Syntrio's Privacy Policy

Introduction

Syntrio has provided eLearning content and anonymous hotline services/products to its customers for over twenty years. This Privacy Policy covers all products/services offered by Syntrio and its divisions. Any reference to “Syntrio” represents Syntrio and its divisions.

This Policy relates to Personal Information (i.e., information that identifies a specific individual) and related data that Syntrio, Inc. (“Syntrio”) collects or otherwise receives, through its website, directly from customers, and through other means. It does not include Syntrio Human Resources information.

The Federal Trade Commission has jurisdiction over Syntrio’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Notice

Syntrio collects and otherwise receives the following types of Personal Information and related data:

Customer Service: Syntrio receives directly from business customers Personal Information related to their employees and third parties through its learning management system (LMS) and online courses. This data may include: name, email, employee number, department, function, and other non-sensitive Personally Identifiable Information (PII) pertaining to an employee’s demographic characteristics. In addition, Syntrio records certain education information such as employee course completion, course bookmark, course quiz score, course review, and other data that enables the customer to understand their employees’ performance and to help Syntrio improve its course quality.
Syntrio receives and processes anonymous hotline reports. The information contained on an anonymous hotline report may contain PII. Anonymous hotline report information can contain name, email, employee information, and complainant details regarding the incident being reported.
Customers may directly input PII, including Sensitive PII, into the Case Management System at their own discretion. Syntrio does not collect this information on behalf of the customer. Syntrio staff may access this information for technical maintenance purposes only. This staff has signed confidentiality agreements with respect to protection and non-disclosure of this information.
Marketing: Syntrio subscribes to various services that provide individuals’ names, titles, business email addresses, and other contact information of prospective and current customers for marketing purposes. Syntrio gathers customer and prospect names, telephone numbers, email addresses, and related contact information at trade shows and other events. Syntrio gathers the above contact information from visitors to our website when these individuals provide this data to us directly.

Syntrio complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Syntrio has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Syntrio has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) compliance not resolved by any of the other mechanisms. The following link provides additional information regarding binding arbitration:

https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

Onward Transfers of Data

Syntrio provides Personal Information to the following types of third parties for the identified purposes to:

A. Business partners, serving as sub-processors, to assist us in delivering our products and services to customers. This data is not accessible by the third party under contract.

In transferring Personal Information to these parties as sub-processors, we:

- - Only provide data for limited and specific purposes related to delivering our products and services or other Company operations;
  - Ascertain that the sub-processor’s policies maintain a commensurate level of compliance regarding this data.
  - Take reasonable steps to ensure the sub-processor effectively processes this data in a manner consistent with our duties under the Principles;
  - Require the sub-processor to notify us if it makes a determination that it can no longer meet obligation commensurate with the Principles; upon such notice, we take reasonable steps to stop and remediate unauthorized processing;
  - Will provide a summary or a representative copy of relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce upon request.

B. Business partners for co-marketing purposes (where we market to their customers and they market to our customers).

In transferring Personal Information to these parties as data controllers, we seek to:

- - Only transfer data for limited and specified purpose;
  - Determine that the organization is obligated to provide at least the same level of privacy protection as is required of Syntrio;
  - Take reasonable steps to ensure the organization effectively processes Personal Information in a manner consistent with Syntrio’s data privacy duties;
  - Expect the organization to notify us if it makes a determination that it can no longer meet its data protection obligation; upon notice, take reasonable steps to stop and remediate unauthorized processing;
  - Provide a summary or a representative copy of relevant privacy provisions of our contract with that organization or our third-party partners’ policies to the U.S. Department of Commerce upon request.

Syntrio does not provide its third-party Processors with personal information. However, Syntrio remains liable under the Data Privacy Frameworks if Syntrio’s third-party Processor onward transfer recipients process relevant Personal Data in a manner inconsistent with the Data Privacy Frameworks’ Principles, unless Syntrio proves that it is not responsible for the event giving rise to the damage.

Choice

Individuals from whom Syntrio collects and for whom it maintains Personal Information may limit use and disclosure of this Personal Information through the following:

To be disclosed to a third party, other than as an agent, or
To be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.

Syntrio provides opt-out mechanisms in related communications that allows individuals to remove themselves from future or unrelated communications. Individuals can always contact us directly to exercise their choice regarding these communications. Specifically, we provide an opt-out mechanism where we intend to share an email address with a third-party for a purpose other than that for which the Personal Information was collected.

