Uptick Service Agreement

Previous Update: May 18th, 2020

Updated: July 13th, 2020

This Uptick Service Agreement (“Service Agreement”) describes your rights and responsibilities as a customer of our Services.

These Terms are between you and Uptick Labs Inc., a Delaware corporation (“Uptick”, “Provider”) located at 44 Montgomery Street, Suite 300, San Francisco, CA 94104. “You” or “Customer” means the company you represent is accepting this Service Agreement or, if that does not apply, then you individually. If You are accepting on behalf of your employer or another company, then You represent that You: (i) have full authority to bind your employer or company to this Service Agreement; and (ii) agree to this Service Agreement on behalf of your employer or company. The exception to this is if your employer or company has a separate written agreement with Uptick covering the use of the Services, in which case that agreement governs.

If You do not have the legal authority to bind your employer or company (or do not agree with this Service Agreement), then do not click the “submit” button (or similar “I agree” checkbox) and do not use the Services.

To be eligible to register for an Uptick account, You must review and accept this Service Agreement. You may accept this Service Agreement by: (1) clicking a box indicating acceptance (such as a “I accept” or “submit” button); (2) executing an applicable order form that references this Service Agreement (each an “Order Form”).

This Services Agreement was last updated on July 13th, 2020. It is effective between You and Uptick as of the date of You accepting this Service Agreement.

1.  Access and Use.

(a)  Provision of Access. Subject to Customer’s full compliance with all terms and conditions of this Agreement, Provider hereby grants Customer a non-exclusive, non-transferable license to access and use the Services during the Term, solely by Authorized Users set forth in the applicable Order Form, for Customer’s internal use and in accordance with Provider’s documentation to the Services (“Documentation”). Provider shall provide to Customer the necessary user information and network links or connections to allow Customer to access the Services. Provider may in its sole discretion modify, enhance or otherwise change the Services, provided that such changes do not materially limit or adversely affect the Services provided to Customer hereunder.

(b)  Use Restrictions. Customer shall not, directly or indirectly: (i) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to or attempt to discover the source code, object code or underlying structure, ideas or algorithms of the Services or any software, Documentation or data related to the Services (“Software”) (provided that reverse engineering is prohibited only to the extent such prohibition is not contrary to applicable law); (ii) copy, modify, translate, or create derivative works of the Services or Software, in whole or in part; (iii) use or access the Services or Software for timesharing or service bureau purposes or for any purpose other than for the internal benefit of Customer as set forth in this Agreement; (iv) rent, lease, lend, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available the Services or Software; (v) remove any product identification, proprietary, copyright or other notices from the Services or Software; (v) use the Services or Software in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any person, or that violates any applicable laws or regulations (including but not limited to any privacy laws, and laws or regulations concerning intellectual property, consumer and child protection, obscenity or defamation); or (vi) permit any third party to do any of the foregoing. Customer will use reasonable efforts to prevent any unauthorized use of the Services or the Software and will promptly notify Provider of any unauthorized use that comes to Customer’s attention and provide all reasonable cooperation to prevent and terminate such use. 

(d)  Reservation of Rights. Except for the limited rights and licenses expressly granted under this Agreement, nothing in this Agreement grants, by implication, waiver, estoppel, or otherwise, to Customer or any third party any intellectual property rights or other right, title, or interest in or to the Provider IP.

(e) Suspension. Notwithstanding anything to the contrary in this Agreement, Provider may temporarily suspend Customer’s and any Authorized End User’s access to any portion or all of the Services if Provider reasonably determines that there is a threat or attack on any of the Provider IP (“Suspension”). Provider shall use commercially reasonable efforts to provide prior notice of any Suspension to Customer and to provide updates regarding resumption of access to the Services following any Suspension. Provider will have no liability for any damage, liabilities, losses (including any loss of data or profits), or any other consequences that Customer or any Authorized User may incur as a result of a Service Suspension.

2.  Customer Data Security.

Provider will maintain commercially reasonable administrative, physical and technical safeguards for the Services to protect against the accidental or unauthorized access, use, alteration or disclosure of Customer Data properly uploaded to the Services and processed or stored on a computer and/or computer network owned or controlled by Provider in connection with the Services.

If, at any time, Provider fails to comply with this Section, Customer may promptly notify Provider in writing of any such noncompliance. Provider will, within thirty (30) days of receipt of such written notification, either correct the noncompliance or provide Customer with a plan for correcting the noncompliance. If the noncompliance is not corrected or if a reasonably acceptable plan for correcting them is not established during such period, Customer may terminate this Agreement as its sole and exclusive remedy for such noncompliance. Provider will use commercially reasonably efforts to manage Customer Data in accordance with the Information Security Policy set forth in Exhibit A and the Data Processing Addendum set forth in Exhibit B.

3.  Customer Responsibilities. 

(a)  General. Customer is responsible and liable for all uses of the Services and Documentation resulting from access provided by Customer, including all acts and omissions of Authorized Users. Customer shall make all Authorized Users aware of this Agreement’s provisions as applicable to such Authorized User’s use of the Services and shall cause Authorized Users to comply with such provisions.

