Piano Master Services Agreement - Terms and Conditions

PIANO MASTER SERVICES AGREEMENT TERMS AND CONDITIONS

By purchasing a subscription to a Piano Entity’s (defined below; “Piano”) software and/or services, you (“Client”) agree to the following terms, which may be amended by Piano from time to time. Both Piano and Client are a “Party” and collectively, the “Parties”.

Piano Entity:

The relevant Piano Entity shall be specified in the Software Schedule and/or order form between Client and Piano. This may be:

  • Piano Software, Inc. located at 111 S Independence Mall E, Philadelphia PA 19106;

  • Piano Software Norway located at Drammensveien 165 0277, Oslo, Norway;

  • Applied Technologies Internet SAS located at 85 avenue Président JF Kennedy 33700 Merignanc France;

  • Applied Technologies Internet GmbH located at Mehringdamm 55, 10961 Berlin, Germany

DEFINITIONS

“Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Beta Service” means Piano services or functionality that may be made available to Client to try at Client’s option at no additional charge which is clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description.

“Client Data” means all electronic data or information submitted by Client to the Services, whether that data or information is submitted by Client, Authorized Users, or general public users of the Network. Client shall be responsible for (a) Client’s and Users’ use of the Services, and (b) the appropriateness and legality of all Client Data.

“Client Social Media Accounts” means any social media accounts controlled or purposed to be controlled or registered by or on behalf of Client. 

“Network” means the network of websites or web services operated by Client, and Authorized Users, and used in connection with the Services, including but not limited to the Client’s own website, or web services, and third party web sites or web services that directly or indirectly are using the Services.

1.      SERVICES.  

(a) Services.  Piano agrees to provide Client with content monetization services on a hosted basis, using Piano’s software as a service platform as it may be revised from time to time ("Software") including any customizations of the Software, reporting services, training, support, and/or consulting services (collectively, the “Services”) in accordance with this Agreement and as described in any executed software schedule or order form (“Software Schedule”) or executed Statements of Work to this Agreement (“SOW”) in the form attached hereto. Piano may, from time to time in its sole discretion, develop and provide Software updates, which may include upgrades, bug fixes, patches and other error corrections, Software optimization, and/or new features (collectively "Updates"). All Updates shall be considered Software. SOWs, Software Schedules, Order Forms, and any other attachments or exhibits to this Agreement are collectively referred to in this Agreement as “Schedules,” and are all hereby incorporated into this Agreement.  Each Schedule is subject to the terms and conditions of this Agreement, unless otherwise expressly stated therein, and shall include any terms and conditions that are specific to the Services identified therein.

(b) Schedules. To the extent applicable, each Schedule may include: (i) a description of the Software and Services; (ii) Client’s websites and/or mobile applications for which the Services will be provided (“Websites”); (iii) a description of the parties’ respective responsibilities; (iv) fees and payment terms; and (v) names and contact information of Piano and Client contacts.

(c) Deliverables. The term “Deliverables” means all works of authorship, programs, code, processes, tools, reports, manuals, supporting materials, drawings, diagrams, flowcharts, and concepts which are created by Piano specifically for Client during the Term of this Agreement and described in a Schedule, along with any unique documentation created for Client related to any of the foregoing. During the course of Piano’s performance of Services under any Schedule, Client may request changes in the Software or Services (including the addition of other Websites). Piano will incorporate such changes, provided the parties mutually agree to the changes and execute a change order or new Schedule, signed by both parties, setting forth the amended scope of work and any changes in Websites, Software, Services, scheduled completion dates or applicable fees.

(d) Acceptance of Deliverables for Consulting Services. Services may be performed on either a time-and-materials basis or a fixed-cost basis, as specified in the applicable Software Schedule or SOW. Services performed on a time-and-materials basis shall be deemed accepted upon performance. If a Software Schedule or SOW specifies Deliverables provided on a fixed-cost basis, such Deliverables shall be subject to Client’s review and acceptance, which shall not be unreasonably withheld, delayed or conditioned and may only be withheld for material verifiable non-conformity to the specifications set forth in the applicable Software Schedule or SOW and this Agreement. 

(e) Accuracy of Data.  The Software may process, analyze, interpret, enrich or otherwise modify data collected on Client Websites.  Piano shall not be liable for any interpretations, predictions, evaluations, or assessments of such data by Client.  Except as provided in a separate SOW, Client shall remain solely liable for the interpretation of such data and shall not hold Piano liable for any damages or loss resulting therefrom.

(f) Precedence. The documents set forth in Section 1(a) constitute this agreement and must be read in the following order of precedence (from highest to lowest) unless explicitly stated: (i) the Software Schedule, (ii) the Schedules, (iii) the Agreement, and (iv) any other document which is incorporated into this agreement by reference.

(g) Beta Services:  From time to time, Piano may make Beta Services available to Client at no additional charge. Client may choose to try such Beta Services or not at its sole discretion. Beta Services are intended for evaluation purposes only and not for production use, are not supported, and may be subject to additional terms. Beta Services are specifically excluded from the Service Level Agreement set forth in Exhibit A. Piano may discontinue Beta Services at any time at its sole discretion and may make material modifications to the Beta Service before releasing a production version or may never make a production version available at all. Piano shall have no liability for any harm or damage arising out of or in connection with a Beta Service.

(h) Reports:  In order to enrich the Services, Client hereby grants Piano a royalty-free license during the Term, as defined below, to access, reproduce, display, and create reports or other derivative works including on the basis of Personal Data and/or Non-Personal Data, as defined below, which has already been processed for the purposes of providing the Services, in an aggregated and anonymized format only (“Reports”) and to distribute such Reports during the Term to third parties only when the Reports contain aggregated anonymous data in accordance with Article 89 of the GDPR.

2.      CLIENT OBLIGATIONS. In addition to obligations set forth elsewhere in this Agreement, Client shall have the following obligations hereunder. 

(a) General. Client agrees (i) to make available, at Client’s expense, any and all Client personnel reasonably necessary to provide information required by Piano to complete any of the Deliverables or provide the Services, and (ii) to the extent specified in a Schedule, to request and facilitate, at Client’s expense, the participation, as necessary, of any third-party vendors, solution providers, or other resources acceptable to Client, if any.  Client further agrees to allow Piano reasonable access to Client’s relevant information and materials as requested by Piano to enable Piano to provide the Deliverables and the Services, and access to Client’s systems, software and databases to enable Piano to provide the Services and the Deliverables, including providing Piano full administrative rights to Client’s accounts within the Software.  Where necessary, Client shall register, or instruct Piano to register on Client’s behalf, an account on Piano’s website in accordance with the registration process on such website and authorize or provide Piano access to the Client Social Media Accounts to the extent necessary for Piano to perform its obligations under this Agreement.  Client acknowledges and agrees that Piano’s ability to provide the Services and the Deliverables in accordance with the terms of this Agreement is dependent upon and subject to Client’s timely performance of its obligations under this Agreement and each Schedule, as well as any other tasks reasonably necessary to ensure the proper functioning of the Services. Client acknowledges further that Piano acts as a mere technological carrier and is not responsible for the content of Client Data or for evaluating the appropriateness of the Client Data in relation to the environment where such data are disclosed or published. 
Client is solely responsible for the implementation, configuration, alteration, administration, maintenance and removal of any pieces of code that must be implemented on Client Websites to allow for the proper functioning of the Software (“Tags”).  Client acknowledges that the Software cannot properly function without the implementation of Tags.  Client is solely responsible for monitoring and validating the Licensed Capacity, as defined in an applicable Schedule, generated through its website(s) or application(s) utilizing the Services. Client acknowledges the Services records the Licensed Capacity solely based on the Tags. Further, Client acknowledges that where a Software Update is made that requires Client to perform reasonable specific actions in order to ensure the proper functioning of the Software in accordance with this Agreement, Client shall follow Piano's reasonable instructions to perform such actions, including but not limited to the re-implementation of Tags. 

(b) Notification. Client shall immediately provide written notification to Piano of (i) any use of the Software or Services through any of Client's Websites or facilities by anyone other than Client’s employees, authorized agents, or other individuals Client has authorized to access and use the Software or Services on Client’s behalf (“Authorized Users”), or (ii) the actual or suspected disclosure, whether deliberate or accidental, of any usernames, passwords, URLs, or other access to information required for use of the Software or Services, to anyone other than Authorized Users who have a need to know such information.

(c) Translation. Client, at Client's sole discretion, may use Piano Software to present various email messages, alerts, interfaces and messages to Client’s online users. Piano provides translations of its administrative dashboard and End-User Communications for Client’s benefit in English, German, French, Spanish, and Portuguese, but makes no warranty regarding the accuracy or suitability of those translations. If deemed necessary by Client, Client shall be responsible for editing and/or translating any End-User Communications at Client’s sole expense.

(d) Legal Compliance. Client shall be responsible for ensuring that its use of the Software and Services is in compliance with all applicable laws, rules and regulations of the countries in which Client’s users are located (“Applicable Law”). In the event that, as part of this Agreement, either party collects personal data (as defined in EU Regulation No. 2016/679, the General Data Protection Regulation (the “GDPR”)) from data subjects located in the European Economic Area pursuant to this Agreement, the Parties shall conclude a Data Processing Agreement (“DPA”) pursuant to GDPR Article 28, and such DPA shall be attached as Exhibit B to this Agreement. Client will also ensure that its use of the Service is in compliance with Applicable Laws, to the extent such laws differ from the laws of the U.S. or the GDPR.  Both parties recognize that Piano participates in certain self-regulatory groups and shall ensure that their respective privacy disclosures are in line with the Digital Advertising Alliance Code and the IAB CCPA Compliance Framework for Publishers and Technology Companies (“IAB Framework”).

(e) Taxes. If applicable, Client will collect applicable sales tax, VAT, or other tax ("Tax") from each subscriber making a purchase through the Service on Client's Websites where required by applicable laws and remit any Tax due to the appropriate tax jurisdiction(s), file all applicable documents, retain copies of any relevant documents in determining Tax calculations, and handle and address any inquiry by any jurisdiction regarding Tax on the purchase.

(f) Compliance with Policies. Client will be responsible for compliance with the Acceptable Use Policy (https://piano.io/aup) and any other policies Piano makes Client aware of from time to time. Client acknowledges that violations of this Section may result in: (i) immediate removal of the offending materials or suspension of the offending activity without notice to Client; (ii) blocked access to, or partial or full suspension of, Services; or (iii) other reasonable actions appropriate to address the violation, as determined by Piano in its sole discretion.

3.      FEES AND PAYMENT TERMS

(a) Fees shall be as set forth in the applicable Schedule. Unless otherwise stated in a Schedule, Client will pay all undisputed amounts within thirty (30) days of the date of the applicable invoice. If Client disputes any invoiced amount in good faith, Client will notify Piano in detail in writing as to the nature of the disputed charges and the reason for Client’s disagreement prior to the due date of the applicable invoice or Client’s right to dispute such invoice shall be waived and Client will pay all undisputed charges on the applicable invoice by their due date. Piano will respond by providing documentation in reasonable detail for the disputed charges. The parties will make all reasonable attempts to resolve the dispute in good faith and as amicably as possible within thirty (30) days.  

(b) Client shall pay Piano all fees that are owed under this Agreement even if Client has not received payment from the transactions utilizing the Software and/or the Services. Except as otherwise specified in this Agreement or in any Schedule, (i) fees are payable based on Software or Services purchased and not actual usage, (ii) payment obligations are non-cancelable and, except as expressly provided herein, fees paid are non-refundable, and (iii) the agreed fee amount cannot be decreased during the relevant term stated in a Schedule.

(c) All payments due to either party hereunder shall be net of any bank or wire fees, delivered or mailed to the address listed for notices herein or wired to an account specified in writing by the party to which payment is due. Except as expressly stated in a Schedule, there will be no other fees owed (including to any third parties for any third-party components that may be included within the Software) by Client hereunder. All fees shall be payable in USD unless another currency is specified in the applicable Schedule.  Payments to Client, if applicable, shall be submitted to the address/account indicated in the Schedule. Payments to Piano shall be submitted to the account / address set forth on the relevant invoice.

(d) Client shall be deemed in default of this Agreement if any undisputed invoiced amounts remain unpaid thirty (30) days after the invoice due date (for clarity, where Client has 30-day payment terms, the late fees described in the following sentence shall only apply 30 days after the invoice due date, i.e. 60 days from the invoice date).  Late payments by Client will be subject to late fees at the rate of one and one-half percent (1.5%) per month, or, if lower, the maximum rate allowed by law, determined and compounded daily from the invoice due date until such invoice is paid in full.  If Client is in default of this Agreement, Piano may, without limiting its other rights and remedies under this Agreement and/or applicable laws, accelerate Client’s unpaid fee obligations under this Agreement including all Schedules and suspend the provision of the Software and/or Services, without penalty or liability to Piano, upon notice to Client. Suspension of the Software and/or Services shall not release Client of its payment obligations under this Agreement. If Client is in default of its payment obligations, Client shall be liable for any and all reasonable costs incurred by Piano in order to collect the overdue amounts.  

(e) Fees charged to Client hereunder do not include any local, state, federal or foreign taxes, levies or duties of any nature, including value-added, sales use or withholding taxes ("Taxes"). Client is responsible for paying all Taxes, excluding only taxes based on Piano's income. If Piano has the legal obligation to pay or collect Taxes for which Client is responsible under this Section, the appropriate amount shall be invoiced to and paid by Client unless Client provides Piano with a valid tax exemption certificate authorized by the appropriate taxing authority. Client will pay any additional taxes as are necessary to ensure that the net amounts received by Piano, after all such taxes are paid, are equal to the amounts that Piano would have been entitled to in accordance with this Agreement as if the taxes did not exist.

(f) Effective upon the one-year anniversary of any Schedule made pursuant to this Agreement, or if the effective term set forth in a Schedule is longer than one year, then up to one time during each Renewal Term as defined in such Schedule, Piano shall increase the fee on a per-unit pricing basis by the greater of: (i) seven percent (7%); or (ii) a percentage equal to the increase for the prior 12-month period, or the prior period of the same duration as the Initial Term as defined in a Schedule, if longer than 12 months, in the CPI - All Urban Consumers (U.S. All Items) or successor series, as published by the U.S. Bureau of Labor Statistics. If Client objects to such increase, Client must notify Piano of its intention to not renew the applicable Schedule at least sixty (60) days prior to the expiration of the term of such Schedule. Any such termination shall be effective on expiration of the then current Schedule term.  Except as expressly provided in the applicable Schedule, renewal of promotional or one-time priced subscriptions will be at Piano’s current per-unit pricing in effect at the time of the applicable renewal. Notwithstanding anything to the contrary, any renewal in which Licensed Capacity, as defined in the applicable Schedule, or volume for any Services shall decrease for the subsequent renewal shall be priced at renewal without regard to the prior term’s per-unit pricing.

4.      OWNERSHIP OF INTELLECTUAL PROPERTY.

(a) Piano Intellectual Property. 

(i)      Pre-Existing Piano Intellectual Property. The parties agree that Piano shall exclusively own and retain all “Piano IP”, defined as follows: (A) the Software, and all modifications thereto and future versions thereof; (B) all works of authorship, programs, code, processes, tools, reports, manuals, supporting materials, drawings, diagrams, flowcharts, and concepts, any of which existed prior to the Effective Date of this Agreement, whether created by or for Piano (“Pre-Existing Materials”), including but not limited to the proprietary technology offered at Piano.io (and other sites operated by Piano) and other applications; (C) Piano’s business, templates, documents, materials, technology, software, source code, website(s), modifications, updates and enhancements; (D) any and all works of authorship, programs, code, processes, tools, reports, manuals, supporting materials, drawings, diagrams, flowcharts, and concepts that are developed by Piano (except Deliverables); and (E) all copyrights, trademarks, service marks, trade secrets, patents, patent applications, moral rights, contractual rights of non-disclosure or any other intellectual property or proprietary rights, however arising, throughout the world (collectively “Intellectual Property Rights”) with respect to any and all of the foregoing as set out in subsections (A) - (E).

(ii)     Feedback.  In addition, the parties acknowledge that Piano may continue to modify its Software and Services, and that Client may make requests or suggestions to Piano for changes or additions to the Software or Services (“Feedback”).  The parties agree that any modifications or enhancements to the Software or Services, regardless of whether they are derived from or related to Feedback shall also be Piano IP unless stated otherwise in a separate SOW between the parties. 

(iii)    Assignment of Intellectual Property Ownership. To the extent Piano is not automatically deemed to be the author, inventor or owner of any Piano IP, Client agrees to assign and hereby assigns, all right, title and interest it may have in any Piano IP to Piano and agrees to execute all documents necessary to effectuate Piano’s full ownership in and to all Piano IP.  Client appoints Piano its attorney in fact to execute such documents.  This appointment is coupled with an interest and is therefore irrevocable. 

(b) Data Rights.  The following data rights shall be applicable to this Agreement:

(i)      “Personal Data” consists of any personal information relating to an identified or an identifiable end-user within the meaning of Article 4(1) of the GDPR, such as name, email address, phone number, financial data, the specific content accessed, time and duration of the visit, offer conversion and/or interaction data, referring site, or other information relating to such natural person collected through the Service whether via cookies or other tracking technologies, the Service’s functionality, or otherwise. Personal Data will be owned by Client. 

(ii)     “Non-Personal Data” consists of information other than Personal Data, whether collected via cookies or other tracking technologies, the Service’s functionality, or otherwise, on an anonymous basis in cases without means reasonably likely used by the parties to identify a natural person to whom such data relates. Non-Personal Data will be owned by Client, subject to the exceptions described herein. 

(iii)    Piano shall adhere to the DPA attached in Exhibit B hereto and made a part hereof. If and to the extent of an express and direct conflict between the terms of this Section 4(b) and the DPA in Exhibit B, the terms of the DPA shall apply.

(c) Client Intellectual Property.  Client exclusively owns and retains all right, title, and interest in and to (i) its business, technology, trademarks, and websites and all other Intellectual Property Rights in materials that are developed and owned by Client; (ii) any and all works of authorship, programs, data, code, processes, tools, reports, manuals, supporting materials, drawings, diagrams, flowcharts, and concepts that Client develops independently of any collaboration with Piano, and that are not derived from or that do not directly relate to the Services, Pre-Existing Materials or any other Piano IP, and that relate to Client’s Websites, properties or data; (iii) any and all content or data delivered into or stored into the Software by Client (or its users), subject to the data rights described in Section 4(b) above or in any Schedule; and (iv) Client Social Media Accounts (collectively, “Client Materials”).  Client exclusively owns and retains all Intellectual Property Rights, title, and interest in and to each of the Client Materials, subject to the rights and licenses granted in this Agreement or a Schedule.  Client grants to Piano a non-exclusive, fully-paid license to use, reproduce, and prepare derivative works of the Client Materials for purposes of performing the Services and creating Deliverables for the Term of this Agreement.

(d) Deliverables.  Client shall own the entire right, title and interest in any Deliverables. Piano agrees to assign and hereby assigns, all right, title and interest it may have in any Deliverables to Client. Piano agrees to execute all documents necessary to effect Client's full ownership in and to all Deliverables. For purposes of clarity, the Client Deliverables do not include Piano IP or any Open Source Software. 

5.      CLIENT RIGHTS

Piano grants Client a non-exclusive, non-transferable (except as set forth herein), limited license to use the Piano IP in accordance with the terms of this Agreement and each Schedule, and only for the purpose of utilizing the Services and any Deliverables. Except as otherwise expressly provided in this Agreement, no other license or right shall be deemed granted or implied with respect to the Piano IP.  Except as otherwise expressly allowed in this Agreement, Client shall not (i) use, distribute, sell, sublicense or disclose any of the Piano IP without written authorization of Piano; or (ii) reproduce, modify, prepare derivatives of, reverse assemble, reverse compile or otherwise reverse engineer the Piano IP.  Nothing herein will be construed as granting Client, by implication, estoppel or otherwise, any license or other right to any Intellectual Property Rights of Piano or its licensors except for the rights and license expressly granted herein. Piano and its licensors retain all rights not so granted.

6.      CONFIDENTIALITY.

(a) As used herein, the term “Confidential Information” shall mean all non-public information disclosed either before or after the execution of this Agreement, whether written or oral, that is designated as confidential or that, given the nature of the information or the circumstances surrounding its disclosure, reasonably should be considered as confidential. Confidential Information shall include Piano IP, Client Materials, Personal Data, the terms of this Agreement (including Schedules), and other information deemed proprietary or confidential by the party disclosing the Confidential Information (the “Disclosing Party”), and all record-bearing media containing or disclosing such information. For the avoidance of doubt, Piano’s Confidential Information shall include the Piano IP and Client’s Confidential Information shall include Client Materials, Personal Data and Non-Personal Data.

(b) A party receiving Confidential Information (the “Receiving Party”) shall not directly or indirectly, at any time, without the prior written consent of Disclosing Party, use or disclose Confidential Information or any part thereof other than necessary for the performance of that party’s obligations under this Agreement. Receiving Party agrees to and shall take all necessary steps to protect the confidentiality of Confidential Information.

(c) The term Confidential Information does not include information which: (i) has been or becomes published and publicly available or is now, or in the future, in the public domain without breach of this Agreement or breach of a similar agreement by a third party; (ii) prior to disclosure hereunder, is properly within the legitimate possession of Receiving Party which can be verified by independent evidence; (iii) subsequent to disclosure hereunder, is lawfully received from a third party having rights therein without restriction of third party’s or Receiving Party’s rights to disseminate the information and without notice of any restriction against its further disclosure; (iv) is independently developed by Receiving Party without use of or reference to such Confidential Information which can be verified by independent evidence; or (v) is disclosed pursuant to a requirement of a governmental entity or the disclosure of which is required by law, subject to Section 6(d) below.

(d) If Receiving Party is requested by a court, governmental entity or other third party to disclose any Confidential Information, it will promptly notify Disclosing Party (to the extent permitted) to permit Disclosing Party to seek a protective order or take other appropriate action.  Receiving Party will also reasonably cooperate (at Disclosing Party’s sole cost and expense) in Disclosing Party’s efforts to obtain a protective order or other reasonable assurance that confidential treatment will be afforded Confidential Information and shall only disclose the part of Confidential Information as is required by law to be disclosed and Receiving Party will use its reasonable efforts to obtain confidential treatment therefor.

(e) Confidential Information shall not, without the prior written consent of Disclosing Party, be disclosed to any person or entity other than employees or agents of Receiving Party who need to know Confidential Information and, in those instances, only to the extent justifiable by that need.  Receiving Party shall ensure that all such entities and personnel comply with the terms of this Agreement.  Receiving Party shall be responsible for any breach of this Agreement by its employees and/or agents and by any other person to whom Receiving Party has disclosed Confidential Information.  The foregoing will not be deemed to prevent Piano from disclosing anonymized Non-Personal Data when aggregated with similar information it has received from its other customers, such that the Non-Personal Data is not traceable to Client. 

(f) Receiving Party shall notify Disclosing Party as soon as reasonably possible, and cooperate with Disclosing Party, upon Receiving Party’s discovery of any loss or compromise of Confidential Information. 

(g) Except as otherwise expressly set forth herein, Receiving Party acknowledges that Confidential Information is the exclusive property of and belongs solely to Disclosing Party and shall not claim otherwise for any purpose.

(h) Receiving Party agrees to return to Disclosing Party, destroy and/or permanently delete, at Disclosing Party's discretion, and confirm in writing the destruction, permanent deletion and/or return, all written, tangible or otherwise accessible material in any form (including electronic media such as computer diskettes, CD-ROM, electronic copies or any material resident in the hard or external drive of any computer) containing or reflecting any Confidential Information (including all copies, summaries, excerpts, extracts or other reproductions) promptly following Disclosing Party’s request, provided, however, that subject to its ongoing obligation to maintain the confidentiality of such materials, Receiving Party may retain one copy of the Confidential Information for Receiving Party’s legal files for compliance and regulatory purposes and need not purge electronic archives and backups made in the ordinary course of business.

(i) In addition to any other rights and remedies available to Disclosing Party hereunder or at law, Receiving Party acknowledges and agrees that due to the nature of Confidential Information its confidentiality obligations to Disclosing Party hereunder are of a unique character and agrees that any breach of such obligations may result in irreparable and continuing damage to Disclosing Party for which there may be no adequate remedy in damages.  Notwithstanding anything to the contrary in this Agreement, Disclosing Party may seek injunctive relief, without the necessity of posting a bond or other security, even if otherwise normally required, and/or a decree for specific performance, and such further relief as may be proper from a court with competent jurisdiction.

7.      TERM AND TERMINATION

(a) Term. Unless earlier terminated in accordance with the rights set forth in this Agreement, the term of each Schedule shall be as set forth in such Schedule (“Term”).  This Agreement shall commence as of the Effective Date and remain in effect until all Schedules containing a specific Term have been terminated. The termination of any Schedule shall not automatically cause the termination of any other Schedule or of this Agreement, except as otherwise set forth in Section 7(b), nor shall it relieve either party of any claims which the other party may have against it relating to this Agreement or impact the obligations of the parties under any other Schedule not terminated. 

(b) Termination. Either party may terminate this Agreement or any Schedule upon written notice of termination if the other party: (1) defaults in the performance of any material requirement or obligation created by this Agreement, or breaches any material provision of this Agreement, which default or breach is not cured within thirty (30) days following the defaulting party’s receipt of written notice of default or breach; (2) ceases doing business in the normal course; (3) is the subject of any state or federal proceeding (whether voluntary or involuntary) relating to its bankruptcy, insolvency or liquidation that is not dismissed within ninety (90) days; (4) makes an assignment for the benefit of creditors or a receiver is appointed for a substantial part of the other party’s assets or (5) for a period exceeding thirty (30) days, fails to fulfill its obligations under this Agreement by reason of a Force Majeure Event.  

Upon termination of this Agreement as set forth above, all Schedules to this Agreement shall also immediately terminate. However, termination of a Schedule shall not relieve Client of its obligation to pay to Piano (or allow Piano to retain from end-user payments it collects on Client’s behalf hereunder) fees and other sums that have accrued for Services rendered. For any termination of a Schedule or this Agreement, other than termination by Piano for Client’s breach, Client shall receive a refund from Piano of any prepaid and unused payments as of the effective date of termination.    

(c) Effects of Termination; Survival.  Upon termination of this Agreement, all rights and licenses granted hereunder shall cease, except as otherwise provided in this Agreement. Those provisions of this Agreement which, by their nature, are meant to survive termination shall so survive, and include without limitation provisions related to ownership of intellectual property, confidentiality, indemnification, limitation of liability, warranties and representations, governing law and venue, and payment (to the extent such payments were earned during the Term of this Agreement).  Notwithstanding the termination of this Agreement for any reason, neither party shall be relieved of any duty, obligation, debt or liability that arose or accrued prior to the termination of the Agreement or Schedule. Except in the event Client terminates the Agreement under Section 7 (b), Client will pay any unpaid fees payable under any applicable Schedule in effect prior to the termination date for the remainder of the relevant term of such Schedule.

(d) Return of Client Data:  Upon Client’s request made within thirty (30) days after the effective date of termination of this Agreement or any Schedule, Piano will make available to Client for download a file of Client Data. After such thirty (30) day period, Piano shall have no obligation to maintain or provide any of Client’s Data and may thereafter, unless legally prohibited, delete all of Client’s Data in Piano’s systems or otherwise in Piano’s possession or under Piano’s control.

8.      REPRESENTATIONS AND WARRANTIES

(a) Each party warrants and represents at all times during the Term of this Agreement that: (i) it has the right and full power and authority to enter into this Agreement and each Schedule; (ii) it is duly organized and validly existing and in good standing under the laws of the state and country of its incorporation or formation; (iii) it is under no contractual or other legal obligation which shall in any way interfere with its full, prompt and complete performance hereunder; (iv) it will comply with all applicable laws in its performance of this Agreement.  

(b) Piano further represents and warrants that, (i) to the best of its knowledge as at the Effective Date, the Services and Deliverables do not infringe on any valid and enforceable Intellectual Property Right of any third party (provided that any indemnity related to a breach or alleged breach of this warranty will not be limited by a knowledge qualifier); (ii) all the Services performed hereunder will be rendered in a competent and professional manner; (iii) all Services shall materially conform to the specifications set forth in the applicable Schedule; (iv) neither the Software nor the Deliverables contain any Harmful Code; (v) Piano complies with all Open Source Software licenses embedded in its Software or otherwise used or incorporated in its Software and shall not cause Contamination of Client’s or Client licensor technology in performing its Services; and (vi) except as expressly stated in the Agreement or in a Schedule, there will be no additional third-party licenses or permissions necessary to obtain in connection with Client’s use of the Services under this Agreement.  For purposes of this Agreement, “Harmful Code” means any software or other materials that are intentionally designed to (a) disrupt, disable, harm or impede operation, or (b) impair operation based on the lapse of time, including but not limited to viruses, worms, time bombs, time locks, access codes or trap door devices. “Contamination” means that proprietary technology has become subject to the terms of an Open Source Software license under which downstream recipients or other third parties may claim the right to (a) copy, create derivative works of, or redistribute the proprietary technology, or (b) receive the source code of the proprietary technology.  
If Piano, after using commercially reasonable efforts, is not able to substantially remedy any reported material non-conformity with this warranty, either party may terminate this Agreement and Client, as its sole remedy, will be entitled to receive a refund of any prepaid and unused payments as of the effective date of termination.

(c) Client further represents and warrants that, (i) to the best of its knowledge, Client Materials do not infringe on, violate or misappropriate any valid and enforceable Intellectual Property Rights of any third party (provided that any indemnity related to a breach or alleged breach of this warranty will not be limited by a knowledge qualifier); (ii) to the best of its knowledge, it has secured any and all necessary intellectual property rights associated with the Client Data and the content that is made available to consumers through its Websites (provided that any indemnity related to a breach or alleged breach of this warranty will not be limited by a knowledge qualifier); (iii) it has secured the requisite permission or consent to use the Client Data and provide it to Piano for processing; (iv) it has ensured that the Client Data does not contain any messages or images that are in violation of Applicable Laws; (v) it will use the Services in accordance with the terms and conditions hereof and Applicable Law; and (vi) it will not use the Services for purposes of segmenting, re-targeting, creating or supplementing user profiles or inventory profiles, creating, supplementing or amending interest categories, or syndication or other distribution to third parties, unless such data collection and usage are authorized by or on behalf of the data owner.

(d) Client acknowledges that from time to time, Client may be required to provide Piano with materials that may have been developed by third parties (collectively, “Third-Party Materials”).  Client represents that at the time it delivers any Third-Party Materials to Piano, Client has obtained the right to use the Third-Party Materials, and that Piano’s use of such Third-Party Materials will not infringe the Intellectual Property Rights of any third party. 

(e) Except as otherwise expressly set out in this Agreement, Software is provided on an as-is basis. Client agrees that subscription to the Services is not contingent on the delivery of any future functionality or features, or dependent on any oral or written comments made by Piano regarding future functionality or features. Piano will service the Software and/or the Services in accordance with the Service Level Agreement set forth in Exhibit A.  Where Client exceeds the Licensed Capacity set forth in an applicable Schedule by fifteen percent (15%) or greater within one (1) month on a rolling basis, Piano shall not be liable for any breaches of the Service Level Agreement and Client shall not receive any Credits, as defined in the Service Level Agreement, from the date on which such Licensed Capacity was exceeded.

9.      INDEMNIFICATION 

(a) “Losses” means losses, liabilities, damages, fines, penalties, settlements, judgments, costs and expenses, including reasonable attorneys’ fees and expert fees, and interest (including taxes) arising out of a third-party claim.  

(b) Indemnity by Piano. Piano will indemnify Client and Client’s officers, directors, employees, successors and assigns (the “Client Indemnified Parties”) from and against, any Losses suffered, incurred or sustained by a Client Indemnified Party or to which a Client Indemnified Party becomes subject, resulting from, arising out of, or relating to : (i) a claim by a third party alleging that Piano IP, when purchased and used in accordance with this Agreement, infringes any intellectual property right of such third party; (ii) any breach by Piano of this Agreement (including Schedules); or (iii) injury or death, or damage to any property caused by or arising from the negligent acts or omissions of Piano in connection with performance of the Agreement.

(c) Indemnity by Client. Client will indemnify Piano, its subsidiaries, and the officers, directors, employees, shareholders, successors and assigns of each of them (the “Piano Indemnified Parties”) from and against, any Losses suffered, incurred or sustained by a Piano Indemnified Party, or to which a Piano Indemnified Party becomes subject, resulting from, arising out of, or relating to (i) a claim by a third party arising from or relating to any Client Materials or Personal Data used in connection with the Software; (ii) any breach by Client of this Agreement (including Schedules); or (iii) Client’s failure to pay and discharge any taxes (including interest and penalties) for which Client is responsible pursuant to the provisions of this Agreement.

(d) Remedies for Infringement. Should any Piano IP become or, in Piano’s opinion, be likely to become the subject of any infringement claim, Piano shall have the right, at its sole discretion and at its expense, to either procure for Client the right to continue using or receiving the Piano IP, replace or modify the Piano IP so it becomes non-infringing, or remove the questionable Piano IP. This Section 9 states Piano’s entire liability, and Client’s sole and exclusive remedy for Intellectual Property Rights claims relating to or arising out of any Piano IP, other than the indemnification obligations set forth herein should Piano forego this right. Piano shall have no obligation to Client for indemnification with regard to any claim of infringement to the extent that the Piano IP infringement claim or allegation is based on: (1) a modification made by an entity other than Piano or its designee; (2) a violation by Client of this Agreement; (3) the inclusion by Client of any Client Materials or Third-Party Materials in any Piano IP if the claim would not have arisen but for such modification, violation or inclusion of Client Materials or Third-Party Materials respectively.

(e) Indemnification Procedures. If any third-party claim is commenced against a person or entity entitled to indemnification under this Section (the “Indemnified Party”), notice thereof shall be given to the party that is obligated to provide indemnification (the “Indemnifying Party”) as promptly as practicable.  The Indemnified Party will cooperate, at the cost of the Indemnifying Party, in all reasonable respects with the Indemnifying Party and its attorneys in the investigation, trial and defense of such claim and any appeal arising therefrom; provided, however, that the Indemnified Party may, at its own cost and expense, participate, through its attorneys or otherwise, in such investigation, trial and defense of such claim and any appeal arising therefrom.  No settlement of a claim that involves a remedy other than the payment of money by the Indemnifying Party will be entered into without the consent of the Indemnified Party.  

10.    WARRANTY DISCLAIMERS AND LIABILITY LIMITATIONS. 

EXCEPT AS EXPRESSLY PROVIDED HEREIN, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS OF THE SERVICES OR PIANO IP FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT.  

TO THE EXTENT BEYOND PIANO OR ITS LICENSORS’ CONTROL, WHETHER THE FOLLOWING IMPACT PIANO OR ANY OF ITS THIRD-PARTY SERVICE PROVIDERS, INCLUDING WITHOUT LIMITATION AMAZON WEB SERVICES, SNOWFLAKE INC., GOOGLE, PAYPAL, OR ANY OTHER THIRD-PARTY SERVICE PROVIDER NAMED IN THE SCHEDULES ATTACHED HERETO, PIANO AND ITS LICENSORS SHALL NOT BE LIABLE TO CLIENT OR ANY THIRD PARTY FOR ANY TECHNICAL MALFUNCTION, SUSPENSION OF SERVICES, TELECOMMUNICATION OR INTERNET OUTAGES OR PROBLEMS, COMPUTER ERROR, CORRUPTION, INEFFECTIVENESS, LOSS OF INFORMATION, LOSS OF BUSINESS, LOSS OF DATA, LOSS OF COMMERCIAL REPUTATION, LOSS OF PROFITS OR OTHER ECONOMIC LOSS. 

IN NO EVENT SHALL (A) EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, EVEN IF SUCH PARTY IS MADE AWARE OF THE POSSIBILITY OF SUCH DAMAGES, OR (B) EITHER PARTY’S AGGREGATE LIABILITY FOR DAMAGES UNDER THIS AGREEMENT EXCEED AN AMOUNT EQUAL TO THE TOTAL SUM OWED OR PAYABLE BY CLIENT TO PIANO DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE DATE ON WHICH THE LIABILITY AROSE.

11.    DATA SECURITY AND TECHNICAL MEASURES.  

(a) Piano will provide the Services in compliance with all Applicable Laws (including without limitation those regarding data privacy and security and consumer protection) and the GDPR. 

(b) If Client or its third-party service provider processes any credit card information using the Software and Services, Client (and/or such service provider, as applicable) shall: (i) comply with their responsibilities under the Payment Card Industry Data Security Standard (“PCI DSS”); (ii) implement and maintain reasonable security measures to protect all cardholder data in their possession or control; and (iii) not take any action in connection with using the Software and Services that places Piano in non-compliance with the PCI DSS (for example, storing any cardholder data in any custom fields of the Software and Services).
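The practical check behind Section 11(b)(iii) is making sure no primary account number (PAN) ends up in free-text or custom fields before they are sent to the Services. The following is an added example, not Piano's code and not part of the Agreement: it scans constructed custom-field values for 13 to 19 digit runs, confirms them with the Luhn mod-10 check so that order numbers and phone numbers are not flagged, and reports offending fields with the PAN masked to first six and last four digits. The field names, sample values and the function names are all assumptions made for the example.

```python
# Added example (not Piano's code): pre-flight scan of custom field values for
# cardholder data before they are submitted to a SaaS, so that a client does not
# store PANs in custom fields. Field names and sample data below are constructed.
import re
from typing import Dict, List

# A candidate PAN: 13 to 19 digits, each optionally followed by one space or dash,
# not glued to other digits on either side (so a 20-digit run is not a candidate).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits (used by card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digits-only form of every Luhn-valid PAN candidate in text."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the usual PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def check_custom_fields(fields: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each field that carries a PAN to the masked PANs found in it.

    An empty result means the payload is safe to send; a non-empty result should
    block the submission (or strip the field) rather than just log it.
    """
    report: Dict[str, List[str]] = {}
    for name, value in fields.items():
        pans = find_pans(str(value))
        if pans:
            report[name] = [mask_pan(p) for p in pans]
    return report


# Constructed sample payload: one offending free-text note among harmless fields.
SAMPLE_FIELDS = {
    "order_ref": "ORD-2024-000917",                                   # too few digits
    "note": "customer asked to keep card 4111 1111 1111 1111 on file",  # a real PAN shape
    "phone": "+1 215 555 0100",                                       # 11 digits, not a PAN
    "ticket": "1234567890123456",                                     # 16 digits but fails Luhn
}

if __name__ == "__main__":
    print(check_custom_fields(SAMPLE_FIELDS))   # {'note': ['411111******1111']}
```

Run the check on the API side as well as in the client application: the contract obligation sits with the Client (and its service provider), so the scan has to happen before the data leaves the Client's systems, not after it is already stored in the vendor's custom fields.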

12.    MISCELLANEOUS.

(a) Notices. Notices, demands, requests, consents or other communications required or permitted under this Agreement or any Schedule will be in writing and deemed duly served on or delivered (i) when delivered personally, (ii) when sent to the other party by certified mail, return receipt requested, (iii) when delivered by hand or sent by recognized overnight courier (with acknowledgement received by the courier), or (iv) sent by email (provided that email shall not be sufficient for Indemnification), if receipt is confirmed by the recipient.  

Notices shall be delivered or sent to the parties at the respective addresses shown above or as set forth in the relevant Schedule.  

(b) Entire Agreement; Severability; Modification. This Agreement, including any Schedules, is the entire agreement of the parties, and supersedes all prior agreements and communications between the parties with respect to the subject matter of this Agreement, and represents the complete integration of the parties’ agreement.  

(c) No Waiver. The failure of a party in any one or more instances to exercise any right or privilege arising out of this Agreement shall not constitute a waiver and shall not preclude it from requiring that the other party fully perform its obligations or preclude it from exercising such a right or privilege at any time. 

(d) Independent Contractors.  Piano and the Client shall each act as independent contractors.  Nothing in this Agreement shall be deemed to create or construed as creating a joint venture or other relationship between the parties. Neither party shall have the authority, express or implied, to commit or obligate the other party in any manner whatsoever, except as specifically authorized from time to time in writing by an authorized representative of the party.

(e) Non-Exclusivity. Piano and Client each acknowledge that this Agreement is non-exclusive and that each of them reserves the right to engage in business with other persons. Each party acknowledges and agrees that the other party may, without limitation, accept agreements from or grant licenses to other persons, firms, corporations, or other entities, including entities that compete with the other party, for Services and products, on any terms that party deems appropriate.

(f) Assignment. This Agreement shall not be assigned or transferred in whole or in part by either party without the prior written consent of the other, provided that either party may assign this Agreement without prior written consent in connection with a public offering of its securities or in a sale or transfer of all or substantially all of its assets or equity to which this Agreement relates or by way of merger, consolidation, or similar transaction. Any purported assignment or transfer in violation of this Section shall be void.  Nothing in this Agreement shall be construed as permitting a trustee or purchaser in bankruptcy to assume this Agreement without the written consent of the other party.  Subject to the foregoing restrictions, this Agreement will bind and benefit the parties and their successors and permitted assigns. 

(g) Force Majeure. Neither party shall be responsible for delays or failures in performance of this Agreement resulting from a Force Majeure Event.  Termination under this Section will not relieve Client of its obligation to pay for Services rendered prior to the date of the Force Majeure Event.  Piano will make commercially reasonable efforts to re-establish Services as soon as possible in the event of a Force Majeure Event. If any Force Majeure Event prevents a party from performing its material obligations hereunder for more than thirty (30) consecutive days, the other party may elect to terminate this Agreement or any Schedule upon written notice, with no further obligation to the other party other than payment for accrued but unpaid fees for Services rendered prior to the date of such Force Majeure Event.  “Force Majeure Event” means an event or circumstance which is beyond the control and without the fault or negligence of either party and which by the exercise of reasonable diligence neither party was able to prevent.  Such events include, but are not limited to, (a) riot, war, invasion, act of foreign enemies, hostilities (whether war be declared or not) acts of terrorism, civil war, rebellion, revolution, insurrection of military or usurped power, requisition or compulsory acquisition by any governmental or competent authority; (b) ionizing radiation or contamination, radioactivity from any nuclear fuel or from any nuclear waste from the combustion of nuclear fuel, radioactive toxic explosive or other hazardous properties of any explosive assembly or nuclear component; (c) earthquakes, flood, fire or other physical natural disaster, but excluding weather conditions regardless of severity; and (d) strikes at national level or industrial disputes at a national level.

(h) Marketing. Provided that at least three (3) clients are named, Piano shall have the right to use Client's name and logo in customer lists and other marketing materials.  Subject to Client's approval, which shall not be unreasonably withheld, Piano shall also have the right to issue a press release, case study and/or a testimonial, and develop marketing material related to any speaking engagements that the Client agrees to participate in on Piano’s behalf at industry events (live events, webinars, or video).  

(i) Access to Client Websites. During the term of this Agreement or any Schedule, Piano staff shall have access to content on Client Websites. 

(j)  Compliance with Policies. Client will provide to Piano in advance, and Piano will use commercially reasonable efforts to ensure that its personnel or subcontractors comply with, Client’s written security and other regulations in any activities at Client sites or in connection with Client’s systems. Client, its personnel or subcontractors will, at all times, adhere to the Piano Acceptable Use Policy set forth at https://piano.io/aup and incorporated herein by reference.

(k) Non-Solicitation. During the term of this Agreement and for twelve (12) months thereafter, neither party shall, directly or indirectly, on behalf of itself, a subsidiary, third-party or otherwise affiliated entity, knowingly hire or engage to hire any person who was an employee or sub-contractor of the other party at any time during the above-referenced period or knowingly solicit any such person to terminate or reduce the scope of their employment or business relationship with the other party. This clause does not prevent either party from employing any employee or sub-contractor of the other who responds to a published general advert not specifically targeted at such person.

(l) Merchant of Record: If applicable, Client shall act as the Merchant of Record for purposes of the Agreement and will comply with all applicable PCI and legal requirements.

(m) Insurance. Piano and Client will each maintain insurance protection covering each of their respective activities contemplated hereunder throughout the Term of the Agreement.  

(n) Disputes and Governing Law. This Agreement will be governed and interpreted in accordance with the laws of the jurisdiction dependent on the Piano Entity which is subject to this Agreement and as set forth below (“Applicable Jurisdiction”) without reference to conflicts of laws principles. Disputes between the parties concerning this Agreement, or any amendment, Software Schedule, or SOW shall be resolved as follows:

       i.       The senior executives of Piano and Client shall have thirty (30) days in which to meet and attempt to resolve the dispute.

      ii.       In the event that a business resolution cannot be reached, the parties agree to submit the dispute to the state or federal courts located in the Applicable Jurisdiction, and the parties hereby consent to the exclusive jurisdiction and venue of such courts for matters involving immediate injunctive relief.

     iii.       In the event that either party brings an action to enforce or exercise its rights under this Agreement, or any amendment, Software Schedule, or SOW, including binding arbitration, the prevailing party in such action (meaning a party in whose favor judgment is rendered, regardless of the amount of damages awarded or whether the party receives less relief than was sought or even nominal relief, but limited to those circumstances where the fact-finder declares a winner and the court enters judgment in that party’s favor) shall be entitled to reimbursement for its reasonable attorneys’ fees and expenses incurred in connection with such action.

The Applicable Jurisdiction shall depend on the Piano Entity which is subject to this Agreement:

Piano Entity | Registered Address | Applicable Jurisdiction
Piano Software, Inc. | 111 S Independence Mall E, Philadelphia PA 19106 | New York, NY
Piano Software Norway | Drammensveien 165, 0277 Oslo, Norway | Oslo, Norway
Applied Technologies Internet SAS | 85 avenue Président JF Kennedy, 33700 Mérignac, France | Paris, France
Applied Technologies Internet GmbH | Mehringdamm 55, 10961 Berlin, Germany | Berlin, Germany

(o) Cumulative Remedies. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party under applicable laws.

13.    RULES OF INTERPRETATION.

(a) The term “including” (in all of its forms) means “including, without limitations” unless expressly stated otherwise.

(b) Any headings set forth in this Agreement are solely for convenience or reference and do not constitute a part of this Agreement, nor do they affect the meaning, construction or effect of this Agreement.

(c) All references to a number of days mean calendar days, unless expressly stated otherwise.

(d) The recitals and Schedules to this Agreement shall be deemed to be a part of this Agreement and are incorporated by reference herein. 

(e) No documents exchanged or course of dealings by the parties shall be deemed to modify or amend any of the terms of this Agreement unless in writing and signed by an authorized representative of both parties.

(f) In the event of an inconsistency, ambiguity, contradiction or conflict between the terms of this Agreement, its Schedules, and any amendments to any of the foregoing, such documents shall be interpreted in the following order of precedence:  (i) the terms of any amendment to this Agreement shall take precedence, unless a Schedule expressly states that it overrides, (ii) followed by the terms of this Agreement, unless a Schedule expressly states that it overrides; (iii) followed by the terms of the Schedules to this Agreement.


EXHIBIT A  

Service Level Agreement

Piano will furnish support as follows:

1.      As long as Client is current in payment of the fees set forth in any given Schedule, Piano will provide email support during the Term to Client for questions or problems with the use of the Services. The support will be available during the hours of Monday 02:00 to Friday 23:00 UTC on business days (excluding bank holidays). After-hour emergency support is available 24/7 for Severity 1 incidents via email and the severity level response set forth below still applies.

2.      Piano will make the Services available each calendar quarter, excluding periods of Maintenance Downtime, Third-Party Downtime, and Force Majeure Events, at an uptime of 99.9% (the "Uptime Guarantee"). If availability in a calendar quarter falls below the Uptime Guarantee, then Piano will issue a credit (the “Credit") equal to 1% of the quarterly SaaS Subscription Fee for each one-tenth of one percent decrease in availability in the affected quarter. The total Credit will be capped at 100% of the SaaS Subscription Fee for the quarter in which service is so affected. If the parties have a performance-based or revenue sharing agreement in place, any consideration due Piano as a result of that agreement shall not be considered as SaaS Subscription Fees for the purposes of computing the Credit. Piano is not liable for any delays or decrease in the availability of the Services, nor will Piano issue a Credit, in situations of (i) force majeure, (ii) inability to access the Services due to issues with Client’s internet network, (iii) defective or incorrect implementation of the Services by Client, or (iv) where Client is in breach of the Agreement or its Schedules.
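Reconciling a quarter's Credit from an incident log is where the exclusions and the cap actually bite, so here is an added worked calculation. It is not Piano's code or tooling and the incident log is constructed; it assumes that Maintenance Downtime, Third-Party Downtime and Force Majeure minutes are removed from the measured period rather than counted against the guarantee, that only whole tenths of a percent below 99.9% earn the 1% Credit (the clause does not say how a partial tenth is treated), and that the Credit is capped at 100% of the quarterly fee. The `Downtime` record and all function names are assumptions made for the example.

```python
# Added example (not Piano's code): quarterly Uptime Guarantee credit from a
# constructed incident log. Assumptions are stated in the comments below.
from dataclasses import dataclass
from typing import Iterable

MINUTES_PER_DAY = 24 * 60
# Kinds of downtime the clause excludes from the availability measurement.
EXCLUDED_KINDS = {"maintenance", "third_party", "force_majeure"}
CREDIT_PCT_PER_TENTH = 1      # 1% of the quarterly fee per 0.1% below 99.9%
CREDIT_CAP_PCT = 100          # total Credit capped at 100% of the quarterly fee


@dataclass(frozen=True)
class Downtime:
    minutes: int
    kind: str          # "outage" | "maintenance" | "third_party" | "force_majeure"
    note: str = ""


def measured_minutes(quarter_days: int, events: Iterable[Downtime]) -> int:
    """Minutes in the quarter that count, after removing excluded downtime."""
    total = quarter_days * MINUTES_PER_DAY
    excluded = sum(e.minutes for e in events if e.kind in EXCLUDED_KINDS)
    return total - excluded


def outage_minutes(events: Iterable[Downtime]) -> int:
    """Minutes of unavailability attributable to the Services themselves."""
    return sum(e.minutes for e in events if e.kind == "outage")


def availability_pct(quarter_days: int, events: Iterable[Downtime]) -> float:
    m = measured_minutes(quarter_days, events)
    return 100.0 * (m - outage_minutes(events)) / m


def credit_tenths(quarter_days: int, events: Iterable[Downtime]) -> int:
    """Whole tenths of a percent by which availability fell below 99.9%.

    Availability is (m - o) / m, so the shortfall in tenths of a percent is
    (999 - 1000 * (m - o) / m) = (1000 * o - m) / m.  Integer floor division
    keeps only whole tenths (assumption) and avoids float rounding at 99.9%.
    """
    m = measured_minutes(quarter_days, events)
    o = outage_minutes(events)
    return max(0, (1000 * o - m) // m)


def credit_pct(quarter_days: int, events: Iterable[Downtime]) -> int:
    """Credit as a percentage of the quarterly SaaS Subscription Fee, capped."""
    return min(credit_tenths(quarter_days, events) * CREDIT_PCT_PER_TENTH, CREDIT_CAP_PCT)


def credit_amount(quarterly_fee: float, quarter_days: int, events: Iterable[Downtime]) -> float:
    return round(quarterly_fee * credit_pct(quarter_days, events) / 100, 2)


# Constructed incident log for a 91-day quarter: one real outage, three
# announced maintenance windows (90 min each) and one upstream-provider incident.
QUARTER_DAYS = 91
SAMPLE_EVENTS = [
    Downtime(300, "outage", "paywall API returning 5xx"),
    Downtime(90, "maintenance", "month 1 window"),
    Downtime(90, "maintenance", "month 2 window"),
    Downtime(90, "maintenance", "month 3 window"),
    Downtime(120, "third_party", "upstream CDN incident"),
]

if __name__ == "__main__":
    print(f"availability {availability_pct(QUARTER_DAYS, SAMPLE_EVENTS):.4f}%")
    print(f"credit {credit_pct(QUARTER_DAYS, SAMPLE_EVENTS)}% "
          f"= {credit_amount(30000.0, QUARTER_DAYS, SAMPLE_EVENTS)}")
```

With the sample log the measured period is 131,040 minutes less 390 excluded, availability comes out at about 99.77%, which is 0.13 points short of the guarantee, so under the whole-tenths reading the Credit is 1% of the quarterly fee. Keep the classification of each event (outage versus maintenance versus third party) as evidence: under Section 4 of this Exhibit, anything tagged as Third-Party Downtime drops out of the calculation entirely, so that tag is the one most worth auditing.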

3.      Client acknowledges and agrees that Piano may, from time to time, need to perform routine maintenance or repair of the Services or update the Software and that during such times of maintenance or repair ("Maintenance Downtime"), the Services may not be available for the Client's use. Piano shall endeavor to inform Client of such maintenance at least two (2) business days in advance and will perform maintenance during the specified windows set forth below for no more than ninety (90) minutes per month. 

SCHEDULED MAINTENANCE WINDOWS (UTC)

PRODUCT LINE | PRODUCT | BUSINESS DAYS | WEEKEND
Piano Analytics | PA | 20:00 - 03:00 | -
Piano Amplifier | Socialflow | 08:00 - 10:00 | 08:00 - 10:00
Piano Audience | Insight | 21:30 - 07:30 | 21:30 - 07:30
Piano Audience | DMP | 21:30 - 07:30 | 21:30 - 07:30
Piano Audience | CDP | 21:30 - 07:30 | 05:00 on Saturday to 22:00 on Sunday
Piano Activation | VX, Composer | - | EU: 02:00 - 07:00; US: 06:00 - 11:00; AU/AP: 16:00 - 21:00
Piano Activation | ESP | US: 23:00 - 05:00; AP: 15:00 - 21:00; EU: 23:00 - 05:00 | 05:00 on Saturday to 22:00 on Sunday

 4.      Client acknowledges that Piano relies on third parties, including but not limited to Amazon Web Services, Cloudflare, Google and several payment providers (a full list of payment providers can be found at http://docs.piano.io/payment-providers), for providing its services. Client agrees that unavailability of third-party systems ("Third-Party Downtime"), (i) may affect the availability of the Software and/or the Services, (ii) is beyond the control of Piano, (iii) will not be part of computations regarding the Uptime Guarantee, and (iv) will result in no refunds or credits to Client. 

 5.      Problem Response

a.      Definition and Classification of Problems.

                                    i.     “Severity" is the assessed possible risk or effect of a problem with the Services. All notifications, escalations and standards for responding to problems are set by Severity.

                                    ii.     As used below, the term "Problem" shall mean any problem, inquiry or request. Problems shall be initially classified by Piano in accordance with the following Severity level classifications:

1.      Severity 1: 

a.      The Services are causing the availability of the Client website or applications to be significantly affected; 

b.      There is a complete outage of a critical service or a recurring temporary outage of a critical service; or

c.      There is a security breach that exposes the personally identifiable information of Client customers.

2.      Severity 2: 

a.      Due to a problem with the Services, users are not able to properly purchase access for, or gain access to, Client content; 

b.      The Services administrative applications (e.g. reporting, authoring, etc.) are unavailable; or

c.      There is an error, bug, or issue with the experience of a subset of Client customers (e.g. transactional emails are not being delivered properly / some but not all Client customers are viewing unintended media, content, or messages).

3.      Severity 3: 

a.      Client is experiencing operational inconvenience caused by the Services; 

b.      Client needs or expects different functionality or presentation of information than Piano currently provides; 

c.      An individual user has reported a problem that has not been evidenced to be prevalent among Client customers. 

                                   iii.     Upon becoming aware of any Problem (whether by notification or self-discovery), Piano shall promptly verify the problem and, if necessary, open a Trouble Ticket for such Problem. Upon verification, Piano shall promptly respond to Client and advise Client of the severity level classification assigned to such Problem.

Severity Level Classification | Problem Response Time
Severity 1 | Within 2 hours
Severity 2 | Within 1 business day
Severity 3 | Within 5 business days

 

6.      Problem Escalation and Resolution

Piano Support Team representatives are available to attend to all issues by email at all times at: support@piano.io 

If Client experiences a Severity 1 disruption to its business which is believed to be related to the Piano platform, contact the on-call urgent response team by sending an email to urgent@piano.io, and cc the client services representative.  Include name and contact information and the Piano application ID for the affected property, along with any screen grabs or error message details describing the issue.  The operational lead of the on-call urgent response team will get back to Client within 30 minutes of the initial outreach.  If the issue has not already been resolved before that initial response, Client will receive periodic updates as they are available until the issue is resolved.

Client may use the Piano client services representative as escalation contact, if:

·       The Piano Support Team did not respond within the expected time; or

·       The Problem is not being handled properly; or

·       The Piano Support Team representative was communicating unprofessionally in any way.

Client should then expect a response within a maximum of two (2) hours.

Piano recommends that Client subscribe to Piano’s status page to receive real-time system updates and status at https://status.piano.io.


EXHIBIT B (1)

DATA PROCESSING AGREEMENT FOR ALL PRODUCTS OTHER THAN PIANO ANALYTICS AND WHERE PIANO ENTITY IS PIANO SOFTWARE, INC.

This Data Processing Agreement shall only apply to Client’s use of Products other than Piano Analytics and where the Piano Entity is Piano Software, Inc. For the Data Processing Agreement applicable where the applicable Piano Entity is not Piano Software, Inc. or to Client’s use of Piano Analytics, see Exhibit B (2) and Exhibit B (3), respectively.

WHEREAS: 

(1)    The Parties concluded the Agreement; 

(2)    By provision of the Services pursuant to the Agreement, Piano will process personal data about the Users on behalf of the Client;

(3)    GDPR applies directly to the Client but also to Piano by virtue of having an establishment in the EU pursuant to Article 3 of the GDPR;

(4)    The Agreement and this DPA foresee and allow Piano to use Piano Affiliates and Sub-Processors for the processing of personal data about the Users in accordance with conditions laid down in this DPA; 

(5)    The Agreement and this DPA foresee and allow Piano to process personal data about the Users on a cross-border basis and/or outside the European Economic Area in accordance with conditions laid down in this DPA; 

(6)    The Client shall only use data processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR while this DPA documents why the Client is satisfied with the guarantees provided by Piano; 

(7)    Parties wish to explicitly agree on the scope and distribution of the obligations stemming from the GDPR mainly towards the Users as data subjects; 

THEREFORE, PARTIES AGREED AS FOLLOWS: 

1.         Definitions. The terms used in this DPA shall be interpreted and construed in accordance with GDPR. Any terms defined in the Agreement shall have the same meaning if used in this DPA. As used in this DPA, the following terms shall have the following meanings:

“Agreement” means the Piano Master Services Agreement Terms and Conditions concluded between the Parties;

“Clauses” means standard contractual clauses approved by the Commission (Commission Decision (EU) 2021/914 Standard Contractual Clauses) to safeguard the cross-border transfer of Personal Data between parties;

“Commission” means the Commission of the EU;

“Conditions” means the following conditions: (i) Piano concludes a data processing agreement with Piano Affiliates and Sub-Processors ensuring that any processing of Personal Data is compliant with the terms and level of protection of Personal Data required under this DPA; (ii) the current list of all Piano Affiliates and Sub-Processors is made available and kept updated by Piano via https://piano.io/privacy-policy; (iii) the Personal Data will be transferred to and processed only by Piano Affiliates and Sub-Processors located in the EEA, the United Kingdom, the United States, Russia, Sri Lanka, Philippines or third countries ensuring an adequate level of protection according to the Commission’s decision or, where applicable, according to the equivalent decision under UK law; (iv) in case Piano Affiliates or Sub-Processors are located in the United Kingdom, Russia, Sri Lanka, Philippines or the United States, cross-border transfer is made by Piano on the basis of EU standard contractual clauses or the Commission’s adequacy decisions or in compliance with the Binding Corporate Rules adopted by Piano and located at https://piano.io/bcr; (v) in case Piano Affiliates or Sub-Processors are located in Russia, Sri Lanka, Philippines or the United States, Piano shall adopt supplementary technical, contractual and organizational measures to ensure safe cross-border transfer, such as 1) assessing whether the Piano Affiliate or Sub-Processor falls under local surveillance legislation, along with an assessment of local law and practices, 2) encryption of the Personal Data together with keeping encryption keys out of the Piano Affiliate’s or Sub-Processor’s disposal, locally controlled only by Piano’s dev-op engineers in the EEA/EU, 3) assessment of publicly available information published and information provided upon request, 4) intragroup organization methods (trainings, internal policies), 5) data minimization measures; (vi) Client shall be entitled, upon written request, to receive copies of the relevant terms of the internal Piano data processing agreement concluded between Piano and Piano Affiliates; (vii) Client may request that Piano audit a Piano Affiliate or Sub-Processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Client in obtaining a third-party audit report concerning the Piano Affiliate’s or Sub-Processor’s operations) to ensure compliance with such obligations, provided however that Section 16.19 of this DPA applies mutatis mutandis; and (viii) Piano shall be liable for the acts and omissions of Piano Affiliates and its Sub-Processors to the same extent Piano would be liable if performing the services of each Piano Affiliate and Sub-Processor directly under the terms of this DPA, except as otherwise set forth in this DPA and/or in the Privacy and Data Protection Requirements;

“Client Data” means any and all data and information delivered by or on behalf of, or collected directly or indirectly from, Client, its affiliates, or their respective clients, customers and Users, including without limitation any such data or information collected via the Software and/or Service, which may include, without limitation, Credit Card Data (as defined in Section 17 below), Non-Personal Data or the Personal Data. For clarity, all Personal Data is Client Data but not all Client Data is Personal Data (Non-Personal Data are not Personal Data);

“EEA” means European Economic Area;

“EU” means European Union;

“European Economic Area” means all EU member states plus Iceland, Norway and Liechtenstein;

“Non-Registered Users” means non-registered users of Websites;

“Piano Affiliates” means companies which are controlled by Piano, where control refers to possession, directly or indirectly, of the power to direct or cause the direction of the management of an entity, whether through ownership, voting rights, by contract or otherwise, a list of which is published at https://piano.io/privacy-policy and regularly updated therein;

“Privacy and Data Protection Requirements” means the GDPR, the ePrivacy Directive (2002/58/EC) and all applicable national laws and regulations relating to the processing of personal data and privacy notified to Piano by Client;

“Purposes” means the purposes of processing of Personal Data determined by Client, such purposes being derived from the functionality of the Software, in particular: (i) audience experiences, i.e. the core processing activities undertaken for Client (i.e. Services) such as analysis of subscription performance, user trends, preferences, and segmentation and other processing which typically occurs in the course of Client’s use of the Software; (ii) billing and accounting purposes, i.e. the service of processing payments and financial information in accordance with the applicable billing, accounting and tax laws; and (iii) other purposes of processing foreseen by the functionality of the Software;

“Registered Users” means registered users of Websites;

“Security Regulations” means reasonable security measures as requested by Client with respect to Piano’s physical access to Client’s facilities for performing Services and with respect to remote or virtual access, if applicable, to Client software, systems, data, information and materials;

“Sub-Processors” means sub-processors that Piano uses to process the Personal Data, a list of which is published at https://piano.io/privacy-policy and regularly updated therein;

“Users” means collectively Registered Users and Non-Registered Users;

As used herein, references to the “Services” shall mean the Software and/or the Services.

2.         Subject-Matter. Piano shall provide the Services in accordance with the provisions of this DPA. Piano is entrusted and entitled to process Client Data in accordance with the provisions of the Agreement including this DPA. Parties wish to make any processing of Client Data that is subject to the GDPR compliant with the GDPR. For clarity, this DPA does not relate to any processing of personal data by the Parties, but only to the processing of the Personal Data in respect to the Agreement. 

3.         Duration and Termination. This DPA forms an inseparable part of the Agreement. It is impossible to provide Services in accordance with the Agreement without processing Client Data pursuant to this DPA. Therefore, this DPA can only be terminated by termination of the Agreement as its inseparable part. Upon termination or expiration of the Agreement, Piano shall at the choice of the Client either return or securely delete all Client Data, unless there is a requirement to store such data under the EU or the EU member state law that applies to Piano or Piano Affiliates. 

4.         Nature of Personal Data Processing. The nature of Personal Data processing under this DPA is determined by the nature of Services provided by Piano and the functionality of the Software. The Software is designed to help digital content companies to drive page views, engagement, and registrations, decrease ad blocking, and sell or otherwise grant access to premium content. The nature of Personal Data processing by Piano is also determined by the fact that Piano does not have a direct relationship with data subjects and by Piano’s Software as a Service business model that does not include data monetization techniques like brokerage of data or databases or selling of data to third parties. 

5.         Purpose of Personal Data Processing. As the Client’s data processor, Piano is entitled to process the Personal Data for the Purposes. Piano will process Personal Data solely for the provision of the Services, and will not otherwise (i) process or use Personal Data for purposes other than those set forth in this DPA and/or the Agreement or as instructed by Client, or (ii) disclose such Personal Data to third parties other than Piano Affiliates or Sub-Processors in accordance with Section 8 below or as required by law.   

6.         Types of Personal Data. Types of the Personal Data processed by Piano on the basis of this DPA include, as the case may be, name, email address, phone number, financial data, the specific content accessed, time and duration of the visit, IP address, geographical location of the end-user device, offer conversion and/or interaction data, referring site, or other information relating to such natural person collected through the Service, whether collected via cookies or other tracking technologies, the Service’s functionality, or otherwise. Parties do not foresee processing of special categories of Personal Data pursuant to Article 9 of the GDPR.

7.         Categories of Data Subjects. The Personal Data processed by Piano will relate to Users of the Client’s Websites and persons using the Software/Services.  

8.         Sub-Processors & Transfers. Through this DPA Client provides Piano with a specific documented instruction/authorization to use Piano Affiliates and Sub-Processors for processing of Personal Data pursuant to the Conditions including to transfer personal data to them. Provided that the Conditions are met, Piano is authorized to use and change Piano Affiliates and Sub-Processors without additional instructions or approvals by the Client. Piano shall specifically notify to the Client any change of Piano Affiliates and/or Sub-Processors where the Conditions would not be fulfilled and shall provide Client the opportunity to object to such changes. If Client does not respond within fifteen (15) days, Piano is authorized to undertake the change and transfer. At any time, Piano shall provide a current list of Piano Affiliates and/or Sub-Processors upon request of Client. 

9.         EU Standard Contractual Clauses. If applicable, the Parties hereby conclude the Clauses (attached as Exhibit A hereto) and agree to update or replace such Clauses if and when such Clauses will be updated or replaced by new Clauses in line with the GDPR. The Parties agree to interpret such Clauses in line with the GDPR regime. 

10.       Documented Instructions. Piano shall process the Personal Data for the Purposes only in accordance with documented instructions from Client including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by the EU or the Member State law to which Piano is subject; in such a case, Piano shall inform Client of that legal requirement before processing, unless such law prohibits such information on important grounds of public interest. Certain general authorizations and documented specific instructions/authorizations are already contained in this DPA, mainly in Section 8 above, which are hereby given by Client to Piano and which can only be altered if mutually agreed by the Parties. Any other general authorizations or documented specific instructions/authorizations of Client must be given to Piano in accordance with Section 12(a) of the Agreement (Notices). Piano is obliged to inform Client if it believes that Client’s instruction would infringe the GDPR. Piano shall not be liable for breaching any contractual obligations under the Agreement and/or this DPA if such breach is caused by compliance with documented instruction of Client under this DPA. For the avoidance of doubt, Client’s instructions for the processing of Personal Data shall comply with Privacy and Data Protection Requirements. Client shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Client acquired Personal Data.

11.       Data Subject Rights. According to Article 28(3)(e) of the GDPR, Piano acting as a data processor shall insofar as this is possible and taking into account the nature of the processing, assist Client as a data controller, with the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR. Piano will comply with this obligation by providing supporting information available to it upon request of Client. Such supporting information may include an updated list of Sub-Processors, Piano Affiliates, recipients and respective third countries. Upon request from Client, Piano shall delete, release, correct, provide a copy of or block access to specific Personal Data or, if the foregoing is not practicable and only to the extent permitted by applicable law, follow Client’s detailed written instructions to delete, release, correct or block access to Personal Data held in Client’s Services environment. However, Piano is not entitled to handle or respond to the data subject request if it relates to the Purposes. Such requests should be handled and responded to by Client. Should Piano receive a data subject request that is of general nature and might be or is related to the Purposes, Piano will forward such request to Client without undue delay.

12.       Transparent Information. Every data controller has a general obligation to provide certain information to data subjects, mainly pursuant to Article 13 or Article 14 of the GDPR. Client remains fully responsible for providing this information to data subjects via its own privacy policy. Client is entitled but not obliged to refer to or to use information from Piano’s privacy policy and information about GDPR published and updated at https://piano.io/privacy-policy.

13.       Legal Grounds for Processing of Personal Data. The legal grounds for processing Personal Data are determined solely by Client. Such legal grounds must always be compliant with the Article 6 of the GDPR. By concluding this DPA, the Client warrants and guarantees to Piano, that it has sufficient legal grounds for processing the Personal Data including a consent of data subject where required by the GDPR. 

14.       Confidentiality. Piano shall implement such organizational measures as ensure that access to the Personal Data by Piano staff is limited to what is necessary to achieve the Purposes. Piano shall also implement such organizational measures as ensure all Piano staff are committed to confidentiality in respect of the Personal Data. These obligations may be complied with by adopting an appropriate internal policy at Piano group.

15.       General Client Data Obligations. Client shall own and retain all rights in and to the Client Data. All Client Data must be stored only on servers located in the EU unless otherwise expressly authorized in this DPA or by Client in writing. Piano may only use Client Data to the extent necessary to perform its obligations hereunder. In the course of providing the Services, Piano shall not access and shall not permit its personnel and/or third-party service providers to access, Client Data except as necessary to perform the Services and only in accordance with the requirements of the Agreement and this DPA. Piano shall not be liable to Client for any damages incurred by Client in connection with any unauthorized access resulting from the actions of Client. Piano shall have the appropriate knowledge of Client’s business to perform its duties under this DPA.

15.1     Global Approach. Piano treats all Personal Data in a manner consistent with the requirements of this DPA in all locations globally. Piano's information policies, standards and governance practices are managed on a global basis.

15.2     Security Procedures. Piano will enforce physical and logical security procedures with respect to its access and maintenance of the Service and any Client Data contained therein. Piano will take appropriate organizational and technological measures to protect the security of the Client Data and defend its location and equipment against “hackers” and any person or entity who may seek to modify or access Piano systems or the information found therein without authorization. Piano will also use its best commercial efforts to take all reasonable measures to secure and defend Client Data and use of the Service from other third-party users.

15.3     Monitoring & Security Breaches. Piano will monitor its networks, connectivity and systems on a continual basis and will perform penetration testing on its systems for potential security breaches not less than once per year; Piano will meet with Client once per year to review the results of such security test(s). Piano will report to Client immediately, but no less than within 24 hours of becoming aware of, any breaches of security or unauthorized access affecting Client Data that Piano detects or becomes aware of. Piano will remedy such breach of security or unauthorized access as soon as possible and deliver to Client a root cause assessment and future incident mitigation plan. Client or its third-party designee may, but is not obligated to, at Client’s expense, perform audits of Piano’s environment during the Term, including coordinated penetration and security tests, as it relates to the receipt, maintenance, use or retention of personally identifiable information or other Client Data. Piano is entitled to claim remuneration for the Client’s audits or inspections. Such audits shall be conducted in accordance with Section 16.19 below. Subject to the foregoing, any of Client’s regulators shall have the same right upon request. Piano agrees to consider all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes and will inform Client of its plans and timeline for addressing and/or implementing any such recommendations.

15.4     Circumvention. If at any time Client or Piano determines that any Piano Personnel: (i) has sought to circumvent or has circumvented the Security Regulations; (ii) has accessed or may access the Client Network without authorization; or (iii) has engaged in activities that may lead to the unauthorized access, destruction, alteration, or loss of data, information or software, Piano will immediately terminate any such Piano Personnel’s access and will immediately, in any event within 24 hours of becoming aware of such breach, notify Client of the events warranting such termination. If Client reasonably determines that any Piano Personnel has attempted to circumvent or has circumvented the Security Regulations, Client may immediately terminate such Piano Personnel’s access to the Client Network and will advise Piano of such termination. Notwithstanding anything to the contrary in this DPA, any failure by Piano, any Piano Personnel or other agents or representatives to comply with the Security Regulations will constitute a breach of this DPA entitling Client to terminate the Agreement immediately upon written notice to Piano for cause. At any time during the Term, Client may audit Piano’s use of the Client Network. Piano agrees that Client may review any information, electronic mail communications, and other data stored on or contained in any computer hard drive, disk, or any other storage medium to determine whether there has been any breach of security or violation of this DPA. In the event that Client concludes, in its reasonable judgment, that there has been any breach of security or violation of this DPA by Piano or any Piano Personnel, agent or representative, Client reserves the right to disclose any computer files or electronic mail messages to third parties, including (but not limited to) law enforcement officials, as Client deems appropriate, without any prior notice to any individuals who may have written, sent or received such files or messages.

16.       Appropriate Security Measures. Piano acknowledges and agrees that from time to time during the term of this DPA, Piano, Piano Affiliates, its employees, agents and Sub-Processors or assigns may be exposed to or have access to Client Data, some of which may be Personal Data. Piano will process or disclose Personal Data only for the Purposes, or other purposes of processing required by a court of competent jurisdiction or by any competent national or EU governmental authority. Piano acknowledges that due to certain mandatory data protection laws, the processing of Personal Data is subject to certain legal requirements. Piano shall assist Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Piano. To the extent applicable to the Services and related activities of Piano, Piano shall comply with all provisions of any applicable privacy policies, including Client’s applicable privacy policy, if reasonably required by the Client and provided in advance to Piano. Piano will not view, de-encrypt, or otherwise access Personal Data unless such access is necessary for the performance of Piano’s obligations under this DPA. Piano will maintain, implement and enforce safety and security procedures in performing the Services that are: (a) equal to or better than industry standards for such Services and networks (if any), but in any case in accordance with a reasonable standard of care; (b) compliant with the requirements of the Privacy and Data Protection Requirements; and (c) compliant with the security requirements set forth in this Section below. Such measures shall include, by way of example and not limitation, firewalls, intrusion detection systems, locking file cabinets, and other appropriate physical and electronic security mechanisms, including current revisions of all software releases and all software patches. Piano shall have adequate security audits in place, and Piano shall submit evidence of passing an annual security audit in conformance with industry standard security standards acceptable to Client, in Client’s sole discretion. Upon request, Piano will complete Client’s Security Assessment Questionnaire. Piano shall comply with an implemented written information security policy (“Information Security Policy”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal Data, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal Data, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal Data. In addition to any specific and/or supplemental security safeguards established in any agreement between the parties, Piano’s Information Security Policy shall include, but not be limited to, the following safeguards where appropriate or necessary to ensure the protection of Personal Data:

16.1     Pseudonymization. Where appropriate, Piano shall implement security measures comprising pseudonymization of the Personal Data.

16.2     Access Controls. Policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons, including, but not limited to, limiting access to physical servers at the production data center to authorized individuals, logging and monitoring of unauthorized access attempts to the data center by the data center security personnel, controlling ingress/egress to the facility using controlled access points (e.g. guards and electronic badge readers), and maintaining physical access logs for entry/exit points; (ii) to ensure that all members of its workforce who require access to Personal Data have appropriately controlled access, and to prevent all other workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Personal Data or information relating thereto to unauthorized individuals; and (iv) to encrypt and decrypt Personal Data where appropriate.

16.3     Security Awareness and Training. A security awareness and training program for all members of Piano’s workforce (including management), which includes training on how to implement and comply with its Information Security Policy and the Privacy and Data Protection Requirements.

16.4     Security Incident Procedures. Policies and procedures to detect, respond to, and otherwise address security incidents, which shall mean, but not be limited to, unauthorized access, acquisition, disclosure or use of Personal Data (“Security Incident”), including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, and document Security Incidents and their outcomes.

16.5     Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including a data backup plan and a disaster recovery plan.

16.6     Device and Media Controls. Policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Piano facility, and the movement of these items within a Piano facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.

16.7     Audit Controls/Logging. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and applicable laws and regulations and compliance therewith.

16.8     Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.

16.9     Storage and Transmission Security. All Personal Data that is stored or transmitted has to be encrypted. Stored Personal Data will be encrypted with then current industry standards, such as, if applicable, AES-128 or better, or Triple-DES (3-DES) or better. All Personal Data in transmission will be protected by at least industry standard encryption such as SSLv3/TLS.

16.10   Secure Disposal. Policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed.

16.11   Assigned Security Responsibility. Piano shall designate a security official responsible for the development, implementation, and maintenance of its Information Security Policy. Piano shall inform Client as to the person responsible for security.

16.12   Testing. Piano shall regularly and no less than one time per year test the key controls, systems and procedures of its Information Security Policy to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

16.13   Program Adjustment. Piano shall monitor, evaluate, and adjust, as appropriate, the Information Security Policy in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Piano or the Personal Data, requirements of applicable work orders, and Piano’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

16.14   Environmental Controls. Establish and maintain environmental controls to detect, prevent and control disruption and/or destruction to information systems containing or storing Personal Data as a result of environmental extremes.

16.15   Security Patch Management. Maintain system upgrades, patches and configurations with at least industry standard and commercially reasonable frequency.

16.16   Testing. Piano shall regularly and no less than one time per year test the key controls, systems and procedures of its Information Security Policy to ensure that they are properly implemented and effective in addressing the threats and risks identified, including but not limited to vulnerability scans and penetration testing. Penetration tests should be conducted or reviewed by independent third parties or staff.

16.17   Application Security Testing. Utilize at least industry standard testing and security assessments (e.g. Veracode).

16.18   Consultant/Vendor Background Checks. Implement and maintain verifiable and at least industry standard processes (based on, among other factors, the circumstances and level of access) for performing background checks on personnel with access to Client Personal Data. Client may reasonably request more specific requirements for such background checks.

16.19   Audits. Client may, at its own cost, request, upon three (3) weeks' written notice to Piano, access to facilities, systems, records and supporting documentation in order to audit Piano’s compliance with its obligations under or related to the Information Security Policy. Client may audit Piano’s compliance with the terms of this DPA and Privacy and Data Protection Requirements not more than once per year. Client may perform more frequent audits of the Service computer systems that process Personal Data to the extent required by laws applicable to Client. If a third party is to conduct the audit, the third party must be mutually agreed to by Client and Piano and must execute a confidentiality agreement acceptable to Piano before conducting the audit. As part of the audit request, Client shall submit a detailed audit plan at least three (3) weeks in advance of the proposed audit date to Piano describing the proposed scope, duration, and start date of the audit. Piano will review the audit plan and provide Client with any concerns or questions (for example, any request for information that could compromise Piano security, privacy, employment or other relevant policies). Piano will cooperate with Client in good faith to agree on a final audit plan. Audits shall be subject to all applicable confidentiality obligations agreed to by Client and Piano and shall be conducted in a manner that minimizes any disruption of Piano’s performance of services and other normal operations, i.e. outside regular business hours. Such audits may, at Client's option and request, include penetration and security tests of any and all Piano systems and their housing facilities and operating environments. Client may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA and/or Privacy and Data Protection Requirements.
The audit reports are Confidential Information of the Parties under the terms of the Agreement. Should the audit reveal confidential information or intellectual property of a third party, any audit must be done in compliance with such third party’s applicable confidentiality or license terms. 

16.20   The Parties will notify each other without undue delay about any potential or actual regulatory or court action or request in respect to the Personal Data processed in connection with this DPA. Piano will notify Client and obtain Client’s consent before sharing any Personal Data with any government authorities unless sharing of such Personal Data is required by applicable law.

16.21   When and as required by Client from time to time, Piano shall execute and/or shall cause its Piano Affiliates to execute supplemental privacy and security terms, with Client or Client’s affiliates that receive Services under the Agreement as required in Client’s sole judgment for the processing and/or transfer of Personal Data in accordance with applicable law. At the time of the signing of this DPA the application of the ePrivacy Regulation has not been fully set out by either European authorities or the local supervisory authority of Client. Consequently, the Parties agree to amend this DPA where necessary to ensure the Services compliance with the ePrivacy Regulation.

16.22   If any country outside of the EU where Services are to be rendered under the Agreement has or enacts a data protection-related law that Client concludes, in its sole judgment, requires the execution of any supplemental privacy and security terms, then Piano shall execute and/or cause any Piano Affiliates to execute such supplemental terms promptly with Client and/or Client’s affiliates, subject to the same terms and conditions as set forth above; provided, however, that the parties shall make reasonable efforts to leverage existing supplemental privacy and security terms that have been executed with respect to the EU data protection-related law to fulfill any such requirement, so as to minimize the cost and effort involved in achieving compliance with such requirement.

16.23   Notwithstanding any provisions in the Agreement to the contrary, in the event that any Party becomes aware of any personal data breach pursuant to Article 4(12) of the GDPR (e.g. breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed) (the “Personal Data Breach”) that might have impact on the other Party’s obligations under Articles 32 and 33 of the GDPR, each Party shall notify the other Party immediately of any such Personal Data Breach (i.e., within 24 hours). The Parties will then co-operate to evaluate the potential risk to rights and freedoms of natural persons stemming from such Personal Data Breach, mitigate such risk and will agree on notification or communication of the Personal Data Breach pursuant to Articles 32 and 33 of the GDPR.

16.24   Piano shall ensure procedures are put in place to ensure that Personal Data is portable, in a machine-readable format, and that Piano will be in a position to provide Client with any Personal Data within three working days. In addition, Piano shall be in a position to delete all of the Client Data, if requested by Client.

17.       Payment Card Industry Data Security Standard (PCI DSS). If and to the extent Piano will have access to any Credit Card Data, then this paragraph shall apply. For purposes hereof, (a) “PCI DSS” means the Payment Card Industry Data Security Standard; and (b) “Credit Card Data” means any and all data designated as “Cardholder Data” or “Sensitive Authentication Data” in PCI DSS. Piano shall comply with industry standards and practices, including without limitation, PCI DSS. If and when applicable, Piano shall use Cardholder Data only for assisting in completing a card transaction, for fraud control services, or as specifically agreed to by Visa, MasterCard, American Express, and/or Discover (collectively, the “Issuers”), or as required by applicable law. In the event of unauthorized use, modification, destruction or disclosure of, or access to, Cardholder Data (any of the foregoing events or circumstances, a “Security Incident”) stored by or for Piano (or otherwise within Piano’s control), Piano shall immediately notify Client and provide Client or its designee, the Issuers, and the acquiring financial institution and their respective designees access to Piano’s facilities and all pertinent records to conduct a review of Piano’s compliance with these requirements. Piano shall maintain appropriate business continuity procedures and systems to ensure security of Cardholder Data in the event of a disruption, disaster or failure of Piano’s primary data systems which involves a risk to Cardholder Data. Piano shall provide access to its security systems and procedures, as reasonably requested by Client or its designee. Piano shall cooperate fully with any reviews of its facilities and records provided for in this paragraph. Piano is, and will continue to be, in compliance with the PCI DSS security standards as they may be amended from time to time.
Piano is responsible for the security of all data obtained, stored, viewed, or accessed in connection with this DPA, whether provided by Client or its customers. Piano will maintain records that demonstrate its PCI compliance and provide them to Client upon request. Piano will immediately contact Client if a security breach or serious threat arises that relates to Client Data and will fully cooperate with Client in investigating and prosecuting any security breaches.

18.       Disaster Recovery. The parties agree that Piano has previously supplied Client with a copy of its written disaster avoidance and recovery plan (the “Disaster Avoidance and Recovery Plan”) and that Piano has implemented and is maintaining such Plan. Piano’s Disaster Avoidance and Recovery Plan shall be actively reviewed on a quarterly basis and updated during the Term using American Institute of Certified Public Accountants standards as guidance. Piano shall notify Client of the completion of any such audit and make the audit available to Client or its designee for review. Piano’s Disaster Avoidance and Recovery Plan shall contain procedures designed to safeguard Client Data and the availability of the Services throughout the Term. Such Disaster Avoidance and Recovery Plan shall include, without limitation, the following:

(a) Fire Protection. Piano represents that the fire protection system at the Piano site(s) consists of the appropriate type and quality of equipment required to provide effective fire protection and that it is regularly reviewed and updated, and that the system currently consists of smoke detectors (with remote enunciators and zone indicators), automatic sprinkler systems, and a two-part halon system in any computer areas. Piano further represents that each room at the Piano site(s) has its own supply of halon and all Piano service location(s) computer rooms have a second halon system to provide backup. Piano represents that water detection devices and drains are installed under all raised floor areas.

(b) Power Supply. Piano shall maintain multiple levels of power backup designed to provide uninterrupted operation of the Piano equipment in the event of a loss of power. Piano shall maintain multiple feeds to the Piano site(s) from different processing stations of the local power company which furnishes the main power to the Piano site(s). Piano shall maintain two (2) levels of uninterrupted power systems to provide smooth transition to the use of Piano’s alternative energy sources (e.g., diesel generators) in the event of an extended power company outage.

(c) Equipment/Air Conditioning. Piano shall maintain multiple levels of protection against loss of cooling, including a primary backup system which shall provide adequate backup cooling capacity, and a secondary backup system, which shall be capable of providing continuous cooling during a power outage so as to maintain equipment at all times within the tolerances specified by the appropriate manufacturer.

(d) Computer Equipment. Piano agrees that the Piano site(s) shall maintain the appropriate backup equipment that is capable of maintaining operations in the event of hardware failures at the Piano site(s). In addition, Piano agrees that it will maintain at the Piano site(s) detailed, written recovery procedures which its personnel are familiar with and which enable Piano personnel to switch to backup hardware expeditiously.

(e) Hardware and Software Changes. Piano shall maintain a strict change control process, which Piano personnel are familiar with, and which is used for both hardware and software changes.

(f) Testing. Piano agrees that its disaster recovery testing will be performed at the Piano site(s) twice per year. The testing shall include, but not be limited to, testing of hardware, installation and operation of all systems, processing of data and generation of reports, and testing of telecommunications facilities.

(g) Recovery Procedures. Piano shall maintain appropriate recovery procedures and automated recovery tools for a call center operations facility.

(h) Off-Site Data Vaulting. Piano shall store daily a current copy of data and system files on magnetic media in damage-resistant, fireproof vaults at an off-site facility. The off-site facility shall be guarded twenty-four (24) hours a day, seven (7) days a week. Piano shall also maintain a tape management system, manual or otherwise, which controls the daily process of vaulting files.

(i) Operations Interruptions. In the event of any unplanned or unscheduled interruptions of the operations of, or accessibility to, the Piano site(s), Piano shall use its commercially reasonable best efforts to restore service to Client as expeditiously as possible. Piano shall notify Client at least ten (10) minutes prior to any unscheduled interruptions. Piano shall notify Client at least within two (2) minutes of occurrence of any unplanned interruptions.

(j) Time Frames for Recovery. The time frames for restoration of Client’s service will vary according to the nature and magnitude of the disaster event, the availability of replacement equipment for drop-shipment and the speed with which alternate telecommunication circuits can be made available. Piano shall use commercially reasonable best efforts to work with telecommunications carriers and equipment vendors to restore service as expeditiously as possible.

(k) Maintenance of Safeguards. In addition to those requirements specifically set forth in this DPA, Piano agrees that it shall maintain safeguards throughout the Term against destruction, loss, or alteration of Client Data, which are no less rigorous than those in effect at other similar vendor site(s) as of the Effective Date of this DPA.

19.       Data Protection Impact Assessment. Each Party remains solely responsible for conducting a data protection impact assessment pursuant to Article 35 of the GDPR and prior consultation pursuant to Article 36 of the GDPR with respect to the Purposes. Nevertheless, if any Party conducts such data protection impact assessment which relates to this DPA, the other Party agrees to reasonably assist such Party by providing reasonable assistance or information.  In good faith, Piano may provide Client with its own data protection impact assessment with respect to the Purposes on the basis of the available information prior to concluding this DPA in order to help the Client to make its own data protection impact assessment.  

20.       Acceptable Use. Piano shall have an Acceptable Use Policy acceptable to Client. Among other things, such policy shall prohibit use by Piano employees and agents of non-business applications that could affect network and/or tool performance and shall mandate that under no circumstances shall any peer-to-peer applications/use be permitted on the network. Piano’s Acceptable Use Policies are subject to review and approval by Client. The Acceptable Use Policy shall have adequate, reasonable and at least industry standard access controls.

21.       Liability. Pursuant to Article 82 of the GDPR, Piano shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Client. Piano shall be exempt from liability if Piano proves that it is not in any way responsible for the event giving rise to the damage.

22.       Where Client is domiciled in the United Kingdom (“UK”), any reference to GDPR shall be interpreted as a reference to the UK law that is equivalent to the GDPR or that implements the GDPR not affecting validity and effectiveness of this DPA. The Parties wish to interpret this DPA in line with applicable UK legislation. Client is obliged to inform Piano about any requirements stemming from the UK law beyond the requirements stemming from the GDPR. This Section 22 shall not apply where Client is not domiciled in the UK.

23.       Service Analysis. As part of the Services and foreseen processing of Personal Data, Piano may (i) compile statistical and other information related to the performance, operation and use of the Services, and (ii) use Client Data from the Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (clauses (i) and (ii) are collectively referred to as “Service Analyses”).  Piano may make Service Analyses publicly available; however, the resulting Service Analyses will not incorporate Client Data or Confidential Information in a form that could identify or serve to identify Client or any data subject. Piano shall retain all intellectual property rights in said Service Analyses as its own confidential information.  

24.       Data Protection Officer. Piano has appointed Louis-Marie Guerif (privacy@piano.io) as its Data Protection Officer. 


Exhibit A

Commission Decision (EU) 2021/914
Standard Contractual Clauses (controller-processor)

For the purpose of ensuring compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 May 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

SECTION I

Name of the data exporting organization:

Set forth in the applicable Schedule

Address (all):

Set forth in the applicable Schedule

Tel.:

Set forth in the applicable Schedule

E-Mail:

Set forth in the applicable Schedule

Other information needed to identify the organisation:

________________________________________________
(the data exporter)

and

Name of the data importing organization:

Piano Software, Inc.

Address (all):

111 S. Independence Mall E, Suite 950, Philadelphia, PA 19106

Tel.:

+1-646-350-2816

E-Mail:

privacy@piano.io

Other information needed to identify the organisation:

________________________________________________
(the data importer)


each a “party”; together “the parties”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.


Clause 1

Purpose and scope

(a)  The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 May 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)[1] for the transfer of personal data to a third country.

(b)  The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)   These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)  The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)  These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)  These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)    Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(iii) Clause 8 – Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iv) Clause 9 – Clause 9(a), (c), (d) and (e);

(v) Clause 12 – Clause 12(a), (d) and (f);

(vi) Clause 13;

(vii) Clause 15.1(c), (d) and (e);

(viii) Clause 16(e);

(ix) Clause 18 – Clause 18(a).

(b)    Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)    Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)    These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)     These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

(a)    An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)    Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)     The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

8.1   Instructions

(a)    The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b)    The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of processing

(a)    The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)    The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)     In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)    The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union[2] (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9   Documentation and compliance

(a)    The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b)    The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c)     The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d)    The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e)    The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)    The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least fifteen (15) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b)    Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.[3] The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)     The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)    The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)    The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

 

Clause 10

Data subject rights

 

(a)    The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data exporter.

(b)    The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)     In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

 

Clause 11

Redress

 

(a)    The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b)    In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)     Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)           lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)         refer the dispute to the competent courts within the meaning of Clause 18.

(d)    The Parties accept that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)    The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)     The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

 

Clause 12

Liability

 

(a)    Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)    The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)     Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)    The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)    Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)     The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)    The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

 

Clause 13

Supervision

 

(a)    Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)    Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

(c)     Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(d)    The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

 

Clause 14

Local laws and practices affecting compliance with the Clauses

 

(a)    The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)    The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)           the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)         the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (12);

(iii)        any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)     The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)    The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)    The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)     Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

 

Clause 15

Obligations of the data importer in case of access by public authorities

 

15.1   Notification

 

(a)    The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:

(i)           receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)         becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b)    If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)     Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). 

(d)    The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)    Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2   Review of legality and data minimization

 

(a)    The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)    The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)     The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

 

SECTION IV – FINAL PROVISIONS

Clause 16

 

Non-compliance with the Clauses and termination

 

(a)    The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)    In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)     The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)           the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)         the data importer is in substantial or persistent breach of these Clauses; or

(iii)        the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

 

(d)    Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.

(e)    Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

 

Clause 17

Governing law

 

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Slovak Republic.

 

Clause 18

Choice of forum and jurisdiction

 

(a)    Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)    The Parties agree that those shall be the courts of the Slovak Republic.

(c)     A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)    The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I

 

A.              LIST OF PARTIES

 

Name of the data exporting organization:

Set forth in the applicable Schedule

Address (all):

Set forth in the applicable Schedule

Tel.:

Set forth in the applicable Schedule

E-Mail:

Set forth in the applicable Schedule

Other information needed to identify the organisation:

________________________________________________
(the Data Exporter)

 

and

Name of the data importing organization:

Piano Software, Inc.

Address (all):

111 S. Independence Mall E, Suite 950, Philadelphia, PA 19106

Tel.:

+1-646-350-2816

E-Mail:

privacy@piano.io

Other information needed to identify the organisation:

 

________________________________________________
(the Data Importer)

B.              DESCRIPTION OF TRANSFER

 

Data Exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

 

Operator of Websites which chose to use the Data importer to assist in providing certain web audience measuring services, which necessarily involves processing of personal data.

 

Data Importer

The data importer is (please specify briefly activities relevant to the transfer):

 

Provider of certain web audience measuring services to the Data exporter, which necessarily involves processing of personal data.

 

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

 

Mainly Users of the Client’s Websites, as is explained in more detail in the above Data Processing Agreement concluded between the Parties. 

 

Categories of data

The personal data transferred concern the following categories of data (please specify):

 

Name, email address, phone number, financial data, the specific content accessed, time and duration of the visit, offer conversion and/or interaction data, referring site, or other information relating to such natural person collected through the Service, whether collected via cookies or other tracking technologies, the Service’s functionality, or otherwise.

 

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

 

No special categories of personal data are transferred to the best of the knowledge of both Parties. 

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

 

Continuous basis

 

Nature of the processing

 

Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, cross-border transfer, erasure or destruction.

 

Purpose(s) of the data transfer and further processing

 

Services provision

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

 

Data will be retained until the purpose is fulfilled, which will be either: (a) contract termination; or (b) the controller sends a request for data deletion.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

 

C.              COMPETENT SUPERVISORY AUTHORITY

 

Office for Personal Data Protection of the Slovak Republic

Hraničná 12

820 07 Bratislava 27

Slovak Republic
ANNEX II

 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

EXPLANATORY NOTE:

 

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

These technical and organizational measures are described in detail in the above Data Processing Agreement concluded between the Parties.
EXHIBIT B (2)

 

DATA PROCESSING AGREEMENT FOR ALL PRODUCTS OTHER THAN PIANO ANALYTICS AND WHERE PIANO ENTITY IS NOT PIANO SOFTWARE, INC.

 

This Data Processing Agreement shall only apply to Client’s use of Products other than Piano Analytics and where the Piano Entity is not Piano Software, Inc. For the Data Processing Agreement applicable where the applicable Piano Entity is Piano Software, Inc. or to Client’s use of Piano Analytics, see Exhibit B (1) and Exhibit B (3), respectively. 

 

WHEREAS: 

(1)    The Parties concluded the Agreement; 

(2)    By provision of the Services pursuant to the Agreement, Piano will process personal data about the Users on behalf of the Client;

(3)    The Agreement and this DPA foresee and allow Piano to use Piano Affiliates and Sub-Processors for the processing of personal data about the Users in accordance with conditions laid down in this DPA; 

(4)    The Agreement and this DPA foresee and allow Piano to process personal data about the Users on a cross-border basis and/or outside the European Economic Area in accordance with conditions laid down in this DPA; 

(5)    The Client shall only use data processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR while this DPA documents why the Client is satisfied with the guarantees provided by Piano; 

(6)    Parties wish to explicitly agree on the scope and distribution of the obligations stemming from the GDPR mainly towards the Users as data subjects; 

THEREFORE, PARTIES AGREED AS FOLLOWS: 

1.      Definitions. The terms used in this DPA shall be interpreted and construed in accordance with GDPR. Any terms defined in the Agreement shall have the same meaning if used in this DPA. As used in this DPA, the following terms shall have the following meanings:

“Agreement” means the Piano Master Services Agreement Terms and Conditions concluded between the Parties;

“Clauses” means standard contractual clauses approved by the Commission (Commission Decision (EU) 2021/914, Standard Contractual Clauses) to safeguard the cross-border transfer of Personal Data between parties;

“Commission” means the Commission of the EU;

“Conditions” means the following conditions: (i) Piano concludes a data processing agreement with Piano Affiliates and Sub-Processors ensuring that any processing of Personal Data is compliant with the terms and level of protection of Personal Data required under this DPA; (ii) the current list of all Piano Affiliates and Sub-Processors is made available and kept updated by Piano via https://piano.io/privacy-policy (Piano Software, Inc., Philadelphia, US is automatically regarded as a Piano Affiliate whether or not on the list); (iii) the Personal Data will be transferred to and processed only by Piano Affiliates and Sub-Processors located in the EEA, the United Kingdom, the United States, Russia, Sri Lanka, the Philippines or third countries ensuring an adequate level of protection according to the Commission’s decision or, where applicable, according to the equivalent decision under UK law; (iv) in case Piano Affiliates or Sub-Processors are located in the United Kingdom, Russia, Sri Lanka, the Philippines or the United States, the cross-border transfer is made by Piano on the basis of EU standard contractual clauses or the Commission’s adequacy decisions or in compliance with the Binding Corporate Rules adopted by Piano and located at https://piano.io/bcr; (v) in case Piano Affiliates or Sub-Processors are located in Russia, Sri Lanka, the Philippines or the United States, Piano shall adopt supplementary technical, contractual and organizational measures to ensure safe cross-border transfer, such as: 1) assessing whether the Piano Affiliate or Sub-Processor falls under local surveillance legislation, along with an assessment of local law and practices; 2) encryption of the Personal Data, with the encryption keys kept out of the Piano Affiliate’s or Sub-Processor’s disposal and controlled only by Piano’s DevOps engineers in the EEA/EU; 3) assessment of publicly available information and of information provided upon request; 4) intragroup organizational methods (training, internal policies); 5) data minimization measures; (vi) Client shall be entitled, upon written request, to receive copies of the relevant terms of the internal Piano data processing agreement concluded between Piano and Piano Affiliates; (vii) Client may request that Piano audit a Piano Affiliate or Sub-Processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Client in obtaining a third-party audit report concerning the Piano Affiliate’s or Sub-Processor’s operations) to ensure compliance with such obligations, provided however that section 15.19 of this DPA applies mutatis mutandis; and (viii) Piano shall be liable for the acts and omissions of Piano Affiliates and its Sub-Processors to the same extent Piano would be liable if performing the services of each Piano Affiliate and Sub-Processor directly under the terms of this DPA, except as otherwise set forth in this DPA and/or in the Privacy and Data Protection Requirements;

“Client Data” means any and all data and information delivered by or on behalf of, or collected directly or indirectly from, Client, its affiliates, or their respective clients, customers and Users, including without limitation any such data or information collected via the Software and/or Service, which may include, without limitation, Credit Card Data (as defined in Section 16 below), Non-Personal Data or the Personal Data. For clarity, all Personal Data is Client Data but not all Client Data is Personal Data (Non-Personal Data are not Personal Data);

“EEA” means European Economic Area;

“EU” means European Union;

“European Economic Area” means all EU member states plus Iceland, Norway and Liechtenstein;

“Non-Registered Users” means non-registered users of Websites;

“Piano Affiliates” means companies which are controlled by Piano Software Inc., Philadelphia, US, where control refers to possession, directly or indirectly, of the power to direct or cause the direction of the management of an entity whether through ownership, voting rights, by contract or otherwise, a list of which is published at https://piano.io/privacy-policy and regularly updated therein, including Piano Software, Inc., Philadelphia, US, which is always regarded as a Piano Affiliate whether or not on the list;

“Privacy and Data Protection Requirements” means the GDPR, the ePrivacy Directive (2002/58/EC) and all applicable national laws and regulations relating to the processing of personal data and privacy notified to Piano by Client;

“Purposes” means purposes of processing of Personal Data determined by Client, where such purposes are derived from the functionality of the Software, in particular: (i) audience experiences, i.e. the core processing activities undertaken for Client (i.e. Services) such as analysis of subscription performance, user trends, preferences, and segmentation and other processing which typically occurs in the course of Client’s use of the Software; (ii) billing and accounting purposes, i.e. the service of processing payments and financial information in accordance with the applicable billing, accounting and tax laws; and (iii) other purposes of processing foreseen by the functionality of the Software;

“Registered Users” means registered users of Websites;

“Security Regulations” means reasonable security measures as requested by Client with respect to Piano’s physical access to Client’s facilities for performing Services and with respect to remote or virtual access, if applicable, to Client software, systems, data, information and materials;

“Sub-Processors” means sub-processors that Piano uses to process the Personal Data, a list of which is published at https://piano.io/privacy-policy and regularly updated therein;

“Users” means collectively Registered Users and Non-Registered Users;

As used herein, references to the “Services” shall mean the Software and/or the Services.

2.         Subject-Matter. Piano shall provide the Services in accordance with the provisions of this DPA. Piano is entrusted and entitled to process Client Data in accordance with the provisions of the Agreement, including this DPA. The Parties wish to make any processing of Client Data that is subject to the GDPR compliant with the GDPR. For clarity, this DPA does not relate to all processing of personal data by the Parties, but only to the processing of the Personal Data in respect of the Agreement.

3.         Duration and Termination. This DPA forms an inseparable part of the Agreement. It is impossible to provide Services in accordance with the Agreement without processing Client Data pursuant to this DPA. Therefore, this DPA can only be terminated by termination of the Agreement as its inseparable part. Upon termination or expiration of the Agreement, Piano shall at the choice of the Client either return or securely delete all Client Data, unless there is a requirement to store such data under the EU or the EU member state law that applies to Piano or Piano Affiliates. 

4.         Nature of Personal Data Processing. The nature of Personal Data processing under this DPA is determined by the nature of Services provided by Piano and the functionality of the Software. The Software is designed to help digital content companies to drive page views, engagement, and registrations, decrease ad blocking, and sell or otherwise grant access to premium content. The nature of Personal Data processing by Piano is also determined by the fact that Piano does not have a direct relationship with data subjects and by Piano’s Software as a Service business model that does not include data monetization techniques like brokerage of data or databases or selling of data to third parties. 

5.         Purpose of Personal Data Processing. As the Client’s data processor, Piano is entitled to process the Personal Data for the Purposes. Piano will process Personal Data solely for the provision of the Services, and will not otherwise (i) process or use Personal Data for purposes other than those set forth in this DPA and/or the Agreement or as instructed by Client, or (ii) disclose such Personal Data to third parties other than Piano Affiliates or Sub-Processors in accordance with Section 8 below or as required by law.   

6.         Types of Personal Data. Types of the Personal Data processed by Piano on the basis of this DPA include, as the case may be, name, email address, phone number, financial data, the specific content accessed, time and duration of the visit, IP address, geographical location of the end-user device, offer conversion and/or interaction data, referring site, or other information or other information relating to such natural person collected through the Service whether collected via cookies or other tracking technologies, the Service’s functionality, or otherwise. Parties do not foresee processing of special categories of Personal Data pursuant to the Article 9 of the GDPR. 

7.         Categories of Data Subjects. The Personal Data processed by Piano will relate to Users of the Client’s Websites and persons using the Software/Services.  

8.         Sub-Processors & Transfers. Through this DPA Client provides Piano with a specific documented instruction/authorization to use Piano Affiliates and Sub-Processors for processing of Personal Data pursuant to the Conditions including to transfer personal data to them. Provided that the Conditions are met, Piano is authorized to use and change Piano Affiliates and Sub-Processors without additional instructions or approvals by the Client. Piano shall specifically notify to the Client any change of Piano Affiliates and/or Sub-Processors where the Conditions would not be fulfilled and shall provide Client the opportunity to object to such changes. If Client does not respond within fifteen (15) days, Piano is authorized to undertake the change and transfer. At any time, Piano shall provide a current list of Piano Affiliates and/or Sub-Processors upon request of Client. 

9.         EU Standard Contractual Clauses. INTENTIONALLY OMITTED. 

10.       Documented Instructions. Piano shall process the Personal Data for the Purposes only in accordance with documented instructions from Client including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by the EU or the Member State law to which Piano is subject; in such a case, Piano shall inform Client of that legal requirement before processing, unless such law prohibits such information on important grounds of public interest. Certain general authorizations and documented specific instructions/authorizations are already contained in this DPA, mainly in Section 8 above, which are hereby given by Client to Piano and which can only be altered if mutually agreed by the Parties. Any other general authorizations or documented specific instructions/authorizations of Client must be given to Piano in accordance with Section 12(a) of the Agreement (Notices). Piano is obliged to inform Client if it believes that Client’s instruction would infringe the GDPR. Piano shall not be liable for breaching any contractual obligations under the Agreement and/or this DPA if such breach is caused by compliance with documented instruction of Client under this DPA. For the avoidance of doubt, Client’s instructions for the processing of Personal Data shall comply with Privacy and Data Protection Requirements. Client shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Client acquired Personal Data.

11. Data Subject Rights. According to Article 28(3)(e) of the GDPR, Piano, acting as a data processor, shall, insofar as this is possible and taking into account the nature of the processing, assist Client, as a data controller, with the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR. Piano will comply with this obligation by providing supporting information available to it upon request of Client. Such supporting information may include an updated list of Sub-Processors, Piano Affiliates, recipients and respective third countries. Upon request from Client, Piano shall delete, release, correct, provide a copy of or block access to specific Personal Data or, if the foregoing is not practicable and only to the extent permitted by applicable law, follow Client’s detailed written instructions to delete, release, correct or block access to Personal Data held in Client’s Services environment. However, Piano is not entitled to handle or respond to a data subject request if it relates to the Purposes. Such requests should be handled and responded to by Client. Should Piano receive a data subject request that is of a general nature and might be or is related to the Purposes, Piano will forward such a request to Client without undue delay.

12. Transparent Information. Every data controller has a general obligation to provide certain information to data subjects, mainly pursuant to Article 13 or Article 14 of the GDPR. Client remains fully responsible for providing this information to data subjects via its own privacy policy. Client is entitled but not obliged to refer to or to use information from Piano’s privacy policy and information about the GDPR published and updated at https://piano.io/privacy-policy.

13. Legal Grounds for Processing of Personal Data. The legal grounds for processing Personal Data are determined solely by Client. Such legal grounds must always be compliant with Article 6 of the GDPR. By concluding this DPA, the Client warrants and guarantees to Piano that it has sufficient legal grounds for processing the Personal Data, including the consent of the data subject where required by the GDPR.

14. Confidentiality. Piano shall implement organizational measures that ensure that access to the Personal Data by Piano staff is limited to what is necessary to achieve the Purposes. Piano shall also implement organizational measures that ensure all Piano staff are committed to confidentiality in respect of the Personal Data. These obligations may be complied with by adopting an appropriate internal policy at the Piano group.

15. General Client Data Obligations. Client shall own and retain all rights in and to the Client Data. All Client Data must be stored only on servers located in the EU unless otherwise expressly authorized in this DPA or by Client in writing. Piano may only use Client Data to the extent necessary to perform its obligations hereunder. In the course of providing the Services, Piano shall not access, and shall not permit its personnel and/or third-party service providers to access, Client Data except as necessary to perform the Services and only in accordance with the requirements of the Agreement and this DPA. Piano shall not be liable to Client for any damages incurred by Client in connection with any unauthorized access resulting from the actions of Client. Piano shall have the appropriate knowledge of Client’s business to perform its duties under this DPA.

15.1 Global Approach. Piano treats all Personal Data in a manner consistent with the requirements of this DPA in all locations globally. Piano’s information policies, standards and governance practices are managed on a global basis.

15.2 Security Procedures. Piano will enforce physical and logical security procedures with respect to its access to and maintenance of the Service and any Client Data contained therein. Piano will take appropriate organizational and technological measures to protect the security of the Client Data and defend its location and equipment against “hackers” and any person or entity who may seek to modify or access Piano systems or the information found therein without authorization. Piano will also use its best commercial efforts to take all reasonable measures to secure and defend Client Data and use of the Service from other third-party users.

15.3 Monitoring & Security Breaches. Piano will monitor its networks, connectivity and systems on a continual basis and will perform penetration testing on its systems for potential security breaches not less than once per year; Piano will meet with Client once per year to review the results of such security test(s). Piano will report to Client immediately, and in any event within 24 hours of becoming aware of, any breaches of security or unauthorized access affecting Client Data that Piano detects or becomes aware of. Piano will remedy such breach of security or unauthorized access as soon as possible and deliver to Client a root cause assessment and future incident mitigation plan. Client or its third-party designee may, but is not obligated to, at Client’s expense, perform audits of Piano’s environment during the Term, including coordinated penetration and security tests, as it relates to the receipt, maintenance, use or retention of personally identifiable information or other Client Data. Piano is entitled to claim remuneration for the Client’s audits or inspections. Such audits shall be conducted in accordance with Section 16.19 below. Subject to the foregoing, any of Client’s regulators shall have the same right upon request. Piano agrees to consider all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes and will inform Client of its plans and timeline for addressing and/or implementing any such recommendations.

15.4 Circumvention. If at any time Client or Piano determines that any Piano Personnel: (i) has sought to circumvent or has circumvented the Security Regulations; (ii) has accessed or may access the Client Network without authorization; or (iii) has engaged in activities that may lead to the unauthorized access, destruction, alteration, or loss of data, information or software, Piano will immediately terminate any such Piano Personnel’s access and will immediately, and in any event within 24 hours of becoming aware of such breach, notify Client of the events warranting such termination. If Client reasonably determines that any Piano Personnel has attempted to circumvent or has circumvented the Security Regulations, Client may immediately terminate such Piano Personnel’s access to the Client Network and will advise Piano of such termination. Notwithstanding anything to the contrary in this DPA, any failure by Piano, any Piano Personnel or other agents or representatives to comply with the Security Regulations will constitute a breach of this DPA entitling Client to terminate the Agreement immediately upon written notice to Piano for cause. At any time during the Term, Client may audit Piano’s use of the Client Network. Piano agrees that Client may review any information, electronic mail communications, and other data stored on or contained in any computer hard drive, disk, or any other storage medium to determine whether there has been any breach of security or violation of this DPA. In the event that Client concludes, in its reasonable judgment, that there has been any breach of security or violation of this DPA by Piano or any Piano Personnel, agent or representative, Client reserves the right to disclose any computer files or electronic mail messages to third parties, including (but not limited to) law enforcement officials, as Client deems appropriate, without any prior notice to any individuals who may have written, sent or received such files or messages.

16. Appropriate Security Measures. Piano acknowledges and agrees that from time to time during the term of this DPA, Piano, Piano Affiliates, its employees, agents and Sub-Processors or assigns may be exposed to or have access to Client Data, some of which may be Personal Data. Piano will process or disclose Personal Data only for the Purposes, or for other purposes of processing required by a court of competent jurisdiction or by any competent national or EU governmental authority. Piano acknowledges that due to certain mandatory data protection laws, the processing of Personal Data is subject to certain legal requirements. Piano shall assist Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Piano. To the extent applicable to the Services and related activities of Piano, Piano shall comply with all provisions of any applicable privacy policies, including Client’s applicable privacy policy, if reasonably required by the Client and provided in advance to Piano. Piano will not view, decrypt, or otherwise access Personal Data unless such access is necessary for the performance of Piano’s obligations under this DPA. Piano will maintain, implement and enforce safety and security procedures in performing the Services that are: (a) equal to or better than industry standards for such Services and networks (if any), but in any case in accordance with a reasonable standard of care; (b) compliant with the requirements of the Privacy and Data Protection Requirements; and (c) compliant with the security requirements set forth in this Section below. Such measures shall include, by way of example and not limitation, firewalls, intrusion detection systems, locking file cabinets, and other appropriate physical and electronic security mechanisms, including current revisions of all software releases and all software patches.
Piano shall have adequate security audits in place, and Piano shall submit evidence of passing an annual security audit in conformance with industry standard security standards acceptable to Client, in Client’s sole discretion. Upon request, Piano will complete Client’s Security Assessment Questionnaire. Piano shall comply with an implemented written information security policy (“Information Security Policy”) that includes administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of Personal Data, protect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of the Personal Data, and protect against unauthorized access, use, disclosure, alteration, or destruction of the Personal Data. In addition to any specific and/or supplemental security safeguards established in any agreement between the Parties, Piano’s Information Security Policy shall include, but not be limited to, the following safeguards where appropriate or necessary to ensure the protection of Personal Data:

16.1 Pseudonymization. Where appropriate, Piano shall implement security measures comprising pseudonymization of the Personal Data.

16.2 Access Controls. Policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons, including, but not limited to, limiting access to physical servers at the production data center to authorized individuals, logging and monitoring of unauthorized access attempts to the data center by the data center security personnel, controlling ingress/egress to the facility using controlled access points (e.g. guards and electronic badge readers), and maintaining physical access logs for entry/exit points; (ii) to ensure that all members of its workforce who require access to Personal Data have appropriately controlled access, and to prevent all other workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Personal Data or information relating thereto to unauthorized individuals; and (iv) to encrypt and decrypt Personal Data where appropriate.

16.3 Security Awareness and Training. A security awareness and training program for all members of Piano’s workforce (including management), which includes training on how to implement and comply with its Information Security Policy and the Privacy and Data Protection Requirements.

16.4 Security Incident Procedures. Policies and procedures to detect, respond to, and otherwise address security incidents, which shall mean, but not be limited to, unauthorized access, acquisition, disclosure or use of Personal Data (“Security Incident”), including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, and document Security Incidents and their outcomes.

16.5 Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Personal Data or systems that contain Personal Data, including a data backup plan and a disaster recovery plan.

16.6 Device and Media Controls. Policies and procedures that govern the receipt and removal of hardware and electronic media that contain Personal Data into and out of a Piano facility, and the movement of these items within a Piano facility, including policies and procedures to address the final disposition of Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for re-use.

16.7 Audit Controls/Logging. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and applicable laws and regulations and compliance therewith.

16.8 Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.

16.9 Storage and Transmission Security. All Personal Data that is stored or transmitted has to be encrypted. Stored Personal Data will be encrypted with then-current industry standards, such as, if applicable, AES-128 or better, or Triple-DES (3-DES) or better. All Personal Data in transmission will be protected by at least industry standard encryption such as SSLv3/TLS.

16.10 Secure Disposal. Policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read or reconstructed.

16.11 Assigned Security Responsibility. Piano shall designate a security official responsible for the development, implementation, and maintenance of its Information Security Policy. Piano shall inform Client as to the person responsible for security.

16.12 Testing. Piano shall regularly, and no less than one time per year, test the key controls, systems and procedures of its Information Security Policy to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

16.13 Program Adjustment. Piano shall monitor, evaluate, and adjust, as appropriate, the Information Security Policy in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Piano or the Personal Data, requirements of applicable work orders, and Piano’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

16.14 Environmental Controls. Establish and maintain environmental controls to detect, prevent and control disruption and/or destruction of information systems containing or storing Personal Data as a result of environmental extremes.

16.15 Security Patch Management. Maintain system upgrades, patches and configurations with at least industry standard and commercially reasonable frequency.

16.16 Testing. Piano shall regularly, and no less than one time per year, test the key controls, systems and procedures of its Information Security Policy to ensure that they are properly implemented and effective in addressing the threats and risks identified, including but not limited to vulnerability scans and penetration testing. Penetration tests should be conducted or reviewed by independent third parties or staff.

16.17 Application Security Testing. Utilize at least industry standard testing and security assessments (e.g. Veracode).

16.18 Consultant/Vendor Background Checks. Implement and maintain verifiable and at least industry standard processes (based on, among other factors, the circumstances and level of access) for performing background checks on personnel with access to Client Personal Data. Client may, upon reasonable request, specify more detailed requirements for such background checks.

16.19 Audits. Client may, at its own cost, request, upon three (3) weeks’ written notice to Piano, access to facilities, systems, records and supporting documentation in order to audit Piano’s compliance with its obligations under or related to the Information Security Policy. Client may audit Piano’s compliance with the terms of this DPA and the Privacy and Data Protection Requirements not more than once per year. Client may perform more frequent audits of the Service computer systems that process Personal Data to the extent required by laws applicable to Client. If a third party is to conduct the audit, the third party must be mutually agreed to by Client and Piano and must execute a confidentiality agreement acceptable to Piano before conducting the audit. As part of the audit request, Client shall submit a detailed audit plan to Piano at least three (3) weeks in advance of the proposed audit date, describing the proposed scope, duration, and start date of the audit. Piano will review the audit plan and provide Client with any concerns or questions (for example, any request for information that could compromise Piano security, privacy, employment or other relevant policies). Piano will cooperate with Client in good faith to agree on a final audit plan. Audits shall be subject to all applicable confidentiality obligations agreed to by Client and Piano and shall be conducted in a manner that minimizes any disruption of Piano’s performance of services and other normal operations, i.e. outside regular business hours. Such audits may, at Client’s option and request, include penetration and security tests of any and all Piano systems and their housing facilities and operating environments. Client may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA and/or the Privacy and Data Protection Requirements.
The audit reports are Confidential Information of the Parties under the terms of the Agreement. Should the audit reveal confidential information or intellectual property of a third party, any audit must be done in compliance with such third party’s applicable confidentiality or license terms.

16.20 The Parties will notify each other without undue delay about any potential or actual regulatory or court action or request in respect of the Personal Data processed in connection with this DPA. Piano will notify Client and obtain Client’s consent before sharing any Personal Data with any government authorities unless sharing of such Personal Data is required by applicable law.

16.21 When and as required by Client from time to time, Piano shall execute and/or shall cause its Piano Affiliates to execute supplemental privacy and security terms with Client or Client’s affiliates that receive Services under the Agreement, as required in Client’s sole judgment for the processing and/or transfer of Personal Data in accordance with applicable law. At the time of the signing of this DPA the application of the ePrivacy Regulation has not been fully set out by either European authorities or the local supervisory authority of Client. Consequently, the Parties agree to amend this DPA where necessary to ensure the Services’ compliance with the ePrivacy Regulation.

16.22 If any country outside of the EU where Services are to be rendered under the Agreement has or enacts a data protection-related law that Client concludes, in its sole judgment, requires the execution of any supplemental privacy and security terms, then Piano shall execute and/or cause any Piano Affiliates to execute such supplemental terms promptly with Client and/or Client’s affiliates, subject to the same terms and conditions as set forth above; provided, however, that the Parties shall make reasonable efforts to leverage existing supplemental privacy and security terms that have been executed with respect to the EU data protection-related law to fulfill any such requirement, so as to minimize the cost and effort involved in achieving compliance with such requirement.

16.23 Notwithstanding any provisions in the Agreement to the contrary, in the event that any Party becomes aware of any personal data breach pursuant to Article 4(12) of the GDPR (e.g. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed) (the “Personal Data Breach”) that might have an impact on the other Party’s obligations under Articles 32 and 33 of the GDPR, each Party shall notify the other Party immediately of any such Personal Data Breach (i.e., within 24 hours). The Parties will then co-operate to evaluate the potential risk to the rights and freedoms of natural persons stemming from such Personal Data Breach, mitigate such risk and agree on notification or communication of the Personal Data Breach pursuant to Articles 32 and 33 of the GDPR.

16.24 Piano shall ensure procedures are put in place to ensure that Personal Data is portable, in a machine-readable format, and that Piano will be in a position to provide Client with any Personal Data within three working days. In addition, Piano shall be in a position to delete all of the Client Data, if requested by Client.

17. Payment Card Industry Data Security Standard (PCI DSS). If and to the extent Piano will have access to any Credit Card Data, then this paragraph shall apply. For purposes hereof, (a) “PCI DSS” means the Payment Card Industry Data Security Standard; and (b) “Credit Card Data” means any and all data designated as “Cardholder Data” or “Sensitive Authentication Data” in PCI DSS. Piano shall comply with industry standards and practices, including without limitation, PCI DSS. If and when applicable, Piano shall use Cardholder Data only for assisting in completing a card transaction, for fraud control services, or as specifically agreed to by Visa, MasterCard, American Express, and/or Discover (collectively, the “Issuers”), or as required by applicable law. In the event of unauthorized use, modification, destruction or disclosure of, or access to, Cardholder Data (any of the foregoing events or circumstances, a “Security Incident”) stored by or for Piano (or otherwise within Piano’s control), Piano shall immediately notify Client and provide Client or its designee, the Issuers, and the acquiring financial institution and their respective designees access to Piano’s facilities and all pertinent records to conduct a review of Piano’s compliance with these requirements. Piano shall maintain appropriate business continuity procedures and systems to ensure security of Cardholder Data in the event of a disruption, disaster or failure of Piano’s primary data systems which involves a risk to Cardholder Data. Piano shall provide access to its security systems and procedures, as reasonably requested by Client or its designee. Piano shall cooperate fully with any reviews of its facilities and records provided for in this paragraph. Piano is, and will continue to be, in compliance with the PCI DSS security standards as they may be amended from time to time.
Piano is responsible for the security of all data obtained, stored, viewed, or accessed in connection with this DPA, whether provided by Client or its customers. Piano will maintain records that demonstrate its PCI compliance and provide them to Client upon request. Piano will immediately contact Client if a security breach or serious threat arises that relates to Client Data and will fully cooperate with Client in investigating and prosecuting any security breaches.

18.       Disaster Recovery. The parties agree that Piano has previously supplied Client with a copy of its written disaster and recover plan (the “Disaster Avoidance and Recovery Plan”) and that Piano has implemented and is maintaining such Plan. Piano’s Disaster Avoidance and Recovery Plan shall be actively reviewed on a quarterly basis and updated during the Term using American Institute of Certified Public Accountants standards as guidance. Piano shall notify Client of the completion of any such audit and make the audit available to Client or its designee for review. Piano’s Disaster Avoidance and Recovery Plan shall contain procedures designed to safeguard Client Data and the availability of the Services, throughout the Term. Such Disaster Avoidance and Recovery Plan shall include, without limitation, the following:

(i) Fire Protection. Piano represents that the fire protection system at the Piano site(s) consists of the appropriate type and quality of equipment required to provide effective fire protection and that it is regularly reviewed and updated, and that the system currently consists of smoke detectors (with remote enunciators and zone indicators), automatic sprinkler systems, and a two-part halon system in any computer areas. Piano further represents that each room at the Piano site(s) has its own supply of halon and all Piano service location(s) computer rooms have a second halon system to provide backup. Piano represents that water detection devices and drains are installed under all raised floor areas.

(j) Power Supply. Piano shall maintain multiple levels of power backup designed to provide uninterrupted operation of the Piano equipment in the event of a loss of power. Piano shall maintain multiple feeds to the Piano site(s) from different processing stations of the local power company which furnishes the main power to the Piano site(s). Piano shall maintain two (2) levels of uninterrupted power systems to provide smooth transition to the use of Piano’s alternative energy sources (e.g., diesel generators) in the event of an extended power company outage.

(k) Equipment/Air Conditioning. Piano shall maintain multiple levels of protection against loss of cooling, including a primary backup system which shall provide adequate backup cooling capacity, and a secondary backup system, which shall be capable of providing continuous cooling during a power outage so as to maintain equipment at all times within the tolerances specified by the appropriate manufacturer.

(l) Computer Equipment. Piano agrees that the Piano site(s) shall maintain the appropriate backup equipment that is capable of maintaining operations in the event of hardware failures at the Piano site(s). In addition, Piano agrees that it will maintain at the Piano site(s) detailed, written recovery procedures which its personnel are familiar with and which enable Piano personnel to switch to backup hardware expeditiously.

(m) Hardware and Software Changes. Piano shall maintain a strict change control process, which Piano personnel are familiar with, and which is used for both hardware and software changes.

(n) Testing. Piano agrees that its disaster recovery testing will be performed at the Piano site(s) twice per year. The testing shall include, but not be limited to, testing of hardware, installation and operation of all systems, processing of data and generation of reports, and testing of telecommunications facilities.

(o) Recovery Procedures. Piano shall maintain appropriate recovery procedures and automated recovery tools for a call center operations facility.

(p) Off-Site Data Vaulting. Piano shall store daily a current copy of data and system files on magnetic media in damage resistant, fire proof vaults at an off-site facility. The off-site facility shall be guarded twenty-four (24) hours a day, seven (7) days a week. Piano shall also maintain a tape management system, manual or otherwise, which controls the daily process of vaulting files.

(ii) Operations Interruptions. In the event of any unplanned or unscheduled interruptions of the operations of, or accessibility to, the Piano site(s), Piano shall use its commercially reasonable best efforts to restore service to Client as expeditiously as possible. Piano shall notify Client at least ten (10) minutes prior to any unscheduled interruptions. Piano shall notify Client at least within two (2) minutes of occurrence of any unplanned interruptions.

(l) Time Frames for Recovery. The time frames for restoration of Client’s service will vary according to the nature and magnitude of the disaster event, the availability of replacement equipment for drop-shipment and the speed with which alternate telecommunication circuits can be made available. Piano shall use commercially reasonable best efforts to work with telecommunications carriers and equipment vendors to restore service as expeditiously as possible.

(m) Maintenance of Safeguards. In addition to those requirements specifically set forth in this DPA, Piano agrees that it shall maintain safeguards throughout the Term against destruction, loss, or alteration of Client Data, which are no less rigorous than those in effect at other similar vendor site(s) as of the Effective Date of this DPA.

19.       Data Protection Impact Assessment. Each Party remains solely responsible for conducting a data protection impact assessment pursuant to Article 35 of the GDPR and prior consultation pursuant to Article 36 of the GDPR with respect to the Purposes. Nevertheless, if any Party conducts such data protection impact assessment which relates to this DPA, the other Party agrees to reasonably assist such Party by providing reasonable assistance or information.  In good faith, Piano may provide Client with its own data protection impact assessment with respect to the Purposes on the basis of the available information prior to concluding this DPA in order to help the Client to make its own data protection impact assessment.  

20.       Acceptable Use. Piano shall have an Acceptable Use Policy acceptable to Client. Among other things, such policy shall prohibit use by Piano employees and agents of non-business applications that could affect network and/or tool performance and shall mandate that under no circumstances shall any peer to peer applications/use be permitted on the network. Piano’s Acceptable Use Policies are subject to review and approval by Client. The Acceptable Use Policy shall have adequate, reasonable and at least industry standard access controls.

21.       Liability. Pursuant to Article 82 of the GDPR, Piano shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Client. Piano shall be exempt from liability if Piano proves that it is not in any way responsible for the event giving rise to the damage.

22.       Where Client is domiciled in the United Kingdom (“UK”), any reference to GDPR shall be interpreted as a reference to the UK law that is equivalent to the GDPR or that implements the GDPR not affecting validity and effectiveness of this DPA. The Parties wish to interpret this DPA in line with applicable UK legislation. Client is obliged to inform Piano about any requirements stemming from the UK law beyond the requirements stemming from the GDPR. This Section 22 shall not apply where Client is not domiciled in the UK.

23.       Service Analysis. As part of the Services and foreseen processing of Personal Data, Piano may (i) compile statistical and other information related to the performance, operation and use of the Services, and (ii) use Client Data from the Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (clauses (i) and (ii) are collectively referred to as “Service Analyses”).  Piano may make Service Analyses publicly available; however, the resulting Service Analyses will not incorporate Client Data or Confidential Information in a form that could identify or serve to identify Client or any data subject. Piano shall retain all intellectual property rights in said Service Analyses as its own confidential information.  

24.       Data Protection Officer. Piano has appointed Louis-Marie Guerif (privacy@piano.io) as its Data Protection Officer. 

EXHIBIT B (3)

 

DATA PROCESSING AGREEMENT FOR PIANO ANALYTICS 

 

Preamble 

This DPA applies to the processing of personal data by the Client and Piano solely for Piano Analytics. This DPA aims to define the obligations of each Party to ensure compliance with the current legislation on processing personal data and respecting personal privacy. It does not include the business provisions also agreed between the Parties in separate business agreements. This DPA only applies to Piano Analytics. Any other Products purchased by Client shall be subject to a separate Data Processing Agreement.

 

 Article 1. Definitions

For the purposes of this agreement, the terms “personal data”, “processing”, “restriction of processing”, “filing system”, “controller”, “processor”, “recipient”, “third party”, “consent”, “personal data breach” and “supervisory authority” have the same meaning as in EU Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”).

 

“Authorized Personnel” means any natural person authorized by the Controller to access the Solution and who has been granted access rights by the Controller (or, where applicable, by the Processor upon request of the Controller). Authorized Personnel may include, for example, employees, consultants, self-employed persons and agents of the Controller, as well as third parties having commercial relations with the Controller.

 

“Controller” means the Client.

 

“Data” means all the data defined below:

·       Available Raw Data means a part of the Raw Data accessible in real time to allow the Data Controller to check the implementation and the tagging.

·       Processed Data is all data accessible to the Controller in the secured web interface, via API or in exports (in all their formats: Excel, CSV, Word, etc.) after restructuring and enrichment by the Processor (geolocation, device detection, robot exclusion, etc.).

·       Raw Data means all data collected, before being enriched by the Processor. It comprises the hit and the HTTP header containing the IP address, the User Agent, the device ID (cookie ID, mobile ID, etc.) and the URL of the page that generated the hit (web mode). This data is not accessible to the Controller.

 

 Article 2. Compliance with European principles 

Each Party undertakes to comply with the legislation applicable to personal data and respect for private life, in particular with EU Regulation 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and with Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

 

 Article 3. Purpose

The objective of this Agreement is to determine the terms & conditions under which the Processor undertakes on behalf of the Controller to process the personal data defined below to provide a digital-analytics solution.

 

 Article 4. Compliance with instructions

The Processor undertakes to process the data in compliance with the Controller’s instructions as defined in this Agreement. 

The Controller benefits from a digital-analytics SaaS solution developed by the Processor for all its customers. Any special instruction particular to the Controller shall therefore be subject to the Processor’s prior approval, and the Processor reserves the right to accept or to refuse to follow the instruction based on the resources necessary to implement it, their costs and/or the feasibility of integrating it into the solution’s technical platform. Specific instructions shall only be implemented after the signature of a written agreement between the Controller and the Processor, which will set forth, where applicable, the related fees to be paid by the Controller.

If the Processor considers that an instruction shared by the Controller or any Authorized Personnel's usage of the Solution constitutes a violation of the regulations in force, it shall immediately inform the Controller.

 

 Article 5. Lawfulness of processing 

The Controller alone guarantees that the processing carried out by the Processor is lawful. In this respect, the Controller undertakes firstly to inform the users of its web and mobile sites and mobile applications of the digital-analytics service; and secondly to validly collect the consent of the persons concerned, when consent is required, and to inform them of their right to withdraw their consent at any time. The Controller undertakes to gather and preserve evidence of the consent obtained so as to prove that it was obtained.

When the Controller uses third-party cookies from Piano/AT Internet, the Processor undertakes to provide the Controller with the technical means allowing the persons concerned to oppose the collection and processing of their personal data (an opt-out), it being understood that making such a technical solution available to the persons concerned remains the responsibility of the Controller.

When the Controller uses a first-party cookie for the digital-analytics solution, it undertakes to provide the persons concerned with its own opt-out system.

 

 Article 6. Description of the processing to be sub-contracted

6.1     Scope of the processing

In providing a digital-analytics SaaS solution to the Controller, the Processor collects and processes data based on the tagging effected by the Controller in order to measure the audience for its internet, intranet and mobile sites, and for its mobile applications; the Controller may also measure the audiences for third-party sites and mobile applications, if this is duly authorized by the owner of the third-party site and/or third-party application (the Controller shall provide proof of this authorization at the Processor’s first request).

6.2    Purpose of the processing

The solution designed by the Processor is intended to produce data and analyses relating to audience statistics and digital intelligence, and to deliver them via the solution (web interface available to the Controller, data exports, API, etc.) 

In addition to the main purpose set out above, the Controller may wish to use the digital-analytics solution for other ancillary purposes, in particular related to the Controller’s activity sector and/or to the digital strategic objectives that it is pursuing.

Furthermore, the accessibility of the Available Raw Data is only permitted to allow the Data Controller to verify the implementation and the tagging.

6.3    Period of processing

Notwithstanding the data retention period defined in Article 11 of the DPA, the collection and processing of personal data shall continue throughout the duration of the business relationship between the Parties.

6.4    Persons concerned

The personal data relates to the following categories of persons concerned:

 

·       Authorized personnel of the Controller. 

·       Users of web sites, mobile sites and mobile applications audited using the Processor’s digital-analytics solution.

6.5    Type of personal data

The personal data belongs to one of the following categories of data:

·       Authorized personnel of the Controller: surname, first name, job title, business email address, business phone number, photograph, identifier/password (hashed) for connecting to the solution.

·       Users of web sites, mobile sites and mobile applications:

-        Data necessarily collected by the tag to achieve the main purpose:

§  IP address of visitor to the audited web or mobile site.

§  Cookie ID, identifier generated by the Piano/AT Internet cookie when activated in the web browser used by the visitor to the audited web site.

§  Mobile ID.

§  All browsing data related to these identifiers.

-        Data created by the Processor to achieve the main purpose: 

§  Visitor ID.

§  All digital analytics data restructured by the Processor that relates to this identifier.

-        Any data collected by the tag for the Controller’s ancillary purposes (collected not systematically but depending on the Controller’s implementation of the solution):

§  GPS coordinates of the visitor to the audited site or mobile application.

§  User ID, an identifier that enables an identified user (logged user) to be identified.

§  Transaction ID, an identifier enabling an order to be identified when using the e-commerce module.

§  Emailing recipient ID.

§  Other personal data collected via the Controller’s particular implementation of the solution.

§  Any digital-analytics data associated with such an identifier or such personal data.

-        Any data imported into the solution by the Controller for the Controller’s ancillary purposes:

§  Any personal data held by the Controller that it imports into the digital-analytics solution, and any digital-analytics data associated with this personal data.

6.6    Nature of processing

·       Authorized personnel of the Controller:

 

The personal data of the Controller’s authorized personnel is collected and used by the Processor in order to conduct the contractual relationship (access to the solution’s secured web interfaces, orders, project monitoring, invoicing, etc.).

The Processor also monitors how the Client’s authorized personnel use the solution in order to improve the services and best advise the Controller on using the solution.

 

This data is retained for up to one (1) month after termination of the business relationship between the Controller and the Processor or in compliance with the legal retention periods where applicable.


·       Digital-analytics solution:


| Type of data | Personal Data included in Raw Data and not available in the Solution | Personal Data included in the Accessible Raw Data | Personal Data included in Processed Data and available in the Solution |
|---|---|---|---|
| Types of data collected by default by the AT Internet tag and necessary to achieve the main purpose | | | |
| IP Address | Yes + anonymisation option upon Controller’s request (last byte) | No | No |
| Cookie ID | Yes (depending on the platform visited) | | Visitor ID |
| Mobile ID | Yes (depending on the platform visited) | | Visitor ID |
| Analytics Data related to one of these identifiers | Yes | | Yes (enriched) |
| Types of data that may be collected by the AT Internet tag at the initiative of the Controller and for its own ancillary purposes | | | |
| GPS | Yes (if used with SDK and implemented by the Data Controller), 2 decimal truncation * | | Yes (if collected) |
| User ID | Yes (if tracking is implemented by the Data Controller) | | Yes (if collected) |
| Transaction ID | Yes (if tracking is implemented by the Data Controller) | | Yes (if collected) |
| Emailing recipient ID | Yes (if tracking is implemented by the Data Controller) | | Yes (if collected) |
| Other personal data | Yes (if tracking is implemented by the Data Controller) | | Yes (if collected) |

 

The Processor, in supplying the digital-analytics SaaS solution, implements the processing in the following way:

 

1.      The Controller defines the sites, applications and connected devices for which it wishes to implement the solution, and the objectives it expects to achieve by using the Processor’s digital-analytics solution. It nominates one or more administrator(s) from among its Authorized personnel.

2.      The Processor informs the designated administrator(s) of the access rights and makes the Piano/AT Internet tag available to them in its secured web interface.

3.      The Controller, either the designated administrator or any other person authorized by him/her and to whom he/she has given corresponding access rights, sets the AT Internet tag in the pages of its web and mobile sites and its mobile applications.

4.       Depending on the technology chosen, and if the user consents or in cases when no consent is required, a tracer (cookie ID, mobile ID, etc.) is used during the user’s visit for the audited perimeter.

In order to determine if the same user has made several visits, the Processor uses the visitor’s IP address and/or the Cookie ID and/or the Mobile Identifier to automatically generate a numerical identifier, the Visitor ID. In no circumstances will this identifier allow the user to be identified by name. It is also not reversible: once it is determined, the Processor cannot track back to the IP address, Cookie ID or Mobile Identifier from which it came.

5.       The tags implemented by the Controller automatically prompt the sending of Raw Data to the Processor’s collection servers. The Controller has no access to these. In addition to various data items about logins, the Raw Data also contains personal data relating to the users of the audited perimeters. However, the Data Controller may have access to the Available Raw Data.

6.       The Processor performs initial processing on the Raw Data to put it in a form usable by a database. The Processed Data results from this conversion. The Controller may, if it wishes, and to pursue its own purposes, enrich the Processed Data with other files it has in its possession. In addition to the data collected for ancillary purposes as listed above, the Controller is technically capable of setting up a Piano/AT Internet tag to collect other personal data, such as data from forms completed by the user of the web site or the audited application. Data collected in this way will thus form part of the Raw Data and may also be contained in the Processed Data and hence accessible from the solution.

7.      The Processor allows the analyses and audience data to be recovered via the solution accessible only to the Controller’s Authorized personnel. The Controller accesses the Processed Data in this way. The Data is not transferred to any third party unless the Controller expressly requests it in writing beforehand, for instance if technology partnerships are available as part of the solution and are adopted by the Controller.
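The data-minimisation steps described above (last-byte IP anonymisation, two-decimal GPS truncation, and a non-reversible numerical Visitor ID derived from the IP address, Cookie ID or Mobile ID) can be illustrated with a small worked example. This is an added example, not Piano/AT Internet code: the page does not say how the Visitor ID is actually generated, so the keyed HMAC below is an assumption chosen only to show the one-way property the text describes, and the sample hit, the secret and the field names are constructed for the example.

```python
"""Illustrative data-minimisation helpers for a web-analytics hit.

Added example, not Piano/AT Internet code. The keyed HMAC used for the
Visitor ID is an assumption for illustration; the page only states that
the identifier is numerical and cannot be reversed to the source value.
"""
import hashlib
import hmac
import ipaddress
import math


def anonymise_ip_last_byte(ip: str) -> str:
    """Zero the last byte of an IPv4 or IPv6 address ("last byte" option)."""
    addr = ipaddress.ip_address(ip)
    packed = addr.packed[:-1] + b"\x00"
    return str(ipaddress.ip_address(packed))


def truncate_gps(lat: float, lon: float) -> tuple:
    """Truncate (not round) coordinates to 2 decimals, i.e. roughly 1 km."""
    def trunc2(value: float) -> float:
        return math.trunc(value * 100) / 100
    return trunc2(lat), trunc2(lon)


def derive_visitor_id(secret: bytes, source_identifier: str) -> int:
    """Derive a 64-bit numerical Visitor ID from an IP / Cookie ID / Mobile ID.

    HMAC-SHA256 under a server-side secret: the same source always yields the
    same Visitor ID (so repeat visits can be linked), but the source cannot be
    recovered from the Visitor ID, and without the secret a third party cannot
    even check a guessed source against it.
    """
    digest = hmac.new(secret, source_identifier.encode("utf-8"),
                      hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def process_hit(raw_hit: dict, secret: bytes, anonymise_ip: bool = True) -> tuple:
    """Split one collected hit into the Raw record and the Processed record.

    Returns (raw_record, processed_record). The Processed record is what would
    reach the web interface: it carries the Visitor ID and analytics fields,
    never the IP address or the Cookie ID.
    """
    raw_record = dict(raw_hit)
    if anonymise_ip:
        raw_record["ip"] = anonymise_ip_last_byte(raw_hit["ip"])

    # Prefer the Cookie ID as the linking key; fall back to the (full) IP.
    source = raw_hit.get("cookie_id") or raw_hit["ip"]
    processed = {
        "visitor_id": derive_visitor_id(secret, source),
        "page_url": raw_hit["page_url"],
        "user_agent": raw_hit["user_agent"],
    }
    if "gps" in raw_hit:  # ancillary data, only present if the tag collects it
        processed["gps"] = truncate_gps(*raw_hit["gps"])
    return raw_record, processed


# Constructed sample hit (not real traffic); documentation-range addresses.
SAMPLE_HIT = {
    "ip": "203.0.113.57",
    "cookie_id": "c0ffee-constructed-cookie-id",
    "user_agent": "Mozilla/5.0 (example)",
    "page_url": "https://www.example.com/article/42",
    "gps": (48.8566, 2.3522),
}
SAMPLE_SECRET = b"constructed-secret-for-the-example"

if __name__ == "__main__":
    raw, processed = process_hit(SAMPLE_HIT, SAMPLE_SECRET)
    print("raw record      :", raw)
    print("processed record:", processed)
```

The split matters for the controller: the Processed record is the only one reaching the web interface, so an audit of what Authorized Personnel can see should confirm that `ip` and `cookie_id` never appear there, while the Raw record (here with the last byte zeroed) stays on the collection side.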

 

 Article 7. Obligation to inform

The Controller undertakes to inform visitors to audited sites and applications of the data processing and of their resulting rights in a concise, transparent, comprehensible and easily accessible way, under the terms and conditions set out in Articles 13 and 14 of the GDPR.

The Processor undertakes to cooperate with the Controller in order to help it fulfill its obligation to inform the persons concerned and to respond to requests for information from the Controller as quickly as possible. 

 

 Article 8. Limitation on purposes

The main purpose of the processing implemented by the Processor is to provide the Controller with a digital-analytics SaaS solution allowing it to measure the audience for its internet and mobile sites and for its mobile applications. The solution collects statistical audience data on these digital platforms, which is later replicated in a secured web interface. This data enables the Controller to improve in particular the ease-of-use of its digital platforms, its offering and also the quality of its products and services.

 

Technically, the Controller is able to use the solution for its own ancillary purposes. If it does so, the Processor shall not be responsible for any use of the solution or the data by the Controller for purposes other than the statistical analysis of the audience for its sites, and in particular if non-essential personal data is collected, if personal data is imported into the solution, or if data from the solution is triangulated with the Controller’s own data or systems. Thus, if the Controller goes beyond the main purpose, it alone shall be liable to any third party or any supervisory authority.

 

The Processor shall refrain from any use of the Data other than that strictly necessary to provide the Solution to the Controller.

 

 Article 9. Minimizing the data

The Controller can install tags on the sites and applications it wishes to audit and can import data into the solution. It thus has full technical control over the scope of the data.

 

The personal data collected for the main purpose (see the first part of the table inserted in Article 6.6) is the only data collected by the tags that is strictly necessary to provide the digital-analytics solution. Collection of this data alone is relevant and appropriate to the main purpose of the processing.

 

In addition to the above, the Controller can still technically use the digital-analytics solution to collect or import data, and in particular personal data, to pursue its own ancillary purposes. The Controller undertakes to consider its obligation to minimize data and remains responsible for ensuring that the data introduced into the solution is in proportion to and suitable for the objectives it is pursuing. The Processor accepts no responsibility for such collection or importation, and informs the Controller that the technical and organizational measures ensuring the security, confidentiality and integrity of the data collected and/or imported for the Controller’s ancillary purposes will be identical to those used for the main purposes.

 

In any event, the Controller shall refrain from collecting or importing so-called “sensitive data” (Article 9 of the GDPR, special categories of personal data) or data relating to criminal convictions and offences (Article 10 of the GDPR). 

 

 Article 10. Accuracy of the data

The Controller undertakes to take all reasonable steps to ensure that inaccurate personal data is corrected or deleted. The Processor undertakes to cooperate with the Controller and to process requests for correction or deletion issued by the Controller and/or by users of its web and mobile sites and mobile applications.

 

 Article 11. Limit on retention

11.1 Retention during the business agreement

·       Standard retention

Raw and Processed Data is conserved by the Processor for twenty-five (25) months after collection. 

·       Customized retention

The Controller remains free to determine another retention time, provided storage time is shorter than twenty-five (25) months. The Controller’s administrator shall send a written request to the Processor’s Support Centre to enable the Processor to customize the retention period of Raw and Processed Data. 

Any storage time longer than the standard period must be subject to a specific agreement (billable option).

 

11.2 Purge at the end of the business agreement

The Processor undertakes to destroy the Controller’s Data and keep no copy of it beyond a date of one (1) month after the end of the business relationship between the Controller and the Processor, if there is no dispute with the Controller. The Controller also remains free to request immediate destruction of all Data upon the end of the business relationship.

 

 Article 12. Exercise of rights by the persons concerned

It is understood that the persons concerned are free to exercise the rights that the processing confers on them as regards and against the Controller. The Parties undertake to cooperate mutually in order to deal with all requests quickly and efficiently, and to be capable of responding to the person concerned within the legal period of one (1) month from the date the request is received.

 

When the request is made to the Controller, if it cannot take the matter further without the Processor’s support, the Controller undertakes to approach the Processor’s contact person as soon as possible and at most within five (5) working days of receiving the request, by emailing privacy@piano.io or the Processor Support Center. The Controller shall supply the Processor with all that is required to understand and review the request. The Processor shall supply the Controller with the information required within a time allowing the Controller to respond to the person concerned within the legal period of one (1) month. If the Processor cannot supply the Controller with the information required in time, and/or if it proves impossible to supply the information, the Processor shall inform the Controller that it must obtain additional time, or that it is not possible to fulfill the request of the person concerned.

 

When the request is made to the Processor and relates only to processing carried out on behalf of the Controller, the Processor undertakes to inform the Controller in writing of the request as quickly as possible and at most within five (5) working days of receiving it. The Processor shall supply the Controller with the information required within a time allowing the Controller to respond to the person concerned within the legal period of one (1) month. If the Processor cannot supply the Controller with the information required in time, and/or if it proves impossible to supply the information, the Processor shall inform the Controller that it must obtain additional time, or that it is not possible to fulfill the request of the person concerned.

 

 Article 13. Data integrity, confidentiality and security

The Processor undertakes to ensure the security of personal data, and more generally, the security of the Controller’s data, and to safeguard its integrity and confidentiality. In this regard, it undertakes to design and implement all appropriate technical and organizational measures to keep the data secure and to protect it against any accidental or unlawful destruction, accidental loss, distortion, diffusion or unauthorized access.

 

The technical and organizational measures must at minimum include:

 

-        Designating a Data Protection Officer, raising the awareness of its staff as to the confidentiality of personal data, and imposing a strict confidentiality obligation on its staff;

-        Having an IS security policy and updating it regularly;

-        Having a disaster recovery plan so that service can continue should an incident occur;

-        Carrying out regular intrusion tests and, should a weakness or vulnerability be identified, implementing any corrective measures quickly.

 

The Processor undertakes to restrict access to personal data just to those staff who need to know it, and the Processor reiterates that the Controller alone is responsible for and manages the access rights to the solution.

 

The Controller retains the right to carry out an annual audit of the solution in order to check that the technical and organizational measures implemented by the Processor are adequate. This right is subject to its giving reasonable notice (not less than 10 working days beforehand) of its intention to carry out such an audit during the Processor’s working hours. The Controller bears the cost of the audit and the Processor shall invoice the Controller for any resources, human or machine, that the Controller calls on during the audit. Both Parties shall be subject to an obligation of confidentiality as regards the results of these audits.

 

 Article 14. Data protection by design and by default

The Processor undertakes to protect personal data by default from the time the processing is designed, and the solution functionality developed. The methods used to achieve this include in particular nominating a Data Protection Officer with the required technical skills, raising employees’ awareness of data protection, and imposing on employees a strict confidentiality obligation.

 

 Article 15. Subcontracting

The Processor states that, with the agreement of the Controller, Processor’s affiliate located in France (Applied Technologies Internet SAS, registered in the Trade and Companies Register of Bordeaux as number 403 261 258, having its head office at 85 avenue J F Kennedy 33700 Mérignac, France) is entrusted with the development, provision and maintenance of the solution, with customer support services and with administrative support (such as marketing and sales administration services).

 

To perform the services listed above, the Processor’s affiliate Applied Technologies Internet SAS (hereinafter the “Sub-processor”) involves the contractors (hereinafter the “Contractors”) listed at the following link: https://www.atinternet.com/en/processor-sub-processor-information-subsidiaries. By signing the quote referring to this Data Processing Agreement, the Controller acknowledges having read and accepted the said list.

 

In all circumstances, the Processor shall alone remain responsible to the Controller for all the obligations following from this Agreement. It is the initial Processor’s responsibility to ensure that the Sub-processor offers adequate guarantees that it has implemented technical and organizational measures such that the processing complies with the requirements of the GDPR. If the Sub-processor does not fulfill its obligations to protect data, the initial Processor shall remain fully accountable to the Controller for the execution by the Sub-processor of its obligations.

 

The Processor is free to change the list of Sub-processors. It must, however, inform the Controller beforehand of any planned change involving the addition or replacement of Sub-processors. The information must state clearly the subcontracted processing activities and the identity and contact details of the Sub-processor. The Controller shall have eight (8) calendar days from the day it receives the information to present its objections. The subcontracting cannot be finalized unless the Controller has raised no objection during the agreed period.

Article 16. Transfer outside the European Union

The Controller's audience data, i.e. that relating to visitors to sites and applications audited by the AT Internet solution, is stored in the European Union. As the solution is SaaS, the Processed Data nevertheless remains accessible to all authorized staff with the necessary access rights and an internet connection, irrespective of their location.

However, the Processor is authorized by the Controller to use processing facilities located in a third country within the meaning of the GDPR if the Processor complies with one of the following guarantees:

- The legislation of the third country concerned provides an adequate level of protection for personal data and is recognized as such by a decision of the European Commission;

- The Processor has concluded with a Sub-processor outside Europe a contract for the transfer of personal data in accordance with the model clauses drawn up by the European Commission;

- The Processor's subsequent non-European Sub-processor has subscribed to an authorized transfer mechanism for personal data validated by the European Union institutions;

- The Processor's non-European Sub-processor has adopted "Binding Corporate Rules" validated by a competent supervisory authority.

Article 17. Liability

Pursuant to Article 82 of the GDPR, Piano shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Client. Piano shall be exempt from liability if Piano proves that it is not in any way responsible for the event giving rise to the damage.

Article 18. Competent supervisory authority

The competent supervisory authority as regards the activities and processing carried out by the Processor is the authority supervising the Controller.

The Parties undertake to cooperate with the competent supervisory authority and to provide it without delay with any information it requires to carry out its work.

Article 19. Notification should personal data be compromised

If a personal data breach occurs, the Processor undertakes to notify the Controller of the breach without undue delay after having become aware of it. The notification shall have the form and content required by the GDPR so that the Controller can report the breach to the competent supervisory authority.

The Controller is responsible for informing the persons concerned without undue delay, for instance by publishing a notice on the web sites, mobile sites and mobile applications from which the compromised data originated.

Article 20. Documentation and register of processing operations

The Processor states that it keeps a register of the processing carried out on behalf of the Controller. The register has the content and form required by the GDPR. The Processor shall also make available to the Controller the documentation necessary to demonstrate compliance with all its obligations and to enable the Controller to perform audits.

Article 21. Impact assessment and prior consultation

The Processor undertakes to provide any necessary assistance to the Controller if the Controller is required to carry out an impact assessment on a processing operation covered by this agreement. If this impact assessment indicates that the processing presents a high risk to the rights and freedoms of data subjects, the Processor shall also assist the Controller in responding to the information requested by the competent supervisory authority in the event of consultation prior to the implementation of the processing operation.

Article 22. Point of contact: Data Protection Officer (DPO)

The Processor undertakes to designate a Data Protection Officer (DPO) for the term of the contractual relationship between the Controller and the Processor, and to give the Controller his/her contact details.

The Controller undertakes to do likewise if it meets the criteria listed in the GDPR that require a Data Protection Officer (DPO) to be designated. Otherwise, it shall give the contact details of the person responsible for dealing with issues related to protecting personal data and respecting privacy.

The Controller will appoint a contact point for data privacy matters by sending a notification to the Support Center of the Processor. If the Controller has not appointed a specific contact point, the account administrator(s) shall be the contact point.

The contacts above may be approached not only by the other Party but also directly by any person concerned, who shall find their contact details on the web sites of both the Processor and the Controller.

Piano has appointed Louis-Marie Guerif (privacy@piano.io) as its Data Protection Officer.

Each Party undertakes to notify the other immediately of any change to the named contact person.

[1] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 May 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

[2] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

[3] This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

[4] The “hit” is the HTTP request (or HTTPS request, depending on the Controller configuration) to the Processor’s servers that generally comes from the JavaScript Tag of the mobile SDK as supplied by the Processor and containing the user’s raw browsing data.