channelblu_new_logo

Privacy Policy

This Privacy Notice describes how we collect and use your personal information in relation to Evato websites, applications, products, services, events, and experiences that reference this Privacy Notice (together, “Evato Offerings”). This Privacy Notice does not apply to the “content” processed, stored, or hosted by our customers using Evato Offerings in connection with an Evato account. See the agreement governing your access to your Evato account and the Evato Data Privacy FAQ for more information about how we handle content and how our customers can control their content through Evato Offerings. This Privacy Notice also does not apply to any products, services, websites, or content that are offered by third parties or have their own privacy notice.

 

Personal Information We Collect

 

We collect your personal information in the course of providing Evato Offerings to you. Here are the types of information we gather:

  • Information You Give Us: We collect any information you provide in relation to Evato Offerings.

  • Automatic Information: We automatically collect certain types of information when you interact with Evato Offerings.

  • Information from Other Sources: We might collect information about you from other sources, including service providers, partners, and publicly available sources.

 

How We Use Personal Information

 

We use your personal information to operate, provide, and improve Evato Offerings. Our purposes for using personal information include:

  • Provide Evato Offerings: We use your personal information to provide and deliver Evato Offerings and process transactions related to Evato Offerings, including registrations, subscriptions, purchases, and payments.

  • Measure, Support, and Improve Evato Offerings: We use your personal information to measure use of, analyze performance of, fix errors in, provide support for, improve, and develop Evato Offerings.

  • Recommendations and Personalization: We use your personal information to recommend Evato Offerings that might be of interest to you, identify your preferences, and personalize your experience with Evato Offerings.

  • Comply with Legal Obligations: In certain cases, we have a legal obligation to collect, use, or retain your personal information. For example, we collect bank account information from Evato Marketplace sellers for identity verification.

  • Communicate with You: We use your personal information to communicate with you in relation to Evato Offerings via different channels (e.g., by phone, email, chat) and to respond to your requests.

  • Marketing: We use your personal information to market and promote Evato Offerings. We might display interest-based ads for Evato Offerings.

  • Fraud and Abuse Prevention and Credit Risks: We use your personal information to prevent and detect fraud and abuse in order to protect the security of our customers, Evato, and others. We may also use scoring methods to assess and manage credit risks.

  • Purposes for Which We Seek Your Consent: We may also ask for your consent to use your personal information for a specific purpose that we communicate to you.

Cookies

 

To enable our systems to recognize your browser or device and to provide Evato Offerings to you, we use cookies. For more information about cookies and how we use them, please read our Cookies Notice.

 

How We Share Personal Information

 

Information about our customers is an important part of our business and we are not in the business of selling our customers’ personal information to others. We share personal information only as described below and with Evato Technology Private Limited and the subsidiaries that Evato Technology Private Limited controls that are either subject to this Privacy Notice or follow practices at least as protective as those described in this Privacy Notice.

  • Transactions Involving Third Parties: We make available to you services, software, and content provided by third parties for use on or through Evato Offerings. You can tell when a third party is involved in your transactions, and we share information related to those transactions with that third party. For example, you can order services, software, and content from sellers using the Evato Marketplace and we provide those sellers information to facilitate your subscription, purchases, or support.

  • Third-Party Service Providers: We employ other companies and individuals to perform functions on our behalf. Examples include: delivering Evato hardware, sending communications, processing payments, assessing credit and compliance risks, analyzing data, providing marketing and sales assistance (including advertising and event management), conducting customer relationship management, and providing training. These third party service providers have access to personal information needed to perform their functions, but may not use it for other purposes. Further, they must process that information in accordance with this Privacy Notice and as permitted by applicable data protection law.

  • Business Transfers: As we continue to develop our business, we might sell or buy businesses or services. In such transactions, personal information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the individual consents otherwise). Also, in the unlikely event that Evato or substantially all of its assets are acquired, your information will of course be one of the transferred assets.

  • Protection of Us and Others: We release account and other personal information when we believe release is appropriate to comply with the law, enforce or apply our terms and other agreements, or protect the rights, property, or security of Evato, our customers, or others. This includes exchanging information with other companies and organizations for fraud prevention and detection and credit risk reduction.

  • At Your Option: Other than as set out above, you will receive notice when personal information about you might be shared with third parties, and you will have an opportunity to choose not to share the information.

Location of Personal Information

 

Evato Technology Private Limited is located in the India, and our affiliated companies may be located throughout the world. Depending on the scope of your interactions with Evato Offerings, your personal information may be stored in or accessed from multiple countries, including the India. Whenever we transfer personal information to other jurisdictions, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by applicable data protection laws.

 

How We Secure Information

 

At Evato, security is our highest priority. We design our systems with your security and privacy in mind.

  • We maintain a wide variety of compliance programs that validate our security controls.

  • We protect the security of your information during transmission to or from Evato websites, applications, products, or services by using encryption protocols and software.

  • We follow the Payment Card Industry Data Security Standard (PCI DSS) only when handling credit card data.

  • We maintain physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal information. Our security procedures mean that we may request proof of identity before we disclose personal information to you.

 

Internet Advertising and Third Parties

 

Evato Offerings may include third-party advertising and links to other websites and applications. Third party advertising partners may collect information about you when you interact with their content, advertising, or services. For more information about third-party advertising, including interest-based ads.

 

Access and Choice

 

You can view, update, and delete certain information about your account and your interactions with Evato Offerings. If you cannot access or update your information yourself, you can always contact us for assistance.

 

You have choices about the collection and use of your personal information. Many Evato Offerings include settings that provide you with options as to how your information is being used. You can choose not to provide certain information, but then you might not be able to take advantage of certain Evato Offerings.

  • Account Information: If you want to add, update, or delete information related to your account, please go to the related product Dashboard. When you update or delete any information, we usually keep a copy of the prior version for our records.

  • Communications: If you do not want to receive promotional messages from us, please unsubscribe or adjust your communication preferences in the related product dashboard. If you do not want to receive in-app notifications from us, please adjust your notification settings in the app or your device.

  • Advertising: If you don’t want to see interest-based ads, please adjust your Advertising Preferences.

  • Browser and Devices: The Help feature on most browsers and devices will tell you how to prevent your browser or device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.

  • Sellers and Evato Partners: Sellers and Evato Partner Network members can add, update, or delete information in the related product Evato Dashboard.

Children’s Personal Information

We don’t provide Evato Offerings for purchase by children. If you’re under 18, you may use Evato Offerings only with the involvement of a parent or guardian.

 

Retention of Personal Information

We keep your personal information to enable your continued use of Evato Offerings, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice, as may be required by law (including for tax and accounting purposes), or as otherwise communicated to you. How long we retain specific personal information varies depending on the purpose for its use, and we will delete your personal information in accordance with applicable law.

 

Contacts, Notices, and Revisions

If you have any concern about privacy at Evato or want to contact one of our data controllers, please contact us with a thorough description, and we will try to resolve it. You may also contact us at the addresses below:

  • For any prospective or current customers of Evato Technology Private Limited, our mailing address is: Evato Technology Private Limited, F-213/A, Lower Ground Floor, Old M B Road, Nai Basti, Lado Sarai, New Delhi 110030, India, ATTN: ETPL Legal

 

If you interact with Evato Offerings on behalf of or through your organization, then your personal information may also be subject to your organization’s privacy practices, and you should direct privacy inquiries to your organization.

 

Our business changes constantly, and our Privacy Notice may also change. You should check our website frequently to see recent changes. You can see the date on which the latest version of this Privacy Notice was posted. Unless stated otherwise, our current Privacy Notice applies to all personal information we have about you and your account. We stand behind the promises we make, however, and will never materially change our policies and practices to make them less protective of personal information collected in the past without informing affected customers and giving them a choice.

Here are the types of information we gather:

 

Information You Give Us: We collect any information you provide in relation to Evato Offerings.

Automatic Information: We automatically collect certain types of information when you interact with Evato Information from Other Sources: We might collect information about you from other sources, including service providers, partners, and publicly available sources.

 

How We Use Personal Information

 

We use your personal information to operate, provide, and improve Evato Offerings. Our purposes for using personal information include:

 

Provide Evato Offerings: We use your personal information to provide and deliver Evato Offerings and process transactions related to Evato Offerings, including registrations, subscriptions, purchases, and payments.

 

Measure, Support, and Improve Evato Offerings: We use your personal information to measure use of, analyze performance of, fix errors in, provide support for, improve, and develop Evato Offerings.

 

Recommendations and Personalization: We use your personal information to recommend Evato Offerings that might be of interest to you, identify your preferences, and personalize your experience with Evato

Offerings.

 

Comply with Legal Obligations: In certain cases, we have a legal obligation to collect, use, or retain your personal information. For example, we collect bank account information from Evato Marketplace sellers for identity verification.

 

Communicate with You: We use your personal information to communicate with you in relation to Evato Offerings via different channels (e.g., by phone, email, chat) and to respond to your requests.

 

Marketing: We use your personal information to market and promote Evato Offerings. We might display interest-based ads for Evato Offerings. To learn more, please read our Interest-Based Ads notice.

 

Fraud and Abuse Prevention and Credit Risks: We use your personal information to prevent and detect fraud and abuse in order to protect the security of our customers, Evato, and others. We may also use scoring methods to assess and manage credit risks.

 

Purposes for Which We Seek Your Consent: We may also ask for your consent to use your personal information for a specific purpose that we communicate to you.

 

Cookies

To enable our systems to recognize your browser or device and to provide Evato Offerings to you, we use cookies. For more information about cookies and how we use them, please read our Cookies Notice.

 

How We Share Personal Information

Information about our customers is an important part of our business and we are not in the business of selling our customers’ personal information to others. We share personal information only as described below and with Evato Technology Private Limited and the subsidiaries that Evato Technology Private Limited controls that are either subject to this Privacy Notice or follow practices at least as protective as those described in this Privacy Notice.

 

Transactions Involving Third Parties: We make available to you services, software, and content provided by third parties for use on or through Evato Offerings. You can tell when a third party is involved in your transactions, and we share information related to those transactions with that third party. For example, you can order services, software, and content from sellers using the Evato Marketplace and we provide those sellers information to facilitate your subscription, purchases, or support.

 

Third-Party Service Providers: We employ other companies and individuals to perform functions on our behalf. Examples include: delivering Evato hardware, sending communications, processing payments, assessing credit and compliance risks, analyzing data, providing marketing and sales assistance (including advertising and event management), conducting customer relationship management, and providing training. These third party service providers have access to personal information needed to perform their functions, but may not use it for other purposes. Further, they must process that information in accordance with this Privacy Notice and as permitted by applicable data protection law.

 

Business Transfers: As we continue to develop our business, we might sell or buy businesses or services. In such transactions, personal information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the individual consents otherwise). Also, in the unlikely event that Evato or substantially all of its assets are acquired, your information will of course be one of the transferred assets.

 

Protection of Us and Others: We release account and other personal information when we believe release is appropriate to comply with the law, enforce or apply our terms and other agreements, or protect the rights, property, or security of Evato, our customers, or others. This includes exchanging information with

other companies and organizations for fraud prevention and detection and credit risk reduction.

 

At Your Option: Other than as set out above, you will receive notice when personal information about you might be shared with third parties, and you will have an opportunity to choose not to share the information.

 

Location of Personal Information

Evato Technology Private Limited is located in the India, and our affiliated companies are located throughout the world. Depending on the scope of your interactions with Evato Offerings, your personal information may be stored in or accessed from multiple countries, including the India. Whenever we transfer personal information to other jurisdictions, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by applicable data protection laws.

 

How We Secure Information

At Evato, security is our highest priority. We design our systems with your security and privacy in mind. We maintain a wide variety of compliance programs that validate our security controls.

We protect the security of your information during transmission to or from Evato websites, applications, products, or services by using encryption protocols and software.

We follow the Payment Card Industry Data Security Standard (PCI DSS) only when handling credit card data.

We maintain physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal information. Our security procedures mean that we may request proof of identity before we disclose personal information to you.

Internet Advertising and Third Parties

Evato Offerings may include third-party advertising and links to other websites and applications. Third party advertising partners may collect information about you when you interact with their content, advertising, or services. For more information about third-party advertising, including interest-based ads, please read our Interest-Based Ads notice.

Access and Choice

You can view, update, and delete certain information about your account and your interactions with Evato Offerings. Click here for a list of examples of information that you can access. If you cannot access or update your information yourself, you can always contact us for assistance.

 

You have choices about the collection and use of your personal information. Many Evato Offerings include settings that provide you with options as to how your information is being used. You can choose not to provide certain information, but then you might not be able to take advantage of certain Evato Offerings.

 

Account Information: If you want to add, update, or delete information related to your account, please go to the related product dashboard. When you update or delete any information, we usually keep a copy of the prior version for our records.

Communications: If you do not want to receive promotional messages from us, please unsubscribe or adjust your communication preferences in the related product dashboard. If you do not want to receive in-app notifications from us, please adjust your notification settings in the app or your device.

Advertising: If you don’t want to see interest-based ads, please adjust your Advertising Preferences. Browser and Devices: The Help feature on most browsers and devices will tell you how to prevent your browser or device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.

Sellers and Evato Partners: Sellers and Evato Partner Network members can add, update, or delete information in the Evato Marketplace and ETPL Partner Central, respectively.

 

Examples of Information Collected Information You Give Us

You provide information to us when you:

  • search for, subscribe to, or purchase Evato Offerings;

  • create or administer your Evato account (and you might have more than one account if you have used more than one email address when using Evato Offerings);

  • configure your settings for, provide data access permissions for, or otherwise interact with Evato Offerings;

  • register for or attend an Evato event;

  • purchase or use content, products, or services from third-party providers through the Evato Marketplace (or other similar venues operated or provided by us);

  • offer your content, products, or services on or through Evato Offerings or the Evato Marketplace (or other similar venues operated or provided by us);

  • communicate with us by phone, email, or otherwise;

  • complete a questionnaire, a support ticket, request/registration form or other information request forms;

  • post on Evato websites or participate in community features; and

  • employ notification services.

Depending on your use of Evato Offerings, you might supply us with such information as:

  • your name, email address, physical address, phone number, and other similar contact information;

  • payment information, including credit card and bank account information;

  • information about your location;

  • information about your organization and your contacts, such as colleagues or people within your organization;

  • usernames, aliases, roles, and other authentication and security credential information;

  • content of feedback, testimonials, inquiries, support tickets, and any phone conversations, chat sessions and emails with or to us;

  • your image (still, video, and in some cases 3-D), voice, and other identifiers that are personal to you when you attend an Evato event or use certain Evato Offerings;

  • information regarding identity, including government-issued identification information;

  • corporate and financial information; and

  • VAT numbers and other tax identifiers.

 

Automatic Information

We collect information automatically when you:

  • visit, interact with, or use Evato Offerings (including when you use your computer or other device to interact with Evato Offerings);

  • download content from us;

  • open emails or click on links in emails from us; and

  • interact or communicate with us (such as when you attend an Evato event or when you request customer support).

Examples of the information we automatically collect include:

  • network and connection information, such as the Internet protocol (IP) address used to connect your computer or other device to the Internet and information about your Internet service provider;

  • computer and device information, such as device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting;

  • the location of your device or computer;

  • authentication and security credential information;

  • content interaction information, such as content downloads, streams, and playback details, including duration and number of simultaneous streams and downloads;

  • Evato Offerings metrics, such as offering usage, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs;

  • the full Uniform Resource Locators (URL) clickstream to, through, and from our website (including date and time) and Evato Offerings, content you viewed or searched for, page response times, download errors, and page interaction information (such as scrolling, clicks, and mouse-overs);

  • email addresses and phone numbers used to contact us; and

  • identifiers and information contained in cookies (see our Cookies Notice). Information from Other Sources

Examples of information we receive from other sources include:

  • marketing, sales generation, and recruitment information, including your name, email address, physical address, phone number, and other similar contact information;

  • subscription, purchase, support, or other information about your interactions with products and services offered by us, our affiliates (such as Evato training courses), or third parties (such as products offered through the Evato Marketplace) in relation to Evato Offerings;

  • search results and links, including paid listings (such as Sponsored Links); and

  • credit history information from credit bureaus. Information You Can Access

Examples of information you can access through Evato Offerings include:

  • your name, email address, physical address, phone number, and other similar contact information;

  • usernames, aliases, roles, and other authentication and security credential information;

  • your subscription, purchase, usage, billing, and payment history;

  • payment settings, such as payment instrument information and billing preferences;

  • tax information;

  • email communication and notification settings; and

  • if you participate in the Evato Marketplace or Evato Partner Network (or other similar venues operated or provided by us), your account, your status, subscriptions, and other information.

Customers can access the information above through Evato Offerings, such as the Supplytics & Original4Sure Dashboard etc.

Evato Policy on Reporting Trademark Infringements

 

Effective Date September 30, 2018

Evato respects the trademark rights of third-parties, and expects you (or the entity you represent), as a user of our Websites or Services, to do the same. This policy provides information about our policies and procedures regarding any alleged or suspected infringement of trademarks, service marks, trade names, logos, or other similar designations which identify a person or business (collectively, “trademarks”) on our Websites and Services. Any capitalized terms which are not defined in this policy shall have the same meanings in our Terms of Service.

 

Trademark Infringement Notifications

If you are the owner or authorized representative of the owner or a licensed user of a trademark that you reasonably believe has been infringed because of its use on our Websites or Services, you may provide us with a notice of infringement.

We have provided the following information for the exclusive purpose of notifying us that you believe your trademarks are being infringed.

To notify us of any reasonably suspected trademark infringement, you must send us a written notice that includes substantially all of the following requirements. You should consult your own attorney to confirm the following requirements:

  1. Your name, address, telephone number, mailing address, and/or email address, so that we may contact you regarding the notification.

  2. A clear and complete identification of the trademark (including a graphical representation of the trademark) you claim is being infringed.

  3. A clear and complete identification of your proof of ownership of, or the right to use, the trademark. Any identification must include, at a minimum (a) (if the trademark is registered) the federal or state trademark registration number; and (b) the date of first use of the trademark in commerce in India.

  4. Clear and unambiguous proof of your actual use of the trademark in commerce in India.

  5. An identification of the allegedly infringing materials, and if applicable, the reference or link to the allegedly infringing materials. The identification should include enough specific information, such as Website URL(s), so that we can reasonably locate the allegedly infringing material. General information about the material, such as the Service being used or a username, will not be sufficient for us to identify the allegedly infringing material or its location.

  6. Any arguments or documented evidence which supports your belief that the allegedly infringing materials are likely to cause confusion or mistake, or would deceive any third-party.

  7. The statement “I have a good-faith belief that the use of the material in the manner complained of is not authorized by the trademark owner, its authorized representative, or the law.”

  8. The statement “The information in this notice is accurate, and, under penalty of perjury, I am the trademark owner, or authorized to act on behalf of the owner of the exclusive right that is allegedly infringed.”

  9. An electronic or physical signature of the trademark owner or the person authorized to act on behalf of the owner. You may provide your signature by typing your own full legal name (including first and last names; no company names) at the bottom of your notice.

  10. The date (MM/DD/YYY) that you are submitting the notice of alleged trademark infringement.

If we determine that your notice complies with these requirements, we will act promptly to conduct an independent investigation of the suspected or alleged trademark infringement, and upon advice of legal

counsel, take down, or disable access to, the allegedly infringing material, and provide notice to the user that we have taken down the material. We reserve the right to take any all actions (including no action) in connection with any notice of suspected trademark infringement in our sole, reasonable discretion.

If we comply with any trademark notice you submit, you may be responsible for initiating actions which may expose you or us to legal liability. Do not submit false claims. If you are unsure whether materials on our Websites or Services infringe upon your trademark rights, you should consult a lawyer before proceeding with any notice to us.

 

You may be subject to severe legal consequences if you submit false claims of trademark infringement. These consequences include injunctions or damages (including court costs and attorneys’ fees) incurred by anyone who is injured by our reliance on those misrepresentations to remove or disable access to the material. Those parties include the alleged infringer, the trademark owner or its licensees, or us. In addition, if you have an account with us, we may suspend or terminate your account or access to any of our Websites or Services for submitting false claims of trademark infringement.

Please note that the information you provide in a notice, including your name, telephone number, mailing address, and/or email address, may be forwarded to the person who provided the allegedly infringing material to us, and that we may publish your contact information in place of disabled content.

 

Retractions

If you submitted a notice of trademark infringement by mistake, or would otherwise like to retract your notice, please provide us with the following:

  1. The statement “I hereby retract my trademark infringement notification.”

  2. An identification of the allegedly infringing materials, and if applicable, the reference or link to the allegedly infringing materials which you identified in the original trademark infringement notification

  3. Your electronic or physical signature (including first and last names; no company names). If you sent your original notification by email, send your retraction from the same email address, otherwise we may not be able to process your retraction.

  4. The date (MM/DD/YYY) that you are submitting the retraction.

If your account or any material you uploaded or submitted to a Website or through a Service has been affected by a trademark infringement notification, you may reach out directly to the trademark owner for a retraction of the original notice. We will retract the original notice upon receiving a written confirmation from the trademark owner or any person authorized to act on behalf of the trademark owner.

 

Notices

All notices under this policy should be submitted by electronic mail to legal@evato.co. Termination Policy

Please be advised that we have adopted and enforce a policy of termination in appropriate circumstances against users who are repeat infringers. In addition, we reserve the right at all times to suspend or terminate your account according to our Terms of Service.

ETPL GDPR DATA PROCESSING ADDENDUM

 

This Data Processing Addendum (“DPA”) is an agreement between Evato Technology Private Limited (“ETPL”, “we,” “us,” or “our”) and you or the entity you represent (“Customer”, “you” or “your”). This DPA supplements the ETPL Customer Agreement available at https://evato.co/legal/agreement, as updated from time to time between Customer and ETPL, or other agreement between Customer and ETPL governing Customer’s use of the Service Offerings (the “Agreement”), when the GDPR applies to your use of the Services to process Customer Data. Unless otherwise defined in this DPA or in the Agreement, all capitalised terms used in this DPA will have the meanings given to them in Section 17 of this DPA.

 

  1. Data Processing.

    1. Scope and Roles. This DPA applies when Customer Data is processed by ETPL. In this context, ETPL will act as “processor” to Customer who may act either as “controller” or “processor” with respect to Customer Data (as each term is defined in the GDPR).

    2. Customer Controls. The Services provide Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer Data as described in the Documentation. Without prejudice to Section 5.1, Customer may use these controls as technical and organisational measures to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects.

    3. Details of Data Processing.

      1. Subject matter. The subject matter of the data processing under this DPA is Customer Data.

      2. Duration. As between ETPL and Customer, the duration of the data processing under this DPA is determined by Customer.

      3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.

      4. Nature of the processing: Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.

      5. Type of Customer Data: Customer Data uploaded to the Services under Customer’s ETPL accounts.

      6. Categories of data subjects: The data subjects may include Customer’s customers, employees, suppliers and end-users.

    4. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR.

 

  1. Customer Instructions. The parties agree that this DPA and the Agreement (including the provision of instructions via configuration tools such as the Evato product dashboard and APIs made available by ETPL or its Affiliates for the Services) constitute Customer’s documented instructions regarding ETPL’s processing of Customer Data (“Documented Instructions”). ETPL will process Customer Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between ETPL and Customer, including agreement on any additional fees payable by Customer to ETPL for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if ETPL declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

 

  1. Confidentiality of Customer Data. ETPL will not access or use, or disclose to any third party, Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends ETPL a demand for Customer Data, ETPL will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, ETPL may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then ETPL will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other

appropriate remedy unless ETPL is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 3 varies or modifies the Standard Contractual Clauses.

  1. Confidentiality Obligations of ETPL Personnel. ETPL restricts its personnel from processing Customer Data without authorisation by ETPL as described in the Security Standards. ETPL imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

  2. Security of Data Processing

    1. ETPL or its Affiliates have implemented and will maintain the technical and organisational measures for the Evato Network as described in the Security Standards and this Section. In particular, ETPL or its Affiliates have implemented and will maintain the following technical and organisational measures:

  1. security of the Evato Network as set out in Section 1.1 of the Security Standards;

  2. physical security of the facilities as set out in Section 1.2 of the Security Standards;

  3. measures to control access rights for employees and contractors of ETPL or its Affiliates in relation to the Evato Network as set out in Section 1.1 of the Security Standards; and

  4. processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented by ETPL or its Affiliates as described in Section 2 of the Security Standards.

  1. Customer may elect to implement technical and organisational measures in relation to Customer Data. Such technical and organisational measures include the following which may be obtained by Customer from ETPL or its Affiliates as described in the Documentation, or directly from a third party supplier:

  1. pseudonymisation and encryption to ensure an appropriate level of security;

  2. measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are being operated by Customer;

  3. measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and

  4. processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented by Customer.

  1. Sub-processing.

    1. Authorised Sub-processors. Customer agrees that ETPL may use sub-processors to fulfil its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services. Evato is, and Customer consents to the appointment of Evato as, a sub-processor for ETPL for these purposes. The Site lists sub-processors of ETPL (other than Evato) or Evato that are currently engaged to carry out processing activities on Customer Data on behalf of Customer. At least 30 days before ETPL or Evato engages any new sub-processor to carry out processing activities on Customer Data on behalf of Customer, ETPL or Evato will update the applicable website and provide Customer with a mechanism to obtain notice of that update. If Customer objects to a new sub-processor, then without prejudice to any termination rights Customer has under the Agreement and subject to the applicable terms and conditions, Customer may move the relevant Customer Data to another Evato region where the new sub-processor to whom Customer objects, is not engaged by ETPL or Evato as a sub-processor. Customer consents to ETPL’s use of sub-processors as described in this Section. Except as set forth in this Section, or as Customer may otherwise authorise, ETPL will not permit any sub-processor to carry out processing activities on Customer Data on behalf of Customer.

    2. Sub-processor Obligations. Where ETPL authorises any sub-processor as described in Section 6.1:

  1. ETPL will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer and

any End Users in accordance with the Documentation, and ETPL will prohibit the sub-processor from accessing Customer Data for any other purpose;

  1. ETPL will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by ETPL under this DPA, ETPL will impose on the sub- processor the same contractual obligations that ETPL has under this DPA; and

  2. ETPL will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause ETPL to breach any of ETPL’s obligations under this DPA.

  1. Data Subject Rights

Taking into account the nature of the Services, ETPL offers Customer certain controls as described in Sections 1.2 and 5.2 that Customer may elect to use to comply with its obligations towards data subjects. Should a data subject contact ETPL with regard to correction or deletion of its personal data, ETPL will use commercially reasonable efforts to forward such requests to Customer.

