Terms of Service
These Terms of Service (this "Agreement") govern your access to and use of the BugProve Service (defined below as "the Services"). If you register for a free trial, evaluation or free Services, the applicable provisions of this Agreement also govern your access to such Services.
You agree to the terms of this Agreement by accepting them or by using the Services.
We periodically update the terms of this Agreement. If you have an active BugProve account, we will notify you of updates via an email or a notification on the BugProve platform. Unless the notice states otherwise, the updated terms of this Agreement will become effective and binding on the next business day after it is posted.
"You" means you are accepting these Terms or Service on behalf of an entity you represent, or you are accepting the terms on behalf of yourself, individually. If you are accepting on behalf of your employer or another entity, you represent and warrant that you have full legal authority to bind your employer or such entity to these Terms of Service, and you agree to these Terms of Service on behalf of that entity. If you do not have such authority, are under 18 years of age, or do not agree to the terms set forth in this Agreement, you must not use the Services. "BugProve", "we", "us" or "our" means the applicable BugProve contracting entity as specified in the 'BugProve Entity and Law and Jurisdiction' section below.
Direct competitors of BugProve are prohibited from accessing or using the Services and the Services may not be accessed for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.
This Agreement is effective as of the date on which you accept it either by means of the Order Form or by utilizing the Services. The following also apply to your use of the Services:
-
Our Data Processing Addendum which describes how we will process any personal data of those you authorised to use the Services. To the extent that we act as the data processor of any personal data of which you are the data controller, the Data Processing Addendum forms part of this Agreement.
Additionally, the following policies apply to your use of our website:
-
Our Privacy Policy, which sets out the terms on which we process any personal data we collect from you, or that you provide to us.
1. DEFINITIONS
In addition to the terms defined herein, the following terms shall be defined as follows:
Added Option
means any optional product, service, feature or functionality which BugProve makes available to you subject to the agreement of additional terms;
Confidential Information
all non-public information (however recorded or preserved) disclosed by a party to the other party after the date of this agreement, including but not limited to any information that would be regarded as confidential by a reasonable business person;
Crowdsourced Security Program
means a bug bounty program, vulnerability disclosure program, next-generation penetration test program or such other on-demand or annual program offered by third parties for independent security researchers.
User
means either an employee, agent or independent contractor who contributes, or has contributed, to the Protected Asset, including modification, programming and testing, recalculated on a rolling ninety (90) day basis or an employee, agent or independent contractor or security researcher who contributes to the testing services provided by you to third parties subject to terms set forth in section 'Your Use of the Services' below;
Documentation
the documents made available by BugProve online at https://bugprove.com/docs/ or such other web address notified by BugProve from time to time which sets out a description of the Services and the user instructions for the Services;
Intellectual Property Rights
patents, rights to inventions, copyright and related rights, trade marks, business names and domain names, rights in get-up, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets), and all other intellectual property rights;
Issue
a vulnerability, security misconfiguration or other issue identified by the Services as potentially negatively affecting the security, integrity or functioning of any Protected Asset;
Order Form
The online order process specifying the Services to be provided under this Agreement that is entered into between you and BugProve and your Subscription Allocation;
Personal Data
any information relating to an identified or identifiable natural person;
Protected Asset
any code, configuration file, firmware image, binary or other item relating to your software projects, in all cases in respect of which you use the Services during the term of this Agreement;
Service Data
information and data made available by BugProve to you in connection with the Services;
Services
the services and access to Software provided by BugProve to you under this agreement as more particularly may be described in the Order Form and the Documentation;
Software
the software applications provided by BugProve as part of the Services;
Subscription Allocation
the limits on the use of the Services comprised in your subscription (or, as the case may be, your free plan), as may be set out in an Order Form, including any limit on the number of Developers contributing to the Protected Asset;
Virus
any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, Trojan horses, viruses and other similar things or devices;
Your Data
the data inputted by you, or BugProve on your behalf for the purpose of using the Services or facilitating your use of the Services.
2. PROVISION OF SERVICES
-
Subject to your compliance with the terms of this Agreement, we will provide you with access to use the Services, Service Data and the Documentation during the Term solely for your internal business operations in accordance with your Subscription Allocation.
-
If you have a paid subscription, this Agreement shall remain in effect for the initial period stated on the Order Form and thereafter, will renew automatically for additional twelve (12) month periods until terminated by either you or us providing the other with notice of termination prior to the end of the Term (all such periods together referred to as the "Term"). If you are on a free plan, "the Term" is the period commencing on your acceptance of these Terms of Service and ending when either we or you terminate this Agreement as set out in the Termination section below.
-
This Agreement will apply to any new services, feature, or functionality which we may introduce from time to time, except to the extent that they are Added Options which may be subject to the additional terms to which you will be required to agree and additional fees which you will be required to pay before being permitted to use the Added Options.
-
The Service-Specific Terms set out in the Schedule below highlight some of the important things about using particular features and functions of certain individual Services. To the extent that your Order Form specifies any of those Services as being included in your subscription, the relevant additional Service-Specific Terms form part of these Terms of Service and apply additionally to your use and our provision of those Services.
3. YOUR ORDER AND SUBSCRIPTION ALLOCATION
If you have a paid subscription, your Order Form sets out the subscription plan that you have agreed to purchase. You shall ensure that the maximum number of users shall not exceed your Subscription Allocation. We may track the number of Users to verify that you are paying for the correct number of subscriptions and invoice you for any additional fees due.
4. PAYMENT
-
If you choose a paid-subscription plan, you agree to pay us fees in accordance with the relevant pricing plan. Details of those fees are set out on our Pricing Page at https://bugprove.com/pricing/ (which do not include VAT), unless specified in a custom order form.
-
Your payment shall be made for Services provided by the BugProve in US Dollars (USD) by credit card or bank wire transfer. In case your payment is done via card, depending on the pricing plan chosen by you, our third party payment processor will (and you hereby authorise it to) bill your payment card for the applicable fee in advance on or shortly after the date you subscribe for a paid plan and each month or anniversary thereafter, until terminated by you or us.
The fees are non-cancellable and non-refundable, except as expressly stated otherwise in these Terms of Service.
-
If you move to a higher tier of a paid plan, the change will take effect immediately and we will charge you for the additional fees associated with the new paid plan on a pro-rata basis. If you move to a lower tier of a paid plan, the fee change will take effect in the next billing cycle. You acknowledge that you will not receive a refund for the then-current billing cycle if you move to a lower tier of a paid plan, or to a non-payment subscription plan. Features of the higher tier paid plan will remain available until the next billing cycle. In case of wire transfer payment, the change will take effect within 24 hours from receipt of payment on a pro-rata basis.
-
We reserve the right not to provide you with the Services until the relevant fee has been received in full and cleared funds.
-
We also reserve the right to change our fees or payment plans at any time. If you do not agree to such change, you must ask us to delete your account via email to support@bugprove.com and stop using the Services within 30 days of the date the new fee or payment plan becomes effective, at which point this Agreement will be deemed to have been terminated by you. We will only charge you in respect of the period before termination and based on the old fee or payment plan. If you do agree to such change (which will be deemed from your continued use of the Services after the date the new fee or payment plan becomes effective), your next bill will include the new fees on a pro rata basis.
-
You will pay fees without any set-off, counterclaim, deduction or withholding of any kind, except as may be required by law. If any withholding or deduction is required by law, you will, when making the payment to which the withholding or deduction relates, pay to us such additional amount as will ensure that we receive the same total amount that it would have received if no such withholding or deduction had been required.