Note that Syntrio must process certain Personal Information to provide its products and services to its customers. For example, Syntrio may need to provide product/service update information to fulfill the terms of its service. In such situations, no opt-out mechanism is available, other than cancelling the product or service.

For Sensitive Personal Information: If Syntrio collects Sensitive Personal Information, such as personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual, we will provide an opt-in mechanism before using it or sharing it with third parties if such use would be for a purpose other than what it was intended for when initially collected.

Hotline Services

Related to the company’s hotline services, Syntrio collects information from clients’ employees and other related parties to report ethics and compliance violations. Information can be submitted to Syntrio via web form, facsimile, mail, email, text message, and telephonically. Syntrio may collect information from users automatically when they contact us, which may include the name of the domain and host from which the users access the Internet; the Internet protocol (IP) address of their computer; the type of browser and software operating system being used; web log data, including the date and time of access to our website; the Internet address of the website from which the user linked to our site; and the phone number which the user called from.

For most communications with Syntrio regarding its hotline services, we do not require PII. There are opportunities where the user will be given the option to provide PII. The information that may be provided by the user may include name, email address, telephone number, and address. Depending on the request and other circumstances, other information may also be collected. It is the user’s discretion and determination whether to provide such information.

Syntrio may disclose aggregated data and statistics in order to describe the use of our services to our prospective and existing clients, partners, and other third parties, and for other lawful purposes. Syntrio may disclose part or all of a user’s PII when Syntrio believes, in good faith, that the law requires such disclosure. Additionally, Syntrio is required to disclose PII in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In most cases, Syntrio does not require a user to provide PII to use our services. By choosing to provide PII, the user agrees to the terms of this Privacy Policy.

Syntrio does not share any specific user information outside of Syntrio.

Anonymous Website Data

Syntrio uses tracking technologies on its website to provide our visitors with certain features, to better understand how visitors use our website, and to advertise to visitors, sometimes through relationships with third parties, such as Google or Yahoo. Our website visitors are able to control certain tracking technologies through their own browsers they use to visit our website.

External Links

Syntrio’s website may provide links to other organizations’ websites. Syntrio is not responsible for these organizations’ privacy practices or their website content

Security

Syntrio takes reasonable and appropriate measures to protect Personal Information that it creates, maintains, uses, or disseminates from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

Data Integrity and Purpose Limitation

Data Processing

Personal Information is limited to information that is relevant for the purposes of processing.

Syntrio strives not to process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Syntrio takes reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current. Syntrio adheres to the Principles for as long as it retains such information.

Data Retention

Syntrio retains Personal Information in a form identifying or making identifiable the individual only for as long as it serves the purpose of processing. Syntrio takes reasonable and appropriate measures in complying with this provision.

Syntrio seeks to maintain the accuracy, completeness, and relevance of Personal Information it maintains. It provides individuals subject to this data with an opportunity to review their Personal Information, upon request, to ensure that it is accurate, complete, current, timely, and reliable for its intended use. The Company will work with these individuals to ensure Personal Information meets these objectives.

Access

Syntrio provides individuals with Personal Information that the Company maintains with an opportunity to review their Personal Information, upon request, to ensure that it is accurate, complete, current, timely, and reliable for its intended use, and make corrections, as warranted. In certain instances, the Company may charge a fee for this service, provided that the fee is not excessive.

Individuals also can raise any complaints regarding the Company’s data privacy practices as follows. The Company will respond within a reasonable time to any request or complaint, not to exceed 45 days. Individuals can contact the following regarding any questions or complaints regarding their Personal Information: · https://syntrio.com/success-center/

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Syntrio commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Syntrio at: https://syntrio.com/success-center/

Policy Changes

Syntrio may change this policy to remain consistent with governing law and other good practices of data privacy protection. When changes are made to this Policy, the company will communicate these changes to all employees, update it on the Company’s website and maintain a copy of the previous privacy policies. The Company will also notify customers of any material changes to this policy to allow them to make any choices of how we will use their Personal Information going forward.

Recourse, Enforcement, and Liability

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Syntrio commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to Judicial Arbitration and Mediation Services, Inc., an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.jamsadr.com for more information or to file a complaint. The services of Judicial Arbitration and Mediation Services, Inc. are provided at no cost to you.

Syntrio may be required to disclose Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Syntrio has further committed to refer unresolved privacy complaints to an independent dispute resolution mechanism provided above.

