Last modified November 7, 2019
USE OF ANY PRODUCTS AND SERVICES AND/OR CONTENT FROM AERIS WILL BE GOVERNED BY THESE SERVICE TERMS (“THE TERMS”).
- Parties and Definitions.
- Parties. The words “Aeris” or “Company” mean Aeris Communications, Inc., owner and operator of the Aeris Services, and its Affiliated companies. The word “Customer” means the legal entity that has agreed to a Services Agreement. The words “party” or “parties” refer to Aeris and Customer.
- Definitions. In these Terms, the following words have the meanings given to them:
- Acceptable Use Policy means the rules governing use of the Aeris Sites and Aeris Services, the current version of which is available at https://www.aeris.com/acceptable-use-policy/.
- Account means any account established by or for Customer in order to allow it to purchase SIM Cards, to order and access any Aeris Services, or to manage Devices.
- Account User means any individual or entity that, directly or indirectly through another user, accesses Customer’s Account.
- Aeris Platform means the Aeris computing resources that receive Device data and host the Aeris Services, including any Web Portal.
- Aeris Services means AerTrak, the CVP Services, Wireless Services and any other services that Customer receives from Aeris under a Services Agreement or otherwise, including Support Services and Professional Services.
- Aeris Sites means the main Aeris website at https://www.aeris.com and any Web Portal provided by Aeris for Customer or End User interaction with the Aeris Services.
- Affiliate means any entity that controls, is controlled by, or is under common control with a party, where “control” means the power to direct or cause the direction of management and policies of an entity, either directly or indirectly, whether through direct or indirect ownership, voting rights, contract or otherwise.
- APIs means the application programming interfaces that allow communication between Customer’s computing facilities or Devices and the Aeris Platform and Aeris Services.
- API Instructions means any instructions made available to Customer by Aeris for its use in coordinating access to and use of any Aeris Services through APIs.
- API Keys means any keys issued to or generated by Customer as permitted for access to an Account or for use of Aeris Services.
- Application Data means all data, SMS or voice traffic data (including data resulting from any processing of such data, SMS or voice traffic by Customer Applications, Customer Services or by the Aeris Services) that is transmitted in the course of the operation of the Aeris Services between Customer Devices or computing facilities and any Aeris Platform.
- Confidential Information means all confidential or proprietary information of a business or technical nature exchanged between the parties, whether disclosed orally, visually or in writing, which has clearly been identified as confidential or which by its nature or the circumstances of its disclosure should reasonably be understood to be proprietary and held in confidence, including, without limitation, product and service plans and information, marketing, sales and pricing data and plans, operational and financial information and Customer Data to the extent that it contains any of the foregoing.
- Customer Application means any software or firmware program not provided by Aeris and used by Customer for its internal purposes or to provide Customer Services to its customers or any other party that accesses the Aeris Services or that sends, receives or processes Application Data.
- Customer Data means Customer Application Data and any other owned by Customer as provided in Appendix 1 that is processed by Aeris Services or stored at the Aeris Platform.
- Customer Services means the services, including Customer Applications, provided by Customer to its customers or End Users that rely on or incorporate any Aeris Service.
- Data Facilities means the data interface, handling or storage facilities used by a party for receipt, processing or storage of data in connection with the provision or use of Aeris Services.
- Device means any radio module, telematics unit, telephone, wireless or other hardware or virtual device for use with the Aeris Services, including any physical or virtual SIM Card or device containing a SIM Card.
- Dispute means any disagreement between the parties relating to their contractual relationship, including any disagreement relating to a party’s performance under the terms of a Services Agreement or to the validity, interpretation, execution, or termination of a Services Agreement or these Terms or to compliance with any applicable policies.
- Documentation means all of the information and materials provided or made available to Customer by Aeris, including on a Web Portal or other Aeris Site, about Aeris Services and the Requirements, including developer guides, getting started guides, user guides, quick reference guides, sample code and tools, software libraries, command line tools, API guides and API Instructions, support and troubleshooting guidelines and other technical and operations manuals and specifications for the operation of the Aeris Services, as may be updated by Aeris from time to time.
- End User means the authorized employees, subcontractors, customers, vendors and distributors of Customer or its customers who will operate any Device or interact with any Aeris Service directly or through Customer Services.
- Intellectual Property means patents, patent applications, copyrights, trade secrets, trademarks and any other rights of a proprietary nature, existing anywhere in the world, whether registered or registrable or not, and including all derivative works thereof.
- Malicious Code means any virus, worm, trojan, time bomb, ransomware or other disabling or harmful code, file or program intended to interfere with the operation of computer systems or to alter, delete or interfere with access to data.
- Managed Wireless Providers means any Wireless Providers contracted directly by Customer to transmit Application Data and with whom Aeris has made arrangements to allow Customer to use the Aeris Platform to perform some management of Customer Devices deployed on such Wireless Providers’ systems.
- Mobile App means any application provided or made available by Aeris that is designed for operation on a smartphone or other mobile device and that allows access to Aeris Services or any Web Portal.
- Privacy Policy means the policies governing the collection and use of information by Aeris; the most current version of the Privacy Policy is available at https://www.aeris.com/privacy-policy/. If a particular Aeris Service or Mobile App has its own privacy policy, the term “Privacy Policy” includes that other policy.
- Representative means the directors, employees, agents, contractors, representatives, advisors or personnel of a party or its Affiliates who are authorized by a party, or who have apparent authority to act on behalf of a party, to take action on its behalf relating to the Aeris Services or the contractual relationship between the parties.
- Requirements means the guidelines available in the Documentation setting out technical and behavioral requirements for Devices and for Customer Services and Customer Applications that use or interact with Aeris Services.
- Service Providers means the subcontractors or other parties who provide services in connection with use of Aeris Services or provision of Customer Services, including Wireless Providers, call centers, third party support personnel, and cloud storage providers.
- Services Agreement means any agreement between Customer and Aeris that governs Customer’s use of and payment for Aeris Services.
- SIM Card means a physical subscriber identity module chip or virtual SIM supplied or approved by Aeris to enable Devices to access Wireless Services.
- Support Services means any services that are provided by Aeris to Customer under the terms of any Services Agreement (or other agreement) for support of the Aeris Services.
- VPN means a secure link to the Web Services from Customer Data Facilities for exchange of Application Data and other access of Aeris Services.
- Web Portal means any web-based portal or dashboard for interacting with Aeris in connection with Customer’s use or potential use of Aeris Services, including such activities as establishing an Account, signing up for Aeris Services, viewing Documentation, and accessing Aeris Services, including managing Devices and setting Device alerts, viewing Device or Application Data, viewing Device activity and billing information, and using other features of the Aeris Services.
- Web Services means the means (a) the API-based services for managing or monitoring Devices and activity or for routing Application Data, and (b) the services available at Aeris Sites and through any Web Portal.
- Wireless Providers means the wireless telecommunications operators whose cellular or other wireless networks are used to provide the Wireless Services or to carry Application Data.
- Wireless Provider Partners means Wireless Providers contracted by Aeris to provide Wireless Services.
- Wireless Services means the cellular and internet-based services, including, but not limited to, cellular connectivity services, used to enable the transmission of Application Data between Customer’s facilities or Customer’s or Customer’s End Users’ Devices on the one hand and the Aeris Platform on the other hand.
- Modification of Terms, Services or APIs. Except as otherwise provided in subsection (d) below or in any Services Agreement, Aeris may, without Customer’s approval and at any time, modify these Terms, any Services Agreement, any other terms for or policies applicable to use of Aeris Services, any Documentation, any price lists or any Requirements and may change, discontinue, or deprecate any aspect or functionality of the Aeris Services (including APIs or any service as a whole). Aeris will use commercially reasonable efforts to limit the frequency of any changes materially affecting the operation of any Aeris Service. The following terms apply to these changes:
- Modification of Services. Aeris will use commercially reasonable efforts to keep the Aeris Services up to date with industry developments relevant to that Aeris Service. Customer acknowledges that Aeris engages in a process of continuous improvement of its technology and services and, subject to its compliance with this Section 2, has the right to modify its services across its customer base from time to time without Customer’s consent.
- Modification of APIs. If Aeris changes, discontinues or deprecates any APIs, Aeris will use commercially reasonable efforts to continue supporting the previous version of any such API for 12 months unless doing so would pose a security or intellectual property issue, would be economically or technically burdensome in any material respect, or if the change is needed to comply with the law or requests of relevant stakeholders, including Wireless Providers, Service Providers or governmental entities.
- Notice of Changes. If Aeris contemplates any modification of an Aeris Service that is not covered by subsection (d)(i) through (iv) below, Aeris agrees to provide reasonable prior notice of such change to Customer and to cooperate in good faith with Customer, at no additional charge, to minimize the impact on Customer’s business and Customer’s customers, including making the changes with adequate notice and support and implementing them smoothly. All support and maintenance obligations of Aeris to Customer will extend to any such updated Aeris Service. Aeris will post notice on the Aeris Sites of all changes made and, for any changes that Aeris thinks are material, will use reasonable efforts to notify Customer by email to the designated contact in Customer’s Account. Except for emergency changes required to protect any Aeris Service or any customers, all changes will take effect thirty (30) days from the date Aeris post notice of the change on the Aeris Sites. Customer’s continued use of the Aeris Sites or any Aeris Services indicates Customer’s acceptance of such change. Customer should check the Aeris Sites periodically for any changes.
- Excluded Changes. Changes that fall within any of the following categories will be treated as a proposed amendment of these Terms or the applicable Services Agreement between the parties:
- Changes that materially increase Customer’s total costs of receiving the Aeris Services during any guaranteed term of Customer’s Services Agreement, excluding changes due to increases in costs charged by roaming partners of Wireless Provider Partners;
- Changes that require Customer or Customer’s End Users to make any material changes to Customer’s or their respective systems, software, equipment or Devices, policies or procedures, including any obligation to install or use new hardware or Devices or to make changes to software, firmware or settings of deployed Devices other than through over-the-air campaigns;
- Changes that have a material adverse impact on the functionality, interoperability, performance, reliability, security or resource efficiency of any of the Aeris Services; or
- Changes that materially reduce the scope of the affected Aeris Services.
- Right to Use Services and Restrictions.
- Right to Use Services. So long as Customer is in compliance with these Terms, Customer Services Agreement or any other agreement or terms applicable to the Aeris Services Customer is using and, as applicable, the Acceptable Use Policy, Customer is granted the limited, non-exclusive, revocable, non-transferable, non-sublicensable and worldwide right to use the Aeris Sites, the Aeris Services, the APIs and the Documentation only for Customer’s own internal business purposes, including providing Customer Services to Customer’s End Users. Aeris reserves all rights not expressly granted to Customer in these Terms.
- Means of Access.
- Customer agrees not to access (or attempt to access) the Aeris Sites or any Web Services by any means other than through the interfaces provided by Aeris, unless Customer has been specifically allowed to do so in a separate agreement signed by the parties. If the parties have agreed that Customer will access Aeris Services using an appropriately configured VPN, Customer will do so.
- For any of the Web Services accessible only through use of APIs and/or API Keys, Customer agrees that Customer will access the Web Services only using appropriate APIs and API Keys that are compliant with the API Instructions provided by Aeris and Customer will not access the Web Services through any other automated means, such as scripts or web crawlers.
- If Aeris suspects fraud, malicious behavior or aberrant Device or system behavior, Aeris may limit the number of times Customer can visit or log into the Aeris Sites or Web Services within a certain period of time to prevent disruptive activity. Aeris will use reasonable attempts to notify Customer of the need for such limitation. Continued abuse, fraudulent activity, disruptive activity, or excessively frequent requests to the Web Services may result in the temporary or permanent suspension of Customer’s access to Web Services or Customer’s Account or to any API or API Key.
- Customer understands that the identification numbers (IMSI, MSISDN, MIN or similar) assigned to a SIM Card or a Device to allow a SIM Card or Device to use Wireless Services are assigned by wireless service providers. Customer also understands that regulations about portability of numbers generally do not apply to IoT devices, and that if Customer wishes to move Customer’s Devices to use services from a different wireless service provider, Customer may need to replace the SIM Card in Customer’s Devices. Customer will be responsible for any expense in replacing SIM Cards or reconfiguring Devices.
- Suspension or Termination. Aeris or its Wireless Provider Partners may suspend, reduce or terminate the Aeris Services to Customer or to particular Devices associated with Customer or its End Users or suspend access to Customer’s Account in certain circumstances, including Customer’s failure to comply with the Requirements or otherwise, in cases of suspected fraud, in cases of aberrant Device behavior causing issues, such as repetitive registration attempts, congestion or reduction of availability of resources for other customers, on its networks or those of any Wireless Provider Partners, if Aeris reasonably believes Customer’s Account has or is at risk of a security breach or if Customer or Customer’s End Users are in violation of the Acceptable Use Policy, these Terms or any Services Agreement or other terms applicable to Customer’s use of Aeris Services. Aeris will use commercially reasonable efforts to notify Customer in advance of any suspension or termination and the reason for taking such action, and will restore service if and when the issue has been satisfactorily resolved. Aeris will have no liability to Customer, any Account User, any End User or any other third party for any actions reasonably taken by Aeris under this provision.
- Maintenance. Aeris, its Service Providers or its Wireless Provider Partners may make temporary changes to the Aeris Sites or Aeris Services required by an emergency, as well as take actions deemed reasonably necessary to protect or optimize its or their networks or services. Some of these actions may interrupt or prevent legitimate communications and the usage, including, for example, use of message filtering/blocking software to prevent SPAM or viruses, limitations on throughput, scheduled maintenance and the like. Aeris will provide as much advance notice as reasonably possible of any such planned or emergency maintenance windows by email or by posting on a Web Portal.
- Additional Restrictions. Customer agrees that Customer will not do any of the following (or permit or enable any other person, including any Account User or End User, to do any of the following), without the prior written consent of Aeris, and that Customer will require Customer’s Account Users and End Users to agree to similar restrictions:
- Resell, copy or otherwise use the Aeris Services for Customer’s personal gain except as may be necessary for Customer’s internal business purposes or for Customer to provide Customer Services to End Users;
- modify or make derivative works based on the Aeris Sites, any Aeris Services, the Documentation, the APIs or any SIM Cards, or reverse engineer any of the software or content used in any of the foregoing;
- share or otherwise distribute any non-public information about the operation of the Aeris network or any Aeris Services to any third parties, other than with Customer’s End Users;
- bypass or circumvent measures Aeris uses to limit access to the Aeris Sites or Web Portal or take any actions intended to artificially disguise the extent of the usage of the Aeris Services to avoid payment of fees;
- use the Web Services or any other means to access the accounts of any other persons or to intercept, collect or store personal information about other users or their customers, other than as may be necessary for Customer to provide support to its End Users;
- take or permit any actions that Customer reasonably ought to know may overload the Web Services, the Aeris Platform or any Aeris Site or the systems of any other party;
- benchmark any of the Aeris Services, perform penetration testing or engage in any other activity to probe the Aeris Platform, any Aeris Site or any other Aeris systems, or collect or share information about the performance of the Aeris Services;
- engage in excessively high-volume data transfers or bandwidth use, including without limitation by hosting a webserver, internet relay, chat server or any other server, via any use of the Web Services;
- “frame” or “mirror” the Aeris Sites or any Aeris Services or content on any other server or Internet-enabled device;
- take any action to modify, avoid or override any Aeris or Wireless Provider Partner lists or algorithms for blocking or preferring any wireless service network; or
- use the Aeris Services in violation of the Acceptable Use Policy.
- Account Security. Customer agrees that Customer has certain security obligations with respect to accessing Aeris Services and, if applicable, Customer’s Account and that Aeris will not be liable for any loss or damage from Customer’s failure to comply with these obligations. In particular, Customer agrees that it will:
- limit access to Customer’s Account and the Web Services to Customer’s authorized Account Users;
- establish account logins and API Keys for Customer’s Account Users in accordance with Aeris policies including, if required, providing the legal full name, valid email address, and any other information requested for each person for whom a login is created;
- not grant access to the Web Services to Customer’s End Users without the prior written consent of Aeris and, if access is granted, require Customer’s End Users to establish their own access credentials and to agree to these Terms;
- safeguard all usernames and passwords, API Keys and other Account access credentials for Customer’s Account Users who have access to the Web Services;
- use appropriate security to protect all points of interconnection between Customer’s Data Facilities or Devices and the Aeris Data Facilities;
- be responsible for all activities that occur through Customer’s Account using Customer’s usernames, passwords or API Keys or using Customer’s Devices; and
- notify Aeris immediately if Customer believes that the security of Customer’s Devices or Account access credentials has been compromised and cooperate in the correction of Device security issues or resetting of any such access credentials.
- Security and Data Protection. Aeris and Customer each agree to comply with the requirements of Addendum 1 – System Security and Data Privacy.
- Ownership of Intellectual Property and Data.
- Ownership of Intellectual Property. Customer agrees that, as between Customer and Aeris, Aeris is the exclusive owner of all Intellectual Property relating to the Aeris Services, all APIs, the Aeris Sites and all Documentation and in all developments, enhancements, new versions and other modifications of or additions to the foregoing made by or for Aeris, including in the course of providing Aeris Services to Customer. Aeris agrees that, as between Customer and Aeris, Customer is the exclusive owner of all Intellectual Property relating to Customer Services (excluding any Aeris Services that are used in or incorporated in Customer Services). Unless agreed otherwise in writing with Aeris, Aeris may use any suggestions made by Customer for improvements to Aeris services without any obligation to Customer.
- Ownership of Data. The rights of each of the parties and Customer with respect to ownership of any data will be as set out in Addendum 1.
- Independent Development. Nothing in these Terms will be construed as a restriction on the right of either of Aeris or Customer to develop its technology, products or services independently of and without reference to the Confidential Information of the other, even if they are the same or similar to the technology, products or services contemplated by the other, or to share ownership of any such developments with the other. Any agreement on transfer of or joint ownership of Intellectual Property will be subject to a separate written agreement signed by authorized Representatives of both parties.
