SAAS TERMS OF SERVICE
THESE SAAS TERMS OF SERVICE (THE “TERMS”
OR THIS “AGREEMENT”) ARE A LEGAL AGREEMENT BETWEEN THE ENTITY ON WHOSE BEHALF
YOU ARE AGREEING TO THIS AGREEMENT (“CUSTOMER”) AND CELLEBRITE. BY
CLICKING THE "I ACCEPT" BUTTON, EXECUTING AN ORDER FORM THAT INCLUDES
THESE TERMS BY REFERENCE, ACCESSING OR USING THE CELLEBRITE SERVICES, CUSTOMER
ACKNOWLEDGES THAT CUSTOMER HAS REVIEWED AND ACCEPTS THESE TERMS. YOU ARE AGREEING TO
THESE TERMS AS A REPRESENTATIVE OF AN ENTITY, AS A REPRESENTATIVE OF CUSTOMER, AND
YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER. IF CUSTOMER DOES
NOT AGREE WITH ALL OF THESE TERMS, DO NOT ACCESS OR OTHERWISE USE THE CELLEBRITE
SERVICE REFERENCED IN THE ORDER FORM. CELLEBRITE MAY MAKE CHANGES TO THE CELLEBRITE
SERVICES AND TO THESE TERMS AT ANY TIME.
“Activation
Date” means the date, set forth in the applicable Order Form, on which
the Cellebrite Service is scheduled to be made available to Customer.
“Affiliate”
means any entity, now or hereafter existing (so long as such entity does not
have its own agreement with Cellebrite for use of the Software or access and
use of the Cellebrite Services) that directly or indirectly, through one or
more intermediaries, controls, is controlled by, or is under common control
with the subject entity. For purposes of this definition, “control”
means direct or indirect possession of the power to direct or cause the
direction of the management and policies of an entity, whether through the
ownership of voting securities, by contract or otherwise. An entity shall be
considered an “Affiliate” only so long as that entity meets the foregoing
definition.
“Ancillary
Services” means implementation, training or consulting services that Cellebrite
may perform as described in an Order Form.
“Authorized
Purposes” means Customer’s internal business purposes.
“Authorized Users”
means the number of Users that Customer is licensed to have access to the
Services, all as set forth in the Order Form.
“Cellebrite”
means Cellebrite DI Ltd. or its Affiliate that has
an agreement with Customer and/or issues invoices to Customer with respect
to the Services.
“Cellebrite
Service” means the Cellebrite Software as a Service (“SaaS”) to
be provided by Cellebrite to Customer pursuant to these Terms and any
applicable Order Form, and for all purposes of these Terms, such services
exclude any Open Source Software that may be used to provide the Cellebrite
Service and all Third Party Offerings.
“Customer
Data” means all data, including Personal Information, submitted, stored,
posted, displayed, or otherwise transmitted to the Cellebrite Service by or on
behalf of Customer, including without limitation by any User.
“Customer
System” means Customer’s internal website(s), servers and other
equipment and software used in the conduct of Customer’s business.
“Documentation”
means the printed, paper, electronic or online user instructions and help files
made available by Cellebrite for use with the Cellebrite Service, as may be
updated from time to time by Cellebrite.
“Intellectual
Property Rights” means all intellectual property rights or similar
proprietary rights, including (a) patent rights and utility models, (b)
copyrights and database rights, (c) trademarks, trade names, domain names and
trade dress and the goodwill associated therewith, (d) trade secrets, (e) mask
works, and (f) industrial design rights; in each case, including any
registrations of, applications to register, and renewals and extensions of, any
of the foregoing in any jurisdiction in the world.
“Malicious
Code” means viruses, worms, time bombs, Trojan horses and other harmful
or malicious code, files, scripts, agents or programs.
“Named Users” means a User authorized
by Customer to access or use the Services through the assignment of a single user ID, regardless of
whether such User is using the Services at any given time. A non-human device
capable of accessing or access the Services is counted as a Named User.
“Open
Source Software” means
all software that is available under the GNU Affero General Public License
(AGPL), GNU General Public License (GPL), GNU Lesser General Public License
(LGPL), Mozilla Public License (MPL), Apache License, BSD licenses, or any
other license that is approved by the Open Source Initiative (www.opensource.org).
“Order
Form” means a purchase order submitted by Customer
to Cellebrite. Affiliates of Customer may purchase licenses to access and use
the Cellebrite Service, or receive Support Services or Ancillary Services,
subject to these Terms by executing separate Order Forms hereunder, and by
executing an Order Form, that Affiliate of Customer shall be bound by these
Terms as if it were an original party hereto.
“Personal Information”
means (i) all data that identifies an individual or, in combination with any
other information or data available to a relevant entity, is capable of
identifying an individual, and (ii) such other data that is defined as
“personal information” or “personal data” under applicable law.
“Services”
means the Cellebrite Service, Support Services and any Ancillary Services.
“Statement
of Work” means a written statement of work entered into and signed by
the parties describing the Ancillary Services to be provided by Cellebrite to
Customer.
“Subscription
Term” means the subscription period for Customer’s use of the Cellebrite
Service set forth in an Order Form.
“Support
Services” means the support and maintenance services offered by Cellebrite
and purchased by Customer pursuant to an Order Form.
“Third
Party Offerings” means certain software or services delivered or
performed by third parties that are required for the operation of the Cellebrite
Service, or other online, web-based CRM, ERP, or other business application
subscription services, and any associated offline products provided by third
parties, that interoperate with the Cellebrite Service.
“User”
means a person for whom access to the Cellebrite Services during the
Subscription Term have been purchased pursuant to an Order Form, (b) who are
authorized by Customer to access and use the Cellebrite Service, and (c) where
applicable, who have been supplied user identifications and passwords for such
purpose by Customer.
2.
ORDERS;
LICENSES; AND RESTRICTIONS.
2.1
Orders. Subject to the
terms and conditions contained in these Terms, Customer may purchase
subscriptions to access and use the Cellebrite Services pursuant to Order
Forms. Unless otherwise specified in the applicable Order Form, Cellebrite
Services are purchased as User and storage space subscriptions and may be
accessed by no more than the number of Users specified in the applicable Order
Form. Additional User and/or storage space subscriptions may be added at any
time during the applicable Subscription Term, prorated for the remainder of the
Subscription Term in effect at the time the additional User and/or storage
space subscriptions are added and invoiced separately from the then-existing
User and/or storage space subscriptions, as applicable, for the remainder of
such Subscription Term. The added User and/or storage space subscriptions,
shall terminate on the same date as the pre-existing subscriptions. Unless
otherwise specified in the applicable Order Form, User subscriptions are for
designated Users only and cannot be shared or used by more than one User, but
may be reassigned to new Users replacing former Users who no longer require
ongoing use of the Cellebrite Services. Customer agrees that its purchases
hereunder are neither contingent on the delivery of any future functionality or
features nor dependent on any oral or written public comments made by Cellebrite
regarding any future functionality or features. If there is any inconsistency
between an Order Form and these Terms, the Order Form controls.
2.3
Restrictions. Customer shall not, directly or indirectly, and Customer
shall not permit any User or third party to: (a) reverse engineer,
decompile, disassemble or otherwise attempt to discover the object code, source
code or underlying ideas or algorithms of the Cellebrite Service;
(b) modify, translate, or create derivative works based on any element of
the Cellebrite Service or any related Documentation; (c) rent, lease,
distribute, sell, resell, assign, or otherwise transfer its rights to use the Cellebrite
Service; (d) use the Cellebrite Service for timesharing purposes or
otherwise for the benefit of any person or entity other than for the benefit of
Customer and Users; (e) remove any proprietary notices from the
Documentation; (f) publish or disclose to third parties any evaluation of
the Cellebrite Service without Cellebrite’s prior written consent; (g) use the
Cellebrite Service for any training purposes, other than for training
Customer’s employees, where Customer charges fees or receives other
consideration for such training, except as authorized by Cellebrite in writing;
(g) deactivate, modify or impair the functioning of any disabling code in any
Software; (h) use the Cellebrite Service for any purpose other than its
intended purpose; (i) interfere with or disrupt the integrity or performance of
the Cellebrite Service; (j) introduce any Open Source Software into the Cellebrite
Service; (k) attempt to gain unauthorized access to the Cellebrite Service or
their related systems or networks; (l) use the Cellebrite Service in violation
of any applicable law (including but not limited to any law with respect to
human rights or the rights of individuals) or to support any illegal activity
or to support any illegal activity; or (n) use the Cellebrite Service to
violate any rights of any third party.
3.
THIRD PARTY OFFERINGS.
3.1
Customer
acknowledges and agrees that the access and use of any Service (or certain
features thereof) may involve access
and/or use of Third Party Software. In addition to the Agreement, Customer shall
comply with the terms and conditions applicable to any such Third
Party Software, including without limitation the following terms and
conditions: i. BingMaps - https://www.microsoft.com/en-us/maps/product/terms-april-2011; http://aka.ms/BingMapsMicrosoftPrivacy; ii. OpenStreetMap – http://www.openstreetmap.org/copyright.
3.2
No
Implied Licenses. Except for the express licenses set forth herein, Cellebrite
does not grant any license to Customer, whether by implication or otherwise.
3.3
Open Source Software. Services
may
use and/or be provided with third party open source software, libraries or other components (“Open Source
Component”). To the extent so stipulated by the license that
governs each Open Source Component (“Open Source License”), each such
Open Source Component is licensed directly to Customer from its respective licensors and
not sublicensed to Customer by Cellebrite, and such Open
Source Component is subject to its respective Open
Source License, and not to this
Agreement. If, and to the
extent,
an Open Source Component requires that this Agreement effectively impose, or
incorporate by reference, certain disclaimers, permissions, provisions,
prohibitions or restrictions, then such
disclaimers, permissions, provisions, prohibitions or restrictions shall be
deemed to be imposed, or incorporated by reference into this Agreement, as
required, and shall supersede any conflicting provision of this Agreement,
solely with respect to the corresponding Open
Source Component which is governed by
such Open Source License.
If
an Open Source License requires that the source code of its corresponding Open
Source Component be made available to Customer, and such source code was not delivered to Customer with the Software, then Cellebrite hereby extends a written offer,
valid for the period prescribed in such Open Source License, to obtain a copy of the source code of the corresponding
Open Source Component, from Cellebrite. To accept this offer, Customer
shall contact
Cellebrite at support@cellebrite.com.
4.
PASSWORDS; SECURITY.
