This Enterprise SaaS Subscription Agreement (“ESSA”), effective as of the effective date set out in the Order Form (such date, the “Effective Date”) is entered into by and between SION Inc., a Delaware corporation, with offices at 108 Main Street, Oceanport, NJ 07757 (“SION”) and the customer identified in the Order Form (“Customer”). This ESSA and the Order Form are, collectively, the “Agreement”. In the event of any inconsistency or conflict between the terms of the ESSA and the terms of the Order Form, the terms of the Order Form control.
“Client Data” means data or information submitted by Customer or an Employee User to the Service regarding a Travel Agent or a client of a Travel Agent, including booking data and any personally identifiable information of a client.
“Customer Data” means Client Data and any other data or information provided by Customer for use in connection with the Service.
“Employee Users” means Customer’s employees authorized under this Agreement to use the Service that have been supplied user identifications and passwords by Customer (or by SION at Customer’s request).
“Order Form” means the order form entered into by SION and Customer that references this ESSA.
“Service” means the online, web-based hotel commission management service identified in the Order Form and provided by SION via [sioncentral.com] or other URLs and applications designated by SION.
“Travel Agent” means any travel agent that the Client identifies to SION in connection with the Service or for which a commission may otherwise be payable through the Service from the Client.
“Users” means Employee Users and Third-Party Users.
SION shall provide the Service subject to the terms and conditions of this Agreement and will use commercially reasonable efforts to make the Service generally available for use by Customer in accordance with this Agreement. This Agreement includes all exhibits attached hereto, each of which is incorporated herein by reference. SION shall: (i) provide Customer with the authentication credentials Employee Users will need to access the Service; (ii) provide a separate landing page on the Service website for Customer, Employee Users, and Third-Party Users to access the Services; and (iii) provide telephone and online standard support to Customer as set forth on the Service website.
Customer may grant its Employee Users access to the Service only for the term of this Agreement.
Customer is responsible for all activities that occur under Employee User accounts. Customer shall: (i) have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data, including Client Data; (ii) prevent unauthorized access to, or use of, the Service (including any access or use by individuals other than Employee Users), and notify SION promptly of any such unauthorized use; and (iii) comply with all applicable laws in using the Service.
Customer shall use the Service solely for its internal business purposes in accordance with this Agreement. Customer shall not, and shall ensure its Employee Users do not: (i) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Service available to any third party; (ii) send spam or otherwise duplicative or unsolicited messages via the Service; (iii) send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or violative of third party privacy rights; (iv) send or store material containing software viruses, worms, Trojan horses, or other harmful computer code, files, scripts, agents, or programs; (v) interfere with or disrupt the integrity or performance of the Service or the data contained therein; or (vi) attempt to gain unauthorized access to the Service or its related systems or networks.
Customer shall pay the fees for the Service as specified in the Order Form (“Fees”). The Fees shall remain fixed for the initial term of the Agreement. Thereafter, SION may increase the Fees for any payment period upon at least 30 days’ notice to customer prior to the start of the applicable payment period, provided that any such increase shall not exceed five (5%) in any twelve (12) month period. If Sion does not receive a payment in full when due, Sion may charge interest on the amount of the late payment at the lesser of 1.5% per month or the maximum amount permitted under applicable law. If customer’s account is thirty (30) days or more overdue, in addition to any other of its rights or remedies, Sion may suspend the service until such amounts are paid.
SION’s fees do not include any local, state, federal, or foreign taxes, levies or duties of any nature (“Taxes”). Customer is responsible for paying all Taxes, excluding only taxes based on SION’s income. If SION has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, the appropriate amount shall be invoiced to and paid by Customer unless Customer provides SION with a valid tax exemption certificate authorized by the appropriate taxing authority.
The Service provides functionality to facilitate the payment of commissions to Travel Agent. Such functionality is provided by (and such payments will be processed through) a third-party payment provider selected by SION, which may include Airwallex. Customer’s use of such commission payment functionality is subject to Customer entering into a separate agreement with such third-party payment provider and completing such provider’s KYC checks and onboarding requirements. Customer acknowledges and agrees that SION’s third-party payment providers have reserved certain rights to suspend, terminate or cease to provide payment services pursuant to their agreements with SION and their respective agreements with Customer. Customer may invite Travel Agents to join the Service, though Travel Agents are not required to join the Service in order to receive commissions through the Service. Should a Travel Agent elect to join the Service, it must create its own account and enter into a separate written agreement with SION for access to the Service. For the avoidance of doubt, each Travel Agent must provide its payment information to SION and enter into a separate written agreement with SION prior to receiving commissions, and SION will not be responsible for any failure to provide commissions to Travel Agents that fail to do so.
