immediate written notice to Customer, and in any event not later than 72 hours, via email and promptly investigate the Data Breach.  
  2. obtain written consent from Customer not to be unreasonably withheld, prior to disclosing Confidential Information to any third party in connection with the Data Breach, except that no such consent shall be required for disclosures (i) to AMILIA’s legal, insurance, forensic, audit or other professional advisors under duties of confidentiality, (ii) to AMILIA’s sub-processors or service providers involved in investigating or remediating the Data Breach, or (iii) as required by Applicable Laws or by any competent regulatory authority.  
  3. to the extent required by Applicable Laws, notify the individuals whose information was disclosed that a Data Breach has occurred.  
  4. provide all proposed third-party notification materials to Customer for review and approval prior to distribution, which consent shall not be unreasonably withheld.

5. In the event Customer learns that a Data Breach has occurred, Customer shall:

  1. provide immediate written notice to AMILIA, and in any event not later than 72 hours via email to privacy@amilia.com and promptly investigate the Data Breach.  
  2. obtain written consent from AMILIA, not to be unreasonably withheld, prior to disclosing any Confidential Information to any third party in connection with the Data Breach.  
  3. to the extent required by law, notify the individuals whose information was disclosed that a Data Breach has occurred.  
  4. provide all proposed third-party notification materials to AMILIA for review and approval prior to distribution, which consent shall not be unreasonably withheld.