Revision Date May 7, 2018
PLEASE READ THESE SERVICES TERMS (THE “TERMS”) CAREFULLY. BY USING ANY AERIS SERVICES PROVIDED BY AERIS COMMUNICATIONS, INC. (“AERIS”), YOU AGREE TO BE BOUND CONTRACTUALLY BY THESE TERMS. IF YOU DO NOT AGREE WITH THESE TERMS, DO NOT USE THE AERIS SERVICES. IF YOU HAVE A SERVICES AGREEMENT WITH US, THESE TERMS ARE INCORPORATED INTO THAT AGREEMENT. YOUR USE OF ANY NEW PRODUCTS AND SERVICES AND/OR CONTENT THAT YOU GET FROM AERIS WILL BE GOVERNED BY THESE TERMS UNLESS SPECIFIED OTHERWISE BY US OR IN A WRITTEN AGREEMENT BETWEEN YOU AND AERIS.
- Parties and Definitions.
- Parties. The words “Aeris”, “we”, “us” or “our” mean Aeris Communications, Inc., owner and operator of the Aeris Services, and our Affiliated companies. The words “you” or “your” mean the individual person or legal entity, or any Representative of such a legal entity, that uses any Aeris Site, is interested in entering into or has agreed to a Services Agreement or, if there is no Services Agreement, has chosen to use the Aeris Services. We are each referred to as a “party”.
- Definitions. In these Terms, the following words have the meanings given to them:
- Acceptable Use Policy means the rules governing use of the Aeris Sites and Aeris Services, the current version of which is available at https://www.aeris.com/legal/.
- Account means any account established by or for you in order to allow you to purchase SIM Cards, to order and access any Aeris Services, or to manage Devices.
- Account User means any individual or entity that, directly or indirectly through another user, accesses your Account. The term “Account User” does not include individuals or entities when they are accessing or using Aeris Services under their own account rather than through your Account, or any End Users who use Aeris Services or Your Services without accessing your Account.
- Aeris IoT Services means the various Aeris Services which allow you to manage your Devices that are deployed with any available Carrier at an Aeris Platform or that receive and process data from your Devices at an Aeris Platform and then, at a Web Portal or through Mobile Apps, make that information available to you and enable you to take actions with respect to your Devices.
- Aeris Platform means the Aeris computing resources that receive Device data and host the Aeris Services, including any Web Portal.
- Aeris Services means Wireless Services, Aeris IoT Services and any other services that you receive from us under a Services Agreement or otherwise, including Support Services and Web Services.
- Aeris Sites means the main Aeris website at https://www.aeris.com, any Web Portal provided by Aeris for your interaction with the Aeris Services, any site hosting a Community Forum, and any other website provided by us. Unless otherwise indicated, all Aeris Sites, including those with a URL ending in “.com”, are operated on computing and data storage facilities located in the United States.
- Affiliate means any entity that controls, is controlled by, or is under common control with a party, where “control” means the power to direct or cause the direction of management and policies of an entity, either directly or indirectly, whether through direct or indirect ownership, voting rights, contract or otherwise.
- APIs means the application programming interfaces that allow communication between your computing facilities or your Devices and the Aeris Platform and Aeris Services.
- API Instructions means any instructions we make available to you for your use in developing your Applications, your Services, your Devices and your computing facilities that will access and use any Aeris Services through APIs.
- API Keys means any keys given to you by us or generated by you as permitted for access to your Account or for your use of Aeris Services through APIs.
- Application Data means all data, SMS or voice traffic data (including data resulting from any processing of such data, SMS or voice traffic by Your Applications, Your Services or by the Aeris IoT Services) that is transmitted by Carriers to or from your Devices or your computing facilities or to or from any Aeris Platform.
- Carriers means the wireless telecommunications operators or commercial Wi-Fi providers who enable transport of Application Data over cellular or other wireless networks.
- Carrier Partners means Carriers contracted by us to provide the Wireless Services.
- Community Forum means any online forum that we host or sponsor where users of Aeris Services and others can ask and respond to questions, share information or make comments.
- Community Forum Policy means the policies governing participation in any Community Forum, the current version of which is available at https://www.aeris.com/legal/.
- Confidential Information means all confidential or proprietary information of a business or technical nature exchanged between us, whether disclosed orally, visually or in writing, which has clearly been identified as confidential or which by its nature or the circumstances of its disclosure should reasonably be understood to be proprietary and held in confidence, including, without limitation, product and service plans and information, marketing, sales and pricing data and plans, operational and financial information. Your Application Data will be considered your Confidential Information to the extent that it contains any of the foregoing or any personally-identifiable data relating to you or to your End Users. As between you and Aeris, we both agree that the API Instructions and the Documentation are Aeris Confidential Information and that anything you post on any Community Forum or any suggestions you make to us about how to improve any Aeris Services will not be treated as your Confidential Information.
- Device means any modem, radio, telephone, monitor or sensor, or other hardware or virtual device for use with the Aeris Services, including any physical or virtual SIM Card or any device containing a SIM Card.
- Dispute means any disagreement between you and Aeris relating to our relationship, including any disagreement relating to a party’s performance under the terms of a Services Agreement, to the validity, interpretation, execution, or termination of a Services Agreement or these Terms, or to compliance with any Aeris policies.
- Documentation means all of the information and materials we give to you or make available to you on a Web Portal or other Aeris Site about Aeris Services and the Requirements, including developer guides, getting started guides, user guides, quick reference guides, sample code and tools, software libraries, command line tools, API guides and API Instructions, support and troubleshooting guidelines and other technical and operations manuals and specifications for the operation of the Aeris Services, as may be updated by us from time to time.
- End User means your, or your customers’, authorized employees, subcontractors, customers, vendors and distributors who will operate any Device or interact with any Aeris Service directly or through your Account or Your Services.
- Intellectual Property means patents, patent applications, copyrights, trade secrets, trademarks and any other rights of a proprietary nature, existing anywhere in the world, whether registered or registrable or not, and including all derivative works thereof.
- Malicious Code means any virus, worm, Trojan, time bomb, ransomware or other disabling or harmful code, file or program intended to interfere with the operation of computer systems or to alter, delete or interfere with access to data.
- Managed Carriers means any Carriers contracted directly by you to transmit Application Data and with whom Aeris has made arrangements to permit you to use the Aeris Platform to perform some management of your Devices on such Carriers’ systems.
- Mobile App means any application we provide or make available that is designed for operation on a smartphone or other mobile device and that allows access to Aeris Services or any Web Portal.
- Representative means the directors, employees, agents, contractors, representatives, advisors or personnel of a party or its Affiliates who are authorized by a party, or who have apparent authority to act on behalf of a party, to take action on its behalf relating to the Aeris Services or the contractual relationship between the parties.
- Requirements means the guidelines available in the Documentation setting out technical and behavioral requirements for your Devices, Your Services, and Your Applications that use or interact with Aeris Services and Aeris Sites.
- Service Providers means the subcontractors or other parties who provide services to you in connection with your use of Aeris Services or provision of Your Services or to us in our provision of the Aeris Services, including call centers, third party support personnel, and cloud storage providers.
- Services Agreement means any agreement between you and Aeris that governs your use of and payment for Aeris Services.
- SIM Card means a physical subscriber identity module chip or virtual SIM supplied or approved by us to enable Devices to access Wireless Services.
- Support Services means any services that we provide to you under the terms of any Services Agreement (or other agreement) for support of the Aeris Services.
- Web Portal means any internet-accessible portal or dashboard for interacting with us in connection with your use or potential use of Aeris Services, including such activities as establishing an Account, signing up for Aeris Services, viewing Documentation, and accessing Aeris Services, including managing Devices and setting Device alerts, viewing Device or Application Data, viewing Device activity and billing information, and using other features of the Aeris Services.
- Web Services means (a) the API-based services for managing or monitoring Devices and activity or for routing Application Data, and (b) the services available at Aeris Sites and through any Web Portal.
- Wireless Services means the cellular, Wi-Fi and internet-based services, including, but not limited to, cellular connectivity services, we provide to enable the transmission of Application Data between your facilities or your or your End Users’ Devices on the one hand and the Aeris Platform on the other hand.
- Your Application means any software or firmware program that you use for your internal purposes or to provide Your Services to your End Users or any other party that accesses the Aeris Services or that sends, receives or processes Application Data.
- Your Services means the services, including Your Applications, that you provide to your End Users that rely on or incorporate any Aeris Service and to which you add material value in addition to the Aeris Services.
- Modification of Terms, Services or APIs. Except as provided in subsection (d) below, and except as otherwise provided in any Services Agreement, we may, without your approval and at any time, modify these Terms, any other terms or policies applicable to use of Aeris Services, any Documentation, any price lists, or any Requirements, and may change, discontinue, or deprecate any aspect or functionality of the Aeris Services (including APIs or any service as a whole). We will use commercially reasonable efforts to limit the frequency of any changes materially affecting the operation of any Aeris Service. The following terms apply to these changes:
- Modification of Services. Aeris will use commercially reasonable efforts to keep the Aeris Services up to date with industry developments relevant to that Aeris Service. You acknowledge that we engage in a process of continuous improvement of our technology and services and, subject to our compliance with this Section 2, have the right to modify our services across our customer base from time to time without your consent. If we create material new functionality for any existing Aeris Services, or offer new services that will be considered Aeris Services, we reserve the right to make the new functionality or Aeris Services available for an additional charge.
- Modification of APIs. If we change, discontinue or deprecate any APIs, we will use commercially reasonable efforts to continue supporting the previous version of any such API for 12 months unless doing so would pose a security risk or intellectual property issue, would be economically or technically burdensome, or if the change is needed to comply with the law or requests of relevant stakeholders, including Carriers or governmental entities.
- Notice of Changes. If we contemplate any modification of an existing Aeris Service that is not covered by subsection (d) (i) through (iv) below, we agree to provide reasonable prior notice of such change to you and to cooperate in good faith with you, at no additional charge, to minimize the impact on your business and your End Users, including making the changes with adequate notice and support and implementing them smoothly. Our support and maintenance obligations to you will extend to any such updated Aeris Service. We will post notice of all changes made on the Aeris Sites and, for any changes that we think are material, will use reasonable efforts to notify you by email to the designated contact in your Account. Except for emergency changes required to protect any Aeris Service, any Carrier or any customers, all changes will take effect thirty (30) days from the date we post notice of the change on the Aeris Sites. Your continued use of the Aeris Sites or any Aeris Services indicates your acceptance of such change. You should check the Aeris Sites periodically for any changes.
- Excluded Changes. Changes that fall within any of the following categories will be treated as an amendment of the applicable Services Agreement between us:
- Changes made by us that increase your total costs of receiving the Aeris Services during any guaranteed term of your Services Agreement by more than an immaterial amount, excluding changes due to increases in costs charged by roaming partners of Carrier Partners;
- Changes that require you or your End Users to make any material changes to your or their systems, software, equipment or Devices, policies or procedures, including any obligation to install or use new hardware or Devices or to make changes to software, firmware or settings of deployed Devices other than through over-the-air campaigns;
- Changes that have a material adverse impact on the functionality, interoperability, performance, reliability, security or resource efficiency of any of the Aeris Services; or
- Changes that materially reduce the scope of the affected Aeris Services.
- Right to Use Services and Restrictions.
- Right to Use Services. So long as you are in compliance with these Terms, your Services Agreement or any other agreement or terms applicable to the Aeris Services you are using and, as applicable, the Acceptable Use Policy and the Community Forum Policy, you are granted the limited, non-exclusive, revocable, non-transferable, non-sublicensable and worldwide right to use the Aeris Sites, the Aeris Services, the APIs and the Documentation only for your own internal business purposes, which may include providing Your Services to your End Users. We reserve all rights not expressly granted to you in these Terms.
- Means of Access.
- You agree not to access (or attempt to access) the Aeris Sites or any Web Services by any means other than through the interfaces and URLs we provide, unless you have been specifically allowed to do so in a separate agreement signed by us. If we have agreed that you will access Aeris Services using an appropriately configured VPN, you will do so.
- For any of the Web Services accessible only through use of APIs, you agree that you will access the Web Services only using appropriate APIs and API Keys that are compliant with the API Instructions we provide, and you will not access the Web Services through any other automated means, such as scripts or web crawlers.
- We may limit the number of times you can visit or log into the Aeris Sites or Web Services within a certain period of time. Abuse, fraudulent activity, disruptive activity, or excessively frequent requests to the Web Services by any person acting through your Account may result in the temporary or permanent suspension of your access to Web Services or your Account or to any API or API Key.
- You understand that the identification numbers (IMSI, MSISDN, MIN or similar) assigned to a SIM Card or a Device to allow a SIM Card or Device to use cellular or other wireless services are assigned by Carriers. You also understand that regulations about portability of numbers generally do not apply to IoT devices, and that if you wish to move your Devices to use services from a different Carrier, you may need to reconfigure your Devices or replace any SIM Card in your Devices, and that a different Carrier may assign different numbers to your Devices. You will be responsible for any expense in reconfiguring Devices, managing replacement numbers or replacing SIM Cards.
- Suspension or Termination. We may suspend, reduce or terminate the Aeris Services to you or to particular Devices associated with you or your End Users or suspend access to your Account in certain circumstances if your Devices, Your Services or use of the Aeris Sites or Aeris Services by you or your End Users are causing or could cause disruption or congestion or could damage us, our other customers, to Carrier Partners or to Service Providers. We may take these steps for reasons such as your failure to comply with the Requirements or otherwise, in cases of suspected fraud, in cases of aberrant Device behavior causing issues, such as repetitive registration attempts, congestion or reduction of availability of resources for other customers on our networks or those of any Carrier Partners, if we reasonably believe your Account has or is at risk of a security breach, or if you or your End Users are in violation of the Acceptable Use Policy, the Community Forum Policy, these Terms or any Services Agreement or other terms applicable to your use of Aeris Services, including payment terms. We will use reasonable efforts to notify you promptly of any suspension or termination and the reason for taking such action, and to restore service if and when the issue has been satisfactorily resolved. We will have no liability to you, any End User or any other third party for any actions reasonably taken by us under this provision.
- Maintenance. We, our Services Providers or our Carrier Partners may make temporary changes to the Aeris Sites or Aeris Services required by an emergency, as well as take actions deemed reasonably necessary to protect or optimize our or their networks or services. In addition, Managed Carriers may engage in maintenance activities that affect ability to manage Devices on the Aeris Portal. Some of these actions may interrupt or prevent legitimate communications and usage, including, for example, use of message filtering/blocking software to prevent SPAM or viruses, limitations on throughput, scheduled or emergency maintenance and the like. We will provide as much advance notice as reasonably possible of any planned or emergency maintenance activities that we perform or of which we are notified by Service Providers or Carriers by email or by posting on a Web Portal.
- Additional Restrictions. You agree that you will not do any of the following (or permit or enable any other person, including any Account User or End User, to do any of the following), without our prior written consent:
- resell, copy, host, or otherwise use the Aeris Services for your personal gain except as may be necessary for your internal business purposes or for you to provide Your Services to your End Users;
- modify or make derivative works based on the Aeris Sites, any Aeris Services, the Documentation or APIs or any SIM Cards, or reverse engineer any of the software or content used in any of the foregoing, except for software tools identified as open source or for which permission to modify is explicitly granted;
- share or otherwise distribute any non-public information about the operation of the Aeris network or any Aeris Services to any third parties, other than with your End Users or with respect to appropriate use of a Community Forum;
- bypass or circumvent measures we use to limit access to the Aeris Sites or Web Portal or take any actions intended to artificially disguise the extent of usage of the Aeris Services to avoid payment of fees;
- use the Web Services or any other means to access the accounts of any other users, to interfere with the ability of other users to access Aeris Sites or Aeris Services, or to intercept, collect or store personal information about other users or their customers, other than as may be necessary for you to provide support to your End Users;
- take or permit any actions that you reasonably ought to know may overload or crash the Web Services, the Aeris Platform or any Aeris Site or the systems of any other party, including Carrier Partners or cloud hosting providers;
- benchmark any of the Aeris Services, perform penetration testing or engage in any other activity to probe the Aeris Platform, any Aeris Site or any other Aeris systems, or collect or share information about the performance of the Aeris Services;
- engage in excessively high-volume data transfers or bandwidth use, including without limitation by hosting a webserver, internet relay, chat server or any other server, via any use of the Web Services;
- “frame” or “mirror” the Aeris Sites or any Aeris Services or content on any other server or Internet-enabled device;
- take any action to modify, avoid or override any Aeris or Carrier Partner lists or algorithms for blocking or preferring any wireless service network;
- participate in any Community Forum in violation of the Community Forum Policy; or
- use the Aeris Services in violation of the Acceptable Use Policy.
- Account Security. You agree that you have certain security obligations with respect to accessing Aeris Services and, if applicable, your Account and that we will not be liable for any loss or damage from your failure to comply with these obligations. In particular, you agree that you will:
- limit access to your Account and the Web Services to your authorized Account Users;
- establish account logins and API Keys for your Account Users in accordance with our policies including, if required, providing the legal full name, valid email address, and any other information requested for each person for whom a login is created;
- not grant access to the Web Services to your End Users without our prior written consent and, if access is granted, require your End Users to establish their own access credentials and to agree to these Terms;
- safeguard all usernames and passwords, API Keys and other Account access credentials for your Account Users who have access to the Web Services, and use appropriate security to protect your connection point with any VPN established between our facilities;
- be responsible for all activities that occur through your Account using your usernames, passwords or API Keys or using your Devices; and
- notify us immediately if you believe that the security of your Devices or Account access credentials or of your connection point with any VPN has been compromised and cooperate in the correction of these security issues or resetting of any access credentials.
- Security and Data Protection. We each agree to comply with the requirements of Addendum 1 – System Security, Data Privacy and Data Processing.
- Ownership of Intellectual Property and Data.
- Ownership of Intellectual Property. You agree that, as between you and Aeris, we are the exclusive owner of all Intellectual Property relating to the Aeris Services, all APIs, the Aeris Sites and all Documentation and in all developments, enhancements, new versions and other modifications of or additions to the foregoing made by or for us, including in the course of providing Aeris Services to you. We agree that, as between you and Aeris, you are the exclusive owner of all Intellectual Property relating to Your Services (excluding any Aeris Services that are used in or incorporated in Your Services). Unless we have agreed otherwise in writing, we may use any suggestions that you make to us for improvements to our services without any obligation to you.
- Ownership of Data. The rights of each of us with respect to ownership of any data will be as set out in Addendum 1.
- Independent Development. Nothing in these Terms will be construed as a restriction on the right of either of us to develop our technology, products or services independently of and without reference to the Confidential Information of the other, even if they are the same or similar to the technology, products or services contemplated by the other, or as an obligation to share ownership of any such developments with the other. Any agreement on transfer of or joint ownership of Intellectual Property will be subject to a separate written agreement signed by our authorized Representatives.
- Duty to Protect and Restriction on Disclosure or Use. We each agree to use at least a reasonable degree of care to protect any Confidential Information of the other in our possession and to use that Confidential Information only for purposes related to your use of or our provision of Aeris Services. We agree not to disclose the Confidential Information of the other without the consent of the other, other than to our Representatives who need to know and who are bound by appropriate confidentiality obligations. We will each be responsible for any breach of this Section 6 by our Representatives.
- Term of Obligations. We will each adhere to these obligations of confidentiality for three (3) years after any particular Confidential Information has been disclosed to us. The obligations of Aeris with respect to Personal Data, as such term defined in Addendum 1, will continue (a) for so long as we have possession of any such Personal Data, or (b) until such time as we have certified in writing to you that we have destroyed or are no longer in possession of any Personal Data, whichever is longer.
- Exclusions. These obligations will not apply to any Confidential Information that one of us discloses to the other that was (i) rightfully in possession of the other party before being disclosed, or that became publicly known after disclosure not due to any action of the other party; (ii) that was given to the other party by someone reasonably understood to have the right to disclose it; (iii) that was developed independently by the other party without use of or reference to the disclosed Confidential Information; or (iv) that the other party is required to disclose by court order or otherwise, provided that, if permitted, the other party gives prompt notice of the requirement to the disclosing party and provides reasonable assistance to the disclosing party (at the disclosing party’s expense) in resisting or limiting any disclosure.
- Return of Confidential Information. Upon request after expiration or termination of a Services Agreement, each of us agrees to promptly return or destroy (and certify in writing the destruction of) the Confidential Information of other (including Personal Data) relating to that Services Agreement, provided that each of us may retain such Confidential Information as is necessary to comply with applicable laws or for appropriate and reasonable archival purposes, provided that such information will continue to remain subject to these confidentiality obligations so long as it is retained.
- Limitation of Liability. Except as we may explicitly agree in a Services Agreement, the liability of each of you, Aeris and Carrier Partners will be limited as provided below. We agree that these limitations of liability are essential to our economic relationship, and the prices and other terms on which Aeris Services would be available would be different without them.
- Your Use of Aeris Services. You will be solely responsible for determining how to use the Aeris Services and for the results of such use. Aeris will have no responsibility to you, to any End User or any other party for any use of the Aeris Services, including any action that you or any other party choose to take or not to take based upon data generated from the use of the Aeris Services. In addition to any other limitations included in any Services Agreement, you understand that the Aeris Services may not be designed to collect or send data continuously, that there is unavoidable latency in the operation of any wireless-based system, and that data collected from Devices may not be complete or current. You also understand that the accuracy and performance of Aeris Services may be compromised by failures of your Devices or equipment or Your Applications. You are encouraged to take reasonable steps to confirm the accuracy of data before taking actions that have the potential to cause harm to an End User or any other person or property.
- Excluded Damages and Losses. Neither of us will have any liability to the other for any indirect, special, consequential or punitive damages or for any loss of data, profit, business or other economic advantage arising out of a Services Agreement or your use of any Aeris Services, even if that party was aware of the possibility of such damage or loss.
- Maximum Liability for Direct Damages. The maximum aggregate liability of one of us to the other for any direct damages not otherwise excluded will not exceed the greater of (a) $10,000 or (b) the aggregate fees paid by you to us for Aeris Services relating to the claim in any twelve (12) month period prior to the events giving rise to the claim.
- Maximum Liability for Other Obligations. The maximum liability of one of us to the other with respect to (a) any indemnification obligations under Section 10, or (b) any breach of confidentiality or data protection obligations, including those obligations set forth in Addendum 1, will not exceed $500,000.
- Exclusions from Liability Caps. The foregoing exclusions and caps on liability will not apply to any damages arising out of (i) any violation by you, your Account Users or your End Users of the Acceptable Use Policy, or (ii) for claims arising out of a party’s willful default or gross negligence. In addition, these limitations will not apply to any damages that may not be limited or excluded under applicable laws.
- No Liability for Coverage or Internet Availability. You understand that the availability of Wireless Services or internet services in any given area depends on a combination of Device capabilities and facilities, the actions of internet service providers, mobile network operators and others, and other factors affecting the internet. Aeris Services may also be limited or interrupted by such factors as buildings, weather, topographical features (artificial or natural), usage by other parties, or maintenance activities by us or Service Providers or Carrier Partners. Neither we nor our Service Providers or any Carrier Partners will have any liability to you, any End User or other third parties for any such limitation or interruption of Aeris Services.
- No Liability for Interception of Application Data. Neither we nor Carrier Partners can guarantee the privacy or security of any transmission using Wireless Services. The possibility exists that third parties may be able to intercept Application Data without the knowledge or permission of you, us or any Carrier Partner, and that you bear primary responsibility for protecting your Application Data or any other data under your control, including, if you desire, encrypting it in transit or at rest. You agree that we and the Carrier Partners will not be liable to you, any End User or other third party for interception or unauthorized use of any Application Data transmitted using Wireless Services and may have no obligation to report any such interception to you, if discovered.
- Obligations to Third Parties.
- Obligations Applicable to Account Users and End Users. You will be responsible for requiring that your Account Users and End Users comply with these Terms and with any other terms applicable to the Aeris Services, including the Requirements, the Acceptable Use Policy and the Community Forum Policy, and for enforcing that compliance.
- No Obligations of Aeris to End Users. You agree that we and our Service Providers have no contractual relationship with or any obligations to your End Users for operation of any of your Devices or Your Services. Unless we have specifically agreed otherwise, you will have the sole responsibility to provide first line support to your End Users. You agree that your End Users will have no direct claim against us or our Service Providers of any kind, including (i) claims for injury or death, or (ii) any liability arising out of any use or failure of your Devices, Your Applications or Your Services, even if this failure is due to a failure of the Aeris Services. You will not make any promises or representations to any End Users inconsistent with these Terms, any Services Agreement or any other terms applicable to the Aeris Services you use.
- No Liability of Carrier Partners. You agree that the Carrier Partners have no contractual relationship with or any obligations to you or any of your End Users, and that you and your End Users will have no claim under any legal theory against any Carrier Partner for any use of or failure of the Aeris Services or any damage, including death or personal injury, arising out of such use or failure.
- Malicious Code; Disclaimer of Warranties.
- Malicious Code. We will follow commercial best practices in our industry to mitigate the risk that any Aeris Service, Mobile App or Web Service contains any Malicious Code, including scanning all code prior to deployment to production. If at any time we discover any Malicious Code in an Aeris Service, Mobile App or any Web Services that we do (or should) reasonably expect to have a material adverse effect upon you, or any of your End Users, we will remove it as quickly as possible.
- Disclaimer of Warranties. Except as we may specifically agree in a Services Agreement, we disclaim all warranties with respect to the Aeris Services, whether express or implied, including any implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, non-infringement or quiet enjoyment, as well as any warranties arising by law, out of course of dealing or by usage of trade. The Aeris Services are provided “as is”. We do not provide any warranty that the Aeris Services will perform in accordance with their specifications or that operation of the Aeris Services will be error-free or will be available at all times. You agree that your sole and exclusive remedy for any failure by us to provide the Aeris Services in conformance with their applicable specifications is to use the Support Services or to terminate the Services Agreement. If we certify any Devices or any of Your Services or Your Applications, such certification would not constitute a warranty or representation by us, either express or implied, concerning the suitability, durability, fitness for use, merchantability, condition or quality of the Aeris Services or any of your Devices or Applications or Your Services.
- Indemnification Obligations
- Aeris Obligations Regarding Intellectual Property Claims. We agree that we will, at our own expense, defend you and your Representatives against any claim made against you by a third party alleging that the Aeris Services infringe the Intellectual Property rights of a third party and pay all damages and costs finally awarded against you because of the claim, including reasonable attorney’s fees, and/or all amounts payable by you in connection with a settlement made in compliance with Section 10(d). We will have no obligation to indemnify you under this subsection (a) to the extent that the alleged infringement involves any patents issued by any country other than the United States or is caused by (i) any modification of the Aeris Services by any person that is not approved by us, (ii) any combination of the Aeris Services with any program, data, product, device or service not specified by us as required for use of the Aeris Services if such infringement claim would have been avoided by use of the Aeris Services alone, or (iii) any trademark infringement involving any marking or branding not applied at our sole discretion and direction.
- Mitigation of Intellectual Property Claims. If any Aeris Services are subject to an infringement claim covered by Section 10(a) and not excluded under Section 10(a)(i), (ii) or (iii), then, in addition to indemnifying you under Section 10(a), we will, in our sole discretion and at our own cost, either:
- obtain for you the right to continue to use the Aeris Services;
- modify the Aeris Services to make them non-infringing without degrading their performance, functionality or quality; or
- replace them with a compatible, functionally equivalent, and non-infringing substitute in a manner that does not degrade performance, functionality or quality.
- General Indemnification. We each also agree to the following provisions:
- We each will defend, at our own expense, the other party and its Representatives and End Users against any suit or proceeding or threatened suit or proceeding to the extent such suit or proceeding is alleged to arise out of or result from (A) the negligence or willful misconduct of the indemnifying party relating to any use of Aeris Services or any Services Agreement; (B) the indemnifying party’s failure to comply with any law or regulation or to obtain any consent of any party, including consent of any End User for use of data pertaining to the End User, applicable to the activities under any Services Agreement, including any claim that a party did not comply with its obligations under Section 17; and (iii) breaches of its confidentiality and data protection obligations hereunder, including obligations in Addendum 1.
- You agree to defend, at your own expense, us, our Service Providers, and our respective Representatives against any suit or proceeding or threatened suit or proceeding to the extent such suit or proceeding is alleged to arise out of or result from claims from End Users relating to the operation of your Devices, Your Applications or Your Services (even if Your Services incorporate or rely on any Aeris Services), or to any actions taken by you or your Representatives as described in Section 7(a).
- The indemnifying party will pay all damages and costs finally awarded against the indemnified party because of the indemnified claim, including the reasonable costs and attorney’s fees incurred by the indemnified party because of the claim, and/or all amounts payable by the indemnified party in connection with a settlement made in compliance with subsection (d) below.
- Procedure. For claiming indemnification under this Section 10, the indemnified party will notify the indemnifying party promptly on becoming aware of a claim, furnish to the indemnifying party a copy of each communication relating to the claim, and provide all information and assistance (at the indemnifying party’s expense) necessary to defend or settle such suit or proceeding. The indemnifying party will have exclusive control of the defense and/or settlement of any indemnified claim. The indemnified party will not be bound by any settlement made without its prior written consent, which will not be unreasonably withheld or delayed, if the settlement does not include a full release of all claims against the indemnified party or if it requires an admission of guilt or wrongdoing. If the indemnifying party is legally prevented from assuming control of the defense of any claims, or either does not elect to assume control, or having elected to assume control, subsequently fails to proceed with the settlement or defense of any claims, then the indemnified party will be entitled to assume such control, and all costs and expenses incurred by the indemnified party in such defense or settlement will also be subject to its indemnity protection and recoverable from the indemnifying party. In such a case, the indemnifying party will be bound by the results obtained by the indemnified party with respect to such defense or settlement of such claims.
- Dispute Resolution and Arbitration; Governing Law, Jurisdiction and Venue; Injunctive Relief.
- Dispute Resolution and Arbitration. Except for any injunctive relief one of us may seek as permitted below, we agree that, in the event of a Dispute, we will first work in good faith to negotiate and resolve such Dispute as follows: (i) the party seeking resolution of the Dispute will provide a written notice to the other party describing the Dispute in reasonable detail and the name of its Representative who will participate in resolving the Dispute; (ii) the other party will, within 5 business days of receipt of the notice, designate a senior Representative who has familiarity with and responsibility for that party’s performance under the applicable Services Agreement to participate in resolution of the Dispute; and (iii) the designated Representatives will attempt to resolve the Dispute within 30 days of being designated. If they are unable to reach a resolution, the Dispute will be escalated to the senior-most management executives of each party. If these senior management personnel are not able to resolve the Dispute within 20 business days, then we each agree to submit the Dispute to binding arbitration as follows. The proceeding will take place in San Francisco, California before three arbitrators, will be conducted in English, and will be administered by JAMS, Inc. pursuant to its Comprehensive Arbitration Rules and Procedures. Within 10 business days after JAMS issues notice of the commencement of arbitration, each of us will select, from an approved list, one person to act as arbitrator, and the two so selected will select a third arbitrator within an additional 10 business days of the commencement of the arbitration. If the arbitrators selected by the parties are unable or fail to agree upon the third arbitrator within the allotted time, the third arbitrator will be appointed by JAMS in accordance with its rules. We each agree to maintain the confidential nature of the arbitration process, including any resulting award, except as may be necessary to prepare for or conduct the arbitration hearing on the merits, or except as may be necessary in connection with a judicial challenge to an award or its enforcement or unless otherwise required by law or judicial decision. The arbitrators may, in their discretion, award to the prevailing party, if any, the costs and attorneys’ fees reasonably incurred by the prevailing party in connection with the arbitration.
- Governing Law Jurisdiction and Venue. Unless a Services Agreement specifies otherwise, these Terms and your use of the Aeris Services will be governed by the internal laws of the State of California, U.S.A. without regard to its conflicts of laws or choice of law rules. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded.
- Injunctive Relief. Notwithstanding any other provision of this Section 11, and without limiting any other remedy available, either of us may seek injunctive relief from any court of competent jurisdiction to prevent or limit any damage that could be irreparable, including damage arising out of a breach of confidentiality or data privacy obligations or a violation of the Acceptable Use Policy.
- English Language. All communications and notices between us must be in the English language. Any translation of the Services Agreement, these Terms, any other policies, terms, or other Documentation into a language other than English is made for your convenience, and in the event of any conflict between a translation and our original English language version, the English language version will control.
- Notices. Notices to you may be given as specifically allowed in these Terms. Any other notice to you will be sent to the email address associated with your Account and by regular mail to the physical address associated with your Account. Any notice to us must be sent to Aeris Communications, Inc. to the attention of the Legal Department and should be sent by fax to 408-557-1925, with a copy sent by overnight courier or registered or certified mail to 1745 Technology Drive, Suite 700, San Jose, CA 95110-3729. A copy of any notice to us should also be sent by email to email@example.com.
- Force Majeure. We will not be liable to you or your End Users for any delay or failure to perform any obligation on account of causes beyond our reasonable control and without our fault or negligence, including, but not limited to, acts of God, acts of civil or military authority, strikes, fires, riots, wars, embargoes, internet disruptions, hacker attacks or communications failures, provided that we use commercially reasonable efforts (a) to notify you of the force majeure event, and (b) to minimize the impact of the force majeure event. Where a force majeure event prevents us from performing our obligations for a period that you deem unreasonable, you may terminate the relevant Services Agreement on 15 days’ written notice to us. You will not be obligated to pay any fees for Aeris Services relating to any period during which we were essentially unable to provide such services due to a force majeure event.
- Relationship of the Parties. The relationship between you and us is that of independent contractors, and neither your use of the Aeris Services nor the existence of a contract between us based on these Terms, any Services Agreement or any other terms is intended, or will be construed, to create a partnership, joint venture, or employer-employee relationship or give either of us the right to bind the other. No person not a named party to the Services Agreement, including any End User, is to be treated as a third-party beneficiary of any of the obligations to be performed by us under that Services Agreement.
- U.S. Government Rights. The Aeris Services are provided to the U.S. Government as “commercial items,” “commercial computer software,” “commercial computer software documentation,” and “technical data” with the same rights and restrictions generally applicable to private parties. If you are using any Aeris Services on behalf of the U.S. Government and these Terms or the terms of any Services Agreement or other terms fail to meet the U.S. Government’s needs or are inconsistent in any respect with federal law, you will immediately discontinue your use of such Aeris Services. The terms “commercial item” “commercial computer software,” “commercial computer software documentation,” and “technical data” are defined in the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement.
- Compliance with Laws.
- Export and Sanctions Laws. You agree not to export any products, services or technical data received from us to any country for which an export license or governmental approval is necessary without first obtaining the license or approval. You represent to us that that you are not located in, organized under the laws of, or controlled by a person or entity located in any country subject to a U.S. or E.U. trade embargo, you do not violate any applicable sanction or embargo laws and regulations, including trade and economic sanctions maintained by the United State Treasury Department’s Office of Foreign Assets Control, you are not listed on, or owned or controlled by any entity or person on, the U.S. Department of Treasury list of Specially Designated Nationals or any similar list in place in any jurisdiction where you conduct business (collectively, “Restricted Persons”), and you will not provide services using the Aeris Services to Restricted Persons.
- Local Laws. We will each comply at our own cost with any laws or rules of a governmental or regulatory authority having jurisdiction over us in performing our obligations under a Services Agreement. You understand and agree that you, and not Aeris, will have sole responsibility for determining whether your Devices, Your Applications, Your Services or your use of Aeris Services are in compliance with the laws of any jurisdiction where you operate or where your End Users are located.
- Conflict and Order of Precedence. If a conflict arises between these Terms and a Services Agreement, the conflict will be resolved as follows: (a) to the extent the conflicting provisions may be reasonably interpreted in a manner consistent with each other, such consistent interpretation will apply, (b) provisions in any pricing attachment or other negotiated exhibit will override those in the Services Agreement, including these Terms, and (c) terms applicable to a specific Aeris Service set out in the Services Agreement for that Aeris Service will govern. The terms in any standard invoicing or order acknowledgement documentation provided by Aeris or any standard order or payment remittance documentation provided by you will not be interpreted to add to or modify any Services Agreement or these Terms.
ADDENDUM 1 TO AERIS SERVICES TERMS
SYSTEM SECURITY, DATA PRIVACY AND DATA PROCESSING
We mutually acknowledge that an IoT program is a coordinated effort among multiple parties, including not only you and Aeris, but also Device manufacturers, Carriers, cloud storage providers or other Service Providers. Each entity involved in your IoT program has the principal responsibility to secure those components of the IoT program under its control and to manage access to those components as necessary to protect its systems and to provide for the security and privacy of data in its possession. The purposes of this Addendum 1 are:
- to identify, as between you and us, who has responsibility for providing for the security of various system resources, data and services used in the program for which you will be using Aeris Services, including any resources you use to provide Your Services,
- to specify the minimum requirements applicable to us for those data and resources that are our responsibility,
- to specify a framework for handling any security vulnerabilities or actual or threatened security incidents;
- to agree on how data will be classified and handled; and
- to agree on the respective rights of each of us to own or use any data.
The obligations in this Addendum 1 are in addition to any obligations we each may have under a Services Agreement or the Terms.
In this Addendum 1, the capitalized terms listed below will have the meanings given to them. Any other capitalized terms used herein will have the meanings ascribed to them in the Terms or in the applicable Services Agreement. The singular will include the plural and vice-versa where the context so requires.
Applicable Data Laws means the laws of a Territory or otherwise applicable to your Data relating to data protection, privacy and security, data transfer or trans-border data flow, data breach or data processing, including all directives, laws, regulations, as well as rulings, regulatory guidance and other binding restrictions of or by any judicial or administrative body in a Territory.
Consent means the consent and agreement of an individual data subject to the collection and processing of Personal Data about the data subject where such consent and agreement are freely given, specific, informed and unambiguous as those terms are generally understood under the framework of the GDPR.
Controller means the party that determines the purposes and means for processing a specific type or set of Data.
Data means all data that is generated, collected, used and/or transmitted between the Aeris Platform, your Data Facilities, any Device and, as applicable, any Service Provider in connection with operation of Your Application. Data is further subcategorized as described below:
Account Data means information about a customer necessary to establish and maintain an account with us, including the name of the contracting entity, the Aeris Services selected, account number, contact information (name, address, email address and mobile phone number for each of your authorized users) and the like. Account Data also includes information about activity in your account, including billing and payment data, Device usage or activity information, actions taken with respect to the account, use of support services, and the like.
Application Data means the contents of all data, SMS or voice traffic transmitted to or from your Devices or resulting from any processing of such data, SMS or voice traffic by Your Applications.
Device Data means static data about any Device or associated equipment that uses Aeris Services, including information for purposes of identifying the Device, such as model or serial number, identification number, IMSI, MSISDN or ICCID associated with any Device or any SIM Card installed in a Device.
End User Data means any Personal Data about an End User of a Device or of Your Application, including name, address (physical and email), telephone number(s), and other information that is specific and identifiable to an End User.
Event Data means data generated by or relating to a Device or associated equipment, such as a vehicle, where such data is generated dynamically in the course of operation of the Aeris Services, including Location Data, events recorded, error codes used in Your Application, or information about the Device or associated equipment collected for use in Your Application.
Location Data means both Wireless Data available from a Carrier or other wireless network Service Provider that indicates a specific or approximate location based on usage of wireless networks or, where applicable, GPS data available from a Device that indicates the location of a Device at a given time.
Personal Data has the meaning given in Section 4.2.
Service Data means all data that identifies the Aeris Services used by a Device, including the rate plan to which a Device is assigned, together with data generated dynamically in course of operation of the Aeris Services, including data about how the Aeris System Resources performed in recording Event Data or providing Aeris Services, Wireless Data, and information (other than Personal Data) that identifies a Device used to access Aeris Services.
Wireless Data means originating and receiving Device ID, time stamp, type of transmission (voice, packet data, SMS and size/length), coordinates of delivery location, and identity of the Carrier or other Service Provider that carried the traffic.
Data Breach means an actual or reasonably suspected misuse, compromise, unauthorized access, use or acquisition (a) of any Personal Data or (b) of any other Data where such access could, in our reasonable opinion, result in a material adverse effect on you or your End Users or present a security vulnerability that could affect you or your End Users.
Data Facilities means all facilities within a party’s span of control used for receipt, processing or storage of Data.
GDPR means the General Data Protection Regulation adopted by the European Union effective as of May 25, 2018 and as such regulation may be modified from time to time.
Privacy Engineering means an approach to the design of systems, services and applications to maximize the privacy of individuals and minimize the risk of harm through unauthorized access to or loss of Personal Data, including measures to ensure that:
- Personal Data is processed fairly and lawfully;
- Personal Data is collected only for specifically stated and legitimate purposes and processed only for these purposes;
- no Personal Data is collected that is not relevant to and necessary for the original purpose;
- Personal Data is retained in identifiable form only for so long as required for the original purpose;
- means are provided to allow for data subjects to request delivery of Personal Data or for deletion of Personal Data from production systems or marketing lists.
Processor means the party that processes a specific type or set of Data on behalf of the Controller.
Restricted Jurisdiction means any Territory in which Applicable Data Laws restrict for any reason the transfer outside of the Territory of Personal Data of data subjects who are located in the Territory.
Secure Systems means System Resources that have been engineered or configured using appropriate technical and organizational measures in a way reasonably intended to protect against the possibility that unauthorized persons could access such components (including any Data transmitted through or stored on such components), could modify any settings or other configurable elements of such components, or could otherwise compromise the confidentiality, availability, integrity or resilience of System Resources or Data. Steps to be taken to create Secure Systems will include the following:
- measures to ensure the physical security of all facilities where System Resources under the direct operational control of a party are located;
- measures to control access rights for employees and contractors of a party in relation to its System Resources, including role-based access and multi-factor authentication;
- the measures described in Service Hardening; and
- processes for regularly testing , assessing and evaluating the effectiveness of these technical and organizational measures.
Security Incident has the meaning given in Section 3.6.
Security Incident Response Teams (SIRTs) means any group retained by or working inside our or your organization or a Service Provider and responsible for handling Security Incidents or providing information about Security Incidents.
Service Hardening means a process for engineering Aeris Services in a way that is intended to secure the Aeris Services (including System Resources and software used to provide the Aeris Services) against Vulnerabilities and known security-related threats and to protect production environments, test environments and network entry points against unauthorized access, changes or tampering. Typical steps to be taken during Service Hardening will include those steps deemed reasonably necessary under the circumstances and may include (a) disabling or removal of all unnecessary or obsolete software ports, functions, services or user accounts that are not required for the Aeris Services to function as required under a Services Agreement, (b) applying configuration changes relevant to security during installation and configuration of the Aeris Services, and (c) testing control objectives and promptly identifying and addressing any deficiencies. During the Services Hardening process, security personnel will take note of relevant security advisories from sources such as governmental, academic or industry groups recognized in the industry as security experts and apply those deemed relevant and necessary. The Service Hardening process will take a risk-based approach to evaluating potential threats and vulnerabilities, and will consider industry best practices and the specific context of the Aeris Services being provided in determining best practices. Best practices will adhere to the principles referenced in ISO/IEC 27001-2013 – Information technology – Security techniques – information security management systems – Requirements (“ISO 27001”) and may include others as applicable, such as the Automotive Information Sharing and Analysis Center (“Auto-ISAC”). Aeris will apply those best practices that it deems relevant and necessary. Service Hardening applies to Aeris Services themselves and their intended interoperability with your Data Facilities and all other Aeris System Resources used to provide Aeris Services in accordance with the typical deployment model (or a deployment model as agreed in a Services Agreement). Tools and processes to be used in Service Hardening may include (i) selecting tools and technologies that promote security by nature, such as using SSL Certificates, DNS-based access or REST interfaces, (ii) implementing security within the Aeris Services through password protection, encryption, data segmentation, etc., and (iii) in architecting System Resources and design for deployment, using security provided by underlying infrastructure such as VPNs, NAT, firewalls and the like. Aeris may conduct penetration testing of specific System Resources or software as it deems necessary and prudent or as specifically agreed with you in writing, You may also discuss with us other reasonable processes you believe we should follow prior to deploying the Aeris Services, and such other processes as mutually agreed will be included within the term “Service Hardening”.
Service Quality Assurance Test means the testing of the Aeris Services to verify the fulfilment of the specifications and other requirements for Service Hardening and Secure Systems and to verify that all necessary error corrections, patches and other fixes have been applied and work as required.
Sub-Processor means a person or entity, including a Service Provider, who will act as a Processor and who is selected by us either to assist us in fulfilling our obligations under a Services Agreement or this Addendum 1, including cloud storage providers, or to provide certain services on our behalf, such as support services or call center service providers.
System Resources means any hardware, software, cloud resources and other components, including Data Facilities, used by us or our Service Providers to provide Aeris Services to you or used by you in connection with your use of the Aeris Services or for any component of your Application.
Territory means a legal jurisdiction in which we will provide Aeris Services to you or in which you will provide Your Services to your End Users.
Vulnerability is a weakness in the system design, implementation or configuration which allows an attacker (a) to reduce confidence that the Aeris Services will be available and will operate reliably and accurately, or (b) to compromise the integrity of any System Resources or any Data. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
3. SYSTEM AND SOFTWARE SECURITY REQUIREMENTS
3.1 Service Hardening; Security Measures
We will provide Aeris Services using only Secure Systems. Unless specifically agreed otherwise, we will have no responsibility for the security of your System Resources or the System Resources of any other party, including any Service Provider, that are not under our direct operational control, and we will have no obligation or liability under this Addendum 1 for the security of or any failure of security related to such System Resources. If our software is installed on any System Resource not operated, managed or controlled by us, our sole obligation is to conduct any Service Hardening or similar processes and to engage in any Service Quality Assurance Test as described in Section 3.2 prior to making the software available to the person or entity that will install the software on such System Resource.
Subject to the limitations in the prior paragraph, we will perform Service Hardening for our System Resources, including software, required for the Aeris Services as initially deployed for you prior to commercial deployment. Before making any material modifications to our System Resources and prior to each major release of software, we will perform additional testing as needed to meet the standards for Secure Systems.
3.2 Service Quality Assurance Test
We will conduct and subject all major elements of the Aeris Services, including any Mobile App, and each major release of any Aeris Services to a Service Quality Assurance Test prior to deploying such Aeris Services. If so provided in a Statement of Work, we may agree with you on end-to-end testing of the Aeris Services as integrated with you, with systems of our Service Provider or with other third-party systems to identify Vulnerabilities or other deficiencies that will only surface when the Aeris Services are integrated into a complete system. The Statement of Work will assign responsibility for addressing any such Vulnerability to the proper party.
3.3 Security Assessment
If you wish to conduct a security audit and/or security assessment with respect to the Aeris Services, including any penetration testing or similar evaluation, we will cooperate reasonably with you in such review, including providing additional information about steps taken by us in any Service Hardening and any standards and processes we follow. Any such audit or assessment will be at your expense. You agree that you will not conduct any penetration testing or other similar evaluations without our prior written consent.
3.4 Security Vulnerabilities
We will monitor the Aeris Services and our System Resources on an ongoing basis in a commercially reasonable and appropriate manner for security weaknesses and will address all deficiencies or security risks promptly based on their risk to systems, services or confidentiality. We will keep informed about system and software security threat information published or announced by industry security groups, governmental organizations or other reliable sources that we believe may materially affect the security or use or operation of the Aeris Services. We will further collaborate with the aforementioned industry and/or governmental organizations or other sources when appropriate to evaluate, assess, and design or develop corrective actions or software updates. If requested by any party with whom we are collaborating to address such Vulnerability, we will maintain information about the Vulnerability and the plan to address it in confidence until such time as public disclosure is approved. If such public disclosure should reasonably be expected to allow the general public to associate the Vulnerability with the services they receive from you, we will use good faith efforts to coordinate any public disclosure with you. If your personnel or End Users detect any potential Vulnerability in any Aeris Services, please report that Vulnerability to firstname.lastname@example.org.
3.5 Security Alerts and Security Updates
At your request, our SIRT or similar organization will contact the similar organization inside your organization to establish a secure channel of communication between us for the purposes of enabling the co-ordination of any information related to any Vulnerabilities in the Aeris Services or in any other security flaw that comes to the attention of either of us.