4.1
Passwords. Customer shall
be, and shall ensure that each of their Affiliates and their respective Users
are, responsible for maintaining the confidentiality of all user logins and
passwords and for ensuring that each user login and password is used only by
the User. Customer is solely responsible for any and all access and use of the
Cellebrite Services. Customer shall, and shall ensure that Customer’s Affiliates,
restrict its Users from sharing passwords. Customer agrees to immediately
notify Cellebrite of any unauthorized use of or access to any account, or any
other breach of security known to Customer. Cellebrite shall have no liability
for any loss or damage arising from Customer’s failure to comply with the terms
set forth in this Section.
4.2
No Circumvention of Security.
Neither Customer nor any of Customer’s Affiliates nor any User may circumvent
or otherwise interfere with any user authentication or security of the Cellebrite
Service. Customer will immediately notify Cellebrite of any breach, or
attempted breach, of security known to Customer.
4.3
Security. Each of
Cellebrite and Customer represents and warrants that it complies, and at all
times during the term of this Agreement, will comply with all data protection,
privacy and security laws applicable to each in its performance under this
Agreement. Cellebrite will use commercially reasonable efforts to maintain
appropriate administrative, physical and technical safeguards designed to protect
the security, confidentiality and integrity of Personal Information in a manner
consistent with what Cellebrite supplies generally to its other customers and
in compliance with applicable law. Notwithstanding the foregoing, Customer
acknowledges that, notwithstanding any security precautions deployed by Cellebrite,
the use of, or connection to, the Internet provides the opportunity for
unauthorized third parties to circumvent such precautions and illegally gain
access to the Cellebrite Services and Customer Data. Cellebrite does not
guaranty the privacy, security, integrity or authenticity of any information
transmitted over or stored in any system connected to or accessible via the
Internet.
4.4
Data Processing Addendum. The
data processing addendum attached hereto as Exhibit A shall apply to the
parties’ processing of Personal Information.
5.
CUSTOMER OBLIGATIONS.
5.1
Customer System. Customer
is responsible for (a) obtaining, deploying and maintaining the Customer
System, and all computer hardware, software, modems, routers and other
communications equipment necessary for Customer, its Affiliates and their
respective Users to access and use the Cellebrite Services via the Internet;
(b) contracting with third party ISP, telecommunications and other service
providers to access and use the Cellebrite Services via the Internet; and
(c) paying all third party fees and access charges incurred in connection
with the foregoing. Except as specifically set forth in these Terms, an Order
Form or a Statement of Work, Cellebrite shall not be responsible for supplying
any hardware, software or other equipment to Customer under these Terms.
5.2
Acceptable Use Policy.
Customer shall be solely responsible for its actions and the actions of its
Users while using the Cellebrite Service. Customer represents, warrants and
agrees that it does and will: (a) abide by all local, state, national, and
international laws and regulations applicable to Customer’s use of the Cellebrite
Service, including without limitation the provision and storage of Customer
Data; (b) not send or store data on or to the Cellebrite Service which violates
the rights of any individual or entity established in any jurisdiction; (c) not
to upload in any way any information or content that contain Malicious Code or
data that may damage the operation of the Cellebrite Services or another's
computer or mobile device; (d) not to use the Cellebrite Service for illegal,
fraudulent, unethical or inappropriate purposes; (e) not to interfere or
disrupt networks connected to the Cellebrite Service or interfere with other
ability to access or use the Cellebrite Service; (f) not to interfere with
another customer’s use of the Cellebrite Service or another person or entity's
use of similar services; (g) not to use the Cellebrite Service in any manner
that impairs the Cellebrite Service, including without limitation the servers
and networks on which the Cellebrite Service is provided; (h) to comply with
all regulations, policies and procedures of networks connected to the Cellebrite
Service and Cellebrite’s service providers; and (i) to use the Cellebrite
Services only in accordance with the Documentation. Customer acknowledges and
agrees that Cellebrite neither endorses the contents of any Customer
communications, Customer Data or other information nor assumes any
responsibility for any offensive material contained therein, any infringement
of third party Intellectual Property Rights arising therefrom or any crime
facilitated thereby. Cellebrite may remove any violating content posted or
stored using the Cellebrite Service or transmitted through the Cellebrite
Service, without notice to Customer. Notwithstanding the foregoing, Cellebrite
does not guarantee, and does not and is not obligated to verify, authenticate,
monitor or edit the Customer Data, Other Information, or any other information
or data input into or stored in the Cellebrite Service for completeness,
integrity, quality, accuracy or otherwise. Customer shall be responsible and
liable for the completeness, integrity, quality and accuracy of Customer Data
and Other Information input into the Cellebrite Services. Cellebrite reserves
the right to amend, alter, or modify Customer’s conduct requirements as set
forth in these Terms at any time.
5.3
Permissions and Responsibilities
for Customer Data. Customer represents, warrants and agrees that: (i)
it has provided and will provide all notices, and has obtained and will obtain,
all approvals, permits, licenses, consents, authorizations, registrations,
permissions, certifications, rulings, orders, judgements and other
authorizations from any applicable person, employee representative body,
regulatory authority, or third party entity or person necessary for Customer’s
or its Users’ use of the Cellebrite Services and for Cellebrite to perform or
provide any services related to the Cellebrite Services, including, but not
limited to, Cellebrite’s processing the Customer Data for the such purposes (“Permissions”).
Permissions include rights for Cellebrite to use, access, intercept, analyze,
transmit, copy, modify, and store all of the intellectual property rights, Customer
Data, Personal Information, confidential information, or other data or
information that may be used, accessed, intercepted, transmitted, copied,
modified or stored by Cellebrite to perform or provide any Cellebrite Services
to Customer; (ii) it has the right to be in possession of, access, interact
with and otherwise use, all devices, equipment, programs, data (including
Customer Data) and media (including any telecommunications systems) that are
being used in connection with the Cellebrite Services and that the use of the
Cellebrite Services, including any instructions given to Cellebrite in
connection with the same, is made in compliance with all applicable laws; and
(iii) all information provided by or on behalf of Cellebrite during the term of
the Agreement shall be complete and accurate in all material respects, and that
Customer is entitled to provide the information to Cellebrite for its use as
contemplated under the Agreement. Customer acknowledges that: (i) Customer is
exclusively responsible to determine what Customer Data it feeds into the
Services and is solely responsible to determine the nature, content,
characteristics of the Customer Data that it feeds into the Services; and (ii)
Cellebrite assumes no responsibility for the nature, content, characteristics
or consequences of the Customer Data (whether in their form inbound to the
Services, or in their form outbound back to the Customer), and that Customer
shall have no plea, claim or demand, and waives any such claims, pleas or
demands, of whatever nature, for any of the foregoing.
5.4
Accuracy of Customer’s Contact
Information; Email Notices. Customer agrees to provide accurate, current
and complete information as necessary for Cellebrite to communicate with
Customer from time to time regarding the Services, issue invoices or accept
payment, or contact Customer for other account-related purposes. Customer
agrees to keep any online account information current and inform Cellebrite of
any changes in Customer’s legal business name, address, email address and phone
number. Customer agrees to accept emails from Cellebrite at the e-mail
addresses specified by its Users for login purposes, and to receive updates and
marketing communications from Cellebrite. In addition, Customer agrees that Cellebrite
may rely and act on all information and instructions provided to Cellebrite by
Users from the above-specified e-mail address.
5.5
Temporary Suspension. Cellebrite
may temporarily suspend Customer’s, its Affiliates’ or their respective Users’
access to the Cellebrite Services in the event: (i) that either Customer, its
Affiliates or any of their Users is engaged in, or Cellebrite in good faith
suspects Customer, its Affiliates’ or any of their Users is engaged in, any
unauthorized or unlawful conduct (including, but not limited to any violation
of these Terms), or (ii) Cellebrite is required to do so under the orders of a
court or other governmental body having jurisdiction over Customer or
Cellebrite. Cellebrite will attempt to contact Customer prior to or
contemporaneously with such suspension; provided, however, that Cellebrite’s
exercise of the suspension rights herein shall not be conditioned upon
Customer’s receipt of any notification. A suspension may take effect for
Customer’s entire account and Customer understands that such suspension would
therefore include its Affiliates and User sub-accounts. Customer agrees that Cellebrite
shall not be liable to Customer, any of its Affiliates or Users, or any other
third party if Cellebrite exercises its suspension rights as permitted by this
Section. Upon determining that Customer has ceased the unauthorized conduct
leading to the temporary suspension to Cellebrite’s reasonable satisfaction, Cellebrite
shall reinstate Customer’s, its Affiliates and their respective Users’ access
and use of the Cellebrite Services. Notwithstanding anything in this Section
to the contrary, Cellebrite’s suspension of Cellebrite Services is in addition
to any other remedies that Cellebrite may have under these Terms or otherwise,
including but not limited to termination of these Terms for cause.
Additionally, if there are repeated incidences of suspension, regardless of the
same or different cause and even if the cause or conduct is ultimately cured or
corrected, Cellebrite may, in its reasonable discretion, determine that such
circumstances, taken together, constitute a material breach.
6.
AVAILABILITY; SUPPORT
6.1
Availability. Subject to the
terms and conditions of these Terms, Cellebrite will use commercially
reasonable efforts to make the Cellebrite Service available with minimal
downtime 24 hours a day, 7 days a week; provided, however, that the following
are excepted from availability commitments: (a) planned downtime (with regard
to which Cellebrite will use commercially reasonable efforts to provide advance
notice, and (b) routine maintenance times , and (c) any unavailability caused
by circumstances of Force Majeure. Certain enhancements to the Cellebrite
Services made generally available at no cost to all subscribing customers
during the applicable Subscription Term will be made available to Customer at
no additional charge. However, the availability of some new enhancements to
the Cellebrite Services may require the payment of additional fees, and Cellebrite
will determine at its sole discretion whether access to any other such new
enhancements will require an additional fee. These Terms will apply to, and
the Cellebrite Service includes, any bug fixes, error corrections, new builds,
enhancements, updates, upgrades and new modules to the Cellebrite Service
subsequently provided by Supplier to Customer hereunder.
6.2
Support. Cellebrite makes a
variety of Support Services offerings available to its customers and will
provide Customer with the level of support to which Customer is entitled based
on Customer’s purchase as set forth in an Order Form.
6.3
Included Services for Guardian’s
Customers:
(a)
“Included Guardian Annual Services” shall mean services
to be provided to Customers using Cellebrite’s Guardian solution (respectively, “Guardian” and “Guardian Customers”) with respect to new
(other than renewals) Guardian subscriptions issued
under Quotes dated February 15, 2022 onwards; Such services may include first
installation assistance and/or web-based guidance and/or implementation, all as
defined and/or as shall be defined from time to time by Cellebrite at its sole
and absolute distraction.