(b)  Third-Party Products. Provider may from time to time make third-party products provided with or incorporated into the Services (“Third-Party Products”) available to Customer. For purposes of this Agreement, such Third-Party Products are subject to their own terms and conditions and the applicable flow through provisions.

4.  Fees and Payment.

(a)  Fees. Customer shall pay Provider the fees (“Fees”) as set forth in the applicable Order Form without offset or deduction. Customer shall make all payments hereunder in US dollars on or before the due date set forth in applicable Order Form. If Customer use of the Services exceeds the Service Capacity set forth on the applicable Order Form, Customer will be invoiced at the end of each calendar month for the excess usage over the Service Capacity, at the rate set forth on the applicable Order Form. If Customer fails to make any payment when due, without limiting Provider’s other rights and remedies: (i) Provider may charge interest on the past due amount at the rate of 1.0% per month calculated daily and compounded monthly or, if lower, the highest rate permitted under applicable law; (ii) Customer shall reimburse Provider for all costs incurred by Provider in collecting any late payments or interest, including attorneys’ fees, court costs, and collection agency fees; and (iii) if such failure continues for 10 days or more, Provider may suspend Customer’s and its Authorized Users’ access to any portion or all of the Services until such amounts are paid in full.

(b)  Taxes. All Fees and other amounts payable by Customer under this Agreement are exclusive of taxes and similar assessments. Customer is responsible for all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental or regulatory authority on any amounts payable by Customer hereunder, other than any taxes imposed on Provider’s income.

5.  Confidential Information.

From time to time during the Term, either Party may disclose or make available to the other Party information about its business affairs, products, confidential intellectual property, trade secrets, third-party confidential information, and other sensitive or proprietary information, whether or not marked, designated or otherwise identified as “confidential” (collectively, “Confidential Information”). Confidential Information does not include information that, at the time of disclosure is: (a) in the public domain; (b) known to the receiving Party at the time of disclosure; (c) rightfully obtained by the receiving Party on a non-confidential basis from a third party; or (d) independently developed by the receiving Party. The receiving Party shall not disclose the disclosing Party’s Confidential Information to any person or entity, except to the receiving Party’s employees or consultants who have a need to know the Confidential Information for the receiving Party to exercise its rights or perform its obligations hereunder. Notwithstanding the foregoing, each Party may disclose Confidential Information to the limited extent required (i) in order to comply with the order of a court or other governmental body, or as otherwise necessary to comply with applicable law, provided that the Party making the disclosure pursuant to the order shall first have given written notice to the other Party and made a reasonable effort to obtain a protective order; or (ii) to establish a Party’s rights under this Agreement, including to make required court filings. Provider may use Customer Data to (i) provide the Services to Customer and perform this Agreement; and (b) to test, improve, and provide Provider products and services in a manner that does not disclose Customer Data or Confidential Information of Customer. If Customer or any of its employees or contractors sends or transmits any communications or materials to Provider by mail, email, telephone, or otherwise, suggesting or recommending changes to the Provider IP, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (”Feedback”), Provider is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. On the expiration or termination of the Agreement, the receiving Party shall promptly return to the disclosing Party all copies, whether in written, electronic, or other form or media, of the disclosing Party’s Confidential Information, or destroy all such copies and certify in writing to the disclosing Party that such Confidential Information has been destroyed. Each Party’s confidentiality obligations with regard to Confidential Information are effective as of the Effective Date and will expire Three (3) years from the date first disclosed to the receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.

6.  Warranties and Disclaimers.

(a)  Mutual. Each Party represents and warrants that (i) it is duly organized, validly existing, and in good standing under the laws of the state of its organization; (ii) it has full power and authority to enter into this Agreement, to carry out its obligations under this Agreement, and to grant the rights granted to the other Party herein; (iii) the execution of this Agreement by such party, and the performance by such party of its obligations and duties hereunder do not and will not violate any other agreement to which such party is a party or by which it is otherwise bound; and (iv) it and its performance hereunder will comply with all applicable laws and regulations.

(b) Provider. Provider warrants that (i) it will not knowingly include, in any Software released to the public and provided to Customer hereunder, any computer code or other computer instructions, devices or techniques, including without limitation those known as disabling devices, trojans, or time bombs, that intentionally disrupt, disable, harm, infect, defraud, damage, or otherwise impede in any manner, the operation of a network, computer program or computer system or any component thereof, including its security or user data, and (iii) it will provide the support and professional services under this Agreement in a professional and workmanlike manner.

