Terms of Use

These terms apply to services purchased on National Business Research Institute, Inc. (NBRI) websites, not to services offered through NBRI’s enterprise sales team.

These Terms of Use are effective upon sign up for new users.

Introduction

Thanks for using NBRI’s products, services, websites, and apps which are branded as “NBRI” (“NBRI Services”) or “ClearView” (“ClearView Services”) or “NBRI ClearView” (“NBRI ClearView Services”), collectively “Services”.
These Terms of Use (“TOU”) contain the terms under which NBRI provides Services to you and describes how the Services may be accessed and used. These TOU do not apply to NBRI Services which are available solely through our enterprise sales channel.
You indicate your agreement to these Terms by clicking or tapping on a button or checkbox indicating your acceptance of these Terms, by executing a document that references them, or by using the Services.
If you will be using the Services on behalf of an organization, you agree to these Terms on behalf of that organization and you represent that you have the authority to do so. In such case, “you” and “your” will refer to that organization.
Certain country-specific terms listed later in this document may apply to you if you are located outside the United States.

1. Fees and Payments

1.1. Fees for Services.
You agree to pay to NBRI any fees for each Service you purchase or use (including any overage fees), in accordance with the pricing and payment terms presented to you for that Service. Where applicable, you will be billed using the billing method you select through your account details page. If you have elected to pay the fees by credit card, you represent and warrant that the credit card information you provide is correct and you will promptly notify NBRI of any changes to such information. Fees paid by you are non-refundable, except as provided in these Terms or when required by law.

1.2. Subscriptions.
Some of our Services are billed on a subscription basis (we call these “Subscriptions”). This means that you will be billed in advance on a recurring, periodic basis (each period is called a “billing cycle”). Billing cycles are typically monthly or annual, depending on what subscription plan you select when purchasing a Subscription. Your Subscription will automatically renew at the end of each billing cycle unless you disable auto-renewal through your online account details page. While we will be sad to see you go, you may disable auto-renewal on your Subscription at any time, in which case your Subscription will continue until the end of that billing cycle before terminating. You may disable auto-renewal on your Subscription immediately after the Subscription starts if you do not want it to renew.

1.3. Taxes.
Our prices listed do not include any taxes, levies, duties or similar governmental assessments of any nature such as value-added, sales, use, or withholding taxes, assessable by any jurisdiction (collectively, “Taxes”) unless otherwise indicated. You are responsible for paying Taxes associated with your purchase and keeping your billing information up to date.

(a) United States Sales Tax. If we have a legal obligation to pay or collect sales tax for which you are responsible, we will calculate the sales tax based upon the billing information we have about you and charge you that amount (which, if your billing information is incomplete or inaccurate, may be the highest prevailing rate then in effect), unless you timely provide us with a valid tax exemption certificate acceptable to the appropriate taxing authority.

• To be timely, you must provide us with a tax exemption certificate before your initial purchase or upgrade, or, if you miss that mark, within 90 days after such purchase or upgrade, unless your billing information is in Alabama, Louisiana, Maine, Massachusetts, Pennsylvania, or South Carolina in which case within 60 days; or if in Hawaii, Mississippi, or New Mexico within 45 days.

• If you provide us with a tax exemption certificate, you represent and warrant that it accurately reflects your tax status and that you will keep such document current and accurate.

• If we subsequently determine in our sole discretion that your tax exemption document is valid, we will refund the sales tax collected based on applicable state tax laws.

(b) Non-United States Sales Tax. If applicable, we will charge you VAT, GST or any other sales, consumption, or use taxes that arise in connection with your purchases of NBRI products unless you provide us with a tax identification number that entitles you to an exemption, a valid tax exemption certificate, or other documentary proof issued by an appropriate taxing authority that tax should not be charged. If you are located in a jurisdiction with multiple sales, consumption, or use taxes, we may charge you the highest prevailing rate if your billing information is incomplete or inaccurate.

If you are required by law to withhold any Taxes from your payments to NBRI, you must provide NBRI with an official tax receipt or other appropriate documentation to support such payments.

1.4. Price Changes.
NBRI may change the fees charged to you for the Services at any time, provided that, for Services billed on a subscription basis, the change will become effective only at the end of the then-current billing cycle of your Subscription.

1.5. Overage Fees.
Unless otherwise stated, any overage fees incurred by you will be billed in arrears. Overage fees which remain unpaid for 30 days after being billed are considered overdue. Failure to pay overage fees when due may result in the applicable Service being limited, suspended, or terminated (subject to applicable legal requirements), which may result in a loss of your data associated with that Service.

2. Privacy

2.1. Privacy.
In the course of using the Services, you may submit content to NBRI (including your personal data and the personal data of others) or third parties may submit content to you through the Services (all of the above will be referred to as your “Content”). We know that by giving us your Content you are trusting us to treat it appropriately. NBRI’s Privacy Policy, together with any Service-specific privacy notices or statements (collectively, “NBRI privacy policies”), detail how we treat your Content and we agree to adhere to those NBRI privacy policies. You in turn agree that NBRI may use and share your Content in accordance with the NBRI privacy policies and applicable data protection laws. If you are a customer who is operating as a “data controller” as defined in the European General Data Protection Regulation 2016/679 (“GDPR”) we have added some additional terms below to address your obligations under this law. You also agree that you are responsible for notifying these third parties who submit content to you through our Services about the NBRI privacy policies.

2.2. Confidentiality.
NBRI will treat your Content as confidential information and only use and disclose it in accordance with these Terms (including the NBRI privacy policies). However, your Content is not regarded as confidential information if such Content: (a) is or becomes public (other than through breach of these Terms by NBRI); (b) was lawfully known to NBRI before receiving it from you; (c) is received by NBRI from a third party without knowledge of breach of any obligation owed to you; (d) is shared in the context of your account being migrated to an organization’s Enterprise account, if your account is registered using a work email address within that organization; or (e) was independently developed by NBRI without reference to your Content. NBRI may disclose your Content when required by law or legal process, but only after NBRI, if permitted by law, uses commercially reasonable efforts to notify you to give you the opportunity to challenge the requirement to disclose.

2.3. Security.
NBRI will store and process your Content in a manner consistent with industry security standards. NBRI has implemented appropriate technical, organizational, and administrative systems, policies, and procedures designed to help ensure the security, integrity, and confidentiality of your Content and to mitigate the risk of unauthorized access to or use of your Content.

If NBRI becomes aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of, personal data related to your account (“Security Incident”), NBRI will take reasonable steps to notify you without undue delay, but in any event within 72 hours of becoming aware of the Security Incident. NBRI will also reasonably cooperate with you with respect to any investigations relating to a Security Incident with preparing any required notices, and provide any other information reasonably requested by you in relation to any Security Incident, where such information is not already available to you in your account or online through updates provided by NBRI.

3. Your Content

3.1. You Retain Ownership of Your Content.
You retain ownership of all of your intellectual property rights in your Content. NBRI does not claim ownership over any of your Content. These Terms do not grant us any licenses or rights to your Content except for the limited rights needed for us to provide the Services, and as otherwise described in these Terms.

3.2. Limited License to Your Content.
You grant NBRI a worldwide, royalty free license to use, reproduce, distribute, modify, adapt, create derivative works, make publicly available, and otherwise exploit your Content, but only for the limited purposes of providing the Services to you and as otherwise permitted by the NBRI privacy policies. This license for such limited purposes continues even after you stop using our Services, with respect to aggregate and de-identified data derived from your Content and any residual backup copies of your Content made in the ordinary course of NBRI’s business. This license also extends to any trusted third parties we work with to the extent necessary to provide the Services to you. If you provide NBRI with feedback about the Services, we may use your feedback without any obligation to you.

3.3. Representations and Warranties
You represent and warrant that: (a) you own or control the appropriate rights in and to your Content, including any intellectual property owned by third parties; and (b) you will not submit, upload, or otherwise make available via the Services, any Content or materials that (i) you do not have the rights necessary to use, transmit, publish, or to grant us the license as described herein; or (ii) infringe, misappropriate, or otherwise violate any intellectual property, publicity, or other rights of any third party.

3.4 Customer Lists.
NBRI may identify you (by name and logo) as a NBRI Services customer on NBRI’s website and on other promotional materials. Any goodwill arising from the use of your name and logo will inure to your benefit.

3.5. Copyright Claims (DCMA Notices).
NBRI responds to notices of alleged copyright infringement in accordance with the U.S. Digital Millennium Copyright Act (DMCA). If you believe that your work has been exploited in a way that constitutes copyright infringement, you may notify NBRI at abuse@nbrii.com.

3.6. Other IP Claims.
NBRI respects the intellectual property rights of others, and we expect our users to do the same. If you believe an NBRI user is infringing upon your intellectual property rights, you may report it to abuse@nbrii.com. Claims of copyright infringement should follow the DMCA process outlined in these Terms, or any equivalent process available under local law.

4. NBRI IP

4.1. NBRI IP.
Neither these Terms nor your use of the Services grants you ownership in the Services or the content you access through the Services (other than your Content). These Terms do not grant you any right to use NBRI’s trademarks or other brand elements.

If you submit any feedback or suggestions to us regarding our Services, we may use and share them for any purpose without any compensation or obligation to you.

5. User Content

5.1. User Content.
The Services display content provided by others that is not owned by NBRI. Such content is the sole responsibility of the entity that makes it available. Correspondingly, you are responsible for your own Content and you must ensure that you have all the rights and permissions needed to use that Content in connection with the Services. NBRI is not responsible for any actions you take with respect to your Content, including sharing it publicly. Under no circumstances will NBRI be liable for any Content, any other third-party content or materials, or any loss or damage resulting from your use of, or reliance on, such Content or other third-party content or materials. Please do not use content from the Services unless you have first obtained the permission of its owner, or are otherwise authorized by law to do so.

5.2. Content Review.
You acknowledge that, in order to ensure compliance with legal obligations, NBRI may be required to review certain content submitted to the Services to determine whether it is illegal or whether it violates these Terms (such as when unlawful content is reported to us). We may also modify, prevent access to, delete, or refuse to display content that we believe violates the law or these Terms. In the event your Content includes third-party brands, logos, or other source identifiers, we may require you to submit a statement of non-affiliation before you may use such Content in connection with the Services. However, NBRI otherwise has no obligation to monitor or review any content submitted to the Services.

5.3. Third Party Resources.
NBRI may publish links in its Services to internet websites maintained by third parties. NBRI does not represent that it has reviewed such third party websites and is not responsible for them or any content appearing on them. Trademarks displayed in conjunction with the Services are the property of their respective owners.

6. Account Management

6.1. Keep Your Password Secure.
If you have been issued an account by NBRI in connection with your use of the Services, you are responsible for safeguarding your password and any other credentials used to access that account. You, and not NBRI, are responsible for any activity occurring in your account (other than activity that NBRI is directly responsible for which is not performed in accordance with your instructions), whether or not you authorized that activity. If you become aware of any unauthorized access to your account, you should notify NBRI immediately. Accounts may not be shared and may only be used by one individual per account.

6.2. Keep Your Details Accurate.
NBRI occasionally sends notices to the email address registered with your account. You must keep your email address and, where applicable, your contact details and payment details associated with your account current and accurate.

6.3. Remember to Backup.
You are responsible for maintaining, protecting, and making backups of your Content. To the extent permitted by applicable law, NBRI will not be liable for any failure to store, or for loss or corruption of, your Content.

6.4. Account Inactivity.
NBRI may terminate your account and delete any Content contained in it if there is no account activity (such as a log in event) for over 12 months. However, we will attempt to warn you by email before terminating your account to provide you with an opportunity to log in to your account so that it remains active.

6.5. Customer Success.
NBRI may assign you a project manager (“PM”). The PM may review your use of the Services and your Content to help you to more effectively use the Services, including by providing reporting and usage insight.

7. User Requirements

7.1. Legal Status.
If you are an individual, you may only use the Services if you have the power to form a contract with NBRI. If you do not have the power to form a contract, you may not use the Services. If you are not an individual, you warrant that you are validly formed and existing under the laws of your jurisdiction of formation, that you have full power and authority to enter into these Terms, and that you have duly authorized your agent to bind you to these Terms.

7.2. Minors.
“Minors” are individuals under the age of 13 (or a higher age as provided in certain countries and territories). None of the Services are intended for use by Minors. If you are a Minor in your place of residence, you may not use the Services. By using the Services, you represent and warrant that you are not a Minor.

7.3. Embargoes.
You may only use the Services if you are not barred under any applicable laws from doing so. If you are located in a country embargoed by the United States or other applicable law from receiving the Services, or are on the U.S. Department of Commerce’s Denied Persons List or Entity List, or the U.S. Treasury Department’s list of Specially Designated Nationals, you are not permitted to purchase any paid Services from NBRI. You will ensure that: (a) your end users do not use the Services in violation of any export restriction or embargo by the United States; and (b) you do not provide access to the Services to persons or entities on any of the above lists.

8. Acceptable Uses

8.1. Legal Compliance.
You represent and warrant that you will comply with all laws and regulations applicable to your use of the Services.

8.2. Acceptable Uses Policy.
You agree to comply with our Acceptable Uses Policy.

9. PCI Compliance

9.1. PCI Standards.
If you use the Services to accept payment card transactions, you must comply with the Payment Card Industry Data Security Standards (PCI-DSS) to the extent they are applicable to your business (the “PCI Standards”). You must ensure that your business is compliant and the specific steps you will need to take to comply with the PCI Standards will depend on your implementation of the Services.

9.2. Cardholder Data.
YOU ACKNOWLEDGE AND AGREE THAT YOU ARE PROHIBITED FROM COLLECTING OR ENTERING CARDHOLDER DATA INTO ANY FORM OR DATA ENTRY FIELDS IN THE SERVICES, EXCEPT INTO THOSE FIELDS INTENDED SOLELY FOR THAT PURPOSE (i.e. where NBRI explicitly enables such data to be entered into such fields). Appropriate fields are clearly marked with labels such as ‘Card number’ or by having a credit card icon precede them. Similarly, excluding payment forms, you must never collect or enter any “Sensitive Authentication Data”, as defined by the PCI Standards (including CVC or CVV2) into any fields in the Services. You assume all responsibility for any Cardholder Data entered into the Services in violation of these terms.

10. Suspension and Termination of Services

10.1. By You.
You can terminate your Subscription and delete your account at any time through your account management page. Such termination and deletion will result in the deactivation or disablement of your account and access to it, and the deletion of content you collected through use of the Services. Terminations are confirmed immediately and you will not be charged again for that Subscription unless you purchase a new one. If you terminate a Subscription in the middle of a billing cycle, you will not receive a refund unless you are terminating these Terms for any of the following reasons: (a) we have materially breached these Terms and failed to cure that breach within 30 days after you have so notified us in writing; (b) a refund is required by law; or (c) we, in our sole discretion, determine a refund is appropriate. For clarity, we will not grant a refund where you have used our Services, collected responses, and/or downloaded your responses unless the termination is due to our material, uncured breach, or a refund is required by law.

10.2. By NBRI.
NBRI may terminate your Subscription at the end of a billing cycle by providing at least 30 days’ prior written notice to you. NBRI may terminate your Subscription for any reason by providing at least 90 days’ written notice to you and will provide a pro rata refund for any period of time you did not use in that billing cycle. NBRI may suspend performance or terminate your Subscription for any of the following reasons: (a) you have materially breached these Terms and failed to cure that breach within 30 days after NBRI has so notified you in writing; (b) you cease your business operations or become subject to insolvency proceedings and the proceedings are not dismissed within 90 days; or (c) you fail to pay fees for 30 days past the due date. Additionally, NBRI may limit, suspend, or terminate the Services to you: (i) if you fail to comply with these Terms, (ii) if you use the Services in a way that causes legal liability to us or disrupts others’ use of the Services; or (iii) if we are investigating suspected misconduct by you. Also, if we limit, suspend, or terminate the Services you receive, depending upon the reason, we will endeavor to give you advance notice and an opportunity to obtain a copy of your Content from that Service. However, there may be time sensitive situations where NBRI may decide that we need to take immediate action without notice. NBRI will use commercially reasonable efforts to narrow the scope and duration of any limitation or suspension under this Section as is needed to resolve the issue that prompted such action. NBRI has no obligation to retain your Content upon termination of the applicable Service.

10.3. Further Measures.
If NBRI stops providing the Services to you because you repeatedly or egregiously breach these Terms, NBRI may take measures to prevent the further use of the Services by you, including blocking your IP address.

11. Changes and Updates

11.1. Changes to Terms.
NBRI may change these Terms at any time for a variety of reasons, such as to reflect changes in applicable law or updates to Services, and to account for new Services or functionality. The most current version will always be posted on the NBRI website. If an amendment is material, as determined in NBRI’s sole discretion, NBRI will notify you by email. Notice of amendments may also be posted to NBRI’s blog or upon your login to your account. Changes will be effective no sooner than the day they are publicly posted. In order for certain changes to become effective, applicable law may require NBRI to obtain your consent to such changes, or to provide you with sufficient advance notice of them. If you do not want to agree to any changes made to the terms for a Service, you should stop using that Service, because by continuing to use the Services you indicate your agreement to be bound by the updated terms.

11.2. Changes to Services.
NBRI constantly changes and improves the Services. NBRI may add, alter, or remove functionality from a Service it provides to you at any time without prior notice. NBRI may also limit, suspend, or discontinue a Service provided to you at its discretion. If NBRI discontinues a Service, we will give you reasonable advance notice to provide you with an opportunity to obtain a copy of your Content from that Service. NBRI may remove content from the Services it provides you at any time in our sole discretion, although we will endeavor to notify you before we do that if it materially impacts you and if practicable under the circumstances.

11.3. Downgrades.
Downgrading your account plan may cause the loss of content, features, functionality, or capacity of your account.

11.4 Plan Response Limits
Any responses over your plan’s response limits will not be viewable, and each response over the limit will be deleted 60 days after it is received, unless you upgrade to a plan with appropriate limits to view and keep access to all responses before they are deleted. We encourage you to go to Account Details to see if you have extra responses over your plan’s response limit, in case you want to upgrade to a higher paid plan to view and keep them.

12. Disclaimers and Limitations of Liability

12.1. Disclaimers.
While it is in NBRI’s interest to provide you with a great experience when using the Services (and we love to please our customers), there are certain things we do not promise about them. We try to keep our online Services up, but they may be unavailable from time to time for various reasons. EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES AND ANY GUIDANCE OR RECOMMENDATIONS THEREIN ARE PROVIDED “AS IS” AND NBRI DOES NOT MAKE WARRANTIES OF ANY KIND, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OR ANY REPRESENTATIONS REGARDING AVAILABILITY, RELIABILITY, OR ACCURACY OF THE SERVICES.

12.2. Exclusion of Certain Liability.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, NBRI, ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, SUPPLIERS, AND LICENSORS WILL NOT BE LIABLE FOR (A) ANY INDIRECT, CONSEQUENTIAL, SPECIAL, INCIDENTAL, PUNITIVE, OR EXEMPLARY DAMAGES WHATSOEVER, OR (B) LOSS OF USE, DATA, BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), ARISING OUT OF OR IN CONNECTION WITH THE SERVICES AND THESE TERMS, AND WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, EVEN IF NBRI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

12.3. Limitation of Liability.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE AGGREGATE LIABILITY OF EACH OF NBRI, ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, SUPPLIERS, AND LICENSORS ARISING OUT OF OR IN CONNECTION WITH THE SERVICES AND THESE TERMS WILL NOT EXCEED THE LESSER OF: (A) THE AMOUNTS PAID BY YOU TO NBRI FOR USE OF THE SERVICES AT ISSUE DURING THE 12 MONTHS PRIOR TO THE EVENT GIVING RISE TO THE LIABILITY; AND (B) US$200.00.

12.4. Consumers.
We acknowledge that the laws of certain jurisdictions provide legal rights to consumers that may not be overridden by contract or waived by those consumers. If you are such a consumer, nothing in these Terms limits any of those consumer rights.

12.5. Indemnification.
If you are a business, you will indemnify and hold harmless NBRI and its affiliates, officers, agents, and employees from all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) (“Indemnification Amounts”) arising out of a third party claim regarding or in connection with your or your end users’ use of the Services or breach of these Terms, to the extent that such liabilities, damages, and costs were caused by you or your end users.

If you are any kind of user, you will indemnify and hold Indemnified Entities harmless from any Indemnification Amounts arising out of a breach of your obligation in Section 1.3 to ensure your tax exemption certificate, if any, accurately reflects your current tax status.

13. Contracting Entity

13.1. Who you are contracting with.
Unless otherwise noted, the Services are provided by, and you are contracting with, NBRI.

13.2. NBRI
For any Service provided by NBRI, the following provisions will apply to any terms governing that Service:
• Contracting Entity. References to “NBRI”, “we”, “us”, and “our” are references to NBRI, located at 2701 Dallas Parkway, Suite 650, Plano, TX, 75093, USA.

• Governing Law. Those terms are governed by the laws of the State of Texas (without regard to its conflict of laws provisions).

• Jurisdiction. Except if prohibited by applicable law, each party submits to the exclusive jurisdiction of the federal or state courts located in Dallas, Texas.

14. Other Terms

14.1. Assignment.
You may not assign these Terms without NBRI’s prior written consent, which may be withheld in NBRI’s sole discretion. NBRI may assign these Terms at any time without notice to you.

14.2. Entire Agreement.
These Terms (including the Additional Terms) constitute the entire agreement between you and NBRI, and they supersede any other prior or contemporaneous agreements, terms and conditions, written or oral concerning its subject matter. Any terms and conditions appearing on a purchase order or similar document issued by you do not apply to the Services, do not override or form a part of these Terms, and are void.

14.3. Independent Contractors.
The relationship between you and NBRI is that of independent contractors, and not legal partners, employees, or agents of each other.

14.4. Interpretation.
The use of the terms “includes”, “including”, “such as”, and similar terms, will be deemed not to limit what else might be included.

14.5. No Waiver.
A party’s failure or delay to enforce a provision under these Terms is not a waiver of its right to do so later.

14.6. Precedence.
To the extent any conflict exists, the Additional Terms prevail over this TOU with respect to the Services to which the Additional Terms apply.

14.7. Severability.
If any provision of these Terms is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of the terms will remain in full effect.

14.8. Third Party Beneficiaries.
There are no third party beneficiaries to these Terms.

14.9. Survival.
The following sections will survive the termination of these Terms: 1, 2, 3.2, 10, 12, 13, 14, and 15.

14.10 Survey Platform Service-Specific Terms
These service-specific terms apply to your use of NBRI’s online and mobile survey tools related to the creation, deployment, analysis, and administration of surveys under your NBRI account or subscription plan.

14.10.1 Teams
Each user account that belongs to your subscription is referred to as an “account user” and they collectively form the “Team”. A Team may represent a team, group, or other subdivision within your organization, or the whole organization. Each subscription represents one Team, and you may maintain multiple Teams by purchasing multiple subscriptions.

14.10.2 Administrative Responsibilities
The Service is designed to provide you as the primary admin with the ability to self-manage your Team. Management and administration of your Team is the responsibility of you and not NBRI (including responding to requests for account creation, deletion, and reassignment, and management of settings for users). NBRI will not be responsible for any liability arising from adding, removing, or otherwise managing your Team in accordance with your instructions.

14.10.3 Account Users
You will ensure that your account users comply with the terms under which the Service is made available to you, including any applicable acceptable use policies. You may not provision any seats to minors. “Minors” are individuals under the age of 13 (or under a higher age if permitted by the laws of their residence). If your user breaches these Terms, or uses the Service in a manner that NBRI reasonably believes will cause NBRI liability or disrupt others’ use of the Service, then NBRI may suspend or close the applicable end user account, or request that you do so.

14.10.4 Consequences of Termination of Service
If the Service terminates, all account users (including the primary admin account) will be terminated and will lose all functionality.

14.10.5 Downgrade Event
You acknowledge that a Downgrade may cause you to lose control of all of your Team upon termination. Account users that have converted to personal accounts will be regarded by NBRI to be controlled by the account user to whom the account is registered at the time of the Downgrade.

If you desire to retain control of your Team account users following a Downgrade, you are solely responsible for taking actions, before the Downgrade, that are necessary to achieve this, such as: (a) reassigning Team account users to appropriate personnel of yours; (b) changing access credentials to Team accounts; and (c) exporting data in your Team accounts and deleting any data you do not desire account users to have access to following the Downgrade.

14.10.6 Survey Closure
If NBRI closes a survey you are conducting because of a violation of NBRI’s terms, you should not re-open the survey without remedying the violation or getting NBRI’s prior written permission. Otherwise, NBRI may suspend the relevant account user or stop providing the Service to you.

14.11 Benchmarking Service-Specific Terms
These service-specific terms apply if you have purchased a subscription that includes the NBRI Benchmarking service (“Benchmarking”).

14.11.1 Definitions
Benchmarking provides you with access to certain benchmarking data (“Data”) derived from survey data that NBRI users have contributed for the purpose benchmarking. Benchmarking may be purchased as part of a subscription where ongoing access to benchmarking data is provided through your NBRI account.

If you purchase a subscription that includes Benchmarking you will be required to: (a) maintain an NBRI account on a plan that supports Benchmarking; (b) maintain a completed demographic profile (accessible through your Account Details page); and (c) contribute your own survey results to the Benchmarking service.

14.11.2 Benchmarking Data License
Subject to the payment of any applicable fees for Benchmarking, NBRI grants you a perpetual, non-exclusive, non-transferable, non-sublicensable, worldwide right to use the Data for your internal business purposes only (“License”).

The License also permits you to:
1. reproduce the Data for your internal backup purposes only.

You may not, and the License does not entitle you to:
1. resell, lend, or assign the Data;

2. publish, distribute, or otherwise disclose the Data to any third party, except to any of your contractors who need to access the Data to assist you to use the Data in accordance with the terms of the License. You will be liable for any breach of the License terms by your contractors;

3. imply or state that NBRI endorses, sponsors, or is affiliated with the purposes for which you use the Data; or

4. remove or modify any notice of copyright, trademark, or other proprietary right from any place where it is on or embedded in the Data.

14.11.3 Intellectual Property Ownership
These Terms do not grant or transfer to you any ownership rights to the Data, and ownership of all intellectual property rights subsisting in the Data are retained by NBRI. No licenses or rights to the Data are granted to you other than as expressly provided herein.

14.11.4 Termination of License
The License, with respect to any Data you have downloaded, will survive termination of your access to Benchmarking and will continue until terminated. NBRI may terminate the License upon 7 days’ written notice if you materially breach these Terms. Upon termination of the License, you will immediately cease all use of the Data and delete all copies of the Data you have in your possession, control, or custody.

14.11.5 Term and Termination
NBRI may cancel your access to Benchmarking at the end of a billing cycle by providing written notice before the end of that billing cycle.

14.11.6 Price Changes
If you have access to Benchmarking as part of a subscription, NBRI may change the fees charged for Benchmarking at any time, provided that the change will become effective only at the end of the then-current billing cycle for your NBRI account.

14.11.7 Warranty Disclaimer
EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE DATA IS PROVIDED “AS IS” AND NBRI DOES NOT MAKE WARRANTIES OF ANY KIND, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OR ANY REGARDING RELIABILITY, VERACITY, OR ACCURACY OF THE DATA.

14.11.8 Payment Terms
Access to Data will be granted after payment in full of any fees invoiced by NBRI for Benchmarking. Fees paid are non-refundable.

14.11.9 Contracting Entity
Benchmarking is provided to you by NBRI.

15. Terms for Certain Customers and Countries

15.1. Language.
These Terms are prepared and written in English. To the extent that any translated version conflicts with the English version, the English version controls, except where prohibited by applicable law.

15.2. Customer-Specific Terms.
The following amendments automatically apply to you upon acceptance of these Terms if you are one of the types of entities identified below:

15.2.1 Amendment to NBRI Terms of Use (TOU) Applicable to U.S. Government Users and Subscribers

This Amendment is an agreement between NBRI and the United States Government and applies to any U.S. Government agency users and account holders, who use or access the Services (the “Agency” or “you“).

You, as a United States Government entity, are required, when entering into agreements with other parties, to follow applicable federal laws and regulations, including those related to ethics; privacy and security; accessibility; federal records; limitations on indemnification; fiscal law constraints; advertising and endorsements; freedom of information; and governing law and dispute resolution forum. NBRI and the Agency (together, the “Parties“) agree that modifications to NBRI’s Terms of Use are appropriate to accommodate your legal status as a government entity, your public (in contrast to private) mission, and other special circumstances. Accordingly, the Agreement is hereby modified by this Amendment as it pertains to the Agency’s use of the Services. Capitalized terms that are not expressly defined in this Amendment have the meanings given to them in the Agreement.

A. Government entity.
“You” and “your” within the Agreement shall mean the Agency itself and shall not apply to, or bind in their individual capacity (i) the individual(s) who utilize the Services on the Agency’s behalf, or (ii) any individual users who happen to be employed by, or otherwise associated with, the Agency. NBRI will look solely to the Agency to enforce any violation or breach of the Agreement by such individuals, subject to U.S. federal law.

B. Public purpose.
Any requirement(s) set forth in the Agreement that use of the Services be limited to private, personal and/or non-commercial purposes is hereby waived.

C. Agency content serving the public.
NBRI agrees that the Agency may distribute or otherwise publish, via the Services, Agency Content which may contain or constitute promotions, advertisements or solicitations for goods or services, so long as the material relates to the Agency’s mission and complies with any requirements set forth in the Agreement relating to Content.

D. Advertisements.
NBRI agrees to disable, or provide you with functionality that allows you to disable, the serving or display of any third party commercial advertisements or solicitations on any pages or screens of the Services, displaying Content created by or under the control of the Agency. The foregoing obligations are contingent upon the email address designated on your account details page ending in “.gov” or “.mil” (excluding U.S. state or other non-federal government agency domain names with such endings) and shall not preclude house ads, which NBRI may serve on such pages in a non-intrusive manner. If you have a Subscription (see provisions in Section R (Separate future action for fee based services)), NBRI agrees to provide you with functionality, as is currently provided to private and commercial users who hold Subscriptions, that allows you to disable the placing of any screen or link inviting survey respondents to engage in other surveys or to join NBRI programs.

E. Indemnification.
All provisions of the Agreement whereby you indemnify NBRI are hereby waived. Liability of the Agency for any breach of the Agreement or this Amendment or any claim arising from the Agreement or this Amendment, shall be determined under the U.S. Federal Tort Claims Act, or other U.S. governing authority. Liability of NBRI for any breach of the Agreement or this Amendment, or any claim arising from the Agreement or this Amendment, shall be determined by applicable U.S. federal law.

F. Governing law and jurisdiction.
Provisions in the Agreement related to dispute resolution are deleted. In their place, the Agreement and this Amendment shall be governed, interpreted, and enforced in accordance with the federal laws of the United States of America, and jurisdiction shall be in U.S. federal courts. By mutual consent, the Parties may elect to use alternative dispute resolution (ADR) methods. To the extent permitted by U.S. federal law, the laws of the State of Texas will apply in the absence of federal law.

G. Changes to standard Agreement.
NBRI may update or change the Agreement after 30 days’ prior notice to you at the email address you designate on your account details page. You shall notify NBRI of any change in the notification email address during the life of this Amendment.

H. Access and use.
NBRI acknowledges that the Agency’s use of the Services may energize significant citizen engagement. Language in the Agreement allowing NBRI to terminate any Services, or close the Agency’s account, is modified to reflect the Parties’ agreement that NBRI may unilaterally terminate Services and/or terminate the Agency’s account only for breach of the Agency’s obligations under the Agreement or its material failure to comply with the instructions and guidelines posted on the websites of the Services, or if NBRI ceases to operate any Services generally. NBRI will provide the Agency with a reasonable opportunity to cure any breach or failure on the Agency’s part.

I. Provision on crawlers.
Any provision(s) in the Agreement prohibiting “crawling” or “spidering” of any NBRI website, or any similar processes, is amended to allow the Agency to apply such processes solely to its pages, channels, or repositories, and solely to fulfill the Agency’s obligations under the U.S. Federal Records Act or other applicable U.S. federal law or regulation.

J. Ownership of names.
Any provision(s) in the Agreement related to NBRI’s ownership of and right to change your selected user name(s), user ID(s), domain name(s), channel name(s), and group name(s), are modified to reasonably accommodate the Agency’s proprietary, practical, and/or operational interest in its own publicly-recognized name and the names of Agency programs.

K. Modifications of user Content.
NBRI agrees that the right reserved in the Agreement to modify your Content is limited to technical actions necessary to index, format, display, troubleshoot, and make accessible to the public your Content. It does not include the right to substantively edit or otherwise alter the meaning of your Content, other than at your direction. Notwithstanding the foregoing, nothing in this Amendment shall result in an expansion of your rights as a United States Government entity under the Copyright Act of 1976 (17 U.S.C. §§101 et sec.), specifically including Section 105 of the Act.

L. Limitation of liability.
The Parties agree that nothing in the Agreement limiting NBRI’s liability in any way grants NBRI a waiver from, release of, or limitation of liability pertaining to any past, current, or future violation of any applicable U.S. federal law.

M. Uploading, deleting.
The Parties understand and agree that you are not obligated to provide any Content to the Services, and you reserve the right to remove any and all of your Content at your sole discretion, subject to the data deletion and retention practices described in the Privacy Policy.

N. No endorsement.
NBRI agrees that your seals, insignia, trademarks, logos, flags, program identifiers, service marks, trade names, and the fact that you use the Services, shall not be used by NBRI in such a manner as to state or imply that the Services are endorsed, sponsored, or recommended by the Agency or by any other element of the U.S. Federal Government, or are considered by you or these entities to be superior to the products or services of other providers. Except for pages, screens, and other Content whose design and substance is under the control of the Agency, or for links to or promotion of such pages, screens or Content, NBRI agrees not to display any Agency or government seal, insignia, logo, flag, program identifier, service mark, or trade name on the NBRI website, unless permission to do so has been granted by the Agency or by other relevant federal government authority. NBRI may list the Agency’s name in a publicly available customer list so long as the name is not displayed in a more prominent fashion than that of any other third party name.

O. No business relationship created.
The Parties are independent entities and nothing in the Agreement or this Amendment creates an agency, partnership, joint venture, or employer/employee relationship.

P. No cost agreement.
Nothing in the Agreement or this Amendment obligates you to expend appropriations or incur financial obligations. The Parties acknowledge and agree that none of the obligations arising from the Agreement or this Amendment are contingent upon the payment of fees by one party to the other. Despite the foregoing, the provisions in Section R (Separate future action for fee based services) will apply if Agency decides to purchase a Subscription or any other fee-based service provided by NBRI.

Q. Provision of data.
In the case of termination of service by NBRI, within 30 days of such termination NBRI will provide you, at your written request, with all Agency-related user-generated survey content that is publicly visible on the websites of the Services. Data will be provided in a commonly used file or database format as NBRI deems appropriate. NBRI will not provide data if doing so would violate its Privacy Policy. The Agency acknowledges that the backup of Agency-related user-generated Content is the sole responsibility of the Agency. If the Agency cancels its NBRI account, it is the Agency’s sole responsibility to download or export (using the relevant functionality provided by the Services) any survey data from its account that it desires to retain before effecting such cancellation.

R. Separate future action for fee based services.
NBRI provides the Services at a basic level free of charge to the public, but this may change in the future. You acknowledge that while NBRI will provide you with some services and features for free, NBRI reserves the right to begin charging for those services and features at some point in the future. NBRI will provide you with at least 30 days’ advance notice of a change involving the charging of fees for the basic level of service. You also understand that NBRI may currently offer other premium and enterprise services for a fee. The Parties understand that fee-based services are categorically different than free products, and are subject to federal procurement rules and processes. Before the Agency decides to enter into a premium or enterprise subscription, or any other fee-based service that NBRI or alternative providers may offer now or in the future, you agree to determine that the Agency has a need for those additional services for a fee, to consider the subscription’s value in comparison with comparable services available elsewhere, to determine that Agency funds are available for payment, to properly use the Government Purchase Card if that card is used as the payment method, to review any then-applicable Agreement for conformance to federal procurement law, and in all other respects to follow applicable federal acquisition laws, regulations, and agency guidelines when initiating that separate action.

S. Precedence; Further amendment; Termination.
This Amendment constitutes an amendment to the Agreement; any language in the Agreement indicating it may not be modified or that it alone is the entire agreement between the Parties is waived. If there is any conflict between this Amendment and the Agreement, or between this Amendment and other addenda, rules, or policies associated with the Services, this Amendment shall prevail. This Amendment may be further amended only upon written agreement executed by both Parties. The Agency may close the Agency’s account and terminate this Agreement at any time, but the Agency shall not be entitled to a refund of any fees paid.

T. Posting and availability of this Amendment.
This Amendment shall be posted with the Terms of Use posted on the NBRI website either by incorporation of its text or via an integral link. The Parties agree this Amendment contains no confidential or proprietary information, and either Party may release it to the public at large. You may also post it for the benefit of other U.S. Government agencies interested in using the Services on federal informational websites.

U. Security.
NBRI will, in good faith, exercise due diligence using generally accepted commercial business practices for IT security, to ensure that systems are operated and maintained in a secure manner, and that management, operational, and technical controls will be employed to ensure security of systems and data. Recognizing the changing nature of the Web, NBRI will continuously work with users to ensure that its Services meet users’ requirements for the security of systems and data. NBRI agrees to discuss implementing additional security controls as deemed necessary by the Agency to conform to the Federal Information Security Management Act (FISMA), 44 U.S.C. 3541 et seq.

V. Federal records.
The Agency acknowledges that use of the Services may require management of federal records. The Agency and user-generated content may meet the definition of federal records as determined by the Agency. If NBRI holds federal records, the Agency must manage those federal records in accordance with all applicable records management laws and regulations, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), and regulations of the National Archives and Records Administration (NARA) at 36 CFR Chapter XII Subchapter B. Managing the records includes, but is not limited to, secure storage, retrievability, and proper disposition of all federal records including transfer of permanently valuable records to NARA in a format and manner acceptable to NARA at the time of transfer. The Agency is responsible for ensuring that NBRI is compliant with applicable records management laws and regulations through the life and termination of its relationship with NBRI.

W. Assignment.
Neither party may assign its obligations under this Amendment or Agreement to any third party without prior written consent of the other. Despite the foregoing, NBRI may, without the Agency’s consent, assign its obligations under this Amendment or Agreement to an affiliate or to a successor or acquirer, as the case may be, in connection with a merger, acquisition, corporate reorganization or consolidation, or the sale of all or substantially all of NBRI’s assets.

Additional items for discussion and possible inclusion in this Amendment: NBRI understands current federal law, regulation, and policy may affect the Agency’s use of NBRI’s products and services in ways not addressed in the clauses above. Much depends on the nature of the products and services offered by NBRI (which may change from time to time), and how the Agency makes use of those services (which also may change). Among the topics the Agency may seek to discuss with NBRI in the future, and which may lead to an agreement on amendments or additional clauses to this Amendment, are the matters of privacy and accessibility.

15.2.2 Amendment to NBRI Terms of Use (TOU) Applicable to Other Government Entities in the U.S.

This Amendment applies if you are a government, an agency, or other unit of government located in the United States, or a federally recognized Indian tribe (a “Government Entity”), and applies to any Governmental Entity users and accountholders who use or access the Services. This Amendment amends NBRI’s general Terms of Use (the “TOU”) as it pertains to the Government Entity’s use of the Services. This Amendment does not apply to you if the “Amendment to NBRI Terms of Use Applicable to U.S. Government Users and Subscribers” applies to you. Capitalized terms that are not expressly defined in this Amendment have the meanings given to them in the TOU.

The Terms (as defined in the TOU) are amended as follows:

1. Indemnities.
Any provision in the Terms under which the Government Entity indemnifies NBRI are waived. The liability of the Government Entity for any breach of the Terms or any claim arising from the Terms shall be determined under the relevant State Tort Claims Act, or other state governing authority. The liability of NBRI for any breach of the Terms, or any claim arising from the Terms, shall be determined by applicable state law.

2. Governing Law.
If the law establishing or otherwise governing the Government Entity expressly requires the Government Entity to enter into contracts under a particular law and/or prohibits any choice of law provision imposing any law other than the law under which the Government Entity is authorized to act, then all “Governing Law” and “Jurisdiction” clauses in the TOU, and all other provisions related to dispute resolution are deleted. In lieu thereof, the Terms shall be governed, interpreted, and enforced in accordance with the applicable laws of the Government Entity’s state and jurisdiction shall reside in the courts of such state. For the avoidance of doubt, in the absence of applicable law (and unless prohibited by law), the laws of the State of Texas will apply. The Government Entity and NBRI may, by mutual consent, elect to use alternative dispute resolution methods.

15.3. Country-Specific Terms.
If you are located in one of the following locations, the terms thereunder apply (with the exception of section EU2, which applies to you irrespective of geographic location if you are a “data controller” as referred to in the GDPR).

Australia
AU1. ACL.
Nothing in these Terms will restrict, exclude, or modify, or purport to restrict, exclude, or modify, any statutory consumer rights under the Competition and Consumer Act 2010 (Cth).

Brazil
BR1. Additional Responsibilities.
If you are younger than 16 years old, you must be represented by your parents or guardians in order to agree to these Terms and to use the Services. If you are aged 16 or 17, you must be assisted by your parents or guardians to agree to these Terms and to use the Services.

BR2. Right of Withdrawal.
If you are a consumer, you may withdraw your Subscription within 7 days of the date your Subscription first starts by sending us a notice of withdrawal. If you withdraw your Subscription under this Section, the fees you paid for that Subscription will be refunded upon NBRI’s receipt of your notice of withdrawal.

BR3. Consumer Rights.
If you are a consumer: (a) statutory warranties provided in the Law No. 8.078/1990 (“Consumer Protection Code”) apply to you despite anything to the contrary in Section 11.1 (Disclaimers); (b) Section 11.2 (Exclusion of Certain Liability) will not apply to you in relation to the damages caused to you due to defects in the Services, as provided by Article 14 of Law No. 8.078/1990 (“Consumer Protection Code”); and (c) Section 11.3 (Limitation of Liability) will not apply to you.

Europe
EU1. Right of Withdrawal.
If you are a consumer who has signed up for a new, paid NBRI subscription and are located in one of the countries listed below, you have a right to cancel your subscription within 14 calendar days. If you exercise this right, we will refund the subscription fees you have paid and your account will be downgraded to the free plan.

How to Exercise this Right
You must exercise this right of cancellation by sending a written notice of cancellation via email to contact@nbrii.com and include the following information:

• I, [your name], hereby give notice that I would like to cancel my contract of sale for the provision of the NBRI ClearView Service.

• I initially ordered/received the Service on: [MM/DD/YYYY].

• Your account username

• Your address [Name, Street Address, Address Line 2, City, State/Province/Region, Postal/Zip Code, Country]

• Your account username

• Email address

• Phone number (optional)

You don’t need to provide a reason why you’re cancelling, but we’d be interested in hearing why so we can make improvements.

If you sent us notice within the applicable time frame, your subscription payment will be reimbursed within 14 days of sending of the notice of cancellation. If the time period has lapsed, you can still disable auto-renewal on your account and you will not be billed after the current billing cycle.

Applicable Countries
The 14-day time period starts on the date you receive an email confirming your subscription is active. This cancellation policy applies to the following countries:

• Austria
• Belgium
• Bulgaria
• Croatia
• Cyprus
• Czech Republic
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• Ireland
• Italy
• Latvia
• Lithuania
• Luxembourg
• Malta
• The Netherlands
• Poland
• Portugal
• Romania
• Slovakia
• Slovenia
• Spain
• Sweden
• The United Kingdom

EU2. GDPR Terms for Customers
EU 2.1 Effective Date and Definitions.

These additional terms will apply to you from May 25, 2018, where you are a customer operating as a “data controller” of “personal data” of “data subjects” located in the EU (as those terms are defined in the GDPR) in your use of the Services.

The terms “personal data,” “data subject,” “processing,” and “processor” shall have the meanings given to those terms respectively in the GDPR.

EU 2.2 Processing Instruction.
By requesting the Services and agreeing to these Terms and the NBRI privacy policies, you are providing us with instructions to process any personal data collected by you through the Service, on your behalf.

EU 2.3 Customer Obligations.
You shall ensure and hereby warrant and represent that you are entitled to transfer personal data to NBRI so that NBRI may lawfully process and transfer the personal data in accordance with these Terms. You shall ensure that relevant data subjects have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection laws and have sole responsibility for the accuracy, quality and legality of personal data processed by NBRI in the provision of the Services.

EU 2.4 NBRI Obligations.
Where NBRI is processing personal data on your behalf, it will:

(a) only do so on your documented instructions and in accordance with applicable law, including with regard to transfers of personal data to a third country or an international organization, and the parties agree that these terms and the NBRI privacy policies constitute such documented instructions;

(b) ensure that all NBRI personnel involved in the processing of personal data have committed themselves to confidentiality;

(c) where applicable to you and where it is technically feasible, make available information necessary for you to demonstrate compliance with your obligations under Article 28 of the GDPR, where such information is held by NBRI and is not otherwise available to you through your account and user areas or on NBRI websites, provided that you provide NBRI with at least 14 days’ written notice of such an information request;

(d) promptly redirect a data subject to you where they are seeking to exercise their rights in respect of any personal data collected by you through use of the Services, and where the data subject has difficulty reaching you directly, we will assist them in doing so where possible;

(e) upon deletion by you, not retain personal data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes (which are also deleted no later than 9-12 months after data is deleted from an account);

(f) to the extent reasonably able, assist you as reasonably required (at your expense) where you wish to conduct a data protection impact assessment involving the Services; and

(g) inform you immediately if, in our opinion, an instruction to process personal data you have provided infringes the GDPR.

EU 2.5 NBRI sub-processors.
NBRI uses trusted partners in facilitating certain elements of our Services (“sub-processors”). By agreeing to these Terms, you provide a general authorization to NBRI to engage onward sub-processors, subject to compliance with the requirements set out here.

EU 2.6 Liability.
NBRI will be liable for the acts and omissions of its sub-processors to the same extent NBRI would be liable if performing the services of each of those sub-processors directly under these Terms, except as otherwise set forth in these Terms and NBRI ensures that all sub-processors are bound by contractual terms that are in all material respects no less onerous than those contained in these Terms.

EU 2.7 Security Measures.
NBRI has, taking into account the state of the art, cost of implementation and the nature, scope, context and purposes of the Services and the level of risk, implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of unauthorized or unlawful processing, accidental loss of and/or damage to your personal data. At reasonable intervals, NBRI tests and evaluates the effectiveness of these technical and organizational measures for ensuring the security of the processing.

EU 2.8 Audits.
You will allow one month for NBRI to respond to any audit request which you make. No person/party conducting an audit on your behalf, shall be, or shall act on behalf of, a competitor of NBRI (“Auditor”). You will only be entitled to conduct an audit once per year (during the course of a 12 month subscription) unless otherwise legally compelled or required by a regulator with established authority over you to perform or facilitate the performance of more than 1 audit in that same year (in which circumstances you and NBRI will, in advance of any such audits, agree upon a reasonable reimbursement rate for NBRI’s audit expenses). The scope of an audit will be as follows (unless you are compelled by a regulator with authority over the processing activities involving the Services to vary this format for audit):

(a) NBRI agrees, subject to any appropriate and reasonable confidentiality restrictions, to provide evidence of any certifications and compliance standards it maintains and will, on request, make available to you an executive summary of NBRI’s most recent penetration tests, which summary shall include remedial actions taken by NBRI resulting from such penetration tests.

(b) The scope of the certifications and penetration tests provided will be limited to NBRI systems, processes, and documentation relevant to the processing and protection of personal data undertaken for the Services obtained by you, and Auditor will conduct audits subject to any appropriate and reasonable confidentiality restrictions requested by NBRI.

(c) You will promptly notify and provide NBRI with full details regarding any perceived non-compliance or security concerns discovered during the course of an audit.

The parties agree that, except as otherwise required by order or other binding decree of a regulator with authority over you, this section sets out the entire scope of your audit rights of NBRI.

EU 2.9 International Transfer.
To the extent applicable, NBRI relies (in order of precedence) upon (i) NBRI’s Privacy Shield certification; (ii) standard contractual clauses, for data transfer to the United States. NBRI also relies on standard contractual clauses for data transfers to other third parties based in countries outside the European Economic Area, the United States, or countries that do not have adequate levels of data protection as determined by the European Commission.

EU 2.10 Liability for Data Processing.
The parties’ respective aggregate liability whether in contract, tort (including negligence), breach of statutory duty, or otherwise for any and all claims arising out of or in connection with this Section EU2 shall be as set out in these terms, unless otherwise agreed in writing.

France
FR1. Overdue Payments.
Overdue payments may result in a penalty at an interest rate equal to 3 times the legal interest rate or the statutory minimum rate, whichever is higher. Additionally, the statutory penalty for collection costs may be payable by you in the event of late payment.

FR2. Right of Withdrawal.
If you are a consumer, starting from the date your Subscription first starts, you have 14 days to exercise your right of withdrawal without cause, provided that you have not benefited from or started to use the Services before the end of that 14 day period.

FR3. Media.
The limited license you grant to NBRI under Section 3.2 (Limited License to Your Content) allows NBRI to exploit your Content in any form and on any medium, including paper or digital media such as hard disks and flash drives, and by any means or process, including by wired, wireless, or online transmission of digitized or analog data. The duration of such limited license extends only for the legal term of protection of the intellectual property rights attached to your Content.

FR4. Warranties.
If you are a consumer, statutory warranties and the warranty of merchantability apply to you despite anything to the contrary in these Terms. Any disclaimer of warranties in these Terms does not derogate from any of your statutory warranty rights listed below:

Article R. 211-4 of the French Consumer Code: “In contracts entered into between professionals, on the one hand, and, on the other hand, non-professionals or consumers, the professionals cannot contractually warrant the item to be delivered or the service to be rendered without clearly stating that, whatever the circumstances, the legal warranty binding the professional seller to cover the purchaser against any consequences of faults or hidden defects in the item being sold or the service being rendered, applies.”

Article L. 211-4 of the French Consumer Code: “The seller is required to deliver a product which is conformed to the contract and is held liable for any lack of conformity which exists upon delivery. He is also held liable for any lack of conformity caused by the packaging or the assembly instructions, or the installation if he assumed responsibility therefor or had it carried out under his responsibility.”

Article L. 211-5 of the French Consumer Code: “To be in conformity with the contract, the product must: (1) be suitable for the purpose usually associated with such a product and, if applicable: correspond to the description given by the seller and have the features that the seller presented to the buyer in the form of a sample or model; [and] have the features that a buyer might reasonably expect it to have considering the public statements made by the seller, the producer or his representative, including advertising and labeling; or (2) have the features defined by mutual agreement between the parties or be suitable for any special requirement of the buyer which was made known to the seller and which the latter agreed to.”

Article L. 211-12 of the French Consumer Code: “Action resulting from lack of conformity lapses two years after delivery of the product.”

Article 1641 of the French Civil Code: “A seller is bound to a warranty on account of the latent defects of the product sold which render it unfit for the use for which it was intended, or which so impair that use that the buyer would not have acquired it, or would only have given a lesser price for it, had he known of them.”

Article 1648 §1 of the French Civil Code: “The action resulting from redhibitory vices must be brought by the buyer within a period of two years following the discovery of the vice”.

FR5. Limitation.
Section 11.3 (Limitation of Liability) does not apply to you if you are a consumer.

Germany
DE1. Right of Withdrawal.
If you are a consumer, you may withdraw your contractual declaration within 14 days without giving reasons in text form (e.g. by mail, fax, email). The time period commences upon your receipt of this information notice in textual form, but not before the conclusion of the contract and also not before we have met our information requirements as set forth under Article 246 § 2 in conjunction with § 1 paragraph 1 and 2 of the Introductory Act to the German Civil Code and our information requirements under § 312 g paragraph 1, first sentence German Civil Code in conjunction with Article 246 § 3 of the Introductory Act to the German Civil Code. Punctual dispatch of the declaration of withdrawal suffices to observe the withdrawal period. The declaration of withdrawal has to be directed to our customer support team by email at contact@nbrii.com.

DE2. Consequences of Withdrawal.
In the case of a valid withdrawal, the mutually received deliverables will be returned and any benefits obtained, if any (e.g. interest), will be handed over. To the extent that you are unable to return or, where applicable, to deliver up the received deliverable and benefits obtained (e.g. use and enjoyment) in whole or in part, or only in a deteriorated condition, you may have to compensate us accordingly for loss of value, if any. This may possibly lead to the result that you will nevertheless have to fulfill the contractually owed payment obligations for the time period until withdrawal. Any obligation to reimburse payments must be fulfilled within 30 days. The period for the payment of costs will begin, in your case, with the dispatch of your declaration of withdrawal and in our case, upon receipt of same.

DE3. Special Notifications.
Your right of withdrawal expires prematurely if the contractual relationship was fully discharged by both sides at your explicit request before you have exercised your right of withdrawal.

DE4. Termination for Breach.
A failure to comply with these Terms must be material, repeated, or persistent before NBRI may exercise its right of termination under Section 9.2 (By NBRI).

DE5. Specific Works.
NBRI is not obliged to create any specific works for you.

DE6. Liability Provisions.
Sections 11.2 (Exclusion of Certain Liability) and 11.3 (Limitation of Liability) do not apply and are replaced with the following: “NBRI’s liability to you for damages caused by slight negligence will, irrespective of its legal ground, be limited as follows: (a) NBRI will be liable up to the amount of foreseeable damages typical for this type of contract for a breach of material contractual obligations; and (b) NBRI will not be liable for a breach of any non-material contractual obligations nor for the slightly negligent breach of any other applicable duty of care. The above limitations of liability, as well as any other limitations of liability contained in these Terms, will not apply to any mandatory statutory liability, in particular to liability under the German Product Liability Act (Produkthaftungsgesetz), and liability for culpably caused personal injuries. Additionally, such limitations of liability will not apply if and to the extent that NBRI has assumed a specific guarantee. The above will apply accordingly to NBRI’s liability to you for futile expenses. You are obliged to take adequate measures to avert and reduce damages.”

Japan
JP1. Privacy Disclosures.
You agree that you are responsible for notifying the respondents of any surveys that you create through the Services about how NBRI may use the respondents’ survey responses and personal data as described in the privacy policies and obtaining a prior consent for disclosing personal data to NBRI from the respondents of your surveys.

JP2. Liability.
Sections 11.2 (Exclusion of Certain Liability) and 11.3 (Limitation of Liability) will not apply in relation to the damages caused by the willful misconduct or gross negligence of NBRI, its affiliates, officers, employees, agents, supplier, or licensors.

Korea
KR1. Right of Withdrawal.
If you are a consumer, you may withdraw your Subscription within 7 days of the date your Subscription first starts (or the date a copy of these Terms are made available to you, if later), provided that you have not benefited from or started to use the Services before the end of that 7 day period. If you withdraw your Subscription under this paragraph, the fees you paid for that Subscription will be refunded within 3 business days of receiving your notice of withdrawal.

KR2. Assignment.
Despite anything to the contrary in these Terms, if you are a consumer, we will provide you with advance notice of assignment and an opportunity to terminate these Terms as required by Korean law.

Luxembourg
LU1. Survival.
Sections of these Terms which are expressly stated to survive its termination will not survive indefinitely, but survive for a period of 30 years.

16. Exhibit A. Data Processing Agreement

PERSONAL DATA PROCESSING AGREEMENT FOR NBRI SERVICES

This Data Processing Addendum (“DPA”) is entered into BETWEEN (1) Customer; and (2) NBRI.

1. BACKGROUND
(a) Purpose and Application. This document is incorporated into the Agreement and forms part of a written (including in electronic form) contract between NBRI and Customer. This DPA applies to Personal Data processed by NBRI and its Subprocessors in connection with its provision of the Service. This DPA does not apply to non-production environments of the Service if such environments are made available by NBRI, and Customer shall not store Personal Data in such environments.

(b) Structure. Appendices 1 and 2 are incorporated into and form part of this DPA. They set out the agreed subject-matter, the nature and purpose of the processing, the type of Personal Data, categories of data subjects and the applicable technical and organizational measures.

(c) GDPR. NBRI and Customer agree that it is each party’s responsibility to review and adopt requirements imposed on Controllers and Processors by the General Data Protection Regulation 2016/679 (“GDPR”), in particular with regards to Articles 28 and 32 to 36 of the GDPR, if and to the extent applicable to Personal Data of Customer/Controllers that is processed under the DPA. For illustration purposes, Appendix 3 lists the relevant GDPR requirements and the corresponding sections in this DPA.

(d) Governance. NBRI acts as a Processor and Customer and those entities that it permits to use the Service act as Controllers under the DPA. Customer acts as a single point of contact and is solely responsible for obtaining any relevant authorizations, consents, and permissions for the processing of Personal Data in accordance with this DPA, including, where applicable approval by Controllers to use NBRI as a Processor. Where authorizations, consent, instructions, or permissions are provided by Customer these are provided not only on behalf of the Customer but also on behalf of any other Controller using the Service. Where NBRI informs or gives notice to Customer, such information or notice is deemed received by those Controllers permitted by Customer to use the Service and it is Customer’s responsibility to forward such information and notices to the relevant Controllers.

2. SECURITY OF PROCESSING
(a) Appropriate Technical and Organizational Measures. NBRI has implemented and will apply the technical and organizational measures set forth in Appendix 2. Customer has reviewed such measures and agrees that as to the Service selected by Customer the measures are appropriate taking into account the state of the art, the costs of implementation, nature, scope, context and purposes of the processing of Personal Data.

(b) Changes. NBRI applies the technical and organizational measures set forth in Appendix 2 to NBRIs’ entire customer base hosted out of the same Data Center and receiving the same Service. NBRI may change the measures set out in Appendix 2 at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.

