Legal
Lens MSA

Truepic Lens MSA

TRUEPIC LENS

SERVICE AGREEMENT

This Service Agreement is a binding agreement made between, Truepic, Inc. (hereinafter, “Truepic,” “we” or “our”) and you, a customer of Truepic that has entered into an Enterprise Service Order (“Order”) which incorporates this Service Agreement in its entirety. As used herein, “you”, “your”, and “Customer” refer to the entity that entered into such Order, together with all Affiliates of such entity. You and Truepic are also sometimes each herein referred to as a “party” or collectively as the “parties”.

This Service Agreement, including Exhibit A (Description of Products and Services), Exhibit B (SDK License Agreement), Exhibit C (Service Level Agreement) and Exhibit D (Data Processing Agreement), together with the Order constitutes the entire agreement between the parties (the “Agreement”). The Agreement governs Customer’s access to and use of the Truepic product or service identified in the Order, as further described in Exhibit A (collectively, the “Services” or “Service”). Capitalized terms used herein shall have the meanings ascribed to them in this Agreement and the Order.

IF YOU CHOOSE NOT TO AGREE TO ALL OF THESE TERMS AND CONDITIONS, DO NOT ACCESS AND/OR USE THE SERVICES. YOUR ACCESS AND/OR USE OF THE SERVICES SHALL CONSTITUTE YOUR ACCEPTANCE OF ALL OF THE TERMS AND CONDITIONS SET FORTH IN THIS AGREEMENT.

TRUEPIC RESERVES THE RIGHT TO CHANGE THIS AGREEMENT OR ANY PART OF THE SERVICE AT ANY TIME. ALTHOUGH TRUEPIC MAY INCLUDE A NOTICE ON THE TRUEPIC WEBSITE OR WITHIN THE SERVICE THAT THIS AGREEMENT HAS BEEN MODIFIED, SUCH NOTICE MAY NOT REMAIN IN PLACE FOR ANY EXTENDED PERIOD OF TIME. ACCORDINGLY, YOU SHOULD REVIEW THIS AGREEMENT, AS POSTED ON THE SERVICE, FROM TIME TO TIME. TO THE FULLEST EXTENT PERMITTED UNDER ALL APPLICABLE LAWS. YOUR CONTINUED USE OF THE SERVICE AFTER ANY REVISED SERVICE AGREEMENT HAS BEEN POSTED CONSTITUTES YOUR ACCEPTANCE OF THE REVISED AGREEMENT AND YOU SHALL BE BOUND TO THE REVISED AGREEMENT AS THOUGH IT WAS IN EFFECT AT THE TIME YOU ORIGINALLY ENTERED INTO THE APPLICABLE ORDER.

This Agreement is effective between you and Truepic as of the date of the Contract Effective Date set forth on the Order (the “Effective Date”). This Agreement, as modified or amended, will continue in full force and effect until it is terminated or superseded as set forth herein.

  1. Definitions.  The following capitalized terms shall have the meanings set forth below:

Affiliate” means any entity that is controlled by, controls, or is under common control with a party for so long as such relationship exists. For purposes of this definition, “control” means (i) beneficial ownership (direct or indirect) of at least fifty percent (50%) of the equity interests of the subject entity entitled to vote in the election of directors (or, in the case of an entity that is not a corporation, in the election of the corresponding managing authority) or (ii) any other arrangement whereby an entity controls or has the right to control the board of directors or equivalent governing body of the subject entity, or the ability to cause the direction of the management or policies of such subject entity.

Aggregated Anonymous Data” means any of the following information that has been aggregated with other similar information of other Truepic customers, and anonymized so that it does not reveal any personally identifying information or information identifying Customer: (a) information related to how Truepic’s customers are using the Truepic Service, (b) information related to the performance of the Truepic Service, and (c) any other information that provides insight into Truepic’s business or the Truepic Service.

Applicable Law” means all applicable laws, rules, regulations and legal requirements.

End User” means any person or entity providing photo or video images to be authenticated or verified using the Service before such content is used, displayed or published on Customer’s website or in connection with Customer’s services.

Intellectual Property Right” means any patent, utility model, design patent, copyright, trademark, service mark, trade dress, trade name, logo, trade secret, moral right, know-how, all rights in computer software and data, database rights, and all other intangible property rights and privileges throughout the world, whether or not a party has applied for or been granted registration or other protection therefor.