(c)  Disclaimers. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8, THE PROVIDER IP IS PROVIDED “AS IS” AND PROVIDER HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. PROVIDER SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ALL WARRANTIES ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE. EXCEPT FOR THE LIMITED WARRANTY SET FORTH IN SECTION 8, PROVIDER MAKES NO WARRANTY OF ANY KIND THAT THE PROVIDER IP, OR ANY PRODUCTS OR RESULTS OF THE USE THEREOF, WILL MEET CUSTOMER’S OR ANY OTHER PERSON’S REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, ACHIEVE ANY INTENDED RESULT, BE COMPATIBLE OR WORK WITH ANY SOFTWARE, SYSTEM OR OTHER SERVICES, OR BE SECURE, ACCURATE, COMPLETE, FREE OF HARMFUL CODE, OR ERROR FREE.

7.  Indemnification.

(a)  Provider Indemnification. Provider shall indemnify, defend, and hold harmless Customer from and against any and all losses, damages, liabilities, costs (including reasonable attorneys’ fees) (”Losses”) incurred by Customer resulting from any third-party claim, suit, action, or proceeding (”Third-Party Claim”) that the Services infringes or misappropriates such third party’s [US] patents, copyrights, or trade secrets, provided that Customer promptly notifies Provider in writing of the claim, cooperates with Provider, and allows Provider sole authority to control the defense and settlement of such claim.  If such a claim is made or appears possible, Customer agrees to permit Provider, at Provider’s sole discretion, to (A) modify or replace the Services, or component or part thereof, to make it non-infringing, or (B) obtain the right for Customer to continue use. If Provider determines that neither alternative is reasonably available, Provider may terminate this Agreement, in its entirety or with respect to the affected component or part, effective immediately on written notice to Customer. This Section 9(a) will not apply with respect to portions or components of the Services (A) not created by Provider, including but not limited to Customer Data or Third-Party Products, (B) that are modified by anyone other than Provider where the alleged infringement relates to such modification, (C) combined with other products, processes or materials where the alleged infringement relates to such combination, (D) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (E) where Customer’s use thereof is not strictly in accordance with this Agreement and all related documentation.

(b)  Customer Indemnification. Customer shall indemnify, hold harmless, and, at Provider’s option, defend Provider from and against any Losses resulting from any Third-Party Claim that the Customer Data infringes or misappropriates such third party’s intellectual property rights, or any Claims excluded from indemnity obligation in Section 9(a) above, provided that Customer may not settle any Third-Party Claim against Provider unless Provider consents to such settlement, and further provided that Provider will have the right, at its option, to defend itself against any such Third-Party Claim or to participate in the defense thereof by counsel of its own choice.

(c)  Sole Remedy. THIS SECTION 9 SETS FORTH CUSTOMER’S SOLE REMEDIES AND PROVIDER’S SOLE LIABILITY AND OBLIGATION FOR ANY ACTUAL, THREATENED, OR ALLEGED CLAIMS THAT THE SERVICES INFRINGE, MISAPPROPRIATE, OR OTHERWISE VIOLATE ANY INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY.

8.  Limitations of Liability.

(a) Indirect Liabilities. IN NO EVENT WILL PROVIDER BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY: (A) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES; (B) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES, OR PROFITS; (C) LOSS OF GOODWILL OR REPUTATION; (D) USE, INABILITY TO USE, LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (E) COST OF REPLACEMENT GOODS OR SERVICES, IN EACH CASE REGARDLESS OF WHETHER PROVIDER WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES OR SUCH LOSSES OR DAMAGES WERE OTHERWISE FORESEEABLE.

(b) Direct Liability. IN NO EVENT WILL PROVIDER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE EXCEED THE TOTAL AMOUNTS PAID TO PROVIDER UNDER THIS AGREEMENT IN THE THREE MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

(c) Exclusions. THE FOREGOING LIMITATIONS IN THIS SECTION 10 SHALL NOT LIMIT PROVIDER’S INDEMNIFICATION OBLIGATION SET FORTH IN SECTION 9(A) OR DAMAGES ARISING OUT OF PROVIDER’S BREACH OF ITS CONFIDENTIALITY OBLIGATIONS SET FORTH IN SECTION 7.

9. Term and Termination.

(a)  Term. Subject to earlier termination as provided below, this Agreement is for the Term as specified in the applicable Order Form. 

(b)  Termination. In addition to any other express termination right set forth in this Agreement: (i)  either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement and such breach: (A) is incapable of cure; or (B) being capable of cure, remains uncured 30 days (or 10 days for Customer’s failure to pay any amount when due) after the non-breaching Party provides the breaching Party with written notice of such breach; or (ii)  either Party may terminate this Agreement, effective immediately upon written notice to the other Party, if the other Party: (A) becomes insolvent or is generally unable to pay, or fails to pay, its debts as they become due; (B) files or has filed against it, a petition for voluntary or involuntary bankruptcy or otherwise becomes subject, voluntarily or involuntarily, to any proceeding under any domestic or foreign bankruptcy or insolvency law; (C) makes or seeks to make a general assignment for the benefit of its creditors; or (D) applies for or has appointed a receiver, trustee, custodian, or similar agent appointed by order of any court of competent jurisdiction to take charge of or sell any material portion of its property or business.