By using the commissions payment functionality provided by SION’s third-party payment providers, Customer acknowledges and agrees as follows: (i) any payment services that are regulated under applicable laws are provided by the applicable third-party payment provider or its regional banking partners and no such payment services are provided directly by SION; (ii) any fees payable under this Agreement are specific to the Service provided by SION and are unrelated to any fees due to the third-party payment providers in connection with services that they separately provide to Customer (if any); and (iii) Customer hereby provides its consent to SION to (a) provide the Service; (b) obtain and provide data required for ongoing due diligence to its third-party providers and their respective partners and affiliates, (c) viewing, accessing and providing account and other information regarding commission payments to its third-party providers as required to facilitate commission payments; (e) provide all other information necessary to allow its third-party payment provider to allocate any funds it receives pursuant to Customer’s directions; and (f) perform all activities required for its third-party payment provider to to make available the commission payment functionality.
As between the parties, Customer is responsible for identifying the applicable commissions payable to Travel Agents, and any dispute regarding the amount of commissions payable will be directly between Customer and the applicable Travel Agent.
As between the parties, SION owns: (i) the Service, the SION name, the SION logo, the [sioncentral.com] domain name and all subdomains and content thereon, the product and service names associated with the Service, and other trademarks and service marks; (ii) audio and visual information, documents, software and other works of authorship provided by SION to Customer under this Agreement; and (iii) other technology, including graphical user interfaces, workflows, products, processes, algorithms, know-how and other trade secrets, techniques, designs, inventions and other tangible or intangible technical material or information used by SION or its third-party providers to provide the services under this Agreement, including in each case all modifications, enhancements, improvements and derivative works thereof and thereto (collectively, “SION Technology”). If Customer acquires any right, title or interest in or to the SION Technology other than the limited licenses expressly granted in this Agreement, Customer hereby assigns all such right, title and interest to SION. Other than as expressly set forth herein, no license or other rights in or to the SION Technology or related intellectual property rights are granted to Customer or Employee Users, and all such licenses and rights are hereby expressly reserved to SION.
Customer shall not (i) modify, copy or create derivative works based on the Service or SION Technology; (ii) create Internet “links” to or from the Service, or “frame” or “mirror” any content forming part of the Service, other than on Customer’s own intranets; (iii) disassemble, reverse engineer, or decompile the Service or SION Technology, or (iv) access the Service in order to copy any ideas, features, functions, or graphics of the Service.
SION may access, reproduce, and use Customer’s Employee User accounts, including Customer Data associated therewith, solely to respond to service or technical problems, at Customer’s or the applicable Employee User’s request, or otherwise in connection with the Service, and Customer is responsible for obtaining all consents necessary for SION to do the foregoing. Customer remains the exclusive owner of all Customer Data. SION shall not use, access, or disclose Customer Data except as necessary to perform the Service or as expressly permitted by this Agreement. SION may use Customer Data in aggregated and anonymized form solely to improve the Service, provided such data cannot reasonably be re-identified. Any anonymization must meet recognized industry standards. SION shall not sell or disclose anonymized data to third parties for unrelated commercial purposes without Customer’s prior written consent. Use of anonymized data shall end upon termination of this Agreement, unless otherwise agreed in writing.
Customer hereby grants to SION a non-exclusive, royalty-free, limited, worldwide, irrevocable, perpetual, sublicensable, transferable license to use or incorporate into the Service and SION’s other products and services any suggestions, ideas, enhancement requests, feedback, recommendations, or other information provided by Customer or its Employee Users relating to the operation of the Service or other current and potential products and services, solely for internal product development purposes. Such license shall not include the right to publicly attribute, commercialize, or disclose Customer as the source of any suggestions without Customer’s prior written consent.
Subject to the terms and conditions of this Agreement, Customer hereby grants to SION during the term of this Agreement, a limited, non-exclusive, royalty-free, non-transferable, worldwide license to use and display Customer’s trademarks, trade names, and logos (“Customer Marks”) in connection with SION's development and display of the landing page under Section 2 of this Agreement. All use of the Customer Marks will be solely in the form provided by Customer and as approved in advance in writing by Customer at Customer's sole discretion. Other than as expressly set forth herein, no license or other rights in or to the Customer Marks are granted to SION, and all such licenses and rights are hereby expressly reserved to Customer.
The term “Confidential Information” means all confidential and proprietary information of a party (“Disclosing Party”) disclosed to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the terms and conditions of this Agreement (which are Confidential Information of both parties), and (i) in the case of Customer, the Customer Data, and (ii) in the case of SION, the Service and the SION Technology, and related technology, technical information, and product designs. Confidential Information shall not include any information that: (i) is or becomes publicly available without breach of any obligation owed to the Disclosing Party; (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party; (iii) was independently developed by the Receiving Party without breach of any obligation owed to the Disclosing Party; or (iv) is received from a third party without breach of any obligation owed to the Disclosing Party.
The Receiving Party shall not disclose or use any Confidential Information of the Disclosing Party except to perform its obligations or exercise its rights under this Agreement, except with the Disclosing Party’s prior written permission. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event with less than reasonable care. If the Receiving Party is compelled by law or a government authority to disclose Confidential Information of the Disclosing Party, it shall provide the Disclosing Party with prior notice of such compelled disclosure (to the extent practicable and legally permitted) and reasonable assistance, at Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure.
If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party in breach of this Section 6, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the parties that such unauthorized disclosure or use may cause irreparable harm to the Disclosing Party for which any other available remedies are inadequate.
Each party represents and warrants that it has the legal power and authority to enter into this Agreement.
SION will provide Customer with no less than twenty-four (24) hours’ notice prior to the Service’s unavailability due to planned maintenance (other than during SION’s standard maintenance window between 12:00 AM and 3:00 AM Pacific Time). SION will provide as much notice as is practicable under the circumstances for updates and fixes that must be applied on a more urgent basis. If SION makes any material changes to the Service, SION will use commercially reasonable efforts to provide Customer with no less than fifteen (15) days prior notice of such changes.
SION will not be responsible for any unavailability, suspension, or termination of SION products or services, or any other SION performance issues: (i) caused by factors outside of SION’s reasonable control, including any Force Majeure Event (as defined below) or Internet access or related problems beyond the demarcation point of SION; (ii) that result from any actions or inactions of Customer or any third party; (iii) that result from Customer’s equipment, software, or other technology and/or third-party equipment, software, or other technology (other than third party equipment within SION’s direct control); (iv) that result from the unavailability of third-party services such as third-party technology providers or data sources; or (v) arising from SION’s suspension or termination of Customer’s right to use SION products or services in accordance with this Agreement.
CUSTOMER ACKNOWLEDGES AND AGREES THAT THE SERVICES MAY CHANGE OVER TIME. EXCEPT AS EXPRESSLY PROVIDED IN SECTION 7.1 ABOVE, SION MAKES NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. SION HEREBY SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
Subject to this Agreement, SION shall at its expense defend Customer and its officers, directors, and employees (“Customer Indemnified Parties”) against any claim made or brought against any Customer Indemnified Party by a third party alleging that the Service as provided to Customer hereunder infringes the intellectual property rights of a third party (each, a “Customer Claim”), and shall pay any damages finally awarded by a court or agreed to by SION in a settlement with respect to such Customer Claim; provided, that Customer (a) promptly gives written notice of the Customer Claim to SION; (b) gives SION sole control of the defense and settlement of the Customer Claim (provided that SION may not agree to any settlement that imposes any liability or obligation on Customer); and (c) provides to SION, at SION’s cost, all reasonable assistance. SION shall have no obligation under this Section 8.1 or otherwise regarding claims that arise from or relate to (i) Customer’s use of the Service other than as contemplated by this Agreement, (ii) any modifications to the Service made by any entity other than SION, (iii) any combination of the Service with services or technologies not provided or approved by SION, or (iv) Customer’s use of the Service or portion thereof after SION has terminated this Agreement or such portion of the Service in accordance with this Section 8.1. If in SION’s opinion a Customer Claim is likely to be made, or if an existing Customer Claim may cause SION liability, SION may in its discretion (x) obtain a license to enable Customer to continue to use the potentially infringing portion of the Service, (y) modify the Service to avoid the potential infringement, or (z) if the foregoing cannot be achieved after using reasonable commercial efforts, terminate the Agreement or the license to the infringing portion of the Service and refund the amount of any pre-paid fees applicable to the portion of the terminated Services to be provided after the termination date. This indemnity shall be Customer’s sole and exclusive remedy with respect to any third-party intellectual property infringement claims.
Subject to this Agreement, Customer shall at its expense defend SION and its officers, directors, and employees (“SION Indemnified Parties”) against any claims made or brought by a third party against any SION Indemnified Party arising from or related to (i) Customer’s or any Employee User’s use of the Service, including any dispute between Customer and any Travel Agent regarding the amount of commissions payable to such Travel Agent (ii) the infringement or misappropriation of the rights of any third party resulting from SION's use of any of the Customer Marks in accordance with this Agreement, or (iii) SION’s use of any Customer Data in accordance with this Agreement or Customer’s use of the Service in violation of any law or regulation or in a manner not contemplated in this Agreement (each, a “SION Claim”) and shall pay any damages finally awarded by a court or agreed to by Customer in a settlement with respect to such SION Claim; provided, that SION (a) promptly gives written notice of the SION Claim to Customer; (b) gives Customer sole control of the defense and settlement of the SION Claim (provided that Customer may not agree to any settlement that imposes any liability or obligation on SION); and (c) provides to Customer, at Customer’s cost, reasonable assistance in connection therewith.
IN NO EVENT SHALL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNTS ACTUALLY PAID OR PAYABLE BY CUSTOMER TO SION HEREUNDER IN THE THEN-PRIOR TWELVE (12) MONTH PERIOD PRECEDING THE INITIAL CLAIM GIVING RISE TO LIABILITY HEREUNDER; PROVIDED THAT THE FOREGOING WILL NOT APPLY TO LIMIT EITHER PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8, A PARTY’S BREACH OF SECTION 6, CUSTOMER’S INFRINGEMENT OR MISAPPROPRIATION OF ANY SION TECHNOLOGY, OR CUSTOMER’S BREACH OF SECTIONS 3.3 OR 5.2.
EXCEPT FOR DAMAGES ARISING FROM A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8, A PARTY’S BREACH OF SECTION 6, CUSTOMER’S INFRINGEMENT OR MISAPPROPRIATION OF ANY SION TECHNOLOGY, OR CUSTOMER’S BREACH OF SECTIONS 3.3 OR 5.2, IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS, LOSS OF USE, LOSS OF DATA OR DATA BREACHES, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, MULTIPLE, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This Agreement commences on the Effective Date and will continue for the period set out in the Order Form. Unless otherwise set out in the Order Form, this Agreement will renew on the parties’ mutual written agreement.
A party may terminate this Agreement for cause: (i) upon thirty (30) days written notice of a material breach to the other party if such breach remains uncured at the expiration of such period; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors that is not dismissed or stayed within ninety (90) days. Termination shall not relieve Customer of the obligation to pay any fees accrued or payable to SION prior to the effective date of termination.
Upon expiration or termination of this Agreement, Customer will no longer have access to the Service and SION shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, delete all Customer Data in its systems or otherwise in its possession or under its control. Notwithstanding the foregoing or any other provision of this Agreement, SION may use in perpetuity any anonymized data which is derived from Customer Data but does not identify Customer or any specific Employee User.
The following provisions shall survive termination or expiration of this Agreement: Sections 1, 4, 5.1, 5.2, 5.3 (solely with respect to the second sentence), 5.4, 6, 7.4, 8, 9, 10.3, 10.4 and 11.
This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties. Except as provided in Section 8, there are no third-party beneficiaries to this Agreement.
SION may not use Customer’s name, logo, or other trademarks in any public-facing materials, customer lists, case studies, or press releases without Customer’s prior written consent in each instance. Any such use, if approved must comply with Customer’s brand guidelines and be limited to the specific purpose authorized by Customer. Customer may revoke such consent at any time upon written notice, and SION shall promptly cease all use upon receipt of such notice.
If a party is hindered, delayed or prevented from performing its obligations under this Agreement (other than its payment obligations), or if such performance is rendered impossible, in each case, by reason of fire, explosion, earthquake, storm, flood, drought, embargo, pandemic, epidemic, quarantine restrictions, wars or other hostilities, strike, lockout or other labor disturbance, mechanical breakdown, governmental action, or any other cause that is beyond the reasonable control of a party (a “Force Majeure Event”), then the party so hindered, delayed or prevented shall not be liable to the other party for the resulting delay or failure to carry out its obligations hereunder. In any such event, such party’s affected obligations hereunder shall be postponed for such time as its performance is suspended or delayed on account thereof. The affected party shall promptly notify the other party upon learning of the occurrence of such Force Majeure Event. Upon the cessation of the Force Majeure Event, the affected party will use commercially reasonable efforts to resume its performance with the least possible delay.
All notices under this Agreement shall be in writing and shall be deemed to have been given upon: (i) personal delivery; (ii) the second business day after mailing; (iii) the second business day after sending by confirmed facsimile; or (iv) the second business day after sending by email.
No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.
Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior express written consent of the other party. Notwithstanding the foregoing, either party may assign this Agreement together with all rights and obligations hereunder, without consent of the other party, to an affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all its stock or assets that relate to this Agreement. Any attempt by a party to assign its rights or obligations under this Agreement in breach of this section shall be void and of no effect. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
This Agreement shall be governed by the laws of Delaware. The state and federal courts located in Delaware shall have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement. Each party hereby consents to the exclusive jurisdiction of such courts provided that nothing in this Section 11.7 prohibits either party from seeking or obtaining in any jurisdiction injunctive or similar relief in connection with the enforcement of this Agreement.
This Agreement, including all exhibits and addenda hereto, constitutes the entire agreement between the parties, and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by the party against whom the modification, amendment or waiver is to be asserted.
Where Client Data or Customer Data shared between the parties includes Personal Data or Personal Information (as defined in the DPA at Exhibit A below), the parties shall comply with the relevant terms set out in the DPA.
This Data Processing Agreement (“DPA”) is incorporated into, and supplements, the Mutual Confidentiality Agreement by and between Sion Inc. and Customer (the “Agreement”) and will remain in force until the date on which the Agreement expires or terminates in accordance with its terms. Any capitalized term used but not defined in this DPA shall have the meaning set forth in the Agreement.
“Business”, “Business Purpose”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Personal Information”, “Processor”, “Processing”, “Sell”, “Share” and “Supervisory Authority” have the meaning as set out in the relevant Data Protection Laws (as defined below);
“CCPA” means the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act), Cal. Civ. Code §§ 1798.100-1798.199 as applicable to either party and as amended, repealed, consolidated or replaced from time to time;
“Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time;
“Data Protection Laws” means the European Data Protection Laws, the US Privacy Laws and any other applicable law, statute or regulation pertaining to data protection, in each case as amended, consolidated, re-enacted or replaced from time to time;
“European Data Protection Laws” means, as applicable, (i) the EU General Data Protection Regulation (Regulation 2016/679) as may be amended, superseded or replaced) (“GDPR”); (ii)the Privacy and Electronic Communications Directive 2002/58/EC; (iii) the UK Data Protection Act 2018 (the “2018 DPA”), the UK General Data Protection Regulation as defined by the 2018 DPA as amended by the Data Protection, Privacy and Electronic communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the 2018 DPA, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (iv) any relevant law, regulation, directive, order, rule, regulation or other binding instrument that implements any of the above, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;
“Service Development” SION’s development, testing and improvement of the New Company Product and related service(s) as described more fully in the Agreement.
“Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country or territory outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries or territories approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country or territory outside of the scope of the data protection laws of the UK, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time;
“US Privacy Laws” means, as applicable, the CCPA and the Virginia Consumer Data Protection Act, each as applicable to either party and as amended, repealed, consolidated or replaced from time to time; and any corresponding regulations.
2.1. The parties understand, acknowledge and agree (as further detailed below) that in connection with Sion’s performance under the Agreement (“Services”), Counterparty will disclose Personal Data with Sion as is necessary to perform a Business Purpose and that such Personal Data may include Personal Data or Personal Information of Counterparty’s clients and other individuals (“Counterparty Data”);
2.1.1. Nature of Processing: Sion will process Counterparty Data for the purpose of the Services (as set out more fully in the Agreement);
2.1.2. Duration of Processing: The Processing will be for the duration of the Agreement or as otherwise agreed to between the Parties;
2.1.3. Categories of Personal Data Processed: The Counterparty Data will be comprised of:
- With respect to data of Counterparty’s clients: name, date of birth, phone number, email address, physical address, reservation details, and any information Counterparty inserts into unstructured fields;
2.1.4. Processing operations: The Counterparty Data transferred will be subject to the following basic Processing activities:
- Receiving data, including collection, accessing, retrieval, recording, and data entry;
- Holding data, including storage, organization and structuring;
- Using data, including analyzing, consultation, testing and developing;
- Updating data, including correcting, adaptation, alteration, alignment and combination;
- Protecting data, including restricting, encrypting, and security testing;
- Sharing data, including disclosure, dissemination, allowing access or otherwise making available;
- Returning data to the data exporter or Data Subject; and
- Erasing data, including destruction and deletion;
2.2. Counterparty shall collect, use and disclose to Sion Counterparty Data at all times in compliance with Data Protection Laws, including, without limitation, providing notice and obtaining all consents and rights for Sion to receive and use Counterparty Data, including as provided to or otherwise collected by Sion for all purposes set out in the Agreement. Counterparty shall notify Sion without undue delay if Counterparty makes a determination that the Processing of Counterparty Data under this DPA does not or will not comply with applicable Data Protection Laws, in which case, Sion shall not be required to continue Processing such Counterparty Data;
2.3. Sion shall ensure that all employees authorized to Process the Counterparty Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
2.4. Counterparty consents to use of Sion’s existing subprocessors Processing Counterparty Data as set out at Annex A (“Subprocessor List”). Prior to engaging or replacing any subprocessor, Sion shall update the information on the Subprocessor List and notify Counterparty, which will constitute prior written notice to Counterparty. Counterparty may object against the appointment or replacement of a subprocessor, on reasonable and documented grounds related to the confidentiality or security of Counterparty Data, within ten (10) business days’ of Sion updating the Subprocessor List. If Counterparty does not object, Sion may proceed with the appointment or replacement. Sion will enter into an agreement with subprocessors that has data protection obligations that are no less onerous than the obligations on Sion set out in this DPA. Sion shall remain liable for the Processing activities of such subprocessor;
2.5. Taking into account the nature of the Processing, Sion shall reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the Data Subject’s or other individual’s rights;
2.6. Sion shall implement appropriate technical and organizational security measures as set out at Annex B in relation to its Processing of Counterparty Data, and the Counterparty acknowledges and agrees that those measures are appropriate and sufficient under applicable Data Protection Laws;
2.7. Sion shall, upon thirty (30) days’ advance written notice by Counterparty, make available to Counterparty all information in its possession necessary to demonstrate compliance with Data Protection Laws. Sion shall allow for and contribute to audits, including inspections, conducted by Counterparty or another auditor mandated by Counterparty and reasonably accepted by Sion. Counterparty shall be permitted to conduct or mandate such an audit at its sole cost no more than once every twelve (12) months, upon thirty (30) days’ advance written notice to Sion. To the extent legally permitted, Counterparty shall be responsible for any reasonable costs arising from Sion’s provision of such assistance; and
2.8. Security breach notification: Sion shall notify Counterparty promptly if it becomes aware of any actual, Personal Data Breach relating to Counterparty Data Processed under the Agreement ("Security Incident").
3.1. To the extent that Counterparty is a Business for the purposes of the CCPA and, to the extent required by applicable US Privacy Laws, Sion agrees:
3.1.1. Sion shall not collect (except at the direction of Counterparty), retain, use or disclose Counterparty Data except as necessary to perform the Business Purpose(s) unless otherwise permitted under the CCPA, including retaining, using, or disclosing any Counterparty Data outside of the direct relationship between Sion and Counterparty;
3.1.2. Sion shall not Sell or Share the Counterparty Data;
3.1.3. Sion shall not combine the Counterparty Data received from, or on behalf of, Counterparty with any Counterparty Data that Sion may have collected from its separate interactions with individuals or third parties, except to perform a Business Purpose or as otherwise permitted by US Privacy Laws; and
3.1.4. Sion shall provide the same level of privacy protection with regard to Counterparty Data as is required by the CCPA. Upon reasonable written notice that Counterparty reasonably believes Sion is using Counterparty Data in violation of the CCPA, Counterparty shall have the right to take reasonable and appropriate steps to ensure that Sion uses the Counterparty Data in a manner consistent with Counterparty’s obligations under the CCPA and stop and remediate any unauthorized use of the Counterparty Data.
3.2. To the extent that Counterparty is a Business or Controller for the purposes of the US Privacy Laws and, to the extent required by applicable US Privacy Laws, Sion agrees:
3.2.1. Taking into account the nature of the Processing, Sion shall reasonably assist Counterparty through appropriate technical and organizational measures, insofar as this is possible, in entering into this DPA and implementing reasonable security procedures and practices appropriate to the nature of the Counterparty Data to protect such Counterparty Data from unauthorized or illegal access, destruction, use, modification or disclosure;
3.2.2. Notwithstanding Clause 2.7 of this DPA, Sion may arrange for a qualified and independent auditor to conduct, at Sion’s expense, an assessment of Sion’s policies and technical and organizational measures in support of its obligations under applicable US Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments and will provide a report of such assessment to Counterparty upon reasonable written request. Notwithstanding the foregoing, in no event shall Sion be required to give Counterparty access to information, facilities or systems to the extent doing so would cause Sion to be in violation of confidentiality obligations owed to other customers or its legal obligations; and
3.2.3. At Counterparty’s written direction, Sion shall delete or return all Counterparty Data to Customer as requested at the end of the provision of the Services, unless retention of the Counterparty Data is permitted by law.
To the extent that Counterparty is a Controller under European Data Protection Laws and for the purpose of assisting Counterparty meet its obligations under European Data Protection Laws, Sion agrees:
4.1. Sion shall reasonably assist Counterparty with the obligations under Articles 32 to 36 of the GDPR or UK GDPR, as applicable, by reasonably assisting in (i) implementing appropriate technical and organizational security measures in accordance with Clause 2.6 of this DPA; (ii) notifying (if required) Personal Data Breaches to Supervisory Authorities and/or individuals in accordance with Clause 2.8 of this DPA; and (iii) providing information to enable Counterparty to conduct data protection impact assessments and, if required, prior consultation with Supervisory Authorities. Upon expiration or termination of the Agreement, Sion shall delete all Personal Data, unless European Union, member state or UK law to which Sion is subject requires storage of the Personal Data;
4.2. Sion shall promptly inform Counterparty if it believes that any instruction infringes European Data Protection Laws.
4.3. The parties shall comply with applicable European Data Protection Law in relation to international data transfers and in particular, to the extent Sion Processes Counterparty Data in a Third Country acting as data importer, Sion shall comply with the data importer’s obligations and Counterparty shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this Agreement and:
4.3.1. For the purposes of Annex I or Part 1 (as relevant), the parties and Processing details set out in Clause 2 of this DPA shall apply (and for the avoidance of doubt, no sensitive data is transferred, the transfer is continuous for the duration of the Agreement, the purpose is the Service Development and the Processing details apply in relation to subprocessors), the Start Date is the Effective Date, and the signatures in any form given in connection with the execution of this Agreement by a party and the date(s) of such signatures shall apply as the dated signature required from that party;
4.3.2. If applicable, for the purposes of Part 1, the relevant Addendum EU SCCs are the Controller to Processor Clauses as incorporated into this Agreement by virtue of this Clause;
4.3.3. For the purposes of Annex II or Part 1 (as relevant), the technical and organizational security measures set out in Annex B shall apply;
4.3.4. For the purposes of Annex III or Part 1 (as relevant), the list of authorized subprocessors set out in Annex A shall apply; and
4.3.5. If applicable, for the purposes of:
- 4.3.5.1. Clause 9 Option 2 is deemed to be selected and a notice period at Clause 2.4 of this DPA shall apply;
- 4.3.5.2. Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted;
- 4.3.5.3. Clauses 13, 17 and 18 and Annex I.C, the competent supervisory authority, governing law and courts shall be England and Wales; and
- 4.3.5.4. Part 1, neither party may terminate pursuant to Section 19.
Sion shall take commercially reasonable steps to prevent unauthorized access or damage to its information and information Processing facilities, by maintaining a written information security policy with sufficient safeguards for Counterparty Data, including:
