ENDPOINT SAAS TERMS OF SERVICE
THESE ENDPOINT SAAS TERMS OF SERVICE (THE “TERMS” OR THIS “AGREEMENT”) ARE BETWEEN CELLEBRITE DI LTD. OR ANY OF ITS WHOLLY OWNED SUBSIDIARIES NAMED IN THE QUOTE (“CELLEBRITE”) AND THE AGENCY OR LEGAL ENTITY NAMED IN THE QUOTE (“CUSTOMER”). THIS AGREEMENT SHALL COME INTO EFFECT UPON THE EARLIER OF: (I) A CUSTOMER REPRESENTATIVE CLICKING THE "I ACCEPT" BUTTON AT THE END OF THESE TERMS, (II) CUSTOMER EXECUTING THE QUOTE AND/OR AN ORDER FORM THAT REFERECES THE QUOTE AND/OR ANY OTHER LEGALLY BINDING DOCUMENT THAT INCLUDES THIS AGREEMENT BY REFERENCE, OR (III) CUSTOMER REPRESENTATIVE(S) ACCESSING OR USING THE CELLEBRITE ENDPOINT SERVICES. THIS AGREEMENT GOVERNS THE CUSTOMER’S PURCHASE AND USE OF THE SERVICES DETAILED IN THIS AGREEMENT AND/OR THE QUOTE.
IN THE EVENT OF A CUSTOMER REPRESENTATIVE CLICKING TO ACCEPT THE AGREEMENT TERMS, THE INDIVIDUAL (“YOU”) CLICKING TO ACCEPT HEREBY REPRESENT AND WARRANT THAT YOU HAVE THE REQUISITE AUTHORITY AND POWER TO BIND THE CUSTOMER TO THE TERMS OF THIS AGREEMENT, AND ACCORDINGLY ACKNOWLEDGE THAT THE CUSTOMER HAS REVIEWED AND ACCEPTS THESE TERMS. IF THE CUSTOMER DOES NOT AGREE WITH THESE TERMS, DO NOT ACCESS OR OTHERWISE USE THE SERVICES REFERENCED IN THE QUOTE AND/OR RESPECTIVE ORDER FORM.
1. DEFINITIONS.
“Activation Date” means the date, set forth in the applicable Quote or Order Form, on which the Service is scheduled to be made available to Customer.
“Authorized Purposes” means Customer’s internal business purposes.
“Authorized Users” means employees of the Customer for whom access to the Service during the Subscription Term have been purchased pursuant to the Quote or the respective Order Form, and who are authorized by Customer to access and use the Service, including, where applicable, by way of user identifications and passwords supplied for such purpose by Customer.
“Cellebrite” means Cellebrite DI Ltd. or its respective Affiliate that is identified on the Quote and issues invoices to Customer with respect to these Services.
“Customer Data” means all data, including Personal Information, submitted, stored, posted, displayed, or otherwise transmitted to the Service by or on behalf of Customer or Authorized User.
“Customer System” means Customer’s website(s), internal servers and other equipment and any software, SaaS programs and applications used in the conduct of Customer’s business, whether or not required for the provision, operation and/or use of the Service.
“Documentation” means the printed, paper, electronic or online user instructions and help files made available by Cellebrite for use with the Service, as may be updated from time to time by Cellebrite.
“Intellectual Property Rights” means all intellectual property rights or similar proprietary rights, including (a) patent rights and utility models, (b) copyrights and database rights, (c) trademarks, trade names, domain names and trade dress and the goodwill associated therewith, (d) trade secrets, (e) mask works, and (f) industrial design rights; in each case, whether registered or not, including any registrations of, applications to register, and renewals and extensions of, any of the foregoing in any jurisdiction in the world.
“Malicious Code” means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.
“Open Source Software” means all software that is available under the GNU Affero General Public License (AGPL), GNU General Public License (GPL), GNU Lesser General Public License (LGPL), Mozilla Public License (MPL), Apache License, BSD licenses, or any other license that is approved by the Open Source Initiative (www.opensource.org).
“Order Form” means a purchase order submitted by Customer to Cellebrite which references the Quote for the sale of the Service. Any inconsistencies or supplemental terms printed or attached to the Order Form are void.
“Personal Information” means (i) all data that identifies an individual or, in combination with any other information or data available to a relevant entity, is capable of identifying an individual, and (ii) such other data that is defined as “personal information” or “personal data” under applicable law.
“Quote” means the valid Quote issued by Cellebrite for the Services at specified prices.