  1. Service
    1. Service. Truepic shall provide, and Customer shall use, the Service in accordance with the terms and conditions of this Agreement.
    2. Documentation. Truepic will provide or make available to Customer documentation (“Documentation”) that describes the major features and functionality of the Service.
  2. License Grants; Ownership.
    1. Truepic License Grant. Subject to the terms and conditions of this Agreement, Truepic grants Customer a non-exclusive, worldwide, non-transferable, non-sublicensable right and license during the Term to access and use the Service for the purposes contemplated in this Agreement.
    2. Ownership.  Truepic owns all right, title, and interest in and to the Service, and any related suggestions, ideas, enhancements, requests, feedback, and recommendations provided by Customer and its Affiliates to Truepic. This Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Service or Intellectual Property Rights of Truepic.
    3. Restriction on Modification. Except as otherwise provided herein, Customer shall not: (a) reverse engineer, disassemble or decompile the Service; (b) remove, obscure or alter any proprietary rights notices, branding, text, or images, affixed or related to the Service; (c) access or attempt to access Truepic’s other accounts, computer systems or networks not covered by this Agreement through password mining or any other means; or (d) use the Service to store or transmit any malicious code. Customer shall promptly notify Truepic if Customer becomes aware of any unauthorized use of the whole or any part of the Service.
    4. Limitations on Use. Except as expressly authorized by this Agreement, Customer may not: (a) copy, modify or create derivative works of the Service; (b) license, sublicense, sell, rent, lease, resell, transfer, assign or otherwise make available to any third party the Service or any part thereof; (c) use the Service to impersonate any person or entity or otherwise misrepresent its affiliation with a person or entity; (d) use the Service to breach any right of privacy, confidentiality or right under applicable privacy or data protection laws; (e) use the Service in breach of any third-party site’s terms and conditions; (f) interfere with the Service or disobey any requirements, procedures, policies or regulations of networks connected to the Service; or (g) work around any limitations or permissions of the Service.
    5. No Other Rights Granted. The parties acknowledge and agree that, except for the rights and licenses expressly granted by each party to the other party under this Agreement, each party will retain all right, title and interest in and to its software, hardware, technology or products, trademarks, and all content, information and other materials on its website(s), technology platforms and mobile applications, and nothing contained in this Agreement will be construed as conferring upon such party, by implication, operation of law or otherwise, any other license or other right. Neither party will, whether during or after the Term of this Agreement, contest or aid others in contesting, or doing anything which otherwise impairs the validity of any Intellectual Property Right of the other party. Notwithstanding the foregoing, Customer acknowledges and agrees that (i) Truepic may collect information and generate Aggregated Anonymous Data, (iii) Truepic is and will remain the sole and exclusive owner of all right, title and interest in and to all Aggregated Anonymous Data, including all intellectual property rights related thereto, and (iv) Truepic may freely use and make available Aggregated Anonymous Data for Truepic’s business purposes (including without limitation, for purposes of improving, testing, operating, promoting and marketing Truepic’s current and future products and services).
  3. Responsibilities of Customer.
    1. Connectivity. Customer or its End Users, as applicable, must provide all equipment and software (such as an internet browser) necessary to connect to the Service, including but not limited to, a computer or mobile device that is suitable to connect with and use the Service. Truepic shall not be responsible for any fees, including Internet connection or mobile fees, that may be incurred when accessing the Service.
    2. Usage Guidelines. Customer and Truepic will endeavor to explain, educate, and raise awareness on the content credentials and associated provenance information on the Customer’s applications and platform. Customer will provide its End Users with markings and indicators transparently explaining the meaning and facts behind outputs of the Service.  Customer and Truepic will each use good faith, reasonable efforts to promote responsible use conforming to best practices and principles of the C2PA open standard.  Deviation from responsible use principles and practices shall only occur upon mutual agreement of Customer and Truepic.  In addition, Customer agrees to include a ‘learn more’ (appendix) feature and pop-up bubbles or an equivalent on its platform and apps documentation explaining what C2PA compliant content credentials do and do not mean, including a prominent link to a webpage maintained by Truepic which provides further information regarding the Service.
    3. Notice Requirements. Customer agrees to immediately notify Truepic if Customer suspects illegal, fraudulent or abusive activity related to the Service, or any activity in violation of this Agreement. If Customer so notifies Truepic, or Truepic otherwise suspects such activity, Customer agrees to cooperate with Truepic in any investigation and to use any reasonable prevention measures prescribed by Truepic.
  4. Fees and Payment.
    1. Fees. Customer is responsible for timely payment of all fees specified in the Order (“Fees”). 
    2. Invoicing and Payment. All Fees shall be due and payable within thirty (30) days after the date the applicable invoice is electronically sent to Customer. In the event Customer disputes any invoiced Fees, Customer will provide written notice of the disputed amount within fourteen (14) days after receiving such invoice and timely pay any undisputed portion of such invoice. Upon resolution of the dispute, Customer will pay Truepic the portion of the disputed amount agreed or determined to be owing to Truepic.
    3. Taxes. The Fees are inclusive of all sales, use or VAT taxes that may be legally assessed by Truepic for the Service. 
  5. Term and Termination.
    1. Term. This Agreement is effective as of the Effective Date, and shall continue in force, unless otherwise terminated, for the contract length or initial term set forth in the Order (the “Initial Term”). Unless either party provides written notice to the other party of its intent not to renew this Agreement at least sixty (60) days prior to the end of the then-current term or the Agreement is otherwise terminated as provided herein, the Agreement shall automatically renew for an additional one (1) year term (any renewal and the Initial Term are referred to as the “Term”).
    2. Termination for Convenience and for Cause. 
      1. Customer may terminate this Agreement for convenience at any time upon ninety (90) days’ prior notice to Truepic. 
      2. Either party may terminate this Agreement for cause if any material breach or default of the terms and conditions of this Agreement remains uncured after thirty (30) days following written notice of such breach to the other party. 
    3. Termination for Bankruptcy or Insolvency. Either party may terminate this Agreement if the other party becomes insolvent, admits in writing its inability to pay its debts as they mature, makes an assignment for the benefit of creditors, becomes subject to control of a trustee, receiver or similar authority, or becomes subject to any bankruptcy or insolvency proceeding.
    4. Suspension of Service. Truepic reserves the right to suspend Customer’s access to the Service, without liability to Customer, if Customer is (a) more than sixty (60) days late in payment of the service Fees due under this Agreement; or (b) in material breach of this Agreement.  The foregoing shall be in addition to any other rights or remedies available to Truepic, including termination of this Agreement.
    5. Effect of Termination. In the event of termination or expiration of this Agreement, Customer shall discontinue all use of the Service and destroy or return copies of all Documentation or other documents provided by Truepic in its possession or control. Customer acknowledges that on expiration or earlier termination of this Agreement, Truepic may terminate Customer’s account, and its End-Users will therefore no longer have access to any of the Service. Termination for any reason shall not relieve Customer of the obligation to pay any Fees accrued or due and payable to Truepic prior to the effective date of termination or end of any applicable Transition Period.
    6. Transition Service; Data Transfer. Upon expiration or termination of this Agreement for any reason, Truepic will, at Customer’s written request, prior to the date of expiration or termination, continue to allow Customer to access and use the Service after the date of any such expiration or termination for the sole purpose of effecting an orderly transition from the Service.  During such period, the then-existing fees will continue to be in effect and the terms of this Agreement shall survive and continue to govern the parties’ rights and obligations with respect to the Service. This transition period shall end when the transition from the Service has occurred, which period shall not exceed six (6) months following the expiration or termination date (the “Transition Period”). 
    7. Survival.  The provisions of Sections 1 (Definitions), 3.2, 3.3, 3.4, 3.5, 5 (Fees and Payment), 6.5 (Effect of Termination), 6.6 (Transition Service; Data Transfer), 6.7 (Survival), 7 (Privacy and Data Protection), 8 (Confidentiality), 12 (Warranty Disclaimers and Exclusions), 13 (Indemnification), 14 (Limitation of Liability) and 15 (Miscellaneous) shall survive expiration or termination of this Agreement and any terms in the Exhibits to this Agreement which are stated to survive the expiration or termination of such exhibits shall also survive any expiration or termination of this Agreement. 
  6. Data Protection. Truepic shall use and access Customer Content for the purposes of providing the Service in accordance with the Agreement. Subject to Customer’s compliance with all laws applicable to the Customer Content provided to Truepic, Truepic will comply with its obligations under privacy and data protection laws applicable to it in connection with the Service. 
    1. Truepic will have no liability for any distribution, display or disclosure of Customer Content by Customer or by Customer’s End-Users, regardless of whether such distribution, display or disclosure results in a violation of any applicable privacy or data protection laws. 