- Confidentiality.
- Duty to Protect and Restriction on Disclosure or Use. Aeris and Customer each agree to use at least a reasonable degree of care to protect any Confidential Information of the other in its possession and to use that Confidential Information only for purposes related to use or provision of Aeris Services. Each party agrees not to disclose the Confidential Information of the other without the written consent of the other, other than to its Representatives who need to know and who are bound by appropriate confidentiality obligations. Each party will be responsible for any breach of this Section 6 by its Representatives.
- Term of Obligations. Each party will adhere to these obligations of confidentiality for three (3) years after any particular Confidential Information has been disclosed to it. The obligations of Aeris with respect to Personal Data as defined in Addendum 1 will continue for so long as Aeris has possession of any such Personal Data. On request, Aeris will certify in writing to Customer that Aeris has destroyed or is no longer in possession of any Personal Data.
- Exclusions. These obligations will not apply to any Confidential Information disclosed by a party to the other that was (i) rightfully in possession of the other before being disclosed, or that became publicly known after disclosure not due to any action of the other; (ii) that was given to the other by someone reasonably understood to have the right to disclose it; (iii) that was developed independently by the other without use of or reference to the disclosed Confidential Information; or (iv) that the other is required to disclose by court order or otherwise, provided that, if permitted, the disclosing party is given prompt notice of the requirement and the other party provides reasonable assistance to the disclosing party (at the disclosing party’s expense) in resisting or limiting any disclosure.
- Return of Confidential Information. Each party agrees that, upon request of the other party, it will promptly return or destroy (and certify in writing the destruction of) the Confidential Information of other (including Personal Data), provided that each of the parties may retain such Confidential Information as is necessary to continue to perform any Services Agreement still in effect, to comply with applicable laws or for appropriate and reasonable archival purposes, provided that such information will continue to remain subject to these confidentiality obligations so long as it is retained.
- Limitation of Liability. Except as the parties may explicitly agree in a Services Agreement, the liability of each of Customer, Aeris and Service Partners will be limited as provided below. The parties agree that these limitations of liability are essential to their economic relationship, and the prices and other terms on which Aeris Services would be available would be different without them.
- Customer’s Use of Aeris Services. Customer will be solely responsible for determining how to use the Aeris Services and for the results of such use. Aeris will have no responsibility to Customer, to any End User or any other party for any use of the Aeris Services, including any action that Customer or any other party choose to take or not to take based upon data generated from the use of the Aeris Services. Aeris will not be liable to Customer, to any End User or any other party for any use of Aeris’ Services due to damage to equipment or Devices not caused by Aeris. In addition to any other limitations included in any Services Agreement, Customer understands that the Aeris Services may not be designed to collect or send data continuously, that there is unavoidable latency in the operation of any wireless-based system, and that data collected from Devices may not be complete or current. Customer also understands that the accuracy and performance of Aeris Services may be compromised by failures of Customer Applications, Devices, or equipment. Customer is encouraged to take reasonable steps to confirm the accuracy of data before taking actions that have the potential to cause harm to an End User or any other person or property.
- Excluded Damages and Losses. Subject to subsection (e) below, neither party will have any liability to the other for any indirect, special, consequential or punitive damages or for any loss of data, profit, business or other economic advantage arising out of a Services Agreement or Customer’s use of any Aeris Services, even if that party was aware of the possibility of such damage or loss.
- Maximum Liability for Direct Damages. Subject to subsection (e) below, the maximum aggregate liability of one of the parties to the other for any direct damages will not exceed the greater of (a) $50,000 or (b) the aggregate fees paid by Customer to Aeris for Aeris Services relating to the claim in any twelve (12) month period prior to the events giving rise to the claim.
- Exceptions. The limitations and exclusions set forth in subsections (b) and (c) will not apply to (i) any violation by Customer, Customer’s Account Users or Customer’s End Users of the Acceptable Use Policy, (ii) for claims to the extent arising out of a party’s willful default or gross negligence, (iii) except as otherwise expressly provided herein, claims that a party’s actions resulted in death or personal injury, (iv) breach of confidentiality obligations; (v) claims subject of any indemnification obligations under Section 10; or (vi) any damages that may not be limited or excluded under applicable laws. With respect to claims that are the subject of any indemnification obligations under Section 10, or for damages relating to any breach of data protection obligations, including those obligations set forth in Addendum 1, the maximum liability of a party will not exceed $250,000.
- No Liability for Coverage Availability or Changes. Customer understands that the availability of Wireless Services or internet services in any given area depends on a combination of Device capabilities and facilities, the actions of internet service providers, mobile network operators and others, and other factors not under the control of Aeris or its Service Providers. Aeris Services may also be limited or interrupted by such factors as buildings, weather, topographical features, usage by other parties, or maintenance activities by Aeris or Service Providers. Neither Aeris nor any Service Providers will have any liability to Customer, any End User or other third parties for any such limitation or interruption of Aeris Services.
- No Liability for Interception of Application Data. Neither Aeris nor any Wireless Provider Partners can guarantee the privacy or security of any transmission using Wireless Services. The possibility exists that third parties may be able to intercept Application Data without the knowledge or permission of Customer, Aeris or any Wireless Provider Partner, and that Customer bears primary responsibility for protecting Customer’s Data, including, if Customer desires, encrypting it in transit or at rest. Customer agrees that Aeris and the Carrier Partners will not be liable to Customer, any End User or other third party for interception or unauthorized use of any Application Data transmitted using Wireless Services. However, upon discovery of such third-party interception or unauthorized use of any Application Data, Aeris shall endeavor to report such interception within a reasonable time and assist the Wireless Provider Partner as reasonably practicable to limit any further issues.
- Obligations to Third Parties.
- Obligations Applicable to Account Users and End Users. Customer will be responsible for requiring that Customer’s Account Users and End Users comply with these Terms, any other terms applicable to the Aeris Services, the Requirements and the Acceptable Use Policy, and for enforcing that compliance.
- No Obligations of Aeris to End Users. Customer agrees that Aeris and its Service Providers have no contractual relationship with or any obligations to Customer’s End Users for operation of any Devices or of Customer Services. Unless Aeris has specifically agreed otherwise, Customer will have the sole responsibility to provide first line support to Customer’s End Users for use of Customer Services. Customer agrees that Customer’s End Users will have no direct claim against Aeris or its Service Providers of any kind, including (i) claims for injury or death, or (ii) any liability arising out of any use or failure of Customer Applications or Customer Services, even if this failure is due to a failure of the Aeris Services. Customer will not make any promises or representations to any End Users inconsistent with these Terms, any Services Agreement or any other terms applicable to the Aeris Services used by Customer.
- No Liability of Wireless Provider Partners. Customer understands that the Wireless Provider Partners contractually require Aeris to inform its customers and obtain their agreement that such Wireless Provider Partners have no direct or indirect contractual relationship with or any obligations to Customer or any of its End Users, and that Customer and its End Users will have no claim under any legal theory against any Wireless Provider Partner for any use of or failure of the Aeris Services or any damage, including death or personal injury, arising out of such use or failure.
- Malicious Code; Warranties and Disclaimers.
- Malicious Code. Aeris will follow commercial best practices in its industry to mitigate the risk that any Aeris Service, Mobile App or Web Service contains any Malicious Code, including scanning all code prior to deployment to production. If at any time Aeris discovers any Malicious Code in an Aeris Service, Mobile App or any Web Services that Aeris does (or should) reasonably expect to have a material adverse effect upon Customer or its End Users, Aeris will remove it as quickly as possible.
- Warranties and Remedies. Aeris warrants that the Aeris Services will perform in accordance with their written specifications in Documentation, but does not warrant that operation of the Aeris Services will be error-free or will be available at all times. Customer’s sole and exclusive remedy for any failure by Aeris to provide the Aeris Services in conformance with their applicable specifications is to use the Support Services and, if use of such services is not able to resolve the issue, to terminate the applicable Services Agreement. Further, Aeris warrants and represents that Aeris Services will comply with all applicable federal, state and local laws and regulations.
- No Warranty to End Users. The foregoing warranties extend to Customer only. Customer will be responsible for warranting the performance of Customer Services and Customer Applications, for providing first line support to its End Users, and for accessing any applicable Support Services from Aeris.
- Disclaimer of Warranties. Except as explicitly agreed above or in a Services Agreement, Aeris disclaims all warranties with respect to the Aeris Services, whether express or implied, including any implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, non-infringement or quiet enjoyment, as well as any warranties arising by law, out of course of dealing or by the usage of trade. If Aeris certifies any Devices or any of Customer Services or Customer Applications, such certification would not constitute a warranty or representation by the parties, either express or implied, concerning the suitability, durability, fitness for use, merchantability, condition or quality of the Aeris Services or any of Devices, Customer Applications or Customer Services.