(c)  Effect of Expiration or Termination. Upon expiration or earlier termination of this Agreement, Customer shall immediately discontinue use of the Provider IP and, without limiting Customer’s obligations under Section 7, Customer shall delete, destroy, or return all copies of the Provider IP and certify in writing to the Provider that the Provider IP has been deleted or destroyed. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due before such expiration or termination or entitle Customer to any refund 

(d)  Survival. This Section 11(d) and Sections 1, 6, 7, 8(c), 9, 10, 12 and 13 survive any termination or expiration of this Agreement. No other provisions of this Agreement survive the expiration or earlier termination of this Agreement.

10. Miscellaneous.

(a)  Entire Agreement. This Agreement, together with any other documents incorporated herein by reference and all related Exhibits, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. In the event of any inconsistency between the statements made in the body of this Agreement, the related Exhibits, and any other documents incorporated herein by reference, the following order of precedence governs: (i) first, this Agreement, excluding its Exhibits; (ii) second, the Exhibits to this Agreement as of the Effective Date; and (iii) third, any other documents incorporated herein by reference.

(b)  Notices. All notices, requests, consents, claims, demands, waivers, and other communications hereunder (each, a “Notice”) must be in writing and addressed to the Parties at the addresses set forth on the first page of this Agreement (or to such other address that may be designated by the Party giving Notice from time to time in accordance with this Section). All Notices must be delivered by personal delivery, nationally recognized overnight courier (with all fees pre-paid), facsimile or email (with confirmation of transmission) or certified or registered mail (in each case, return receipt requested, postage pre-paid). Except as otherwise provided in this Agreement, a Notice is effective only: (i) upon receipt by the receiving Party; and (ii) if the Party giving the Notice has complied with the requirements of this Section.

(c)  Force Majeure. In no event shall either Party be liable to the other Party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement (except for any obligations to make payments), if and to the extent such failure or delay is caused by any circumstances beyond such Party’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.

(d)  Amendment and Modification; Waiver. No amendment to or modification of this Agreement is effective unless it is in writing and signed by an authorized representative of each Party. No waiver by any Party of any of the provisions hereof will be effective unless explicitly set forth in writing and signed by the Party so waiving. Except as otherwise set forth in this Agreement, (i) no failure to exercise, or delay in exercising, any rights, remedy, power, or privilege arising from this Agreement will operate or be construed as a waiver thereof and (ii) no single or partial exercise of any right, remedy, power, or privilege hereunder will preclude any other or further exercise thereof or the exercise of any other right, remedy, power, or privilege.

(e)  Severability. If any provision of this Agreement is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability will not affect any other term or provision of this Agreement or invalidate or render unenforceable such term or provision in any other jurisdiction. Upon such determination that any term or other provision is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to modify this Agreement so as to affect their original intent as closely as possible in a mutually acceptable manner in order that the transactions contemplated hereby be consummated as originally contemplated to the greatest extent possible.

(f)  Governing Law; Submission to Jurisdiction. This Agreement is governed by and construed in accordance with the internal laws of the State of California without giving effect to any choice or conflict of law provision or rule that would require or permit the application of the laws of any jurisdiction other than those of the State of Delaware. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding.

(g)  Assignment. Neither Party may assign any of its rights or delegate any of its obligations hereunder without the prior written consent of the other Party, which consent shall not be unreasonably withheld, conditioned, or delayed, except that either Party may assign this Agreement without consent of the other Party to its successor in interest pursuant to a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets to which this Agreement relate. Any purported assignment or delegation in violation of this Section will be null and void. No assignment or delegation will relieve the assigning or delegating Party of any of its obligations hereunder. This Agreement is binding upon and inures to the benefit of the Parties and their respective permitted successors and assigns.

(h)  Export Regulation. The Services utilize software and technology that may be subject to US export control laws, including the US Export Administration Act and its associated regulations. Customer shall not, directly or indirectly, export, re-export, or release the Services or the underlying software or technology to, or make the Services or the underlying software or technology accessible from, any jurisdiction or country to which export, re-export, or release is prohibited by law, rule, or regulation. Customer shall comply with all applicable federal laws, regulations, and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Services or the underlying software or technology available outside the US.

(i)  US Government Rights. Each of the Documentation and the software components that constitute the Services is a “commercial item” as that term is defined at 48 C.F.R. § 2.101, consisting of “commercial computer software” and “commercial computer software documentation” as such terms are used in 48 C.F.R. § 12.212. Accordingly, if Customer is an agency of the US Government or any contractor therefor, Customer only receives those rights with respect to the Services and Documentation as are granted to all other end users, in accordance with (a) 48 C.F.R. § 227.7201 through 48 C.F.R. § 227.7204, with respect to the Department of Defense and their contractors, or (b) 48 C.F.R. § 12.212, with respect to all other US Government users and their contractors.

(j)  Equitable Relief. Each Party acknowledges and agrees that a breach or threatened breach by such Party of any of its obligations under Section 7 or, in the case of Customer, Section 2(b), would cause the other Party irreparable harm for which monetary damages would not be an adequate remedy and agrees that, in the event of such breach or threatened breach, the other Party will be entitled to equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.