    2. The parties shall incorporate the data processing agreement attached as Exhibit D solely to the extent required under applicable law.
    3. Customer instructs Truepic to process Personal Data for the following purposes (each a permitted purpose): (i) processing in accordance with the Agreement; (ii) processing in order to authenticate and verify certain photos and videos as directed by Customer and/or Customer’s End-Users; and (iii) processing to comply with other reasonable instructions provided by Customer where such instructions are acknowledged by Truepic as consistent with the terms of the Agreement. Truepic may process Personal Data other than on the instructions of the Customer if it is mandatory under applicable law to which Truepic is subject but otherwise shall not sell such Personal Data and may not share Personal Data except as instructed in writing by Customer.  
    4. Except to the extent expressly otherwise provided herein, Customer is solely responsible for ensuring that its use of the Service complies with all applicable privacy and data protection laws. Without limiting the foregoing, to the extent that Customer Content includes Personal Information, Customer is responsible for ensuring that it has provided all necessary notices, obtained all necessary consents, and otherwise has all requisite authority to provide such Personal Information to Truepic and for Truepic to collect, use, store and disclose the Personal Information for the purposes of providing the Service. 
  7. Confidentiality.
    1. Confidential Information” means any of either party’s proprietary information, technical data, trade secrets or know-how, including, but not limited to, computer code, data, analytics, and related tools, stems and/or processes, product plans, designs, costs, prices, names, finances, marketing plans, business opportunities, personnel, research, development, know how, source code, products, services, customers, customer lists, markets, software, developments, inventions, processes, formulas, technology, designs, drawings, engineering, hardware configuration information, marketing, finances or other business information disclosed by one party or its Affiliates (“Discloser”) to the other party or its Affiliates (“Recipient”), either directly or indirectly in writing, orally or by drawings or inspection of parts or equipment, or the existence and terms of this Agreement. Confidential Information shall not include information that: (a) is or becomes generally available to the public through no fault or breach on the part of Recipient or its Affiliates, employees and contractors; (b) Recipient can demonstrate to have had rightfully in its possession prior to disclosure to Recipient by Discloser; or (c) Recipient rightfully obtains from a third party who has the right to transfer or disclose it.
    2. Non-Use and Non-Disclosure. Recipient shall not, during or subsequent to the Term of this Agreement, use Discloser’s Confidential Information for any purpose whatsoever other than in connection with the performance of the Service, or disclose Discloser’s Confidential Information to any third party. Recipient may disclose the Confidential Information to its employees and contractors with a bona fide need to know in order to fulfill the performance of the Service, and who have signed a nondisclosure agreement at least as protective of the disclosing party’s rights as those terms and conditions applicable to Recipient under this Agreement. It is understood that said Confidential Information will remain the sole property of Discloser.
    3. Return or Destruction of Materials. Upon the termination or expiration of this Agreement, or upon receipt of written request by a party, each party shall promptly deliver to the other party (or delete or destroy at such party’s request) any property and/or Confidential Information of the other party in its possession or control. Upon written request, such party will provide to the other party a written certificate stating that all such property and copies have been so delivered, deleted or destroyed.
  8. Marketing and Promotion
    1. Customer hereby grants to Truepic a worldwide, non-exclusive, royalty-free right and license to use Customer’s trade names, trademarks, service marks, domain names and other logos of Customer (the “Customer Trademarks”) on Truepic’s website and one or more Truepic press releases (which press release(s) shall be subject to Customer’s prior approval). All use by Truepic of the Customer Trademarks (including any goodwill associated therewith) will inure to the benefit of Customer. Truepic agrees to state in appropriate places on all materials using the Customer Trademarks that they are trademarks of Customer and to include the symbol ™ or ® as appropriate. Truepic agrees not to take any action inconsistent with Customer's ownership of the Customer Trademarks and to cooperate, at Customer's request and expense, in any action that Customer deems necessary or desirable to establish or preserve Customer's exclusive rights in and to the Customer Trademarks.  Truepic will not adopt, use, or attempt to register any trademarks or trade names that are confusingly similar to the Customer Trademarks or in such a way as to create combination marks with the Customer Trademarks. Truepic will comply with Customer's then-current branding guidelines in its use of the Customer Trademarks. 
    2. Truepic hereby grants to Customer a worldwide, non-exclusive, royalty-free right and license to use Truepic’s trade names, trademarks, service marks, domain names and other logos of Truepic  (the “Truepic Trademarks”) for the purpose of marketing and promoting the Service. Customer agrees to include "powered by Truepic" or equivalent language within its integration of the Service with Customer Apps and on Customer’s websites promoting or explaining the Service in mutually agreed upon placement. All use by Customer of the Truepic Trademarks (including any goodwill associated therewith) will inure to the benefit of Truepic. Customer agrees to state in appropriate places on all materials using the Truepic Trademarks that they are trademarks of Truepic and to include the symbol ™ or ® as appropriate. Customer agrees not to take any action inconsistent with Truepic's ownership of the Truepic Trademarks and to cooperate, at Truepic's request and expense, in any action that Truepic deems necessary or desirable to establish or preserve Truepic's exclusive rights in and to the Truepic Trademarks.  Customer will not adopt, use, or attempt to register any trademarks or trade names that are confusingly similar to the Truepic Trademarks or in such a way as to create combination marks with the Truepic Trademarks. Customer will comply with Truepic's then-current branding guidelines in its use of the Truepic Trademarks.
  9. Mutual Representations and Warranties. Each party represents and warrants to the other that as of the Effective Date: (i) it has full power and authority to enter into this Agreement, (ii) it is duly organized, validly existing and in good standing under the laws of its state of organization, (iii) its signatory to the Order has the right and authority to enter into the Order and this Agreement and to legally bind it to the terms and obligations of the Order and this Agreement, and (iv) no agreement previously entered into by such party will interfere with such party's performance of its obligations under this Agreement.
  10. Service Level Agreement. Truepic will use commercially reasonable efforts to deliver, operate, maintain, and provision the Service in a manner that meets the service levels set forth in the Service Level Agreement set forth in Exhibit C.
  11. Warranty Disclaimers and Exclusions.
    1. Disclaimer of Warranties. EXCEPT AS OTHERWISE SPECIFICALLY SET FORTH HEREIN, THE SERVICE, AND ANY OTHER APPLICATIONS, SERVICES, OR MATERIALS HEREUNDER ARE PROVIDED BY TRUEPIC AND ACCEPTED BY CUSTOMER “AS IS” AND WITHOUT WARRANTY OF ANY KIND AND THE PARTIES EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
    2. Warranty Exclusions. EXCEPT AS OTHERWISE SPECIFICALLY SET FORTH HEREIN, TRUEPIC DOES NOT WARRANT THAT THE SERVICE, OR ANY OTHER APPLICATIONS, SERVICES, MATERIALS PROVIDED UNDER THIS AGREEMENT WILL MEET CUSTOMER’S REQUIREMENTS OR THAT THEY OR THEIR ACCESS OR USE WILL BE UNINTERRUPTED OR ERROR FREE OR THAT THE SERVICE WILL BE SUITABLE FOR CUSTOMER’S NEEDS OR CUSTOMER’S INTENDED APPLICATIONS, OR THAT THE SERVICE WILL BE COMPATIBLE WITH OR OPERATE IN THE HARDWARE, SOFTWARE, OR WEBSITE CONFIGURATIONS THAT CUSTOMER OR ANY END-USER SELECTS. TRUEPIC IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES OR OTHER DAMAGES RESULTING FROM USE OF THE INTERNET OR ELECTRONIC COMMUNICATIONS OR RELATED EQUIPMENT TO WHICH THE SERVICE MAY BE SUBJECT. TRUEPIC MAKES NO REPRESENTATIONS OR WARRANTIES AS TO THE SUITABILITY OF THIRD-PARTY SERVICES OR FOR THE ACTS OR OMISSIONS OF PROVIDERS OF SUCH THIRD-PARTY SERVICES.
  12. Indemnification.
    1. Truepic Indemnification. Truepic shall indemnify, defend and hold harmless Customer, its Affiliates and their respective directors, officers and employees (the “Customer Indemnitees”) from and against any and all damages, losses, liabilities, costs or expenses, including reasonable attorneys’ fees (collectively “Losses”), related to third-party claims, demands, assessments, actions, suits, investigations or proceedings (collectively “Claims”), resulting from (a) a breach by Truepic of its representations, warranties or other obligations set forth in this Agreement; (b) a failure by Truepic to comply with any Applicable Law; (c) allegations that the Service, when used in accordance with this Agreement, infringes the Intellectual Property Rights of a third-party; except, in each case, to the extent such Claims or Losses resulted from any action, inaction or circumstance for which Customer is obligated to indemnify, defend and hold harmless Truepic pursuant to Section 13.2 below.
    2. Customer Indemnification. Customer agrees to indemnify, defend and hold harmless Truepic and its directors, officers and employees (the “Truepic Indemnitees”) from and against any and all Losses related to third-party Claims resulting from (a) a breach by Customer of its representations, warranties or other obligations set forth in this Agreement; (b) a failure by Customer to comply with any Applicable Law; (c) any unauthorized use of the Service or any violation, through use of the Service, of the rights of a third-party, including violation of privacy rights but excluding intellectual property infringement covered by Section 13.1(c).