If our personnel become aware, whether through monitoring of our System Resources or by public disclosure, such as by public Vulnerability tracking databases, of security-related threats that we believe may materially affect the use, operation or security of the Aeris Services, we will provide a preliminary notification to you of such threats without unreasonable delay. For “highly critical” security issues (linked to Common Vulnerability Scoring System (CVSS) base score 7-10), we will (a) inform you without undue delay after the Vulnerability has become publicly known if the security issue could potentially have a material adverse impact upon you, your End Users or the Aeris Services, and (b) agree on possible mitigation measures (e.g. by providing a workaround or by applying fixes, patches and other updates), taking into account the level of the threat and complexity of dependencies to other parts of the Aeris Services, the operating environment in which the Aeris Services are deployed, or the involvement of elements used in Your Services that are not under our direct control.
Notwithstanding anything to the contrary contained in a Services Agreement or elsewhere in this Addendum 1, it is expressly agreed and understood that, subject to any confidentiality obligation under Section 3.4, you may be required to, and will have the exclusive right to, inform your End Users of any security-related threats related to the Aeris Services.
It is expressly agreed and understood that security-related issues and threats observed or experienced in the Aeris Services will be assigned a severity level based upon assessment of the potential impact of the issue on the Aeris Services or Data, and that response and resolution efforts will vary based on the severity level applicable to a particular Vulnerability.
3.6 Security Incidents. We each agree to provide to the other written notice reasonably promptly after discovery of (a) any breach or penetration of any of our respective System Resources that has resulted or should reasonably be expected to result in access of unauthorized persons to our own System Resources or to any systems of the other through any VPN or other points of interconnection, (b) any loss or unauthorized access to or processing of Data maintained or stored by us or our Service Providers, or (c) any enforcement proceeding, action or lawsuit, or any pending or threatened enforcement proceeding, action or lawsuit, brought or threatened against us or our Service Providers and relating in any way to security of Data (each a “Security Incident”). Obligations with respect to Security Incidents involving Personal Data are set forth in Section 4 below.
3.7 Review. We will provide to you on request our high level information security policies documents that outline the major security control objectives that guide all of our activities relating to system design, performance of services, and handling of sensitive data. We will make knowledgeable personnel available to meet periodically with you to discuss our system and data security practices, including (a) an overview of our security risk assessment and remediation processes, (b) a review of how we design and manage our services and systems for fault tolerance, including recovery after any type of disaster, and how our personnel are empowered to act in the event of any adverse event, including any loss of key personnel or of any critical system component. The review may cover how our control objectives are tested and how deficiencies are identified and addressed, as well as how production environments, test environments and network entry points are protected to prevent unauthorized product changes or tampering. If we reasonably believe that any major change to our system architecture could present a risk to system security, we will notify the person designated by you of the proposed change in advance and be prepared to discuss the issue with your designated person.
4. DATA SECURITY AND PRIVACY; PROCESSING
4.1 Definition of Personal Data
The term “Personal Data” means any Account Data, End User Data or other data which reveals information about a specific natural person either directly or through reference to information that enables, or, through association with other information under the control of or accessible to Aeris, could reasonably be expected to enable, identification of a specific natural person, such as (i) a government identification number or passport number for a person or (ii) a Device identifier for equipment (such as a vehicle) owned by a private individual where the identifier, such as a VIN, is maintained in a public database, or could be used to locate or establish communication with a specific natural person (such as mobile number, physical address or IP address). Location Data will be considered Personal Data either whenever it is associated in Aeris systems with other Personal Data relating to that data subject, or alone if the Location Data is likely to indicate the location of a specific natural person (e.g., GPS coordinates indicating a specific residence address, as opposed to a commercial building or a cell tower located in a general area and serving multiple persons).
4.2 Privacy Engineering
Aeris will use reasonable and prudent efforts to design the Aeris Services with respect to their collection and use of Personal Data following commonly-accepted principles of Privacy Engineering. You will be responsible for applying Privacy Engineering to Your Applications and Your Services as you deem appropriate. If you request that Aeris develop or modify any Aeris Service to meet your specifications and we reasonably believe that your design could be expected to pose a risk to the rights and freedoms of natural persons, you agree that we may conduct, with your cooperation, a privacy impact assessment and suggest any changes that may be prudent to protect the privacy of data subjects.
4.3 Information Security Policy; Safeguard of Data
We will at all times maintain a comprehensive written information security policy, train our personnel in its requirements, and monitor performance and compliance. We will at all times implement and maintain appropriate operational, managerial, physical and technical measures to protect all Data in our custody and control against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access. Measures will be commensurate with the sensitivity or commercial value of the Data, with the requirements of Applicable Data Laws, or with the impact on Aeris Services. We will limit access to Data only to those of our personnel or Service Providers who have a well-defined “need-to-know”, who have been notified of our obligations with respect to Data, who are bound by appropriate confidentiality and data security obligations, and who have received appropriate training in appropriate data privacy practices.
If Applicable Data Laws require that any categories of Data in our possession or control be encrypted in transit or at rest, we will discuss with you which of us should have responsibility for encryption of such Data and, where we have that responsibility, will encrypt it using appropriate protocols. You will be responsible for implementing appropriate security measures to protect Data transmitted to or from your Devices or your Data facilities, including, where required or appropriate, providing for the encryption of Data either in transit or at rest.
4.4 Lawful Processing; Controller
Aeris will be the Controller with respect to Account Data and Service Data and will be the Processor with respect to all other categories of Data. You are the Controller with respect to End User Data, Location Data and all other Personal Data we collect or process to provide Aeris Services to you and your End Users. Whether we are the Controller or Processor, we agree that we will only process Data lawfully and fairly and as required in connection with our performance of the Aeris Services. When processing Data as the Processor, we agree we will only process Data as necessary to provide the Aeris Services in compliance with a Services Agreement with you or otherwise in accordance with your documented instructions. Additional instructions outside the scope of any Services Agreement (including these Terms) or your instructions will require prior written agreement between us, including agreement on any additional fees payable to us for carrying out these instructions. You will be responsible for ensuring that your instructions comply with all Applicable Laws and that processing of Data in accordance with your instructions will not cause us to be in breach of the GDPR. We will notify you of any Service Providers who will have actual access to Personal Data, including information about the reason for such access. We will keep accurate records of all processing of Personal Data under a Services Agreement.
4.5 Consent to Collection of Personal Data
You agree that you will have the sole responsibility to determine the need for obtaining and to obtain the Consent of any natural person, including any of your Representatives or Account Users, to the collection and use of that person’s Personal Data with respect to the use of Aeris Services and to providing Your Services. We may also collect or process Personal Data on your behalf where you inform us that it is not reasonably practicable to obtain Consent and that you are required to use that data to perform a contract, or where you or we determine that processing is in the legitimate interests of you, us, a data subject or a third party and the processing should not be expected to threaten the fundamental rights and freedoms of a data subject. Where Consent is the only lawful basis for processing any personal data and you are not able to obtain Consent, you understand that, if we cannot use the Personal Data, we may not be able to continue to provide services to you or with respect to the data subjects who did not give Consent or who withdrew Consent.
4.5 Compliance with Applicable Data Laws.
We agree to process Data, including Personal Data, in compliance with all Applicable Data Laws in each Territory in which we will provide Aeris Services to you. We will not be required to comply with any specific obligations with respect to any Data, such as Payment Card Industry (PCI) or similar data security standards or any laws concerning “protected health information” (PHI) as defined in 45 CFR 10.103 or any similar law or regulation in any jurisdiction, unless we have explicitly agreed to such obligations in a Services Agreement.
4.6 Data Facilities
We will process and store Data using Data Facilities in the location of our choice except as required by Applicable Data Laws and except as we have explicitly agreed with you in a Services Agreement. If providing Aeris Services to you will involve processing of data originating in a Restricted Jurisdiction, we will notify you whether we have Data Facilities in such Restricted Jurisdiction. If we do, we will make every reasonable effort to process and store Data in Data Facilities located in that Restricted Jurisdiction. If we do not have access to Data Facilities in any Restricted Jurisdiction, or if you would like us to process and store Data in any other location where we do not have access to Data Facilities, we will discuss the request in accordance with the change control provisions of our Services Agreement. You will be responsible for the costs associated with contracting with or establishing and maintaining such Data Facilities.