3. NBRI OBLIGATIONS
(a) Instructions from Customer. NBRI will process Personal Data only in accordance with documented instructions from Customer. The Agreement (including this DPA) constitutes such documented initial instructions and each use of the Service then constitutes further instructions. NBRI will use reasonable efforts to follow any other Customer instructions, as long as they are required by Data Protection Law, technically feasible, and do not require changes to the Service. If any of the before-mentioned exceptions apply, or NBRI otherwise cannot comply with an instruction or is of the opinion that an instruction infringes Data Protection Law, NBRI will immediately notify Customer (email permitted).

(b) Processing on Legal Requirement. NBRI may also process Personal Data where required to do so by applicable law. In such a case, NBRI shall inform Customer of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.

(c) Personnel. To process Personal Data, NBRI and its Subprocessors shall only grant access to authorized personnel who have committed themselves to confidentiality.

(d) Cooperation. At Customer’s request, NBRI will reasonably cooperate with Customer and Controllers in dealing with requests from Data Subjects or regulatory authorities regarding NBRIs’ processing of Personal Data or any Personal Data Breach. NBRI shall notify the Customer as soon as reasonably practical about any request it has received from a Data Subject in relation to the Personal Data processing, without itself responding to such request without Customer’s further instructions, if applicable. NBRI shall provide functionality that supports Customer’s ability to correct or remove Personal Data from the Service, or restrict its processing in line with Data Protection Law. Where such functionality is not provided, NBRI will correct or remove any Personal Data, or restrict its processing, in accordance with the Customer’s instruction and Data Protection Law.

(e) Personal Data Breach Notification. NBRI will notify Customer without undue delay after becoming aware of any Personal Data Breach and provide reasonable information in its possession to assist Customer to meet Customer’s obligations to report a Personal Data Breach as required under Data Protection Law. NBRI may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by NBRI.

(f) Data Protection Impact Assessment. If, pursuant to Data Protection Law, Customer (or its Controllers) are required to perform a data protection impact assessment or prior consultation with a regulator, at Customer’s request, NBRI will provide such documents as are generally available for the Service (for example, this DPA, the Agreement, audit reports or certifications). Any additional assistance shall be mutually agreed between the Parties.

4. DATA EXPORT AND DELETION
(a) Export and Retrieval by Customer. During the Subscription Term and subject to the Agreement, Customer can access its Personal Data at any time. Customer may export and retrieve its Personal Data in a standard format. Export and retrieval may be subject to technical limitations, in which case NBRI and Customer will find a reasonable method to allow Customer access to Personal Data.

(b) Deletion. Before the Subscription Term expires, Customer may use NBRIs’ self-service export tools (as available) to perform a final export of Personal Data from the Service (which shall constitute a “return” of Personal Data). At the end of the Subscription Term, Customer hereby instructs NBRI to delete the Personal Data remaining on servers hosting the Service within a reasonable time period in line with Data Protection Law unless applicable law requires retention.

5. CERTIFICATIONS AND AUDITS
(a) Customer Audit. Customer or its independent third party auditor reasonably acceptable to NBRI (which shall not include any third party auditors who are either a competitor of NBRI or not suitably qualified or independent) may audit NBRIs’ control environment and security practices relevant to Personal Data processed by NBRI only if:

1. NBRI has not provided sufficient evidence of its compliance with the technical and organizational measures that protect the production systems of the Service through providing applicable documentation;

2. A Personal Data Breach has occurred;

3. An audit is formally requested by Customer’s data protection authority; or

4. Mandatory Data Protection Law provides Customer with a direct audit right and provided that Customer shall only audit once in any twelve month period unless mandatory Data Protection Law requires more frequent audits.

(b) Other Controller Audit. Any other Controller may audit NBRIs’ control environment and security practices relevant to Personal Data processed by NBRI in line with Section 5.1 only if any of the cases set out in Section 5.1 applies to such other Controller. Such audit must be undertaken through and by Customer as set out in Section 5.1 unless the audit must be undertaken by the other Controller itself under Data Protection Law. If several Controllers whose Personal Data is processed by NBRI on the basis of the Agreement require an audit, Customer shall use all reasonable means to combine the audits and to avoid multiple audits.

(c) Scope of Audit. Customer shall provide at least sixty days advance notice of any audit unless mandatory Data Protection Law or a competent data protection authority requires shorter notice. The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith. Customer audits shall be limited in time to a maximum of three business days. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. Customer shall provide the results of any audit to NBRI.

(d) Cost of Audits. Customer shall bear the costs of any audit unless such audit reveals a material breach by NBRI of this DPA, then NBRI shall bear its own expenses of an audit. If an audit determines that NBRI has breached its obligations under the DPA, NBRI will promptly remedy the breach at its own cost.

6. SUBPROCESSORS
(a) Permitted Use. NBRI is granted a general authorization to subcontract the processing of Personal Data to Subprocessors, provided that:

1. NBRI shall engage Subprocessors under a written (including in electronic form) contract consistent with the terms of this DPA in relation to the Subprocessor’s processing of Personal Data. NBRI shall be liable for any breaches by the Subprocessor in accordance with the terms of this Agreement;

2. NBRI will evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection to establish that it is capable of providing the level of protection of Personal Data required by this DPA; and

3. NBRIs’ list of Subprocessors in place on the effective date of the Agreement is published by NBRI or NBRI will make it available to Customer, upon request including the name, address and role of each Subprocessor NBRI uses to provide the Service.

2. New Subprocessors. NBRIs’ use of Subprocessors is at its discretion, provided that:

(a) NBRI will inform Customer in advance (by posting within the Service) of any intended additions or replacements to the list of Subprocessors including name, address and role of the new Subprocessor; and

(b) Customer may object to such changes as set out in Section 6.3

3. Objections to New Subprocessors.
(a) If Customer has a legitimate reason under Data Protection Law to object to the new Subprocessors’ processing of Personal Data, Customer may terminate the Agreement (limited to the Service for which the new Subprocessor is intended to be used) on written notice to NBRI. Such termination shall take effect at the time determined by the Customer which shall be no later than thirty days from the date of NBRIs’ notice to Customer informing Customer of the new Subprocessor. If Customer does not terminate within this thirty day period, Customer is deemed to have accepted the new Subprocessor.

(b) Within the thirty day period from the date of NBRIs’ notice to Customer informing Customer of the new Subprocessor, Customer may request that the parties come together in good faith to discuss a resolution to the objection. Such discussions shall not extend the period for termination and do not affect NBRIs’ right to use the new Subprocessor(s) after the thirty day period.

(c) Any termination under this Section 6.3 shall be deemed to be without fault by either party and shall be subject to the terms of the Agreement.

4. Emergency Replacement. NBRI may replace a Subprocessor without advance notice where the reason for the change is outside of NBRIs’ reasonable control and prompt replacement is required for security or other urgent reasons. In this case, NBRI will inform Customer of the replacement Subprocessor as soon as possible following its appointment. Section 6.3 applies accordingly.

7. INTERNATIONAL PROCESSING
(a) Conditions for International Processing. NBRI shall be entitled to process Personal Data, including by using Subprocessors, in accordance with this DPA outside the country in which the Customer is located as permitted under Data Protection Law.

(b) Standard Contractual Clauses. Where (i) Personal Data of an EEA or Swiss based Controller is processed in a country outside the EEA, Switzerland and any country, organization, or territory acknowledged by the European Union as a safe country with an adequate level of data protection under Art. 45 GDPR, or where (ii) Personal Data of another Controller is processed internationally and such international processing requires an adequacy means under the laws of the country of the Controller and the required adequacy means can be met by entering into Standard Contractual Clauses, then:

1. NBRI and Customer enter into the Standard Contractual Clauses;

2. Customer enters into the Standard Contractual Clauses with each relevant Subprocessor as follows, either (i) Customer joins the Standard Contractual Clauses entered into by NBRI and the Subprocessor as an independent owner of rights and obligations (“Accession Model”) or, (ii) the Subprocessor (represented by NBRI) enters into the Standard Contractual Clauses with Customer (“Power of Attorney Model”). The Power of Attorney Model shall apply if and when NBRI has expressly confirmed that a Subprocessor is eligible for it through the Subprocessor list provided under Section 6.1(c), or a notice to Customer; and/or

3. Other Controllers whose use of the Service has been authorized by Customer under the Agreement may also enter into Standard Contractual Clauses with NBRI and/or the relevant Subprocessors in the same manner as Customer in accordance with Sections 7.(a) (1) and (2) above. In such case, Customer will enter into the Standard Contractual Clauses on behalf of the other Controllers.

3. Relation of the Standard Contractual Clauses to the Agreement. Nothing in the Agreement shall be construed to prevail over any conflicting clause of the Standard Contractual Clauses. For the avoidance of doubt, where this DPA further specifies audit and subprocessor rules in sections 5 and 6, such specifications also apply in relation to the Standard Contractual Clauses.

4. Governing Law of the Standard Contractual Clauses. The Standard Contractual Clauses shall be governed by the law of the country in which the relevant Controller is incorporated.

8. DOCUMENTATION; RECORDS OF PROCESSING
Each party is responsible for its compliance with its documentation requirements, in particular maintaining records of processing where required under Data Protection Law. Each party shall reasonably assist the other party in its documentation requirements, including providing the information the other party needs from it in a manner reasonably requested by the other party (such as using an electronic system), in order to enable the other party to comply with any obligations relating to maintaining records of processing.

9. DEFINITIONS
Capitalized terms not defined herein will have the meanings given to them in the Agreement.

(a) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; for the purposes of this DPA, where Customer acts as processor for another controller, it shall in relation to NBRI be deemed as additional and independent Controller with the respective controller rights and obligations under this DPA.

(b) “Data Center” means the location where the production instance of the Service is hosted for the Customer.

(c) “Data Protection Law” means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement (and includes, as far as it concerns the relationship between the parties regarding the processing of Personal Data by NBRI on behalf of Customer, the GDPR as a minimum standard, irrespective of whether the Personal Data is subject to GDPR or not).