- Indemnification Obligations
- Aeris Obligations Regarding Intellectual Property Claims. Aeris agrees that Aeris will, at its own expense, defend Customer and its Representatives against any claim made against any of them by a third party alleging that their use of the Aeris Services infringes the Intellectual Property rights of a third party and pay all damages and costs finally awarded against any of them because of the claim, including reasonable costs and attorney’s fees, and/or all amounts payable by any of them in connection with a settlement made in compliance with Section 10(d). Aeris will have no obligation to indemnify Customer or its Representatives under this subsection (a) to the extent that the alleged infringement (i) involves any patents issued by any country other than the United States or (ii) is caused by (A) any modification of the Aeris Services by any person that is not approved by Aeris, (B) any combination of the Aeris Services with any program, data, device or service not approved or specified by Aeris as required for use of the Aeris Services if such infringement claim would have been avoided by use of the Aeris Services alone, or (C) any trademark infringement involving any marking or branding not applied at the sole discretion and direction of Aeris.
- Mitigation of Intellectual Property Claims. If any Aeris Services are subject to an infringement claim covered by Section 10(a) and not excluded under Section 10(a)(i) or (ii), then, in addition to indemnifying Customer under Section 10(a), Aeris will, in its sole discretion and at its own cost, either:
- obtain for Customer the right to continue to use the Aeris Services;
- modify the Aeris Services to make them non-infringing without degrading their performance, functionality or quality; or
- replace them with a compatible, functionally equivalent, and non-infringing substitute in a manner that does not degrade performance, functionality or quality.
If Aeris is unable to offer any of the above options, Aeris may stop providing the affected Aeris Services upon 30 days’ notice, provided that Aeris will promptly refund to Customer any portion of the fees Customer paid for such Aeris Services relating to periods of time after Customer stops using such Aeris Services. Customer agrees that the indemnification as described in (a) above and its mitigation obligations in (b) will be its sole obligation and Customer’s exclusive remedy with respect to claims of infringement of third-party Intellectual Property rights.
- General Indemnification. The parties each also agree to the following provisions:
- Each party will defend, at its own expense, the other and its Representatives and End Users (“Indemnified Parties”) against any actual or threatened claim, suit or proceeding brought against any of the Indemnified Parties by a third party to the extent such claim, suit or proceeding is alleged to arise out of or result from (A) the gross negligence or willful misconduct of the indemnifying party; (B) the indemnifying party’s failure to comply with any law or regulation or to obtain any consent of any party, including consent of any End User for use of data pertaining to the End User, applicable to the activities under any Services Agreement, including any claim that a party did not comply with its obligations under Section 17; and (iii) breaches of its confidentiality and data protection obligations hereunder, including obligations in Addendum 1.
- Customer agrees to defend, at its own expense, Aeris, its Service Providers and their respective Representatives against any actual or threatened third-party claim, suit or proceeding to the extent such claim, suit or proceeding is alleged to arise out of or result from claims from End Users relating to the operation of Devices, Customer Applications or Customer Services or any actions taken by Customer or its Representatives as described in Section 7(a).
- The indemnifying party will pay all damages and costs finally awarded against the indemnified party because of the indemnified claim, including the reasonable costs and attorney’s fees incurred by the Indemnified Party because of the claim, and/or all amounts payable by the Indemnified Party in connection with a settlement made in compliance with subsection (d) below.
- Procedure. For claiming indemnification under this Section 10, the Indemnified Party will notify the indemnifying party promptly on becoming aware of a claim, furnish to the indemnifying party a copy of each communication relating to the claim and provide all information and assistance (at the indemnifying party’s expense) necessary to defend or settle such suit or proceeding, provided that the failure of the indemnified party to do any of the foregoing will relieve the indemnifying party of its obligations hereunder only to the extent that such failure materially prejudices the ability of the indemnifying party to defend the claim. The indemnifying party will have exclusive control of the defense and/or settlement of any indemnified claim. The Indemnified Party will not be bound by any settlement made without its prior written consent, which will not be unreasonably withheld or delayed, if the settlement does not include a full release of all claims against the Indemnified Party or if it requires an admission of guilt or wrongdoing. If the indemnifying party is legally prevented from assuming control of the defense of, or does not so elect to, or having elected to assume control, subsequently fails to proceed with the settlement or defense of any claims, the Indemnified Party will be entitled to assume such control, and all costs and expenses incurred by the Indemnified Party in such defense or settlement will also be subject to its indemnity protection and recoverable from the indemnifying party. In such a case, the indemnifying party will be bound by the results obtained by the Indemnified Party with respect to such defense or settlement of such claims.
- Dispute Resolution and Arbitration; Governing Law, Jurisdiction and Venue; Injunctive Relief.
- Dispute Resolution and Arbitration. Except for any injunctive relief sought by a party as permitted below, the parties agree that, in the event of a Dispute, they will first work in good faith to negotiate and resolve such Dispute as follows: (i) the party initiating or seeking resolution of the Dispute will provide a written notice to the other party describing the Dispute in reasonable detail and the name of its Representative who will participate in resolving the Dispute; (ii) each party will, within 10 business days of receipt of the notice, designate a senior Representative who has familiarity with and responsibility for that party’s performance under the applicable Services Agreement to participate in resolution of the Dispute; and (iii) the designated Representatives will attempt to resolve the Dispute within 30 calendar days of being designated. If they are unable to reach a resolution, the Dispute will be escalated to the senior-most management executives of each party. If these senior management personnel are not able to resolve the Dispute within 30 calendar days, then each of the parties agree to submit the Dispute to binding arbitration as follows: The proceeding will take place in a mutually acceptable location in New York state before three arbitrators, will be conducted in English, and will be administered by JAMS, Inc. pursuant to its Comprehensive Arbitration Rules and Procedures. Within 10 business days after JAMS issues notice of the commencement of arbitration, each of the parties will select, from an approved list, one person to act as arbitrator, and the two so selected will select a third arbitrator within an additional 10 business days prior to the commencement of the arbitration. If the arbitrators selected by the parties are unable or fail to agree upon the third arbitrator within the allotted time, the third arbitrator will be appointed by JAMS in accordance with its rules. The parties agree to maintain the confidential nature of the arbitration process, including any resulting award, except as may be necessary to prepare for or conduct the arbitration hearing on the merits, or except as may be necessary in connection with a judicial challenge to an award or its enforcement or unless otherwise required by law or judicial decision. The arbitrators may, in their discretion, award to the prevailing party, if any, the costs and attorneys’ fees reasonably incurred by the prevailing party in connection with the arbitration.
- Governing Law Jurisdiction and Venue. Unless a Services Agreement specifies otherwise, these Terms and Customer’s use of the Aeris Services will be governed by the internal laws of the State of New York without regard to its conflicts of laws or choice of law rules. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded.
- Injunctive Relief. Notwithstanding any other provision of this Section 11, and without limiting any other remedy available, either of the parties may seek injunctive relief in any court of competent jurisdiction to prevent or limit any damage that could be irreparable, including damage arising out of a breach of confidentiality or data privacy obligations or a violation of the Acceptable Use Policy.
- English Language. All communications and notices between the parties must be in the English language. Any translation of the Services Agreement, these Terms, any other policies, terms, or other Documentation into a language other than English is made for Customer’s convenience, and in the event of any conflict between a translation and its original English language version, the English language version will control.
- Notices. Notices to Customer may be given as specifically allowed in these Terms. Any other notice to Customer will be sent to the email address associated with Customer’s Account and by regular mail or recognized delivery service with confirmation of receipt to the physical address associated with Customer’s Account. Any notice to Aeris must be sent to Aeris Communications, Inc. to the attention of the Legal Department by recognized delivery service with confirmation of receipt or registered or certified mail to 2099 Gateway Place, Suite 600, San Jose, CA 95110. A copy of any notice to Aeris should also be sent by email to generalcounsel@aeris.net.
- Force Majeure. A party (“Affected Party”) whose performance of any obligation (other than payment of money) under a Services Agreement or these terms is impacted by causes beyond its reasonable control and without its fault or negligence, including, but not limited to, acts of God, acts of civil or military authority, strikes, fires, riots, wars, embargoes, internet disruptions, hacker attacks or communications failures (“Force Majeure Events”), will not be liable to the other party, its customers or its End Users or any of its Service Providers for any delay or failure to perform obligations on account of the Force Majeure Event, provided that the Affected Party uses commercially reasonable efforts (a) to notify the other party of the existence and impact of the Force Majeure Event, and (b) to minimize the impact of the Force Majeure Event. Where a Force Majeure Event prevents the Affected Party from performing its obligations for a period that the other party deems unreasonable, the other party may terminate the relevant Services Agreement on 15 days’ written notice to the Affected Party. Customer will not be obligated to pay the reasonable portion of any fees for Aeris Services relating to any period during which Aeris was essentially unable to provide such services due to a Force Majeure Event. However, Customer will be liable to pay any fees for Aeris Services already delivered to Customer.
- Relationship of the Parties. The relationship between Customer and Aeris is that of independent contractors, and neither Customer’s use of the Aeris Services nor these Terms, any Services Agreement or any other terms is intended, or will be construed, to create a partnership, joint venture, or employer-employee relationship or to give either party the right to bind the other. No person not a named party to the Services Agreement, including any End User, is to be treated as a third-party beneficiary of any of the obligations to be performed by Aeris under that Services Agreement.
- Compliance with Laws.
- Export and Sanctions Laws. Customer agrees not to export any products, services or technical data received from Aeris to any country for which an export license or governmental approval is necessary without first obtaining the license or approval. Customer represents to Aeris (i) that Customer is not located in, organized under the laws of, or controlled by a person or entity located in any country subject to a U.S. or E.U. trade embargo, (ii) Customer does not violate any applicable sanction or embargo laws and regulations, including trade and economic sanctions maintained by the United State Treasury Department’s Office of Foreign Assets Control, (iii) Customer is not listed on, or owned or controlled by any entity or person on, the U.S. Department of Treasury list of Specially Designated Nationals or any similar list in place in any jurisdiction where Customer conducts business (collectively, “Restricted Persons”), and (iv) Customer will not provide services using the Aeris Services to Restricted Persons.
- Local Laws. Each party will comply at its own cost with any laws or rules of a governmental or regulatory authority having jurisdiction over such party in performing its obligations under, or using any Aeris Services provided under, a Services Agreement. Customer understands that Aeris disclaims responsibility for determining whether use of Aeris Services to provide Customer Services violates the laws of any jurisdiction where Customer operates or where Customer’s End Users are located. Customer will be solely responsible for determining whether Customer may lawfully provide Customer Services to Customer’s customers and End Users in the jurisdictions where Customer intends to use them.
- Conflict and Order of Precedence. If a conflict arises between these Terms and a Services Agreement, (a) to the extent the conflicting provisions may be reasonably interpreted in a manner consistent with each other, such consistent interpretation will apply, (b) provisions in any Pricing Document or other negotiated exhibit will override those in the Services Agreement or in these Terms, and (c) terms applicable to a specific Aeris Service set out in the Services Agreement for that Aeris Service will govern. The terms in any quote or standard invoicing documentation provided by Aeris or any standard purchase order documentation provided by Customer will not be interpreted to add to or modify any Services Agreement or these Terms.
- Entire Agreement; Waiver. These Terms, together with the Acceptable Use Policy, the Privacy Policy and, if applicable, the Services Agreement and other terms applicable to the Aeris Services that Customer uses, are the entire agreement between the parties regarding their subject matter and supersede any prior or contemporaneous understandings or oral or written agreements. None of the foregoing may be modified or amended except (a) as provided above for changes by the parties, and (b) by a written document signed by authorized Representatives of each of the parties. No failure to exercise or any delay in exercising any right, power or remedy by a party under a Services Agreement or these Terms will operate as a waiver. A single or partial exercise of any right, power or remedy does not preclude any other or further exercise of that or any other right, power or remedy. To be binding, a waiver must be in writing and signed by the waiving party.
- Assignment. No Services Agreement may be assigned without the prior written consent of the other party, except that a party may assign a Services Agreement without such consent to its successor in interest by way of merger, acquisition or sale of all or substantially all of its assets on the condition that the successor agree in writing to be bound by the terms of such agreement, including any liabilities or other terms enforceable against the assigning party and arising prior to the date of the assignment.
*End of Main Body of Service Terms*
Addendum 1 to AERIS SERVICES TERMS
System Security and Data Privacy
1. Overview
The parties mutually acknowledge that programs that use services such as the Aeris Services, including connected vehicle programs, asset tracking or other Internet of Things applications, is a coordinated effort among multiple parties, including not only Customer and Aeris but also Device manufacturers, Wireless Providers and other Service Providers. Each of Aeris, Customers and these other entities has the principal responsibility to secure those components of such program under its control and to manage access to those components as necessary to protect systems and to provide for the security and privacy of data in its possession.
The purposes of this Addendum 1 are:
- to identify, as between Customer and Aeris, who has responsibility for providing for the security of various system resources, data and services used in the program for which Customer will be using Aeris Services, including any resources use by Customer to provide Customer Services,
- to specify the minimum requirements applicable to each party for those data and resources that are its responsibility,
- to specify a framework for handling any security vulnerabilities or actual or threatened security incidents;
- to agree on how data will be classified and handled;
- to agree on the respective rights of each party to own or use any data; and
- to serve as a “data processing addendum” or similar document for purposes of the GDPR (as defined below) or other Applicable Data Laws.
The obligations in this Addendum 1 are in addition to any obligations either party may have under a Services Agreement or the Terms.
2. Definitions
In this Addendum 1, the capitalized terms listed below will have the meanings given to them. Any other capitalized terms used herein will have the meanings ascribed to them in the Terms or in the applicable Services Agreement. The singular will include the plural and vice-versa where the context so requires.
Applicable Data Laws means the laws of a Territory relating to data protection, privacy and security, data transfer or trans-border data flow, data breach or data processing, including all directives, laws, regulations, as well as rulings, regulatory guidance and other binding restrictions of or by any judicial or administrative body in a Territory.
Consent means the consent and agreement of an individual person (data subject) to the collection and processing of Personal Data about the data subject where such consent and agreement are given in compliance with Applicable Data Laws.
Controller means the party that determines the purposes and means for processing a specific type or set of Data.
Data means all data that is generated, collected, used and/or transmitted between the Aeris Platform or other Data Facilities, Customer’s Systems and Data Facilities, any Device and, as applicable, any Service Provider in connection with operation of Customer Application. Data is further subcategorized as described below:
Account Data means information about customer necessary to establish and maintain an account with Aeris, including the name of the contracting entity, the Aeris Services selected, account number, contact information (name, address, email address and mobile phone number for Customer’s Account Users) and the like. Account Data also includes information about activity conducted under or in association with Customer’s account, including billing and payment data, Device usage or activity information, actions taken with respect to the account, use of support services, and the like.
Device Data means static data about any Device or associated equipment that uses Aeris Services, including information for purposes of identifying the Device, such as model or serial number, identification number, IMSI, MSISDN or ICCID associated with any Device or Equipment or any SIM Card installed in a Device.
End User Data means any information about an End User of a Device or Customer Service, including name, address (physical and email), telephone number(s), and other information specific and identifiable to an End User.
Event Data means data generated by or relating to a Device or associated equipment, such as a vehicle, where such data is generated dynamically in the course of operation of the Aeris Services, including Location Data, events recorded, error codes used in a Customer Application, or information about the Device or associated equipment collected for use in a Customer Service or Customer Application.
Location Data means both Wireless Data available from a Wireless Provider that indicates a specific or approximate location based on usage of wireless networks or, where applicable, GPS data available from a Device that indicates the actual or approximate location of the Device at a given time.
Personal Data has the meaning given in Section 4.1.
Service Data means all data that identifies the Aeris Services used by a Device, including the rate or pricing plan to which a Device is assigned, together with data generated dynamically in course of operation of the Aeris Services, including data about how the Aeris System Resources performed in recording Event Data or providing Aeris Services, Wireless Data, and information (other than Personal Data) that identifies a Device used to access Aeris Services.
Wireless Data means originating and receiving Device ID, time stamp, type of transmission (voice, packet data, SMS and size/length), coordinates of delivery location, and identity of the wireless service provider that carried the traffic.
Data Breach means an actual or reasonably suspected unauthorized access, use or acquisition of (a) any Personal Data or (b) of any other Data where such actions could, in the reasonable opinion of Aeris, result in a material adverse effect on Customer or its End Users or present a security vulnerability that could materially and adversely affect Customer or its End Users.
GDPR means the General Data Protection Regulation adopted by the European Union effective as of May 25, 2018 and as such regulation may be modified from time to time.
Privacy Engineering means an approach to the design of systems, services and applications to maximize the privacy of individuals and minimize the risk of harm through unauthorized access to or loss of Personal Data, including measures to ensure that:
- Personal Data is processed fairly and lawfully;
- Personal Data is collected only for specifically stated and legitimate purposes and processed only for these purposes;
- no Personal Data is collected that is not relevant to and necessary for the original purpose for which Consent has been given;
- Personal Data is retained in identifiable form only for so long as required for the original purpose; and
- means are provided to allow for data subjects to request delivery of Personal Data or for deletion of Personal Data from production systems or marketing lists.
Process or Processing means any operation or set of operations which is performed on Data or on sets of Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor means the party or other Service Provider that Processes a specific type or set of Data on behalf of the Controller.
Restricted Jurisdiction means any Territory in which Applicable Data Laws restrict for any reason the transfer outside of the Territory of Personal Data of data subjects who are located in the Territory.
Secure Systems means System Resources that have been engineered or configured using appropriate technical and organizational measures in a way reasonably intended to protect against the possibility that unauthorized persons could access such components (including any Data transmitted through or stored on such components), could modify any settings or other configurable elements of such components, or could otherwise compromise the confidentiality, availability, integrity or resilience of System Resources or Data. Steps to be taken to create Secure Systems will include the following:
- measures to ensure that any data transmissions using System Resources are made following applicable industry standard security practices, including practices required by Wireless Provider Partners or cellular standards bodies;
- measures to ensure the physical security of all facilities where System Resources under the direct operational control of a party are located;
- measures to control access rights for employees and contractors of a party in relation to its System Resources, including role-based access and multi-factor authentication;
- the measures described in Service Hardening; and
- processes for regularly testing, assessing and evaluating the effectiveness of these technical and organizational measures.
