Terms of Service Agreement
Last Updated: December 7, 2021
This Terms of Service Agreement (“Agreement”) is between iboss, Inc. (“iboss”) and the customer listed on the Quote between iboss and such customer (“You” or “Your” or “Customer”), and governs Customer’s purchase of, access to and use of iboss Property (defined below). Capitalized terms are generally defined throughout this Agreement and otherwise in Section 2.
1. BACKGROUND. This Agreement describes Your rights to use iboss Property, inclusive of any associated media, printed materials and “online” or electronic documentation, identified in the Quote to which this Agreement applies. Except for any Hardware that You are purchasing or licensing from iboss under a Quote, You must provide all equipment and software necessary to connect to iboss Property, including devices that are suitable to connect with and use iboss Property. You are solely responsible for any fees, including internet connection or mobile fees, that You incur when accessing iboss Property.
2. DEFINITIONS. The following terms will have the meaning set forth below:
“Acceptable Use Policy” means iboss’ general rules and regulations governing use of iboss Property available here: Acceptable Use Policy.
“Affiliate” means any legal entity that owns, is owned by, or is commonly owned with a party.
“Own” means more than 50% ownership or the right to direct the management of the entity.
“App” means any mobile software application offered by iboss.
“Confidential Information” shall mean all proprietary or confidential information disclosed by one party to the other party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information or the circumstances of disclosure, including, without limitation: (i) proprietary product, software or services information, or related technology, ideas and algorithms; (ii) trade secrets; (iii) either party’s technical, business or financial information and plans; and (iv) the pricing and other terms reflected on iboss quotes and/or purchase orders that Customer provides iboss pursuant to this Agreement. Confidential Information shall not include information that the receiving party can show (a) is or becomes generally known or publicly available through no fault of the receiving party; (b) is known by, or is in the possession of, the receiving party prior to its disclosure, as evidenced by business records, and is not subject to restriction; (c) was independently developed by the receiving party without the use of or reference to the Confidential Information of the disclosing party; or (d) is lawfully obtained without restriction from a third party who has the right to make such disclosure.
“Customer Content” means any information and other content uploaded by Customer to the Service.
“Documentation” means the manuals provided to Customer along with the Licensed Software.
“End-User” means an end-user of Customer who accesses iboss Property through a mobile device, computer, and/or computer system.
“Error” means a reproducible error of the Licensed Software, App, Hardware and/or Service, as applicable, to substantially conform to the Documentation in all material respects.
“Executable Code” means the fully compiled binary version of a software program that can be executed by a computer and used by an End-User without further compilation.
“Hardware” means any physically tangible electro-mechanical system or sub-system and any related equipment that iboss provides to Customer.
“Host Server” means the server(s) on which iboss has installed the Licensed Software and/or necessary components and services for utilizing Licensed Software or App for Customer’s use.
“iboss Property” means the App, Licensed Software, Host Server, Hardware and Service.
“Intellectual Property Rights” means all copyrights, trade secrets, patents, patent applications, moral rights, contract rights and other proprietary and/or intellectual property rights.
“Licensed Software” means the software program or programs described in the Quote or any software or firmware incorporated into the Hardware, and any modified, updated, or enhanced versions of such programs that iboss may provide to Customer pursuant to this Agreement, or a separate maintenance and support agreement. Licensed Software excludes any Apps.
“Quote” means the written or electronic quote or order form that expressly references, and is governed by, these Terms of Service and is executed by an authorized representative of each party hereto, electronically or in writing.
“Service” means the services ordered by Customer through a Quote.
“Source Code” means the human-readable version of a software program that can be compiled into Executable Code.
3. SOFTWARE LICENSES. iboss offers its software to customers on a subscription basis but delivers the software through one or more of the following technical means: (i) direct download and installation of the software on Your own devices (“Downloaded Software”), (ii) software-as-a-service (“SaaS”), (iii) pre-installed software on a server that iboss provides to You (“Server-Provided Software”), and/or (iv) via an App which is available for download and installation to Your mobile device. Regardless of which of these methods is used, the following license will apply to Your subscription during the Term. iboss grants You a non-exclusive, non-transferable, revocable, worldwide, royalty-free, limited license (without the right to sublicense) to (i) install and execute one copy of, and use the Licensed Software (in Executable Code form) on each device (in the case of Downloaded Software); (ii) access and use the Host Server solely for authentication and syncing purposes (in the case of Downloaded Software or Server-Provided Software); and (iii) use the Licensed Software and Service (whether Downloaded Software, Server-Provided Software, or SaaS) solely for Customer’s internal business purposes and according to the Acceptable Use Policy and Documentation.
In the event that You download and install an App, the Mobile Application Licenses Terms and Conditions shall apply.
4. EVALUATION LICENSES. If Customer is using iboss Property for evaluation purposes, then the license granted in Section 3 only permits Customer to use the Licensed Software, Hardware, App and/or Service, as applicable, for thirty (30) days, or such longer period set forth in the Quote (“Evaluation Period”), and solely to evaluate the performance and functionality of the Licensed Software, Hardware, App and/or Service, as applicable (“Evaluation Software”), according to the Documentation and Acceptable Use Policy. Unless Customer has purchased a subscription to continue using the applicable iboss Property, upon the expiration of the Evaluation Period, including any extensions to the Evaluation Period to which iboss agrees, Customer must (i) discontinue using the Evaluation Software, and (ii) return the Hardware, as applicable, to iboss within seventy-two (72) hours; otherwise, iboss reserves the right to charge Customer at the then current price for such usage of iboss Property. Hardware returned more than thirty (30) days following the Evaluation Period expiration date will not be accepted. Customer shall be liable to iboss, and agrees to pay iboss, for the cost of replacing or fixing Hardware lost or returned damaged, or attempted to be returned after thirty (30) days. Notwithstanding any other provision of this Agreement, iboss provides the Evaluation Software free of charge, without support and “AS IS” without indemnification or warranty of any kind. No support policies or service level agreements apply to the Evaluation Software. Certain features or services may not be available for the Evaluation Software.
5. LICENSE FROM CUSTOMER. During the Term, Customer grants to iboss a limited, non-transferable, royalty-free license to use the Customer Content solely to enable iboss to provide the Service to Customer and fulfill iboss’ obligations hereunder. iboss will maintain reasonable and appropriate physical, organizational, administrative, and technical safeguards designed to protect Customer Content from loss, misuse, unauthorized access, disclosure, alteration and destruction.
6. RESTRICTIONS. The rights granted to Customer in this Agreement are subject to the following restrictions. Customer shall not (a) reproduce, license, sublicense sell, resell, rent, lease, transfer, assign, distribute, host, outsource, disclose or otherwise commercially exploit iboss Property, or make iboss Property available to any third party, including but not limited to any Hardware; (b) make the iboss Property available to any third party for purposes of testing the Licensed Software, and disclosing publicly the results of the tests; (c) interfere with, disrupt, modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Licensed Software; (d) access the Licensed Software for research and development or competitive assessment purposes, or to build a similar or competitive product or service or extend term of the license granted hereunder; (e) either publicly or privately, republish, downloaded, display, post or transmit in any form or by any means the Licensed Software or any component of iboss Property (including screenshots or other images of iboss Property), which includes but is not limited to electronic, mechanical, photocopying, recording or other means; (f) interfere with, disrupt, alter, translate, or modify the Licensed Software, or create an undue burden on the Licensed Software or networks or services connected to the Licensed Software; (g) use the Licensed Software on any mobile devices or other computer systems or hardware for which Customer has not received the necessary End-User consent(s); (h) remove any copyright or other proprietary rights notices in the Licensed Software; or (i) use the Licensed Software for any purpose other than the purpose for which the Licensed Software is intended.
7. CUSTOMER AND IBOSS OBLIGATIONS. Customer agrees to take all reasonable steps to safeguard iboss Property and the associated login credentials to ensure that no unauthorized person has access to either, and that no unauthorized copy, publication, disclosure or distribution, in whole or in part, in any form is made. Each party acknowledges and agrees that iboss Property and Customer Content contain valuable, confidential information and trade secrets and that the unauthorized use and/or copying of the same would be harmful to Customer or iboss. Each of Customer and iboss represents and warrants that it will comply with all laws, rules and regulations that apply to its use of iboss Property or Customer Content and any other activities in connection with this Agreement. Customer agrees to cause all its End-Users to comply with the Acceptable Use Policy. Customer hereby further represents and warrants that iboss Property will not be used to filter, screen, manage or censor Internet content for End-Users without permission from the affected End-Users. Customer hereby acknowledges and agrees that (a) Customer’s use of features, including, but not limited to detection, measurements and control relay (DMCR), logging and alerts, are subject to all state, local, and federals laws and regulations applicable within the country of deployment, and (b) Customer will comply with all such restrictions and required disclosures.
8. SUPPORT. Subject to the terms of this Agreement and payment of any applicable fees, during the Term, iboss will provide support services to Customer according to iboss’ Service Level Agreement.
9. UPDATES. iboss may revise, update, upgrade or discontinue any iboss Property at any time, without prior notice to You but will endeavor to provide You notice wherever possible. If iboss ceases to make available any iboss Property, iboss will provide a pro rata refund to You for any prepaid fees paid by You to iboss for the applicable iboss Property, based on the amount of time remaining in the applicable term. During the Term, iboss may, in its sole discretion, provide You with updates or upgrades. iboss and its suppliers are not obligated to provide any updates or upgrades to iboss Property. Any future release, update, or other addition to functionality of iboss Property shall be subject to the terms of this Agreement, unless iboss expressly states otherwise.
10. HARDWARE PRODUCTS. If You require Hardware in connection with Your use of the Licensed Software and Service, then in addition to any other terms of this Agreement that pertain to Hardware, the Hardware Products Purchases and Licenses Terms shall apply.
11. SUBSCRIPTION FEES AND PAYMENT.
11.1. Fees. In consideration for the Licensed Software and Service, Customer will pay to iboss all fees set forth in the Quote. If Customer elects to pay by credit card, (i) iboss will automatically renew and bill Customer’s credit card periodically per the Quote, and (ii) Customer hereby authorizes iboss to automatically charge or debit such credit card for the full amount due (on a recurring basis, if applicable) according to the Quote. Customer understands that the amounts charged or debited may vary and that this authorization will remain in effect until the expiration or termination of this Agreement.
11.2. Payment Terms. Excepting Section 9 (Updates) and Section 21 (Term and Termination), all payment obligations are non-cancellable and all amounts paid are non-refundable, except as expressly set forth herein or as required by applicable law. All payments are due from Customer net thirty (n/30) days from the date of iboss’ undisputed invoice. Past due invoices are subject to a monthly charge equal to the lesser of: (a) one and one-half percent (1.5%) per month; or (b) the highest rate of interest permitted by applicable law. If any undisputed invoice remains unpaid after thirty (30) days from the invoice date, then notwithstanding any agreement or course of dealing between iboss and Customer, iboss may suspend Customer’s access to and use of iboss Property until all outstanding invoices are paid. Delinquent amounts owed by Customer may be referred to a collection agency, and will be subject to additional fees.
