AMENDMENT #1
To the Software License and Hosting Services Agreement
This amendment (“Amendment #1”), with an effective date of December 1, 2014 (“Amendment #1 Effective Date”), is hereby made to the Software License and Hosting Services Agreement, having an Effective Date of November 19, 2013 (the “Agreement”) between Covisint Corporation (“Licensor” or “Covisint”) and Cisco Systems, Inc. (“Cisco”). By way of this Amendment #1, the following modifications shall be made to the Agreement:
I.
The following definitions are hereby added to Section 1 of the Agreement:
1.30
“Covisint Cloud Data Exchange Service” means the hosted Licensor service that provides cloud data exchange, integration broker, cloud service bus capabilities that allows for routing, delivery, translation, publishing, subscription, archiving and retrieval of messages, service interfaces and API’s based on a central messaging hub and global protocol support that supports message tracking and trading partner management, any-to-any data transformation, and a range of standard and custom connectivity options.
II.
Attachments 1 and 2 to Exhibit H to the Agreement are hereby deleted and replaced in their entirety, as attached to this Amendment #1.
III.
Attachment 4 to Exhibit H is hereby added to the Agreement, as attached to this Amendment #1.
IV.
Exhibit I is hereby added to the Agreement, as attached to this Amendment #1.
V.
All remaining and unmodified terms and conditions in the Agreement shall continue on in full force and effect.
IN WITNESS WHEREOF, the parties have caused this Amendment #1 to be executed, which may be in duplicate counterparts, each of which will be deemed to be an original instrument.
Covisint Corporation
By: /s/ Joel Kremke
Printed Name: Joel Kremke
Title: SVP
Date: February 5, 2015

Cisco Systems, Inc.
By: /s/ John Morrell
Printed Name: John Morrell
Title: Senior Director
Date: February 5, 2015
Copyright 2014 Covisint Corporation. Confidential and Proprietary. All Rights Reserved.
CERTAIN CONFIDENTIAL PORTIONS OF THIS EXHIBIT WERE OMITTED AND REPLACED WITH “***”. A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION PURSUANT TO AN APPLICATION FOR CONFIDENTIAL TREATMENT.
ATTACHMENT 1 TO EXHIBIT H
DESCRIPTION OF HOSTING SERVICES
2.0 THE LICENSOR SERVICE
The Hosting Service includes:
• high-speed Internet connection
• all required software and all required third-party software
• system administration and operations
• system and data backups and backup storage
3.0 MAINTENANCE AND SUPPORT
Licensor will perform the following technical support and maintenance services at no additional cost:
• Operation and maintenance of Hosting Services;
• Service Level management;
• Scheduled and unscheduled maintenance;
• Change Request management;
• Backup and disaster recovery;
• Covisint service desk support;
ATTACHMENT 2 TO EXHIBIT H
FEES
Licensor shall issue invoices to Cisco for all fees due under this Exhibit. All Fees shall be subject to acceptance by Cisco. The Licensor Fees, Setup Service Fees and Monthly Support Fees shall be invoiced as due according to the schedule set forth in Attachment 1 to Exhibit H.
* * *
Item # | Product/Service Description | Price
1.0 | Cisco Exchange Portal |
1.01 | Cisco Exchange Portal Setup | ***
1.02 | Cisco Exchange Portal Recurring Subscription *** | ***
1.03 | Additional End Users *** | ***
1.04 | Catalog SSO Application Setup | ***
1.05 | Non-Catalog SSO Application Setup | ***
1.06 | SSO Application Recurring Subscription | ***
1.07 | Additional Covisint IDBridge (see Exhibit A, Section 5) |
1.08 | End Point Integration Setup | ***
1.09 | End Point Integration Recurring Subscription | ***
1.10 | End Point Throughput Subscription per Cisco Customer | ***
***
***
***
***
***
***
***
ATTACHMENT 4 TO EXHIBIT H
DEFINITIONS
For this Agreement, the following capitalized terms not defined herein have the meanings set forth below:
“API” means application programming interface.
“Authentication” means the action performed by the system to determine the identity of an End User by collecting End User credentials, validating the correct entry of End User credentials against the End User registry, and producing a success or failure response.
“Data Source” means an entity from which a specific set of data is obtained by Covisint via a single internet connection, organized in a Covisint approved format.
“End Point” means one (1) IDP or one (1) SP or a single application, data source that is configured to send data to and/or from Covisint Cloud Data Exchange Services.
“Identity Provider” or "IDP" means an entity that performs the Authentication of an End User's Identity and provides the appropriate Authentication statements to downstream systems and/or Service Providers asserting that the End User did authenticate to the IDP at a particular time, using a particular method of Authentication.