Security Incident has the meaning given in Section 3.6.
Security Incident Response Teams (SIRTs) means any group retained by or working inside a party’s organization or a Service Provider and responsible for handling Security Incidents or providing information about Security Incidents.
Service Hardening means a process for engineering Aeris Services in a way that is intended to secure the Aeris Services (including System Resources and software used to provide the Aeris Services) against Vulnerabilities and known security-related threats and to protect production environments, test environments and network entry points against unauthorized access, changes or tamperingTypical steps to be taken during Service Hardening will include those steps deemed reasonably necessary under the circumstances and may include (a) disabling or removal of all unnecessary or obsolete software ports, functions, services or user accounts that are not required for the Aeris Services to function as required under a Services Agreement, (b) applying configuration changes relevant to security during installation and configuration of the Aeris Services, and (c) testing control objectives and promptly identifying and addressing any deficiencies. During the Services Hardening process, security personnel will take note of relevant security advisories from sources such as governmental, academic or industry groups recognized in the industry as security experts and apply those deemed relevant and necessary. Aeris will take a risk-based approach in designing the Service Hardening process, evaluating potential threats and vulnerabilities and considering industry best practices and the specific context of the Aeris Services being provided in determining best practices. Best practices will adhere to the principles referenced in ISO/IEC 27001-2013 – Information technology – Security techniques – information security management systems – Requirements (“ISO 27001”) and may include others as applicable, such as the Automotive Information Sharing and Analysis Center (“Auto-ISAC”). Aeris will apply those best practices that it deems relevant and necessary for the Aeris Services. Service Hardening applies to Aeris Services themselves and their intended interoperability with all other Aeris System Resources or Customer’s Systems used to provide Aeris Services in accordance with the typical deployment model (or a deployment model as agreed in a Services Agreement). Tools and processes to be used in Service Hardening may include (i) selecting tools and technologies that promote security by nature, such as using SSL Certificates, DNS-based access or REST interfaces, (ii) implementing security within the Aeris Services through password protection, encryption, data segmentation, etc., and (iii) in architecting System Resources and design for deployment, using security provided by underlying infrastructure such as VPNs, NAT, firewalls and the like. Aeris may conduct penetration testing of specific System Resources or software as it deems necessary and prudent or as specifically agreed with Customer in writing, Customer may also discuss with Aeris other reasonable processes Customer believes that Aeris should follow prior to deploying the Aeris Services, and such other processes as mutually agreed will be included within the term “Service Hardening”.
Vulnerability is a weakness in the system design, implementation or configuration which allows an attacker (a) to reduce confidence that the Aeris Services will operate reliably and accurately, or (b) to compromise the integrity or robustness of any System Resources or any Data. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
3. System and Software Security Requirements
3.1 Service Hardening; Security Measures. Aeris will provide Aeris Services and Process Data using only Secure Systems and will use commercially reasonable efforts to contract only with those Service Providers who, in the reasonable opinion of Aeris, provide appropriate service hardening and security for their systems. Unless specifically agreed otherwise, Aeris will have no responsibility for the security of Customer’s System Resources or the System Resources of any other party, including any Service Provider, that are not under the direct operational control of Aeris, and Aeris will have no obligation or liability under this Addendum 1 for the security of or any failure of security related to such System Resources. If Aeris software is installed on any System Resource not managed or controlled by Aeris, its sole obligation is to conduct any Service Hardening or similar processes and to engage in any Service Quality Assurance Test prior to making the software available to the person or entity that will install the software on such System Resource.
Subject to the limitations in the prior paragraph, Aeris will, prior to commercial deployment, perform Service Hardening for its System Resources, including software, required for the Aeris Services as initially deployed for Customer. Before making any material modifications to its System Resources and prior to each major release of software, Aeris will perform additional testing as needed to meet the standards for Secure Systems.
3.2 Service Quality Assurance Test. Prior to commercial deployment and prior to deployment of each major release, Aeris will conduct and subject all major elements of the Aeris Services, including any Mobile Apps, to a Service Quality Assurance Test. If so provided in a Statement of Work, Aeris may agree with Customer on end-to-end testing of the Aeris Services as integrated with Customer, or with systems of Service Provider or other third-party systems to identify Vulnerabilities or other deficiencies that will only surface when the Aeris Services are integrated into a complete system. The Statement of Work will assign responsibility for addressing any such Vulnerability to the proper party.
3.3 Security Assessment. If Customer wishes to conduct a security audit and/or security assessment with respect to the Aeris Services, including any penetration testing or similar evaluation, Aeris will cooperate reasonably with Customer in such review, including providing additional information about steps taken by Aeris in any Service Hardening and any standards and processes Aeris follow. Any such audit or assessment will be at Customer’s expense. Customer agrees that Aeris may impose reasonable restrictions on access to its System Resources to protect the privacy of other customers, and Customer will not conduct any penetration testing or other similar evaluations without the prior written consent of Aeris.
3.4 Security Vulnerabilities. Aeris will monitor the Aeris Services and its System Resources on an ongoing basis in a commercially reasonable and appropriate manner for security weaknesses and will address all deficiencies or security risks promptly based on their probable degree of risk to systems or services or to the confidentiality, availability, or integrity of Data. Aeris will use prudent efforts to keep informed about information published or announced by industry security groups, governmental organizations or other reliable sources relating to system and software security threats that Aeris believes may materially affect the security or other use or operation of the Aeris Services. Aeris will further collaborate with the aforementioned industry and/or governmental organizations or other sources when appropriate to evaluate, assess, and design or develop corrective actions or software updates. If requested by any party with whom it is collaborating to address such Vulnerability, Aeris will maintain information about the Vulnerability and the plan to address it in confidence until such time as public disclosure is approved. If such public disclosure should reasonably be expected to allow the general public to associate the Vulnerability with the services they receive from Customer, Aeris will use good faith efforts to coordinate any public disclosure with Customer. If Customer personnel or End Users detect any potential Vulnerability in any Aeris Services, they are requested to report that Vulnerability to security@aeris.net.
3.5 Security Alerts and Security Updates. At Customer’s request, the SIRT or similar organization of Aeris will contact the similar organization of Customer to establish a secure channel of communication between the parties for the purposes of enabling the co-ordination of any information related to any Vulnerabilities in the Aeris Services or in any other security flaw that comes to the attention of either party.
If Aeris personnel become aware, whether through monitoring of its System Resources or by public disclosure, such as by public Vulnerability tracking databases, of any security-related threats that Aeris believes may materially affect the use, operation or security of the Aeris Services, Aeris will provide to Customer a preliminary notification of such threats without unreasonable delay. For “highly critical” security issues (linked to Common Vulnerability Scoring System (CVSS) base score 7-10), Aeris will (a) inform Customer without undue delay after the Vulnerability has become publicly known if the security issue could potentially have a material adverse impact upon Customer, its End Users, Customer Services or the Aeris Services, and (b) agree on possible mitigation measures (e.g. by providing a workaround or by applying fixes, patches and other updates), taking into account the level of the threat and complexity of dependencies to other parts of the Aeris Services, the operating environment in which the Aeris Services are deployed, or the involvement of elements used in Customer Application that are not under the direct control of Aeris.
Notwithstanding anything to the contrary contained in a Services Agreement or elsewhere in this Addendum 1, it is expressly agreed and understood that, subject to any confidentiality obligation under Section 3.4, Customer may be required and will have the right to inform its customers and End Users of any security related threats related to the Aeris Services.
It is expressly agreed and understood that security-related issues and threats observed or experienced in the Aeris Services will be assigned a severity level based upon assessment of the potential impact of the issue on the Aeris Services or Data, and that response and resolution efforts will vary based on the severity level applicable to a particular Vulnerability.
3.6 Security Incidents. Each party agrees to provide to the other written notice reasonably promptly after discovery of (a) any breach or penetration of any of its respective System Resources that has resulted or should reasonably be expected to result in access by unauthorized persons to its own System Resources or to any systems of the other through any VPN or other points of interconnection, (b) any actual loss or unauthorized access to or processing of Data maintained or stored by Aeris or its Service Providers, or (c) any pending or threatened enforcement proceeding, action or lawsuit, or any pending or threatened enforcement proceeding, action, lawsuit, brought or threatened against Aeris or its Service Providers and relating in any way to security of Data (each a “Security Incident”. Obligations with respect to Security Incidents involving Personal Data are set forth in Section 4 below.