(b)
During the
Guardian’s Subscription Term, Guardian Customers shall be entitled to up to
2 (two) sessions (maximum 4 hours per each session) of Included Guardian Annual Services per year, on a
non-accumulative basis. The Included Guardian
Annual
Services shall be provided to Guardian
Customers remotely
or on-site - at Cellebrite’s sole and absolute discretion. Upon Guardian
Customer’s written request to receive the
annual Included
Guardian Annual Services,
Cellebrite and the Guardian
Customer
shall mutually determine regarding the dates of executions of the annual Included Guardian Annual Services. Non-consumption of any Included Guardian Annual Services by the Guardian Customer during the Subscription
Term, for any reason,
shall not entitle the Guardian Customer to
any refund and/or reduction of the Quoted Price and/or any other rights deriving
from the non-consumption of the Included Guardian
Annual
Services.
7.1
Price List. Cellebrite may, at its sole
discretion, change its price lists or add or remove services
and/or products from the price lists. Changes in price lists shall take
effect within thirty (30) days from the date of notification to Customer. It
is hereby clarified that changes in price lists shall not apply to services and/or products underlying an executed Order Form, however,
price list changes will apply to any executed Order Form if
Customer has requested an amendment to the executed Order Form and the
amendment has not been accepted by Cellebrite at the time of the price list
change.
7.2
Total Purchase Price. Customer shall pay Cellebrite the total price as set forth in
the Order Form (“Total Purchase Price”). Cellebrite
may charge Customer for any modifications to an accepted Order Form.
7.3
Quoted Price. Unless otherwise agreed in writing, all prices quoted in the Order
Form (“Quoted Price”) shall be paid by Customer to
the account(s) indicated by Cellebrite. All payments shall be made in US
currency or other currency mutually agreed by the Parties. The payment is
considered made at the date when the amounts effectively reach Cellebrite’s
bank account. The Quoted Price does not
include transportation, insurance, federal, state, local, excise, value-added,
use, sales, property (ad valorem), and similar taxes or duties. In
addition to the Quoted Price, Customer shall pay all taxes, fees, or
charges imposed by any governmental authority. If Cellebrite is required
to collect the foregoing, Customer will pay such amounts promptly
unless it has provided Cellebrite with a satisfactory valid tax exemption
certificate authorized by the appropriate taxing authority.
7.4
Terms of Payment and
Default Interest. Payment for the Services
under any confirmed Order Form shall be in accordance with the payment
terms set forth in the Cellebrite Quote, issued by Cellebrite pursuant to
this Agreement (the “Quote”). Failure to make due payment in
accordance with the terms of the Quote may cause Cellebrite to apply
an interest charge of up to one and one-half percent (1.5%) per
month (but not to exceed the maximum
lawful rate) on all amounts which are not timely and duly
paid, accruing daily and compounding monthly from the date such amounts
were due. Customer shall reimburse Cellebrite for all
costs and expenses incurred by Cellebrite in connection with the
collection of overdue amounts, including attorneys’ fees. Customer shall not
be permitted to set off any deductions against any amounts due
to Cellebrite.
7.5
Suspension of Service. If
any amounts owed by Customer for the Services are thirty (30) or more days
overdue, Cellebrite may, without limiting Cellebrite’s other rights and
remedies, suspend Customer’s and its Users’ access to the Services until such
amounts are paid in full.
7.6
Payment Disputes. Cellebrite
agrees that it will not exercise its rights under this Section 7 if the
applicable charges are under reasonable and good-faith dispute and Customer is
cooperating diligently to resolve the dispute.
8.1
Mutual Representations and
Warranties. Each party represents, warrants and covenants that:
(a) it has the full power and authority to enter into these Terms and to
perform its obligations hereunder, without the need for any consents, approvals
or immunities not yet obtained; and (b) its acceptance of and performance
under these Terms shall not breach any oral or written agreement with any third
party or any obligation owed by it to any third party to keep any information
or materials in confidence or in trust.
8.2
Customer
Representations and Warranties. Customer represents, warrants and covenants that during the term of
these Terms that (a) only Users who have obtained any necessary
consents and approvals pursuant to applicable laws shall be permitted to use
the Cellebrite Service; (b) Customer will obtain any necessary approval,
consent, authorization, release, clearance or license of any third party and any release related to any rights of
privacy or publicity required in connection with Customer’s or its Users’ use
of the Cellebrite Service and Customer Data, and (c) Customer and its Users
shall use the Cellebrite Service in compliance all applicable federal, state
and local laws, rules and regulations including without limitation those
related to data privacy, protection and security.
8.3
Cellebrite Service Warranty. Cellebrite
warrants that during the relevant Subscription Term, the Cellebrite Service
will conform, in all material respects, with the Documentation, PROVIDED,
HOWEVER, THAT CELLEBRITE DOES NOT MAKE, AND HEREBY DISCLAIMS ANY
REPRESENTATIONS OR WARRANTIES CONCERNING THE PROPER STORAGE OF THE CUSTOMER
DATA (WHETHER IN ITS INBOUND OUTBOUND FORM), OR ITS DATA-INTEGRITY,
AVAILABILITY OR ABSENCE OF MODIFICATIONS THERETO. For a breach of the foregoing
warranty, Cellebrite will, at no additional cost to Customer, provide remedial
services necessary to enable the Cellebrite Service to conform to the warranty.
The Customer will provide Cellebrite with a reasonable opportunity to remedy
any breach and reasonable assistance in remedying any defects. Such warranty
shall only apply if the Cellebrite Service has been utilized by the Customer in
accordance with the Order Form and this Agreement.
8.4
Ancillary and Support Services Warranty.
Cellebrite warrants that any Ancillary Services and the Support Services provided
hereunder shall be provided in a competent and professional manner and in
accordance with any specifications set forth in the Order Form in all material
respects. If the Ancillary Services or the Support Services are not performed in
conformity with the foregoing warranty, then, upon the Customer’s written
request, Cellebrite shall promptly re-perform, or cause to be re-performed,
such Ancillary Services or Support Services, at no additional charge to the
Customer. Such warranties and other obligations shall survive for thirty (30)
days following the completion of the Ancillary Services or the Support Services.
8.5
Disclaimer. EXCEPT FOR THE WARRANTIES SET FORTH IN THIS SECTION 9, THE CELLEBRITE
SERVICES, SUPPORT SERVICES, ANCILLARY SERVICES, THIRD PARTY OFFERINGS AND ANY
NON-GA SERVICES ARE PROVIDED ON AN AS-IS BASIS. CUSTOMER’S USE OF THE CELLEBRITE
SERVICE, SUPPORT SERVICES, ANCILLARY SERVICES, THIRD-PARTY OFFERINGS AND NON-GA
SERVICES IS AT ITS OWN RISK. CELLEBRITE DOES NOT MAKE, AND HEREBY DISCLAIMS,
ANY AND ALL OTHER EXPRESS, STATUTORY AND IMPLIED REPRESENTATIONS AND
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT AND TITLE, QUALITY,
SUITABILITY, OPERABILITY, CONDITION, SYSTEM INTEGRATION, NON-INTERFERENCE,
WORKMANSHIP, TRUTH, ACCURACY (OF DATA OR ANY OTHER INFORMATION OR CONTENT), THE
PROPER STORAGE OF THE CUSTOMER DATA (WHETHER IN ITS INBOUND OUTBOUND FORM), OR
ITS DATA-INTEGRITY, AVAILABILITY OR ABSENCE OF MODIFICATIONS THERETO, ABSENCE
OF DEFECTS, WHETHER LATENT OR PATENT, AND ANY WARRANTIES ARISING FROM A COURSE
OF DEALING, USAGE, OR TRADE PRACTICE. THE EXPRESS WARRANTIES MADE BY CELLEBRITE
IN SECTION 10 ARE FOR THE BENEFIT OF THE CUSTOMER ONLY AND NOT FOR THE BENEFIT
OF ANY THIRD PARTY. ANY SOFTWARE PROVIDED THROUGH THE CELLEBRITE SERVICES IS
LICENSED AND NOT SOLD.
8.6
NO AGENT OF CELLEBRITE IS AUTHORIZED TO ALTER OR
EXPAND THE WARRANTIES OF CELLEBRITE AS SET FORTH HEREIN. CELLEBRITE DOES NOT
WARRANT THAT: (A) THE USE OF THE SERVICES OR NON-GA SERVICES WILL BE SECURE,
TIMELY, UNINTERRUPTED OR ERROR-FREE OR OPERATE IN COMBINATION WITH ANY OTHER
HARDWARE, SOFTWARE, SYSTEM OR DATA; (B) THE SERVICES WILL MEET CUSTOMER’S
REQUIREMENTS OR EXPECTATIONS; (C) ANY STORED CUSTOMER DATA WILL BE ACCURATE OR
RELIABLE; (D) THE QUALITY OF ANY INFORMATION OR OTHER MATERIAL OBTAINED BY
CUSTOMER THROUGH THE SERVICES OR NON-GA SERVICES WILL MEET CUSTOMER’S
REQUIREMENTS OR EXPECTATIONS; (E) THE SERVICES AND NON-GA SERVICES WILL BE
ERROR-FREE OR THAT ERRORS OR DEFECTS IN THE SERVICES AND NON-GA SERVICES WILL
BE CORRECTED; OR (F) THE SERVER(S) THAT MAKE THE SERVICES AND NON-GA SERVICES
AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. THE SERVICES AND
NON-GA SERVICES MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS
INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. CELLEBRITE
IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGES
RESULTING FROM SUCH PROBLEMS.
9.1
General. From time to time, Cellebrite may
invite Customer to try at no charge services that are or are not generally
available to Cellebrite customers (accordingly, a “Trial”, “GA”
and “Non-GA” services). Customer may accept or decline
any such Trial in its sole discretion. If Customer accepts such Trial, the
Trial shall be subject to the terms of this Agreement. Any Trial license
granted by Cellebrite to Customer shall be non-exclusive, non-transferable,
limited and non-assignable, and with or without charge as shall be determined
by Cellebrite. Cellebrite has the right to immediately revoke a Trial license
at any time in its sole discretion.