If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the independent dispute resolution service provide listed above for more information and to file a complaint.

Self-Certification

Syntrio will assess its adherence to its privacy policies annually. This assessment will include the following:

A review of Syntrio privacy policies for ongoing conformance with applicable law.
Review of the Personal Data that Syntrio collects and means of collecting this data.
Inclusion of mechanisms, and related communications, so that individuals can review their Personal Data, correct it, ask questions, or file a complaint.
Training for Syntrio employees, based on their degree of involvement with Personal Data.

Business Transfer

If Syntrio should undergo a business transfer, such as a merger, acquisition, divestiture, or other such action, that will likely lead to Personal Information being transferred to a new entity, the Company will provide a notification on our website of any change in ownership or uses of this Personal Information, as well as any choices related parties may have regarding this Personal Information.

Syntrio Inc. complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom (and Gibraltar), and Switzerland to the United States. Syntrio Inc. has certified to the U.S. Department of Commerce that it adheres to these Data Privacy Framework Principles. If there is any conflict between the terms in this privacy policy and these Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/

This Privacy Policy supersedes a prior Privacy Policy dated May 2021. You can contact Syntrio to learn more about updates included in this Privacy Policy.

4. Proprietary rights

4.1 You shall own all right, title and interest in and to Your Data, in the form submitted to the Alyne Service. You shall be the sole controller and responsible for maintaining the accuracy of Your Data. Before terminating these Terms, you are responsible for extracting Your Data, if required.

4.2 Subject to these Terms, and solely to the extent necessary to provide the Alyne Service to you, you grant Alyne a worldwide, limited term licence to access, use, process, copy, transmit, distribute, perform, export, and display Your Data. Solely to the extent that reformatting Your Data for display in the Alyne Service constitutes a modification or derivative work or a modification to a database contained or represented in Your Data, the foregoing licence also includes the right to make such modifications and derivative works and/or create modified databases. We may also access your accounts, End User accounts, and your instance of the Alyne Service with End User permission in order to respond to your support requests.

4.3 You grant Alyne a worldwide, perpetual, irrevocable, royalty-free licence to use and incorporate any suggestion, enhancement request, recommendation, correction or other feedback provided by you or your End Users into the Alyne Service.

4.4 Alyne shall own and retain all right, title and interest in and to: (a) the Alyne Service and all improvements, enhancements or modifications thereto; (b) any software, applications, inventions or other technology developed in connection with Professional Services or support; and (c) all intellectual property rights related to any of the foregoing. No rights or licences are granted except as expressly set out in these Terms. Nothing in these Terms shall operate to assign or transfer any intellectual property rights from Alyne to you.

4.5 All of the Alyne Service and related documentation is copyrighted by Alyne. Unauthorised copying, distribution, modification, public display, communication to the public or public performance of copyrighted works is an infringement of Alyne’s copyrights.

4.6 Selecting a value for a variable in an Alyne Control Statement, adding a custom value to an Alyne Control Statement, creating a Custom Control Set or Funnel or Assessment or generating an Alyne Report does not affect Alyne’s intellectual property rights or provide you usage rights beyond the Subscription Term.

5. Payment of Fees

5.1 You shall pay Alyne the fees described in the Order for the Alyne Service and Professional Services in accordance with the terms stated on the Order (the “Fees”). If your use of the Alyne Service exceeds the User Quota set out on the Order or otherwise requires the payment of additional fees (per these Terms), you shall be billed for such usage and you agree to pay the additional fees at our then current rates.

5.2 Alyne reserves the right to change the Fees or applicable charges and to institute Fees and charges at the end of the Initial Term or then current renewal term, upon 30 days’ prior notice to you (which may be sent by email); in case you do not raise an objection to that increase, the change in Fees shall be deemed as accepted; in all other case, you shall have the right to terminate the Alyne Service under these Terms with 15 days’ notice prior to the applicable Initial Term. If you believe that Alyne has billed you incorrectly, you must contact Alyne no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit. Inquiries should be directed to [email protected].

5.3 Alyne or one of its Affiliates at Alyne’s instruction may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Alyne no later than 30 days after the mailing date of the invoice. Unpaid amounts are subject to a finance charge of 9 percentage points per year above the basic interest rate published by the German Federal Bank (Section 288, 247 BGB) on any outstanding balance, plus all expenses of collection. Failure to pay may result in immediate termination of Alyne Service.