(k)  Publicity. Customer agrees that Provider may reference Customer as a customer in its marketing and promotional materials and activities, including but not limited to Provider’s website, and agrees to participate in press announcements, case studies, trade shows, or other forms reasonably requested by Provider, provided that Provider’s use of Customer’s name and trademarks will be in accordance with Customer’s trademark guidelines, if any, provided to Provider.

(l) Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.

 

EXHIBIT A

INFORMATION SECURITY POLICY

Uptick uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration, or disclosure of Customer Data stored on systems under Uptick’s control. Uptick maintains these security measures in accordance with ISO 27001.

1. Customer Data and Management.

Uptick limits its personnel’s access to Customer Data as follows:

1.1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for Cloud Hosting administrator access

1.2.  Limits the Customer Data available to Uptick personnel on a “need to know” basis.

1.3.  Restricts access to Uptick’s production environment by Uptick personnel based on business need.

1.4.  Encrypts user security credentials for production access; and

1.5.  Prohibits Uptick personnel from storing Customer Data on electronic portable storage devices such as computer laptops, portable drives, and other similar devices.

1.6. Uptick physically and logically separates each of its customers’ data and maintains measures designed to prevent Customer Data from being exposed to or accessed by other customers.

2. Data Encryption. 

Uptick provides industry-standard encryption for Customer Data as follows:

2.1.  Implements encryption in transport and at rest.

2.2.  Uses strong encryption methodologies to protect Customer Data, including AES 256-bit encryption for Customer Data stored in Uptick’s production environment; and

2.3. Encrypts all Customer Data located in cloud storage while at rest.

3. Network Security, Physical Security and Environmental Controls.

3.1. Uptick uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Customer Data.

3.2. Uptick maintains measures designed to assess, test, and apply security patches to all relevant systems and applications used to provide the Services.

3.3. Uptick monitors privileged access to applications that process Customer Data, including cloud services.

3.4. The Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of Amazon and Google, respectively. Detailed information about AWS security is available at https://aws.amazon.com/security/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.

3.5. Customer Data stored within AWS is always encrypted . AWS does not have access to unencrypted Customer Data.

3.6 Each customer has a separate namespace with enhanced security controls. Uptick maintains physical separation of data at rest.

4. Independent Security Assessments.

Uptick periodically assesses the security of its systems and the Services as follows:

4.1. Annual detailed security and vulnerability assessments of the Services conducted by independent third-party security experts that include a code analysis and a comprehensive security review. Uptick shall attest to Customer the date of the most recent security and vulnerability assessment at Customer’s reasonable request.

4.2. Uptick hires accredited third parties to perform audits and to attest to various compliance and certifications annually including ISO 27001.

4.3. Bi-annual penetration testing of Uptick systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.

4.4. Monthly vulnerability scanning.

5. Incident Response.

If Uptick becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Uptick will:

5.1. Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.

5.2. Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Uptick is not required to make such notice to the extent prohibited by Laws, and Uptick may delay such notice as requested by law enforcement and/or in light of Uptick’s legitimate needs to investigate or remediate the matter before providing notice.

5.3. Each notice of a Breach will include:

5.3.1. The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired, or disclosed during the Breach.

5.3.2. A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known.

5.3.3.  The scope of the Breach, to the extent known; and

5.3.4.  A description of Uptick’s response to the Breach, including steps Uptick has taken to mitigate the harm caused by the Breach.

6. Business Continuity Management.

Uptick maintains an appropriate business continuity and disaster recovery plan.

Uptick maintains processes to ensure failover redundancy with its systems and networks.

7. Personnel Management.

7.1. Uptick performs employment verification, including proof of identity validation and criminal background checks for all new hires, including contract employees, in accordance with applicable law.

7.2. Uptick provides training for its personnel who are involved in the processing of the Customer Data to ensure they do not collect, process or use Customer Data without authorization and that they keep Customer Data confidential, including following the termination of any role involving the Customer Data.

7.3.  Uptick conducts routine and random monitoring of employee systems activity.

7.4.  Upon employee termination, whether voluntary or involuntary, Uptick immediately disables all access to Uptick systems, including Uptick’s physical facilities.

EXHIBIT B

UPTICK DATA PROCESSING ADDENDUM

This DATA PROCESSING ADDENDUM (the “DPA”) is entered into by and between Customer and Uptick.

RECITALS

Customer has subscribed to Uptick Service Agreement for the receipt of certain services from Uptick as described in the contract (the Services). In delivering the Services under the Contract, Uptick may process Personal Data controlled by Customer.

To comply with Applicable Privacy Law(s) (including EU Data Protection Law), Customer must ensure the appropriate protection of all data, including Personal Data when Customer engages third party vendors. Accordingly, Customer’s engagement of Uptick is conditioned upon Uptick’s agreement to the terms and conditions of this DPA.