4.7 Transfer of Data.
If we receive your Data, including Personal Data, in a Restricted Jurisdiction, we agree that we will not (and will procure that our Sub-Processors will not) transfer or process such Data outside the Restricted Jurisdiction without your specific prior written authorization unless a specific contractual clause in a Services Agreement authorizes such transfer or processing, such transfer and processing is required in order to provide Aeris Services to you and your End Users, or if there is another legitimate reason for such transfer and processing, including, for Personal Data, an appropriate and effective Consent from the data subjects authorizing the transfer. If required by Applicable Data Laws, we will (and will procure that any Sub-Processors will) have in place appropriate contractual arrangements, including obligations consistent with standard contractual clauses, governing such transfer and processing, unless such transfer has been approved by the applicable data protection regulatory authority in the Restricted Jurisdiction, or is made in reliance on any approved framework permitting the lawful transfer of the Data outside of a Restricted Jurisdiction, such as the Privacy Shield program.
For Aeris Services provided through Aeris Sites located in the United States, you agree that the use of the Aeris Sites and the collection of information from you, your Account Users or your End Users, including Data collected for creation of access credentials for use of Accounts and the Aeris Sites, occurs in the United States and is not a transfer of Data to the United States.
4.8 Ownership and Use of Data.
As between you and Aeris, we agree that Account Data, Application Data, End User Data and Event Data are your exclusive property. Unless we specifically agree otherwise with you in writing, and except as required to provide the Aeris Services and perform our obligations under a Services Agreement, we agree that, during and after the term of a Services Agreement, we will not (a) access, use, edit, modify, create derivatives, combinations or compilations of, reproduce, display, or otherwise process the Data you own, in part or in whole, (b) disclose, or transfer such Data to any third party other than our authorized Service Providers, or (c) sell or license such Data to any third party. We agree not to use Personal Data for purposes of marketing any goods or services except as expressly agreed with you in an affirmative writing.
If so requested by you within 90 days of termination or expiration of a Services Agreement, we will provide to you within a commercially reasonable time a complete copy in a mutually agreeable form of all current Account Data and End User Data that is in our possession and reasonably accessible to us. We will (and will procure that our Service Providers will) promptly destroy all other Personal Data in our or their possession and under our or their control except as may be necessary to establish a legal defense against any actual or potential claim.
All other Data will be our property, and we will have no obligation to make any such Data available to you.
4.9 Use of Third Party Sub-Processors in Data Processing.
We may contract with Sub-Processors as necessary to provide the Aeris Services to you under a Services Agreement, and you consent to the use of all such Sub-Processors to carry out these processing activities on your behalf. We will on request provide you with a list of Sub-Processors used in providing Aeris Services to you. With respect to all Sub-Processors, we agree that we will:
- restrict the Sub-Processor’s access to Personal Data and to your Data only to what is necessary to provide the Aeris Services to you and your End Users in accordance with a Services Agreement, and prohibit the Sub-Processor from accessing or using Personal Data or your Data for any other purpose;
- enter into a written agreement with the Sub-Processor containing essentially similar obligations and covenants concerning the processing of Personal Data and your Data as are applicable to us under this Addendum 1 or a Services Agreement; and
- remain primarily liable for compliance by the Sub-Processor with the obligations hereunder and for the acts and omissions of the Sub-Processor that cause us to be in breach of our obligations.
4.10 Your Compliance with Data Processing.
If requested by you in order for you to comply with Applicable Data Laws or if required by mandatory law in order for us to comply with Applicable Data Laws, we will provide such forms or other agreements or documents as you may reasonably require relating to processing of Personal Data by us, our Sub-Processors or our Service Providers, including, if necessary, filing any necessary registration or other forms with applicable governmental authorities.
4.11 Data Breach Notification to You
If we discover or receive credible information concerning (a) any Security Incident involving unauthorized or unlawful destruction, loss, alteration, disclosure of or access to Personal Data maintained or stored by us, our Sub-Processors or our Service Providers, (b) any Data Breach involving Data maintained or stored by us, our Sub-Processors or our Service Providers, (c) any third party notification of a Data Breach or violation of Applicable Data Laws by us, our Sub-Processors or our Service Providers; or (d) any enforcement proceeding, action, or lawsuit brought or threatened against us, our Sub-Processors or our Service Providers by any party or governmental authority relating in any way to Personal Data, then we will provide prompt notification to you as required by Applicable Data Laws.
4.12 Data Breach Remediation
To the extent any Applicable Data Laws require that a person be notified of a Data Breach, we will promptly confer with you to determine which of us has the primary obligation under Applicable Data Laws to notify data subjects of the Data Breach. If you have the obligation, we will provide to you such information about the Data Breach as we may reasonably disclose, taking in to account the nature of the Services, the information available to us, and any restrictions on disclosing the information, including confidentiality obligations.
If we have the primary obligation to notify any of your End Users or any governmental authorities of a Data Breach, we will (a) use reasonable efforts to obtain your prior approval of the content, form and timing, for providing any notices to your End Users, (b) promptly provide notice to governmental authorities containing such information as are mandated by Applicable Data Laws, (c) provide to affected persons, directly or through a third party, remediation services and other reasonable assistance as may be required under Applicable Data Laws, requested by governmental authorities, or as agreed between us, and (d) reasonably cooperate with you in otherwise responding to such Data Breach. We will bear all costs related to our responsibilities set forth above.
With respect to any Data Breach involving our System Resources or those of our Sub-Processors or Service Providers, we will conduct or require that they conduct any forensic and security reviews and audits as may be reasonably necessary in connection with such Data Breach to determine cause. We will act prudently and promptly to remediate our practices or our System Resources to prevent future incidents and will require any Sub-Processors or Service Providers to do the same.
4.13 Rights of Data Subjects. If you inform us that you must access Personal Data stored by us in order to comply with Applicable Data Laws, then, taking into account the nature of the Aeris Services provided to you, we will use good faith efforts to locate such Personal Data, modify it in accordance with your instructions if required, and provide such Personal Data to you in a form and format reasonably acceptable to you. You understand that some forms of data may be difficult or time-consuming to locate, and you will reimburse us our reasonable fees in providing this assistance.
4.14 Government Access to Data. We will not disclose your Data or any Personal Data to any government or any third party except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or other court order) issued to us by any law enforcement or other government agency with apparent authority in any Territory, including (a) requests for any Data relating to a Device or End User and (b) requests for cooperation with electronic surveillance of any Device or End User. If a law enforcement agency sends us a demand for any of your Data or Personal Data, we will attempt to redirect the law enforcement agency to request that Data directly from you, and may provide your basic contact information to the law enforcement agency. If compelled to disclose any of your Data to a law enforcement agency, then we will give you reasonable notice of the demand to allow you to seek a protective order or other appropriate remedy unless we are legally prohibited from doing so, and will disclose only that portion of Data as we are required to disclose.
5. BUSINESS CONTINUITY AND DISASTER RECOVERY
5.1 Appropriate Design for Recovery
We will design the Aeris Services and our System Resources and Data Facilities in a manner reasonably and prudently calculated to provide a highly available, secure and accurate service that appropriately protects confidential information and avoids and mitigates disruptions in our business in the event of any adverse event, including any loss of key personnel or of any critical system component. We will put in place appropriate plans and arrangements within our organization, based on risk analysis and stakeholder expectations, covering critical business operations involved in delivery of Aeris Services, will train our personnel and Service Providers in such plans and in their roles and responsibilities, and will test the plans periodically to ensure that they perform as expected in terms of failover, redundancy and recovery. We will make knowledgeable personnel available to meet periodically with you to discuss how we design and manage our services and systems for fault tolerance, including recovery after any type of disaster, and how our personnel are empowered to act. The review may cover how our control objectives are tested and how deficiencies are identified and addressed, as well as how production environments, test environments and network entry points are protected to prevent unauthorized product changes or tampering.
5.2 Appropriate Design for System Availability
We will design our System Resources to have the availability requirements agreed with you and to meet any agreed recovery time objectives. Our personnel will meet with you as reasonably requested to review design, objectives, and test results.
5.3 Appropriate Design for Data Availability
We will design our use of Data Facilities to provide security and redundancy in the processing and storage of Data commensurate with the importance of such Data to Your Application. Redundancy or failover plans and recovery times will be designed based on the business need for timely access to such Data.
5.4 Litigation Hold
We agree, upon receipt of notice of any “litigation hold” from you describing any categories of Data subject to the hold, to immediately cease destruction or deletion of any such Data for the period of time specified in the request.* End of Addendum 1*