5.4 Your Fees under these Terms exclude any taxes or duties payable in respect of the Alyne Service in the jurisdiction where the payment is either made or received. To the extent that any such taxes or duties are payable by Alyne, you must pay to Alyne the amount of such taxes or duties in addition to any fees owed under these Terms. Notwithstanding the foregoing, if you have obtained an exemption from relevant taxes or duties as of the time such taxes or duties are levied or assessed, you may provide Alyne with such exemption information, and Alyne shall use reasonable efforts to provide you with invoicing documents designed to enable you to obtain a refund or credit from the relevant revenue authority, if such a refund or credit is available.

5.5 Purchased subscriptions and paid Fees are not refundable; provided, however, that your warranty rights under clause 7 (Warranty and disclaimer) and the Non-excludable Australian Conditions shall remain unaffected. Without affecting your termination rights under clauses 6.2 and 6.5 and subject to the Non-excludable Australian Conditions, partial refunds of usage costs for the current term are also not refundable upon termination.

5.6 If you make any purchases through an authorised partner or reseller of Alyne (“Reseller”):

instead of paying Alyne, you shall pay the applicable amounts to the Reseller, as agreed between you and the Reseller;
your order details (for example, the User Quota, the Initial Term, etc.) shall be as stated in the order placed with Alyne by the Reseller on your behalf, and the Reseller is responsible for the accuracy of any such Order as communicated to Alyne;
if you are entitled to a refund under these Terms, then unless Alyne otherwise specifies and subject to Non-excludable Australian Conditions, it shall refund any applicable fees to the Reseller and the Reseller shall be solely responsible for refunding the appropriate amounts to you; and
Resellers are not authorised to modify these Terms or make any promises or commitments on Alyne’s behalf, and Alyne is not bound by any obligations to you other than as set forth in these Terms.

6. Term and termination

6.1 Subject to earlier termination as provided below, these Terms are for the Initial Term as specified in the Order, and shall be automatically renewed for additional periods of the same duration as the Initial Term (collectively, the “Subscription Term”), unless either party requests termination at least 30 days prior to the end of the then-current term. For the avoidance of doubt, if you terminate before the end of the Subscription Term, subject to the Non-excludable Australian Conditions, you shall not be entitled to any refund of any prepaid amounts.

6.2 Either party may also terminate these Terms upon 30 days’ notice (or without notice in the case of non-payment), if the other party fails to remedy a material breach of any of the terms or conditions of these Terms within 30 days after notice. You shall pay in full for the Alyne Service up to and including the last day on which the Alyne Service is provided, except where you terminate these Terms due to a culpable breach of these Terms by Alyne and subject to the Non-excludable Australian Conditions.

6.3 Upon any termination, you must cease use of the Alyne Service and delete (or at our request, return) all confidential Information and intellectual property of Alyne in your possession.

6.4 Upon any termination, Alyne will make Your Data available to you for electronic retrieval for a period of 30 days (in a common file format as reasonably required), but thereafter Alyne will delete Your Data according to its obligations by law; provided that Alyne’s statutory obligations of data retention shall remain unaffected.

6.5 If you terminate these Terms in accordance with clause 6.2, we will refund you any prepaid Fees covering the remainder of the then current term after the effective date of termination. If we terminate these Terms in accordance with clause 6.2, you shall pay any unpaid Fees covering the remainder of the then-current term after the effective date of termination. In no event shall termination relieve you of your obligation to pay any fees payable to us for the period prior to the effective date of termination, subject to the Non-excludable Australian Conditions.

6.6 Except where an exclusive remedy may be specified in these Terms, the exercise by either party of any remedy, including termination, shall be without prejudice to any other remedies it may have under these Terms, by law or otherwise.

6.7 All clauses of these Terms which by their nature should survive termination shall survive termination or expiration of these Terms, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, indemnities and limitations of liability.

6.8 In addition to any other remedies it may have, Alyne reserves the right to suspend your access to the Alyne Service, without prior notice, if: (a) any amount you owe to Alyne is more than 30 days overdue; or (b) if Alyne believes you or your End Users have violated any of these Terms.