12. TAXES. Unless iboss otherwise states in writing, all iboss fees are exclusive of transportation, insurance, federal, state, local, excise, value-added, use, sales, property (ad valorem) and similar taxes or duties now in force or hereafter enacted. Customer will pay all taxes, fees or charges of any nature whatsoever imposed by any governmental authority on, or measured by, the transaction between Customer and iboss; provided that such taxes shall exclude federal, state or local income taxes to which iboss may be subject. If iboss is required to collect any of the foregoing, such amounts will be separately stated on the invoice, and must be paid by Customer unless Customer provides iboss with a valid tax exemption certificate authorized by the appropriate taxing authority.
13. OWNERSHIP. All right, title, and interest, including all Intellectual Property Rights, in and to iboss Property other than Customer-purchased Hardware shall be owned and retained by iboss or its suppliers. Any rights not expressly granted by iboss in the Agreement are reserved. Customer acknowledges that it acquires no ownership interest in iboss Property. iboss acknowledges and agrees that Customer is the sole and exclusive owner of all Customer Content. Any third-party software included in iboss Property may only be used in conjunction with the applicable product or service, and is not licensed for use independent from such product or service.
14. CUSTOMER MARKS. Subject to Customer’s prior written consent, iboss may use Customer’s logo and trademarks on iboss’ website and in other marketing material, when referring to Customer. Customer will retain all title and rights to such logos and trademarks.
15. OPEN SOURCE SOFTWARE. Certain items of software may be provided to Customer with the Licensed Software or App and are subject to “open source” or “free software” licenses (“Open Source Software”). Some of the Open Source Software is owned by third parties. The Open Source Software is not subject to the terms and conditions of Section 3. Instead, each item of Open Source Software is licensed under the terms of the license that accompanies such Open Source Software. Nothing in this Agreement limits Customer’s rights under, or grants Customer rights that supersede, the terms and conditions of any applicable license for the Open Source Software. If required by any license for particular Open Source Software, Company makes such Open Source Software, and applicable Open Source Software copyright statements and license text available by Customer’s written request to [email protected].
16. CONFIDENTIAL INFORMATION.
16.1. Protection of Confidential Information. Each party shall protect the other party’s Confidential Information from unauthorized dissemination, and the receiving party shall use, and shall ensure that its employees and agents use, the same degree of care that it uses to protect its own like information, at all times employing at least a reasonable standard of care. The receiving party shall not disclose to third parties the disclosing party’s Confidential Information without the prior written consent of the disclosing party. The receiving party shall use the disclosing party’s Confidential Information solely as necessary to directly fulfill the receiving party’s obligations under this Agreement.
16.2. Disposition Upon Termination. Upon the termination of this Agreement for any reason whatsoever, or in the event that the disclosing party reasonably determines that the receiving party no longer requires access to the Confidential Information to perform its obligations, the receiving party shall return to the disclosing party, or shall destroy, as the disclosing party shall specify, all copies of all the Confidential Information in the receiving party’s possession.
16.3. Permitted Disclosure. Notwithstanding any provision in this Agreement to the contrary, the receiving party may disclose portions of disclosing party’s Confidential Information (i) to its lawyers and accountants who have a need to know such information and who are under the same protection and use obligations as in Section 16.2, above, and (ii) pursuant to an order of a governmental agency or court of competent jurisdiction compelling disclosure, provided that the receiving party shall provide the disclosing party reasonable advance notice of such intended disclosure. Additionally, iboss may disclose Customer Confidential Information to law enforcement agencies and/or social service organizations (each, a “Public Service Agency”) without Customer’s or a Customer End-User’s consent under the following circumstances: (a) an exigent circumstance has arisen, as determined by iboss in its reasonable discretion, in which a Customer End-User presents imminent risk of physical harm to self or others (the “Risk”); (b) iboss has undertaken a reasonable investigation to confirm that the exigency is genuine; (c) iboss has attempted unsuccessfully to contact Customer for purposes of (1) directing Customer to communicate directly with the Public Service Agency, or (2) obtaining Customer’s consent to make the disclosure to the Public Service Agency; (d) the Public Service Agency is unable to obtain a legal order to compel the disclosure of the Confidential Information in sufficient time to respond adequately to the Risk; and (e) iboss minimizes the scope of its disclosure solely to that Confidential Information which is determined by iboss in its sole discretion to be necessary to assist the Public Service Agency to address the Risk.
16.4. Remedies. The receiving party acknowledges that its breach of this Agreement may cause irreparable damage to the disclosing party, and hereby agrees that the disclosing party is entitled to seek, in addition to any other remedies available to it, injunctive and other relief as may be granted by a court of competent jurisdiction, associated with the receiving party’s breach.
17. LIMITED WARRANTY. For purchased or licensed Hardware, the only warranties are as set forth in the Hardware Products Purchases and Licenses Terms. For the avoidance of doubt, regardless of whether the Hardware is purchased or licensed from iboss, no warranty is provided with respect to the Licensed Software.
18. DISCLAIMER OF WARRANTIES. EXCEPT FOR THE WARRANTIES REGARDING PURCHASED AND LICENSED HARDWARE SET FORTH IN THE HARDWARE PRODUCTS PURCHASES AND LICENSES TERMS, THE IBOSS PROPERTY IS PROVIDED TO CUSTOMER ON AN “AS-IS” BASIS. ADDITIONALLY, NO WARRANTIES WILL BE EFFECTIVE, AND IBOSS WILL NOT BE OBLIGATED TO HONOR ANY WARRANTIES, UNLESS AND UNTIL IBOSS RECEIVES PAYMENT IN FULL FOR THE APPLICABLE IBOSS PROPERTY. IBOSS AND ITS SUPPLIERS DISCLAIM ALL EXPRESS, IMPLIED OR STATUTORY WARRANTIES RELATING TO THE IBOSS PROPERTY, INCLUDING BUT NOT LIMITED TO, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. IBOSS DOES NOT REPRESENT OR WARRANT THAT THE IBOSS PROPERTY OR ANY NETWORKS, SOFTWARE, OR SYSTEMS USED WITH SUCH PRODUCTS WILL BE FREE FROM VULNERABILITY, INTRUSION, ATTACK, OR OTHER DAMAGE. CERTAIN STATES AND/OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES SO THE EXCLUSIONS SET FORTH ABOVE MAY NOT APPLY TO YOU.
19. INDEMNIFICATION.
19.1. By iboss. iboss shall indemnify and hold Customer and its employees, officers, and directors harmless from and against any and all liabilities, claims, causes of action and suits (collectively “Claims”) arising out of third-party Claims that iboss Property infringes or misappropriates such third party’s intellectual proprietary rights. iboss shall, at its expense, defend such Claims and pay damages finally awarded against Customer, or paid by Customer pursuant to an executed settlement agreement, in connection therewith.
19.2. Exclusive Remedy. If iboss Property becomes, or in iboss’ opinion is likely to become, the subject of an infringement claim, iboss may, at its option and expense, in addition to its indemnity obligations in Section 19.1, above, either (a) procure for Customer the right to continue exercising the rights licensed to Customer in this Agreement, (b) replace or modify iboss Property so it becomes non-infringing, or (c) terminate this Agreement by written notice to Customer and promptly refund any prepaid amounts to Customer. Notwithstanding the foregoing, iboss will have no obligation under this Section or otherwise with respect to any infringement claim based upon (i) any unauthorized use, reproduction, or distribution of iboss Property by Customer or any End User, (ii) any use of iboss Property in combination with other products, equipment, software, or data not supplied by iboss, except such products, equipment software and data to which the parties mutually agree, (iii) any use, reproduction, or distribution of any release of iboss Property other than the most current release and the next most recent prior release of iboss Property if the Customer has been advised of the need to upgrade by iboss in order to protect against infringement, or (iv) any modification of the technology by any person other than iboss, if the infringement would not have occurred but for such modification. This Section 19.2 states iboss’ entire liability and Customer’s sole and exclusive remedy for Customer infringement Claims.
19.3. By Customer. Customer shall indemnify and hold iboss and its employees, officers, and directors harmless from and against any and all third-party Claims arising from Customer’s alleged or actual breach of Sections 5, 6 or 7 of this Agreement. Customer shall, at its expense, defend such Claims and pay damages finally awarded against iboss, or paid by iboss pursuant to an executed settlement agreement, in connection therewith.
19.4. Indemnification Procedures. The indemnification obligations in this Section 19 shall be subject to the indemnified party: (i) promptly notifying the indemnifying party in writing upon receiving notice of any threat or claim of such action; (ii) giving the indemnifying party exclusive control and authority over the defense and/or settlement of such claim (provided any such settlement unconditionally releases the indemnified party of all liability); and (iii) providing reasonable assistance requested by the indemnifying party, at the indemnifying party’s expense.
20. LIMITATION OF REMEDIES AND DAMAGES. EXCEPT FOR EITHER PARTY’S INDEMNITY OBLIGATIONS UNDER THIS AGREEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW, (A) NEITHER PARTY NOR ITS SUPPLIERS SHALL BE RESPONSIBLE OR LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY, OR CONSEQUENTIAL DAMAGES INCLUDING, BUT NOT LIMITED TO LOSS OF REVENUES AND LOSS OF PROFITS EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE; AND (B) EACH PARTY AND ITS SUPPLIER’S AGGREGATE CUMULATIVE LIABILITY FOR ANY CAUSE WHATSOEVER HEREUNDER SHALL NOT EXCEED THE AMOUNT PAID BY CUSTOMER FOR IBOSS PROPERTY DURING THE 12 MONTHS IMMEDIATELY PRIOR TO THE DATE ON WHICH CUSTOMER ALLEGES THE EVENTS THAT CAUSED SUCH DAMAGE OCCURRED.
21. TERM AND TERMINATION.
21.1. Term. This Agreement and the licenses granted hereunder are effective upon Customer’s execution of the Quote, and shall continue for the subscription period set forth on the Quote unless and until this Agreement is terminated by either party pursuant to this Section 21 (the “Term”). Upon the expiration of the Term, this Agreement shall automatically renew for successive twelve (12) month periods (each such period is a “Renewal Term”) unless, not less than sixty (60) days prior to the commencement of a Renewal Term, a party notifies the other party in writing that the notifying party elects not to renew the Agreement. Additionally, iboss may increase the prices for the Licensed Software and/or Service applicable to a Renewal Term, provided that it notifies Customer in writing of such increase not less than (60) days prior to the commencement of the applicable Renewal Term. The price increase will apply to the Renewal Term unless Customer provides written notice of its objection to the price increase not less than thirty (30) days prior to the Renewal Term’s commencement.
21.2. Termination. Either party may terminate the Quote and this Agreement if the other party (a) materially breaches this Agreement and fails to cure such breach within thirty (30) days following receipt of a breach notice from the terminating party, provided that iboss may terminate this Agreement immediately upon notice if Customer breaches Section 6 of this Agreement; or (b) becomes insolvent, makes a general assignment for the benefit of creditors, files a voluntary petition of bankruptcy, suffers or permits the appointment of the receiver for its business or assets, or becomes subject to any proceeding under any bankruptcy or insolvency law.
21.3. Effect of Termination. If iboss terminates this Agreement due to Customer’s material breach, then all amounts set forth in the Quote shall become immediately due and payable (including amounts not yet paid for the remainder of the subscription period set forth in the Quote) and Customer shall not be entitled to any refunds for any pre-paid amounts. In such case, Customer will promptly pay all such amounts to iboss upon receipt of the termination notice. If Customer terminates this Agreement due to iboss’ material breach, then iboss shall provide Customer a pro rata refund for any amounts pre-paid for the remainder of the then current term. iboss is not responsible or liable for any records or information that are made unavailable to Customer as a result of Customer’s termination of its account. Customer agrees that iboss will not be liable to Customer for any termination of Customer’s access to iboss Property. Upon termination, the license(s) granted hereunder shall terminate and Customer shall immediately cease all use of iboss Property and destroy any copies of the Licensed Software or App in its possession, if any. Notwithstanding any termination of this Agreement, those sections of this Agreement that, by their terms, are intended to survive the termination of this Agreement, will remain in effect.
22. DISPUTE RESOLUTION. Excluding any claims arising from or related to the infringement or misappropriation of iboss Property, the parties will attempt to resolve any claim, dispute or controversy between the parties (whether in contract, tort or otherwise) (a “Dispute”) through face-to-face negotiation between authorized representatives of each party or through mediation using a mutually agreeable mediator. If the parties are unable to resolve the Dispute through negotiation or mediation within a reasonable time period after a party has notified the other of the Dispute’s existence, the Dispute will be settled by binding arbitration, held in Boston, Massachusetts, according to the then current CPR Rules for Non-Administered Arbitration (“Arbitration”). Each party agrees that such arbitration shall be conducted on an individual basis and not in a class, consolidated or representative action. Notwithstanding any provision in this Agreement to the contrary, if the class-action waiver in the prior sentence is deemed invalid or unenforceable, neither party is entitled to arbitration. This arbitration agreement is subject to the Federal Arbitration Act. The arbitrator’s award may be entered in any court of competent jurisdiction. The existence or results of any negotiation, mediation or arbitration will be treated as confidential. If the arbitration provision in this Agreement is found unenforceable or not to apply for a given dispute, then the proceeding must be brought exclusively in a court of competent jurisdiction in Boston, Massachusetts.
23. EXPORT. iboss Property and Customer Content may be subject export requirements, including licenses, under United States or foreign laws. Each party shall comply with all applicable relevant laws, whether United States or foreign, governing the exports of iboss Property and/or Customer Content.
24. PRIVACY. iboss’ Privacy Policy (located at https://www.iboss.com/terms/#privacy-policy) explains how iboss treats personal data and protects individual privacy rights when customers use the Service. In using the Service, You agree that iboss may use such data according to the Privacy Policy. To the extent that iboss will, on Customer’s behalf, process any Customer Personal Data (as defined in the iboss Data Processing Addendum set forth at https://www.iboss.com/terms/#dpa (“Addendum”)) that is subject to the GDPR (as defined in the Addendum), the terms of the Addendum are hereby incorporated by reference and shall apply, and the parties agree to comply with such terms.
25. GOVERNING LAW. This Agreement is governed by the laws of the Commonwealth of Massachusetts without regard to conflict of law principles.
26. FORCE MAJEURE. Neither party will be liable to the other for failure to fulfill obligations hereunder if such failure is due to causes beyond its control, including, without limitation, acts of God, earthquake, fire, flood, embargo, catastrophe, sabotage, utility or transmission failures, governmental prohibitions or regulations, national emergencies, insurrections, riots or wars, acts of terrorism, Internet or power outages, or viruses which did not result from the acts or omissions of such party (“Force Majeure Event”). The time for any performance required hereunder will be extended by the delay incurred as a result of such Force Majeure Event.
27. HEADINGS; INTERPRETATION. The section headings used herein are for convenience of reference only and do not form a part of this Agreement. No construction or inference shall be derived therefrom. All references to “including” mean “including without limitation.”
28. WAIVER. iboss’ failure to enforce at any time, or for any period of time, any term of this Agreement shall not be construed as a waiver of iboss’ rights thereafter to enforce such term. iboss’ waiver of a Customer default will not be deemed a continuing waiver, but will apply solely to the instance to which the waiver is directed.
29. CONFLICTS; AMENDMENT. This Agreement sets forth the entire agreement and understanding between iboss and Customer regarding the subject matter hereof and supersedes any previous or contemporaneous communications, representations, proposals, commitments, understandings, negotiations, discussions, understandings or agreements (including non-disclosure or confidentiality agreements), whether oral or written, regarding the same subject matter. This Agreement expressly supersedes and replaces in their entirety any pre-printed terms on a Customer purchase order or similar document. In the event of a conflict between the terms of a Quote and the terms of this Agreement, the terms of the Quote shall govern. Any Amendment to this Agreement requires the written agreement of both parties.
30. SEVERABILITY. If any term or condition of this Agreement is deemed unenforceable, it shall be severed, and every other provision of this Agreement shall be enforced as if the unenforceable term or condition had never been a part hereof.
31. ASSIGNMENT. Neither party may assign this Agreement (or any rights or duties under it) without the other party’s prior written consent, provided that either party may assign this Agreement without the other party’s consent in connection with a merger, acquisition, or sale of all or substantially all of its assets. Either party who assigns this Agreement as permitted in this Section 31 shall provide the other party with prompt notice of such assignment. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the parties and their permitted successors and assigns.
32. NO JOINT VENTURE OR THIRD PARTY BENEFCIARIES. The parties to this Agreement are independent contractors, and this Agreement does not create any partnership, joint venture or agency relationship between iboss and Customer. Except as this Agreement otherwise expressly states, the Agreement does not create any third-party beneficiaries.
33. NOTICES. Any notice delivered by iboss to Customer under this Agreement will be delivered by email to the email address set forth in the Quote. Customer will direct legal notices or other correspondence under this Agreement to iboss at 101 Federal Street, 23rd Floor, Boston, MA 02110, Attn: General Counsel
Privacy Policy
Last Updated: June 27, 2024
Welcome to the Privacy Policy of iboss, Inc. and its subsidiaries (collectively “iboss,” “our,” “we,” or “us”). iboss provides a software platform, Licensed Software, Services, hardware, mobile applications, and other related services and products (“Platform”) to defend our customers’ networks (including without limitation: enterprise, commercial, and home) against malware, advanced threats, and data loss. This Privacy Policy describes how we collect, use, disclose, store, and otherwise process your Personal Information when you use our website located at www.iboss.com or other successor URLs or other related websites (“Website”) and Platforms. It also states how you can control the collection, correction, and/or deletion of your information. We will not use or disclose your information with anyone except as described in this Privacy Policy. All terms referenced in this Privacy Policy, unless otherwise noted herein, shall have the meanings set forth in the iboss Terms of Service.
Please note that our Website and other Platforms may contain links to third-party websites/digital platforms that are provided for your convenience. We are only responsible for the privacy practices and security of our own products, services, and digital platforms. We recommend that you check the privacy and security policies and procedures of every other website/digital platform that you visit.
Personal Information refers to any information relating to an identified or identifiable natural person, such as an identification number, or physical, physiological, mental, economic, cultural, or social identifiers. Personal Information may include the following: name, address, date of birth, gender, and contact data (i.e., e-mail address, telephone number, and employer name). By providing your Personal Information to iboss in the ways described in this Privacy Policy, you agree that you are authorized to provide that information and are accepting this Privacy Policy and any supplementary privacy statement that may be relevant to you. If you do not agree to our practices, please do not register, subscribe, create an account, or otherwise interact with our Website or Platforms.
If you are a California resident or are located in Europe, please see “Regional Privacy Terms” below.
WHAT INFORMATION DO WE COLLECT AND FROM WHAT SOURCES?
Personal Information that You Disclose to Us
We collect Personal Information that you voluntarily provide to us when expressing an interest in obtaining information about us or our products and services, when using our Websites or Platforms, and when otherwise interacting with us.
The Personal Information that we collect depends on the context of your interactions with us. You may be providing Personal Information when (i) submitting questions and seeking information from us; (ii) subscribing to iboss’ marketing material; (iii) requesting product and/or services support; (iv) providing services to iboss; (v) applying for a job at iboss; or (vi) otherwise communicating with us via phone calls, chats, emails, web forms, social media, and other methods of communication.
When working with us or using our Websites or Platforms, you may be prompted to create an account that may hold Personal Information such as your name, mailing address, email address, or credit card information. Additionally, the nature of the services that we provide to our customers entails iboss processing Personal Information.
- In connection with operating the Platform, we may collect Personal Information (e.g., name, email address, and other contact information) from individuals associated with a customer, for example, a customer’s contact or administrator, or on their own behalf, as iboss customers. We store this administrator information in our systems and use it for account maintenance and recordkeeping purposes.
- The Platform permits our customers and their administrators to enable rules and functionality to monitor and secure their networks. In this way, the customer may elect to use the Platform to track its or the customer’s employees’ and end users’ Personal Information associated with their use of the customer’s networks, systems, and mobile devices, including but not limited to email addresses, IP addresses, login credentials, websites search terms, websites visited, and files downloaded (“Platform Personal Information”), and can correlate Platform Personal Information to the name or identity of the employee or end user.
- By default, our Platform processes Platform Personal Information. However, we do not ordinarily access or review Platform Personal Information because it is protected within segregated, containerized reporting databases that isolate this information. Additionally, critical information, such as passwords, is subject to security measures designed to prevent our direct access to the underlying information. By default, Platform Personal Information is only accessible to the customers or its administrator(s) and other authorized users (as applicable) who were designated by the customer or administrator(s). In some cases, however, a customer may provide us administrative access to the Platform Personal Information, typically to enable us to provide customer support.
- Customers may use the Platform to control, secure, and enforce policies on their and their users’ mobile devices (phones, tablets, PCs, etc.). Our mobile-device applications work in conjunction with our Platform to enforce these policies, and as such, we may be provided information related to bookmarks shortcuts.
Recruiting Information
If you choose to apply to work with or for us through our Website or by otherwise contacting us regarding opportunities to become an agent or contractor for us, we may collect the following: contact information, such as your first and last name, email and mailing addresses, phone number, professional title and company name; resume information, such as qualifications, skills, employment or education history, or other resume information; reference information, such as name and contact details of your references; or social media information, such as if you provide us a link to or other access to a social media account, we may collect or access any information you permit to be shared through or from your social media account and other information depending on the social media platform.
You may have the opportunity to refer friends or other contacts to us or otherwise provide us Personal Information of others. You may only submit a referral or otherwise provide us Personal Information of others if you have permission to provide to us the individual’s Personal Information and by providing such information you represent and warrant that you have the authority to do so and to permit us and our service providers to use such information in accordance with this Privacy Policy.
Information That We Collect Automatically
Website Technical Information
iboss may collect Technical Information about you when you visit our Website which your web browser automatically sends whenever you visit certain websites on the Internet. “Technical Information” may include your Internet Protocol (“IP”) address, browser type, browser language, and the date and time of your request. Gathering Technical Information helps us ensure our Website and Platforms work correctly and support our customer analytics efforts.
Email Communication
We use pixel tags and cookies in our marketing emails so that we can track your interaction with those messages, such as when you open the email or click a URL link that’s embedded within them. When recipients click on one of those URLs, they pass through a separate web server before arriving at the destination page on a company website. We use tools like pixel tags and cookies so that we can determine interest in particular topics and measure and improve the effectiveness of our communications.
Mobile-Device Applications & Communications
When you download or use our mobile-device applications, we may receive information about you and your mobile device, such as username, group names, and other device-specific information (e.g., UUID), which we transmit to iboss’ secure cloud gateway to authenticate your device and thereby enable our customers to control, secure, and enforce internet content filtering and other cybersecurity protocols on the device (“Policies”). The mobile-device applications also obtain permissions from a mobile-device user to access device settings and data, including but not limited to Bluetooth, WiFi, geolocation data, firewalls, and browser histories and bookmarks (collectively, “Settings”), to enable the application of Policies to those Settings. Our mobile-device applications may access geolocation data for the purpose of enabling our customers’ administrators to track end users’ devices, for example, in situations where the end user loses the device and seeks assistance from the administrator to locate it. Geolocation features are configured and applied solely by our customers and can be disabled by the mobile device user. We do not determine whether to collect geolocation information. Please contact the entity that collected your information for any questions regarding geolocation data.
The specific types of information the mobile-device applications collect may differ based on the cybersecurity package that you or your organization has purchased from iboss, the operating system (e.g., iOS or Android) of the device on which an application is installed, and the deployment and Policies chosen. Our mobile-device applications access the foregoing information automatically when installed on mobile devices, and solely to provide user functionality concerning our cybersecurity services. In addition, the gateway to which our mobile-device applications communicate may track and monitor content and URL destinations depending on the Policies applied to your device and your internet browsing activity.
Cookies and Similar Technologies
iboss uses cookies to operate and improve our Website as well as to simplify the interaction with you. When you visit our Websites, our servers send a cookie to your computer or mobile device to help personalize your experience and advertisements. Cookies help us better understand user behavior and facilitate effectiveness of advertisements. Please see Your Choices below for more information.
HOW DO WE USE PERSONAL INFORMATION?
We use Personal Information as set forth below.
- To operate, administer, protect, and provide our business, Website, and Platforms. For example, your information is hosted and processed by our Platform in order for you and our customers to utilize our services, create accounts, manage payments, and obtain customer support;
- To respond to your inquiries, comments, feedback or questions. For example, we use your information to respond to your requests for information about our Site and Platform and, if you are a current customer or employee of a customer and submit a request for technical support, to identify you as associated with a current customer and provide more accurate and personalized technical support;
- To manage our relationship with you, which includes sending administrative information to you relating to our Website and Platform and changes to our terms, conditions, and policies, and asking you to leave a review or take a survey;
- To analyze how you interact with our Website and Platform and provide, maintain, and improve the content and functionality of the Website and Platform and our customer relationships and experiences, develop our business, and inform our marketing strategy (please see the “Cookies and Similar Technologies” section to learn how we use cookies). For example, we may use your information to refine and improve the Platform and Website such as to add new features and improve the user experience, we may collect your information through forms that you submit, and may collect information automatically as set forth above to inform us about their performance and areas of improvement. We may also use your information to communicate with you about your use of the Website or Platform;
- To prevent fraud, criminal activity, or misuses of our Website or Platform. For example, we may process information you provide to identify any fraudulent, harmful, unauthorized, unethical, or illegal activity and we may use your information as necessary to defend ourselves in litigation or enforce our rights or agreements with others;
- To ensure the security of our IT systems, architecture, and networks (including troubleshooting, testing, system maintenance, support, and hosting of data);
- To comply with legal obligations and legal process as well as protect our, our affiliates, your and third parties’ rights, privacy, safety, or property, and to recover debts due to us. For example, we comply with lawfully issued orders to process data where we have determined there is a legal requirement for us to do so. We may provide information to government authorities or agencies as required by applicable law and in relation to their investigations; and
- To conduct recruiting and hiring activities for opportunities with iboss. If you apply to work with or for iboss, we will review the information you submit to determine if your qualifications and experience match any available opportunities at iboss, to conduct background checks and verify the information you provide, communicate with you regarding any opportunities, improve our recruiting processes, process your onboarding if hired, and comply with applicable labor and employment laws.
If you are located in the European Union (“EU”), UK, Switzerland, or other relevant countries, please see the “Regional Privacy Terms” section, below.
Marketing. We may contact you to provide information we believe will be of interest to you. For instance, if you elect to provide your email address, we may use that information to send you promotional information about our products and services. If we do, where required by law (for example if you are in Europe), we will only send you such emails if you consent to us doing so at the time you provide us with your Personal Information. You may opt out of receiving emails by following the instructions set forth in the Your Choices section below. If you unsubscribe from our marketing lists, you will no longer receive marketing communications, but we will continue to contact you regarding our Website and Platform and to respond to your requests.
Aggregate/Deidentified Data. We may aggregate and/or deidentify any information collected through the Website or Platform so that the information can no longer be linked to you or your device. We may use the aggregated and/or deidentified information for any purpose, including without limitation for research and marketing purposes, and may also disclose such data to any third parties, including advertisers, promotional partners, and sponsors.
WHAT PERSONAL INFORMATION DO WE DISCLOSE TO THIRD PARTIES?
Vendors and Service Providers
We may disclose personal information with third-party vendors and service providers that work with us. For example, if you purchase access to our Platforms via an authorized iboss distribution partner or reseller, we may provide your Personal Information to that partner or reseller to facilitate your use of those products and services.
We require that our third-party service providers agree to keep confidential all Personal Information that we disclose to them and to use the information only to perform their obligations in the agreements we have in place with them. These third-party service providers are expected to maintain privacy and security protections that are consistent with iboss’ privacy and information security policies.
Disclosure of Personal Information for Legal and Safety Reasons
iboss may be required to disclose Personal Information to the authorities, law enforcement agencies, government agencies, or legal entities to comply with valid legal process including subpoenas, court orders, or search warrants, and as otherwise authorized by law. Additionally, we may disclose Personal Information (i) to the extent permitted by applicable law in special cases in which we believe it is reasonably necessary to investigate, identify, or take preventive measures, or bring legal action against someone who may commit or cause harm, fraud, abuse, or illegal conduct, such as a threat of harm to you or anyone else, interference with our rights or property, or interference with U.S. homeland or national security or public safety anywhere in the world; or (ii) in the event of an emergency that threatens an individual’s life, health, or security.
Affiliates
iboss may disclose customer information within our family of companies for a variety of purposes, for example to provide you with the latest information about our Platform and other services, to conduct recruiting and hiring activities, and to provide you access to the Website and Platform.
Consent
We may disclose your information when we have your consent, for example, to prospective customers with whom you have agreed to speak regarding the Platform.
Business Transfers
As we continue to develop our business, we may buy, merge, or partner with other companies. In such transactions (including in contemplation of such transactions), user information may be among the transferred assets. If a portion or all of our assets are sold or transferred to a third-party, customer information (including information processed in accordance with this Privacy Policy) may be one of the transferred business assets. If such transfer is subject to additional mandatory restrictions under applicable laws, or contractual obligations, we will comply with such restrictions.
Aggregate/Deidentified Information
From time to time, we may disclose aggregate/deidentified information about use of the Platform or Website, such as by publishing a report on usage trends. The disclosure of such data is unrestricted.
DO WE TRANSFER PERSONAL INFORMATION INTERNATIONALLY?
To facilitate our global operations, iboss may transfer Personal Information from your jurisdiction to other iboss locations across the world. iboss primarily stores Personal Information about prospective and actual customers in the United States, but also stores that information in the United Kingdom. The United States may have data protections laws that are less stringent than or otherwise different from the laws in effect in your location. Transfers of Personal Information subject to this Privacy Policy to iboss in the United States are necessary to perform the agreement we have entered into, or are about to enter into, with you.
Personal Information that end users transmit through our Platform while accessing the Internet always resides within secured and containerized reporting databases. The Platform processes Personal Information anywhere in which a customer may be located (e.g., the US, EU, or other non-EU countries) via global data centers that are most proximate to an end user’s physical location when the end user is connected to a network and engaging in activity on the Internet. However, the customer can designate and control where the processed data are stored based on the customer’s geo-location requirements. Thus, for example, an EU-based customer may designate that all data from the customer’s end users – irrespective of where the end users are located globally – are processed and stored only in EU-based data centers.
If the Personal Information is transferred to countries without ‘adequate’ protection as determined by the European Commission, we will use additional safeguards to ensure any such transfers of Personal Information comply with applicable requirements based on the particular Personal Information, such as the EU Standard Contractual Clauses. You understand that in providing Personal Information to us via our Website, Platform, or through other interactions with us, you consent to the transfer of your Personal Information to the United States and other jurisdictions in which we operate.
In addition to EU Standard Contractual Clauses, the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield programs (“Privacy Shield”) previously provided a framework for companies to transfer Personal Information between the EU and United States. iboss was previously Privacy Shield certified, but due to the European Court of Justice’s July 16, 2020 decision invalidating Privacy Shield, iboss is no longer applying Privacy Shield to relevant transfers of Personal Information and is instead relying on EU Standard Contractual Clauses. To the extent Personal Information was transferred to iboss under our prior Privacy Shield Certification, and if we have retained such information, we will provide protection for such information according to the EU Standard Contractual Clauses.
WHAT IS OUR PERSONAL INFORMATION RETENTION POLICY?
iboss retains your Personal Information as long as reasonably necessary for the business purposes described in this Privacy Policy, and/or as long as is reasonably necessary to provide our Website and Platforms, or as reasonably necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
If you have elected to receive marketing communications from us, we retain information about your marketing preferences until you opt out of receiving these communications and in accordance with our policies.
To determine the appropriate retention period for your Personal Information, we will consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we use your Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements.
HOW DO WE HANDLE INFORMATION THAT WE RECEIVE FROM CHILDREN?
Our Website and Platforms are not directed to individuals under 16 years of age. We do not knowingly collect information about children under the age of 16, or minors otherwise defined in local law or regulation, without verifiable parental consent. If we learn that someone under 16 has provided Personal Information through our Website, we will use reasonable efforts to remove that information from our databases.
YOUR CHOICES
In this section, we describe the rights and choices available to you in how we process your Personal Information.
Choosing not to provide your Personal Information. You may choose not to provide Personal Information. If you choose not to provide Personal Information (or ask us to delete it), we may not be able to provide you with our Website or Platform or certain of their features. We will tell you what information you must provide to use certain features by designating it as required at the time of collection or through other appropriate means.
Opt out of marketing communications. You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions in the communication, or by contacting us as set forth below. If you opt out of marketing communications, you may continue to receive Platform-related and other non-marketing emails.
Cookies & browser web storage and targeted online advertising. We, or service providers or other third parties we contract with, may use cookies and similar technologies to track your browsing activity over time and across the Website and third-party websites or applications. If business partners collect information about your activities on or through the Website, they may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior or mobile application usage for purposes of targeted advertising. For more details, see our Cookie Policy.
Do Not Track Signals. There are different ways to prevent tracking of online activities. Some web browsers may allow you to enable a do-not-track feature that alerts the websites you visit that you do not want your online activities to be tracked. Our Site currently does not respond to “Do Not Track” (“DNT”) signals and operates as described in this Privacy Policy whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will describe how we do so in this Privacy Policy.
REGIONAL PRIVACY TERMS
If you are a California resident or you are located in Europe (including the UK and Switzerland), please see our Regional Privacy Policy Supplement.
HOW DOES IBOSS SECURE YOUR PERSONAL INFORMATION?
iboss uses technical and physical safeguards to protect the security of your Personal Information from unauthorized disclosure. We also make commercially reasonable attempts to ensure that only necessary people and third parties have access to Personal Information. Nevertheless, such security measures cannot prevent all loss, misuse, or alteration of Personal Information, and we are not responsible for any damages or liabilities relating to any such incidents to the fullest extent permitted by law.
DO WE UPDATE THIS PRIVACY POLICY?
iboss may review and update this Privacy Policy periodically without any prior notice. We will indicate in the Privacy Policy when it was most recently updated. In the case of material changes to the Privacy Policy, we may notify you of such changes.
HOW MAY I CONTACT IBOSS?
To contact iboss about any of the foregoing matters, please use the following addresses:
Mailing Address:
iboss, Inc.
101 Federal Street, 23rd Floor
Boston, MA 02110 USA
ATTN: General Counsel
Email Address: [email protected]
We have appointed a representative in the EU. You can contact them by post at Mishcon de Reya Representative Services (Europe) Limited, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland, or by email at [email protected].
IBOSS, INC.
DATA PROCESSING ADDENDUM
Last Updated: June 27, 2024
This Data Processing Addendum (the “Addendum”) is made by and between iboss, Inc. with a registered office in Boston, Massachusetts, USA (“Company”) and the entity identified as Customer (collectively, “Customer”) in the iboss Terms of Service Agreement, in the iboss Cloud Services End User Terms of Service Agreement, in the iboss Quote, in the Master Software License and Services Agreement, or in such other agreement between Customer and iboss for the purchase of iboss software and services (in each case, the “Agreement”).
This Addendum is incorporated into the Agreement between Company and Customer and applies in respect of the provision of the Services (as defined in the Agreement) to Customer if the Processing of Customer Personal Data (as defined below) is subject to Data Protection Legislation. This Addendum shall be effective for so long as the Company Processes Customer Personal Data.
- Definitions
- “Customer Personal Data” means the Personal Data described under Section 2 of this Addendum, in respect of which Customer is the Controller and which is provided to Company by or on behalf of Customer and Processed by Company, each in connection with the Agreement for Company to provide Services to Customer;
- “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
- “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
- “Personal Data”, “Data Subject”, “Process”, “Processor” and “Controller” will each have the meaning given to them in applicable Data Protection Legislation; and
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by Company that compromises the confidentiality, integrity, or availability of such Customer Personal Data.
- “Standard Contractual Clauses” or “SCC” means the Standard Contractual Clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Swiss Data Protection Legislation” means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
- “UK Addendum” means the UK Information Commissioner’s (“UK ICO”) International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0 in force 21 March 2022.
- Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
- Details of The Processing
- Categories of Data Subjects. Categories of Data Subjects whose Personal Data may be included in Customer Personal Data include Customer’s customers, end users, partners, suppliers, employees, other personnel, and other Data Subjects about whom Customer receives or collects, and thereafter provides, Personal Data to Customer in the form of Customer Personal Data.
- Types of Personal Data. Customer Personal Data may include Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, such as names, email addresses, IP addresses, and web browsing data, including websites visited; location data; and browsing, search, and other network activity of authorized users of Customer’s network, each of which is provided to Company in connection with Customer’s use of the Services.
- Subject-Matter and Nature of the Processing. The subject-matter of Company’s Processing of Customer Personal Data is the provision of the Services to Customer, which include the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities that Company must perform to provide the Services pursuant to the Agreement and any applicable statement of work or other ordering document.
- Purpose of the Processing. Company will process Customer Personal Data for purposes of providing the Services described in the Agreement and any applicable statement of work or other ordering document.
- Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 10 of this Addendum.
- Processing of Customer Personal Data
- This Addendum applies to the Processing of Customer Personal Data. If applicable Data Protection Legislation recognizes the roles of “Controller” and “Processor” as applied to Customer Personal Data, then as between Company and Customer, Customer acts as Controller and Company acts as a Processor (or Subprocessor, as the case may be) of Customer Personal Data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with the Agreement and this Addendum, including with respect to transfers of Customer Personal Data, unless Processing is required by applicable Data Protection Legislation to which Company is subject, in which case Company shall, to the extent permitted by applicable law, inform Customer of that legal requirement before so Processing that Customer Personal Data. The Parties agree that Company may Process Customer Personal Data as necessary to enable Company to provide the Services according to the Agreement. Any additional or different instructions from Customer pertaining to the Processing of Customer Personal Data require a signed agreement between Company and Customer and may be subject to additional fees. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Personal Data. Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation, provided, however, Company is not responsible for performing legal research and/or for providing legal advice to Customer.
- If Company cannot process Customer Personal Data according to Customer’s instructions due to a legal requirement under any applicable Data Protection Legislation, Company will (i) promptly notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) Process (or continue to Process) Customer Personal Data to the extent Company is able to comply with Customer’s instructions in order to provide the Services as set forth in the Agreement.
- Each of Customer and Company will comply with their respective obligations under the Data Protection Legislation. Customer shall (a) provide all required notices and appropriate disclosures to all Data Subjects regarding Customer’s, and Company’s, Processing of Customer Personal Data and (b) ensure that Customer has obtained (or will obtain) and maintain during the term of the Agreement all rights and consents (if required) which are necessary for Company to Process Customer Personal Data in accordance with this Addendum and the Agreement. If Customer is not required by Data Protection Legislation to obtain and maintain valid consent from Data Subjects, Customer will otherwise comply with requirements under Data Protection Legislation to obtain and maintain a valid legal basis to Process Customer Personal Data and for providing such data to Company for Processing under the Agreement.
- Cross-border transfers of Customer Personal Data:
- The Services allow Customer to designate the location in which Customer Personal Data will be Processed based on compatibility with the Services. If Customer elects to transfer Customer Personal Data to Company outside a jurisdiction restricting the transfer of Personal Data relating to Data Subjects located in that jurisdiction, either directly or via onward transfer, to a jurisdiction which the Data Protection Legislation in such originating jurisdiction concluded does not provide an adequate level of protection for such Personal Data, such transfer shall be subject to the protections and provisions of the Standard Contractual Clauses (where Schedule 1 specifically delineates the terms in the SCC’s Appendix) or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Legislation.
- In Annex I, Customer shall be deemed to have signed the SCC in its capacity of “data exporter” and Company in its capacity as “data importer.” Module Two or Module Three of the SCC shall apply to the transfer depending on whether Customer is Data Controller of the Customer Personal Data (for Module Two) or a Data Processor of the Customer Personal Data on behalf of its customer (for Module Three). If Module Three applies, Customer hereby notifies Company that it is a Processor and the instructions shall be as set forth in Section 3.1. Clause 7 is omitted. In Clause 11(a), the optional provision shall not apply. For purposes of Clauses 17 and 18 of the SCCs, the Parties select The Netherlands. Additional provisions applicable to Customer Personal Data transferred pursuant to SCC are set forth in Schedule 2.
- The SCC will cease to apply if Company has implemented an alternative recognized compliance mechanism for the lawful transfer of personal data in accordance with applicable Data Protection Legislation and has informed Customer thereof.
- In the event of any conflict between any terms in the SCC and Addendum, the SCC shall prevail to the extent of the conflict.
- To the extent such a transfer includes Customer Personal Data subject to Swiss Data Protection Legislation, the SCC shall be adapted to use for Switzerland (where the Swiss Data Protection Legislation shall apply as the applicable Data Protection Legislation, Clauses 17 and 18 of the SCC shall refer to Switzerland, and data subjects in Switzerland shall be able to avail themselves of any rights conferred by the SCC).
- If the UK Addendum applies, then:
- Table 1 of the UK Addendum is completed with the parties’ details and Key Contacts of Customer (as data exporter) and Company (as data importer), as provided above. The “Start date” is the Effective Date or other similar date of the Agreement.
- Table 2 of the UK Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”.
- For the purposes of Table 2 and Table 3 of the UK Addendum, the “Approved EU SCCs” are completed with the Modules, selections, and details set forth above.
- Table 4 of the UK Addendum is completed by selecting “neither party”.
- Customer is responsible for compliance with all applicable Data Protection Legislation regarding its content, including without limitation that which regulates (a) content directed toward children (as defined under applicable Data Protection Legislation and for example, individuals under 13 years old in the United States or under 16 years old in certain other countries) (b) financial, payment, or credit data or (c) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s genetic data, biometric data, health data, or data regarding sex life or sexual orientation ((a) – (c) collectively, “Sensitive Data”), where Customer is specifically responsible for obtaining express consent from individuals whose Personal Data is provided to Company for Processing, where required by Data Protection Legislation. Any Sensitive Data provided by Customer to Company is provided solely at Customer’s election, and Customer understands and agrees that Company does not differentiate between different types of data sensitivity when Processing Customer Personal Data or treat certain types of Customer Personal Data differently from other types and applies the same security measures to all Customer Personal Data as set forth in Section 5 of this Addendum.
- Confidentiality. Company shall implement processes designed to ensure that Customer Personal Data is only made available to those of its personnel, including its sub-Processors, who (i) need to access such Customer Personal Data in order to carry out their roles in the performance of Company’s obligations under the Agreement and this Addendum and (ii) have committed themselves to protect the confidentiality of such Customer Personal Data or are otherwise under an appropriate statutory obligation of confidentiality.
- Security Measures
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (described under Annex II to the Standard Contractual Clauses). Company may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of a statement of work or other ordering document.
- Company will provide Customer with legally-required and reasonable assistance as necessary for the fulfilment of Customer’s obligations under applicable Data Protection Legislation.
- Customer is responsible for security relating to its environment and databases and security relating its configuration of the Services. This includes implementing and managing procedural, technical, and administrative safeguards on its software and networks sufficient to: (a) ensure the confidentiality, security, integrity, and privacy of Customer Personal Data in transit, at rest, and in storage; (b) protect against any anticipated threats or hazards to the security and integrity of Customer Personal Data; and (c) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Personal Data. Notwithstanding any other provision of this Addendum, the Agreement or any other agreement related to the Services, Company will have no obligations or liability as to any breach or loss resulting from: (x) Customer’s environment, databases, systems or software, or (y) Customer’s security configuration or administration of the Services.
- Sub-Processing
- Customer authorizes Company to appoint the entities identified in Company’s support portal at https://support.ibosscloud.com as Sub-Processors of Customer Personal Data and generally authorizes Company’s engagement of additional Sub-Processors and Company’s replacement of any Sub-Processors identified within https://support.ibosscloud.com. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the Sub-Processing of Customer Personal Data for purposes of Clause 9, Option 2 of the Standard Contractual Clauses. Company will inform Customer of any intended changes concerning the addition or replacement of any Sub-Processors. If Customer can show on reasonable and objective grounds that a new Sub-Processor does not or cannot comply with applicable Data Protection Legislation and wishes to object to Company’s use of such Sub-Processor, then Customer has fifteen (15) days after Company notifies customer of such new Sub-Processor to notify Company in writing of its reasonable and objective basis, supported by documentary evidence, for objection to the use of the new Sub-Processor. Upon receipt of Customer’s written objection, Customer and Company will work together without unreasonable delay to find a mutually acceptable resolution to address the objection, including but not limited to reviewing additional documentation supporting the Sub-Processor’s ability to comply with Data Protection Legislation. To the extent Customer and Company do not reach a mutually acceptable resolution within a reasonable timeframe, Company will use reasonable endeavors to make available to Customer a change in the Services or will recommend a commercially reasonable change to the Services to prevent the applicable Sub-Processor from Processing Customer Personal Data. If Company is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Customer shall have the right, as its sole remedy, to terminate the relevant Services (i) in accordance with the termination provisions in the Agreement; (ii) without liability to Customer or Company, and (iii) without relieving Customer from its payment obligations under the Agreement up to the date of termination.
- Company will enter into a binding written agreement with the Sub-Processor that imposes on the Sub-Processor the same level of restrictions that apply to Company under this Addendum to the extent applicable to the nature of the services provided by such Sub-Processor. Where any of its Sub-Processors fails to fulfil its data protection obligations in relation to the Services provided to Customer, such that Company would be found to have violated its obligations to Customer under this Addendum, Company will be responsible to Customer for the performance of its Sub-Processors’ obligations.
- Data Subject Rights
- To the extent legally permitted, and where a Data Subject identifies Customer as the entity that collected its Personal Data, Company shall notify Customer without undue delay of receiving any request or complaint from Data Subjects regarding Customer Personal Data (“Data Subject Inquiry”). Company shall not respond to Data Subject Inquiries without Customer’s prior written consent and written instructions. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Inquiry, Company will provide Customer with assistance necessary for the fulfilment of Customer’s obligation to respond to requests for the exercise of Data Subjects’ rights in accordance with Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Company’s provision of such assistance.
- If a Data Subject does not identify an entity that collected its Personal Data, Company will instruct the Data Subject to identify and contact the relevant entity that collected its Personal Data.
- Company shall comply with Customer’s instructions regarding the handling of a Data Subject Inquiry, subject to the terms of Section 3.1.
- Personal Data Breaches
- Company will notify Customer at the contact information on file without undue delay and in any event within forty-eight (48) hours after it becomes aware of and confirms any Personal Data Breach. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Company, Company will also provide Customer with information regarding (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (ii) the reasonably anticipated consequence of the Personal Data Breach; (iii) measures taken to mitigate any possible adverse effects; and (iv) other information concerning the Personal Data Breach reasonably known or available to Company that Customer is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Legislation. Company’s contact point for additional details regarding a Personal Data Breach is [email protected]. Except as required by applicable Data Protection Legislation, the obligations set out in this Section shall not apply to Personal Data Breaches caused by Customer. Company’s provision of any notification of a Personal Data Breach shall not constitute an admission of fault.
- Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents. Customer and Company shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications in accordance with Data Protection Legislation to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Legislation. In any event, Customer shall not disclose any confidential or proprietary information of Company in the content of any notification.
- Data Protection Impact Assessment; Prior Consultation. Company will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, including by providing Customer with documentation regarding Company’s Processing operations, if Customer is required to engage in such activities under applicable Data Protection Legislation and such assistance relates to the Processing by Company of Customer Personal Data.
- Return or Deletion of Customer Personal Data
- Subject to Section 10.2 below, and unless Company and Customer otherwise agree in writing in the Agreement, Company shall, following termination or expiration of the Agreement, delete and use all reasonable efforts to procure the deletion of all copies of Customer Personal Data Processed by Company or any Sub-Processors, and where deletion is not possible, sufficiently de-identify Customer Personal Data such that it is no longer Personal Data, except if required or permitted by applicable law or for compliance, audit, or security purposes. Company and Customer may agree in writing for Company to provide certain log data containing Customer Personal Data.
- Company and its Sub-Processors may retain Customer Personal Data to the extent required by applicable laws, only to the extent and for such period as required by applicable laws, and provided that Company shall protect the confidentiality of all such Customer Personal Data and Process such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
- Information
- Company will provide Customer with all information reasonably necessary to enable Customer to demonstrate compliance with its obligations under Data Protection Legislation (which such information is Company Confidential Information under the Agreement), and, subject to the terms below, allow for and participate in audits, including inspections, conducted by Customer or an auditor mandated by Customer, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
- Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Company shall make available to Customer that is not a competitor of Company (or Customer’s independent, third-party auditor that is not a competitor of Company) a copy of Company’s security documentation and summaries of any available and recent third-party audits or certifications, as applicable, each for the sole purposes of confirming Company’s compliance with this Addendum and to assist Customer with complying with its obligations under Data Protection Legislation. If no such audit report is available at the time of Customer’s request, Company will allow and contribute to audits as set forth below.
- Customer may, upon reasonable notice and at reasonable times, and at Customer’s own expense, audit (either by itself or using independent third-party auditors) Company’s compliance with this Addendum. Company shall assist with and contribute to any audits conducted in accordance with this Section 11. Such audits may be carried out once per year or more often if required by Data Protection Legislation.
- Any third party engaged by Customer to conduct an audit must be pre-approved by Company (such approval not to be unreasonably withheld) and sign Company’s confidentiality agreement. Customer must provide Company with a proposed audit plan at least two weeks in advance of the audit, after which Customer and Company shall discuss in good faith and finalize the audit plan prior to commencement of any audit activities.
- Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and Company’s security and other policies, and may not unreasonably interfere with Company’s regular business activities. Customer shall reimburse Company for any reasonable costs or expenses incurred by Company in connection with the audit.
- Information obtained or results produced in connection with an audit are Company Confidential Information under the Agreement and may only be used by Customer to confirm compliance with this Addendum and for complying with its requirements under Data Protection Legislation.
- Fees. Company may charge Customer a reasonable fee for time spent in connection with any assistance or cooperation required by Customer under this Addendum if such assistance or cooperation involves the commitment of resources over a prolonged period of time, which are not included as part of the Services, or involve third-party costs and does not arise from any breach by Company of this Addendum.
- Liability
- Each party’s liability to the other under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
- Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, Company will not be liable under the Agreement or this Addendum for any claim brought by a Data Subject arising from any action or omission by Company, to the extent that such action or omission resulted from Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable Data Protection Legislation.
- General Provisions
- With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.
- To the extent the California Consumer Privacy Act (“CCPA”) applies to Customer Personal Data and no exemptions in the CCPA apply, (i) Company shall not (a) sell or share (as such terms are defined in the CCPA) Customer Personal Data; (b) retain, use or disclose Customer Personal Data for any purpose other than providing Services under the Agreement, (c) retain, use or disclose Customer Personal Data outside of the direct business relationship between Company and Customer, or (d) except as otherwise permitted by the CCPA, combine Customer Personal Data with Personal Data that Company receives from or on behalf of another person or persons, or collects from its own interaction with the data subject and (ii) Customer may, as specifically permitted by the CCPA: (a) take reasonable and appropriate steps as set forth in Section 11 to help to ensure that Company uses Customer Personal Data in a manner consistent with the Customer’s obligations under CCPA; (b) require Company to notify Customer if Company makes a determination that it can no longer meet its obligations under CCPA; and (c) upon written notice to Company and as set forth in Section 11, take reasonable and appropriate steps to stop and remediate Company’s unauthorized use of Customer Personal Data.
- Company may disclose Customer Personal Data in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Company’s business by or to another company, including the transfer of contact information and data of Customer’s customers, partners and end users, and Customer Personal Data Processed in connection with the Services.
- The parties agree that the bundling of Customer’s data exporters, for example, if Customer consists of multiple global affiliates, as controllers within this single Addendum is undertaken for efficiency purposes (i.e., to avoid a multitude of different contract documents) and (i) shall result in legally separate Addenda between the respective Customer entity and Company solely for purposes of addressing any such obligations under Data Protection Legislation; (ii) shall not create any new or different legal or other relationship whatsoever between the “bundled” Customer entities; (iii) does not create any additional rights or remedies for such bundled Customer entities; (iv) all processing instructions must be provided by the Customer entity that is signatory to the Agreement and Company is not responsible for consolidating or evaluating the validity of instructions received from other Customer entities; (v) any commercial terms not provided by the Addendum are provided by the Agreement regardless of whether the bundled Customer entities signed or were consulted regarding the terms of the Agreement; and (vi) any audits conducted in accordance with the Addendum shall be conducted only by and through the Customer entity that is signatory to the Agreement.
