Achieved Terms & conditions

 

latest update: 15/06/2019

Between you (referred to hereinafter as “the Subscriber”) and ACHIEVED, having its registered administrative offices in Belgium, enterprise VAT number: BE 0669 989 292, referred to hereinafter as ”Achieved”,

Referred to hereinafter individually as a “Party”, or jointly as the “Parties”,

It has been agreed as follows:

1.   DEFINITIONS

Account

all User accounts created by or on behalf of the Subscriber within a Usage plan.

Activate / Activation

the action by Achieved to make Seat(s) operational for the Subscriber.

Activation Date

the date of Activation of the Seat(s) by Achieved.

Affiliate

as regard to the Subscriber, means any entity which is directly or indirectly controlled by the Subscriber, and any other subsidiary (i.e. non-controlled) provided that both Parties agree in writing to include it in the scope of the Agreement.

Agreement

the current document, including its appendices.

Article

unless specified otherwise, it refers to an article of the Agreement.

Beta Services

a product, service or functionality provided by Achieved that may be made available to the Subscriber to try, which is clearly designated as beta, pilot, limited release, non-production, early access, evaluation, labs or by a similar description.

Billing Area

the place where the Subscriber finds all data of its account, including the payments and invoices, the current terms and conditions, etc.

Confidential Information

all information (whether commercial, financial, technical or otherwise) relating to a Party, its subcontractors, other customers and suppliers, disclosed to or otherwise obtained by the other Party under or in connection with the Agreement and which is either designated as being confidential, or which is by its nature clearly confidential.

Documentation

any written or electronic documentation, image, video, text or sound specifying the functionalities of the Service or describing Usage plans, as applicable, provided or made available by Achieved to the Subscriber.

Official Notice

shall have the meaning given to it in the Agreement under Article 18.

Order Form

any Achieved generated service order form executed or approved by the Subscriber with respect to its subscription to the Service, which form may detail, among others the number of Users registered to the Service and the Usage plan applicable to the subscription.

Personal Data

has the meaning given to it by the General Data Protection Regulation 2016/679 and any other applicable personal data protection regulation.

Seat

any account Activated by Achieved and administered and managed by the Subscriber.

Service / Services

as described in the Usage plan.

It includes its underlying software, its Updates and any Documentation provided by Achieved to the Subscriber in connection therewith.

Usage plan

means the packaged usage plan(s) and the functionality and services associated therewith (as detailed in the Billing Area) for the Service selected by the Subscriber in the Order Form.

Subscriber

the person who executes and approves the Agreement, and administers the Seat(s).

Subscription Period

the basic duration of a Usage plan, as specified in the Order Form.

Updates

any new or modified features added to or reducing or augmenting or otherwise modifying the Service or other updates, modifications or enhancements to the Service.

User

any own employees, officers, directors or other members of the Subscriber’s personnel, and of its service providers, partners or customers, whom the Subscriber has authorized to use the Service by giving an access through a Seat, identified through a unique login.

User Data

any electronic data, text, messages or other materials submitted to the Services by the Subscriber and/or by Users, including, without limitation, Personal Data.

 

 

 

 

 

2.   SERVICES, SERVICE LEVELS, UPDATES, CONNECTIVITY, DOMAIN NAMES

As from the Activation Date and subject to all terms and conditions of the Agreement, all Seats of the Subscriber will be subject to the same Usage plan.

SERVICE LEVELS

The service level corresponding to the Usage plan is specified in the Usage plan specification.

UPDATES

Achieved reserves the right to at any time deploy Updates, subject to the provisions of the Agreement.

CONNECTIVITY

A high-speed Internet connection is required for the proper transmission of the Service.

The Subscriber is responsible (1) for procuring and maintaining the network connections that connect its network to the Service, including, but not limited to, “browser” software that supports protocols used by Achieved, including the Secure Socket Layer (SSL) protocol or other protocols accepted by Achieved, and (2) to follow the procedures for accessing services that support such protocols.

Achieved is not responsible for notifying Users of any upgrades, fixes or enhancements to any such software or for any compromise of data, including the User Data, transmitted across computer networks or telecommunications facilities (including but not limited to the Internet) which are not owned, operated or controlled by Achieved.

Achieved assumes no responsibility for the reliability or performance of any connections as described in this clause.

3.   BETA SERVICES

From time to time, Achieved may make Beta Services available to the Subscriber and the Subscriber may choose to try such Beta Services in its sole discretion.

Beta Services are intended for evaluation purposes and not for production use, are not supported, and may be subject to additional terms.

Beta Services are not considered as “Services” under the Agreement; however, all restrictions, Achieved’s reservation of rights and the Subscriber obligations concerning the Service shall apply equally to the use of Beta Services.

Unless otherwise stated, any Beta Services trial period will expire upon the earlier of one (1) year from the trial start date or the date that a version of the Beta Services becomes generally available without the applicable Beta Services designation.

Achieved reserves the right to discontinue Beta Services at any time at its sole discretion, or never make them available in production.

Achieved will have no liability for any harm or damage arising out of or in connection with the use of a Beta Service.

4.   SEATS

The Subscriber takes all responsibility for the creation, administration and management of the Seats. Each Seat is strictly personal to the User associated therewith and may only be used by that individual person.

The Subscriber shall inform Achieved promptly if it becomes aware of any suspected, unauthorized or prohibited use of a Seat, User password, or of the Service.

5.   PROMOTIONAL CREDITS POLICY

Achieved may, at its sole discretion, choose to offer credits for the Service in various ways, including but not limited to coupons or promotional campaigns (such as free trial).

Such credits

 have no monetary or cash value;

 can only be used by the Subscriber to offset subsequent payment of subscription fees for the Service specifically identified by Achieved on the credit voucher

 are non-transferable

 (unless specified otherwise) shall expire and no longer be redeemable after twelve (12) months from the date the credit was issued.

6.   SUBSCRIPTION PROCEDURES, TERM AND TERMINATION

REGISTRATION

To register, the Subscriber shall use an e-mail address.

If the Subscriber chooses to register via a third party account (i.e. Google sIgn-In), it must adhere to the authentication and rights of use set forth by such third party service. The Subscriber represents and warrants that it has the right and authority to access the Service via that e-mail address.

If the Subscriber accesses the Service with an e-mail address provided by its employer, the Subscriber confirms that it is permissible for it to use such e-mail address associated with its employer's domain and that its use of the Service shall be in compliance with its employer's terms and policies, as well as any third party service authentication and rights of use policies (i.e. Google sign-In). It is the Subscriber’s sole responsibility to check that its use of the Service is in conformance with its employer’s and/or e-mail provider’s access rights and data handling practices. Achieved cannot control, and is not responsible for, the practices or restrictions imposed by the Subscriber’s employer and/or e-mail provider surrounding its use of the Service.

SUBSCRIPTION USING PROMOTIONAL CREDITS

When the Subscriber uses promotional credits specified in Article 5, the subscription procedure consists in filling the appropriate Order Form, with the requested information and the selection of a Usage plan.

Before the end of the promotional credits period, the Subscriber may opt for a paying Subscription, as specified hereunder.

Under a promotional credit period, the Service will be available until the earlier of (1) the end of the promotional credits period; (2) the Activation start date of any paying subscription by the Subscriber; or (3) Achieved’s decision to terminate the promotional credits period, at its sole discretion.

At the end of the promotional credit period, unless a paying Subscription is initiated, Achieved will delete all Seats and all User Data.

PAYING SUBSCRIPTIONS

For an initial subscription, the Subscriber fills the Order Form with the requested information and the selected Usage plan, the number of Seats and the Subscription Period. The number of Seats selected will be Activated after the payment is processed by Achieved.

At the end of the Subscription Period, the subscription will be automatically renewed under the same Usage plan for the same Subscription Period and the same number of Seats, and the Subscriber will be charged with the corresponding fees.

At any time, the Subscriber may subscribe to additional Seats (under the same Usage plan) by filling an Order Form; the subscription fees for the additional Seats are calculated prorata temporis until the end of the current Subscription Period, and the Subscriber will be charged with the corresponding fees.

If the subscriber has opted to pay by credit card, he may, at any point in time, to reduce the number of Seats by filling an Order Form; there will be no refund of subscription fees. If the subscriber has opted to pay by invoice, the subscriber may elect reduce to reduce the number of Seats for the next subscription period by filling an Order Form at the latest three (3) calendar months before the end of the current Subscription Period.

If the subscriber has opted to pay by credit card, he may, at any point in time, to switch to another Usage plan for all current Seats; the additional subscription fees (as the case may be) are calculated prorata temporis until the end of the current Subscription Periods, and the Subscriber will be charged with the corresponding fees. In case of downgrading of Usage plan, there will be no refund of subscription fees. If the subscriber has opted to pay by invoice, the subscriber may elect to upgrade its Usage plan for all current Seats at any point in time by filling an Order Form. The additional subscription fees (as the case may be) are calculated prorata temporis until the end of the current Subscription Periods, and the Subscriber will be charged with the corresponding fees. If the subscriber has opted to pay by invoice, the subscriber may elect to downgrade its Usage plan for all current Seats for the next subscription period by filling an Order Form at the latest three (3) calendar months before the end of the current Subscription Period.

 

REVERSIBILITY

Except for the Subscriptions under promotional credits, before the end of the current Subscription Period, the Subscriber may ask for a copy of the User Data. Achieved will make such copy available to the Subscriber in a standard data format, at no additional charge.

EARLY TERMINATION

Before the expiration of the Subscription Period, either Party may elect to terminate the subscription at any time,  by providing an Official Notice to the other Party, taking into account the following notice period :

-   If the Subscriber has opted to pay by credit card : one (1) business day

-   If the Subscriber has opted to pay upon invoice : three (3) calendar months before the end of the current Subscription Period.

The Subscription will then terminate at the end of the current Subscription Period.

CONSEQUENCES OF TERMINATION

At the end of the current Subscription Period, unless a new paying Subscription Period is started, Achieved will delete all Seats and all User Data.

Upon termination due to unpaid invoices at the due date, Achieved will delete all Seats and all User Data corresponding to the unpaid invoice.

7.   SUBSCRIPTION FEES AND PAYMENT TERMS

The subscription fees for the selected Usage plan are specified in the Billing Area.

The subscription fees for the initial Subscription Period and each renewal, increase in the number of Seats, or upgrade of the Usage plan will be calculated based on Achieved’s then-current pricing as specified on the Achieved website, unless otherwise agreed to by the Parties in the applicable Order Form or otherwise in writing. In the Order Form, the Subscriber provides the requested information, selects a Usage plan, specifies the number of Seats, the Subscription Period and a method of payment.

If the Subscriber has opted to pay by credit card, the fees are immediately debited from the Subscriber credit card account specified in the Order Form.

If the Subscriber has opted to pay upon invoice, the invoice is due upon fifteen (15) days invoice date.

In all cases, an invoice is generated and put in the Subscriber Billing Area and an e-mail message is sent to the Subscriber’s address.

Unpaid invoices at the due date will result in the immediate cancellation and termination of the corresponding order.

All fees are committed amounts, and are non-cancelable and non-refundable.

Unless stated otherwise, all fees are exclusive of VAT (or any other tax).

8.   SUBSCRIBER OBLIGATIONS

THE SUBSCRIBER AGREES AND COMMITS THAT IT WILL

1.         use the Service only for its internal business purposes;

2.         comply with all applicable laws, including, without limitation, privacy laws, intellectual property laws, anti-spam laws, export control laws, tax laws, and regulatory requirements;

3.         use its real identity;

4.         use the Services in an ethical and professional manner;

5.         use a non-offensive domain name for the identification of its platform;

6.         take all responsibility for acquiring and maintaining all equipment (including services) necessary to allow the Subscriber and its Users to access and use the Service;

7.         take all responsibility and full liability for the use it (and each of its Users) makes of the Service and for the User Data each User stores under its Seat;

8.         ensure that each of its Users respects the rights (including intellectual property rights) of any third party in relation to such User Data and abides by all applicable laws when using the Service.

THE SUBSCRIBER AGREES AND COMMITS THAT IT WILL NOT

1.     license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Service available to any third party, other than the Users as expressly permitted by the Agreement;

2.     use the Service to process Personal Data on behalf of any third party other than the Users;

3.     use the Service to store or transmit files, materials, data, text, audio, video, images or other content that infringes on any person’s intellectual property rights;

4.         use or attempt to use the User Data in any other manner or for any use of the Services other than foreseen in the Agreement;

5.         create a false identity, misrepresent an identity, create a profile for anyone other than themselves, or use or attempt to use another’s Seat;

6.         develop, support or use software, devices, scripts, robots, or any other means or processes (including crawlers, browser plugins and add-ons, or any other technology) to scrape the Services or otherwise copy profiles and other data from the Services;

7.         override any security feature or bypass or circumvent any access;

8.         violate the intellectual property rights of others, including copyrights, patents, trademarks, trade secrets, or other proprietary rights;

9.         neither decompile, disassemble, analyze the Services source code, structure, algorithms or ideas underlying the Services (except to the extent expressly permitted by law), nor take any other action in derogation of Achieved’s intellectual property rights, nor develop a program or service having any functional attributes, functions or other features equal or similar to those of the Services, nor compete with Achieved;

10.  post anything that contains software viruses, worms, or any other harmful code;

11.  monitor the Services’ availability, performance or functionality for any competitive purpose;

12.  engage in “framing,” “mirroring,” or otherwise simulating the appearance or function of the Services;

13.  interfere with the operation of, or place an unreasonable load on, the Services (e.g., spam, denial of service attack, viruses, gaming algorithms, etc.);

14.  store any data that it is or should reasonably be aware of that they contain viruses, worms, Trojan horses or other harmful or malicious computer code or any data that are prohibited by law;

15.  undertake any acts that constitute computer criminality as determined by the applicable laws, nor interfere with nor disrupt the integrity or performance of the Service;

16.  (if the Subscriber is a direct competitor of Achieved,) access the Service for any purpose, except with Achieved’s prior written consent;

17.  attempt, now or in the future, to claim any rights in Achieved’s trademarks names and logos, degrade their distinctiveness, or use them to disparage or misrepresent Achieved, its services or products.

9.   ACHIEVED’S RIGHTS

Achieved reserves the right to refuse the registration of a Subscriber.

Achieved shall have the right to occasionally communicate to the Users some necessary information regarding updates, release notes, best practices and surveys, and the use, operation or maintenance of the Service.

Achieved reserves the right to modify, suspend or terminate the Service (or any part thereof), the subscription, or any Seat, and remove, disable and discard any of the User Data if Achieved has reasons to believe that the Subscriber has violated any provision of the Agreement. When taking any of the foregoing actions and unless legally prohibited from doing so, Achieved will use commercially reasonable efforts to notify the Subscriber via email.

Achieved accepts no liability whatsoever to the Subscriber or any other third party for any such modification, suspension or discontinuation of the Subscriber’s access and use of the Service.

Any suspected fraudulent, abusive, or illegal activity by the Subscriber may be referred to law enforcement authorities at Achieved’s sole discretion.

10. INTELLECTUAL PROPERTY RIGHTS

USER DATA

All User Data remains the property of the Subscriber. The Agreement does not transfer any rights on any User Data to Achieved.

INTELLECTUAL PROPERTY RIGHTS OF ACHIEVED

All rights, title and interest related to the Service and to all software used to provide the Service, including all related intellectual property rights, will remain with and belong exclusively to Achieved.

SUGGESTIONS AND FEEDBACK

Achieved shall have a worldwide, non-exclusive, perpetual, irrevocable, royalty-free license to use, share and incorporate into the Services any suggestion, enhancement request, recommendation, correction or other feedback provided by the Subscriber, for any purpose, without compensation.

TRADEMARKS

Achieved’s service names and logos used or displayed on the Service are trademarks; the Subscriber may only use such names and logos to identify itself as a Subscriber.

11. DATA PRIVACY AND SECURITY

DATA PROTECTION

Achieved will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of the User Data. These safeguards include encryption of the User Data in transmission (using SSL or similar technologies). Achieved’s compliance with the provisions of this clause shall be deemed compliant with Achieved’s obligations on confidentiality in Article 12.

ACHIEVED ACCESS TO SEATS AND INFORMATION

The Subscriber agrees that Achieved shall have the right to access the Seats and to use, modify, reproduce, distribute, display and disclose the User Data solely to the extent necessary to provide the Service, including, without limitation, in response to the Subscriber support requests. Any third party service provider called by Achieved will only be given access to the User Data as is reasonably necessary to provide the Service and will be subject to (a) confidentiality obligations which are commercially reasonable and substantially consistent with these provisions ; and (b) their agreement to comply with the data transfer restrictions applicable to Personal Data.

Achieved may also access or disclose information about Users, including the User Data, in order to (a) comply with the law or respond to lawful requests or legal process ; (b) protect Achieved’s or its customers’ or partners’ rights or property, including enforcement of the Agreement or other policies associated with the Service ; (c) act on a good faith belief that such disclosure is necessary to protect personal safety or avoid violation of applicable law or regulation.

COLLECTION OF INFORMATION

Achieved collects certain information about Users as well as the Subscriber and their respective devices, computers and use of the Service. Achieved uses, discloses, and protects this information as described in Achieved’s Privacy Policy, the then-current version of which is available at www.getachieved.com/privacy_policy and is incorporated into the Agreement.

CONTROLLER AND PROCESSOR

To the extent the User Data include any Personal Data, the Subscriber acknowledges in all cases that Achieved acts as the processor of such Personal Data and that the Subscriber remains the controller of such Personal Data for GDPR and any other applicable Personal Data protection regulations. The Subscriber understands that if it gives an integration provider access to the Subscriber Achieved account, the Subscriber serves as the controller of such information and the integration provider serves as the processor for the purposes of those data laws and regulations that apply to the Subscriber. In no case are such integration providers subprocessors of Achieved. The Appendix 1 to the Agreement includes Data Processing Agreement between the Subscriber and Achieved which shall govern the terms of Achieved’s processing of Service Data.

DATA CENTER LOCATION

The User Data is currently hosted by Achieved or its authorized service partners in data centers located in the European Economic Area. If the Subscriber’s principal location is within the European Economic Area, Achieved will use commercially reasonable efforts to notify it at least thirty (30) days before Achieved’s election to host Personal Data provided to Achieved in connection with the use of the Service, in data centers located outside the European Economic Area. If the Subscriber is entitled to this notice and does not wish to have the Personal Data hosted in data centers located in such other country, the Subscriber may terminate the subscription with immediate effect upon written notice to Achieved within thirty (30) days of the Subscriber receipt of Achieved’s notice.

12. CONFIDENTIALITY

In respect of Confidential Information of which it is the recipient, each Party undertakes:

    to treat such information as confidential;

    not to communicate or disclose, without the disclosing Party’s prior written consent, any part of such information to any person except:

a.   only to those employees, agents, subcontractors and other suppliers on a need-to-know basis who are directly involved in the provision of the Services;

b.   the recipient’s auditors, professional advisers and any other persons or bodies having a legal right or duty to have access to or knowledge of the Confidential Information in connection with the business of the recipient;

    to ensure that all persons and bodies mentioned in paragraph (b) above are made aware, prior to disclosure, of the confidential nature of the Confidential Information and that they owe a duty of confidence to the disclosing Party and to use all reasonable endeavors to ensure that such persons and bodies comply with the provisions of the present Article;

    not to use or circulate such Confidential Information within its own organization except to the extent necessary for the purposes of the Agreement.

The obligations in this Article will not apply to any Confidential Information which:

    was in the recipient’s possession (with full right to disclose) before receiving it; or

    is or becomes public knowledge other than by breach of this Article; or

    was independently developed by the recipient without access to or use of the Confidential Information; or

    was lawfully received from a third party (with full rights to disclose).

The provisions of this Article will continue in force notwithstanding the termination of the Agreement for any reason, for a period of five (5) years after such termination.

13. WARRANTIES

Achieved warrants that the Service will perform in a manner consistent with generally accepted industry standards and that the Service will substantially perform in accordance with the Usage plan. The Services uses state-of-the-art security technology including user authentication, secured firewalls and secured communication links.

Achieved makes neither warranty as to the merchantability or fitness for a particular purpose of the Service, nor that the Services will be uninterrupted or 100% error-free.

14. LIABILITY

Either Party shall indemnify, defend and hold harmless, at its sole expense, the other Party and its directors, officers, employees and agents from any claims, liabilities, damages, losses, costs and expenses (including reasonable attorney fees) arising out of or connected with the Subscriber’s (and its Users’) use of the Service and the User Data, and Achieved’s supply of the Services (including but not limited to infringement of third party rights and breaches of the law) or breach of the Agreement.

To the maximum extent permitted by law, the total aggregate liability of each Party for all claims for damages, arising from negligence, breach of contract or otherwise under or in connection with the Agreement shall be limited to the amounts of subscription paid by the Subscriber during the 1 (one) month period preceding the damage causing event.

Neither Party will be liable hereunder to the other Party for any indirect or consequential damages, even if such Party has been advised of the possibility of such damages.

Achieved shall not be liable for any interruption in the Service that is due to circumstances beyond its reasonable control (such as but not limited to internet, network or electronic communications delays, or (delivery) failures or interruptions caused by its third party service providers), or to a Force Majeure event.

15. FORCE MAJEURE

Neither Party shall be liable to the other for failure to comply with the Agreement to the extent caused by any Force Majeure event, including acts of God or mother of dragons attacks, subject to the Party being unable to comply with the Agreement immediately giving notice to the other Party, such notice containing the following information: (1) details of the Force Majeure event that has occurred ; (2) the date from which the Force Majeure event has prevented or hindered the Party in the performance of its Services ; (3) the Services so affected ; and (4) its best estimate of the date upon which it may be able to resume performance of the affected Services. Such notice will be confirmed by Official Notice within two (2) business days of the occurrence of the Force Majeure event.

Meanwhile, the affected Party will continue at all times to take all steps to (1) resume full performance of its obligations under the Agreement, and (2) mitigate the consequences of the Force Majeure event.

16. ASSIGNMENT

Subject to written confirmation of the assignee to Achieved that it agrees to remain bound by all provisions hereof, the Subscriber may assign the Agreement only to (a) a purchaser of or successor to substantially all of its business, or (b) an Affiliate; provided such purchaser, successor or Affiliate is not, or (at the time of the assignment) will reasonably not become, a competitor of Achieved.

17. REFERENCE

Each Party may mention the other Party in any communication to the public referring to its commercial references and use the other Party's logo and trademark for this purpose. This right to use the name, logo and other trademarks in its marketing materials and press releases is non-exclusive, non-transferable and free.

Any communication containing additional details about the project must be submitted to prior validation by the Subscriber.

18. OFFICIAL NOTICE

All official communications necessary for the application of the Agreement shall be delivered in writing by any of the following delivery methods, and shall be deemed to have been received as follows :

Delivery method

Assumed reception

        by registered Postal letter :

two (2) business days after being deposited

        by a nationally recognized delivery service to the address below :

one (1) business day after being deposited

        by e-mail with delivery receipt to the e-mail address below :

one (1) business day after being sent

 

The Subscriber

Postal address as specified in the Order Form

 

e-mail address as specified in the Order Form

Achieved / ACHIEVED

Avenue Demolder 4A, B1342 Limelette, Belgium

For the attention of the CEO

info@getachieved.com

Any change to these data shall be communicated by Official Notice to the above address.

19. GOVERNING LAW AND JURISDICTION

The Agreement is governed by, and shall be interpreted in accordance with, the Belgian law.

The Parties agree that all disputes arising out of or in connection with the Agreement shall be finally settled by one or more arbitrators under the rules of arbitration of the International Chamber of Commerce. The arbitration shall be conducted in French and the seat of the arbitration shall be Nivelles (Belgium). Each Party irrevocably submits to the jurisdiction of such arbitrators and waives any objection to proceedings before any such court on the ground of venue or on the ground that proceedings have been brought in an inconvenient forum.

20. MISCELLANEOUS

ENTIRE AGREEMENT

The Agreement, including its Appendixes and the Order Forms, constitutes the entire agreement between the Parties on the subject of the Services and supersedes and replaces all previous representations, negotiations, engagements, and written communications on this subject.

SEVERABILITY

The nullity or non-applicability of one of the clauses in the Agreement shall not compromise the continued validity or the applicability of the Agreement as a whole or of the remaining terms or rights.

INTERPRETATION

The original version of the Agreement has been made in English. Should the Agreement be translated in whole or in part into another language, the original English version shall prevail between the Parties hereto to the fullest extent possible.

INCORPORATION AND PRECEDENCE

The Agreement consists of the body of the Agreement and the Appendices.

In the event of any conflict between the provisions of the body of the Agreement and those of its Appendices, the provisions of the Appendices shall prevail, it being understood that the provisions of a more recent Appendix prevail on those of an older one.

21. APPENDICES

Upon signature of the Agreement, the following appendices are an integral part of the Agreement: Appendix 1 - Data Processing Agreement.

 

APPENDIX 1 – Data Processing Agreement

This Data Processing Agreement (the “DPA”) is made between the Subscriber, as registered in the Order Form, hereinafter called “Subscriber”, and Achieved, with registered office in Belgium, and listed in the national Companies Register under company number: 0669989292, hereafter referred to as “Achieved”,

Hereinafter called separately the “Party”, or collectively the “Parties”.

Preamble

Given that :

·    The Parties wish to enter into a Usage plan Agreement (hereafter the “Agreement”);

·    The Parties wish that the Processing of Data be executed according to the provisions of the General Data Protection Regulation (hereafter the “GPDR”), and of all applicable Data Protection legislation;

·    The Agreement is therefore completed with the present appendix to it (hereinafter, “Appendix”) that becomes an inherent part of the Agreement;

·    Within the scope of the Appendix, the Subscriber Processes Data for which it is the Controller, and possibly Data for which it is a Processor on behalf of third-party controllers;

·    Within the scope of the Appendix, Achieved is the Processor of the Data which it receives from the Subscriber, or to which the Subscriber gives it access.

The Parties have agreed that the preamble in the Appendix is binding on them and further also agree as follows :

1.     Definitions

In this Appendix, the following terms will have the following meaning, taken from the GDPR Regulation :

« Article » : unless specified otherwise, it refers to an article of the Appendix.

« Controller » : see Data Controller.

« Data » : see Personal Data.

« Data Breach » : « a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed » (GDPR Article 4.12).

« Data Controller » or simply « Controller » : « the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law » (GDPR Article 4.7). Within the scope of the Agreement, the Controller is the Subscriber.

« Data Processor » or simply « Processor » : « a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller » (GDPR Article 4.8). Within the scope of the Agreement, the Processor is Achieved.

« Data Subject » : an identified or identifiable natural person (GDPR Article 4.1).

« Data Subprocessor » or simply « Subprocessor » : third parties possibly engaged by Achieved to provide parts of the Services, as specified under Article 12.

« Documented Instructions » are the functional specifications of the Usage plan, complemented with any documented instructions from the Subscriber which have been expressly approved by Achieved.

« Notification » is the official notification of one Party to the other Party, according to the provisions of Article 16.

« Personal Data » or simply « Data » : « any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person » (GDPR Article 4.1).  In the Appendix, Data refers to the personal data which Achieved receives from the Subscriber, or to which the Subscriber gives it access.

« Processing », and, by extension, « Process » or « Processed » : « any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction » (GDPR Article 4.2).

« Processor » : see Data Processor.

« Services » : the services provided by Achieved to the Subscriber under the Agreement.

« Subprocessor » : see Data Sub-processor.

« Term » : the period from the date of signature of the Appendix until the end of provision of the Services, including, as the case may be, any post-termination period during which Achieved may continue to provide the Services for transitional purposes.

« Third Country » : is a country outside of the European Economic Area (EU + Iceland, Lichtenstein, Norway).

2.         Objective

2.1.  In the performance of its missions, the Subscriber Processes Data.  In order to execute the Processing covered by the Agreement, the Subscriber will give access to, and/or transfer to Achieved the Data which the Subscriber deems necessary.

3.         Duration

3.1.  The provisions of the Appendix apply during the Term and will remain in effect until deletion of all Data by Achieved or by the Subscriber as specified in Article 10.

4.         Data and Processing of Data

4.1.  The Subscriber certifies that it has collected the Data – be it “normal” Data (in the sense of GDPR Article 6) or “special” or “sensitive” Data (in the sense of GDPR Article 9) - in accordance with all applicable legislation with respect to data protection.

4.2.  The details of Processing entrusted by the Subscriber to Achieved (i.e. the object of Processing, the nature and purpose of Processing, the type of Data, the categories of data subjects, the Sub-processors and the security measures applied by Achieved) are specified in Schedule 1 to the Appendix.

4.3.  Achieved recognises the importance of appropriate Data protection and confirms that each Processing will be executed in accordance with the Documented Instructions and to any applicable legislation with respect to data protection.

4.4.  Achieved Processes the Data only on the Documented Instructions, including with regard to transfers of Data to a Third Country or an international organization, unless required to do so by Union or Member State law to which Achieved is subject; in such a case, Achieved shall inform the Subscriber of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest (GDPR Article 28.3.a).

4.5.  Achieved shall immediately inform the Subscriber if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions (GDPR Article 28.3.last §).

4.6.  Unless forbidden by law, Achieved will inform the Subscriber without delay when Achieved or any of its Subprocessors :

·  receives a question, a summons or a request for inspection or audit from a competent public authority regarding the Processing;

·  intends to divulge Data to any competent public authority outside of the contractual Processing scope; upon the request of the Subscriber, Achieved will communicate to it a copy of the documents supplied to the competent authority.

4.6.  With regard to the Processing, the complete instructions of the Subscriber to Achieved comprise the Agreement and its Appendixes, the other documents included or incorporated by reference as well as any other agreement between the Parties, including any complementary or alternative instruction agreed in writing between the Parties.

4.7.  Achieved recognises that, if it determines the purposes and means of Processing, Achieved shall be considered to be a Controller in respect of that Processing (GDPR Article 28.10).

5.     Records of Processing activities

5.1.  These records comprise (GDPR Article 30.2) :

a)  the name and contact details of Achieved and of the Subscriber, and of the data protection officer;

b)  the categories of Processing carried out on behalf of the Subscriber;

c)   where applicable, transfers of personal data to a Third Country or an international organisation, including the identification of that Third Country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) [of the GDPR], the documentation of suitable safeguards;

d)  a general description of the technical and organisational security measures referred to in GDPR Article 32 §1.