1. DEFINITIONS

1.1. “Applicable Privacy Law(s)” means the relevant data protection and privacy laws and regulations to which Customer is subject, including, where applicable, EU Data Protection Law.

1.2 “Authorized Persons” means any person who processes Personal Data on Uptick’s behalf, including Uptick’s employees, officers, partners, principals, contractors, and Subcontractors.

1.3 “CCPA” means the California Consumer Privacy Act of 2018, as amended from time to time.

1.4 “EU Data Protection Law” means (a) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of
Personal Data and on the free movement of such data (the “Directive”); and (b) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).

1.5 “Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission and available at:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en (as amended or updated from time to time).

1.6 “Personal Data” means any information provided or made available to Uptick, by or on behalf of Customer, in connection with the Services and which relates to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes personally identifiable information.

1.7 “Security Incident” means an accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data.

1.8 “Subcontractor” means any third party engaged by Uptick to process any Personal Data relating to this DPA and/or the Contract.

1.9 The terms “Controller”, “Processor”, and “processing”, have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.

2. ROLE AND SCOPE OF PROCESSING

2.1. Uptick shall process Personal Data under the Contract only as a Processor acting on behalf of Customer. Uptick agrees that it will process Personal Data as described at Annex A.

2.2. Uptick will at all times process Personal Data only for the purpose of providing the Services to Customer under the Contract and in accordance with Customer’s documented instructions, unless Uptick is required to process the Personal Data for other purposes by EU Data Protection Law. Where such a requirement is placed on Uptick, it shall provide prior notice to Customer unless the relevant law prohibits giving such notice.

2.3. Each Party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Personal Data it processes under this DPA.

2.4. Uptick shall promptly notify Customer if it makes a determination that it cannot comply with its obligations under this DPA, and in such event, Uptick shall work with Customer and take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing complies with the requirements of this DPA. Uptick shall immediately cease (and request all Subcontractors to immediately cease) processing Personal Data if Customer determines that Uptick has not or cannot correct any non-compliance in accordance with this Section 2.4 within a reasonable time frame.

3. SUBPROCESSING

3.1. Uptick shall not subcontract any processing of Personal Data to a Subcontractor without the prior written consent of Customer. Notwithstanding the foregoing, Customer hereby expressly consents to Uptick engaging Subcontractors to process Personal Data provided that:
(a) Uptick provides Customer with a list of all Subcontractors engaged to process Personal Data on Uptick’s behalf (an initial copy of which is set out at Annex C and is up-to-date as of the date of this DPA), and shall promptly provide Customer with an updated copy of the Subcontractor list in the event Uptick adds or replaces any Subcontractor;
(b) Uptick provides at least 30 days prior written notice to Customer of the engagement of any new Subcontractor (including details of the processing and location);
(c) Uptick imposes the same data protection terms on any Subcontractor it engages as contained in this DPA (including the Model Clauses and/or other data transfer provisions, where applicable); and
(d) Uptick remains fully liable for any breach of this DPA or the Contract that is caused by an act, error or omission of such Subcontractor.

3.2 If, following receipt of a notice of the engagement of a new Subcontractor in accordance with Section 3.1(b) above, Customer objects to the engagement of that Subcontractor on data protection grounds, then either Uptick will not engage the Subcontractor to process the Personal Data or Customer may elect to suspend or terminate the Contract and this DPA pursuant to the terms of the Contract.

4. DATA ACCESS & SECURITY MEASURES

4.1. Uptick shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data only for the purpose of delivering the Services under the Contract(s) to Customer.

4.2. Uptick will implement and maintain all appropriate technical and organizational security measures to meet the requirements of EU Data Protection Law, and in particular, to protect against the occurrence of Security Incidents and to preserve the security, integrity and confidentiality of Personal Data (“Security Measures”). Such Security Measures shall take into account industry standards, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of a Security Incident and potential impact on the rights and freedoms of natural persons. At a minimum, Uptick agrees to the Security Measures identified in Annex B.

4.3. Uptick shall implement such measures to ensure a level of security appropriate to the risk involved,
including as appropriate:
(a) the anonymization and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing
systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.

5. SECURITY INCIDENTS AND BREACH NOTIFICATION

5.1. In the event of a Security Incident, Uptick shall promptly (and in no event later than 48 hours of Uptick becoming aware of such Security Incident) inform Customer and provide written notification of the Security Incident. Such notification shall include (a) a detailed description of the Security Incident, (b) the type of Personal Data that was the subject of the Security Incident and (c) the identity of each affected person (or, where not possible, the approximate number of data subjects and of Personal Data records concerned), and (d) a description of the measures taken or proposed to be taken by Uptick to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

5.2. Furthermore, in the event of a Security Incident, Uptick shall:
(a) provide timely information and cooperation as Customer may require to fulfill Customer’s data breach reporting and notification obligations under Applicable Privacy Laws; and
(b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep Customer up-to-date about all material developments in connection with the Security Incident.