3.7 Review. Aeris will provide to Customer on request its high-level information security policies documents that outline the major security control objectives that guide its activities relating to system design, performance of services, and handling of sensitive data. Aeris will make knowledgeable personnel available to meet periodically with Customer to discuss its system and data security practices, including (a) an overview of its security risk assessment and remediation processes, (b) a review of how Aeris designs and manages its services and systems for fault tolerance, including recovery after any type of disaster, and how its personnel are empowered to act in the event of any adverse event, including any loss of key personnel or of any critical system component. The review may cover how Aeris control objectives are tested and how deficiencies are identified and addressed, as well as how production environments, test environments and network entry points are protected to prevent unauthorized product changes or tampering. If Aeris reasonably believes that any major change to its system architecture could present a risk to system security, Aeris will notify the person designated by Customer of the proposed change in advance and be prepared to discuss the issue with such designated person.
4. Data Security and Privacy
4.1 Definition of Personal Data. The term “Personal Data” means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. ‘Personal Data’ includes Account Data, End User Data, Location Data (subject to the limitation below), or other Data which reveals information about a specific natural person either directly or through reference to information that enables, or, through association with other information under the control of or accessible to Aeris, could reasonably be expected to enable, identification of a specific natural person, such as (i) a government identification number or passport number for a person or (ii) a Device identifier for equipment (such as a vehicle) owned by a private individual where the identifier, such as a VIN, is maintained in a public database, or could be used to locate or establish communication with a specific natural person (such as mobile number, physical address or IP address). Location Data will be considered Personal Data either (a) whenever it is associated in Aeris systems with other Personal Data relating to that data subject, or (b) alone if the Location Data is likely to indicate the location of a specific natural person (e.g., GPS coordinates indicating a specific residence address, as opposed to a commercial building or a cell tower located in a general area and serving multiple persons).
4.2 Privacy Engineering. Aeris will use reasonable and prudent efforts to design the Aeris Services with respect to their collection and use of Personal Data in compliance with Applicable Data Laws and following commonly-accepted principles of Privacy Engineering. Customer will be responsible for applying Privacy Engineering to Customer Applications and Customer Services as it deems appropriate. If Customer requests that Aeris develop or modify any Aeris Service to meet its specifications, and Aeris reasonably believes that Customer’s design could be expected to pose a risk to the rights and freedoms of natural persons, Customer agrees that Aeris may conduct, with Customer’s cooperation, a privacy impact assessment and suggest any changes that may be prudent to protect the privacy of data subjects.
4.3 Safeguards. Aeris will at all times maintain a comprehensive written information security policy, train its personnel in its requirements, and monitor performance and compliance. Aeris will implement and maintain at all times appropriate operational, managerial, physical and technical measures to protect all Data in its custody and control against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access. Measures will be commensurate with the sensitivity or commercial value of the Data, with the requirements of Applicable Data Laws, or with the impact on Aeris Services. Aeris will limit access to Data solely to those of its employees or Service Providers who have a well-defined “need-to-know”, who have been notified of the obligations of Aeris with respect to Data, are bound by appropriate confidentiality and data security obligations, and who have received appropriate training in data privacy practices.
If Applicable Data Laws require that any categories of Data in the possession or control of a party be encrypted in transit or at rest, Aeris and Customer will discuss which party should have responsibility for encryption of such Data, and the nature of such encryption. Where Aeris has that responsibility, it agrees to encrypt the Data using appropriate protocols.
Customer will be responsible for implementing appropriate security measures to protect Data transmitted to or from Customer Devices or its Data facilities, including, where required or appropriate, providing for the encryption of Data either in transit or at rest.
4.4 Processor and Controller. Aeris will be the Controller with respect to Account Data and Service Data and will be the Processor with respect to all other categories of Data. Customer is the Controller with respect to End User Data, Location Data and all other Personal Data collected or Processed by Aeris in order to provide Aeris Services to Customer and its End Users.
Aeris will notify Customer of any subcontractors who will have actual access to Personal Data, including information about the reason for such access. Aeris will keep accurate records of all processing of Personal Data under a Services Agreement. If Applicable Data Laws require that a data processor encrypt any categories of Personal Data in its possession or control in transit or at rest, Aeris will encrypt such Personal Data using appropriate protocols.
Customer will be responsible for implementing appropriate security measures to protect Data originating from or transmitted to Customer’s Devices or Customer Application or Data facilities, including, where required or appropriate, providing for the encryption of Data either in transit or at rest.
4.5 Consent to Collection of Personal Data. Customer will have the sole responsibility to determine the need for obtaining, and to obtain, the Consent of any natural person, including any of its End Users, Representatives or Account Users, to the collection and use of that person’s Personal Data with respect to the use of Aeris Services and to providing Customer Services. Aeris may also collect or Process Personal Data on Customer’s behalf where you inform us that it is not reasonably practicable to obtain Consent and that Customer has a lawful basis or legitimate interest in collection or use of such Data, such as the need to use that Data to perform a contract or to protect the interests of a data subject, and where the Processing should not be expected to threaten the fundamental rights and freedoms of a data subject. Where Consent is the only lawful basis for Processing any Personal Data and Customer is not able to obtain Consent, Customer understands that, if Aeris cannot use the Personal Data, Aeris may not be able to continue to provide services to Customer or with respect to the data subjects who did not give Consent or who withdrew Consent.
4.6 Compliance with Applicable Data Laws. Aeris agrees to process Data, including Personal Data, in compliance with all Applicable Data Laws in each Territory in which Aeris will provide Aeris Services to Customer. Aeris will not be required to comply with any specific obligations with respect to any Data, such as Payment Card Industry (PCI) or similar data security standards or any laws concerning “protected health information” (PHI) as defined in 45 CFR 10.103 or any similar law or regulation in any jurisdiction, unless Aeris has explicitly agreed to such obligations in a Services Agreement. Customer will have responsibility for complying with Applicable Data Laws applicable to the services provided by Customer using Customer Application in each Territory, including obtaining appropriate Consent from any End User or other person for the collection or use of Data in connection with Customer Application.
4.7 Data Facilities. Aeris may process and store Data using Data Facilities in the location of its choice except as required by Applicable Data Laws and except as Aeris has explicitly agreed with Customer in a Services Agreement. If providing Aeris Services will involve Processing of Data originating in a Restricted Jurisdiction, Aeris will notify Customer whether Aeris has Data Facilities in such Restricted Jurisdiction. If so, Aeris will make every reasonable effort to Process and store Data in Data Facilities located in that Restricted Jurisdiction. If it does not have access to Data Facilities in any Restricted Jurisdiction, or if Customer would like for Aeris to Process and store Data in any other location where it does not then have access to Data Facilities, the parties will discuss the request in accordance with the change control provisions of the Services Agreement. Customer will be responsible for the costs associated with contracting with or establishing and maintaining such Data Facilities.
4.8 Transfer of Personal Data. If Aeris receives Personal Data in a Restricted Jurisdiction, Aeris agrees that neither Aeris nor its Sub-Processors will transfer or process such Personal Data outside the Restricted Jurisdiction without Customer’s specific prior written authorization unless (a) a specific contractual clause in a Services Agreement authorizes such transfer or processing, (b) such transfer and Processing is required in order to provide Aeris Services to Customer and its End Users, or (c) there is another legitimate reason for such transfer and Processing, including an appropriate and effective Consent from the data subjects authorizing the transfer. If required by the Applicable Data Laws, Aeris agrees that all receipt and Processing of Personal Data by it or any Sub-Processor in any jurisdiction deemed not to ensure an adequate level of data protection will be undertaken only in compliance with the Standard Contractual Clauses, unless such transfer has been approved by the applicable data protection regulatory authority in the Restricted Jurisdiction, or is made in reliance on any approved framework permitting the lawful transfer of the Personal Data outside of a Restricted Jurisdiction, such as the Privacy Shield program.
For Aeris Services provided through Aeris Sites located in the United States, Customer agrees that the use of the Aeris Sites and the collection of information from Customer, its Account Users or its End Users, including Personal Data collected for creation of access credentials for use of Accounts and the Aeris Sites, occurs in the United States and is not a transfer of Personal Data by Aeris to the United States.
4.9 Ownership and Use of Data. As between Customer and Aeris, Aeris agrees that Account Data, End User Data and Personal Data are Customer’s exclusive property. Unless specifically agreed otherwise in writing, and except as required to provide the Aeris Services and perform obligations under a Services Agreement, Aeris agrees that, during and after the term of a Services Agreement, it will not (a) access, use, edit, modify, create derivatives, combinations or compilations of, reproduce, display, or otherwise Process the Data owned by Customer, in part or in whole, (b) disclose or transfer such Data to any third party other than its authorized Service Providers or Sub-Processors, or (c) sell or license such Data to any third party. Aeris agrees not to use Personal Data for purposes of marketing any goods or services except as expressly agreed with Customer in an affirmative writing and in compliance with applicable law. Notwithstanding the foregoing, Customer agrees that (a) Aeris may transform Application Data and Event Data into a form that does not contain Personal Data or other Confidential Information belonging to Customer through pseudonymization using such techniques as are generally understood in the industry as not to permit the discovery of Personal Data directly or through reverse engineering, (b) that such transformed data will cease to be Confidential Information upon completion of such pseudonymization, and (c) that Aeris will own and be able to use such transformed and anonymized data for its own internal or commercial purposes.