  1. Optional Security Features. ETPL makes available a number of security features and functionalities that Customer may elect to use. Customer is responsible for (a) implementing the measures described in Section 5.2, as appropriate, (b) properly configuring the Services, (c) using the controls available in connection with the Services (including the security controls) to allow Customer to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident (e.g. backups and routine archiving of Customer Data), and (d) taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Customer Data, which includes use of encryption technology to protect Customer Data from unauthorised access and measures to control access rights to Customer Data.

  2. Security Breach Notification.

    1. Security Incident. ETPL will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take reasonable steps to mitigate the effects and to minimise any damage resulting from the Security Incident.

    2. ETPL Assistance. To assist Customer in relation to any personal data breach notifications Customer is required to make under the GDPR, ETPL will include in the notification under section 9.1(a) such information about the Security Incident as ETPL is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to ETPL, and any restrictions on disclosing the information, such as confidentiality.

    3. Unsuccessful Security Incidents. Customer agrees that:

  1. an unsuccessful Security Incident will not be subject to this Section 9. An unsuccessful Security Incident is one that results in no unauthorised access to Customer Data or to any equipment or facilities of ETPL or its Affiliates storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents; and

  2. ETPL’s obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by ETPL of any fault or liability of ETPL or its Affiliates with respect to the Security Incident.

  1. Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means ETPL selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Evato product dashboard and secure transmission at all times.

  1. Evato Certifications and Audits.

    1. ISO Certification and SOC Reports. In addition to the information contained in this DPA, upon Customer’s request, and provided that the parties have an applicable NDA in place, ETPL or its Affiliates may make available certification related documents and information. 

  1. Audits. ETPL or its Affiliates may use external auditors to verify the adequacy of their security measures, including the security of the physical data centers from which ETPL or its Affiliates provide the Services.

  2. Audit Reports. At Customer’s written request, and provided that the parties have an applicable NDA in place, Customer will be provided with a copy of the Report so that Customer can reasonably verify ETPL’s compliance with its obligations under this DPA.

  3. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to ETPL or its Affiliates, ETPL will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information ETPL makes available under this Section 10.

  1. Customer Audits. Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by instructing ETPL to carry out the audit described in Section 10. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending ETPL written notice as provided for in the Agreement. If ETPL declines to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this DPA and the Agreement. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.

  2. Transfers of Personal Data.

    1. Customer may specify the location(s), or Evato regions, where Customer Data will be processed within the Evato Network. Once Customer has made its choice, unless Customer otherwise agrees, ETPL will not transfer Customer Data from Customer’s selected Evato region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses.

    2. Application of Standard Contractual Clauses. The Standard Contractual Clauses will apply to Customer Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognised by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply if ETPL has adopted Binding Corporate Rules for Processors or an alternative recognised compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the EEA.

  3. Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”). 

  1. Return or Deletion of Customer Data. The Services provide Customer with controls that Customer may use to retrieve or delete Customer Data as described in the Documentation. Up to the Termination Date, Customer will continue to have the ability to retrieve or delete Customer Data in accordance with this Section. For 90 days following the Termination Date, Customer may retrieve or delete any remaining Customer Data from the Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or it could subject ETPL or its Affiliates to liability. No later than the end of this 90 day period, Customer will close all ETPL accounts. ETPL will delete Customer Data when requested by Customer by using the Service controls provided for this purpose. 

  1. Duties to Inform. Where Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by ETPL, ETPL will inform Customer without undue delay. ETPL will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.

  1. Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control.

  2. Definitions. Unless otherwise defined in the Agreement, all capitalised terms used in this DPA will have the meanings given to them below:

Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with that party.

Evato” means Evato Technology Private Limited, an Indian Private Entity.

Evato Network” means data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within the control of ETPL or its Affiliates and are used to provide the Services.

Customer” means you or the entity you represent.

Customer Data” means the “personal data” (as defined in the GDPR) that is uploaded to the Services under Customer’s ETPL accounts.

EEA” means the European Economic Area.

GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

NDA” means a non-disclosure agreement entered into between the parties.

Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.

Security Incident” means a breach of ETPL or its Affiliates’ security, leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data. “Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex 1.

“Standard Contractual Clauses” means Annex 2, attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.

 

Annex 1 Security Standards

Capitalised terms not otherwise defined in this document have the meanings assigned to them in the Agreement.

  1. Information Security Program. ETPL or its Affiliates will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Evato Network, and (c) minimise security risks, including through risk assessment and regular testing. ETPL or its Affiliates will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:

    1. Network Security. The Evato Network will be electronically accessible to employees, contractors and any other person as necessary to provide the Services. ETPL or its Affiliates will maintain access controls and policies to manage what access is allowed to the Evato Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. ETPL or its Affiliates will maintain corrective action and incident response plans to respond to potential security threats.

    2. Physical Security

      1. Physical Access Controls. Physical components of the Evato Network are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorised entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorised employees or contractors while visiting the Facilities.

      2. Limited Employee and Contractor Access. ETPL or its Affiliates provide access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of ETPL or its Affiliates.

      3. Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. ETPL or its Affiliates also maintain electronic intrusion detection systems designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

 

  1. Continued Evaluation. ETPL or its Affiliates will conduct periodic reviews of the security of its Evato Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. ETPL or its Affiliates will continually evaluate the security of its Evato Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews. 

Annex 2

Standard Contractual Clauses (processors)

 

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. The entity identified as “Customer” in the DPA (the “data exporter”) and Evato Technology Private Limited B-2, Third Floor, Swasthya Vihaar, New Delhi-110092, India (the “data importer”) each a “party”; together “the parties”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

  2. ‘the data exporter’ means the controller who transfers the personal data;

  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

  4. ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

  5. ‘the applicable data protection lawmeans the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

  6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. 