7. Warranty and disclaimer

7.1 Alyne will use commercially reasonable efforts consistent with prevailing industry standards to maintain the Alyne Service in a manner which minimises errors and interruptions in the Alyne Service and will perform the Professional Services in a manner which enables you to use the Alyne Service in accordance with these Terms. The Alyne Service may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Alyne or by third-party providers, or because of other causes beyond Alyne’s reasonable control, but Alyne will use commercially reasonable efforts to provide advance notice by email of any scheduled service disruption. The Alyne Service may also be temporarily unavailable due to circumstances beyond our control, including, but not limited to, natural disasters, acts of governments, civil unrest, acts of terror, strike, cyber security incidents or service provider failures.

7.2 Alyne will provide basic support to you at no additional cost. Support requests may be raised by emailing [email protected] and Alyne will take commercially reasonable efforts to respond within 2 business days. Alyne reserves the right to define additional commercial arrangements for the resolution of complex support requests.

7.3 Subject to the Non-excludable Australian Conditions, your statutory rights in respect of defects in the Alyne Service are limited as follows:

Alyne does not assume any liability for initial material defects in the Alyne Service;
You are entitled to terminate the Alyne Service if Alyne has not successfully remedied a defect, despite that you have notified and set consecutively to Alyne two reasonable periods to remedy the defect;
Your right to reduction of Fees is excluded. This does not affect your right of reimbursement of overpayment of Fees; and
Your right to claim damages resulting from defects is limited as per clause 8 (Limitation of liability).

7.4 Subject to Non-excludable Australian Conditions, your rights against Alyne for defects shall expire 12 months after the beginning of the statutory warranty period. For clarification: the parties agree that updates or upgrades that Alyne provides for the Alyne Service during the Subscription Term shall not extend the warranty period.

7.5 The parties agree that any guarantee within the meaning of Sections 443, 444 German Civil Code shall require an express written commitment on the part of Alyne, in which the terms “guarantee” or “guaranteed” are used.

7.6 The Alyne Service (including Control Statements, Control Sets, Reports, Insights, Assessments and Funnels) are advisory in nature and do not constitute assurance, legal advice or audit results. Consequently, no opinions or conclusions intended to convey assurance are expressed through the Alyne Service. Due to the nature of the Alyne Assessment approach, it is possible that errors, unidentified risks or other irregularities may occur and remain undetected. Alyne cannot guarantee completeness of its content libraries or your usage of the Alyne Service. Relying solely on the results produced through the Alyne Service does not alleviate your Management’s responsibility to implement and maintain adequate controls over your entire operation, or to detect and prevent fraud and other violations of regulatory or legal responsibilities.

8. Limitation of liability

8.1 Subject to the provisions in clause 8.2, Alyne’s statutory liability for damages shall be limited as follows:

Alyne shall be liable only up to the amount of damages as typically foreseeable at the time of entering into the contract in respect of damages caused by a slightly negligent breach of a material contractual obligation (i.e. a contractual duty the fulfilment of which is essential for the proper execution of the contract, the breach of which endangers the purpose of the contract and on the fulfilment of which a customer regularly relies); and
Alyne shall not be liable for damages caused by a slightly negligent breach of a non-material contractual obligation.

8.2 The aforesaid limitation of liability shall not apply to any mandatory statutory liability (in particular to liability under the German Product Liability Act), liability for assuming a specific guarantee or liability for damages caused by wilful misconduct or gross negligence, or any kind of wilfully or negligently caused personal injuries, or liability pursuant to the Non-excludable Australian Conditions.

8.3 You shall take all reasonable measures to mitigate and/or to avoid damages, including, in particular, an obligation for you to make back-up copies of data on a regular basis and to carry out security checks (in particular for the purpose of defending or detecting viruses, malware and other disruptive programmes within your own IT System).

8.4 Regardless of the legal grounds giving rise to liability, subject to Non-excludable Australian Conditions, Alyne shall not be liable for indirect and/or consequential damages, including, in particular, loss of profit and loss of interest, unless any such damage has been caused by Alyne’s wilful misconduct or gross negligence.

8.5 Unless otherwise specified in an Order and other than in case of wilful misconduct or gross negligence and subject to the Non-excludable Australian Conditions, Alyne’s liability shall be capped to a sum equivalent of 100% of the Fees paid or payable under the Agreement per year regardless of the number of incidents.

8.6 To the extent Alyne’s liability is limited or excluded, the same shall apply in respect of any personal liability of Alyne’s legal representatives, employees and vicarious agents.

