License Agreement and Terms of Usage

360inControl License Agreement and Terms of Usage

Version: 1.0, April 14th 2018

 

1.  Definitions

Definitions in this Agreement are following international standards and common sense. The following definitions are outlined specifically as they are contract-specific and relevant for the Agreement.

(1)   360inControl – is a product available as a Software as a Service (SaaS) Platform.

(2)   INSTANCE – A physical set-up of 360inControl including architecture and configuration, owned or leased by the PROVIDER.

(3)   TENANT – A logical area on 360inControl, separated and secured. Licensed by the LICENSEE and accessed by Users.

(4)   LICENSEE – is a USER in 360inControl with admin rights. The LICENCEE has purchased 360inControl as a SaaS solution, according to the PRICEPLAN. The LICENCEE has a business relationship with CISS.

(5)   ADMINISTRATOR – is a USER in 360inControl with special rights and acting as the legal representative of the LICENSEE managing the TENANT.

(6)   USER – Individual registered in 360inControl. The USER is maintained in an INSTANCE-wide directory. A USER can be assigned to multiple TENANTS within 360inControl. A USER can be invited by the TENANT via an e-mail address. A USER cannot be searched across TENANTS.

(7)   THIRD-PARTY SERVICE PROVIDER – All individuals or legal companies contracted by CISS to provide, install, maintain and support 360inControl including time and material services.

(8)   PRICEPLAN – Plan defining the validity (start and end date), the number of USERS, (max. number of USERs), selected product (e.g. content-specific), selected content, selected functionality as outlined on www.360inControl.com.

2.  Parties

(9)   PROVIDER – CISS – Comprehensive Information Security Switzerland GmbH of Switzerland is providing 360inControl.

(10)LISENCEE – The LISENCEE can either be an individual or a legal entity. The LICENSEE has a legally binding relationship with the PROVIDER. The LICENSEE assigns at least one ADMINISTRATOR to interact with the PROVIDER in all contractual relevant terms, such as PRICEPLAN, renewals etc.

3.  Terms Acceptance

(11)The business language for communication and documentation is English.

(12)The actual pricing, service descriptions, functionality etc. is provided on website www.360inControl.com or within 360inControl.

(13)Every individual requiring access to 360inControl needs to accept this Agreement before access to 360inControl is granted. A PDF copy is available for download. With this acceptance, the USER explicitly accepts and allows the purpose to process the Personal Information (See Privacy Policy).

(14)This Agreement and the Privacy Policy are also serving as acceptable use guidance.

(15)By purchasing and/or using a PRICEPLAN on the 360inControl, the LICENSEE and the USERS agrees to and accepts

1.     this license Agreement, including acceptable use rules,

2.     the Privacy Policy, and

3.     the selected PRICEPLAN (LICENSEE and ADMINISTRATOR only)

(16)This Agreement shall come into force during the user registration upon accepting this Agreement and the Privacy Policy online [Consent and effective date is stored in User Profile].

(17)The PROVIDER will distribute updates of this Agreement with reasonable lead time for the LICENSEE and registered USER.

(18)Update of terms and their acceptance only happens electronically.

(19)USER not accepting new versions of this Agreement or Privacy Policy will be blocked from accessing the system.

(20)Certain Terms of this Agreement remain in force after terminating the subjects of this Agreement, see chapter “19 Effects of Termination”.

4.  Subject Matter of the Contract

(21)Object of this Agreement is the 360inControl offered by the PROVIDER and the usage by the LICENSEE and assigned USER during and after the expiration of the chosen PRICEPLAN and period.

(22)This Agreement is covering the license for the usage of 360inControl according to the PRICEPLAN all functionality and services. No ownership rights are transferred from the PROVIDER to the LICENSEE under this Agreement.

(23)Updates to 360inControl within the purchased functionality are included in the PRICEPLAN.

(24)Trial access, functionality and periods are provided on discretion of the PROVIDER. The LICENSEE and the involved USERS enter into no obligation to purchase a PRICEPLAN by using 360inControl Test and Trial version. Nevertheless, obligations of this Agreement are set in effect by accepting the license Agreement and the Privacy Policy when creating the user profile.

(25)This Agreement is also valid for the LICENSEE that uses the Test and Trial version of the 360inControl.

(26)The PROVIDER hereby grants to the LICENSEE, for the contract period, a worldwide, non-exclusive license for:

a)    usage of the 360inControl in accordance with the Agreement;

b)    usage within all legal entities where the LICENSEE has a share of more than 50%;

c)     usage by USERS and THIRD-PARTY SERVICE PROVIDER performing contractual work for the LICENSEE;

d)    extraction of the content by the functionality provided by the 360inControl to generate reports, graphs and extracts;

e)    modification and enhancement of the content with the functionality provided (e.g. generate company templates) in 360inControl.

5.  Obligations of the PROVIDER

The PROVIDER

(27)treats the information of the LICENSEE entered and operated by 360inControl as confidential

(28)choses secure and reliable THIRD-PARTY SERVICE PROVIDER and Data Processors

(29)ensures a secure system configuration

(30)keeps the system configuration up to date

(31)ensures an ongoing monitoring of 360inControl, to remediate any negative impact in reasonable time

(32)takes request coming from LICENSEE and USER serious to improve 360inControl

(33)Upon request, offers the LICENSEE the non-exclusive right to audit on LICENSEEs expenses. The LICENSEE resp. the potential LICENSEE can request an offer for a LICENSEE initiated audit in advance. The PROVIDER will estimate the effort for the audit and provide a written quote to the requestor. The requestor must provide a written order.

(34)On request, the PROVIDER informs the LICENSEE and USERS about incidents, breaches, outages, service interruptions.

6.  Obligations of the LICENSEE

The LICENSEE

(35)is obliged to evaluate if 360inControl, based on the information provided in this Agreement and the Privacy Policy can be used for the LICENSEE targeted purpose. The PROVIDER recommends, to evaluate 360inControl against the classification (confidentiality, integrity, availability) of the intended use

(36)ensures that its USERs, adhere to this Agreement, the Privacy Policy and terms are fulfilled. This explicitly includes the adherence to security and confidentiality policies

(37)has to pay the necessary charges required for the selected PRICEPLAN in advance

(38)has to keep information about USER in the TENANT confidential, especially Personal Information

(39)has to ensure that sharing of user accounts with multiple individuals is not allowed and a breach to this agreement

(40)is aware, that circumventing established system security measures is not allowed

(41)may not sub-license and must not strive to sub-license any rights granted under this Agreement

(42)must not sell, resell, rent, lease, loan, supply, publish, distribute or redistribute the 360inControl extracts and content

(43)must not store/keep full extracts for further use after the license Agreement expires

(44)ensures that added content e.g. new controls created respect and is legal and in alignment with intellectual rights e.g. copy rights of third parties. PROVIDER is not liable for such intellectual rights violation of the LICENSEE or any USER the LICENSEE grants access

(45)ensures that the ADMINISTRATOR assignment for its TENANT is kept up to date. The PROVIDER sends license Agreement relevant communication and updates to the LICENSEE and ADMINISTRATOR

(46)will be informed by e-mail prior to the expiry of the PRICEPLAN and understands the consequences, if the PRICEPLAN is not renewed.

(47)The LICENSEE is accountable to keep the USER population for its TENANT up-to-date to avoid unwanted access. We recommend to perform recurring user revalidations at least once per year.

7.  Obligations of the USER

(48)The USER is obliged to keep its user profile and information up-to-date

(49)The USER has to keep its system credentials especially the password or if applicable the two-factor credentials confidential

(50)The USER is obliged to report data loss, security breaches, data privacy breaches, misconfiguration to the LICENSEE or TENANT ADMINISTRATOR and to the PROVIDER (info@ciss.ch)

(51)The USER is advised to use a password different from the password the USER has for its e-mail account.

(52)The USER has to keep its devices used to access 360inControl secure. OS and applications are patched and an anti-virus/malware software is installed and kept up-to-date.