“Identity” means the minimum set of data required to create a unique record in Covisint Cloud Identity Service representing one (1) End User and the credentials required to authenticate that End User.
“Service Provider” or “SP” means an entity that provides subscription or web services to other entities.
EXHIBIT I
Personal Data Transfer Agreement (Processor - Sub-processor)
This Personal Data Transfer Agreement (this “Agreement”) is made and entered into as of July 24, 2014.
Between:
(1) Cisco Systems, Inc. in representation of all the Cisco Affiliates, hereinafter “Data Processors”;
(2) Covisint Corporation, hereinafter “Sub-processors”;
Whereas
(1)
Data Processor enters into contractual agreements with its customers established in the EEA (hereinafter the “Customer” or the “Customers” or the “Data Controller”) for the provision of Cisco products and services and in providing such services, including data processing agreements providing the instructions for the Data Processor to abide by when processing personal data on behalf of Customer, Data Processors may involve Sub-processors to perform part of the services to Customers;
(2)
In providing Cisco products and services, Data Processor may have access to personal data belonging to Customers’ end users and transfer them outside the EEA area to Sub-processors to make them carry out part of the service, and in order to secure such transfer Customers request Data Processor to enter into Standard Model Clauses (hereinafter “EUMC”) for the purposes of Article 26(2) of the Directive 95/46/EC (hereinafter the “Directive”) “for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection” and under the EUMC, Data Processor is appointed, as data importer;
(3)
According to the EUMC between Data Processor and Customers, when personal data are processed in countries not ensuring adequate level of protections, companies established in such countries and processing personal data on behalf of the Data Processor are obliged to respect the terms and conditions set forth under these clauses as Sub-processors.
Now, therefore, the Parties hereto agree as follows:
Definitions
(a)
"personal data", "special categories of data/sensitive data", "process/processing", "controller", "processor", "data subject" and "supervisory authority/authority" shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby "the authority" shall mean the competent data protection authority in the territory in which the data exporter is established), under this Agreement data subjects are Customers’ end users;
(b) "the data exporter" shall mean the controller who transfers the personal data, under this Agreement data exporters are the Customers;
(c)
"the data importer" shall mean the processor who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country's system ensuring adequate protection, under this Agreement data importers are the Data Processors;
(d)
“the sub-processor” means any processor engaged by the data importer or by any other sub-processor of the data importer and who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for the processing activities to be carried out on behalf of the data exporter after the transfer in accordance with the data exporter's instructions, the standard contractual clauses set out in the Annex C, and the terms of the written contract for sub-processing, under this Agreement sub-processors are all the entities listed in Annex B.
1.1 This Agreement is entered into by and between Data Processor and Sub-processor to provide adequate protection for Customers’ end users’ personal data transferred by the Data Processor to Sub-processor in order to carry out part of the services requested by Customers, which may include without limitation (a) customer service activities, such as processing orders, providing technical support and improving offerings, (b) sales and marketing activities as permissible under applicable law, (c) consulting, professional, security, storage, hosting and other services delivered to Customers, including services offered by means of the products and solutions described at www.cisco.com, and (d) internal business processes and management, fraud detection and prevention, and compliance with governmental, legislative and regulatory bodies (collectively, “Cisco Services”). In particular the parties to this Agreement agree that Sub-processors in providing such services to Customers shall abide by the terms and conditions provided for the data importer in the EUMC and theirs Appendixes duly incorporated in this Agreement as Annex A into which Data Processor will enter with their Customers every time:
(a)
Data Processor is providing a service which entails processing Customers’ End Users’ personal data; and
(b)
In order to provide such service Customers’ End Users’ personal data shall be transferred to one of the Sub-processors
1.2 Where a Cisco entity located within the EEA has signed the processing agreement with Customer, and such Cisco entity is acting as data exporter on behalf of Customer (by power of attorney or agency agreement or otherwise), this Agreement shall be considered as entered by and between such Cisco entity (acting as data exporter) and the Sub-processors.
2.
Obligation on processing of personal data.
2.1 The Sub-processors shall process Customers’ end users’ personal data according to the instructions included herein and in Annex A, using its data processing facilities for the purposes described in the Recitals of this Agreement and in Clause 1.1.