9.2
Feedback. During the Trial, the Customer
agrees to provide reasonable reports as requested by Cellebrite, which may
disclose, inter alia, (1) which portions of the services have been used, (2)
errors or difficulties discovered in sufficient detail to allow Cellebrite to
recreate the errors and difficulties, and (3) other data which is reasonably
requested by Cellebrite. The Customer agrees to notify Cellebrite by telephone
as promptly as practicable of the discovery of a material error or difficulty
in the Trial. All and any reports and feedback provided by the Customer to
Cellebrite shall be considered the Proprietary Information of Cellebrite alone.
9.3
ProFound Trial. Notwithstanding the terms of
this Agreement, ProFound Trials are provided for evaluation purposes only, with
or without charge, and for a time period determined by Cellebrite. At the end
of a ProFound Trial, the Customer shall be granted 24 hours access to remove
any of its data from the ProFound service platform. Customer shall immediately
return any and all documents, notes and other materials assessing the
functionality of the Trial Services to Cellebrite including all Proprietary
Information and all copies made thereof.
9.4
Non-GA. Non-GA Services are provided for
evaluation purposes and not for commercial/production use, are not supported,
may contain bugs or errors (but shall not knowingly contain any undisclosed
Malicious Code), and may be subject to additional terms that shall be provided
by Cellebrite to Customer prior to or concurrent with Cellebrite’s invitation
to the applicable Non-GA Services. Non-GA Services are not considered
“Services” hereunder. Cellebrite has the right to discontinue Non-GA Services
at any time in its sole discretion and may never make them generally available.
9.5
Warranty. Customer acknowledge that Trial
Services are provided free of charge, and on “AS IS” and “as available” basis. Furthermore,
Non-GA Services are a prerelease code and not at the level of performance or
compatibility of a final generally available product offering. Cellebrite
disclaims any warranty relating to Trial Services, express or implied, or
statutory, including, but not limited to implied warranties, duties or
conditions of merchantability, fitness for a particular purpose, accuracy or
completeness with regard to the Trial Services. Therefore, the entire risk
arising out of the use or performance of Trial Services remains with Customer
and the Customer is advised to safeguard important data, to use caution and not
to rely in any way on the correct functioning or performance of the Trial
Services and/or accompanying materials.
9.6
Trial Term. A Trial shall be in effect for a
period of thirty (30) days as of the date of its acceptance by Customer, unless
indicated otherwise by Cellebrite. A Trail may be terminated by either party
for any reason by providing a written notice to the other party. Upon
termination or expiration of a Trial, for any reason, Customer may purchase a
subscription to the Services, in accordance with Cellebrite’s terms. Otherwise,
the right of use and access to the Services hereunder shall terminate. Customer
shall be granted access to remove any of its data within 30 days hereafter.
Customer shall immediately return any and all documents, notes and other
materials assessing the functionality of the Trial Services to Cellebrite
including all Proprietary Information and all copies made thereof.
9.a FREEMIUM
9.a.1 General. Cellebrite may invite Customer to try at no charge
services that are generally available to Cellebrite customers (“Freemium”).
Customer may accept or decline any such invite in its sole discretion. If
Customer accepts, such services and the Customer’s access and use thereof shall
be subject to the terms of this Agreement. Any Freemium license granted by
Cellebrite to Customer shall be non-exclusive, non-transferable, limited and
non-assignable, and with or without charge as shall be determined by
Cellebrite. Cellebrite has the right to immediately revoke a Freemium license
at any time in its sole discretion.
9.a.2 Feedback. During the Freemium license, the Customer
agrees to provide reasonable reports as requested by Cellebrite, which may
disclose, inter alia, (1) which portions of the services have been used, (2)
errors or difficulties discovered in sufficient detail to allow Cellebrite to
recreate the errors and difficulties, and (3) other data which is reasonably
requested by Cellebrite. The Customer agrees to notify Cellebrite by telephone
as promptly as practicable of the discovery of a material error or difficulty
in the Freemium service. All and any reports and feedback provided by the
Customer to Cellebrite shall be considered the Proprietary Information of
Cellebrite alone.
9.a.3 Warranty. The Service is provided free of charge and on “AS
IS” and “as available” basis. Cellebrite disclaims any warranty relating to the
Freemium, express or implied, or statutory, including, but not limited to
implied warranties, duties or conditions of merchantability, fitness for a
particular purpose, accuracy or completeness with regard to the Freemium. Therefore,
the entire risk arising out of the use or performance of Freemium remains with
Customer and the Customer is advised to safeguard important data, to use
caution and not to rely in any way on the correct functioning or performance of
the Freemium and/or accompanying materials.
9.a.4 Liability. Notwithstanding any other term of this
Agreement, Cellebrite shall not be liable and shall not indemnify Customer in
any nature whatsoever for any direct, indirect special, consequential or
indirect losses or damages, arising from the performance or non-performance of
any aspect of the Freemium or from the execution or termination of this
Agreement for the provision of Freemium or from any cause whatsoever arising
from or in any way related to the manufacture, sale, handling or use of the Freemium,
whether or not any party shall have been made aware of the possibility of such
losses. Customer acknowledges that the Freemium is provided to it without any
compensation to Cellebrite therefore this section is a fundamental element in
this Agreement and Cellebrite would not provide the Freemium without such
limitations.
9.a.5 Indemnity. Customer will, at its own expense: (i)
indemnify and hold Cellebrite and its affiliates, officers and directors
harmless from any claim (whether brought by a third party or an employee,
consultant or agent of Customer’s) arising from: (a) any use of the Freemium in
a manner other than as authorized under this Agreement or under any applicable
law, rule or regulation; or (b) Customer’s breach of confidentiality and/or
proprietary obligations hereunder; (ii) reimburse Cellebrite for any expenses,
costs and liabilities incurred relating to such claim or due to any loss, theft
of or damage to the Freemium; and (iii) pay all settlements, damages and costs
assessed against Cellebrite and attributable to such claim.
9.a.6 Term. A Freemium shall be in effect for a period of ninety
(90) days as of the date of its acceptance by Customer, unless indicated
otherwise by Cellebrite to the Customer in writing. A Freemium may be
terminated by either party for any reason by providing a written notice to the
other party. Upon termination or expiration of a Freemium, for any reason, the
right of use and access to the Freemium services hereunder shall terminate.
Customer shall be granted access to remove any of its data within 30 days
hereafter. Customer shall immediately return any and all documents, notes and
other materials assessing the functionality of the Freemium, as applicable, to
Cellebrite, including all Proprietary Information and all copies made thereof.
10.
INDEMNIFICATION.
10.1
Cellebrite Indemnity.
I.
General. During the
Subscription Term, Cellebrite, at its expense, shall defend Customer and its
Affiliates and their respective officers, directors and employees (the “Customer Indemnified Parties”) from
and against all actions, proceedings, claims and demands in each case by a
third party (a “Third-Party Claim”) alleging
that the Cellebrite Services infringes any patent, copyright or trademark, or
misappropriates any trade secret and shall pay all damages, costs and expenses,
including attorneys’ fees and costs (whether by settlement or award of by a
final judicial judgment) paid to the Third Party bringing any such Third-Party
Claim. Cellebrite’s obligations under this Section are conditioned upon
(i) Cellebrite being promptly notified in writing of any claim under this
Section, (ii) Cellebrite having the sole and exclusive right to control
the defense and settlement of the claim, and (iii) Customer providing all
reasonable assistance (at Cellebrite’s expense and reasonable request) in the
defense of such claim. In no event shall Customer settle any claim without Cellebrite’s
prior written approval. Customer may, at its own expense, engage separate
counsel to advise Customer regarding a Claim and to participate in the defense
of the claim, subject to Cellebrite’s right to control the defense and
settlement.
II.
Mitigation. If any
claim which Cellebrite is obligated to defend has occurred, or in Cellebrite’s
determination is likely to occur, Cellebrite may, in its sole discretion and at
its option and expense (a) obtain for Customer the right to use the Cellebrite
Services, (b) substitute a functionality equivalent, non-infringing replacement
for such the Cellebrite Services, (c) modify the Cellebrite Services to make it
non-infringing and functionally equivalent, or (d) terminate these Terms and
refund to Customer any prepaid amounts attributable the period of time between
the date Customer was unable to use the Cellebrite Services due to such claim
and the remaining days in the then-current Subscription Term.
IV.
Sole Remedy. THE
FOREGOING STATES THE ENTIRE LIABILITY OF CELLEBRITE WITH RESPECT TO THE
INFRINGEMENT OF ANY INTELLECTUAL PROPERTY OR PROPRIETARY RIGHTS BY THE CELLEBRITE
SERVICE OR OTHERWISE, AND CUSTOMER HEREBY EXPRESSLY WAIVES ANY OTHER
LIABILITIES OR OBLIGATIONS OF CELLEBRITE WITH RESPECT THERETO.
10.2
Customer Indemnity.
Customer shall defend Cellebrite and its Affiliates, licensors and their
respective officers, directors and employees (“Cellebrite
Indemnified Parties”) from and against any and all Third-Party Claims
which arise out of or relate to: (a) a claim or threat that the Customer Data
or Customer System (and the exercise by Cellebrite of the rights granted herein
with respect thereto) infringes, misappropriates or violates any third party’s
Intellectual Property Rights; (b) Customer’s use or alleged use of the Cellebrite
Service other than as permitted under or in breach of these Terms, including
without limitation using the Cellebrite Service in a manner that violates
applicable law including without limitation a person’s Fourth Amendment rights
under the United States Constitution or Customer’s failure to provide any
notice, or obtain any consent, approval or release with respect to the use of
Customer Data in connection with the Cellebrite Service as required by
applicable law; (c) Customer’s failure to comply with applicable law; or (d) an
allegation that the Cellebrite System infringes, misappropriates or violates any
third party’s Intellectual Property Rights that results from (i) Customer’s use
of the Cellebrite Service in combination with any software, hardware, network
or system not supplied by Cellebrite where the alleged infringement relates to
such combination, (ii) any modification or alteration of the Cellebrite Service
other than by Cellebrite, (iii) Customer’s continued use of the Cellebrite
Service after Cellebrite notifies Customer to discontinue use because of an
infringement claim, (iv) Customer’s violation of applicable law; or (v) Third
Party Offerings. Customer shall pay all damages, costs and expenses, including
attorneys’ fees and costs (whether by settlement or award of by a final
judicial judgment) paid to the Third Party bringing any such Third-Party
Claim. Customer’s obligations under this Section are conditioned upon
(x) Customer being promptly notified in writing of any claim under this
Section, (y) Customer having the sole and exclusive right to control the
defense and settlement of the claim, and (z) Cellebrite providing all
reasonable assistance (at Customer’s expense and reasonable request) in the
defense of such claim. In no event shall Cellebrite settle any claim without
Customer’s prior written approval. Cellebrite may, at its own expense, engage
separate counsel to advise Cellebrite regarding a Third-Party Claim and to
participate in the defense of the claim, subject to Customer’s right to control
the defense and settlement.