8.  Access to 360inControl

(53)The PROVIDER reserves the right to suspend access to 360inControl in case of;

1.     a court request,

2.     severe or ongoing violations to this Agreement or third party intellectual rights violations,

3.     system misuse, including suspected misuse.

9.  PROVIDER Service Support Model & Options

(54)The PROVIDER provides all support information and documentation in English.

(55)Each support request will be answered in due time. Support requests from LICENSEES with an active PRICEPLAN will be dealt with high priority.

10.      Costs, Payments, Upgrade and Renewals

(56)The actual PRICEPLAN is outlined on www.360inControl.com.

(57)The details of the chosen PRICEPLAN, including the total amount will be outlined to the LICENSEE before payment.

(58)Successful payment by ‘credit card’, enables the LICENSEE to use 360inControl straight away.

(59)Successful payment by ‘in advance payment’ requires that the LICENSEE transfers the invoice amount to the PROVIDER. To enable a smooth connection to 360inControl the LICENSEE has to provide evidence to the PROVIDER that payment was transferred.

(60)Upgrade of existing PRICEPLAN, with

1.     ‘credit card’: the remaining period of time will be charged pro rata, already paid amount deducted. Details listed on invoice.

2.      ‘in advance payment’: the LICENSEE has to contact PROVIDER.

(61)Detailed invoice is stored in 360inControl, accessible by LICENSEE and ADMINISTRATOR.

(62)The LICENSEE has to wave the “Right to Withdraw from a Contract” based on the Directive 2011/83/EU on Consumer Rights “Art. 16 (m) the supply of digital content”. Under no circumstances is the PROVIDER obliged, to pay back any purchased PRICEPLANS, even if the LICENSEE does not want to use 360inControl anymore.

(63)If the PRICEPLAN is due for renewal, the LICENSEE and ADMINISTRATOR will receive an e-mail with the notice to renew the PRICEPLAN. If the price plan is not renewed, a grace period is automatically initiated. The grace period is a voluntary service provided by the PROVIDER. The LICENSEE will be informed of the length of the grace period and that if the price plan is not renewed, access to 360inControl will be blocked. From this point on, the PROVIDER can delete all accesses and data of the LICENSEE without prior warning.

(64)Taxes and VAT will be charged for Swiss customers. For all other countries, the LICENSEE is obliged to settle applicable taxes and VAT according to country specific regulations.

11.      Warranties

(65)The PROVIDER guarantees the LICENSEE and USER on the security of 360inControl that;

1.     independent security evaluations are performed regularly

2.     360inControl will incorporate security features reflecting the requirements of industry best practice and international standards

3.     infringements of intellectual property rights are taken seriously and are investigated

4.     security incident (or suspicion of) are taken seriously and are investigated.

12.      Exclusions & Limitations of Liabilities

(66)The PROVIDER shall not be liable to the LICENSEE in respect of any loss of life, profits, resources, anticipated savings, revenue or income, any loss of use or production, any loss of business, contracts or opportunities, any loss or corruption of any data or database and any special, indirect or consequential loss or damage.

(67)Hereby the PROVIDER makes the LICENSEE especially aware that a missed PRICEPLAN renewal can lead to unrecoverable data loss of the TENANT.

(68)The LICENSEE can purchase auto-renewal options for its TENANT; subject to availability.

(69)Implementation of the provided controls of the 360inControl will not guarantee organizational compliance to any standard.

(70)The PROVIDER shall not be liable to the LICENSEE in respect of any direct or indirect losses arising out of a Force Majeure Event, fraud, fraudulent mis-representation, spyware, malware, technical problems, hackers etc.

(71)Although the PROVIDER aligns and implements industry standards in 360inControl, no guarantees are given by the PROVIDER that the system is compatible to other firm-, soft- and hardware used by the LICENSEE and USER.

(72)The PROVIDER shall not be liable to the individuals, if LICENSEE or USER granted access by a LICENSEE process personal information or even sensitive personal information outside the defined purpose of this Agreement or the related Privacy Policy. If the PROVIDER gets to know about those cases, a notice to the authorities will be initiated, if required by the applicable legislation.

(73)The PROVIDER shall not be liable to third parties, if LICENSEE or USER granted access by a LICENSEE violate third party right, intellectual property rights etc. using 360inControl.

(74)The PROVIDER shall not be liable to third parties, for LICENSEE or USER intellectual right infringement of third parties.

(75) The LICENSEE/USER acknowledges that

1.     software is never entirely free from defects, errors and bugs; the PROVIDER gives no warranty or representation that the Hosted Services will be wholly free from defects, errors and bugs.

2.     complex software is never entirely free from security vulnerabilities; the PROVIDER gives no warranty or representation that the Hosted Services will be entirely secure.

3.     the PROVIDER does not provide any legal, financial, accounting, taxation advice under this Agreement.

13.      System Security

(76)The PROVIDER considers security and compliance as crucial aspects. Therefore, system development includes security reviews, security testing among other principles like data privacy by design and data privacy by default. The LICENSEE and USER understand that security breaches are possible, although security is taken serious in development and operations of software solutions.

(77)The PROVIDER is committed to establish necessary measures to protect the licenses information and USER’S personal information against loss and unauthorized access.

(78)The PROVIDER allows access to the system via latest versions of the most common browsers with a defined patch level. Access through older versions and unsecure browsers might be suppressed automatically and on short notice. The LICENSEE is hereby advised to use the Trial period to evaluate compatibility of the environment used.

(79)All data transfers are encrypted using state of the art protocols e.g. https.

(80)Data at rest is encrypted whenever possible.

(81)If mobile apps are provided, they are only distributed through certified stores.

(82)“Jail broken” mobile device access to 360inControl is not allowed.

(83)Availability provided; LICENSEE with higher information security requirements can chose from additional options that come with additional cost:

1.     On premises installation of their own 360inControl INSTANCE.

2.     Proxy encryption between their enterprise network and their 360inControl TENANT.

3.     An own 360inControl INSTANCE with private encryption keys.

4.     Other new security technologies after evaluation of the PROVIDER if feasible.

14.      Personal Information & sensitive Personal Information

(84)The PROVIDER followed the Privacy by Design and Privacy by Default principles when designing the system.

(85)Every individual can register as a USER in 360inControl with valid personal e-mail address. Generic e-mail addresses like e.g. info@xx.com are explicitly not allowed. The system will send a registration invitation to that e-mail address. If this request link is not used for 24h, the system deletes the e-mail unrecoverable.

(86)To register, in addition to the already provided e-mail, the intended USER has to provide the following mandatory fields:

1.     User ID

2.     First Name (stored as User Name in Combination with the Last Name)

3.     Last Name (stored as User Name in Combination with the First Name)

(87)Before the system stores the user registration successfully and allows system usage, the individual must confirm the LICENSEE Agreement (this document) and the Privacy Policy. Other user profile information (mobile phone, office phone, skype ID etc.) is optional and transparent to the individual at any time.

(88)To purchase a PRICEPLAN, the LICENSEE needs to provide an invoice address (private or company) which is stored with the TENANT Master data. This address will be used to determine Tax eligibility.

(89)The USER can request account deletion. To do this, the USER must notify the PROVIDER by e-mail. PROVIDER reserves the right to contact the USER to ensure that the request is legitimate.

15.      Purpose of Data Processing

(90)The LICENSEE is in full control and accountability of who (USER) has access to its TENANT.

(91)In addition to the Users that the LICENSEE manages, named individuals of the PROVIDER (Instance ADMINISTRATORs) have access to the TENANT and user information. Every TENANT ADMINISTRATOR has the right to request a list of these individual once per calendar year for free.

(92)USER has full control over its Personal Data in the user profile.

(93)To ensure system reliability and security all USER actions are tracked in an audit trail, covering; timestamp, user name, performed action, result of action.

(94)The website www.360 incontrol.com and 360inControl use common tracking and analytics tools e.g. google analytics, cookies etc. The USER can block these mechanisms e.g. in the used web browser. This blocking might have negative impact on the functionality of 360inControl.