5. YOUR USE OF THE SERVICES
-
You shall prevent unauthorized access or use of the Services, Service Data, Documentation, and in the event of a breach, you will notify us immediately. You are responsible for all use of our Services with your account details, which includes all user passwords issued to your organization for each Authorized User, and for protecting your account details from unauthorized use. You are also responsible for the security of any computer from which you sign into your account. You shall ensure that all your BugProve account credentials are kept confidential. You will maintain a written, up to date list of current Users at all times, and upon our request, you shall either produce such list or the results of source control logs to us within 5 business days. You agree to ensure that all use of the Services, Service Data, Platform and Documentation by you or under your BugProve account are in compliance with the terms and conditions of this Agreement (including the Acceptable Use Policy) and in compliance with all applicable laws, rules and regulations governing this Agreement. You are responsible for any breach of this Agreement by any person using your BugProve account credentials.
-
You promise not to access, store, distribute or transmit any Viruses, or any material during the course of your use of the Services, the Platform, Service Data or Documentation that infringes any Intellectual Property Right of any other person and/or advocates, promotes or assists any unlawful act or illegal activity, and BugProve reserves the right, without liability or prejudice to its other rights to you, to disable your access to any material that breaches the provisions of this clause.
-
You may not, except to the extent expressly permitted under this Agreement, (i) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software, Service Data, Platform or the Documentation in any form or media or by any means; or (ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software; or (iii) access all or any part of the Services in order to build a product or service which competes with the Services; or (iv) access without authority, interfere with, manipulate, damage or disrupt all or any part of the Services or any equipment or network owned or used by any third party, or assist any third party in doing such acts, or (v) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services, Service Data, Platform or the Documentation available to any third party.
-
You may use the Services, Service Data, Platform or the Documentation to provide services to third parties subject to additional terms which BugProve makes available to you as an Added Option;
-
You may use the free subscription plan to enter Crowdsourced Security Programs ("Bug Bounty programs") and report Issues or other testing results, vulnerabilities discovered using the BugProve Services, Service Data, Platform or the Documentation subject to third party security disclosure terms.
6. YOUR DATA AND PRIVACY
For the purposes of providing the Services, BugProve may collect, process and store certain data concerning your users and Developers. Personal Data such as their email addresses. To the extent that BugProve processes Personal Data on your behalf as data processor when performing its obligations under this Agreement, the Data Processing Addendum shall apply.
7. OUR RESPONSIBILITIES TO YOU
-
BugProve will make commercially reasonable efforts to ensure that the Services will be performed substantially in accordance with the Documentation. However, we will have no obligations to the extent of any non-conformance which is caused by use of the Services contrary to our instructions, or modification or alteration of the Services by any party other than BugProve or BugProve's duly authorised contractors or agents. Your sole remedy and our only obligations to you if the Services do not conform with the foregoing undertaking is for us to (at our expense), use all reasonable commercial endeavours to correct any such non-conformance promptly, or provide you with an alternative means of accomplishing the desired performance.
-
Any operation or transaction completed via any third-party application or service is between you and the relevant third party, and not BugProve. BugProve recommends that you refer to the third party's terms and conditions and privacy policy prior to using the relevant third-party application or service. Our provision of features enabling interoperation with any third party application or service does not constitute endorsement or approval of it.
-
You acknowledge and agree that:
-
the Services will evolve over time and that functionality may be added and removed from time to time;
-
BugProve does not warrant that use of the Services will be uninterrupted or error-free, or that the Services and/or the information obtained through the Services will meet your requirements; and
-
BugProve is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the Internet, and you acknowledge that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
-
-
We have no obligation to modify Software to support your use of the Services and you acknowledge that the accuracy and completeness of the Services is dependent on a number of factors outside our control, including design, implementation, and use of the Protected Asset, erroneous dependency or Issue data, and changes to the environment in which the Protected Asset is used.
-
While we use commercially reasonable efforts to properly identify dependencies and Issues for review, you acknowledge that we do not warrant that:
-
the Services will be able to find and monitor all Issues included in, applicable to or used by the Protected Asset or your applications containing it.
-
Whilst BugProve endeavours to keep up to date and build on its vulnerability and license database, the Services do not constitute professional advice (including legal advice) in relation to the Protected Asset and we do not guarantee it is a complete source of all Issues, nor that it is relevant or suited to the Protected Asset or your software projects generally;
-
we will be able to provide a remediation for all Issues discovered using the Services;
-
-
You also agree that:
-
You assume sole responsibility for results obtained from the use of the Services, and for conclusions drawn from such use.
-
a recommended remediation will not break the functionality of your code or will not result in the introduction of new Issues. You acknowledge that it is your responsibility to assess the impact of the remediation before applying it.
-
that remediations are provided for general information only, and have not been made with your particular requirements in mind. It is therefore not intended to amount to advice on which you should solely rely.
-
-
From time to time, BugProve may make Beta Services available at no charge. Beta Services are made available "AS IS" and BugProve shall have no liability for any harm or damage arising out of or arising out of or in connection with the Beta Services. You may choose to try such Beta Services at your sole discretion. BugProve may discontinue Beta Services at any time in its sole discretion and may never make them generally available.
8. INTELLECTUAL PROPERTY RIGHTS
-
BugProve and/or its licensors owns all Intellectual Property Rights in the Services, Service Data, Software, Platform and the Documentation and except as expressly stated herein, BugProve does not grant to you any rights to, or in, such Intellectual Property. If you create any derivative works or developments based on BugProve Intellectual Property Rights, you agree to assign to BugProve all ownership rights and title to such developments.
-
BugProve claims no Intellectual Property Rights in and to your applications and software, Protected Asset or any material you provide or otherwise transmit to BugProve via the Platform. However, you acknowledge and agree that in order for us to provide Services, we will be inspecting, using, sending to BugProve servers, displaying and storing: (i) the Protected Asset; (ii) information relating to the Protected Asset (such as the project name and metadata), information relating to the dependencies (including open source and proprietary as available to the Platform) being used and how they are referenced by the Protected Asset, BugProve-related files and environmental information and the license information applicable to the Protected Asset (together, "Project Information"); (iii) Project Information for each of the Protected Asset's dependencies ("Dependency Information"); (iv) information relating to unconfirmed and confirmed vulnerabilities discovered in code and associate metadata ("Vulnerability Information") ;and (v) any of Your Data, in all cases for the purposes of providing the Services.
-
Additionally, you acknowledge and agree that BugProve may use the Project Information, Vulnerability Information, the Dependency Information and any of Your Data for analytical purposes and to improve the Services. BugProve shall continue such use indefinitely and it will not end upon termination of this Agreement or upon your deletion of the relevant project on the project page of the Platform until and unless you send us written notice to cease such use via email at support@bugprove.com.
9. CONFIDENTIALITY
-
We each may be given access to Confidential Information from the other party in order to perform our respective obligations under this Agreement. Confidential Information does not include information that: (i) is or becomes publicly known other than through any act or omission of the receiving party; (ii) was in the other party's lawful possession before the disclosure; (iii) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; (iv) is independently developed by the receiving party, which independent development can be shown by written evidence; (v) or is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body. Details of the Services, the Service Data, the Documentation, and the results of any performance tests of the Services, constitutes BugProve's Confidential Information.
-
Each party shall hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of this Agreement.
-
Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.
-
The obligations of confidentiality and non-use in this Section shall survive termination of this Agreement.
10. INDEMNIFICATION
You will defend, indemnify and hold harmless BugProve against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with your use of the Services, the Platform, Service Data and/or Documentation other than in accordance with this Agreement.
11. LIMITATION OF LIABILITY
-
Nothing in this agreement excludes the liability of either party:
-
for death or personal injury caused by the negligence of the other party; or
-
for fraud or fraudulent misrepresentation; or
-
any liability that cannot be excluded or limited by law.
-
-
Neither party shall be liable whether in tort, contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and
-
Except for your liability under the Indemnification section above (which will not be subject to any limit), the total aggregate liability of either party arising in connection with the performance or contemplated performance of this Agreement shall be limited to the greater of USD $100, or the total fees paid by you for the Service during the 12 months immediately preceding the date on which the claim arose.
-
BugProve will not be liable for our failure to find, fix and monitor Issues, any 'false positives' incorrectly identified by the Services as requiring consideration of a remediation; or for any damage or loss suffered as a result of a recommended remediation deployed. Nor shall BugProve have any responsibility for any damage caused by errors or omissions in any content or omissions in any information, instructions, or scripts provided by you in connection with the Services or any action taken by us at your direction.
-
All other warranties, conditions, representations or other terms implied by statute or common law in relation to the Services, Documentation, Service Data, and Platform are excluded to the fullest extent permitted by law.
12. TERMINATION
-
If you do not have a paid subscription to the Services, we may suspend, limit, or terminate the Services and terminate this Agreement for any reason at any time without notice, and you may terminate this Agreement at any time by deleting your account by means of the Service, or asking us to do so via email to support@bugprove.com If you have a paid subscription to the Services, you or we may terminate by giving thirty (30) days' notice before the end of the then current Term via email to support@bugprove.com
-
Without affecting any other right or remedy available to us, we may terminate this agreement with immediate effect by giving written notice to you if (i) you commit a material or persistent breach of these terms
-
On termination of this Agreement: (i) the rights granted to you under this Agreement Shall immediately terminate; and (ii) you shall pay any and all fees outstanding, delete all copies of the Service Data and cease all use of the same; and immediately uninstall, delete or remove from all computer equipment in your possession or control, and destroy or return to BugProve all copies of, any software used in the provision of the Services.
-
Any provision of this agreement that expressly or by implication is intended to come into or continue in force on or after termination of this agreement shall remain in full force and effect.
13. WAIVER
No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.
14. SEVERANCE
If any provision of this Agreement or any Order Form, shall be held to be invalid or unenforceable for any reason, the remaining provisions shall continue to be valid and enforceable. If a court of competent jurisdiction finds that any provision of this Agreement or any Order Form is invalid or unenforceable, but that by limiting such provision it would become valid or enforceable, then such provision shall be deemed to be written, construed, and enforced as so limited.
15. ENTIRE AGREEMENT
This Agreement, the Documentation, and each respective Order Form contain the entire agreement of the parties with respect to the Services specified in each Order Form, and there are no other promises or conditions in any other agreements, whether oral or written. This Agreement supersedes any prior written or oral agreements between the parties with respect to those Services provided under this Agreement, or specified in each Order Form (if applicable). The parties agree that any term or condition stated in a purchase order provided by You or in any other order documentation provided by You is void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (a) the applicable Order Form, (b) this Agreement, and (c) the Documentation. Titles and headings of sections of this Agreement are for convenience only and shall not affect the construction of any provision of this Agreement.
16. ASSIGNMENT
You may not assign or transfer this Agreement or any rights or obligations hereunder without our prior written consent. Notwithstanding the foregoing, no consent is required for you to assign your rights and obligations under this Agreement to an Affiliate or to a successor in interest through merger, reorganization, consolidation, or acquisition, provided that you provide us with notice of the assignment. Any attempted assignment, transfer, or other conveyance in violation of the foregoing shall be null and void. No assignment shall relieve the assigning party of any of its obligations hereunder. This Agreement shall be binding upon and shall inure to the benefit of the parties hereto and their respective successors and permitted assigns.
17. NO PARTNERSHIP OR AGENCY
The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. Each party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes.
18. THIRD PARTY BENEFICIARIES
There are no third party beneficiaries under this Agreement.
19. LEGAL NOTICES
To contact us for technical issues, please email support@bugprove.com For legal notices, please contact legal@bugprove.com. A notice sent by email shall be deemed to have been received at the time of transmission.
20. BUGPROVE ENTITY AND LAW AND JURISDICTION
(i) you are contracting with BugProve, Inc. (whose principal place of business is at 3500 South Dupont Highway, Dover, Delaware 19901.);
(ii) any dispute or claim arising out of or in connection with this Agreement shall be governed by and construed in accordance with the law of the state of Delaware; and,
(iii) the parties hereby submit and consent to the exclusive jurisdiction of the state of Delaware and agree that any such litigation shall be conducted only in the courts of Delaware or the federal courts of the United States located in Delaware and no other courts.
DATA PROCESSING ADDENDUM
"CONTROLLER"
The customer of BugProve, Inc. (as the case may be), as set out in any ordering document or agreement between the parties under which the Processor provides services to the Controller ("BugProve Main Agreement").
NAME AND ADDRESS OF PROCESSOR ("PROCESSOR")
'BugProve' as defined in the BugProve Main Agreement.
SUBJECT MATTER OF THE PROCESSING
The processing of Personal Data as part of the BugProve services under the BugProve Main Agreement ("Services").
DURATION OF THE PROCESSING
Start date - the date Personal Data is first processed by Processor. End date - the date of termination or expiry of the BugProve Main Agreement. The frequency of the processing is continual and ongoing during the term of the BugProve Main Agreement.
NATURE OF THE PROCESSING
The processing of certain personal data by the Processor on behalf of the Controller in relation to allowing access of the Controller's users to the Processor's platform for the purposes of reviewing software projects submitted to the platform.
PURPOSE OF THE PROCESSING
- Collection of the specified data so that the Processor may provide the Services to the Controller
- Storage on secure cloud storage facilities
- Digest and comparison for authentication and authorization purposes
- Messaging regarding the Controller's use of the Processor's products and services
TYPE OF PERSONAL DATA
- First and last name, employer, title and position
- Email Addresses
- User ID on source code repositories and other services integrated with BugProve by the Controller's users
- Connection and/or localization data The data shall not include any 'special category' data as defined under GDPR.
CATEGORIES OF DATA SUBJECTS
Employees, developers, contractors of the Controller.
The Data Processing Details above together with the terms and conditions below constitute this "Data Processing Addendum" or "DPA". This DPA forms part of BugProve Main Agreement.
TERMS AND CONDITIONS
1. INTERPRETATION
-
The following definitions and meanings apply to this DPA:
"Adequate Territory" means: (i) in respect of Personal Data which is subject to the GDPR, the European Economic Area and any other territory which the European Commission has determined ensures an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR; (ii) in respect of Personal Data which is subject to the UK GDPR, the United Kingdom and any other territory which the UK Secretary of State has by regulations specified ensures an adequate level of protection for Personal Data pursuant to Article 45 of the UK GDPR and Section 17A of the UK Data Protection Act 2018
"Applicable Data Protection Laws" means, with respect to a party, all data protection laws applicable to such party's processing of Personal Data, including the GDPR, the UK GDPR, the CCPA and as applicable, and any legislation which amends, re-enacts or replaces them.
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations ("CCPA"), "Data Subject", "Data Processor", "Data Controller" and "Processing" shall have the meanings set out in the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
"Personal Data" means any information relating to an identified or identifiable natural person, which is processed by the Processor solely on behalf of the Controller, as part of the Services under the BugProve Main Agreement.
"Security Measures" means the technical and organizational security measures to be applied by Processor in respect of the Personal Data
"SCCs" means the standard contractual clauses annexed to the European Commission's Decision (EU) 2021/914 of 4 June 2021; as they may be amended, superseded or replaced from time to time.
"UK GDPR" has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
"UK Transfer Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof ("UK Mandatory Clauses").
-
Clause headings shall not affect the interpretation of this DPA.
-
The words "include" and "including" shall not limit the generality of any words preceding them.
2. RIGHTS AND OBLIGATIONS
-
Controller and Processor shall each comply with the Applicable Data Protection Laws. For the purposes of the Applicable Data Protection Laws, Controller is the Data Controller (under CCPA, the 'business') and Processor is the Data Processor (under CCPA, the 'service provider'), of the Personal Data.
-
Processor shall process Personal Data only on documented instructions from Controller, unless required to do so by applicable law. Processor shall not "sell" the Personal Data within the meaning of the CCPA. To the extent the CCPA is applicable, the parties acknowledge that Controller's transfer of Personal Data to Processor is not a "sale" and Processor provides no monetary or other valuable consideration to Controller in exchange for the Personal Data.
-
Processor shall ensure that persons authorized by it to process the Personal Data are bound by enforceable confidentiality obligations not to disclose it.
-
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, Processor shall implement appropriate technical and organizational measures (to ensure a level of security appropriate to the risk) supported by a written Information Security Management System in such a manner that the Processing of Personal Data will meet the requirements of the Applicable Data Protection Laws and ensure the protection of the rights of each Data Subject. Such measures shall include the Security Measures.
-
Processor shall take account of the risks that are presented by Processing the Personal Data in assessing the level of security required for Personal Data.
-
Controller authorizes Processor to engage third party sub-processors ("Sub-processors") to process the Personal Data. Processor provides reasonable prior notice before the proposed addition or replacement of any Sub-processor by posting details at https://bugprove.com/legal/privacy-policy/, in order to allow Controller to raise in writing any reasonable objections on grounds of data protection within 14 days of such notice. In the event of such an objection, the parties will discuss Controller's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Processor will, at its sole discretion, either not appoint the new Sub-processor, or permit Controller to suspend or terminate the BugProve Main Agreement without liability to either party. Processor shall not be obliged to make any refund of any sums paid under the BugProve Main Agreement.
For the purposes of the SCCs (including Clause 9(c) of the SCCs), Controller acknowledges that Processor may be restricted from disclosing to Controller its contract terms with Sub-processors due to confidentiality obligations.
Processor shall ensure each Sub-processor is appointed under a binding written contract conferring a materially similar level of obligation on the Sub-processor in relation to protection of the Personal Data as under this DPA (including those relating to sufficient guarantees to implement appropriate technical and organizational measures) and shall be responsible for ensuring each such Sub-processor complies with all such obligations.
-
Processor shall, taking into account the nature of the Processing, provide reasonable assistance to Controller by appropriate technical and organizational measures (insofar as this is possible) in Controller's compliance with its obligations to respond to requests from Data Subjects under Applicable Data Protection Laws.
-
To the extent required under Applicable Data Protection Laws, Processor shall (taking into account the nature of processing and the information available to the Processor) assist Controller in ensuring compliance with Controller's obligations under Applicable Data Protection Laws in respect of security of Processing, notification of Personal Data breaches, data protection impact assessments and prior consultation with supervisory authorities.
-
Processor shall upon termination or expiry of the BugProve Main Agreement delete or return to Controller all Personal Data processed under this DPA (including any copies of it) unless required to retain it under applicable law.
-
Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Controller, or another auditor mandated by Controller on 10 working days' notice and mutual agreement of a suitable scope and agenda.
-
Processor shall immediately inform Controller if it becomes aware that Controller's processing instructions infringe GDPR or UK GDPR (as applicable) but without obligation to actively monitor Controller's compliance with them.
-
The Controller acknowledges and agrees that the Processor may transfer, access and process Personal Data on a global basis as necessary to provide the BugProve service in accordance with the BugProve Main Agreement. The Processor will make any such transfers in compliance with Applicable Data Protection Laws. This paragraph forms part of Controller's instructions to Processor.
-
Solely to extent required to ensure Processor's Processing of Personal Data complies with any international transfer rules set out in Applicable Data Protection Laws, in the event that the transfer of Personal Data from Controller to Processor involves a transfer of Personal Data, that is subject to GDPR or UK GDPR, outside of an Adequate Territory, the SCCs shall be incorporated by reference and form an integral part of this DPA -- with Controller as "data exporter" and Processor as "data importer" -- in the following manner:
-
In relation to any such transfer made subject to the EU GDPR, for the purposes of the SCCs: (i) Module Two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted; (ii) in Clause 9, Option 2 shall apply and the "time period" shall be 14 days (iii) in Clause 11, the optional language shall not apply; (iv) in Clause 17 (Option 1) the SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) Annex 1 and 3 of the SCCs shall be populated with the information set out in this DPA; and (vii) Annex 2 of the SCCs shall be deemed to refer to the Security Measures.
-
In relation to any such transfer made subject to the UK GDPR, the SCCs shall apply as varied by the UK Transfer Addendum -- for which purpose, the parties agree: (i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details and selections described in paragraph 13.1 above; (ii) Table 4 to the UK Transfer Addendum is completed by only 'Importer' being selected; (iii) to be bound by the UK Mandatory Clauses; and (iv) to the presentation of information required by 'Part 1: Tables' of the UK Transfer Addendum in the manner determined by this paragraph 13.2 (as permitted by Section 17 of the UK Mandatory Clauses).
-
-
To the extent that Processor makes an onward transfer of the Personal Data to a third party (including any entity in Processor's group of companies, or a Sub-processor), to a country other than an Adequate Territory or the country in which the Personal Data was first processed by Processor, it shall take such measures as may be necessary to ensure that the transfer is made in compliance with Applicable Data Protection Laws. Such measures may include (as necessary and applicable, and without limitation) transferring the Personal Data to a recipient that has a contract with Processor that ensures the Personal Data will be protected to the standard required by Applicable Data Protection Laws.
-
Processor shall notify Controller without undue delay in writing of any request with respect to Personal Data received directly from a Data Subject. Processor shall co-operate with Controller in fulfilling, or responding to, such request.
-
Processor shall to the extent required by Applicable Data Protection Laws keep a written record of the processing of Personal Data it carries out under this DPA.
-
In the event that there is a confirmed personal data breach (as defined in GDPR) in respect of the Personal Data provided by Controller, Processor shall without undue delay (and in any event within 72 hours of confirming such breach) notify Controller of that data breach in writing including the following details:
-
the nature of the personal data breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
-
the likely consequences of the personal data breach; and
-
the measures which Processor proposes to take to remediate the cause of the breach.
In the event of a personal data breach in respect of the Personal Data provided by Controller, Processor shall provide Controller with such reasonable cooperation and assistance with managing that personal data breach as may be agreed between the parties, acting in good faith.
-
-
In the event that Controller notifies Processor that it should cease processing the Personal Data or any part of the Personal Data, including, without limitation, the Personal Data of an individual Data Subject, Processor shall without undue delay return such Personal Data to Controller and shall cease processing that Personal Data or part of the Personal Data. Controller acknowledges and agrees that Processor shall not have any liability under the remainder of the Main Agreement for any failure to provide the Services which results from such cessation.
-
In the event that Processor receives a request directly from an individual Data Subject relating to Personal Data, it shall promptly forward that request onto Controller.
-
In the event Processor becomes subject to a request from a public authority to disclose any Personal Data, Processor shall review the legality of such a request prior to acceding to it. To the extent permitted by law, Processor shall promptly notify Controller in writing of any such request. Processor shall only comply with such requests in the event that it reasonably considers that it is lawfully compelled to do so. Processor shall in respect of any such request (i) only disclose the minimum amount of Personal Data required, and (ii) retain evidence that any disclosure of Personal Data to public authorities was made in accordance with the restrictions under this paragraph, and (to the extent permitted by law) make such evidence available to Controller promptly upon request.
3. UPDATES
- Processor may modify this DPA as required as a result of (a) changes in Applicable Data Protection Laws; (b) a merger, acquisition, corporate reorganization or other similar occurrence; or (c) the release of new features, functions, products or services or material changes to any of the existing Services. Processor may make such modifications by posting a revised version of this DPA at https://bugprove.com/legal/terms-of-service/ or by otherwise notifying Controller. Processor will provide at least 7 days' advance notice of any modifications. Subject to the 7 day advance notice requirement, the modified version of the DPA will become effective upon posting. By continuing to use the Services after the effective date of any modifications to this DPA, the Controller agrees to be bound by the modified DPA.