5.3. The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident (a “Communication”) shall be solely at Customer’s discretion, except as otherwise required by applicable laws. If and to the extent Uptick is referenced by name in any such Communication, Uptick shall be provided with an opportunity to review and approve the Communication for accuracy, such approval not to be unreasonably withheld.

6. SECURITY REPORTS & INSPECTIONS

Uptick shall maintain records in accordance with ISO 27001 or similar Information Security
Management System (“ISMS”) standards and shall provide Customer with copies of relevant ISMS certifications, audit report summaries and/or other documentation reasonably required by Customer to verify Uptick’s compliance with this DPA, upon Customer’s request.

7. COOPERATION, ASSESSMENTS & AUDITS

7.1 Uptick shall reasonably cooperate with Customer to enable Customer to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Contract, including requests from data subjects seeking to exercise their rights under Applicable Privacy Laws. In the event that any such request, complaint or communication is made directly to Uptick, Uptick shall, unless prohibited by applicable law, promptly pass this onto Customer and shall not respond to such communication without Customer’s express authorization.

7.2 If Uptick receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Uptick shall not, unless otherwise required by applicable law or advised by counsel that it is so required by applicable law, disclose any information but shall immediately notify Customer in writing of such request, and unless otherwise required by applicable law, reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.

7.3 Uptick shall assist Customer in carrying out any privacy impact assessment of the Services as is reasonable in light of the Personal Data that is being processed. Uptick shall reasonably cooperate with Customer to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment. If Customer is not satisfied with Uptick’s mitigation actions, Customer may elect to suspend or terminate the Contract and this DPA pursuant to the terms of the Contract.

7.4 Uptick shall, upon receipt of written request from Customer, make available to Customer such information as is reasonably necessary to demonstrate Uptick’s compliance with the Applicable Privacy Law and permit Customer and/or its authorized agents to audit its records to the extent reasonably required in order to confirm that Uptick is complying with its obligations under this DPA or any Applicable Privacy Law, provided always that any such audit does not involve the review of any third party data and that the records and information accessed in connection with such audit are treated as confidential information by Customer. Customer shall bear its own costs to conduct such audit. Unless Customer’s request for such request follows a Security Incident, or is otherwise required by Applicable Privacy Law, Customer shall not make any such request more than once in any 12 month period.

8. DATA EXPORTS

8.1. Uptick will at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of Applicable Privacy Laws.

8.2. Uptick shall not process or transfer any Personal Data in or to a territory other than the territory in which the Personal Data was first received from Customer (nor permit the Personal Data to be so processed or transferred) unless: (i) it has first obtained Customer’s prior written consent; and (ii) it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by Customer to Uptick from time to time). For purposes of the foregoing, the EEA (including the United Kingdom and Switzerland) is a territory.

8.3. Customer acknowledges and agrees that, for so long as Uptick has in place a valid Privacy Shield certification or such other subsequent or additional certification or adequacy finding issued by the appropriate EU authorities permitting the transfer of personal data to the United States (and the Privacy Shield or other subsequent or additional certification remains a valid means of legitimizing personal data exports under EU Data Protection Law), and subject to Section 3, Uptick may transfer Personal Data to the United States without need for Customer’s prior written consent.

8.4. Where Uptick processes Personal Data under this DPA that originates from the EEA
(including the United Kingdom) and/or Switzerland, any such consent shall be conditioned on Uptick complying with (and requiring any Subcontractor to comply with) the Model Clauses, which are incorporated by reference and form an integral part of this DPA. For the purposes of the descriptions in the Model Clauses and only as between Uptick and Customer, Uptick agrees that it is a “data importer” and Customer is the “data exporter” under the Model Clauses (notwithstanding that Customer is located outside the EEA). Further, Annexes A and B of this DPA will take the place of Appendixes 1 and 2 of the Model Clauses respectively.

8.5. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail. In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.

9. DELETION & RETURN

9.1. Upon Customer’s request, or upon termination or expiration of this DPA, Uptick shall destroy or return to Customer all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Subcontractors). This requirement shall not apply to the extent that Uptick is required by any applicable law to retain some or all of the Personal Data, in which event Uptick shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

10. CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

10.1. For purposes of this section, the terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA.

10.2. With respect to Customer Personal Data, Uptick is a service provider under the CCPA.

10.3. Uptick will not:
(a) sell Customer Personal Data;
(b) retain, use or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; or
(c) retain, use or disclose the Customer Personal Data outside of the direct business relationship between Uptick and Customer.

10.4. The parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in Section 2 of this Addendum is integral to and encompassed by Uptick’s provision of the Services and the direct business relationship between the parties.

10.5. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Uptick’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

10.6. To the extent that any Usage Data (as defined in the Agreement) is considered Personal Data, Uptick is the business with respect to such data and shall process such data in accordance with its Privacy Policy, which can be found at https://www.uptick.com/privacy-policy/

11. GENERAL

11.1. This DPA shall be governed by and construed in accordance with the laws of country where Customer has its main establishment and shall be subject to the exclusive jurisdiction of the Courts of this country.