16.      Data Protection

(95)The PROVIDER is fully committed to Data Protection and individual Data Privacy rights. Therefore, a dedicated Privacy Policy is maintained which is published on the product website https://www.360inControl.com/privacy-policy .

(96)The PROVIDER’s Privacy Policy is an integral part of the Agreement, it outlines in detail e.g.;

1.     The USER’s right for information

2.     The PROVIDER’s Data Privacy Officer contact information

3.     Retention periods

(97)All parties have to comply with the data privacy laws applicable.

17.      System Availability & Maintenance

(98)The PROVIDER takes all necessary effort to ensure an uninterrupted availability of the system 7×24/365 with all functionality offered.

(99)The PROVIDER performs backups of the entire 360inControl system every 24 hours (RPO).

(100)      Trial TENANTs are not backed up. With buying a PRICEPLAN the TENANT will be covered by the backup process.

(101)      The LICENSEE can purchase special backup and recovery service, subject to availability.

(102)      Recovery from major outages (RTO) is best effort.

(103)      Necessary maintenance windows and planned outages are whenever possible scheduled for Saturdays and announced to all USERs with sufficient lead time.

(104)      LICENSEE with higher availability requirements can chose from additional options that come with additional cost:

1.     On premises installation with own 360inControl INSTANCE.

2.     TENANT mirroring.

3.     An own 360inControl instance with private own backup and recovery plan and own encryption keys.

4.     Other recovery options are constantly evaluated by the PROVIDER and if deemed appropriate offered to LICENSEE.

18.      Termination of Agreement

(105)      A dedicated termination notice by the LICENSEE is not required. Not renewing a PRICEPLAN represents a termination notice under this Agreement.

(106)      LICENSEE initiates terminations during the PRICEPLAN period, including an ultimate and unrecoverable deletion of the TENANT with all data need to be submitted in written by registered letter to the PROVIDER.

(107)      The PROVIDER can terminate all PRICEPLANs in electronic form at any time without stating a reason. Purchased PRICEPLANs in 360inControl will remain active and accessible for the LICENSEE and Users until the purchased period is expired.

(108)      No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach.

19.      Effects of Termination

(109)      The termination of this Agreement shall not affect the accrued rights of either party.

(110)      LICENSEE respectively its ADMINISTRATORs have the opportunity to download their data for further use until the PRICEPLAN expires.

(111)      Upon the termination of the license period, the LICENSEE must immediately cease to use any of the licensed controls and audit templates of the 360inControl.

(112)      Any export and further use of 360inControl content for future audits, import into other audit tools etc. is prohibited. Such a use is violating the intellectual property rights of the PROVIDER;

(113)      Controls which have been created, uploaded, substantially modified by the LICENSEE and the TENANT Users are excluded from this restriction.

20.      Third-Party Service PROVIDER

(114)      The PROVIDER reserves the rights for sub-contracting.

(115)      The PROVIDER works with reseller, distribution and implementation partners to provide timely and quality service in all locations.

(116)      The PROVIDER ensures adequate vetting of all subcontractors, reseller, distribution and implementation partner.

(117)      Conditions for reseller, distribution and implementation partners are subject to special contracts.

(118)      This Agreement is also applicable for USERS and regular use of 360inControl by resellers, distribution and implementation partners.

21.      No assignment of Intellectual Property Rights

(119)      The design, functionality, process, workflows etc. of 360inControl are protected intellectual property rights of the PROVIDER.

(120)      Nothing in this Agreement shall operate to assign or transfer any Intellectual Property Rights from the PROVIDER to the Customer or from the Customer to the PROVIDER.

(121)      The LICENSEE acknowledges to be liable for any infringement of intellectual property rights.

22.      General

(122)      This Agreement in combination with the actual version of the PROVIDER Privacy Policy constitutes the entire Agreement.

(123)      If any provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect.

(124)      No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach.

(125)      This Agreement shall be governed by and construed in accordance with Swiss law.

(126)      The courts of Basel and Baselland, Switzerland shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement.

(127)      Amendments are only valid in written Agreements signed by the PROVIDER and the legal representative of the LICENSEE.