11.
CONFIDENTIALITY.
11.1
Confidential Information. “Confidential Information” means any and all non-public
technical and non-technical information disclosed by one party (the “Disclosing Party”) to the other party (the “Receiving
Party”) in any form or medium, whether oral, written, graphical or
electronic, pursuant to these Terms, that is marked confidential and
proprietary, or that the Disclosing Party identifies as confidential and
proprietary, or that by the nature of the circumstances surrounding the
disclosure or receipt ought to be treated as confidential and proprietary
information, including but not limited to: (a) techniques, sketches,
drawings, models, inventions (whether or not patented or patentable), know-how,
processes, apparatus, formulae, equipment, algorithms, software programs,
software source documents, APIs, and other creative works (whether or not
copyrighted or copyrightable); (b) information concerning research,
experimental work, development, design details and specifications, engineering,
financial information, procurement requirements, purchasing, manufacturing,
customer lists, business forecasts, sales and merchandising and marketing plans
and information; (c) proprietary or confidential information of any third party
who may disclose such information to Disclosing Party or Receiving Party in the
course of Disclosing Party’s business; and (d) the terms of these Terms and any
Order Form or Statement of Work. Confidential Information of Cellebrite shall
include the Cellebrite Service, the documentation, the pricing, and the terms
and conditions of this agreement. Confidential Information also includes all
summaries and abstracts of Confidential Information.
11.3
Exceptions to Confidential
Information. The obligations set forth in Section 11.2
(Non-Disclosure) shall not apply to the extent that Confidential Information
includes information which: (a) was known by the Receiving Party prior to
receipt from the Disclosing Party either itself or through receipt directly or
indirectly from a source other than one having an obligation of confidentiality
to the Disclosing Party; (b) was developed by the Receiving Party without
use of the Disclosing Party’s Confidential Information; or (c) becomes
publicly known or otherwise ceases to be secret or confidential, except as a
result of a breach of these Terms or any obligation of confidentiality by the
Receiving Party. Nothing in these Terms shall prevent the Receiving Party from
disclosing Confidential Information to the extent the Receiving Party is
legally compelled to do so by any governmental investigative or judicial agency
pursuant to proceedings over which such agency has jurisdiction; provided,
however, that prior to any such disclosure, the Receiving Party shall
(x) assert the confidential nature of the Confidential Information to the
agency; (y) to the extent permitted by applicable law, immediately notify
the Disclosing Party in writing of the agency’s order or request to disclose;
and (z) cooperate fully with the Disclosing Party in protecting against
any such disclosure and in obtaining a protective order narrowing the scope of
the compelled disclosure and protecting its confidentiality.
11.4
Injunctive Relief. The
Parties agree that any unauthorized disclosure of Confidential Information may
cause immediate and irreparable injury to the Disclosing Party and that, in the
event of such breach, the Disclosing Party will be entitled, in addition to any
other available remedies, to seek immediate injunctive and other equitable
relief, without bond and without the necessity of showing actual monetary
damages.
12.
PROPRIETARY RIGHTS.
12.1
Cellebrite Services. As
between Cellebrite and Customer, all right, title and interest in the Cellebrite
Services and any other Cellebrite materials furnished or made available
hereunder, and all modifications and enhancements thereof, and all suggestions,
ideas and feedback proposed by Customer regarding the Cellebrite Services,
including all copyright rights, patent rights and other Intellectual Property
Rights in each of the foregoing, belong to and are retained solely by Cellebrite
or Cellebrite’s licensors and providers, as applicable. Customer hereby does
and will irrevocably assign to Cellebrite all evaluations, ideas, feedback and
suggestions made by Customer to Cellebrite regarding the Cellebrite Service
(collectively, “Feedback”) and all Intellectual
Property Rights in the Feedback.
12.2
Customer Data. As between Cellebrite
and Customer, all right, title and interest in the Customer Data, and all
Intellectual Property Rights therein, belong to and are retained solely by
Customer. Customer hereby grants to Cellebrite a limited, non-exclusive,
royalty-free, worldwide license to use the Customer Data and perform all acts
with respect to the Customer Data as may be necessary for Cellebrite to provide
the Services to Customer. To the extent that receipt of the Customer Data
requires Cellebrite to utilize any account information from a third party
service provider, Customer shall be responsible for obtaining and providing
relevant account information and passwords, and Cellebrite hereby agrees to
access and use the Customer Data solely for Customer’s benefit and as set forth
in these Terms. As between Cellebrite and Customer, Customer is solely
responsible for the accuracy, quality, integrity, legality, reliability, and
appropriateness of all Customer Data.
12.3
Aggregated Statistics. Notwithstanding anything else in these Terms or
otherwise, Cellebrite may monitor Customer’s use of the Services and use
Customer Data, and Other Information in an aggregate and anonymous manner,
including to compile statistical and performance information related to the
provision and operation of the Cellebrite Services and any data about how the
Cellebrite product and/or Services are used by the Customer and/or its Users (“Aggregated Statistics”). As between Cellebrite and Customer,
all right, title and interest in the Aggregated Statistics and all Intellectual
Property Rights therein, belong to and are retained solely by Cellebrite.
Customer acknowledges that Cellebrite will be compiling Aggregated Statistics
based on Customer Data, Other Information, and information input by other
customers into the Cellebrite Service and Customer agrees that Cellebrite may
(a) make such Aggregated Statistics publicly available, and (b) use such
information to the extent and in the manner permitted by applicable law or
regulation and for any purpose of data gathering, analysis, service enhancement
and marketing, provided that such data and information does not identify
Customer or its Confidential Information.
12.4
Cellebrite Developments.
All inventions, works of authorship and developments conceived, created,
written, or generated by or on behalf of Cellebrite, whether solely or jointly,
including without limitation, in connection with Cellebrite’s performance of
the Ancillary Services hereunder, including (unless otherwise expressly set
forth in an applicable Statement of Work) all Deliverables (“Cellebrite
Developments”) and all Intellectual Property Rights therein, shall be
the sole and exclusive property of Cellebrite. Customer agrees that, except
for Customer Confidential Information, to the extent that the ownership of any
contribution by Customer or its employees to the creation of the Cellebrite
Developments is not, by operation of law or otherwise, vested in Cellebrite,
Customer hereby assigns and agrees to assign to Cellebrite all right, title and
interest in and to such Cellebrite Developments, including without limitation
all the Intellectual Property Rights therein, without the necessity of any
further consideration.
12.5
Further Assurances. To the
extent any of the rights, title and interest in and to Feedback or Cellebrite
Developments or Intellectual Property Rights therein cannot be assigned by
Customer to Cellebrite, Customer hereby grants to Cellebrite an exclusive,
royalty-free, transferable, irrevocable, worldwide, fully paid-up license (with
rights to sublicense through multiple tiers of sublicensees) to fully use,
practice and exploit those non-assignable rights, title and interest. If the
foregoing assignment and license are not enforceable, Customer agrees to waive
and never assert against Cellebrite those non-assignable and non-licensable
rights, title and interest. Customer agrees to execute any documents or take
any actions as may reasonably be necessary, or as Cellebrite may reasonably
request, to perfect ownership of the Feedback and Cellebrite Developments. If
Customer is unable or unwilling to execute any such document or take any such
action, Cellebrite may execute such document and take such action on Customer’s
behalf as Customer’s agent and attorney-in-fact. The foregoing appointment is
deemed a power coupled with an interest and is irrevocable.
12.6
License to Deliverables.
Subject to Customer’s compliance with these Terms, Cellebrite hereby grants
Customer a limited, non-exclusive, non-transferable license during the
Subscription Term to use the Deliverables solely in connection with Customer’s
authorized use of the Cellebrite Service. Notwithstanding any other provision
of these Terms: (i) nothing herein shall be construed to assign or transfer any
Intellectual Property Rights in the proprietary tools, source code samples,
templates, libraries, know-how, techniques and expertise (“Tools”)
used by Cellebrite to develop the Deliverables, and to the extent such Tools
are delivered with or as part of the Deliverables, they are licensed, not
assigned, to Customer, on the same terms as the Deliverables; and (ii) the term
“Deliverables” shall not include the Tools.
13.1
No Consequential Damages. NEITHER
CELLEBRITE NOR ITS LICENSORS OR AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT,
INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, OR ANY DAMAGES FOR LOST
DATA, BUSINESS INTERRUPTION, LOST PROFITS, LOST REVENUE OR LOST BUSINESS,
ARISING OUT OF OR IN CONNECTION WITH THESE TERMS, EVEN IF CELLEBRITE OR ITS
LICENSORS OR AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES,
INCLUDING WITHOUT LIMITATION, ANY SUCH DAMAGES ARISING OUT OF THE LICENSING,
PROVISION OR USE OF THE CELLEBRITE SERVICE, ANCILLARY SERVICES, SUPPORT
SERVICES OR THE RESULTS THEREOF.
13.2
Limits on Liability.
NEITHER CELLEBRITE NOR ITS LICENSORS OR AFFILIATES SHALL BE LIABLE FOR
CUMULATIVE, AGGREGATE DAMAGES GREATER THAN AN AMOUNT EQUAL TO THE AMOUNTS PAID
BY CUSTOMER TO CELLEBRITE UNDER THESE TERMS DURING THE PERIOD OF TWELVE (12)
MONTHS PRECEDING THE DATE ON WHICH THE CLAIM FIRST ACCRUED, LESS THE AMOUNTS PREVIOUSLY
PAID BY CELLEBRITE TO SATISFY LIABILITY UNDER THIS AGREEMENT.
13.3
Essential Purpose.
CUSTOMER ACKNOWLEDGES THAT THE TERMS IN THIS SECTION 13 (LIMITATION OF
LIABILITY) SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND
SHALL APPLY EVEN IF AN EXCLUSIVE OR LIMITED REMEDY STATED HEREIN FAILS OF ITS
ESSENTIAL PURPOSE, AND WITHOUT REGARD TO WHETHER SUCH CLAIM IS BASED IN
CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE.
14.
TERM AND TERMINATION.
14.1
Term. The term of these Terms
commences on the Effective Date and continues until the expiration or
termination of all Subscription Term(s), unless earlier terminated as provided
in these Terms
14.2
Termination for Cause. Cellebrite
may terminate this Agreement: (i) for its convenience by giving the Customer
(30) days’ prior written notice; (ii) by giving the Customer a
written notice to be immediately effective in case the Customer causes a
material or continuous breach hereof (“continuous” meaning two or more
occurrences of the same breach). All of Customer’s obligations under this
Agreement shall survive the expiration or termination of the Agreement.
Termination of this Agreement will not entitle Customer to any deduction of the
Quoted Price or any refund of any prepaid fees. Cellebrite may terminate
the Agreement and revoke the license granted hereunder by giving the other
Party a written notice to be immediately effective in case Cellebrite
reasonably determines that it can no longer comply with the terms of the
Agreement in accordance with the requirement of any applicable law, rule and/or
regulations. Termination of the Agreement in accordance with this
Section shall not impose on Cellebrite liability of any kind.
14.4
Survival. This Section and
Sections 1,
2.3, 2.4,
7, 8, 10, 12, 13, 15.4, 16 and
any other Section or Appendix which should reasonably survive termination of this
Agreement, shall continue to be in force and effect after termination or expiry
of this Agreement.
15.1
Notices. All notices which
any party to these Terms may be required or may wish to give may be given by
addressing them to the other party at the addresses set forth below (or at such
other addresses as may be designated by written notices given in the manner
designated herein) by (a) personal delivery, (b) sending such notices by
commercial overnight courier with written verification of actual receipt, (c)
by email, effective (A) when the sender receives an automated message from the
recipient confirming delivery or (B) one hour after the time sent (as recorded
on the device from which the sender sent the email) unless the sender receives
an automated message that the email has not been delivered, whichever happens
first, but if the delivery or receipt is on a day which is not a business day
or is after 5:00 pm (addressee’s time) it is deemed to be received at 9:00 am
on the following business day, or (d) sending them by registered or certified
mail. If so mailed or otherwise delivered, such notices shall be deemed and
presumed to have been given on the earlier of the date of actual receipt or
three (3) days after mailing or authorized form of delivery. All
communications and notices to be made or given pursuant to these Terms shall be
in the English language.
15.2
Governing Law. This
Agreement and any disputes or claims arising hereunder are governed by the laws
of, and subject to the exclusive jurisdiction of, the country of incorporation
of the Cellebrite entity that sold the Services to Customer, without giving
effect to any choice of law rules or principles. In case of sales or licenses
in the United States of America, this Agreement and any disputes or claims
arising hereunder are governed by the laws of the State of New York and subject
to the exclusive jurisdiction of the federal or state courts in New York,
without giving effect to any conflict of Law rules or principles.
Notwithstanding anything to the contrary, in the event that the entity that
sold the Services to the Customer is Cellebrite GmbH, this Agreement shall be governed
by and construed in accordance with the law of England and Wales and the
Parties hereby submit to the exclusive jurisdiction of the London courts and,
without giving effect to any conflict of law rules or principles. The United
Nations Convention on Contracts for the International Sale of Goods (except
that sales or licenses in the United States of America shall not exclude the
application of General Obligations Law 5-1401), and the Uniform Computer
Information Transactions Act do not apply to this Agreement. Cellebrite may, at
its sole discretion, initiate any dispute or claim against Customer, including
for injunctive relief, in any jurisdiction permitted by applicable law.
15.3
U.S. Government Customers.
If Customer is
a U.S. Federal Government entity, Cellebrite provides the Cellebrite Service,
including related software and technology, for ultimate Federal Government end
use solely in accordance with the following: Government technical data rights
include only those rights customarily provided to the public with a commercial
item or process and Government software rights related to the Cellebrite
Service include only those rights customarily provided to the public, as
defined in these Terms. The technical data rights and customary commercial
software license is provided in accordance with FAR 12.211 (Technical Data) and
FAR 12.212 (Software) and, for Department of Defense transactions, DFAR
252.227-7015 (Technical Data – Commercial Items) and DFAR 227.7202-3 (Rights in
Commercial Computer Software or Computer Software Documentation). If greater rights are needed, a mutually acceptable
written addendum specifically conveying such rights must be included in these
Terms. In addition, if the Customer is a U.S. Federal Government entity (or
agency thereof), these Terms incorporate the following FAR provisions by
reference: 52.222-50, 52.233-3, 52.222-54, 52.222-21, 52.222-26, 52.203-6, 52.204-10,
52.209-9, 52.212-4, 52.222-40, 52.222-41, 52.203-13, 52.222-36, 52.222-37,
52.233-4, 52.212-5, 52.209-10, 52.222-35, 52.222-53.
15.4
Inapplicable Terms and
Provisions – VOID AB INITIO. This Section only
applies to U.S. local, county, state, governmental agencies and
other U.S. law enforcement agencies that are state or federally funded by the
United States Government. Subject to the foregoing statements, to the
extent that any term or provision of the Agreement, is considered void
ab initio, or is otherwise unenforceable against Customer pursuant to
applicable U.S. Law that expressly prohibits Customer from agreeing to such
term or condition, then such conflicting term or provision in this Agreement
shall be struck to the extent to make such term or provision enforceable, and
the remaining language, if any, shall remain in full force and effect.
15.5
Regulation. The Cellebrite
Service utilizes software and technology that may be subject to certain export,
re-export, customs or import controls, applicable in Israel, the European Union,
the United States and/or other countries. Said regulations include but are not
limited to the provisions of the US Export Administration Regulations
(EAR) and the provisions of the regulations of the European Union. Customer
expressly warrants, represents and covenants that it shall comply fully with
all applicable export laws and regulations any relevant jurisdictions
to ensure that the Services are not
exported or re-exported in violation of such laws and regulations, or used for
any purposes prohibited by such laws and regulations. As the Services are
subject to export control laws and regulations, Customer shall
not export or "re-export" (transfer) the Services unless the
Customer has complied with all applicable controls. Customer acknowledges
and agrees that the Services shall not be used, and none of the underlying
information, software, or technology may be transferred or otherwise exported
or re-exported to countries as to which the United States maintains an embargo
(collectively, “Embargoed Countries”), or to or by a
national or resident thereof, or any person or entity on the U.S. Department of
Treasury’s List of Specially Designated Nationals or the U.S. Department of
Commerce’s Table of Denial Orders (collectively, “Designated
Nationals”). The lists of Embargoed Countries and Designated Nationals
are subject to change without notice. By using the Cellebrite Services,
Customer represents and warrants that it is not located in, under the control
of, or a national or resident of an Embargoed Country or Designated National.
The Cellebrite Service may use encryption technology that is subject to
licensing requirements under the U.S. Export Administration Regulations, 15
C.F.R. Parts 730-774 and Council Regulation (EC) No. 1334/2000. Customer agrees
to comply strictly with all applicable export laws and assume sole
responsibility for obtaining licenses to export or re-export as may be
required. Cellebrite and its licensors make no representation that the Cellebrite
Service is appropriate or available for use in other locations. Any diversion
of the Customer Data contrary to law is prohibited. None of the Customer Data,
nor any information acquired through the use of the Cellebrite Service, is or
will be used for nuclear activities, chemical or biological weapons, or missile
projects.
15.6
Compliance. Customer is
obligated to comply with the law applicable in connection with the
business relationship with Cellebrite. Customer will comply
with Cellebrite’s Business Conduct Policy. Customer represents,
warrants and covenants that it shall not engage in any deceptive,
misleading, illegal or unethical practices that may be detrimental to
Cellebrite or to any of Cellebrite’s services and/or products, including but
not limited to the Services and shall only use the Services in compliance
with all applicable laws and regulations (including, without limitation,
data protection, privacy, computer misuse, telecommunications interception,
intellectual property, and import and export compliance laws and regulations or
the applicable foreign equivalents).
Customer, its subsidiaries and Affiliates will not (i) offer, promise or
grant any benefit to a public official for that person or a third party for the
discharge of a duty; (ii) offer, promise or grant an employee or an agent of a
business for competitive purposes a benefit for itself or a third party in a
business transaction as consideration for an unfair preference in the purchase
of goods or commercial services; (iii) demand, allow itself to be promised or
to accept a benefit for itself or another in a business transaction as
consideration for an unfair preference to another in the competitive purchase
of goods or commercial services, and; (iv) violate any applicable
anticorruption regulations and, if applicable, not to violate the US Foreign
Corrupt Practices Act (FCPA), the UK Bribery Act or any other applicable
antibribery or anti-corruption law. Customer further represents, covenants
and warrants that it has, and shall cause each of its subsidiaries and/or
Affiliates to, maintain systems of internal controls (including, but not
limited to, accounting systems, purchasing systems and billing systems) to
ensure compliance with the FCPA, the U.K. Bribery Act or any other applicable
anti-bribery or anti-corruption law. Upon Cellebrite's request, Customer
will confirm in writing that it complies with this Section and
is not aware of any breaches of the obligations under this Section.
If Cellebrite reasonably suspects that Customer is not complying with
this Section then, after notifying Customer regarding the reasonable
suspicion, Cellebrite may demand that Customer, in
accordance with applicable law, permit and participate in - at
its own expense - auditing, inspection, certification or screening to
verify Customer’s compliance with this Section. Any such inspection can
be executed by Cellebrite or its third party representative. In the event Customer
is in contact with a Government Official concerning Cellebrite, discussing or
negotiating, or Customer engages a third party to do so, Customer is
obligated (i) to inform Cellebrite in advance and in writing, clearly defining
the scope of the interaction, (ii) upon request, to provide Cellebrite with a
written record of each conversation or meeting with a Government Official and
(iii) to provide Cellebrite monthly a detailed expense report, with all
original supporting documentation. A “Government Official” is any person
performing duties on behalf of a public authority, government agency or
department, public corporation or international organization. Cellebrite may
immediately terminate this Agreement and any applicable Order Form if Customer violates
its obligations under this Section. Nothing contained in this Section shall
limit any additional rights or remedies available to Cellebrite. Customer shall
indemnify Cellebrite and Cellebrite's employees from any liability claims,
demands, damages, losses, costs and expenses that result from a culpable
violation of this Section by Customer. Customer will pass on the
provision of this Section to its affiliates and bind its affiliates
accordingly and verify the compliance of its subsidiaries or
affiliates with the provisions of this Section.
15.7
Assignment. Customer shall
not assign its rights hereunder or delegate the performance of any of its
duties or obligations hereunder, whether by merger, acquisition, sale of
assets, operation of law, or otherwise, without the prior written consent of Cellebrite.
Any purported assignment in violation of the preceding sentence is null and
void. Subject to the foregoing, these Terms shall be binding upon, and inure
to the benefit of, the successors and assigns of the parties thereto. With the
exception of Affiliates of Customer who have executed Order Forms under these
Terms, there are no third-party beneficiaries to these Terms.