(d) “Data Subject” means an identified or identifiable natural person as defined by Data Protection Law.

(e) “EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein, and Norway.

(f) “Personal Data” means any information relating to a Data Subject which is protected under Data Protection Law. For the purposes of the DPA, it includes only personal data which is (1) entered by Customer or its Authorized Users into or derived from their use of the Service, or (2) supplied to or accessed by NBRI or its Subprocessors in order to provide support under the Agreement. Personal Data is a sub-set of Customer Data (as defined under the Agreement).

(g) “Personal Data Breach” means a confirmed (1) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized third-party access to Personal Data or (2) similar incident involving Personal Data, in each case for which a Controller is required under Data Protection Law to provide notice to competent data protection authorities or Data Subjects.

(h) “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller, be it directly as processor of a controller or indirectly as subprocessor of a processor which processes personal data on behalf of the controller.

(i) “Standard Contractual Clauses” or sometimes also referred to the “EU Model Clauses” means the (Standard Contractual Clauses (processors)) or any subsequent version thereof published by the European Commission (which will automatically apply). The Standard Contractual Clauses current as of the effective date of the Agreement are attached hereto as Appendix 4.

(j) “Subprocessor” means NBRI affiliates and third parties engaged by NBRI in connection with the Service and which process Personal Data in accordance with this DPA.

Appendix 1 to the DPA and, if applicable, the Standard Contractual Clauses

Data Exporter
The Data Exporter is the Customer who subscribed to a Service that allows Authorized Users to enter, amend, use, delete, or otherwise process Personal Data. Where the Customer allows other Controllers to also use the Service, these other Controllers are also Data Exporters.

Data Importer
NBRI and its Subprocessors provide the Service that includes the following support: NBRI and its Affiliates support the Service data centers remotely from NBRIs’ locations. Support includes:

• Monitoring the Service

• Backup & restoration of Customer Data stored in the Service

• Release and development of fixes and upgrades to the Service

• Monitoring, troubleshooting and administering the underlying Service infrastructure and database

• Security monitoring, network-based intrusion detection support, penetration testing

NBRI and its Affiliates provide support when a Customer requests support because the Service is not available or not working as expected for some or all Authorized Users. NBRI answers phones and performs basic troubleshooting, and handles support tickets in a tracking system that is separate from the production instance of the Service.

Data Subjects
The Data Exporter solely determines the categories of Data Subjects which may include: employees, contractors, business partners, or other individuals having Personal Data stored in the Service.

Data Categories
Customer solely determines the categories of data per Service subscribed. Customer can configure the data fields during implementation of the Service or as otherwise provided by the Service. The transferred Personal Data typically relates to the following categories of data: name, phone numbers, e-mail address, time zone, address data, system access / usage / authorization data, company name, contract data, invoice data, plus any application-specific data that Authorized Users enter into the Service.

Special Data Categories (if appropriate)
The transferred Personal Data concerns special categories of data as set out in the Agreement, if any.

Processing Operations / Purposes
The transferred Personal Data is subject to the following basic processing activities:

• use of Personal Data to set up, operate, monitor, and provide the Service (including operational and technical Support)

• provision of Services;

• communication to Authorized Users

• storage of Personal Data in dedicated Data Centers (multi-tenant architecture)

• upload any fixes or upgrades to the Service

• back up of Personal Data

• computer processing of Personal Data, including data transmission, data retrieval, data access

• network access to allow Personal Data transfer

• execution of instructions of Customer in accordance with the Agreement.

Appendix 2 to the DPA and, if applicable, the Standard Contractual Clauses – Technical and Organizational Measures

1. TECHNICAL AND ORGANIZATIONAL MEASURES The following sections define NBRIs’ current technical and organizational measures. NBRI may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data.

(a) Physical Access Control. Unauthorized persons are prevented from gaining physical access to premises, buildings, or rooms where data processing systems that process and/or use Personal Data are located. Measures:

• NBRI protects its assets and facilities using the appropriate means.

• In general, buildings are secured through access control systems (e.g., smart card access system).

• As a minimum requirement, the outermost entrance points of the building must be fitted with a certified key system including modern, active key management.

• Depending on the security classification, buildings, individual areas, and surrounding premises may be further protected by additional measures. These include specific access profiles, video surveillance, intruder alarm systems, and biometric access control systems.

• Access rights are granted to authorized persons on an individual basis according to system and data access control measures. This also applies to visitor access. Guests and visitors to NBRI buildings must register their names at reception and must be accompanied by authorized NBRI personnel.

• NBRI employees and external personnel must wear their ID cards at all NBRI locations.

Additional measures for Data Centers:

• All Data Centers adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms, and other measures to prevent equipment and Data Center facilities from being compromised. Only authorized representatives have access to systems and infrastructure within the Data Center facilities. To protect proper functionality, physical security equipment (e.g., motion sensors, cameras, etc.) undergo maintenance on a regular basis.

• NBRI and all third-party Data Center providers log the names and times of authorized personnel entering NBRIs’ private areas within the Data Centers.

2. System Access Control. Data processing systems used to provide the Service must be prevented from being used without authorization. Measures:

• Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Authorizations are managed via defined processes.

• All personnel access NBRIs’ systems with a unique identifier (user ID).

• NBRI has procedures in place so that requested authorization changes are implemented only in accordance with the NBRI security policies (for example, no rights are granted without authorization). In case personnel leave the company, their access rights are revoked.

• NBRI has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis, and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change at regular intervals in compliance with the requirements for complex passwords. Each computer has a password-protected screensaver.

• The company network is protected from the public network by firewalls.

• NBRI uses up–to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.

• Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to NBRIs’ corporate network and critical infrastructure is protected by strong authentication.

3. Data Access Control. Persons entitled to use data processing systems gain access only to the Personal Data that they have a right to access, and Personal Data must not be read, copied, modified, or removed without authorization in the course of processing, use, and storage. Measures:

• As part of NBRI security policeis, Personal Data requires at least the same protection level as “confidential” information.

• Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. NBRI uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the NBRI security policies.

• All production servers are operated in the Data Centers or in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, NBRI conducts internal and external security checks and penetration tests on its IT systems.

• An NBRI security standard governs how data and data carriers are deleted or destroyed once they are no longer required.

4. Data Transmission Control. Except as necessary for the provision of the Service in accordance with the Agreement, Personal Data must not be read, copied, modified, or removed without authorization during transfer. Where data carriers are physically transported, adequate measures are implemented at NBRI to provide the agreed-upon service levels (for example, encryption and lead-lined containers). Measures:

• Personal Data in transfer over NBRI internal networks is protected according to NBRI security policies.

• When data is transferred between NBRI and its customers, the protection measures for the transferred Personal Data are mutually agreed upon and made part of the relevant agreement. This applies to both physical and network based data transfer. In any case, the Customer assumes responsibility for any data transfer once it is outside of NBRI-controlled systems (e.g. data being transmitted outside the firewall of the NBRI Data Center).

5. Data Input Control. It is possible to retrospectively examine and establish whether and by whom Personal Data have been entered, modified, or removed from NBRI data processing systems. Measures:

• NBRI only allows authorized personnel to access Personal Data as required in the course of their duty.

• NBRI has implemented a logging system for input, modification and deletion, or blocking of Personal Data by NBRI or its subprocessors within the Service to the extent technically possible.

6. Job Control. Personal Data being processed on commission (i.e., Personal Data processed on a customer’s behalf) is processed solely in accordance with the Agreement and related instructions of the customer. Measures:

• NBRI uses controls and processes to monitor compliance with contracts between NBRI and its customers, subprocessors, or other service providers.

• As part of the NBRI security policies, Personal Data requires at least the same protection level as “confidential” information.

• All NBRI employees and contractual subprocessors or other service providers are contractually bound to respect the confidentiality of all sensitive information including trade secrets of NBRI customers and partners.

7. Availability Control. Personal Data is protected against accidental or unauthorized destruction or loss. Measures:

• NBRI employs regular backup processes to provide restoration of business-critical systems as and when necessary.

• NBRI uses uninterruptable power supplies (for example: UPS, batteries, generators, etc.) to protect power availability to the Data Centers.

• NBRI has defined business contingency plans for business-critical processes and may offer disaster recovery strategies for business critical Services as further set out in the Documentation or incorporated into orders for the relevant Service.

• Emergency processes and systems are regularly tested.

8. Data Separation Control. Measures:

• NBRI uses the technical capabilities of the deployed software (for example: multi- tenancy, system landscapes) to achieve data separation among Personal Data originating from multiple customers.

• Customer (including its Controllers) has access only to its own data.

9. Data Integrity Control. Personal Data will remain intact, complete, and current during processing activities. Measures: NBRI has implemented a multi-layered defense strategy as a protection against unauthorized modifications. In particular, NBRI uses the following to implement the control and measure sections described above:

• Firewalls

• Security Monitoring Center

• Antivirus software

• Backup and recovery

• External and internal penetration testing

• Regular internal audits to prove security measures

Appendix 3

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

(Pursuant to Commission Decision of 5 February 2010 (2010/87/EU))

For the purposes of Article 26(2) of Directive 95/46/EC (or, after 25 May 2018, Article 44 et seq. of Regulation 2016/79) for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Customer also on behalf of the other Controllers

(in the Clauses hereinafter referred to as the ‘data exporter’)

and

NBRI

(in the Clauses hereinafter referred to as the ‘data importer’)

each a ‘party’; together ‘the parties’

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1
Definitions
For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

(a) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

(b) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(b), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

(c) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

(d) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

2. any accidental or unauthorised access; and

3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

(a) The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

(b) If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub- processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

(c) If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs (a) and (b), arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

(a) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

2. to refer the dispute to the courts in the Member State in which the data exporter is established.

(b) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

(a) The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

(b) The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

(c) The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9
Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Sub-processing

(a) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub- processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

(b) The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(c) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

(d) The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data-processing services

(a) The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

(b) The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.