    3. Indemnification Process. Any party providing indemnification under this Agreement shall have the right to control the defense and settlement of any Claims or Losses for which such party is providing indemnification. The indemnified party shall reasonably cooperate in the defense of any Claims or Losses and provide prompt notice to the indemnifying party of any Claims or Losses for which indemnification is sought. The indemnified party shall have the right to obtain separate legal counsel at its own expense, if it so chooses. No settlement shall be entered into without the consent of the indemnified party, provided that such consent shall not be unreasonably withheld or delayed. 
    4. Restrictions. Truepic shall have no obligation to indemnify and defend or any liability in respect of a Claim to the extent that the Claim results from: (a) any use of the Service other than in accordance with the terms of this Agreement; (b) any modification, configuration or change made to the Service or Truepic’s software other than by Truepic (or a third-party acting at its direction); and (c) failures by third-party-internet service providers, cloud services, telecommunications equipment or the like.
    5. Remedies. In the event the Service becomes subject to a third-party claim of infringement for which Truepic may be liable, Truepic may, at its own option and expense, take one of the following courses of action: (a) procure the right for Customer to continue using and allowing access to the Service in accordance with this Agreement; (b) make such alterations, modifications or adjustments to the Service so that it becomes non-infringing; (c) replace the Service with a non-infringing substitute; or (d) if Truepic determines that it is not possible or commercially reasonable to exercise any of the foregoing options, then Truepic may terminate this Agreement immediately with no liability to Customer except Truepic shall refund any payments which have been made by Customer in advance which exceed amounts due. The indemnity obligations contained in this Section 13 are the sole and exclusive remedy available to Customer for an allegation of breach by Truepic of third-party intellectual property rights.
  13. Limitation of Liability.  
    1. General Limitation of Liability. EXCEPT FOR A BREACH OF THE INTELLECTUAL PROPERTY LICENSES SET FORTH HEREIN, SECTION 8 (CONFIDENTIALITY), OR SECTION 13 (INDEMNIFICATION), IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, RELIANCE, OR EXEMPLARY DAMAGES, WHETHER FORESEEABLE OR NOT, AND INCLUDING, BUT NOT LIMITED TO, DAMAGE OR LOSS OF PROPERTY, EQUIPMENT, INFORMATION OR DATA; LOSS OF PROFITS, REVENUE, GOODWILL, OR OTHER PECUNIARY LOSS; BUSINESS INTERRUPTION; REGARDLESS OF THEORY OF LIABILITY WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHER THEORY AT LAW OR IN EQUITY. THESE LIMITATIONS WILL APPLY EVEN IF THE OTHER PARTY HAS BEEN ADVISED OR IS AWARE OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. 
    2. EXCEPT FOR A BREACH OF THE INTELLECTUAL PROPERTY LICENSES SET FORTH HEREIN, SECTION 8 (CONFIDENTIALITY), OR SECTION 13 (INDEMNIFICATION), IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY DAMAGES THAT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO TRUEPIC UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRIOR TO THE ACTIONS GIVING RISE TO THE CLAIM OR $1,000, WHICHEVER AMOUNT IS GREATER.
    3. TRUEPIC’S LIABILITY FOR AN INTELLECTUAL PROPERTY INFRINGEMENT CLAIM UNDER SECTION 13.1, SHALL NOT EXCEED ONE MILLION DOLLARS OR THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO TRUEPIC UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING SUCH CLAIM, WHICHEVER AMOUNT IS GREATER.
    4. The foregoing limitations and exclusions apply to the fullest extent permitted under applicable laws, however, nothing herein is intended to limit or exclude any liability in a way that is not permitted under such laws.
  14. Miscellaneous.
    1. Assignment. Neither party may assign, license, sub-license, or transfer this Agreement or any of its rights hereunder, without the prior written consent of the other party, such consent not to be unreasonably withheld or delayed. Notwithstanding the foregoing, in the event of a sale, merger, acquisition or similar corporate activity, either party may assign its rights and obligations under this Agreement to the successor in interest or title to all or substantially all of that part of the business to which this Agreement relates.
    2. Successors and Assigns. All references in this Agreement to the parties shall be deemed to include, as applicable, a reference to their respective successors and assigns. The provisions of this Agreement shall be binding on and shall inure to the benefit of the successors and assigns of the parties.
    3. Notices. Any notice under this Agreement must be in writing and delivered to the other party by personal delivery, overnight mail courier, registered mail, or by email.  Notices will be deemed effective if sent to the other party (a) five (5) working days after deposit, if mailed with postage prepaid; (b) upon electronic delivery confirmation if sent by overnight courier; or (c) the same day if sent by email during the receiver’s normal business hours (or the following day if sent after normal business hours).
    4.  Governing Law; Venue. The laws of Delaware without regard to any conflict-of-laws rules shall govern this Agreement, and the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded. The sole jurisdiction and venue for actions related to the subject matter hereof shall be the state and federal courts located in Wilmington, Delaware, and both parties hereby consent to such jurisdiction and venue. 
    5. Export. Each party agrees to comply all export laws, restrictions, national security controls and regulations of the United States or other applicable national or foreign agency or authority, and not to export or re-export, or allow the export or re-export of any software or other Confidential Information, or any copy or direct product thereof, in violation of any such restrictions, laws or regulations
    6. Equitable Relief. Notwithstanding anything to the contrary herein, the parties agree that a material breach of this Agreement adversely affecting either party’s intellectual property rights or either party’s rights in Confidential Information may cause irreparable injury to the other party for which monetary damages would not be an adequate remedy and that either party shall be entitled to apply for equitable relief, without the posting of a bond, in addition to any remedies it may have hereunder or at law.
    7. Severability. If any provision, or part thereof, of this Agreement is held to be invalid or unenforceable, the parties shall use their best efforts to replace such provision by a provision that, to the extent permitted by applicable law, achieves the purposes originally intended.  If it cannot be so reformed, it shall be omitted and the balance of this Agreement shall remain valid and unchanged and in full force and effect.
    8. Independent Contractors. Each party will act at all times as an independent contractor to the other party and will have no right or authority to act on behalf of, create any obligation for, or bind the other party in any way. Nothing in this Agreement will be deemed to create a partnership or joint venture between the parties.
    9. Attorney’s Fees. In the event of any litigation between the parties hereto, the prevailing party shall be entitled to recover reasonable attorney’s fees in addition to other relief as the court may award. 
    10. Force Majeure. Neither party shall be liable to the other for acts beyond its reasonable control including, but not limited to, acts of God, or public enemy, the acts or failure to act of any governmental authority, civil unrest, acts of civil or military authority, war, embargos, labor disputes, fires, earthquakes, epidemics, floods, unusually severe weather, or shortage or absence of power, without limitation including primary power and failure of backup systems.
    11. Compliance with Laws. The parties shall at all times comply with laws and regulations and conventions and treaties to which their countries are a party or relating to this agreement and the parties’ performance of this Agreement, including the US Children’s Online Privacy Protection Act, and all other laws and regulations relating to the gathering, handling and dissemination of all data from or concerning End-Users. Each party, at its own expense, shall negotiate and obtain any approval, license or permit required in the performance of its obligations and shall declare, record or take steps to render this Agreement binding, including the recording of this Agreement with any appropriate governmental authorities where required.
    12. Forms. Pre-printed or standard terms and conditions of any purchase or other ordering document issued by Customer in connection with the Order shall be void, and as such shall not be binding on Truepic and shall not be deemed to supersede or replace any terms and conditions hereof or otherwise modify the Order or this Agreement, regardless of whether such documents claim to do so.
    13. Counterparts; Electronic Signatures. The Order may be executed in counterparts by emailed pdf, or similar form, each of which shall be an original, and all of which when taken together shall constitute one and the same agreement. Additionally, the parties consent to the use of electronic signatures and agree that electronic signatures appearing on the Order are the same as handwritten signatures for all purposes.
    14. Headings, Captions and Names. The name of this Agreement, and all headings and captions herein contained, are for reference and convenience only and do not define, limit or expand the scope or intent of any provision hereof and shall not be relied upon in or in connection with the construction or interpretation of this Agreement.  The words “herein,” “hereunder,” “hereof” and similar terms refer to this entire Agreement and shall not be limited to the specific sections in which they are used.
    15. Modification. As indicated in the preamble of this Agreement, Truepic reserves the right to change this Agreement at any time by posting an updated version at the link that is part of the associated Order. To the fullest extent permitted under Applicable Law, Customer’s continued use of the Services after any revised Service Agreement has been posted constitutes Customer’s acceptance of the revised Agreement, and Customer shall be bound to the revised Agreement as though it was in effect at the time Customer originally entered into the applicable Order. This Agreement may also be amended by Customer entering into a new Order if such new Order expressly provides that the new Order will supersede the terms of any prior Service Agreement between the parties.
    16. Entire Agreement. This Agreement, along with all exhibits, the Order and Truepic’s Privacy Policy, sets forth the entire agreement between the parties and supersedes any and all prior proposals, agreements and representations between them, whether written or oral. In the event of any conflict in terms and conditions, this Service Agreement will prevail over any Exhibit, Appendix or Annex.

EXHIBIT A

DESCRIPTION OF PRODUCTS AND SERVICES

TRUEPIC LENS

Truepic Lens is a server SDK, a web API, and a browser library that securely enables the signing of images and videos via proprietary software embedded within a customer’s server, or cloud infrastructure, and the display of those signed details within a customer’s website.

Components of Truepic Lens

  • Lens CLI - A compiled command line tool or an containerized application that generates a securely stored public/private key pair, securely enrolls with Truepic’s Web API, acquires a signed certificate, and signs and timestamps C2PA-compliant JPEGs, PNGs and MP4s. The CLI must be implemented into the customer’s infrastructure by the customer. Regular updates are provided, but the customer must integrate these updates into their infrastructure themselves.
  • Web API - A web API for securely enrolling a server CLI. The server requires internet connectivity for initial enrollment, which may include device attestation, confirmation of customer’s preconfigured key and details, and pre-registration of enrollment against Truepic’s Certificate Authority. The server optionally requires internet connectivity for Timestamping signatures if desired using Truepic’s Timestamping Authority.
  • Display Library – A hosted javascript library that the customer must implement within their own Website to read and display C2PA data. The library will receive updates automatically, and the User Interface will be included within the provided library.
  • Certificate Authority – A web API and corresponding public key infrastructure that enables a pre-registered server to issue a certificate signing request and receive a signed certificate to be used in conjunction with a private key when singing a C2PA-compliant claim for a JPEG, PNG, or MP4. The Certificate Authority will label each certificate with customer’s pre-configured details and will allow a device or server to request a certificate with a pre-configured validity window.
  • Timestamping Authority – A web API and corresponding Timestamping Authority infrastructure that enables a CLI to request a C2PA-compliant digital signature be C2PA-compliantly timestamped.
  • The CLI and API gather and store, on Truepic’s own servers, certain, non-PII pieces of information for the purposes of billing, product usage, customer reporting, and to make product improvements. Truepic does not on its own provide a way to opt out at the customer or end-user level.
  • During onboarding, customers must submit a developer credentials request to Truepic for each of the organizations, organizational units, and apps or server that the customer requires access for. Truepic issues customers sets of developer API keys which may only be used by authorized users. Keys can be revoked upon request or at Truepic’s behest such as the termination of a contract. Additional keys can be requested at any time.

Additional Terms Applicable to Truepic Lens Which Are Not Described in the Service Agreement

Notwithstanding anything to the contrary in the Service Agreement, Customer and Truepic agree that the following additional terms shall apply to the Truepic Lens Service:

  • Rate limit: the rate limit for the Web API is 120 requests per minute per device or IP address. Truepic may deny requests that go over the limit, throttle Customer’s service, or temporarily suspend it until Customer can resolve the issue.
  • The CLI and Display library are Confidential Information owned by Truepic. Customer, including all its employees and independent contractors, shall not include all or any portion of the CLI or Display Library in public code repositories or sharing services, such as but not limited to GitHub, GitLab, CodePen.
  • Releases follow semantic versioning. All changes and testing are made against the latest published version. Truepic does not branch, fork, or patch from prior releases. (For example, if Truepic is up to version 1.8.0 and a bug is discovered by a customer still running 1.5.0, Truepic will fix it in 1.8.x or later, but Truepic will not branch and fix from 1.5, i.e. will not make 1.5.1.) All updates are available for all customers; Truepic does not create, maintain, or update specific versions for specific customers.
  • Truepic reserves the right to change minimum system requirements from time to time. Those are published in Truepic’s documentation.
  • Truepic will notify Customer at least 90 days in advance of a breaking change coming in an upcoming version.
  • Truepic will notify Customer at least 90 days in advance of a version that is to be deprecated.
  • Customer agrees to update the CLI to the latest version at least once every six months.

SUPPORT SERVICES

Support Services for Truepic Lens

Provided that Customer has paid all Fees due and owing to Truepic and is otherwise in material compliance with the terms of the Service Agreement, then Truepic shall provide Customer with the following service and support on its standard terms at no additional charge:

  • Product updates and maintenance
  • Technical documentation, including periodic updates
  • On-going support
    • Account Manager
    • Telephone, email, and website-based technical support as reasonably required to assist Customer in utilizing the Truepic Service

EXHIBIT B

SDK LICENSE AGREEMENT

For Customers who subscribe to Truepic Lens, this SDK License Agreement (“SDK License Agreement”) is entered into between Truepic and Customer effective as of the Effective Date. Truepic’s Software Development Kit (“SDK”) is part of the Truepic Lens Service. This SDK License Agreement allows Customer access to the Truepic SDK to enable Customer to embed Truepic Lens into its own software applications.  Capitalized terms used herein have the meanings given to them in the Service Agreement between Customer and Truepic of which this SDK License Agreement is a part (the “Service Agreement”).

  1. Service
    1. Truepic Service. Customer has entered into the Service Agreement which sets for the terms and conditions for Customer’s use of the Truepic Lens service. In addition, pursuant to this SDK License Agreement, Truepic will provide Customer access to the Truepic SDK in order to allow Customer to embed Truepic Lens into its Customer Apps. This SDK License Agreement and the Service Agreement are intended to be viewed as one contract, and together the products and services they to cover constitute the Truepic Lens Service.
  2. License Grants; Ownership.
    1. Truepic SDK License Grant. Subject to the terms and conditions of this SDK License Agreement, Truepic grants Customer a non-exclusive, worldwide, non-transferable, non-sublicensable right and license during the Term to install, use and embed the Truepic SDK into Customer App(s) for the purposes of using the functionality offered by Truepic Lens. Customer acknowledges that the foregoing license does not include any right to redistribute, sell, lease, license, or modify any portion of the Truepic SDK. Any modifications or derivative works of the Truepic SDK created by Customer or any third party shall be owned by and be the exclusive property of Truepic.
    2. Ownership.  Truepic owns all right, title, and interest in and to the Truepic SDK, and any Truepic SDK related suggestions, ideas, enhancements, requests, feedback, and recommendations provided by Customer to Truepic during the Term. This SDK License Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Truepic SDK, the Truepic Service, or Intellectual Property Rights of Truepic.
    3. Limitations on Use; Restriction on Modification. Customer may not license, sublicense, sell, rent, lease, resell, transfer, assign or otherwise make available to any third party the Truepic SDK. Except as otherwise provided herein, Customer shall not: (a) reverse engineer, disassemble or decompile the Truepic SDK; (b) remove, obscure or alter any proprietary rights notices, branding, text, or images, affixed or related to the Truepic SDK; (c) access or attempt to access Truepic’s other accounts, computer systems or networks not covered by this SDK License Agreement or the Service Agreement, through password mining or any other means; or (d) use the Truepic SDK to store or transmit any malicious code. Customer shall promptly notify Truepic if it becomes aware of any unauthorized use of the whole or any part of the Truepic SDK or the Truepic Service.
    4. No Other Rights Granted. The parties acknowledge and agree that, except for the rights and licenses expressly granted by each party to the other party under this SDK License Agreement and the Service Agreement, each party will retain all right, title and interest in and to its software, hardware, technology or products, trademarks, and all content, information and other materials on its website(s), technology platforms and mobile applications, and nothing contained in this SDK License Agreement will be construed as conferring upon such party, by implication, operation of law or otherwise, any other license or other right. Without limiting the generality of the foregoing, the parties agree that Truepic shall maintain all Intellectual Property Rights in and to the Truepic SDK. 
    5. Technical Support. During the Term, and provided that Customer has paid all fees due and owing to Truepic pursuant to the Service Agreement, and is not otherwise in material non-compliance with the terms of this SDK License Agreement and the Service Agreement, Truepic will provide Customer with telephone, email, and website-based technical support services to assist Customer in utilizing the Truepic SDK.  In the event Customer requires more assistance than Truepic’s standard technical support, Truepic and Customer may enter into a separate professional services agreement whereby Truepic would provide services on a time and materials basis pursuant to a fee structure mutually agreed to by the parties. 
  3. Term and Termination.  This SDK License Agreement shall be coterminous with the Service Agreement. The term of this SDK License Agreement (“Term”) shall begin on the Effective Date and end on the date that the Service Agreement expires or is terminated for any reason. In the event of termination of this SDK License Agreement, Customer shall discontinue all use of the Truepic SDK and destroy or return to Truepic all copies of the Truepic SDK in its possession or control. The provisions of Sections 2.2, 2.3 2.4, and 3 through 8 of this SDK License Agreement shall survive the termination of this SDK License Agreement. 
  4. Confidentiality. The Confidentiality provisions of the Service Agreement shall apply equally to this SDK License Agreement and the Truepic SDK. The Truepic SDK and all related documentation shall be Confidential Information of Truepic hereunder and thereunder.
  5. Compliance with Laws.  The parties shall at all times comply with laws and regulations and conventions and treaties to which their countries are a party or relating to this agreement and the parties’ performance of this SDK License Agreement. Each party, at its own expense, shall negotiate and obtain any approval, license or permit required in the performance of its obligations and shall declare, record or take steps to render this SDK License Agreement binding, including the recording of this SDK License Agreement with any appropriate governmental authorities where required.
  6. Warranty Disclaimers and Exclusions. EXCEPT AS OTHERWISE SPECIFICALLY SET FORTH HEREIN, THE TRUEPIC SDK IS PROVIDED BY TRUEPIC AND ACCEPTED BY CUSTOMER “AS IS” AND WITHOUT WARRANTY OF ANY KIND AND THE PARTIES EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT WITH RESPECT TO THE TRUEPIC SDK AND ANY RELATED DOCUMENTATION. TRUEPIC DOES NOT WARRANT THAT THE TRUEPIC SDK AND ANY RELATED DOCUMENTATION WILL MEET CUSTOMER’S REQUIREMENTS OR THAT THEY OR THEIR ACCESS OR USE WILL BE UNINTERRUPTED OR ERROR FREE OR THAT THEY WILL BE SUITABLE FOR CUSTOMER’S NEEDS OR CUSTOMER’S INTENDED APPLICATIONS, OR THAT THE TRUEPIC SDK WILL BE COMPATIBLE WITH OR OPERATE IN THE HARDWARE, SOFTWARE, OR WEBSITE CONFIGURATIONS THAT CUSTOMER SELECTS. 
  7. Limitation of Liability.  EXCEPT FOR A BREACH OF THE INTELLECTUAL PROPERTY LICENSES SET FORTH HEREIN OR SECTION 4 (CONFIDENTIALITY), IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, RELIANCE, OR EXEMPLARY DAMAGES, WHETHER FORESEEABLE OR NOT, AND INCLUDING, BUT NOT LIMITED TO, DAMAGE OR LOSS OF PROPERTY, EQUIPMENT, INFORMATION OR DATA; LOSS OF PROFITS, REVENUE, GOODWILL, OR OTHER PECUNIARY LOSS; BUSINESS INTERRUPTION; REGARDLESS OF THEORY OF LIABILITY WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHER THEORY AT LAW OR IN EQUITY. THESE LIMITATIONS WILL APPLY EVEN IF THE OTHER PARTY HAS BEEN ADVISED OR IS AWARE OF THE POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN.  EXCEPT FOR A BREACH OF THE INTELLECTUAL PROPERTY LICENSES SET FORTH HEREIN OR SECTION 4 (CONFIDENTIALITY) IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY DAMAGES THAT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO TRUEPIC UNDER THE SERVICE AGREEMENT IN THE TWELVE (12) MONTHS PRIOR TO THE ARISING OF THE CLAIM.  

TRUEPIC SHALL NOT BE RESPONSIBLE FOR ANY LOSSES, DAMAGES OR CLAIMS ARISING FROM OR AS A RESULT OF ANY USE OF THE CUSTOMER APP(S).

The foregoing limitations and exclusions apply to the fullest extent permitted under applicable laws, however, nothing herein is intended to limit or exclude any liability in a way that is not permitted under such laws.

  1. Other Provisions.
    1. Independent Contractors. Each party will act at all times as an independent contractor to the other party and will have no right or authority to act on behalf of, create any obligation for, or bind the other party in any way. Nothing in this SDK License Agreement will be deemed to create a partnership or joint venture between the parties.
    2. Assignment. Neither party may assign, license, sub-license, or transfer this SDK License Agreement or any of its rights hereunder, without the prior written consent of the other party, such consent not to be unreasonably withheld or delayed. Notwithstanding the foregoing, in the event of a sale, merger, acquisition or similar corporate activity, Truepic may assign its rights and obligations under this SDK License Agreement to the successor in interest or title to all or substantially all of that part of the business to which this SDK License Agreement relates.
    3. Governing Law; Venue. The laws of Delaware without regard to any conflict-of-laws rules shall govern this SDK License Agreement, and the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded. The sole jurisdiction and venue for actions related to the subject matter hereof shall be the state and federal courts located in Wilmington, Delaware, and both parties hereby consent to such jurisdiction and venue. 
    4. Miscellaneous. This SDK License Agreement and the Service Agreement, along with all exhibits and appendices, sets forth the entire agreement between the parties and supersedes any prior proposals, agreements and representations between them, whether written or oral, with respect to the subject matter hereof. All references in this SDK License Agreement to the parties shall be deemed to include, as applicable, a reference to their respective successors and assigns. The provisions of this SDK License Agreement shall be binding on and shall inure to the benefit of the successors and assigns of the parties. No amendment, change, or modification of this SDK License Agreement shall be valid or take effect unless it is in writing, signed by authorized representatives of each of the parties. If any provision, or part thereof, of this SDK License Agreement is held to be invalid or unenforceable, the parties shall use their best efforts to replace such provision by a provision that, to the extent permitted by applicable law, achieves the purposes originally intended. If it cannot be so reformed, it shall be omitted and the balance of this SDK License Agreement shall remain valid and unchanged and in full force and effect. In the event of any litigation between the parties hereto, the prevailing party shall be entitled to recover reasonable attorney’s fees in addition to other relief as the court may award.

EXHIBIT C

Service Level Agreement

A. Availability. Truepic will use commercially reasonable efforts to operate, maintain, and provision the Service in accordance with this Agreement in a manner that ensures at least 99.9% availability in any given calendar month (the "Uptime Commitment").  "Availability" is calculated as follows: (total minutes in any calendar month – total minutes of downtime) divided by (the total minutes in such calendar month), where "downtime" means any period of time during which the Service is not functioning in accordance with the specifications or fails to respond within 500 ms. Downtime resulting from any of the following does not count as a period of unavailability for purposes of calculating the Uptime Commitment: (i) scheduled maintenance of no more than three (3) hours per week (currently 5:30am US ET Saturday to 8:30am US ET Saturday, or such other alternative time outside of 9:00am US ET through 9:00pm US ET Monday through Friday, upon no less than forty-eight (48) hours' notice to Customer); (ii) unavailability caused by acts or omissions of Customer or its agents or caused by any breach by Customer of this Agreement; (iii) unavailability caused by network unavailability or bandwidth limitations outside of the Truepic network; or (iv) hacks, malicious introduction of viruses, disabling devices, and other forms of third-party attacks that disrupt access to the Service, provided such disruptions did not result from Truepic's breach of this Agreement or gross negligence or willful misconduct.