2.2 In particular, Sub-processor warrants and undertakes that:
(a)
it will follow the instructions contained in Appendix 1 of the EUMC included in Annex A concerning the types of processing allowed;
(b)
it will implement the appropriate technical and organizational measures provided in Appendix 2 of the EUMC included in Annex A to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access;
(c)
it will promptly notify the Data Processor:
i.
any legal binding request for disclosure of personal data by law enforcement authority unless otherwise prohibited under relevant law in order to maintain the necessary confidentiality of a law enforcement investigation;
ii.
any accidental or unauthorized access to personal data and any other breach which caused loss or alteration of personal data; and
iii.
any request received directly from Customers’ end users without responding to such request directly;
(d)
it will inform the Data Processor about all the inquiries received directly by Customers;
(e)
upon reasonable request of the Customers, it will submit their data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by Customers (or any independent or impartial inspection agents or auditors, selected with the agreement of Customers and, when applicable with the supervisory authority) to ascertain compliance with the warranties and undertakings in these clauses and the Annex A, with reasonable notice and during regular business hours.
2.3 Sub-processor has no reason to believe, at the time of entering into this Agreement, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses and Annex A and in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Agreement, the interested Sub-processor will promptly notify the change of legislation to the Data Processor as soon as the Sub-processor is aware, in which case the Data Processor is entitled to suspend the access to the personal data to the interested Sub-processor.
2.4 At the request of the Customers and/or Data Processor, Sub-processor will provide the Customers with evidence of financial resources sufficient to fulfil its responsibilities under clause 3;
2.5 Upon termination of the provision of services provided to Customers under which Data Processor and Sub-processor process Customers’ End Users’ personal data, Data Processor will inform Sub-processors with a reasonable notice to destroy or return the personal data received and certify Data Processor that it has been done, so that they will pass the information to Customers, unless legislation imposed on any of Sub-processor prevents it from returning or destroying all or part of the personal data transferred. In that case, the Sub-processor warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2.6 In the event that Customer requires the fulfillment of additional obligations to those set forth herein mandatory under applicable law, Data Processor will communicate to the Sub-processor such obligations.
3.
Liability and third party rights
3.1 Sub-processor shall be liable to the Data Processor of any damages caused by the breach of third party rights under these clauses. Data Processor shall be liable to the Customers and Customers’ end users for damages any of the parties causes by any breach of third party rights under these clauses. This does not affect the liability of the Customers as data exporter under its data protection law.
3.2 Sub-processor agrees that where Customers and the Data Processor have factually disappeared or ceased to exist in law, then
a. Customers’ end users can enforce against the Sub-processors Clause 1 and 2 and Annex A;
b. Customers’ end users who suffered damages as a result of any violation of the provisions of Clause 1 and 2 and Annex A by the Sub-processor are entitled to receive compensation from the Sub-processor.
3.3 Sub-processor agrees that if Customers’ end users invoke against them third-party beneficiary rights and/or claims compensation for damages under the Clauses, Sub-processor will accept the decision of Customers’ end users to:
a)
refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
b)
refer the dispute to the courts in the Member State in which the Customer is established.
3.4 Sub-processor agrees that the choice made by the Customers’ end users will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
4.
Law applicable to the clauses
4.1 These clauses shall be governed by the law of the country in which Customer is established.
5.
Resolution of disputes with Customers’ end users or the authority
5.2 In the event of a dispute or claim brought by Customers’ end users or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
5.3 The parties agree to respond to any generally available non-binding mediation procedure initiated by Customers’ end user or by the authority. The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
5.4 Each party shall abide by a decision of a competent court of the Customers’ country of establishment or of the authority which is final and against which no further appeal is possible.
6.1 In the event that Sub-processor is in breach of its obligations under these clauses and Annex A, then the Customers may temporarily suspend the transfer of personal data to Sub-processor until the breach is repaired or the contract is terminated.
6.2 The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause 5.2) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
7.
Variation of these clauses
7.1 The parties may not modify these clauses except with appropriate notice to and consent of relevant Customers and competent authorities, where required. This does not preclude the parties from adding additional commercial clauses where required.
8.1 Sub-processor agrees that Appendix 1 and 2 of Annex A may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause 2.
8.2 These clauses together with the Annex A constitute the entire agreement and understanding of the parties and supersede any prior agreement or understanding between the parties in respect of the transfer of personal data for the purposes specified in Annex A.
Annex A
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation: Cisco, Inc.
Address: 170 West Tasman Drive, San Jose, CA 95134
Tel.: 1-408-526-4000 ; fax: ; e-mail:
Other information needed to identify the organisation
……………………………………………………………
(the data exporter)
And
Name of the data importing organisation: Covisint Corporation
Address: One Campus Martius, Suite 700, Detroit, MI 48226
Tel.: 1-313-961-4100 ; fax: ; e-mail:
Other information needed to identify the organisation:
…………………………………………………………………
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a)
'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b)
'the data exporter' means the controller who transfers the personal data;
(c)
'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d)
'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e)
'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f)
'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1.
