DocuWare Cloud-Services Agreement with
4 Crotty Lane, Suite 200
New Windsor NY 12553
(hereinafter “Service Provider”)
1. Scope of this Agreement
1.1 This DocuWare Cloud-Services Agreement (“Agreement”) is by and between Service Provider and Customer. This Agreement shall govern Customer´s use of Cloud-Services consisting of the cloud based document management, applications (including Local Application Programs as defined below), storage space, computing capacity and other cloud based services as made available by DocuWare www.docuware.com/cloud to the extent contracted for by Customer with Service Provider in an Order (as defined below) hereunder and upon the effective date of such Order (collectively “Cloud-Services”). The commercial terms and other specifications of the Cloud-Services (e.g., fees, term, type of Cloud-Services etc.) will be agreed between Service Provider and Customer in an Order placed by Customer if confirmed by Service Provider (“Order”).
1.2 In consideration of the Customer´s compliance with this Agreement and the applicable Order, the Service Provider will (on and subject to the terms and conditions of this Agreement and the applicable Order) procure these Cloud-Services from a local affiliated company of the DocuWare-Group (such affiliate hereinafter referred to as “DocuWare”). DocuWare may, in its sole discretion, subcontract the provision of the Cloud-Services to third parties (e.g., external data centers) without notice to or approval of Customer (subject always to Schedule 1).
1.3 Use of Cloud-Services requires licenses under intellectual property or copyrights of DocuWare and its third party licensors, which intellectual property and copyrights are protected under governing law and under international statutory law. DocuWare reserves all rights, title and interest in and to the Cloud-Services, including all related intellectual property rights. No rights are granted to Customer hereunder other than as expressly set forth in this Agreement. The Cloud-Services are deemed DocuWare Confidential Information (as defined below).
2. Authorized User
Authorization for the use of Cloud-Services is limited to those individuals who are employed or otherwise working for Customer to the extent such individuals are specifically identified by Customer when configuring the Cloud-Services (hereinafter, “Authorized User”). Any use by third parties, including but not limited to users employed by or working for companies that are affiliated with Customer, shall require a prior express prior agreement with Service Provider in the Order.
3. Scope and Content of Cloud-Services
3.1 Scope and content of the Cloud-Services are described at http://go.docuware.com/CloudFunctions and in the applicable Order or in the most current whitepaper that has been published by DocuWare and are subject to change as per Sections 3.3 and 3.4.
3.2 The Authorized User will solely receive the online-support-documentation made available when accessing the Cloud-Services. Service Provider may, in its discretion, provide additional project documentation and/or workshops regarding the use of Cloud-Services upon Customer´s request.
3.3 The Service Provider reserves the right, in its sole discretion, to change, modify or alter the Cloud-Services during the term of this Agreement at any time (e.g., in relation to the user interface and functionalities of the applications); provided, however, Service Provider will not materially impair the overall functional scope with such modifications.
3.4 Changes to the Cloud-Services will, if any, be implemented through updates and upgrades, and Service Provider will inform Customer of any such changes through the Customer’s registered email address(es) with DocuWare. For the avoidance of doubt, Customer needs to register at least one email address with DocuWare for purposes of such notification.
4. Restrictions to the Authorized User´s Rights
4.1 The Authorized User may receive local application programs for the Cloud-Services. Authorized Users may use such local software application programs provided by Service Provider and accessible as part of the Cloud-Services (“Local Application Programs”) solely for the purposes of using the Cloud-Services. For the term of this Agreement the Authorized User shall have the revocable, non-exclusive, non-sublicensable, non-transferable right:
(i) to install such Local Application Programs on hardware devices operated and controlled by Customer; and
(ii) to use such Local Application Programs for the purpose of using the Cloud-Services in compliance with the online-support-documentation available as part of the Cloud-Services.
4.2 Neither Customer nor any Authorized User is permitted to: (i) modify, copy, create derivative works decompile or reverse-engineer the Cloud-Services or Local Application Programs other than as expressly permitted by applicable statute to permit interoperability and then only after notice to Service Provider; (ii) frame or mirror any content forming part of the Cloud-Services; or (iii) access the Cloud-Services in order to (a) build a competitive product or service, or (b) copy any ideas, features, functions or graphics of the Cloud-Services.
4.3 The Cloud-Services and the Local Application Programs referred to under Section 4.1 may be used by Authorized Users for Customer´s internal business purposes only. Except as set forth in Section 1.3, neither the Customer nor the Authorized User shall (i) have a right to license, sublicense, transfer, sell, resell, rent, lease, distribute, time share, assign share or otherwise commercially exploit or make the Cloud-Services available to any third party, other than to Authorized Users or as otherwise expressly contemplated by this Agreement; (ii) send spam or otherwise duplicative or unsolicited messages in violation of applicable laws; (iii) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material that is harmful to children or violates third party privacy rights; (iv) send or store viruses, worms, time bombs, trojan horses or other harmful or malicious code, files, scripts, agents or programs; (v) interfere with or disrupt the integrity or performance of the Cloud-Services or the data contained therein; (vi) attempt to gain unauthorized access to the Cloud-Services or related systems or networks; (vii) access the Cloud-Services if Customer is a direct competitor of DocuWare; or (viii) access the Cloud-Services for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes.
4.4 Service Provider will exercise reasonable efforts to provide a 99.5% availability of the Cloud-Services per calendar year, excluding any Downtime. “Downtime” shall mean unscheduled downtime of the Cloud-Services caused by emergencies or Force Majeure Events (as defined below) and downtime due to scheduled maintenance activities of the Cloud-Services (“Scheduled Maintenance”). Service Provider will use reasonable efforts to limit any downtime due to Scheduled Maintenance to four (4) times per year for up to eight (8) hours each, and to notify by way of e-mail or via the DocuWare website with a notice period of at least five (5) calendar days.
4.5 The Customer will install and configure Cloud-Services in a way which avoids any excessive utilization of the DocuWare systems. In this case the Customer will be informed hereof and the Service Provider reserves all rights resulting from such breach.
4.6 The use of the Cloud-Services requires Internet access and computing facilities with the system requirements identified in the technical documentation available at http://go.docuware.com/whitepaper-cloud for the relevant Cloud-Services. Customer is aware and accepts that such requirements may during the term of this Agreement be changed from time to time, and Service Provider shall use reasonable efforts to provide at least four (4) weeks’ notice of any such changes. Customer is responsible for all activities that occur in Authorized User accounts and for Authorized Users' compliance with this Agreement. Service Provider is not responsible for determining the requirements of laws applicable to Customer’s business, including those relating to Cloud-Services that Customer acquires under this Agreement, or Service Provider’s provision of or Customer’s receipt of a particular Cloud-Services under this Agreement meets the requirements of such laws.
5. Service Provider´s Rights to Customer Provided Data and Documents
5.1 Customer hereby grants Service Provider free of any charges the right to copy, store, modify, alter, archive or otherwise use any data and documents provided by Customer and Authorized User when utilizing the Cloud-Services, including corresponding “have used” rights for DocuWare and DocuWare’s subcontractors, provided such subcontractors are subject to confidentiality and restricted use obligations similar to those under this Agreement. The Authorized User hereby represents, warrants and covenants to have been effectively granted all necessary rights by its customers, users and all affected third parties which are necessary for using the Cloud-Services.
5.2 Service Provider shall process personal data within the Cloud-Services only subject to Customer´s commission and instructions as per Schedule 1. The Customer and each Authorized User shall ensure that the collection, forwarding and such processing of personal data fully comply with all applicable data privacy and protection laws.
5.3 Customer shall and hereby covenants and agrees to defend and indemnify Service Provider against any third party claims and to hold Service Provider harmless from any and all damages, claims or losses, including reasonable attorneys’ fees, resulting from Customer´s breach of Sections 4.3, 5.1 and/or 5.2 of this Agreement.
5.4 Customer shall be liable and responsible for any acts and omissions of the Authorized Users to the same extent Customer is liable and responsible for its own acts and omissions.
5.5 The Customer and the Authorized User shall immediately notify Service Provider of any loss of any access codes and/or of any use of the Cloud-Services being not compliant with the terms of this Agreement.