B. Support Response Times.  Customer/technical support hours are business days from 9am-6pm ET, and Truepic's required response times are dictated by the severity of the issue as follows:

Severity Level

Description

Response Time

1

Business impact & critical software defects

2 hours

2

Major issues or defects

8 hours

3

Minor issues or defects

24 hours

4

Cosmetic, trivial, or general inquiries

48 hours

EXHIBIT D

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is part of and will be deemed to be incorporated into the Service Agreement (the “Agreement”) between Customer and Truepic, pursuant to which Truepic provides the Services (as defined in the Agreement) to Customer. All capitalized terms that are not defined in this DPA shall have the meanings ascribed to such terms in the Agreement.

The parties agree to comply with the following provisions with respect to any Personal Data Processed by Truepic for Customer in connection with the provision of the Services. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.

  1. DEFINITIONS
    1. CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.), as may be amended, superseded, or replaced, as well as any regulations promulgated by the California Attorney General’s office and/or the California Privacy Protection Agency.
    2. Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
    3. Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
    4. Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR; (b) the Federal Data Protection Act of 19 June 1992 (Switzerland), (c) the Data Protection Act 2018 (United Kingdom) (d) the General Law for the Protection of Personal Data, Law 13.709 of Brazil and/or (e) CCPAand applicable to the Processing of Personal Data under the Agreement.
    5. Data Subject” means the individual to whom Personal Data relates.
    6. GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. For purposes of clarity, references to the GDPR shall include the Federal Data Protection Act of 19 June 1992 (Switzerland) and the Data Protection Act 2018 (United Kingdom).
    7. Personal Data” means any information relating to an identified or identifiable person that is subject to the Data Protection Laws as specified in Appendix A, including but not limited to any personal information as defined by the CCPA.
    8. Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
    9. Security Breach” has the meaning set forth in Section 7 of this DPA.
    10. Sub-processor” means any sub-processor engaged by Truepic for the Processing of Personal Data.
    11. Term” means the period from the Effective Date to the date the DPA is terminated in accordance with Section 11.1.
    12. Third Party Partner” means any entity engaged by Customer for the Processing of Personal Data.
  2. ROLES OF THE PARTIES IN PROCESSING OF PERSONAL DATA
    1. To the extent the Services involve the Processing of Personal Data governed under Data Protection Laws, the parties agree that Customer is the Data Controller and Truepic is a Data Processor and that the subject matter and details of the processing of such Personal Data are described in Appendix A. To the extent that CCPA applies to the Services, the parties agree that Truepic is a service provider of such Personal Data. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Truepic shall keep a record of all processing activities with respect to Customer’s Personal Data as required under GDPR.
    2. Each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Personal Data, including but not limited to providing the other party contact details for each party’s Data Protection Officer which are accurate and up to date. Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If Truepic believes or becomes aware that any of Customer’s instructions conflicts with any Data Protection Laws, Truepic shall inform Customer. As between the parties, Customer shall have sole responsibility for determining the legal basis for processing of Personal Data and (to the extent legally required) obtain all consents from Data Subjects necessary for collection, storage (e.g., via HTTP cookies) and Processing of Personal Data in the scope of the Services. Both parties shall post a publicly facing privacy policy in compliance with Data Protection Laws and shall adhere to such policy in its execution of the Agreement.
    3. The objective of Processing of Personal Data by Truepic is the performance of the Services pursuant to the Agreement. During the Term of the Agreement, Truepic shall only Process Personal Data on behalf of and in accordance with the Agreement and Customer’s instructions and shall treat such Personal Data as Confidential Information. Customer instructs Truepic to Process Personal Data for the following purposes (each a permitted purpose): (i) Processing in accordance with the Agreement; (ii) Processing in order to authenticate and verify certain photos and videos as directed by Customer and/or Customer’s End-Users; and (iii) Processing to comply with other reasonable instructions provided by Customer where such instructions are acknowledged by Truepic as consistent with the terms of the Agreement. Truepic may Process Personal Data other than on the instructions of the Customer if it is mandatory under applicable law to which Truepic is subject but otherwise shall not sell such Personal Data and may not share Personal Data except as instructed in writing by Customer.  In this situation Truepic shall inform the Customer of such a requirement unless the law prohibits such notice. Both parties agree that Customer instructions may include Customer directing Truepic to send data to one or more Third Party Partner(s) for further processing.
  3. RIGHTS OF DATA SUBJECTS; DATA DELETION
    1. Truepic shall provide reasonable and timely assistance to the Customer to enable the Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject in connection with the processing of the Data.
  4. TRUEPIC PERSONNEL
    1. Truepic shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
    2. Truepic will take appropriate steps to ensure compliance with the Security Measures outlined in Annex II of Appendix A by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Truepic.
    3. Truepic shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
  5. SUB-PROCESSORS
    1. Customer acknowledges and agrees that (i) Truepic Affiliates may be retained as Sub-processors; and (ii) Truepic may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Truepic has retained them to provide, and are prohibited from using Personal Data for any other purpose. Truepic will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.
    2. A list of Sub-processors is available in the Truepic user interface and/or in Annex III to Appendix A. Truepic may change the list of such other Sub-processors by no less than twenty (20) business days’ notice to Customer. If Customer objects to Truepic’s change in such Sub-processors on reasonable data protection grounds, Truepic may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to Customer. In the event of such termination, that parties shall negotiate in good faith regarding a pro-rata refund for Customer.
    3. Truepic shall be liable for the acts and omissions of its Sub-processors to the same extent Truepic would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
    4. Customer acknowledges and agrees that Third Party Partners are not Sub-processors and Truepic assumes no responsibility or liability for the acts or omissions of such Third-Party Partners.
  6. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
    1. Truepic shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer’s Personal Data. Truepic will implement and maintain technical and organizational measures to protect Customer’s Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Annex II of Appendix A (the “Security Measures”). As described in Annex II of Appendix A, the Security Measures include measures to protect Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Truepic’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Truepic may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
    2. Truepic will (taking into account the nature of the processing of Customer Personal Data and the information available to Truepic) assist Customer in ensuring compliance with any of Customer’s obligations with respect to the security of Personal Data and Personal Data breaches applicable to GDPR, including (if applicable) Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Annex II of Appendix A; and (b) complying with the terms of Section 7 of this DPA.
    3. No more than once per year, Customer may engage a mutually agreed upon third party to audit Truepic solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”).  To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to compliance@getambassador.com. The auditor must execute a written confidentiality agreement acceptable to Truepic before conducting the audit. The audit must be conducted during regular business hours, subject to Truepic’s policies, and may not unreasonably interfere with Truepic’s business activities.  Any audits shall be at Customer’s expense.
    4. Any request for Truepic to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law.  Customer shall reimburse Truepic for any time spent for any such audit at the rates agreed to by the parties. Before the commencement of any such audit, Customer and Truepic shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Truepic.
    5. Customer shall promptly notify Truepic with information regarding any non-compliance discovered during the course of an audit.
  7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
    1. If Truepic becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Customer Personal Data transmitted, stored or otherwise Processed on Truepic’ equipment or facilities (“Security Breach”) which, in the reasonable opinion of Truepic’ Data Protection Officer, requires such notification, Truepic will promptly notify Customer of the Security Breach. Notifications made pursuant to this Section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps Truepic recommends Customer take to address the Security Breach.
    2. Customer agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Customer Personal Data or to any of Truepic’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
    3. Notification(s) of Security Breaches, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Truepic selects, including via email. It is Customer’s sole responsibility to ensure it maintains accurate contact information on Truepic’s support systems at all times.
    4. Truepic’s notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by Truepic of any fault or liability with respect to the Security Breach.
    5. Truepic shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect to the Customer Personal Data. As technical and organizational measures are subject to technological development, Truepic is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Law.
    6. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures provide a level of security appropriate to the risk in respect to the Customer Personal Data.
  8. RETURN AND DELETION OF CLIENT DATA
    1. Truepic will enable Customer to delete Customer’s Personal Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer’s Personal Data during the Term and that Customer’s Personal Data cannot be recovered by Customer, this use will constitute an instruction to Truepic to delete the relevant Customer’s Personal Data from Truepic’s systems in accordance with Data Protection Laws. Truepic will comply with instructions from the Customer to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
    2. On expiry of the Agreement, Customer instructs Truepic to delete all Customer’s Personal Data (including existing copies) from Truepic’s systems and discontinue processing of such Customer’s Personal Data in accordance with Data Protection Law. Truepic will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that Truepic has archived Customer’s Personal Data on back-up systems so long as Truepic securely isolates and protect such data from any further processing except to the extent required by applicable law. Without prejudice to this Section, Customer acknowledges and agrees that Customer will be responsible for exporting, before the Agreement expires, any Customer’s Personal Data it wishes to retain afterwards. Notwithstanding the foregoing, the provisions of this DPA will survive the termination of this Agreement for as long as the Truepic retains any of the Customer Personal Data.
  9. CROSS-BORDER DATA TRANSFERS
    1. Truepic may, subject to this Section 9, store and Process the relevant Personal Data in the European Economic Area, Switzerland, the United Kingdom and the United States.
    2. If the Services involve the storage and/or Processing of Customer’s Personal Data which transfers such Personal Data out of the European Economic Area or Switzerland to a jurisdiction that does not have adequate Data Protection Laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the parties agree that the EU Commission Implementing Decision (EU) 2021/914 and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj(as amended or updated from time to time) (“Standard Contractual Clauses”) will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Customer and Truepic, the parties agree that: (a) Roles of the Parties: Customer is a Data Controller and “data exporter” and Truepic is the Data Processor and “data importer” under the Standard Contractual Clauses, (b) Governing Law and Supervisory Authority: The Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established and enforced by the Supervisory Authority of such EU Member State. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of an EU Member State that does allow for third-party beneficiary rights. In such case, the Parties agree that this shall be the laws of Ireland; (c) Sub-Processors: the parties select general written authorization for Sub-processors; (d) Redress: The parties elect to omit the optional text; and (e) Annex I, II and III are provided at the end of this DPA as part of Appendix A and to the extent that there’s a conflict as between the DPA and Appendix A, Appendix A shall govern.
    3. The parties further agree that if Transferred Personal Data includes Personal Data from Data Subjects located in the United Kingdom, and the Data Protection Laws apply to the transfers of such data, both parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the DPA in the form approved by the UK Information Commissioner’s Office and currently available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (as amended or updated from time to time) (“UK Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this DPA. For the purposes of the UK Standard Contractual Clauses, Appendix A of these Terms shall take the place of Annex I, Annex II and Annex III respectively of the UK Standard Contractual Clauses.
    4. At Customer’s written request, or if the Services involve the storage and/or processing of Customer’s Personal Data collected from persons located in Argentina, Brazil or another jurisdiction not described above but which restricts the transfer of such Personal Data (each a “Restricted Transfer Country”) outside of each Restricted Transfer Country to a place that does not have adequate data protection laws, the parties agree to execute each applicable Restricted Transfer Country’s model clause agreement to ensure that such transfers are conducted in accordance with Data Protection Laws.
    5. To the extent Customer is the recipient of Personal Data from Truepic pursuant to this DPA, Customer agrees that Customer will provide at least the same level of protection for the information as Truepic has agreed to provide herein.
    6. If the Standard Contractual Clauses or any other model clause transfer agreement are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified transfer mechanism.
  10. LIABILITY
    1. Both parties agree that their respective liability under this DPA shall be apportioned according to each parties’ respective responsibility for the harm (if any) caused by each respective party.
    2. Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
  11. MISCELLANEOUS
    1. This DPA will take effect on the Effective Date and will remain in effect until, and automatically expire upon, the deletion of all Customer’s Personal Data by Truepic as described in this DPA.
    2. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
    3. Where Customer’s Affiliates are Data Controllers of the Personal Data, they may enforce the terms of this DPA against Truepic directly.

APPENDIX A

ANNEX I

Data exporter – The data exporter is Customer

Data importer – The data importer is Truepic, Inc., a company that provides a platform to verify photos and videos on behalf of Customer.

Purpose of Processing – As described in the Agreement.

Data subjects – The personal data transferred concern the following category of data subjects: Customer’s End-Users of the Truepic platform and Services as described in the Agreement as well as Customer and Truepic personnel to the extent necessary to provide the Services.

Categories of data – The personal data transferred concern the following categories of personal data:

  • The name, user ID and login information of Customer’s End Users.
  • GPS Coordinates, Address, OS Type, OS Version, IP Address, Device name, Screen height and width.
  • In order to manage the Agreement, Truepic will process Personal Data from Customer’s employees and other personnel such as name, title, email address, telephone number and (for billing purposes) Customer’s payment details.  Customer will process Personal Data from Truepic’s employees and other personnel such as name, title, email address, telephone number.

Special categories of data (if appropriate): None.

Processing operations – The personal data transferred will be subject to the following basic processing activities: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

ANNEX II

Set forth below is a summary description of the technical and organizational Security Measures implemented by Truepic:

  1. Access control to premises and facilities: Truepic is a fully remote company without physical offices or facilities.
  2. Access control to systems: Truepic uses standard personal computers which are managed by MDM. Each employee has his own account secured with a password and encrypted. In order to access the platform, which is hosted by Amazon Web Services, access is determined by AWS and Okta SSO including MFA. These accounts are managed by Truepic’s Security Team who ensure that only employees who need to access the platform at Truepic can do so.
  3. Access control to data: Admission control is performed by Truepic’s Security Officer, who, for example, creates, manages and terminates user accounts for employees as needed. Each account can be assigned with specific user roles with role specific admissions.
  4. Disclosure control: All Truepic employees sign a non-disclosure agreement as part of their working contract. In addition, all employees sign a data privacy statement according to CCPA and GDPR data privacy law under which they undertake to comply with data secrecy requirements. Furthermore, data is encrypted with VPN and SSL technology when transferred between Truepic’s systems.
  5. Input control: Truepic’s Security Officer regularly checks the logs of deployed systems and software. He or she checks the plausibility of log entries, errors and warnings usually issued by respective systems. Depending on the configured log level, the logs give insights on data manipulation within the systems and, depending on the system, by whom the data has actually been changed or manipulated.
  6. Job control: The wording of applicable agreements, such as the Service Agreement, defines the responsibilities between Truepic and Customer and ensures that all commissioned data processing must be carried out according to such agreements or Customer instructions. Where subcontractors are employed, Truepic carefully selects subcontractors and requires them to demonstrate their measures in terms of data security and privacy.
  7. Availability control: Truepic has installed data backups to ensure the availability of Customer data. Data such as addresses, emails and calendars are stored and backed-up by respective service providers. Furthermore, Truepic deploys antivirus software on its computers. The antivirus software is updated on a regular basis. Firewalls provided by the operating systems are also activated for protection.
  8. Segregation control: Truepic’s employees are instructed to only access data that is necessary to do their work. Truepic’s Security Officer manages master accounts to access the systems on which the UIP is operated and to process Customer data so that such data cannot be accessed by all Truepic employees.

ANNEX III

LIST OF SUB-PROCESSORS

Name Nature of Processing Territory(ies)
Twilio Send SMS text messages to users to initiate inspections USA
ChurnZero Customer Success USA
Google Communications USA
Slack Communications USA
Auth0 Customer authentication USA
Branch Metrics Build authenticated deep links to inspections USA
Sendgrid Send emails to users to initiate inspections USA
Amazon Web Services Cloud platform USA
Freshworks Customer support USA
Dropbox Deliver customer data USA