9. Indemnity

9.1 You agree to indemnify and hold harmless Alyne (and its Affiliates, officers and representatives) from and against any claims, costs, damages, losses, liabilities and expenses (including attorneys’ fees under the applicable statutory fee schemes) resulting from any claim culpably caused by you, finally awarded against Alyne by a court of competent jurisdiction once all appeal rights are exhausted or agreed to in a written settlement agreement signed by you arising out any claim or allegation by any third party and arising from or related to: (a) any claims or disputes brought by your End Users arising out of their use of the Alyne Service; (b) your culpable breach of clause 2 (Customer restrictions and responsibilities; audit right); or (c) Your Materials.

9.2 Alyne will defend and indemnify you against any and all costs, damages, and expenses (including attorneys’ fees under the applicable statutory fee schemes) finally awarded against you by a court of competent jurisdiction once all appeal rights are exhausted or agreed to in a written settlement agreement signed by Alyne arising out of any claim or allegation by a third party that the Alyne Service infringes, misappropriates or violates any intellectual property rights of any third party. In the event that the Alyne Service is held to infringe a third party’s intellectual property rights, Alyne may, at its option and expense (a) replace or modify the Alyne Service to be non-infringing, without materially adversely affecting the Alyne Service’s specified functionalities; (b) obtain for you a licence to continue using the Alyne Service; or (c) terminate this Agreement and return to you any prepaid fees unearned by Alyne. Alyne’s liability for claims of infringement for damages under this clause 9.2 shall be subject to the limitation of liability under clause 8. Alyne shall not be obligated to defend, and indemnify you for any claims to the extent based on: (i) any of your or any third party’s intellectual property or software incorporated in or combined with the Alyne Service where in the absence of such incorporated or combined item, there would not have been infringement, but excluding any third party software or intellectual property incorporated into the Alyne Service at Alyne’s discretion; or (ii) the Alyne Service that has been altered or modified by you, by any third party or by Alyne at the request of you (where Alyne had no discretion as to the implementation of modifications to the Alyne Service or Documentation directed by you), where in the absence of such alteration or modification the Alyne Service would not be infringing.

9.3 Each party’s obligations under this clause 9 are conditioned upon (a) prompt written notification by the indemnified party of any threatened or actual claim or suit; provided that a failure of prompt notification shall not relieve the indemnifying party of liability hereunder except to the extent that defences to such claim are materially impaired by such failure of prompt notification; (b) allowing the indemnifying party to have sole control of the defence or settlement of any claim or suit, except that the indemnifying party may not, without the indemnified party’s prior written consent, enter into any settlement that does not unconditionally release the indemnified party from liability; and (c) the indemnified party providing the indemnifying party, at the indemnifying party’s request and expense, with the assistance, information and authority necessary to perform the indemnifying party’s obligations under this clause 9.

10. Privacy

10.1 You acknowledge that Alyne collects, uses, stores and otherwise processes Your Data, including your or your End Users’ personal information, utilisation data and any data created, stored or uploaded through you, and your End Users using the Alyne Service and may share such data with third party service providers for the purposes of improving or providing the Alyne Service. For more information please refer to Alyne’s Data Privacy Notice, available here.

10.2 Processed data includes your name, email address, postal address including this data from your End Users. If you have provided credit card details, our PCI-DSS compliant payment processor will store and use this data for purposes of performing authorised payment transactions.

10.3 All personal data will be treated confidentially and in compliance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and other applicable legislation.

10.4 You acknowledge that Alyne may access, preserve and disclose your personal information and Your Data created, stored or uploaded to the Alyne Service if required to do so by law or to comply with a legal process.

10.5 Without prejudice to the restrictions in clause 2.3, you further agree to inform Alyne if you are using the Alyne Service to process Sensitive Personal Data.

10.6 Alyne will use domestic and international service providers to support the provision of the Alyne Service. Alyne will apply the Terms as defined in clauses 10 and 11 to the contracts with these subcontractors. A subcontractor outside of the European Economic Area will only be selected by Alyne, if an adequate level of data privacy and protection is provided.

11. Commissioned data processing

11.1 If you are operating in the European Union and intend on processing personally identifiable information (as defined in the GDPR) with the Alyne Service, the requirements from Article 28 of the GDPR apply to these Terms.

11.2 Alyne will not assume data ownership or control of Your Data and will only process this data on your behalf and upon your request.

11.3 You shall be responsible for implementing the requirements defined in the GDPR as the data controller, while Alyne shall be responsible for technical and organisational protection measures for Your Data.