6. Term / Termination of the Agreement and Order
6.1 This Agreement commences on the date the applicable Order is executed by both parties (“Effective Date”) and continues until such Order executed in connection with this Agreement has expired or been terminated (“Term”), unless this Agreement and the Order is terminated earlier pursuant to this Section 6.
6.2 Any Order executed under this Agreement shall have an initial minimum term of at least twelve (12) months (or such longer period as set forth in the applicable Order; the “Initial Term”). Thereafter, each Order shall automatically renew for consecutive twelve (12) month periods (each, a “Renewal Term”) upon the expiration of the Initial Term and any Renewal Term; provided, however, either party may elect not to renew an Order upon at least twenty-eight (28) days’ written notice prior to end of the Initial Term or any Renewal Term of such Order. Upon at least twenty-eight (28) days’ notice to Service Provider prior to the end of the Initial Term and/or Renewal Term of an Order, Customer may also elect to reduce or increase the scope under the applicable Order (i.e., volumes and/or capacities), which reduction or increase shall take effect upon the end of the applicable Initial Term and/or Renewal Term.
6.3 Either party may terminate this Agreement and the applicable Order for cause. For purposes of this Agreement, “cause” shall exist: (i) in case of a material breach of the Agreement if such breach remains uncured for more than 28 days following receipt of a written notice of such material breach; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
6.4 Upon termination of this Agreement or the applicable Order, the Service Provider will keep the Customer’s relevant data from such Cloud-Services for at least sixty (60) days after the effective date of the termination of this Agreement or the applicable Order (i.e., the termination of the Cloud-Services) and will delete such data no later than ninety (90) after the effective date of the termination of the Cloud-Services. Notwithstanding the foregoing, Customer is solely responsible for retrieving any data stored or used with the Cloud-Services while Customer has access to the Cloud-Services, and upon the effective date of the termination of the Cloud-Services, Customer will not have access to the Cloud-Services.
7. Payment Terms/Invoicing
7.1 Customer shall pay to Service Provider monthly (i.e., only available for on-line orders with a credit card account), yearly or multiyear fees for the relevant Cloud-Services and the ordered service categories in advance as set forth in the applicable Order or as modified pursuant to Section 7.2.
7.2 Service Provider may adjust prices at any time by issuing a new price list. Unless the price list expressly specifies a different start date for the price adjustment, such new price list shall apply with immediate effect for: (i) Orders placed after the issuance of the new price list and (ii) existing Orders entering into a Renewal Term more than twenty-eight (28) days after the earlier to occur of either (x) issuance of the new price list and (y) notification to Customer of the new price list.
7.3 The date of receipt of the full payment due in Service Provider´s bank account shall be of sole relevance in determining whether or not Customer misses a payment due date. In the event of any delayed payment by Customer, Service Provider may, at its option, terminate or suspend the provision of the Cloud-Services to Customer, and such termination or suspension shall be effective upon ten (10) days’ notice to Customer. Service Provider shall have no liability or responsibility for any termination or suspension pursuant to this Section 7.3.
7.4 Any payment in respect of the Cloud-Services not received by the Service Provider by the due date may allow the Service Provider to:
(i) suspend or terminate the Cloud-Services in accordance with Section 7.3 above; and/or
(ii) charge the Customer interest on the overdue amount at the rate of the lesser of 1.5% of the outstanding balance per month or the highest interest permitted under governing law (which interest will accrue daily and be compounded quarterly).
7.5 Unless otherwise expressly provided, Service Provider’s fees do not include any direct or indirect local, state, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including value-added, use or withholding taxes (collectively, "Taxes"). Customer is responsible for paying all Taxes associated with Customer’s purchases hereunder, excluding taxes based on Service Provider’s net income or property. If Service Provider has the legal obligation to pay or collect Taxes for which Customer is responsible under this Section, the appropriate amount shall be invoiced to and paid by Customer, unless Customer provides Service Provider with a valid tax exemption certificate authorized by the appropriate taxing authority.
8. Cooperation duties of Authorized User
Customer and the Authorized User shall implement effective measures and processes enabling and safeguarding an additional backup archiving of all relevant documents and data outside of the IT system provided by the Cloud-Services as protection against any temporarily or permanent failures of the Cloud-Services.
9. Warranty of Service Provider
9.1 Customer shall immediately notify Service Provider in writing of any Defects (as defined below) associated with the provision of the Cloud-Services, which notification shall describe the Defect and root cause in detail. Subject to receipt of a proper notice as provided in this Section, Service Provider shall endeavor to remedy Defects within a reasonable time. Service Provider may, at its discretion, remedy Defects either by providing patches, workarounds, updates or upgrades or by providing or having provided remote support as available under http://support.docuware.com. In case the remediation of a warranted Defect would require commercially unreasonable expenditures or efforts, Service Provider may terminate the affected Order without any further liability upon thirty (30) days’ notice. For purposes of this Section 9, “Defect” shall mean a material deviation of the quality of the Cloud-Services from the quality described in Section 3.1 provided (i) such defect must be reproducible or documented by automatically created output; (ii) the usability of the Cloud-Services must be materially adversely affected; and (iii) written notice of the defect must be provided to Service Provider by Customer or an Authorized User on a timely basis pursuant to this Section 9.1.
9.2 In no event shall Service Provider be responsible for defects, operational, performance issues or other events resulting from Customer’s technology infrastructure, including but not limited to software applications, drivers, network hardware or software or broadband service, to the extent not provided by Service Provider. Customer shall not report the foregoing issues associated with such Customer technology infrastructure to Service Provider as Defects in the Cloud-Services. Customer shall compensate Service Provider for any efforts related to such non-warranty issues at Service Provider´s then current rates.
9.3 EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 9, SERVICE PROVIDER MAKES NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AVAILABILITY OF THE CLOUD-SERVICES, TITLE OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
10. Copyright- Indemnification
10.1 Subject to Sections 10.2 to 10.4, Service Provider will indemnify the Customer against any third party claim that the Cloud-Services infringes that third party's copyrights.
10.2 The Customer shall:
(i) give Service Provider prompt notice of any relevant claim;
(ii) not admit any liability or attempt to settle the claim without Service Provider’s prior consent;
(iii) provide reasonable co-operation at its own expense to Service Provider in the defense and settlement of the claim; and
(iv) give Service Provider sole authority to defend or settle the claim.
10.3 In the defense or settlement of any claim under Section 10.1, Service Provider may procure the right for the Customer to continue using the Cloud-Services or replace or modify it so that it becomes non-infringing or, if these remedies are not reasonably available, terminate this Agreement and applicable Order on thirty (30) working days' notice to the Customer without any additional liability or costs.
10.4 Service Provider will not be liable under this Section 10 to the Customer if an alleged copyright infringement is based on:
(i) any modification of the Cloud-Services by anyone other than Service Provider or DocuWare; or
(ii) the Customer's use of the Cloud-Services is contrary to the instructions given to the Customer or documentation provided by Service Provider or DocuWare; or
(iii) the Customer's continued use of the Cloud-Services after receiving notice of the alleged or actual infringement; or
(iv) a combination of the Cloud-Services with any other product or service which in the absence of such combination would not have resulted in any infringement.
10.5 THIS SECTION 10 STATES THE CUSTOMER'S SOLE AND EXCLUSIVE RIGHTS AND REMEDIES, AND SERVICE PROVIDER'S ENTIRE LIABILITY, FOR INFRINGEMENT OF ANY INTELLECTUAL PROPERTY RIGHTS.
11. Limited Liability of Service Provider
11.1 IN NO EVENT SHALL SERVICE PROVIDER’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT OR ORDER, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, IN RELATION TO COSTS AND DAMAGES NOT EXCLUDED UNDER SECTION 11.2 EXCEED THE AMOUNTS ACTUALLY PAID BY AND DUE FROM CUSTOMER UNDER THE APPLICABLE ORDER IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE INCIDENT GIVING RISE TO THE LIABILITY.
11.2 CUSTOMER AGREES THAT THE CONSIDERATION WHICH SERVICE PROVIDER IS CHARGING HEREUNDER DOES NOT INCLUDE CONSIDERATION FOR ASSUMPTION BY SERVICE PROVIDER OF THE RISK OF ANY INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES. IN NO EVENT SHALL SERVICE PROVIDER AND/OR ITS LICENSORS BE LIABLE TO ANYONE FOR ANY INDIRECT, PUNITIVE, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR LOSS OF, OR DAMAGE TO, CUSTOMER DATA, REVENUE, PROFITS, USE OR OTHER ECONOMIC ADVANTAGE (WHETHER DIRECT OR INDIRECT) ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THE CLOUD-SERVICES, WHETHER OR NOT EITHER PARTY HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
11.3 All liability claims of Customer against Service Provider shall become time barred after one year following the date on which a material breach of Service Provider’s obligations or responsibilities occurred.
12. Force Majeure Event
12.1 “Force Majeure Event” means an event, or a series of related events, that is outside the reasonable control of the party affected (including, but not limited to power failures, industrial disputes affecting any third party, changes to the law, natural disasters, epidemics, explosions, fires, floods, riots, terrorist attacks and wars).
12.2 Where a Force Majeure Event gives rise to a failure or delay in either party performing its obligations under this Agreement (other than obligations to make payment hereunder), those obligations will be suspended for the duration of the Force Majeure Event.
12.3 A party who becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in performing its obligations under this Agreement, will: (a) forthwith notify the other; and (b) inform the other of the period for which it is estimated that such failure or delay will continue.
12.4 The affected party will take reasonable steps to mitigate the effects of the Force Majeure Event.
13.1 As used herein, "Confidential Information" means all confidential and proprietary information of a party ("Disclosing Party") disclosed to the other party ("Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the terms and conditions of this Agreement or the applicable Order (including pricing), the Cloud-Services, business and marketing plans, technology and technical information, product designs, and business processes. Each party shall keep confidential and use any such Confidential Information only to the extent required for the purposes of this Agreement and to impose similar obligations to persons who have a right and need to know such Confidential Information (e.g., Authorized Users).
13.2 Confidential Information does not include information which (and only to the extent that) the Receiving Party can establish through documentary evidence that such information:
(i) was rightfully received without restrictions from third parties who owe no obligations of confidentiality to the Disclosing Party with respect to such information;
(ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party;
(iii) was independently developed by the Receiving Party without breach of any obligation owed to the Disclosing Party; or
(iv) was already publicly known at the time of disclosure or subsequently becomes publicly known through no breach by the Receiving Party of its obligations under this Section.
13.3 Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind (but in no event using less than reasonable care).
13.4 If the Receiving Party is compelled by law to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.
13.5 If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in breach of confidentiality protections hereunder, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the parties that any other available remedies are inadequate.
13.6 The Business Associate Agreement, attached hereto as Schedule 2 (Business Associate Agreement), is deemed incorporated by reference herein. In the event of any conflict between the terms of this Section 13 and the terms of the Business Associate Agreement, the terms of the Business Associate Agreement shall govern.
14.1 Customer represents and warrants that it will comply with all applicable laws, statutes, regulations, rules, ordinances, codes, and standards, including but not limited to any export laws of the EU and U.S. Without limiting the foregoing, (i) Customer represents that it and any Authorized User is not named on any U.S. government list of persons or entities prohibited from receiving exports, and (ii) Customer shall not permit Authorized Users to access or use Cloud-Services in violation of any U.S. export embargo, prohibition or restriction.
14.2 All disputes and litigation arising out of or related to this Agreement and each Order, including without limitation matters connected with their conclusion, performance or termination, will be construed, interpreted, applied and governed in all respects in accordance with the laws of the State of New York, United States of America, without reference to conflict of laws principles. The provisions of the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any dispute or litigation arising out of or in connection with this Agreement and each Order, without limitation matters connected with its performance, including any question regarding their existence, validity or termination, will be subject to the exclusive jurisdiction of the State or Federal courts of Orange County, NY, USA. Each party hereby irrevocably submits to the personal jurisdiction of such courts and irrevocably waives all objections to such venue and governing law.
14.3 Changes to this Agreement must be made by a written agreement.
14.4 Should any provision of this Agreement or Order be held by a court to be invalid, the validity of the remaining provisions shall not be affected thereby.
14.5 The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties.
14.6 No failure or delay by either party in exercising any right under this Agreement or Order shall constitute a waiver of that right.
14.7 Customer shall not assign its rights or delegate its obligations under this Agreement or Order without the prior written consent of Service Provider.
This Schedule 1 specifies the obligations of the parties in relation to the Cloud-Services described in the DocuWare Cloud-Services Agreement (“Agreement”).
1. Data Processing
1.1 Subject-Matter, Nature and Term of the Data Processing
Service Provider processes personal data forwarded by the Customer or Authorized Users solely on behalf of the Customer. This Schedule 1 shall govern all issues between the Customer and the Service Provider concerning such processing. As used herein, ”personal data” means information that personally identifies a natural person, including without limitation name, personal address, personal telephone number, personal e-mail address, government identifiers (such as a Social Security number, passport number or driver’s license number), unique biometric identifiers, financial account numbers or health or medical treatment or payment information, as well as any other personal information that is regulated under applicable U.S. state and federal data privacy or data protection laws (”Privacy Laws”).
2. Obligations of the Customer
2.1 The Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and for the means by which the Customer or Authorized User has acquired personal data.
2.2 The Customer may, not more than once in any calendar year, request from Service Provider reasonable written assurance of Service Provider´s compliance with this Schedule 1. The Service Provider undertakes to provide the Customer with the information reasonably required to respond to such request (e.g., a summary of any applicable audit reports on Service Provider’s controls applicable to personal data received from Customer). The Service Provider shall be entitled to compensation for expenses resulting from instructions from the Customer that exceed the legal requirements related to an audit or exceeds commercially reasonable audit assistance on the basis of the then-current hourly rates of the Service Provider.
2.3 The Customer shall inform the Service Provider immediately, if errors/irregularities are encountered in the audit results.
3 Obligations of the Service Provider
3.1 The Service Provider personnel engaged in the processing of personal data have received appropriate training on their responsibilities and are subject to obligations of confidentiality with the Service Provider.
3.2 The Service Provider shall only process personal data on behalf of and in accordance with Customer’s instructions and shall treat personal data as confidential information. The Customer instructs the Service Provider to process personal data for the following purposes: (I) processing in accordance with the Agreement and applicable orders placed by Customer under the Agreement, and (II) processing to comply with other reasonable instructions provided by the Customer where such instructions are consistent with the terms of the Agreement. The Service Provider shall not use the data provided for data processing for other purposes and shall not store this data for a period longer than that specified by the Customer or required by law.
3.3 The data shall be processed exclusively within the territory of the USA, except when customer provides documents or data in a support case to the Service Provider or as otherwise mutually agreed in writing by Customer and Service Provider. Any other forwarding of data to a third country requires the prior consent of the Customer and is subject to the parties’ compliance with the special requirements of applicable data protection laws.
3.4 The Service Provider shall promptly notify the Customer where the Service Provider becomes aware of any unlawful access to any Customer personal data stored on the Service Provider’s equipment or in Service Provider’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of the Customer’s personal data. The Service Provider will investigate the incident and provide the Customer with information about the incident and take reasonable steps to mitigate the effects and to minimize any damage resulting from the incident. The Customer agrees that Service Provider’s obligation under this Section is not and will not be constructed as an acknowledgement by the Service Provider of any fault or liability with respect to the incident or an obligation on the part of Service Provider to provide legal advice or otherwise to advise Customer or monitor Customer’s legal obligations with respect to Privacy Laws.
3.5 Upon termination of the Cloud-Services the Service Provider will keep any data produced in connection with the commission at least for further 60 days and will delete them no later than 90 days after the end-date of the Agreement, and this Schedule 1 shall continue to apply within this period of time. The Customer shall have the right to request an earlier deletion in writing. The Customer hereby acknowledges agrees with these cancellation rules. Notwithstanding the foregoing, the Customer is responsible for saving of all personal data provided to Service Provider throughout the duration of the term of the Agreement. Documentation intended as proof of proper data processing shall be kept by the Service Provider beyond the end of the Agreement as may be required under laws applicable to Service Provider and Service Provider’s data retention policies.
4.1 The Customer acknowledges and agrees, that Service Provider’s affiliates, as well as third-party sub-contractors engaged by an affiliate or Service Provider itself (including Microsoft Azure) are permitted have access to personal data in connection with the provision of the Cloud-Services. Any of such sub-contractors will be permitted to obtain personal data only to deliver the service the Service Provider has retained them to provide.
The Service Provider shall exercise the due care required by law by the selection of subcontractors. The Service Provider may engage its own affiliated companies or other sub-contractors for the performance of the Agreement without written consent of Customer.
5. Technical and Organizational Security Measures
5.1 The Service Provider shall maintain administrative, physical and technical safeguard for protection of the security, confidentiality and integrity of personal data.
Schedule 2 – Business Associate Agreement
This Business Associate Agreement (this “Agreement”) is made between Customer and DocuWare Corporation (“DocuWare”), each individually a “Party” and together the “Parties.”
A. Purpose. The purpose of this Agreement is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and the associated regulations, 45 C.F.R. parts 160-164, as may be amended (including the “Privacy Rule” and the “Security Rule”) (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act and the associated regulations, as may be amended (“HITECH”). “HIPAA” and “HITECH” are hereafter collectively referred to in this Agreement as “HIPAA.” Unless otherwise defined in this Agreement, capitalized terms have the meanings given in HIPAA. This Agreement is only effective when Required by Law, when Customer is either a HIPAA Covered Entity or Business Associate, and when HIPAA requires DocuWare to provide reasonable assurances to Customer that DocuWare will appropriately safeguard Protected Health Information (“PHI”).
B. Relationship. DocuWare and Customer have entered into a relationship under which DocuWare may receive, use, obtain, access, maintain, transmit, or create PHI from or on behalf of Customer in the course of performing services for Customer (the “Services”).
The Parties agree as follows:
Section 1. Permitted Uses and Disclosures.
DocuWare may use and/or disclose PHI only as permitted or required by this Agreement or as otherwise Required by Law. DocuWare may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives to the extent directly related to and necessary for the performance of the Services. DocuWare will request from Customer no more than the minimum PHI necessary to perform the Services. DocuWare will request, use and disclose only PHI that constitutes a Limited Data Set, if practicable, and will otherwise limit any request, use or disclosure of PHI to the minimum necessary for the intended purpose of the request, use or disclosure. DocuWare will not use or disclose PHI in a manner (i) inconsistent with Customer’s obligations under HIPAA, or (ii) that would violate HIPAA if disclosed or used in such a manner by Customer if and to the extent DocuWare’s performance of the Services involves carrying out Customer’s Privacy Rule obligations.
Section 2. Safeguards for the Protection of PHI.
DocuWare will implement and maintain appropriate administrative, physical and technical security safeguards to ensure that PHI obtained by or on behalf of Customer is not used or disclosed by DocuWare in violation of this Agreement. Such safeguards will be designed to protect the confidentiality and integrity of such PHI obtained, accessed, created, maintained, or transmitted from or on behalf of Customer. DocuWare will comply with the applicable requirements of the Security Rule.
Section 3. Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.
DocuWare will promptly report, upon discovery, in writing and in accordance with Section 9.7 of this Agreement, any Security Incident or Breach (as defined below) by it or any of its employees, directors, officers, agents, subcontractors or representatives concerning the use or disclosure of PHI. For purposes of this Agreement, “Breach” means any acquisition, access, use or disclosure of PHI under this Agreement that is (a) in violation of the Privacy Rule or (b) not permitted under this Agreement. DocuWare will be deemed to have discovered a Breach as of the first day on which the Breach is, or should reasonably have been, known to (a) DocuWare or (b) any employee, officer, or other agent of DocuWare other than the individual committing the Breach. DocuWare further will investigate the Breach and promptly provide to Customer information Customer may require to make notifications of the Breach to Individuals and/or other persons or entities (“Notifications”). DocuWare will cooperate with Customer in addressing the Breach.
DocuWare will establish and implement procedures and other reasonable efforts for mitigating any harmful effects arising from any improper use and/or disclosure of PHI.
Section 4. Use and Disclosure of PHI by Subcontractors, Agents, and Representatives.