  1. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  1. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

 

The data exporter agrees and warrants:

Clause 4

Obligations of the data exporter

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

  2. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

  3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

  5. that it will ensure compliance with the security measures;

  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

  7. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

  8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information.

  9. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

  10. that it will ensure compliance with Clause 4(a) to (i).

 

Clause 5

Obligations of the data importer1

 

The data importer agrees and warrants:

 

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

  1. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

  2. that it will promptly notify the data exporter about:

    1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

    2. any accidental or unauthorised access, and

    3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

  3. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

1 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

 

  1. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

  2. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

  3. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

  4. that the processing services by the subprocessor will be carried out in accordance with Clause 11;

  5. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

 

Clause 6

Liability

 

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and Jurisdiction

 

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

    1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

    2. to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with Supervisory Authorities

 

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

 

Clause 10

Variation of the Contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

 

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

 

Clause 12

Obligation after the termination of personal data processing services

 

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

 

Data exporter

The data exporter is the entity identified as “Customer” in the DPA

 

Data importer

The data importer is Evato Technology Private Limited, a provider of web services.

 

Data subjects

Data subjects are defined in Section 1.3 of the DPA.

 

Categories of data

The personal data is defined in Section 1.3 of the DPA.

 

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify): The processing operations are defined in Section 1.3 of the DPA.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

 

This Appendix forms part of the Clauses and must be completed by the parties.

 

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

 

The technical and organisational security measures implemented by the data importer are as described in the DPA.

 

Evato Policy on Reporting Copyright Infringements

 

Effective Date September 30, 2018

 

Evato respects the copyrights of third-parties, and expects you (or the entity you represent), as a user of our Websites or Services, to do the same. This policy provides information about our policies and procedures regarding the infringement of copyrighted material on our Websites and Services. Any capitalized terms which are not defined in this policy shall have the same meanings in our Terms of Service.

 

Copyright Infringement Notifications

If you believe that there is any infringement of your copyrighted materials on our Websites or Services, you may provide us with a notice of copyright infringement. Pursuant to 17 U.S.C. §512(c)(2), all notifications of claimed copyright infringement on our Websites or Services should be sent to our Designated Agent.

We have provided the following information for the exclusive purpose of notifying us that you believe your copyright(s) are being infringed. Please do not send other inquiries or notices to this contact (including those alleging a violation of trademarks or patent rights), since you will not receive a response to any inquiries or notices that are not related to copyright infringement.

To file a copyright infringement notification with us, you must send us a written notice that includes substantially all of the following requirements. You may consult your own attorney or refer to 17 U.S.C.§512(c)(3) (Section 512(c)(3) of the Digital Millennium Copyright Act) to confirm the following requirements:

  1. Your address, telephone number, and/or email address, so that we may contact you regarding the notification.

  2. A clear and complete identification of the copyrighted work or works claimed to be infringed. If your notice covers multiple copyrighted works, the notice may include only a representative list   of the works.

  3. An identification of the allegedly infringing materials, and if applicable, the reference or link to the allegedly infringing materials. The identification should include enough specific information, such as Website URL(s), so that we can reasonably locate the allegedly infringing material. General information about the material, such as the Service being used or a username, will not be sufficient for us to identify the allegedly infringing material or its location.

  4. The statement “I have a good-faith belief that the use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.”

  5. The statement “The information in this notice is accurate, and, under penalty of perjury, I am the copyright owner, or authorized to act on behalf of the owner of the exclusive right that is allegedly infringed.”

  6. An electronic or physical signature of the copyright owner or the person authorized to act on behalf of the owner. You may provide your signature by typing your own full legal  name (including first and last names; no company names) at the bottom of your notice.

 

If you are submitting a copyright infringement notice to remove allegedly infringing materials originating from a third-party website which is cached on our systems, your notice (a) may only be sent after the material has been taken down from the originating website, or where a court has ordered the takedown from that website, and (b) must include a statement confirming that the material has been taken down, or that a court has ordered that the material be taken down from the originating website.

If we determine that your notice is substantially compliant with these requirements, we will act promptly  to take down,  or disable access to, the allegedly infringing material and provide the subscriber with  notice that we have taken down the material.

You are initiating a legal process by sending us a copyright infringement notice. Do not submit false claims. Please consider whether any disputed use constitutes fair use or fair dealing (or any other exception to copyright) before you submit a copyright infringement notice. If you are unsure whether materials on our Websites or Services infringe upon your copyrights, please consult a lawyer before proceeding with any notice to us.

You may be subject to severe legal consequences if you knowingly make a material misrepresentation that material is infringing. These consequences include damages (including court costs and attorneys’ fees) incurred by anyone who is injured by our reliance on those misrepresentations to remove or disable access to the material. Those parties include the alleged infringer, the copyright owner or its licensees,   or us. In addition, we may suspend or terminate your account or access to any of our Websites or Services for submitting false claims of copyright infringement.

Please note that the information you provide in a notice may be forwarded to the person who provided the allegedly infringing material to us, and that we may publish your information in place of disabled content.

 

Retractions

If you submitted a notice of copyright infringement by mistake, or would otherwise like to retract your notice, please provide us with the following:

  1. The statement “I hereby retract my copyright infringement notification.”

  2. An identification of the allegedly infringing materials, and if applicable, the reference or link to the allegedly infringing materials which you identified in the original copyright infringement notification

  3. Your electronic or physical signature (including first and last names; no company names). If you sent your original notification by email, send your retraction from the same email address, otherwise we may not be able to process your retraction.

If your account or any material you uploaded or submitted to a Website or through a Service has been affected by a copyright infringement notification, you may reach out directly to the copyright owner for a retraction of the original notice.

 

Counter-Notifications

When we receive a notice of copyright infringement, we will remove or disable access to the allegedly infringing material and notify the alleged infringer. If any of your material is removed for this reason, and you believe your material is not infringing, or, that you have authorization from the copyright owner, the copyright owner’s agent, or pursuant to the law, to use the material in the manner complained about, you may send a counter-notice to our Designated Agent.

We have provided the following information for the exclusive purposes of notifying us that you dispute a copyright infringement claim. Only parties who have all the necessary rights to post, distribute, or otherwise submit the disputed material, or their authorized agents, may submit a counter-notification, and this should only be done if you believe the material was removed or disabled by mistake or misidentification, and it is clear that exceptions to copyright, such as fair use, do not apply. Do not submit a counter-notification if this does not apply to you.

To submit a counter-notification to us, you must send us a written notice that includes substantially all of the following requirements. We will not be able to take action on incomplete submissions. You may consult your own attorney or refer to 17 U.S.C.§512(g)(3) (Section 512(g)(3) of the Digital Millennium Copyright Act) to confirm the following requirements:

  1. Identification of the material that has been removed or to which access has been disabled, and the location from where the material appeared before it was removed or access was disabled (e.g. the specific URL for the material formerly on a Website). General information about the material, such as the Service being used or a username, will not be sufficient for us to identify the material or its location.

  2. The statement: “I swear, under penalty of perjury, that I have a good faith belief that the material was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled.”

  3. The statement: “I consent to the jurisdiction of the District Court for the district in which my address is located, or if my address is outside India, the judicial district in which Evato is located, and will accept service of process from the claimant or claimant’s agent.”

  4. Your name, address, telephone number, and email address, and the username(s) for your account.

  5. 1 A physical or valid electronic signature. You may provide your signature by typing your own full legal name (including first and last names; no company names) at the bottom of your counter-notification.

You may be subject to severe legal consequences if you knowingly materially misrepresent that material was removed or disabled by mistake or misidentification. Those consequences include damages (including costs and attorneys’ fees) incurred by anyone who is injured by our reliance on those misrepresentations. Those parties include the alleged infringer, the copyright owner or its licensees, or  us.

Once we receive a counter-notification, we will forward a copy of the counter-notification to the party who submitted the original claim of copyright infringement. When we forward the counter-notification, it will include any personal information you provide. Please keep in mind that the original claimant may use this personal information to file a lawsuit against you to keep the material from being restored on our Website or Services. By submitting a counter-notification to us, you consent to having your information revealed in this way. We will not forward your counter-notification to any party other than the original claimant.

If you are a user not within India, and are responding to a valid international claim not brought under

§512(c) of the Digital Millennium Copyright Act, you may submit your counter-notification under the above process, or alternatively, with an international counter-notification. You should understand that filing a counter-notification may lead to legal proceedings between you and the complaining party. There may be adverse legal consequences in your country if you make false or bad faith allegations through this process. If you are unsure whether material infringes the copyrights of others, please first contact a lawyer before proceeding. An international counter-notification must include the following:

  1. Identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access to it was disabled (e.g. the specific URL for the material formerly on a Website).

  2. The statement: “I have a good faith belief that the material was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled.”

  3. The statement: “I will accept service of process from the person who provided Evato with the original copyright complaint, or an authorized agent of such person.”

  4. Your name, address, telephone number, and email address, and the username of your Evato account.

  5. A physical or valid electronic signature.

We can only accept a counter-notification directly from the user from whose account the allegedly infringing content has been removed or has had its access disabled. For our verification purposes, counter-notifications sent by email should be submitted from the email address associated with the account.

 

Restoring Material

Once we send a counter-notification to the original party who submitted the copyright infringement notice, that party has ten (10) business days to respond with evidence that they have initiated a court action to keep the material from being restored. We are required to wait for this period before we may restore the disputed material. If we do not receive this response from the original claimant, we may, in our sole discretion, reinstate the removed material or cease disabling access to it within ten (10) to fourteen (14) business days from the day we received the counter-notification.

 

Evato’s Designated Agent

All notices under this policy, including notices of copyright infringement and counter-notifications, must be sent to our Designated Agent to be effective. You may submit notices by mail, or email to:

DMCA Complaints

 

Evato Technology Private Limited

Attn: Legal Department, Copyright Agent

B-2, Third Floor, Swasthya Vihaar, New Delhi, Delhi 110092 IN Email: copyrightinfringement@evato.co

Phone: 011-40105289

 

Termination Policy

Please be advised that we have adopted and enforce a policy of termination in appropriate  circumstances against users who are repeat infringers.

 

Disclaimer

Again, please be advised that under 17 U.S.C. §512(f) any person who knowingly materially misrepresents that material is infringing, or who knowingly materially misrepresents that material or activity was removed or disabled by mistake or misidentification may be subject to liability for damages. If you are unsure whether materials on our Websites or Services infringe upon the copyrights of others, please consult a lawyer before proceeding with any notice to us.

 
ChannelBLU-Icon-three_dots

LAUNCHING IN DECEMBER, 2022

Get Notified When We Launch
Don’t wait! Enroll in our Beta Program & get an all-access Three Months Complementary Subscription.