The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2.
The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.
The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4.
The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a)
that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b)
that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c)
that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d)
that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e)
that it will ensure compliance with the security measures;
(f)
that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g)
to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h)
to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i)
that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j)
that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a)
to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b)
that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c)
that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d)
that it will promptly notify the data exporter about:
(i)
any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii)
any accidental or unauthorised access, and
(iii)
any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e)
to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f)
at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g)
to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h)
that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i)
that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j)
to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1.
The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3.
If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1.
The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a)
to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b)
to refer the dispute to the courts in the Member State in which the data exporter is established.
2.
The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1.
The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2.
The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely England.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1.
The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2.
The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely England.
4.
The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1.
The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2.
The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full): John Morrell
Position: Senior Director
Address: 10 West Tasman Drive
Other information necessary in order for the contract to be binding (if any):
Signature: /s/ John Morrell
(stamp of organisation)
On behalf of the data importer:
Name (written out in full): Joel Kremke
Position: SVP
Address: 1 Campus Martius, Detroit, MI 48226
Other information necessary in order for the contract to be binding (if any):
Signature: /s/ Joel Kremke
(stamp of organisation)
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
Cisco Systems, Inc. in representation of all the Cisco affiliates. Activities relevant to the transfer include the performance of Cisco Services for Customers.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
Covisint Corporation. Hosting of Software for Cisco’s use, which may include direct or indirect access or use by Cisco End Users. Activities relevant to the transfer include the performance of Services for Cisco.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
Employees, contractors, business partners, representatives and end customers of Customers, and other individuals whose personal data is collected by or on behalf of Customers and delivered to a Data Processor as part of the Cisco Services.
Categories of data
The personal data transferred concern the following categories of data (please specify):
Data related directly or indirectly to the delivery of Cisco Services, including online and offline Customer, prospect, partner and supplier data, and data provided by Customers in connection with the resolution of support requests.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union memberships, and data concerning health or sex life, and data relating to offenses, criminal convictions or security measures.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
The personal data transferred will be subject to the following basic processing activities, as may be further set forth in contractual agreements entered into from time to time between the Data Processors and Customers: (a) customer service activities, such as processing orders, providing technical support and improving offerings, (b) sales and marketing activities as permissible under applicable law, (c) consulting, professional, security, storage, hosting and other services delivered to Customers, including services offered by means of the products and solutions described at www.cisco.com, and (d) internal business processes and management, fraud detection and prevention, and compliance with governmental, legislative and regulatory bodies.
DATA EXPORTER
Name: John Morrell
Authorised Signature: /s/ John Morrell
DATA IMPORTER
Name: Joel Kremke
Authorised Signature: /s/ Joel Kremke
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
1.
Data Protection Executives; Notices. The following executives are responsible for the obligations set forth on this Appendix 2:
Cisco Data Protection Executive:
Sub-processor Data Protection Executive: Jenny Heinze
Any notices under this Appendix or the underlying agreement regarding obligations related to the Customer personal data (“Agreement”) should be communicated as follows:
a.
communications regarding the day-to-day obligations should be communicated in writing via email or other written notice to each of the Data Protection Executives, and
b.
communications regarding any proposed changes to the terms of this Appendix or the terms of a party’s Customer personal data obligations under the Agreement should be directed as required under the notice provisions of the Agreement with copies provided to the Data Protection Executives. No such changes will modify this Appendix or the Agreement unless agreed by the parties pursuant to the appropriate change management procedure under the Agreement.
2.
General Security Practices
2.1 ***
3.
Technical and Organizational Security Measures
3.1 Organization of Information Security
***
3.2 Human Resources Security
***
3.3 Asset Management
***
3.4 Personnel Access Controls
***
3.5 Cryptography
***
3.6 Physical and Environmental Security
***
3.7 Operations Security
***
3.8 Communications Security and Data Transfer
***
3.9 System Acquisition, Development and Maintenance
***
3.10 Supplier Relationships
***
3.11 Information Security Incident Management
***
3.12 Information Security Aspects of Business Continuity Management
***
4. The security measures described in this Appendix 2 are in addition to any confidentiality obligations contained in any other agreement related to the Services between Data Processor and Customer with respect to Customer personal data. In the event of a conflict between the terms of such other agreement and this Appendix 2, the terms of this Appendix 2 shall control.
DATA EXPORTER
Name:
Authorised Signature:
DATA IMPORTER
Name:
Authorised Signature: