INTERACTA _Terms of Service Agreement

Version 3.0, 24 november 2022

This Interacta Agreement (the ‘Agreement’) is entered into by and between Injenia S.r.l., with offices at Via dei Lapidari 12, 40129 Bologna, Italy and the entity agreeing to these terms (‘the Customer’). This Agreement is effective as of the date that the Customer subscribes an offline commercial proposal provided by Injenia or provides an equivalent offline purchase order.

1. Services.

1.1 New Features or Services. Injenia may make new applications, features or functionality for the Services available from time to time, the use of which may be contingent upon the Customer’s agreement to additional terms.

2. Modifications.

(a) Changes to Services. Injenia may make commercially reasonable changes to the Services from time to time. If Injenia makes a material change to the Core Services, Injenia will inform the Customer, by either sending an email to the Notification Email Address or alerting the Customer through the Admin Console.

(b) Changes to the Agreement. Injenia may make commercially reasonable changes to this Agreement from time to time. If Injenia makes a material change to the Agreement, Injenia will inform the Customer by either sending an email to the Notification Email Address or alerting the Customer through the Admin Console. Material changes to the Agreement will become effective thirty days after the notice is given, except if the changes apply to new functionality in which case the changes will be effective immediately. If the change has a material adverse impact on the Customer, and the change is not a result of Injenia complying with a court order or applicable law, the Customer may notify Injenia within thirty days after being informed of the change that the Customer does not agree with the change. If the Customer notifies Injenia as required, then the Customer will remain governed by the terms in effect immediately prior to the change until the earlier of: (i) the end of the then-current Agreement or (ii) 12 months after Injenia informs the Customer of the change, unless the modification to the Agreement is in response to a court order or to comply with applicable law. If the Agreement renews, it will do so under the updated Agreement.

(c) Discontinuance of Services. Subject to Section 1.2(d), Injenia can discontinue any Services or any portion or feature for any reason at any time without liability to the Customer.

(d) Deprecation Policy. Injenia will notify the Customer if it intends to make a Significant Deprecation. Injenia will use commercially reasonable efforts to continue to provide the Services without a Significant Deprecation for at least one year after that notification, unless (as Injenia determines in its reasonable good faith judgement): (i) otherwise required by law or by contract (including if there is a change in applicable law or contract), or (ii) doing so could create a security risk or a substantial economic or technical burden. This policy is the ‘Deprecation Policy’.

3. Customer Obligations.

3.1 Compliance. The Customer must ensure that all use of the Services by the Customer and its End Users complies with this Agreement.

3.2 Customer Administration of the Services. The Customer may specify one or more Administrators through the Admin Console who will have the rights to access Admin Account(s) and to administer the End-User Accounts. The Customer is responsible for: (a) maintaining the confidentiality of the password and Admin Account(s); (b) designating those individuals who are authorised to access the Admin Account(s); and (c) ensuring that all activities that occur in connection with the Admin Account(s) comply with the Agreement. The Customer agrees that Injenia’s responsibilities do not extend to the internal management or administration of the Services for the Customer and that Injenia is merely a data processor.

3.3 Administrator Access; End-User Consent.

(a) Administrator Access. Administrators will have the ability to access all the Customer’s End-User Accounts, including the ability to access, monitor, use, modify, withhold or disclose any data available to End Users associated with their End-User Accounts.

(b) End-User Consent. the Customer will obtain and maintain all required consents from End Users to allow: (i) Administrators to have the access described in this Agreement; and (ii) Injenia’s provision of the Services to 

Administrators and End Users.

3.4 Unauthorised Use. the Customer will use commercially reasonable efforts to prevent unauthorised use of the Services and to terminate any unauthorised use. The Customer will promptly notify Injenia of any unauthorised use of, or access to, the Services of which it becomes aware.

3.5 Restrictions on Use. Unless Injenia specifically agrees in writing, the Customer will not, and will use commercially reasonable efforts to make sure a third party does not: (a) sell, resell, lease, or the functional equivalent, the Services to a third party (unless expressly authorised in this Agreement); (b) attempt to reverse engineer the Services or any component; (c) attempt to create a substitute or similar service through use of, or access to, the Services; (d) use the Services for High Risk Activities.

3.6 Support. The Customer will, at its own expense, respond to questions and complaints from End Users or third parties relating to the Customer’s or End Users’ use of the Services. The Customer will use commercially reasonable efforts to resolve support issues before escalating them to Injenia.

4. Suspension.

4.1 Of End User Accounts by Injenia. If Injenia becomes aware of an End User’s violation of the Agreement, then Injenia may specifically request that Customer Suspend the applicable End User Account. If Customer fails to comply with Injenia’s request to Suspend an End-User Account, then Injenia may do so. The duration of any Suspension by Injenia will be until the applicable End User has cured the breach which caused the Suspension.

4.2 Emergency Security Issues. Notwithstanding the foregoing, if there is an Emergency Security Issue, then Injenia may automatically Suspend the offending use. Suspension will be to the minimum extent and of the minimum duration required to prevent or terminate the Emergency Security Issue. If Injenia Suspends an End-User Account for any reason without prior notice to Customer, at Customer’s request, Injenia will provide Customer with the reason for the Suspension as soon as is reasonably possible.

4.3 Suspension to Comply with Laws. Injenia may at its sole discretion Suspend the provision of any Services at any time if required to comply with any applicable law.

5. Intellectual Property Rights.

5.1 Intellectual Property Rights. Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property. Injenia owns all Intellectual Property Rights in the Services and Software.

6. Disclaimers.

6.2 Disclaimers. INJENIA DOESN’T WARRANT THAT OPERATION OF THE SOFTWARE OR THE SERVICES WILL BE ERROR-FREE OR UNINTERRUPTED. NEITHER THE SOFTWARE NOR THE SERVICES ARE DESIGNED, MANUFACTURED OR INTENDED FOR HIGH-RISK ACTIVITIES. EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS AGREEMENT, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, INJENIA MAKES NO REPRESENTATIONS ABOUT ANY CONTENT OR INFORMATION MADE ACCESSIBLE BY OR THROUGH THE SERVICES.

7. Miscellaneous.

7.1 Notices. Injenia may provide any notice to the Customer under this Agreement by: (a) sending an email to the Notification Email Address or by (b) posting a notice in the Admin Console. The Customer may provide notice to Injenia under this Agreement by sending an email to Injenia’s legal department at legal@injenia.it. Notice will be treated as received when (x) the email is sent, whether or not the other party has received the email or (y) notice is posted in the Admin Console.

7.2 Assignment. Neither party may assign or transfer any part of this Agreement without the written consent of the other party, except to an Affiliate, but only if: (a) the assignee agrees in writing to be bound by the terms of this Agreement; and (b) the assigning party remains liable for obligations incurred under the Agreement prior to the assignment. Any other attempt to transfer or assign is void.

7.3 Change of Control. Upon a change of control (for example, through a stock purchase or sale, merger, or other form of corporate transaction): (a) the party experiencing the change of control will provide written notice to the other party within thirty days after the change of control; and (b) the other party may immediately terminate this Agreement any time between the change of control and thirty days after it receives the written notice in subsection (a).

7.4 Force Majeure. Neither party will be liable for inadequate performance to the extent caused by a condition (for example, natural disaster, act of war or terrorism, riot, labour condition, governmental action and Internet disturbance) that was beyond the party’s reasonable control.

7.5 Severability. If any provision of this Agreement is found unenforceable, the balance of the Agreement will remain in full force and effect.

7.6 Governing Law. This Agreement is governed by Italy law. For any dispute arising out of or relating to this agreement, the parties consent to personal jurisdiction in, and the exclusive venue of, the courts in Bologna, Italy.

7.7 Amendments. Any amendment must be in writing and expressly state that it is amending this Agreement.

8. Definitions.

• “Admin Account(s)” means the administrative account(s) provided to Customer by Injenia for the purpose of administering the Services. The use of the Admin Account(s) requires a password, which Injenia will provide to Customer.
• “Admin Console” means the online tool provided by Injenia to Customer for use in reporting and certain other administration functions.
• ‘Administrators’ mean the Customer-designated technical personnel who administer the Services to End Users on the Customer’s behalf.
• “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
• “Customer Data” means data, including email, provided, generated, transmitted or displayed via the Services by Customer or End Users.
• ‘Emergency Security Issue’ means either: (a) the Customer’s or End Users’ use of the Services in violation of the Acceptable Use Policy, in a way that disrupts: (i) the Services; (ii) other the Customers’ use of the Services; or (iii) to prevent unauthorised third-party access to the Services or data within the Services.
• “End Users” means the individuals Customer permits to use the Services.
• “End User Account” means a Google-hosted account established by Customer through the Services for an End User.
• “High Risk Activities” means uses such as the operation of nuclear facilities, air traffic control or life-support systems, where the use or failure of the Services could lead to death, personal injury or environmental damage.
• ‘Services’ means the applicable Services provided by Injenia and used by the Customer under this Agreement.
• ‘Significant Deprecation’ means to discontinue or to make backwards-incompatible changes to the Services that results in Injenia no longer providing to its enterprise-customer base the ability to: (1) send and receive posts; (2) schedule and manage posts, events and tasks; (3) add, store files; (4) communicate with other end users in real time
• “Suspend” means the immediate disabling of access to the Services, or components of the Services, as applicable, to prevent further use of the Services.

INTERACTA _ Acceptable Use Policy

Use of the Services is subject to this acceptable use policy (“AUP”).

If not defined here, capitalized terms have the meaning stated in the applicable contract (“Agreement”) between customer or other authorized user (“You”) and Injenia S.r.l..

You agree not to, and not to allow third parties or Your End Users, to use the Services:

1. to violate, or encourage the violation of, the legal rights of others;
2. for any illegal, unlawful, invasive, infringing, defamatory, or fraudulent purpose;
3. to intentionally distribute viruses, worms, Trojan horses, corrupted files, or other items of a destructive or deceptive nature;
4. to use hate speech, a content that promotes or condones violence against or has the primary purpose of inciting hatred against an individual or group on the basis of their race or ethnic origin, religion, disability, age, nationality, sexual orientation, gender or any other characteristic that is associated with systemic discrimination or marginalization;
5. to engage in harassing, bullying, or threatening behavior, and do not incite others to engage in these activities.
6. to distribute people’s personal and confidential information, such as credit card numbers, confidential national ID numbers, or account passwords, without their explicit permission.
7. to upload or share content that exploits or abuses children.
8. to distribute sexually explicit or pornographic material, violent content, terrorism that’s primarily intended to be shocking, sensational, or gratuitous.
9. to spam including by sending unwanted promotional or commercial content, or unwanted or mass solicitation.
10. to alter, disable, interfere with or circumvent any aspect of the Services;
11. to test or reverse-engineer the Services in order to find limitations, vulnerabilities or evade filtering capabilities;
12. to grant multiple individuals access to an individual End User Account;
13. to record audio or video communications without consent if such consent is required by applicable laws and regulations (You are solely responsible for ensuring compliance with all applicable laws and regulations in the relevant jurisdiction(s)).

Your failure to comply with the AUP may result in:

• removal of objectionable contents; and/or
• suspension or termination, or both, of the Services pursuant to the Agreement.

To report any potential policy violation to Injenia please contact policycompliance@injenia.it

After Injenia is notified of a potential policy violation, Injenia may review the content and take action, including restricting access to the content, removing the content, and limiting or terminating a user’s access to Interacta.

INTERACTA _ Data Processing Addendum

The customer agreeing to these terms (“Customer”), and Injenia S.r.l., have entered into one Interacta Agreement (as defined below).

1. Definitions

1.1 Capitalized terms defined in the applicable Agreement apply to this Data Processing Amendment. In addition, in this Data Processing Amendment:

• “Customer Data” means data submitted, stored, sent or received via the Services by Customer or End Users.
• “Customer Personal Data” means the personal data contained within the Customer Data.
• “Data Incident” means a breach of Injenia’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Injenia.
• “EEA” means the European Economic Area.
• “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
• “European Data Protection Law” means the GDPR.
• “European or Italian Law” means EU or Italian State law 
• “Interacta Agreement” means a Interacta Agreement under which Injenia agrees to provide Interacta services to Customer.
• “Notification Email Address” means the email address(es) designated by Customer in the Admin Console, or in Ordering Documents or communicated to Injenia (as applicable), to receive certain notifications from Injenia. Customer is responsible for using to ensure that its Notification Email Address remains current and valid.
• “Subprocessor” means a third party authorized as another processor under this Data Processing Amendment to have logical access to and process Customer Data in order to provide parts of the Services.
• “Supervisory Authority” means a “supervisory authority” as defined in the EU GDPR.
• “Term” means the period from the Addendum Effective Date until the end of Injenia’s provision of the Services under the applicable Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Injenia may continue providing the Services for transitional purposes.

1.2. The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this Data Processing Amendment have the meanings given in the GDPR.

2. Duration. 

This Data Processing Addendum will, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Injenia as described in this Data Processing Addendum.

3. Scope of Data Protection Law.

3.1 Application of European Law. The parties acknowledge that European and Italian Data Protection Law will apply to the processing of Customer Personal Data.

4. Processing of Data.

4.1 Roles and Regulatory Compliance; Authorization.

4.1.1. Processor and Controller Responsibilities:

1. The applicable Term plus the period from the expiry of such Term until deletion of all Customer Data by Injenia in accordance with the Data Processing Amendment.
2. Nature and Purpose of the Processing: Injenia will process Customer Personal Data for the purposes of providing the Services to Customer in accordance with the Data Processing Addendum.
3. Categories of Data: Data relating to individuals provided to Injenia via the Services, by (or at the direction of) Customer or End Users.
4. Data Subjects: Data subjects include the individuals about whom data is provided to Injenia via the Services by (or at the direction of) Customer or End Users.
5. Injenia is a processor of that Customer Personal Data under European and Italian Data Protection Law;
6. Customer is a controller or processor, as applicable, of that Customer Personal Data under European and Italian Data Protection Law;
7. each party will comply with the obligations applicable to it under European Data Protection Law with respect to the processing of that Customer Personal Data.

4.1.2. Authorization by Third Party Controller. Customer warrants that its instructions and actions with respect to that Customer Personal Data, including its appointment of Injenia as another processor, have been authorized by the relevant controller.

4.2 Scope of Processing.

4.2.1 Customer’s Instructions. Customer instructs Injenia to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as further specified via Customer’s and End Users’ use of the Services (including the Admin Console and other functionality of the Services); (c) as documented in the form of the applicable Agreement, including this Data Processing Addendum; and (d) as further documented in any other written instructions given by Customer and acknowledged by Injenia as constituting instructions for purposes of this Data Processing Amendment.

4.2.2 Injenia’s Compliance with Instructions. Injenia will comply with the instructions described in Section 5.2.1 (Customer’s Instructions) (including with regard to data transfers) unless European or Italian Law to which Injenia is subject requires other processing of Customer Personal Data by Injenia, in which case Injenia will notify Customer (unless that law prohibits Injenia from doing so on important grounds of public interest) before such other processing.

5. Data Deletion

5.1 Deletion During Term. Injenia will enable Customer and End Users to delete Customer Data during the applicable Term in a manner consistent with the functionality of the Services. If Customer or an End User uses the Services to delete any Customer Data during the applicable Term and that Customer Data cannot be recovered by Customer or an End User, this use will constitute an instruction to Injenia to delete the relevant Customer Data from Injenia’s systems in accordance with applicable law. Injenia will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European or Italian Law requires storage.

5.2 Deletion on Term Expiry. Subject to Section 5.3 (Deferred Deletion Instruction), on expiry of the applicable Term, Customer instructs Injenia to delete all Customer Data (including existing copies) from Injenia’s systems in accordance with applicable law. Injenia will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European or Italian Law requires storage. Customer is responsible for exporting, before the applicable Term expires, any Customer Data it wishes to retain.

5.3 Deferred Deletion Instruction. To the extent any Customer Data covered by the deletion instruction described in Section 5.2 (Deletion on Term Expiry) is also processed, when the applicable Term under Section 5.2 expires, in relation to an Agreement with a continuing Term, such deletion instruction will only take effect with respect to such Customer Data when the continuing Term expires. For clarity, this Data Processing Amendment will continue to apply to such Customer Data until its deletion by Injenia.

6. Data Security.
   6.1 Injenia’’s Security Measures, Controls and Assistance.
   6.1.1 Injenia’s Security Measures. Injenia will implement and maintain reasonable technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. (the “Security Measures”). Since Interacta is built on and delivered through Google Cloud Platform (GCP), GCP’s security measures are also applicable.
   6.1.2 Security Compliance. Injenia will: (a) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, and (b) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.
   6.1.4 Injenia’s Security Assistance. Injenia will assist Customer in ensuring compliance with its obligations pursuant to Articles 32 to 34 of the GDPR, by:

• a. implementing and maintaining the Security Measures in accordance with Section 6.1.1 (Injenia’s Security Measures);
• b. complying with the terms of Section 6.2 (Data Incidents);
• c. if subsections (a)-(b) above are insufficient for Customer to comply with such obligations, upon Customer’s request, providing additional reasonable assistance.

6.2 Data Incidents.

6.2.1 Incident Notification. Injenia will notify Customer promptly and without undue delay after becoming aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Customer Data.

6.2.2 Details of Data Incident. Injenia’s notification of a Data Incident will describe, to the extent possible, the nature of the Data Incident, the measures taken to mitigate the potential risks and the measures Injenia recommends Customer take to address the Data Incident.

6.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Injenia’s discretion, by direct communication (for example, phone call or an in-person meeting).

6.2.4 No Assessment of Customer Data by Injenia. Injenia has no obligation to assess Customer Data in order to identify information subject to any specific legal requirements.

6.2.5 No Acknowledgement of Fault by Injenia. Injenia’s notification of or response to a Data Incident under this Section 6.2 (Data Incidents) will not be construed as an acknowledgement by Injenia of any fault or liability with respect to the Data Incident.

6.3. Customer’s Security Responsibilities and Assessment.

6.3.1 Customer’s Security Responsibilities. Without prejudice to Injenia’s obligations under Sections 6.1 (Injenia’s Security Measures, Controls and Assistance) and 6.2 (Data Incidents), and elsewhere in the applicable Agreement, Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside Injenia’s or Injenia’s Subprocessors’ systems, including:

• a. using the Services and Additional Security Controls to ensure a level of security appropriate to the risk in respect of the Customer Data;
• b. securing the account authentication credentials, systems and devices Customer uses to access the Services; and
• c. retaining copies of its Customer Data as appropriate.

6.3.2 Customer’s Security Assessment. Customer agrees, based on its current and intended use of the Services, that the Services, Security Measures, and Injenia’s commitments under this Section 7 (Data Security): (a) meet Customer’s needs, including with respect to any security obligations of Customer under European and Italian Data Protection Law, and (b) provide a level of security appropriate to the risk in respect of the Customer Data.

6.4 Cloud Infrastructure compliance Certifications and SOC Reports. Interacta is built on and delivered through Google Cloud Platform (GCP) as technical infrastructure. Injenia guarantees that Interacta will be delivered on a cloud platform (such as GCP) that maintains at least the following for the Audited Services in order to evaluate the continued effectiveness of the Security Measures:

• a. certificates for ISO 27001, ISO 27017 and ISO 27018, and
• b. SOC 2 and SOC 3 (or equivalent) reports produced by cloud provider’s Third Party Auditor and updated annually based on an audit performed at least once every 12 months (the “SOC Reports”).

7. Access etc.; Data Subject Rights; Data Export.

7.1 Access; Rectification; Restricted Processing; Portability. During the applicable Term, Injenia will enable Customer, in a manner consistent with the functionality of the Services, to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Injenia as described in Section 6.1 (Deletion During Term), and to export Customer Data.

7.2 Data Subject Requests.
7.2.1 Customer’s Responsibility for Requests. During the applicable Term, if Injenia’s Data Protection Team receives a request from a data subject in relation to Customer Personal Data, and the request identifies Customer, Injenia will advise the data subject to submit their request to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
7.2.2 Injenia’s Data Subject Request Assistance. Injenia will (taking into account the nature of the processing of Customer Personal Data) assist Customer in fulfilling its obligations under Chapter III of the GDPR to respond to requests for exercising the data subject’s rights.

8. Data Storage and processing

8.1 Data Storage and Processing Facilities. Injenia will store and process Customer Data inside of EEA.

8.3 Data Center Information. Information about the locations of Google Cloud Platform data centers is available at: https://www.google.com/about/datacenters/inside/locations/index.html (as may be updated by Google from time to time).

9. Subprocessors

9.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement as Subprocessors of those entities listed as of the Appendix 1 (Information about Subprocessors). In addition, without prejudice to Section 11.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement as Subprocessors of any other third parties (“New Third Party Subprocessors”).
9.2 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Injenia will:

1. ensure via a written contract that the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Data Processing Addendum); and
2. remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

Injenia’s Data Protection Team. Injenia’s Data Protection Team can be contacted by Customer’s Administrators at legal@injenia.it.

Appendix 1: Information about Subprocessor