15.8
Amendment. These Terms may
be amended or supplemented from time to time at Cellebrite’s sole discretion.
15.9
Interpretation; Severability. If any of
these Terms is found invalid or unenforceable that term will be enforced to the
maximum extent permitted by law and the remainder of the Terms will remain in
full force.
15.10
Independent Contractors. The parties are
independent contractors, and nothing contained herein shall be construed as
creating an agency, partnership, or other form of joint enterprise between the
parties.
15.11
Entire Agreement. These Terms, including all
applicable Order Forms, and Statements of Work, constitute the entire agreement
between the parties relating to this subject matter and supersedes all prior or
simultaneous understandings, representations, discussions, negotiations, and
agreements, whether written or oral.
15.12
Force Majeure. Except for your payment
obligations hereunder, neither party shall be liable to the other party or any
third party for failure or delay in performing its obligations under these
Terms when such failure or delay is due to any cause beyond the control of the
party concerned, including, without limitation, acts of God, governmental
orders or restrictions, fire, or flood, provided that upon cessation of such
events such party shall thereupon promptly perform or complete the performance
of its obligations hereunder.
Exhibit A
Data Processing Addendum
This
Data Processing Addendum (“Addendum”) is entered into by and between
Cellebrite and Customer.
WHEREAS, the Services involves processing certain
personal data and the parties wish to regulate Cellebrite’s processing of such
personal data, through this Addendum, which become an integral part of the
Agreement.
THEREFORE,
the parties have agreed to this Addendum, consisting of four parts:
§ Part
One applies with general provision.
§ Party
Two applies with respect to the GDPR (Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement
of such data, and supplementary GDPR legislations in EU member states), but
only if Cellebrite Services to the Customer operate or Process Personal Data to
any extent, in countries that are not member states of the European Economic
Area, and are not territories or territorial sectors recognized by an adequacy
decision of the European Commission, as providing an adequate level of
protection for Personal Data pursuant to Article 45 of the GDPR.
§ Part
Three applies with respect to the GDPR (Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free
movement of such data, and supplementary GDPR legislations in EU member
states), but only if Cellebrite Services to the Customer operate and Process
Personal Data exclusively in member states of the European Economic Area, or in
territories or territorial sectors recognized by an adequacy decision of the
European Commission, as providing an adequate level of protection for Personal
Data pursuant to Article 45 of the GDPR.
§ Part
Four applies with respect to the California Consumer Privacy Act of 2018
(CCPA).
Part 1
1.
In the event of any conflicting
stipulations between this Addendum and the Agreement or any other agreement in
place between the parties, the stipulations of this Addendum shall prevail.
2. Any
limitation of liability pursuant the Agreement shall apply to liability arising
from or in connection with breach of this Addendum.
3.
Cellebrite has appointed the person
listed below as a contact person for data protection purposes:
Mr.
Ilan Tzoler, Compliance Officer, Ilan.Tzoler@cellebrite.com.
Part 2
1.
Capitalized terms used in this Part 2 of
the Addendum but not defined in the Addendum or in the Agreement have the
meaning ascribed to them in Regulation (EU) 2016/679 (GDPR) and in Directive
(EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal
data by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution
of criminal penalties, and on the free movement of such data.
2.
This Part 2 applies only where
Cellebrite is Processing Personal Data as a Data Processor on behalf of the
Customer and under the Customer’s instructions, where the Customer is a Data
Controller subject to the GDPR with respect to the Personal Data that
Cellebrite Processes. It does not apply to Cellebrite’s Processing Personal
Data of Customer’s representatives to market or promote its products, to
administer the business or contractual relationship between Cellebrite and the
Customer or in other instances where Cellebrite operates as the Data
Controller.
3.
Customer and Cellebrite hereby assent
to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021
on standard contractual clauses for the transfer of personal data to third
countries pursuant to Regulation (EU) 2016/679 of the European Parliament and
of the Council, as follows:
3.1.
In Section II (Obligations of the
Parties), Clause 9(a) for MODULE TWO: Transfer controller to processor: The
data importer shall specifically inform the data exporter in writing of any
intended changes to that list through the addition or replacement of
sub-processors at least 10 days in advance, thereby giving the data exporter
sufficient time to be able to object to such changes prior to the engagement of
the sub-processor(s).
3.2.
In Section IV (Final Provisions),
Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree
that this shall be the law of Ireland.
3.3.
In Section IV (Final Provisions),
Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties
agree that those shall be the courts of Ireland.
3.4.
In Annex I, for MODULE TWO: Transfer
controller to processor:
3.4.1.
Data Exporter: Customer.
3.4.1.1.
Activities relevant to the data
transferred under these Clauses: A business with a need to extract, review and
analyze intelligence from digital devices and online platforms.
3.4.1.2.
Role: controller
3.4.2.
Data Importer: Cellebrite.
3.4.2.1.
Activities relevant to the data transferred
under these Clauses: Develops and operates a software-as-a-service solution for
extracting, obtaining, reviewing and analyzing intelligence from digital
devices and online platforms.
3.4.2.2.
Role: processor.
3.5.
Description of Transfer:
3.5.1.
Categories of data subjects whose
personal data is transferred: Individuals using the digital devices from which
the intelligence is gathered, and their contacts.
3.5.2.
Categories of data transferred: contact
information, messages and emails, correspondence, location information, photos,
data related to use of online platform, and other information extracted from
digital devices.
3.5.3.
Sensitive data transferred: to the
extent present on the digital device and extracted at the instruction of the
Customer: personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or trade union membership, and the
processing of genetic data, biometric data for the purpose of uniquely
identifying a natural person, data concerning health or data concerning a
natural person’s sex life or sexual orientation.
3.5.4.
The frequency of the transfer: On a
continuous basis, as needed in the use of the Services.
3.5.5.
Nature of the processing: collection,
recording, organization, structuring, storage, adaptation or alteration,
retrieval, disclosure by transmission, alignment or combination, restriction,
erasure and destruction.
3.5.6.
Purpose(s) of the data transfer and
further processing: extraction, review and analysis of intelligence from
digital devices and online platforms.
3.5.7.
The period for which the personal data
will be retained: For the duration of the Services.
3.5.8. Transfers
to the following main (sub-) processors:
|
Name
of sub-processor
|
Subject
matter and nature of sub-processor processing
|
Duration
of sub-processing
|
|
Amazon
AWS
|
Cloud
infrastructure provider
|
Duration
of the engagement
|
3.5.9.
Competent Supervisory Authority: the
supervisory authority in the EU member state where the data exporter’s EU
representative under Article 27 of the GDPR is located.
3.6. In
Annex II, for MODULE TWO: Transfer controller to processor:
3.6.1.
Information Security Policies &
Standards: Cellebrite’s Information Security Policy sets forth general
information security policy statements applicable to Cellebrite’s computer and
network systems and all information contained on those systems or relating to Cellebrite’s
business activities:
•
Information must be consistently protected in a manner commensurate with its
sensitivity, value, and criticality.
•
Cellebrite’s information and computer resources must be used only for the
business purposes authorized by management.
3.6.2.
Acceptable Use Policy: Cellebrite’s
Acceptable Use Policy defines the activities that are permissible when using
any of the company’s computer, device, or communication system and states the
minimum compliance requirements for users of Cellebrite’s systems, including
but not limited to computer equipment, software, operating systems, network
accounts and e-mail
3.6.3.
Key Information Security Controls:
Below are some of the key information security controls that the Information
Security group has implemented across the organization:
Access
Control: Cellebrite has implemented security standards, which are designed to
restrict access to Cellebrite’s information and data assets including: defines
general access control requirements (e.g., access to information resources
granted only on a “need-to-know” basis, access terminated at termination of
employment, periodic review of access rights, role-based access rights and
segregation of duties, etc.)
Authentication
and encryption: strong authentication with 2FA are required for every remote
access to the company’s assets
3.6.4.
System and Communications Protection: Cellebrite
operates a comprehensive, multi-layered information security program,
leveraging a defensive, in-depth architecture. Tiered perimeter defenses
include firewalls between zones and key application servers, as well as
segmentation between various network elements and network segments. Web
Application Firewalls are employed to protect applications. Detective controls
are also layered, with proactive enterprise-wide scans for Advanced Persistent
Threat (“APT”) using top notch commercial malware detection. Network Intrusion
Detection technology is in place, as well as endpoint controls such as
Host-Based IDS and advanced malware protection. The Cellebrite’s network
infrastructure is protected with the following mechanisms, as a standard:
•
Network Firewalls – designed to protect against network-based, malicious
attacks and provide an additional layer of access control.
•
Network Access Controls – Cellebrite has controls around network access and
remote access, including 2- factor authentication and forced disconnection
after a period of inactivity.
•
Network Segmentation – VLAN and physical segmentation. Additional controls may
be in place at the application layer which, are detailed below in the product
specifications section of this packet.
3.6.5.
Vulnerability Management: Cellebrite
maintains a systematic process to detect categorize, and handle vulnerabilities
found in its infrastructure, application and systems.
3.6.6.
Change Management: Cellebrite maintain
a change management process for changes in production, which helps protect the
integrity and availability of the services by controlling all changes to
minimize risk to approve all applicable changes.
3.6.7.
SaaS Network Security: Cellebrite
deploys multiple layers of network security across our SaaS infrastructure and
application stack. At the perimeter Cellebrite relies on cloud front to provide
distributed denial of service (“DDoS”) attack mitigation and a web application
firewall (“WAF”) for traffic over HTTP and HTTPS. Cellebrite relies on IP whitelisting
to ensure that the network origin for clients is not accessible publicly. All
traffic within Cellebrite’s SaaS platform operates on independent virtual
private clouds (“VPCs”) which is in a physically isolated from all other
accounts. In the IPS layer, advanced threat protection, intrusion prevention,
firewall capabilities, web filtering, network visibility, anti-virus, and
anti-spyware services provide a broad range of enhanced protection.
3.6.8.
Content Encryption: All traffic to and
from clients to the platform uses HTTPS to encrypt data in transit.
3.6.9.
Incident Response Plan: Cellebrite’s
have a detailed incident response plan that addresses how Cellebrite handles
security incidents including notifying regulators, affected individuals, law
enforcement, and/or data owners/controllers of security breaches of Scoped
Data. Cellebrite’s threat operation center is in charge of monitoring detecting
handling and notifying the relevant stockholders in case of a cyber incident occurs.
Part 3
1.
Customer commissions, authorizes and
requests that Cellebrite provide Customer the Services, which involves
Processing Personal Data (as these capitalized terms are defined and used in:
(a) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
applicable as of 25 May 2018 and any national law supplementing the GDPR; and
(b) Directive (EU) 2016/680 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing
of personal data by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the execution
of criminal penalties, and on the free movement of such data. Legislations (a)
and (b) above shall collectively be referred to as “Data Protection Law”.
2.
This Part 3 applies only where
Cellebrite is Processing Personal Data as a Data Processor on behalf of the
Customer and under the Customer’s instructions, where the Customer is a Data
Controller subject to the GDPR with respect to the Personal Data that
Cellebrite Processes. It does not apply to Cellebrite’s Processing Personal
Data of Customer’s representatives to market or promote its products, to administer
the business or contractual relationship between Cellebrite and the Customer or
in other instances where Cellebrite operates as the Data Controller.
3.
Cellebrite will Process the Personal
Data only on Customer’s behalf and for as long as Customer instructs Cellebrite
to do so. Cellebrite shall not Process the Personal Data for any purpose other
than the purpose set forth in this Addendum.
4.
The nature and purposes of the
Processing activities are as set out in the Agreement. The Personal Data Processed
may include, without limitation:
contact
information, messages and emails, correspondence, location information, photos,
data related to use of online platform, and other information extracted from
digital devices.
5.
The Data Subjects, as defined in the
Data Protection Law, about whom Personal Data is Processed are:
Individuals using the digital devices from which the
intelligence is gathered, and their contacts.
6.
Customer is and will always remain the
‘Data Controller’, and Cellebrite is and will remain at all times the ‘Data
Processor’ (as these capitalized terms are defined and used in Data Protection
Law). As a Data Processor, Cellebrite will Process the Personal Data only as
set forth in this Addendum. Cellebrite and Customer are each responsible for
complying with the Data Protection Law applicable to them in their roles as
Data Controller and Data Processor.
7.
Cellebrite will Process the Personal
Data only on instructions from Customer documented in this Addendum or
otherwise provided either in writing or through the options of the Services
configurable by Customer. The foregoing applies unless Cellebrite is otherwise
required by law to which it is subject (and in such a case, Cellebrite shall
inform Customer of that legal requirement before processing, unless that law
prohibits such information on important grounds of public interest). Cellebrite
shall immediately inform Customer if, in Cellebrite's opinion, an instruction
is in violation of Data Protection Law.
8.
Cellebrite will make available to Customer
all information in its disposal necessary to demonstrate compliance with the
obligations under Data Protection Law.
9.
Cellebrite will follow Customer’s
instructions to accommodate Data Subjects’ requests to exercise their rights in
relation to their Personal Data, including accessing their data, correcting it,
restricting its processing or deleting it. Cellebrite will pass on to Customer
requests that it receives (if any) from Data Subjects regarding their Personal
Data Processed by Cellebrite. Cellebrite shall notify Customer of the receipt
of such request as soon as possible, and no later than five (5) business days
from the receipt of such request, together with the relevant details.
10.
Customer authorizes Cellebrite to
engage another processor for carrying out specific processing activities of the
Services, provided that Cellebrite informs Customer at least 10 business days
in advance of any new or substitute processor (including in respect of any
material changes in the other processor’s ownership or control), in which case
Customer shall have the right to object, on reasoned grounds, to that new or
replaced processor. If Customer so objects, Cellebrite may not engage that new
or substitute processor for the purpose of Processing Personal Data in the provision
of the Services. Customer hereby authorizes Cellebrite to engage the processors
identified in Section 3.5.8
of Part 2 of the Addendum.
11.
Without limiting the foregoing, in any
event where Cellebrite engages another processor, Cellebrite will ensure that
the same data protection obligations as set out in this Addendum are likewise
imposed on that other processor by way of a contract, in particular providing
sufficient guarantees to implement appropriate technical and organizational
measures in such a manner that the processing will meet the requirements of Data
Protection Legislation. Where the other processor fails to fulfil its data
protection obligations, Cellebrite shall remain fully liable to Customer for
the performance of that other processor's obligations.
12.
Cellebrite and its other processors
will only Process the Personal Data in member states of the European Economic
Area, in territories or territorial sectors recognized by an adequacy decision
of the European Commission, as providing an adequate level of protection for
Personal Data pursuant to Article 45 of the GDPR, or using adequate safeguards
as required under Data Protection Law governing cross-border data transfers
(e.g., Model Clauses). Cellebrite must inform Customer at
least 10 business days in advance of any new envisioned cross-border data
transfer scenario, in which case Customer shall have the right to object, on
reasoned grounds, to that new envisioned cross-border data transfer. If
Customer so objects, Cellebrite may not engage in that envisioned cross-border
data transfer for the purpose of Processing Personal Data in the provision of
the Services.
13.
In the event that the foregoing
mechanism for cross-border data transfers is invalidated by a regulatory
authority under applicable law or any decision of a competent authority under
Data Protection Law, the parties shall discuss in good faith and agree such
variations (such agreement not to be unreasonably withheld or delayed) to this
Addendum as are required to enable a valid cross-border data transfers.
Further, in the event that the European Commission establishes processor to
processor standard contractual clauses, the parties will enter into those
clauses as promptly as reasonably practicable.
14.
Cellebrite will ensure that its staff
authorized to Process the Personal Data have committed themselves to
confidentiality or are under an appropriate statutory obligation of
confidentiality.
15.
Within 10 business days of Customer’s
written request, Cellebrite shall allow for and contribute
to audits, including carrying out inspections conducted by Customer, or another
auditor mandated by Customer in order to establish Cellebrite's compliance with
this Addendum and the provisions of the applicable Data Protection Law as
regards the Personal Data that Cellebrite processes on behalf of Customer. Such
audits shall be limited to one business day per annum (unless Data Protection
Law requires otherwise), shall be conducted during ordinary business hours and
without interruption to Cellebrite’s ordinary course of business. Under no
circumstances shall the audits or inspections extend to trade secrets of
Cellebrite or to data regarding other customers of Cellebrite. All audits are
conditioned on the Customer or its auditors first executing appropriate
confidentiality undertakings satisfactory to Cellebrite.
16.
Cellebrite shall without undue delay,
and in any event within 72 hours, notify Customer of any Personal Data Breach
(as this term is defined and used in Data Protection Law and applicable
regulatory guidelines) that it becomes aware of regarding Personal Data of Data
Subjects that Cellebrite Processes. Cellebrite will thoroughly investigate the breach
and take all available measures to mitigate the breach and prevent its
reoccurrence. Cellebrite will cooperate in good faith with Customer on issuing
any statements or notices regarding such breaches, to authorities and Data
Subjects.
17.
Taking into account the state of the
art, the costs of implementation and the nature, scope, context and purposes of
processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, Cellebrite shall implement in the
Services appropriate technical and organizational measures to ensure a level of
security appropriate to the risk, as detailed in Section of 3.6
Part 2.
18.
Cellebrite will assist Customer with
the eventual preparation of data privacy impact assessments and prior
consultation as appropriate (and if needed).
19.
Cellebrite will provide Customer
prompt notice of any request it receives from authorities to produce or
disclose Personal Data it has Processed on Customer’s behalf, so that Customer
may contest or attempt to limit the scope of production or disclosure request.
20.
Upon Customer’s request, Cellebrite
will delete the Personal Data it has Processed on Customer’s behalf under this
Addendum from its own and its processor’s systems, or, at Customer’s choice,
return such Personal Data and delete existing copies, within
10 business day of receiving a request to do so, and
21.
Upon Customer’s request, will furnish
written confirmation that the Personal Data has been deleted or returned
pursuant to this section.
22.
The duration of Processing that
Cellebrite performs on the Personal Data is for the period set out in the
Agreement.
Part 4
1.
Scope. This
Part applies to the processing of ‘personal information’ (as defined in Cal.
Civ. Code §1798.140(o)) by Cellebrite for Customer.
2.
Service Provider Obligations. The
Parties acknowledge and agree that Cellebrite is a ‘service provider’ as
defined in Cal. Civ. Code §1798.140(v). To that end, and unless otherwise
requires by law:
2.1.
Cellebrite is prohibited from
retaining, using or disclosing Customer ‘personal information’ (as defined in
Cal. Civ. Code §1798.140(o)) for: (a) any purpose other than the purpose of
properly performing, or for any commercial purpose other than as reasonably
necessary to perform Customer’s processing instructions; (b) ‘selling’ (as
defined in Cal. Civ. Code §1798.140(t)) Customer personal information; and (c)
retaining, using or disclosing Customer personal information outside of the
direct business relationship between the parties. Cellebrite certifies that it
understands the restriction specified in this subsection and will comply with
it.
2.2.
If Cellebrite receives a request from
a California consumer about his or her is ‘personal information’ (as defined in
Cal. Civ. Code §1798.140(o)), Cellebrite shall not comply with the request
itself, promptly inform the consumer that Cellebrite’s basis for denying the
request is that Cellebrite is merely a service provider that follows Customer’s
instruction, and promptly inform the consumer that they should submit the
request directly to Customer and provide the consumer with Customer’s contact
information.
3.
Subcontracting to suppliers. Customer
authorizes Cellebrite to subcontract any of its Services-related activities
consisting (partly) of the processing of the personal information or requiring
personal information to be processed by any third party supplier without the
prior written authorization of Customer provided that: (a) Cellebrite shall
ensure that the third party is bound by the same obligations of the Cellebrite
under this Part and shall supervise compliance thereof; and (b) Cellebrite
shall remain fully liable vis-ŕ-vis Customer for the performance of any such
third party that fails to fulfil its obligations.
4.
Return or deletion of information. Upon
termination of this Part, upon Customer’s written request, or upon fulfillment
of all purposes agreed in the context of Customer’s instructions, whereby no
further processing is required, the Cellebrite shall, at the discretion of
Customer, either delete, destroy or return to Customer, some or all (however
instructed) of the of the personal information that it and its third-party suppliers
process for Customer.
5.
Assistance in responding to consumer
requests. Cellebrite shall assist Customer by appropriate
technical and organizational measures, insofar as this is possible, for the
fulfilment of Customer’s obligation to respond to requests for exercising the
consumer rights under the California Consumer Privacy Act of 2018.
6.
Data security. Taking
into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of Cellebrite’s processing of personal information
for Customer, as well as the nature of personal information processed for
Customer, Cellebrite shall implement and maintain reasonable security
procedures and practices appropriate to the nature of the information, designed
to protect the personal information from unauthorized access, destruction, use,
modification, or disclosure (including data breaches).
***