11.4 If the requirements stated in clause 11.1 of these Terms are met you can request that Alyne and you agree a contractual addendum meeting the legal requirements for commissioned data processing.

12. Miscellaneous

12.1 If any provision of these Terms is found to be unenforceable or invalid, that provision shall be eliminated, but this Agreement shall otherwise remain in full force and effect and enforceable.

12.2 The claims under these Terms are not assignable or sublicensable by you except with Alyne’s prior written consent. Alyne may assign any of its claims under these Terms without consent.

12.3 These Terms is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of these Terms.

12.4 All waivers and modifications must be in writing signed by both parties including this written form clause, except as otherwise provided herein.

12.5 The Alyne Service and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Alyne and you each represent that it is not named on any U.S. government denied-party list. You shall not permit any End User to access or use the Alyne Service in a U.S.-embargoed country or region or in violation of any U.S. export law or regulation.

12.6 No joint venture, or employment is created as a result of these Terms and you do not have any authority of any kind to bind Alyne in any respect whatsoever.

12.7 All notices under these Terms shall be in writing. There are no third-party beneficiaries under these Terms.

12.8 We may identify you as an Alyne customer in our promotional materials and on our website, without disclosing any further detail of your usage of the Alyne Service or any other commercial arrangements. We will promptly stop doing so upon your request sent to [email protected].

13. Alyne contracting entity; governing law

13.1 The Alyne entity entering into these Terms, the law that shall apply in any dispute or lawsuit arising out of or in connection with these Terms, and the courts that have jurisdiction over any such dispute or lawsuit, shall depend on where you are domiciled. The terms of the United Nations Convention on Contracts for the Sale of Goods do not apply to these Terms. The Uniform Computer Information Transactions Act (UCITA) shall not apply to these Terms regardless of when or where adopted. Each party agrees to the applicable governing law below without regard to choice or conflicts of law rules, and to the exclusive jurisdiction of the applicable courts below.

13.2 If you are domiciled in Australia the Alyne entity entering into these Terms is Alyne Australia Pty Ltd (an Australian corporation), the governing law is the laws of the State ofVictoria, Australia, and the courts of Victoria, Australia shall have exclusive jurisdiction.

13.3 If you are domiciled outside of Australia, the Alyne entity entering into these Terms is Alyne GmbH (a German corporation), the governing law is the laws of Germany, and the courts ofMunich, Germany shall have exclusive jurisdiction.

14. Definitions

Certain capitalised terms used in the Terms are defined in this clause 14, and others are defined contextually in these Terms.

“Affiliate” means an entity which, directly or indirectly, owns or controls, is owned or is controlled by or is under common ownership or control with a party, where “control” means the power to direct the management or affairs of an entity, and “ownership” means the beneficial ownership of greater than 50% of the voting equity securities or other equivalent voting interests of the entity.

“Alyne Policies” means Alyne’s standard published policies, as updated from time to time.

“Alyne Service” means the Alyne Software as a Service, including Alyne’s content libraries (specifically the Alyne Control Statement Library and the Alyne Risk Library), reference material, glossary, and help text purchased by you and made available online by Alyne.

“End User” means an individual you or an Affiliate permitted or invited to use the Alyne Service. For the avoidance of doubt: (a) individuals invited by your End Users, (b) individuals under managed accounts, (c) individuals interacting with the Alyne Service as your customer, (d) Admin & Expert Users, Expert Users and Business Users (as specified in your instance of the Alyne Service), and (e) individuals who respond to an Assessment in your instance of the Alyne Service, are also considered End Users.

“HIPAA” means the Health Insurance Portability and Accountability Act, as amended and supplemented.

“Initial Term” means your initial permitted subscription period for the Alyne Service, as set out in the applicable Order.

“Laws” means all applicable local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and the exportation of technical or personal data.

“Non-excludable Australian Conditions” means any statutory or implied condition, warranty or guarantee under Australian law including applicable Australian Consumer Law as set out the Australian Specific Terms, the exclusion of which from a contract would contravene any statute or cause any part of these Terms to be void.

“Order” means Alyne’s approved ordering document or process describing the Alyne Service you are ordering from Alyne, including the agreed: (a) User Quota; (b) Initial Term; (c) Professional Services (if any); and (d) Fees.

“PCI DSS” means the Payment Card Industry Data Security Standards.

“Professional Services” means any professional services related to Customer’s use of the Alyne Service, such as consulting, implementation, or training services, provided by Alyne to Customer as expressly identified in the Order, which – if subject to German law – are of a service contractual nature within the meaning of Sections 611 et. seq. German Civil Code and shall in no case be interpreted in such a way that Alyne owes a certain outcome to the customer when performing the Professional Services, unless the parties have expressly specified in writing that Ayne shall provide an implementation service under a works contract (“Werkvertrag”) within the meaning of Sections 631 et. seq. German Civil Code.

“Sensitive Personal Data” means any: (a) categories of data enumerated in European Union Regulation 2016/679, Article 9(1) or any successor legislation; (b) patient, medical or other protected health information regulated by HIPAA; (c) credit, debit or other payment card data subject to PCI DSS; (d) other information subject to regulation or protection under specific laws such as the Gramm-Leach-Bliley Act (or related rules or regulations); (e) social security numbers, driver’s licence numbers or other government ID numbers; or (f) any data similar to the foregoing that is protected under foreign or domestic laws or regulations.

“Subscription Term” has the meaning given in clause 6.1.

“User Quota” means the User Quota specified in the Order.

“Your Data” means any data, content, code, video, images or other materials of any type that you (including any of your End Users) submit to the Alyne Service, including personal information of you or your End Users, comments, object descriptions, file attachments, and fully custom created control statements or risks. In this context, “submit” (and any similar term) includes submitting, uploading, transmitting or otherwise making available Your Data to or through the Alyne Service.

“Your Materials” means your materials, systems, personnel or other resources.

Addendum

Australian Specific Terms

Each party agrees that the following Australian Specific Terms shall apply in addition to the Terms above if the laws of Australia are applicable due to clause 13.2 and provided that Australian Consumer Law is applicable to the Customer.

If there is a conflict between the Terms above and these Australian Specific Terms, these Australian Specific Terms shall prevail.

1. Definitions

Capitalised terms have the meaning given in the Terms above unless otherwise defined below:

“ACL” or “Australian Consumer Law” means the Australian Consumer Law set out at Schedule 2 to the Competition and Consumer Act 2010 (Cth).

“Non-excludable Australian Conditions” shall have the meaning set forth in clause 14 of the Terms.

“Sensitive Personal Data” includes, without limiting the definition set out in the Terms above, sensitive information as defined in the Privacy Act 1998 (Cth) and health information, or any similar term, as defined in any applicable Australian Federal, State or Territory legislation relating to the handling of health records or health information.

2. Consumer Laws

2.1 If Alyne is liable for a failure to comply with a Non-excludable Australian Condition, including in respect of the guarantees described in paragraphs 2.5 and 2.6 below, where it would be permitted by law, Alyne limits its liability (at its absolute discretion and option) to:

in the case of goods, either the repair or replacement of the goods, or the supply of equivalent goods or payment of the cost of having the goods repaired or replaced or of acquiring equivalent goods; and
in the case of services, the supply of the services again or payment of the cost of supplying the services again.

2.2 Any warranty against defects (as defined in the ACL) set out in the Terms above are provided by the following Alyne entity:

Alyne Australia Pty Ltd
Level 1 Front Suite, 19 to 21 Toorak Rd
South Yarra VIC, Australia 3141
+49 89 4581 9940
[email protected]

2.3 Claims under a warranty against defects set out in the Terms above must be made by written notice to Alyne Australia Pty Ltd using the address above, setting out the nature of the defect. You are responsible for the costs of claiming under a warranty against defects.

2.4 The benefits of any warranties against defects provided in the Terms above are in addition to your other rights and remedies under a law in relation to the goods and services to which the warranty relates.

2.5 If you are obtaining our goods or services as a consumer under the Australian Consumer Law, our goods and services come with guarantees that cannot be excluded under the Australian Consumer Law. For major failures with the Alyne Service, you are entitled to cancel your service contract with us and to a refund for the unused portion, or to compensation for its reduced value.

2.6 You are also entitled to choose a refund or replacement for major failures with goods. If a failure with the goods or a service does not amount to a major failure, you are entitled to have the failure rectified in a reasonable time. If this is not done you are entitled to a refund for the goods and to cancel the contract for the service and obtain a refund of any unused portion. You are also entitled to be compensated for any other reasonably foreseeable loss or damage from a failure in the goods or service.

3. Privacy

For the purpose of clause 10.3 in the Terms above, other applicable legislation includes, without limitation, the Privacy Act 1998 (Cth).