11.2. All terms of this DPA are hereby incorporated into the Contract. In the event of a conflict between a term in the Contract and a term in this DPA, the term contained in this DPA shall prevail.

11.3. The obligations placed upon the Uptick under this DPA shall survive so long as Uptick and/or its Subcontractors process Personal Data on behalf of Customer.

11.4. This DPA may not be modified except by a subsequent written instrument signed by both parties.

11.5. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

11.6. This DPA may be executed in any number of counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

11.7. Each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them, effective as of the date both parties sign below

 

ANNEX A

DETAILS OF THE PROCESSING

Nature of Services provided by Uptick: 

Uptick is focused on transforming B2B sales and maximizing lifetime customer value through AI optimized customer success and account management.

Type(s) of Personal Data processed: 

Uptick collects customer’s data from multiple sources (including, but not limited to Accounts, opportunities, contacts, product purchases, cases from CRM system, emails and calendar events, Support tickets and application logs)

Categories of Data Subjects: 

Controller’s end users and/or employees;

Controller’s customers, prospects, contractors, collaborators, suppliers and subcontractors.

Nature of Processing Operations: 

The objective of Processing of Personal Data is the performance of the Services pursuant to the Contract, detailed above.  The duration of processing will be the period during which Uptick provides the Services to Customer in accordance with the Contract.  

 

ANNEX B

SECURITY MEASURES

Description of the technical and organizational security measures implemented by Uptick in accordance with Section 4.2 of the DPA: 

1. Access Control of Processing Areas  

Uptick implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely database, storage and application servers and related hardware) where Personal Data are processed or used. This is accomplished by: 

• establishing security areas;  

• establishing access authorizations for employees and third parties, including the respective documentation;  

• regulations and restrictions on issuance and use of card-keys; 

• all access to the data center where Personal Data are hosted is logged, monitored, and tracked; 

• the data center where Personal Data are hosted is secured by a security alarm system, and other appropriate security measures. 

2. Access Control to Data Processing Systems  

Uptick implements suitable measures (including industry standard encryption) to prevent its data processing systems from being used by unauthorized persons. This is accomplished by: 

• using the AWS Workspaces with limited Internet access and disabled copy-paste functionality; 

• MFA in order to access assets where Personal data is processed; 

• requirements to store Personal data only encrypted at rest; 

• requirements for passwords (minimum length, use of special characters, etc.); and 

• all access to data is logged, monitored, and tracked. 

Uptick ensures that the persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This is accomplished by: 

• change request procedure i.e. all changes must be approved by relevant parties;

• Confidentiality agreements with all Authorized persons; 

• protecting data against unauthorized access by means of encryption or pseudonymization (as appropriate); 

• effective and measured disciplinary action against individuals who access Personal Data without authorization; 

• release of data to only authorized persons;

• training in respect of each employee’s access rights to Personal Data; and

• policies controlling the retention of back-up copies. 

 

Uptick implements suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: 

• use of firewall and encryption technologies to protect the gateways and pipelines through which the data travels;  

• avoiding to store data on mobile storage media for transportation purposes and on laptops or other mobile devices;

• monitoring of the completeness and correctness of the transfer of data;

 

Uptick implements suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed. This is accomplished by: 

• an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;   

• authentication of Authorized Persons; 

• protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data; 

• automatic log-off of user ID’s that have not been used for a substantial period of time;  

 

Uptick implements suitable measures to ensure that, in the case of commissioned processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal. This is accomplished by: 

• allowing data exporter the right, upon reasonable notice and during the Uptick’s usual business hours, to audit, review and inspect Uptick’s facilities, practices and procedures with respect to commissioned processing of Personal Data.

 

Uptick implements suitable measures to ensure that Personal Data are protected from accidental destruction or loss, and that Uptick is able to restore the availability and access to Personal Data in a timely manner in the event of a Security Incident. This is accomplished by: 

• infrastructure redundancy; 

• policies prohibiting permanent local (work station) storage of data;  

• disaster recovery and business continuity plans. 

 

Uptick implements suitable measures to ensure that data collected for different purposes can be processed separately. This is accomplished by: 

• access to data is separated through application security for the appropriate users; 

• modules within the Uptick’s data base separate which data is used for which purpose, i.e. by functionality and function; 

• at the database level, data is stored (where possible) in different normalized tables, separated per component or function they support.

 

Uptick regularly tests, assesses and evaluates the effectiveness of the technical and organizational measures it has in place for ensuring the security of its processing of Personal Data. 

 

 

Uptick performs a vulnerability assessment against the Service, application infrastructure, and Uptick assets, which is accomplished by:

• In-house penetration testing of every major release;

• Annual penetration testing conducted by 3rd-party;

• Static code analysis for every code commit;

• Container security of Uptick-developed components;

• Automated daily scans of laptops and servers against CVE database;

• Agreed internal SLAs for patching and remediation of found vulnerabilities with respect to criticality classification of vulnerability itself.

 

ANNEX C

 

https://www.uptick.com/sub-processors/