6.     Security and protection of Data

6.1.  Achieved certifies that it will inform and train its collaborators who Process Data, in accordance with applicable regulatory provisions.

6.2.  Achieved is responsible for the user identity management and for the authentication methods such as passwords and tokens attributed to its collaborators. Achieved recognises that the protection of these authentication methods is an integral part of its own security policies and procedures, and takes all necessary measures to protect them adequately.

6.3.  Achieved and its collaborators will only access the Data supplied by the Subscriber for the purposes directly bound to their mission, as described in the Agreement.

6.4.  When deleting Data, electronic media or paper documents during the Term, Achieved shall in all circumstances delete them in a sure manner, in such way that their results will cease to be either readable or usable for any purpose whatsoever.

6.5.  The Subscriber agrees that, without prejudice to Achieved’s obligations under this Article and Article 12 (Data Breach), the Subscriber is the sole responsible for (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Data, and (2) securing the account authentication credentials, systems and devices which the Subscriber uses to access the Data.

6.6.  Achieved has no obligation to protect Data that the Subscriber elects to store or transfer outside of Achieved’s and its Sub-processors’ systems (for example, on-premises or offline storage).

7.         Technical and organizational measures for the protection of Data

7.1.  Achieved shall take appropriate technical and organisational measures to (1) protect the Data from any Data Breach, as specified under Article 12 (Data Breach), and (2) provide commercially reasonable assistance to help the Subscriber fulfil its obligation to follow up on the requests brought by the Data Subjects in the exercise of their rights (GDPR Article 28.3.e), as specified under Article 12.

8.     Confidentiality of Data

8.1.  Achieved warrants that the persons it authorises to Process the Data will respect the confidentiality of said Data, especially if and where they would otherwise not be submitted to an appropriate legal obligation of confidentiality (GDPR Article 28.3.b).

9.         Deletion of Data and disposal of Data at the end of the Agreement

9.1.  During the Term : Achieved’s Services include tools enabling the Subscriber to delete Data during the Term in a manner consistent with the functionality of the Services.  In case the available tools do not enable such deletion, the Subscriber may instruct Achieved to delete the relevant Data from Achieved’s systems in accordance with the applicable law (GDPR Article 28.3.g).  Achieved will comply with this instruction as soon as reasonably practicable, unless EU or EU Member State law requires storage of the Data.

9.2.  At the end of the Term : Within a reasonable timeframe before the end of the provision of Services, the Subscriber may require that Achieved transfers all Data back to it ; either following the successful transfer of all Data, or without delay if such transfer was not requested within ten (10) working days of the end of the provision of the Services, Achieved (1) deletes all Data from its systems, and (2) deletes all existing copies, unless Union or Member State law requires storage of the Data (GDPR Article 28.3.g).

9.3.  Deletion : When it deletes Data or electronic media or paper documents, Achieved always deletes them in a secure manner, in such a way that their results are neither readable nor usable for any purpose.  For the sake of clarity, « delete » or « deletion » means the complete, integral and irreversible erasure of the Data.

10.   Location of the Processing of Data

10.1.           No transfer of Data to a Third Country or to an international organization will be authorised except with the Subscriber’s prior written agreement ; if Achieved is submitted to a different legal obligation, then it will inform the Subscriber of such legal obligation before the Processing, unless that law prohibits such information on important grounds of public interest (GDPR Article 28.3.a).

10.2.       Any transfer of Data by Achieved to a Third Country shall be submitted to the respect of legally recognised mechanisms for Data transfer to a Third Country, including the execution of an additional Agreement for Data Processing on the basis of standard data protection provisions approved by the European Commission.

11.   Subprocessors

11.1.       The list of Subprocessors identified at the date of signature of this Appendix is specified in Schedule 1.

11.2.       The Subscriber gives a general authorisation to Achieved to engage Subprocessors (GDPR Article 28.2).

11.3.       Achieved will notify the Subscriber of any update to the list of Subprocessors, at least thirty (30) days before the new Subprocessor Processes its Data, thereby giving the Subscriber the opportunity to object to such change (GDPR Article 28.2).  Such Notification will be made according to Article 16.

11.4.       If the Subscriber has justified and reasonable objections to a new Subprocessor, properly notified to Achieved, the Subscriber’s sole and exclusive remedy will be to terminate the Agreement immediately, upon written notice to Achieved, provided such notice is issued within thirty (30) days of Achieved’s Notification to the Subscriber.

11.5.       With each Subprocessor, Achieved shall execute written Agreements containing obligations which are no less protecting than the obligations of the Appendix, in particular with respect to sufficient warranties about the implementation of appropriate technical and organisational measures, in such a way that the Processing will meet the contractual requirements (GDPR Article 28.4).  In particular, Achieved will ensure that each Subprocessor which Processes Data (1) shall be authorised to Process these Data exclusively to execute the Processing specified by Achieved, and (2) shall refrain from using these Data for any other purpose.

11.6.       In case the Subprocessor does not fulfil its obligations with respect to Data protection, Achieved remains totally responsible towards the Subscriber of the performance by the Subprocessor of its obligations according to the Agreement, including the Appendix covering Data protection.

12.   Data Breach

12.1.       When it notices a Data Breach or when it is victim of one, or when it is notified of one by a Subprocessor, Achieved will deliver a Notification to the Subscriber without undue delay after having become aware of it.

12.2.       Achieved will not assess the contents of Data involved in a Data Breach.  The Subscriber is the sole responsible for (1) complying with incident notification laws applicable to the Subscriber, and (2) fulfilling any third-party notification obligation related to any Data Breach.

12.3.       Achieved agrees to cooperate with the Subscriber to the examination of the Data Breach, and to provide commercially reasonable assistance as necessary to mitigate or remediate the Data Breach (GDPR Article 33.5).

12.4.       Achieved’s notification of, or response to, a Data Breach under this Article will in no way be construed as an acknowledgement of any fault or liability with respect to such Data Breach.

13.   Data Subject requests

13.1.           The Subscriber is the sole responsible for processing the requests from Data Subjects in connection with the Processing.

13.2.           When Achieved is able to identify with certainty, with a reasonable effort, the relationship between the Data Subject and the Subscriber, Achieved shall promptly inform the Subscriber of the request of the Data Subject or of any other request relating to the Agreement received by it or by any Subprocessor.  Achieved shall not respond to the substance of the request but shall acknowledge receipt of it.

13.3.           If Achieved cannot identify with certainty the relationship between the Data Subject and the Subscriber, Achieved's only obligation is to reply to the Data Subject that it is not the controller of the Data Subject's personal data and that the Data Subject must address his request to the controller concerned.

13.4.           Achieved will provide commercially reasonable assistance to the Subscriber in fulfilling its obligation to respond to requests from Data Subjects (GDPR Article 28.3.e).

13.5.           Where the Subscriber is required to provide information to a Data Subject in connection with the Processing or to take any other action reasonably required to comply with the Data Subject's requests, Achieved shall make all required information available to the Subscriber in a format required to comply with such requests from the Data Subject.

13.6.           In the event of a dispute or other claim by a Data Subject concerning the Processing against a Party, the Parties shall inform each other without delay and undertake to cooperate and coordinate with a view to effectively defending themselves against such claims and/or settling them amicably and promptly.

14.   Data Protection Impact Analysis

14.1.       If the Subscriber is obliged to perform a data protection impact analysis, Achieved will provide commercially reasonable assistance and support to the Subscriber in the performance of such analysis in order to enable the Subscriber to respect its obligations with regard to that matter.

15.   Audit and compliance

15.1.           The Subscriber reserves the right to proceed with any verification which it would deem useful to establish the respect by Achieved of the obligations specified in the Agreement.

15.2.           The Subscriber has the right to carry out an audit mission, at its own costs, at most once (1) a year at the Achieved premises where the Data is being Processed, to check the proper respect of the Agreement.

15.3.           Upon request from the Client, Achieved shall communicate to the Client all information necessary to (1) demonstrate the respect of its obligations, to (2) enable the performance of audit missions, including inspections, by the Client or another auditor mandated by it, or a competent authority, and to (3) contribute to these audit missions (GDPR Article 28.3.h).

15.4.       Upon request from the Subscriber, Achieved shall make commercially reasonable efforts to communicate to the Subscriber all information necessary to (1) demonstrate the respect of its obligations, to (2) enable the performance of audit missions, including inspections, by the Subscriber or another auditor mandated by it, or a competent authority, and to (3) contribute to these audit missions (GDPR Article 28.3.h).  This information shall be considered as Achieved’s Confidential Information under the confidentiality provisions of the Agreement.

16.   Notifications

16.1.           A notification from Achieved to the Subscriber will be sent to the Subscriber’s e-mail address specified in the Order Form, using e-mail with registered return receipt, and will be deemed having been received one (1) working day after the date of electronic mailing.

16.2.           A notification from the Subscriber to Achieved will be sent to privacy@getachieved.com using e-mail with registered return receipt, and will be deemed having been received: one (1) working day after the date of electronic mailing.

17.   Miscellaneous

17.1.        In case of discrepancy between the terms of the DPA and those of the body of the Agreement, the DPA terms will prevail.

 

Schedule 1 to the DPA - Processing details - List of Subprocessors – Security measures

Subject-matter of the Processing

Achieved’s provision of the Services and related technical support to the Subscriber.

Duration of the Processing

The applicable Subscription Term (as defined in the Terms) plus the period from expiry of such Subscription Term until deletion of all Service Data by Achieved in accordance with the DPA.

Nature and purpose of the Processing

Achieved Processes the Data for the purposes of providing the Services and the related technical support to the Subscriber in accordance with the DPA.

Categories of Data

The Data may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, tasks and other data.

Data Subjects

The Data may concern the following categories of Data Subjects: the Users.

Current List of Sub-processors

For an updated list of the Subprocessors, please refer to the following page: https://www.getachieved.com/legal/third-party-services/.

Security measures

For your information, we take all necessary precautions, as well as the appropriate organizational and technical measures, to maintain the security, integrity and confidentiality of your personal data, and in particular to prevent it from being deformed or damaged and to prevent any unauthorized third party from accessing it.