If so requested by Customer within 90 days of termination or expiry of a Services Agreement, Aeris will provide to Customer within a commercially reasonable time a complete copy in a mutually agreeable form of all current Account Data and End User Data that is in its possession and reasonably accessible to it. Aeris will (and will procure that its Service Providers or Sub-Processors will) promptly destroy all other Personal Data in its or their possession and under its or their control except as may be necessary to establish a legal defense against any actual or potential claim.
All other Data will be the property of Aeris, and Aeris will have no obligation to make any such Data available to Customer.
4.10 Processing of Data. Aeris will Process Personal Data only in accordance with the documented instructions of Customer and will keep accurate records of all Processing of Personal Data under a Services Agreement. Aeris and Customer each agree that each Services Agreement is the complete and final documented instruction to Aeris in relation to Data relating to that Services Agreement, and Customer instructs Aeris to Process Personal Data in order to provide the Aeris Services in accordance with such Services Agreement and all Applicable Laws. Whether Aeris is the Controller or Processor, Aeris agrees that it will only Process Data lawfully and fairly and as required in connection with its performance of the Aeris Services. When Processing Data as the Processor, Aeris agrees that it will only Process Data as necessary to provide the Aeris Services in compliance with a Services Agreement or otherwise in accordance with any additional documented instructions provided to us by Customer. Additional instructions outside the scope of any Services Agreement (including these Terms) or Customer’s instructions will require prior written agreement between the parties, including agreement on any additional fees payable to Aeris for carrying out those instructions. Customer will be responsible for ensuring that its instructions comply with all Applicable Laws and that Processing of Data in accordance with its instructions will not cause Aeris to be in breach of such laws. Aeris will restrict its personnel from Processing Personal Data unless such personnel have authorization to Process and are subject to appropriate contractual obligations regarding confidentiality, data security and data protection.
4.11 Use of Third Party Sub-Processors in Data Processing. Aeris may contract with Sub-Processors as necessary to provide the Aeris Services under a Services Agreement, and Customer consents to the use of all such Sub-Processors to carry out these Processing activities on Customer’s behalf. Aeris will on request provide a list of Sub-Processors used in providing Aeris Services. With respect to all Sub-Processors, Aeris agrees that it will:
restrict the Sub-Processor’s access to Data, including Personal Data, only to what is necessary to provide the Aeris Services to Customer and its End Users in accordance with a Services Agreement, and prohibit the Sub-Processor from accessing or using Data for any other purpose;
enter into a written agreement with the Sub-Processor containing essentially similar obligations and covenants concerning the Processing of Data, including Personal Data, as are applicable to us under this Addendum 1 or a Services Agreement; and
remain primarily liable for compliance by the Sub-Processor with the obligations hereunder and for the acts and omissions of the Sub-Processor that cause Aeris to be in breach of its obligations.
4.12 Customer Compliance with Applicable Data Laws. If requested by Customer for purposes of its compliance with Applicable Data Laws, or if required by mandatory law in order for Aeris to comply with Applicable Data Laws, Aeris will provide such forms or other agreements or documents as Customer may reasonably require relating to Processing of Personal Data by Aeris or its Sub-Processors or Service Providers, including, if necessary, filing any necessary registration or other forms with applicable governmental authorities.
4.13 Data Breach Notification to Customer. If Aeris discovers or receives credible information concerning (a) any Data Breach involving unauthorized or unlawful destruction, loss, alteration, disclosure of or access to Personal Data maintained or stored by Aeris or its Sub-Processors or Service Providers, (b) any third party notification of a Data Breach or violation of Applicable Data Laws by Aeris or its Sub-Processors or Service Providers; or (c) any enforcement proceeding, action, or lawsuit brought or threatened against Aeris or its Sub-Processors or Service Providers by any party or governmental authority relating in any way to Personal Data, then Aeris will provide prompt written notification to Customer as required by Applicable Data Laws. Aeris will include in the notification such information about the Data Breach as it is reasonably able to disclose. This obligation to report or respond to a Data Breach will not be construed as an acknowledgement by Aeris of any fault or liability with respect to such Data Breach.
4.14 Data Breach Remediation. To the extent any Applicable Data Laws require that a person or organization (including any data processing authority) be notified of a Data Breach, the parties will promptly confer to determine which of them has the primary obligation under Applicable Data Laws to provide such notification. For any notification required to be made by Customer, Aeris will provide to Customer such information about the Data Breach as Aeris may reasonably disclose, taking in to account the nature of the Aeris Services, the information available to Aeris, and any restrictions on disclosing the information, including confidentiality obligations.
If Aeris has the primary obligation to notify any End Users or any governmental authorities of a Data Breach, Aeris will (a) use reasonable efforts to obtain Customer’s prior written approval of the content, form and timing of any notices to your End Users, (b) promptly provide notice to governmental authorities containing such information as is mandated by Applicable Data Laws, (c) provide to affected persons, directly or through a third party, remediation services and other reasonable assistance as may be required under Applicable Data Laws, requested by governmental authorities, or as agreed between Aeris and Customer, and (d) reasonably cooperate with Customer in otherwise responding to such Data Breach. Aeris will bear all costs related to its responsibilities set forth above.
With respect to any Data Breach involving the System Resources of Aeris or its Sub-Processors or Service Providers, Aeris will conduct or require that they conduct any forensic and security reviews and audits as may be reasonably necessary in connection with such Data Breach to determine cause. Aeris e will act prudently and promptly to remediate its practices or System Resources to prevent future incidents and will require any Sub-Processors or Service Providers to do the same.
4.15 Rights of Data Subjects. If informed by Customer that the Services must be designed to comply with the rights of data subjects under Applicable Data Laws to access or delete Personal Data, then the parties will discuss the procedures to be used. If Aeris already has acceptable procedures in place, Aeris will follow those procedures to process such data subject requests at no additional charge. If Aeris does not have such procedures in place and would not be required to establish such procedures in order to ensure its own compliance where it has the primary relationship with data subjects, then the parties will discuss the development of such procedures in accordance with the change control requirements of their Services Agreement, taking into account the nature of the Aeris Services provided, and Customer’s specific instructions. The parties specifically agree that Aeris will not respond directly to any request received from a data subject for access to Personal Data held by Aeris pursuant to a Services Agreement with Customer, and that Aeris will refer such request to Customer as directed by Customer.
4.16 Government Access to Data. Aeris will not disclose any Data, including Personal Data, to any government or any third party except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or other court order) issued to Aeris by any law enforcement or other government agency with apparent authority in any Territory, including (a) requests for any Data relating to a Device or End User and (b) requests for cooperation with electronic surveillance of any Device or End User. If a law enforcement agency sends Aeris a demand for any Data or Personal Data relating to Customer, its Account Users or End Users, Aeris will attempt to redirect the law enforcement agency to request that Data directly from Customer, and may provide basic contact information to the law enforcement agency. If compelled to disclose any of such Data to a law enforcement agency, then Aeris will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Aeris is legally prohibited from doing so, and will disclose only that portion of Data as it is required to disclose.
4.17 Data Retention. Aeris may retain Data as required to provide Aeris Services and otherwise in accordance with these Terms. Aeris will have no obligation to Customer to retain any Data for any specific period except as explicitly agreed in a Services Agreement. Aeris will handle Personal Data and retain it in compliance with these Terms, its Privacy Policy and Applicable Law.
5. Business Continuity and Disaster Recovery; Data Storage
5.1 Appropriate Design for Resilience. Aeris will design the Aeris Services and its System Resources and Data Facilities in a manner reasonably and prudently calculated to provide a highly available, secure and accurate service that appropriately protects confidential information and avoids and mitigates service disruptions in the event of any adverse event, including any loss of key personnel or of any critical system component. Aeris will put in place appropriate plans and arrangements within its organization, based on risk analysis and stakeholder expectations, covering critical business operations involved in delivery of Aeris Services, will train personnel and Service Providers in such plans and in their roles and responsibilities, and will test the plans periodically to ensure that they perform as expected in terms of failover, redundancy and recovery. Aeris will make knowledgeable personnel available to meet periodically with Customer to discuss how Aeris designs and manages its services and systems for fault tolerance, including recovery after any type of disaster, and how its personnel are empowered to act. The review may cover how control objectives are tested and how deficiencies are identified and addressed, as well as how production environments, test environments and network entry points are protected to prevent unauthorized product changes or tampering.
5.2 Appropriate Design for System Availability. Aeris will design its System Resources to have the availability requirements agreed to meet the agreed recovery time objectives that Aeris believes are prudent or that have been separately agreed with Customer.
5.3 Appropriate Design for Data Availability. Aeris will design the Data Facilities to provide security and redundancy in the processing and storage of Data commensurate with the importance of such Data or as specifically agreed with Customer. Redundancy and failover plans and recovery times will be designed based on the business need for timely access to such Data.
5.4 Litigation Hold. Aeris agrees, upon receipt of notice of any “litigation hold” from Customer describing any categories of Data subject to the hold, to immediately cease destruction or deletion of any such Data for the period of time specified in the request.
* End of Addendum 1*