SCHEDULE 1
APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES
ANNEX 1
A. LIST OF PARTIES
Data exporter
Name: | The data exporter is the entity identified as “Customer” in the Addendum |
Address: | As set forth in the Agreement |
Contact person: | As set forth in the Notices provision in the Agreement |
Activities relevant to the data transferred under these Clauses: | As set forth in the Agreement |
Signature and date: | Refer to Addendum |
Role: | Controller, except when processing data on behalf of another entity, in which case data exporter is a processor |
Data importer
Name: | The data importer is the entity identified as “Company” in the Addendum |
Address: | As set forth in the Agreement |
Contact person: | As set forth in the Notices provision in the Agreement |
Activities relevant to the data transferred under these Clauses: | As set forth in the Agreement |
Signature and date: | Refer to Addendum |
Role: | Processor, or sub-processor if data exporter is a processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: | Data subjects are defined in Section 2.1 of the Addendum |
Categories of personal data transferred: | Categories of personal data are defined in Section 2.2 of the Addendum. |
Sensitive categories of data (if appropriate): | As determined and controlled by Customer in its sole discretion, and if provided to data importer, data exporter shall comply with Section 3.5 of the Addendum. |
The frequency of the transfer: | As set forth in the Agreement |
Nature of the processing: | As set forth in Sections 2 and 3 of the Addendum and in the Agreement |
Purposes of the data transfer and further processing: |
As set forth in Sections 2 and 3 of the Addendum and in the Agreement |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | As set forth in Sections 2.5 and 10 of the Addendum, and in the Agreement |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | As set forth in Sections 2, 6, and 10 of the Addendum, and in the Agreement |
C. COMPETENT SUPERVISORY AUTHORITY
The data protection authority competent for the Data Exporter or, if the Data Exporter is not established in the European Union or has not appointed a representative in the European Union, is the data protection authority competent for the data subjects whose personal data are transferred under the clauses.
ANNEX II
Technical and organizational measures, including technical and organizational measures,
to ensure the security of the data:
- The iboss architecture, platform, points of presence, security controls and security program are audited and assessed both internally and by external third parties. iboss holds ISO 27001 and ISO 9000 certifications and contracts with an external audit firm for ongoing SOC 1 and SOC 2 Type II audits. iboss also contracts with multiple industry leading assessment and testing organizations to complete external and internal penetration and vulnerability scanning on a routine basis.
- The iboss Information Security Policy is an umbrella policy for other policies, including:
- Access Control and Business Continuity Policies (incl. Data backup and Recovery)
- Asset management
- Human resources security
- Data encryption
- Physical access
- Network security
- Access control
- Compliance
- Each customer service delivery environment is deployed in an isolated containerized node(s), inclusive of any gateway nodes and a separate reporter node. Nodes are deployed in iboss datacenters or the customer’s own managed environment. Containerization allows iboss to decommission and destroy IT assets and data in a customer-specific methodology.
- Customer Personal Data are input within the containerized environment from the gateway node to the reporter node.
- Customers may configure their deployment to redirect Customer Personal Data to its SIEM environment. This data can be controlled, downloaded and reported on via the Services’ administrative web application. This application is wholly accessed and managed by Customer administrators.
- Adoption of architecture design principles that minimize system surface area that can be attacked, remove exposure to protocols or applications from where there is no expectation of communication, and provide dynamic scale in the gateway design to mitigate volumetric attacks that consumer heavy resources and prioritize the ability to quickly scale computation resources up or down.
- An Information Security awareness program is in place for all employees.
- An Access Management Policy is in place that establishes access control rules for iboss information, IT systems and resources (non-critical and critical) and details how iboss manages system accounts, including establishing, activating, modifying, reviewing, disabling and removing accounts. The iboss Access Management Policy covers the following supporting standards: Application Access Control, Network access control, password settings, and user access management and administration.
- Remote network access is restricted by role to limit access to employees as necessary to perform their duties. Remote network access is only granted through the provisioning process with proper approvals from iboss Human Resources and Management. Remote access is only granted to iboss-owned and configured equipment. Two factor authentication, Active Directory, and VPN services are used to deliver the Service.
- iboss conducts monthly, quarterly and annual reviews of systems and procedures. Review processes include providing evidence of policy and procedure compliance. Additionally, annual internal and external audits, semiannual compliance audits, and annual external technology platform testing are conducted.
- Data retention configuration and backups are customizable by customer administrators. Backups of customer environments are encrypted using AES 256 by private key and stored solely in the Customer’s node environment and not stored with the data backup. iboss can return or security destroy Customer data upon written request.
- An iboss information security group, separate from iboss operations, daily reviews all alarms, alerts and reports from the tools, information systems and network appliances deployed in the Services environment and results in the categorization, escalation, remediation and tracking of any identified issues.
- iboss maintains an asset inventory including hardware, software and information assets. Documentation is maintained in dedicated or existing inventories. Ownership of assets is assigned and a classification is defined for each asset.
- All assets and data are destroyed with techniques aligned with NIST 800-88 (industry standard DOD 5220-22M).
- iboss maintains an Information Classification Policy to help manage and protect its information assets. Iboss personnel are required to abide by the Information Classification Policy and handle information accordingly.
- iboss utilizes secured datacenters in appropriately staffed co-location facilities featuring cement walled buildings, no windows, no external signage to identify facility, and natural barriers to secured/video protected parking areas. Physical protection is provided by a combined effort of iboss and the co-location facility. The co-location facility provides alarms, fire, water, power, generators, monitoring, video surveillance cameras and a secure card-key with additional biometric access system. Additionally, all iboss servers are in a secured cage in locked cabinets with keys distributed only as needed for specific entry and only at the time entry is needed. Servers are locked at the OS level, with all administrators using identifiable, auditable and privileged IDs. Remote access tools are password protected.
- A software development methodology requires architects and developers to consider security aspects. Design reviews focus on potential security exposure and provide for identification of security best practices for application and database design, as well as for all related infrastructure elements. The development methodology requires that developers consider the appropriate treatment of data capture, validation, storage, presentation and security. Where appropriate, audit and transaction records are captured and stored within the databases. Access to application and database source code is restricted to the appropriate members of the application development team. Personnel performing testing are independent from the original developer.
ANNEX III
List of iboss Sub-processors
Please refer to the list provided at https://support.ibosscloud.com/
SCHEDULE 2 – ADDITIONAL SCC PROVISIONS
BASED ON EUROPEAN DATA PROTECTION BOARD RECOMMENDATIONS 01/2020
- Company shall promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) (“Disclosure Request”) unless otherwise prohibited by law or a legally binding order of such body or agency and without responding to such request, unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request). Company will review applicable law to evaluate any Disclosure Request, for example the ability of the requesting authority to make the Disclosure Request, and to challenge the Disclosure Request if, after a careful assessment, it concludes that there are grounds under applicable law to do so. When challenging a Disclosure Request, Company shall seek interim measures to suspend the effects of the Disclosure Request until an applicable court or other authority has decided on the merits. Company shall not disclose Customer Personal Data requested until required to do so under applicable law. Company shall only provide the minimum amount of Customer Personal Data permissible when responding to the Disclosure Request, based on a reasonable interpretation of the Disclosure Request. If the Disclosure Request is incompatible with the SCCs or other data transfer mechanism utilized in accordance with Section 3.4 in this Addendum, Company will so notify the requesting authority and, if permitted by applicable law, notify the competent EEA government authority with jurisdiction over the Customer Personal Data subject to the Disclosure Request. Company will maintain a record of Disclosure Requests and its evaluation, response, and handling of the requests. Company will provide Customer with such records relevant to Customer Personal Data except as prohibited by applicable law or legal process or in the interest in protecting Company’s legal rights in connection with threatened, pending, or current litigation.
- Company will utilize industry standard encryption while Customer Personal Data are being Processed by Company as set forth in Schedule 1, Annex II.
- Company has not purposefully created “back doors” or similar programming in its systems that provide Services that could be used to access the systems and/or Customer Personal Data, nor has Company purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or its systems that provide the Services. To the best of Company’s knowledge, United States Data Protection Legislation does not require Company to create or maintain “back doors” or to facilitate access to Customer Personal Data or systems that provide Services or for Company to possess or provide the encryption key in connection with a United States Disclosure Request.
- Company shall use reasonable efforts to assist Customer and its Data Subjects, as instructed by Customer (in accordance with Section 7 of the Addendum), regarding Disclosure Requests, unless prohibited by applicable law, for example to provide information to Customer in connection with the Data Subject’s efforts to exercise its rights and obtain legally available redress, provided Company shall not be required to provide Customer or Data Subjects with legal advice.
- Customer may request to audit Company access logs regarding access to Customer Personal Data, subject to the terms of Section 11 of the Addendum.
- Company has established an internal policy and procedure regarding handling of Disclosure Requests and applicable transfers of Personal Data of customers. Company Legal and Audit personnel are provided information regarding applicable transfers of Customer Personal Data prior to the transferring of any such data, where such information may include an explanation of the necessity of the transfer and any data protection safeguards in scope.
- In the event Company receives a request to voluntarily disclose unencrypted Customer Personal Data to a government authority, Company will use reasonable efforts to first obtain Customer’s consent, either on its behalf or on behalf of the relevant Data Subject.
Regional Privacy Policy Supplement
Last Updated: June 27, 2024
INTRODUCTION
This Regional Privacy Policy Supplement (“Regional Supplement”) is provided as a supplement to the iboss Privacy Policy to provide additional information to individuals who are residents of California or are located in the European Union, United Kingdom, and Switzerland (“Relevant Regions”) as required under applicable data protection laws in those regions (“Regional Laws”). This Regional Supplement includes information such as our purposes for personal information processing, the rights you have regarding our processing of your personal information, and how to contact us if you have any questions regarding our processing of your personal information.
Your Consumer Rights
Certain Relevant Laws provide individuals in Relevant Regions rights regarding their Personal Information, as set forth below. If a Relevant Law applies to you, you may submit a request to exercise your right(s) in relation to your Personal Information as set forth in the Privacy Policy.
- Know/Access: You may request access to the specific pieces of Personal Information we have collected about you, which may, in accordance with Relevant Laws, be limited to the information collected in the prior 12 months. You may also request additional details about our information practices, including the categories of Personal Information we have collected about you, the sources of such collection, the categories of Personal Information we share for a business or commercial purpose, and the categories of third parties with whom we share your Personal Information.
- Correct/Rectify: You may request that we correct or rectify the Personal Information we have collected about you. Please note that we may decline to correct certain information as required or permitted by applicable law, and we may deny your correction request if retaining the Personal Information in its current state is necessary for us or our service providers under any permitted exceptions. We are required by law to verify your identity prior to correcting your information in order to protect your privacy and security. If you request to change your Personal Information, certain features of our Website or Platforms may no longer be available to you or may no longer operate correctly.
- Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive Personal Information, as defined in Relevant Laws, to certain purposes as set forth in the Relevant Laws.
- Delete/Erase: You may request that we delete the Personal Information we have collected about you. Please note that we may retain certain information as required or permitted by applicable law, and we may deny your deletion request if retaining the Personal Information is necessary for us or our service providers under any permitted exceptions. If you request to delete your Personal Information, certain features of our Website or Platforms may no longer be available to you.
- Restrict or Object: You may request that we limit the way we use your Personal Information or object to certain forms of processing.
- Data Portability: You may request for your Personal Information to be transferred directly to another organization.
- Automated Decision Making and Profiling: You have the right not to be subject to automated decision-making if it produces a legal effect that significantly affects you, with certain exceptions. Please note that we do not generally engage in this activity and do not as a matter of course control or process Personal Information for this purpose, and if we do, we comply with Relevant Laws in connection with such data processing.
- Not to Receive Direct Marketing Communications: In some Relevant Regions, you may request to not receive our direct marketing messages, as more fully set forth below.
Certain other details regarding the processing of Personal Information that individuals located in Relevant Regions may be entitled to receive are contained in other provisions of the Regional Supplement.
How To Exercise Your Rights
You may be able to access, correct, or delete your Personal Information using your account settings and tools that we offer, but if you aren’t able to do that, or you don’t have an account, or you would like to contact us about one of the other rights, our contact information is set forth in “How May I Contact iboss?” below. Individuals in the European Economic Area, Switzerland, and United Kingdom (collectively, “Europe”) also have the right to make a complaint to a government supervisory authority.
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. Under some Relevant Laws, you may only make a verifiable consumer request for access twice within a 12-month period. The verifiable consumer request must (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We will respond to a verifiable consumer request within the time periods permitted under Relevant Laws. If we require more time, we will inform you of the reason and extension period in writing, in accordance with Relevant Laws.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We may not be able to provide all of the information requested, for example: (i) if the Personal Information was collected for a single one-time transaction and if, in the ordinary course of business, such information was not retained; (ii) we would be required to reidentify or otherwise link any data that, in the ordinary course of business, was not maintained in a manner that would be considered Personal Information; or (iii) the consumer used different browsers, devices or identifying information and we have not linked all such information together.
Please note that you may designate an authorized agent to exercise these rights on your behalf by providing written materials demonstrating that you have granted the authorized agent power of attorney. Please note that if an authorized agent submits a request on your behalf, we may need to contact you to verify your identity and protect the security of your Personal Information.
Additional Terms
California Privacy Rights Act (“CPRA”) Notice
If you are a California resident, the CPRA requires us to disclose the following information with respect to our collection, use, and disclosure of Personal Information.
- Categories and Specific Pieces of Personal Information Collected: In the preceding 12 months, we have collected the following categories of Personal Information: certain identifiers, certain of the Personal Information categories listed in the California Customer Records statutes, commercial information, internet or other similar network activity, professional or employment-related information, and geolocation data. For more detail regarding the Personal Information we collect, please see “What Information Do We Collect And From What Sources” in our Privacy Policy.
- Business or Commercial Purpose for Collecting and Using Personal Information: We collect Personal Information for the business purposes described in “How Do We Use Personal Information” in our Privacy Policy.
- Categories of Sources of Personal Information: We collect Personal Information directly from you, automatically, and from other sources, each of which is more particularly described in “What Information Do We Collect And From What Sources” in our Privacy Policy.
- Categories of Personal Information Disclosed: In the preceding 12 months, we have disclosed the categories of Personal Information for business or commercial purposes as set forth in “What Information Do We Collect And From What Sources” in our Privacy Policy.
- Categories of Third Parties with whom We Share Personal Information: We may share your Personal Information with the third parties as described in “What Personal Information Do We Disclose to Third Parties” in our Privacy Policy.
- “Sale” or “Sharing” of Personal Information: iboss does not as a matter of course “sell” or “share” (as those terms are specifically defined in the CPRA) your Personal Information.
- Retention of Data. Please see “What Is Our Personal Information Retention Policy” in our Privacy Policy for details regarding the time period for which we retain Personal Information or the criteria we use to determine how long we retain Personal Information.
Non-Discrimination and Non-Retaliation
We will not discriminate or retaliate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not deny you goods or services; charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; provide you a different level or quality of goods or services; and/or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
California “Shine the Light” Law
California residents may request certain information regarding our disclosure (if any) of Personal Information to third parties for their direct marketing purposes, pursuant to California Civil Code Section 1798.83 (the California “Shine the Light” law). To make such a request, please contact us, identify yourself as a California resident and provide sufficient information so we can take appropriate action, such as your name, email address or any additional information required.
Individuals Located in Europe
If you are located in Europe (as defined above), the legal bases for using your Personal Information as set out in our Privacy Policy are as follows:
- Necessary for Performance of a Contract: If we or our affiliates have entered into a contract with customers, partners, suppliers or other third parties, we may need to process your Personal Information or we may need to process your Personal Information to enter into a contract with you for employment purposes if you have applied for a job with iboss.
- Consent: Where you have provided your consent for us to engage in marketing activities with you, we may need to process your Personal Information or where you have provided us with explicit consent to process your sensitive or special categories of Personal Information in connection with our recruiting activities.
- Legitimate Interest: We may need to process your Personal Information where we have a legitimate interest in doing so, such as (1) to communicate with you in response to your requests, questions, inquiries, and submissions; (2) to conduct advertising, marketing and promotional activities in connection with operating our business; (3) for research and development, operation, security and optimization of our Websites, Platforms, and business; (4) to process a job application, conduct recruiting activities, develop and improve our recruiting process or websites, and communicate with you regarding your interest in current or future employment opportunities with us; and (5) for fraud prevention and know-your-customer obligations.
- Comply with Legal Obligations: Where we are required to comply with laws or legal obligations.
International Transfer of Data
We may transfer to, process, and store the data we collect about you in countries other than the country in which the data was originally collected, including the USA, Canada, or other destinations outside Europe. Those countries may not have the same data protection laws as the country from which you provided the data. When we transfer your data to other countries, we will protect the data as described in our Privacy Policy and comply with Relevant Laws providing adequate protection for the transfer of data to countries outside Europe.
We transfer your Personal Information outside Europe with appropriate organizational safeguards in place. Specifically, we transfer your Personal Information in accordance with the Standard Contractual Clauses (“SCCs”). The SCCs are part of our Data Processing Addendum. By utilizing our Website and Platforms, you agree to the transfer of your Personal Information in accordance with our Data Processing Addendum.
You may request more information about the safeguards that we have put in place in respect of transfers of Personal Information by contacting us as described below.
Data Processing Roles
Data protection laws in the Europe differentiate between the “data controller” and “data processor” of Personal Information.
Data Controller. iboss is the data controller for the processing of your Personal Information relating to customer accounts, marketing, and Personal Information collected through our Website and the Platforms when we engage in the foregoing activities. You can find our contact information, and the contact information of our EU-based representative, below.
Data Processor. iboss is the data processor for the processing of Employee Personal Information (as defined in our Privacy Policy). If you are an employee or end user of one of our customers, please contact the appropriate customer of iboss to exercise the rights described above.
DO WE UPDATE THIS REGIONAL SUPPLEMENT?
iboss may review and update this Regional Supplement periodically without any prior notice. We will indicate in this Regional Supplement when it was most recently updated. In the case of material changes to the Supplement, we may notify you of such changes.
HOW MAY I CONTACT IBOSS?
To contact iboss about any of the foregoing matters, please contact us as set forth in the Privacy Policy.
Cookie Policy
Last Updated: June 27, 2024
This Cookie Policy explains how iboss, Inc. uses cookies and similar technologies to recognize you when you visit our Website or use our Platforms. It explains what these technologies are and why we use them, as well as the choices for how to control them.
Cookies and similar technologies
We may process Personal Information about you when we use cookies or similar technologies, for example, your IP address, username, unique identifier, or an email address. Where we do so we will only process your Personal Information in compliance with our Privacy Policy.
What is a cookie?
A cookie is a piece of data contained in a very small text file that is stored in your browser or elsewhere on your hard drive.
Cookies set by iboss on the Website or the Platforms are called “first party cookies.” Cookies on the Website or the Platforms set by parties other than iboss are called “third party cookies.” Third party cookies enable third party features or functionality to be provided on or through the Website or Platforms.
Why do we use cookies?
We use first party and/or third party cookies on our Website and Platforms for various purposes such as:
- to facilitate the operation and functionality of our Website and Platforms;
- to improve your experience while using our Website and Platforms and make navigating around them quicker and easier;
- to allow us to make a bespoke user experience for you and for us to understand what is useful or of interest to you;
- to analyze how our Website and Platforms are used and how best we can customize them; and
- to facilitate safe and secure payment processing.
What types of cookies does iboss use and what are they for?
We use the cookies set forth on our Cookies Used On This Site page.
Third-Party Cookies
Some cookies that have been set on our Website or are Platforms are not set on a first party basis by iboss. These third party service providers may set their own cookies on your web browser. We do not control the use of these third party cookies as cookies can only be accessed by the third party that originally set them. The parties that set these third-party cookies can recognize your device both when it visits our Website and also when it visits certain other websites.
What We Do With IP Addresses
When you visit the Website or use our Platforms, we collect your IP addresses to track and analyze information about the devices that are connecting to our systems and about where those devices are located. For example, we use IP addresses to track which regions visitors to our Website or users of our Platforms come from and to detect possible fraud.
Choices
You can typically remove and reject cookies from our Website and Platforms with your browser settings. Many browsers are set to accept cookies until you change your settings. If you remove or reject our cookies, it could affect how our Website or Platforms work for you. If you access the Website or Platforms from multiple devices, you may need to update your settings on each individual device.
You may utilize the “Cookie Settings” link on our page to obtain more information regarding the cookies used by our Website and Platforms and disable or enable certain categories of cookies. Note that by disabling certain categories of cookies you may be prevented from accessing some features of our Website or Platforms, certain content or functionality may not be available, or the Website or Platforms may not operate correctly.
Some web browsers may allow you to enable a do-not-track feature that alerts the websites you visit that you do not want your online activities to be tracked. Our Platforms may not recognize or react in response to do-not-track signals. At present, no generally accepted standards exist on how companies must respond to do-not-track signals. In the event a final standard is established, we will assess and provide an appropriate response to these signals.
Depending on your location, you may also opt out of third-party cookies relating to behavioral advertising by visiting the following websites:
- European Interactive Digital Adverting Alliance (EDAA): www.youronlinechoices.eu and http://www.edaa.eu/
- Digital Advertising Alliance (DAA): http://www.aboutads.info/choices/
- Network Advertising Initiative (NAI): http://optout.networkadvertising.org
DO WE UPDATE THIS COOKIE POLICY?
iboss may review and update this Cookie Policy periodically without any prior notice. We will indicate in the Cookie Policy when it was most recently updated. In the case of material changes to the Cookie Policy, we may notify you of such changes.
HOW MAY I CONTACT IBOSS?
To contact iboss about any of the foregoing matters, please contact us as set forth in the Privacy Policy.