DocuWare will require any subcontractor, agent, or other representative that is authorized to receive, use, maintain, transmit, or have access to PHI obtained or created under the Agreement, to agree, in writing, to: (1) adhere to the same restrictions, conditions and requirements regarding the use and/or disclosure of PHI and safeguarding of PHI that apply to DocuWare under this Agreement; and (2) comply with the applicable requirements of the Security Rule.
Section 5. Individual Rights.
DocuWare will comply with the following individual rights requirements as applicable to PHI used or maintained by DocuWare:
5.1 Right of Access. DocuWare agrees to provide access to PHI, at the request of Customer, as necessary to satisfy Customer’s obligations with regard to the individual access requirements under HIPAA. DocuWare will otherwise comply with its obligations regarding an Individual’s right of access to PHI under HIPAA.
5.2 Right of Amendment. DocuWare agrees to make any amendment(s) to PHI as necessary to meet the amendment requirements under HIPAA.
5.3 Right to Accounting of Disclosures. DocuWare agrees to document any disclosures of PHI as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, and to provide all such documentation to Customer or to an Individual, as necessary to satisfy Customer’s obligations with regard to an Individual’s right to an accounting of disclosures. DocuWare will otherwise comply with its obligations regarding an Individual’s right to an accounting of disclosures under HIPAA.
Section 6. Use and Disclosure for DocuWare’s Purposes.
6.1 Use. Except as otherwise limited in this Agreement, DocuWare may use PHI for the proper management and administration of DocuWare or to carry out the legal responsibilities of DocuWare.
6.2 Disclosure. Except as otherwise limited in this Agreement, DocuWare may disclose PHI for the proper management and administration of DocuWare or to carry out the legal responsibilities of DocuWare, provided the disclosures are Required by Law, or DocuWare obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies DocuWare immediately upon discovery of any instances in which the confidentiality of the PHI has been Breached, as defined and described in Section 3 of this Agreement.
Section 7. Access to Records.
DocuWare will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by DocuWare on behalf of Customer, available to the federal Department of Health and Human Services (“HHS”), the Office for Civil Rights (“OCR”), or their agents for purposes of monitoring compliance with HIPAA.
Section 8. Term and Termination.
8.1 Term. This Agreement will become effective on the Effective Date. Unless terminated sooner pursuant to Section 8.2, this Agreement will remain in effect for the duration of all Services provided by DocuWare and for so long as DocuWare will remain in possession of any PHI received from Customer, or created or received by DocuWare on behalf of Customer.
8.2 Termination. In the event of a material breach of this Agreement, the non-breaching Party may immediately terminate this Agreement. Alternatively, in the non-breaching Party’s sole discretion, the non-breaching Party may provide the breaching Party with written notice of the existence of the material breach and afford the breaching party thirty (30) days to cure the material breach. In the event the breaching Party fails to cure the material breach within such time period, the non-breaching Party may immediately terminate this Agreement.
8.3 Effect of Termination. Upon termination of this Agreement, DocuWare will recover any PHI relating to this Agreement in the possession of its subcontractors, agents or representatives. DocuWare will return to Customer or destroy all such PHI plus all other PHI relating to this Agreement in its possession, and will retain no copies. If DocuWare cannot feasibly return or destroy the PHI, DocuWare will ensure that any and all protections, requirements and restrictions contained in this Agreement will be extended to any PHI retained after the termination of this Agreement, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible.
Section 9. Miscellaneous.
9.1 Survival. The respective rights and obligations of the Parties under Sections 7 (Access to Records), 8.3 (Effect of Termination) and 9 (Miscellaneous) will survive termination of this Agreement indefinitely.
9.2 Amendments. This Agreement constitutes the entire agreement between the Parties with respect to its subject matter. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties agree to amend this Agreement from time to time as necessary for the Parties to comply with their respective obligations under HIPAA.
9.3 Waiver. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
9.4 Compliance with HIPAA. Any ambiguity in this Agreement will be resolved in favor of a meaning that permits the Parties to comply with their respective obligations under HIPAA.
9.5 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor will anything herein confer, upon any person other than the Parties and their respective successors and permitted assigns, any rights, remedies, obligations or liabilities whatsoever.
9.6 Inconsistencies. If any of the terms of this Agreement conflict with or are inconsistent with the terms of the Services agreement, the terms of this Agreement will prevail.