“Service” means the Cellebrite Endpoint Mobile Now Software as a Service or Cellebrite Endpoint Inspector Software as a Service (collectively “SaaS”) to be provided by Cellebrite to Customer pursuant to these Terms. Services exclude any Third Party Offerings which may be offered in the context of the Services.
“Subscription Term” means the subscription period for Customer’s use of the Service set forth in the Quote or the respective Order Form.
“Third Party Offerings” means certain software or services delivered or performed by third parties that are required for the operation of the Service, or other online, web-based CRM, ERP, or other business application subscription services, and any associated offline products provided by third parties, that interoperate with the Service, or any adjacent services or products offered by Cellebrite which operate in conjunction with the Service.
2. SERVICE; ORDERS; LICENSES; AND RESTRICTIONS.
2.1 Description of Service. Cellebrite Endpoint SAAS is a service that enables fast and easy remote collection of mobile or computer data. The Service allows the authorized user to create collection jobs with targeted collection criteria and to specify where the collection will be stored once complete. If a mobile job is created, an email is sent to the device owner, specified in the job, with instructions for running the collection software on the device owner’s computer. The device owner is guided through instructions to connect their phone to their computer using their standard data/power cable and to unlock their phone and initiate the collection. If a computer job is created, it will communicate directly with the authorized computer to collect the specified files. Once the collection is complete, it is uploaded to the preconfigured storage location.
2.2 Quotes and Orders. Subject to the terms and conditions contained in these Terms, Customer may purchase additional subscriptions to access and use the Service pursuant to Order Forms issued in reference to a Quote and execution of the Terms. The Service is purchased as subscriptions and may be accessed solely by Customer’s Authorized Users. Customer agrees that its purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written public comments made by Cellebrite regarding any future functionality or features. If there is any inconsistency between an Order Form and these Terms, these Terms control.
2.3 Access and Use Rights. Subject to Customer’s full compliance with the terms and conditions contained in these Terms, and Cellebrite granting to Customer a subscription to the Service, the Customer may access and use the Service to perform remote access to end point mobile devices solely for Customer’s Authorized Purposes and not for the benefit of any other person or entity, and in accordance with the Documentation and terms of Agreement, during the Subscription Term. Customer may not allow access and use to more Authorized Users than the Quote and respective Order Form specify.
2.4 License to Software. Subject to Customer’s full compliance with this Agreement, Cellebrite will grant Customer a revocable, non-transferable, non-sublicensable, non-exclusive, limited, personal license to download, install, execute and use the software (including any updates, modifications, patches and upgrades that Cellebrite may provide to Customer under these Terms) required for access and use of the Service as defined in the Documentation (the “Downloadable Software”), in each case solely for Customer’s Authorized Purposes and not for the benefit of any other person or entity. All references to Service include the use of Downloadable Software.
2.5 Restrictions. Customer shall not, directly or indirectly, and Customer shall not permit any User or third party to: (a) reverse engineer, decompile, disassemble or otherwise attempt to discover the object code, source code or underlying ideas or algorithms of the Service; (b) modify, translate, or create derivative works based on any element of the Service or any related Documentation; (c) rent, lease, distribute, sell, resell, assign, or otherwise transfer its rights to use the Service; (d) use the Service for timesharing purposes or otherwise for the benefit of any person or entity other than for the benefit of Customer and Authorized Users; (e) remove any proprietary notices from the Documentation; (f) publish or disclose to third parties any evaluation of the Service without Cellebrite’s prior written consent; (g) use the Service for any training purposes, other than for training Customer’s employees, where Customer charges fees or receives other consideration for such training, except as authorized by Cellebrite in writing; (g) deactivate, modify or impair the functioning of any disabling code in any Software; (h) use the Service for any purpose other than its intended purpose; (i) interfere with or disrupt the integrity or performance of the Service; (j) introduce any Open Source Software into the Service; (k) attempt to gain unauthorized access to the Service or their related systems or networks; (l) use the Service in violation of any applicable law (including but not limited to any law with respect to human rights or the rights of individuals) or to support any illegal activity or to support any illegal activity; or (n) use the Service to violate any rights of any third party.
2.6 Reservation of Rights. Except as expressly granted in these Terms, there are no other licenses granted to Customer, express, implied or by way of estoppel. All rights not granted in these Terms are reserved by Cellebrite.
2.7 Decoding Services Add On. The following terms in Clause 2.7 only apply to the extent that Customer has purchased the Decoding Services (defined below).
A) United States. If Customer purchased the Decoding Services as an add on to the Service (“Decoding Services”) in the United States, then Customer may access Cellebrite’s U.S. based SAAS cloud to decode and convert UFD files, remotely collected from mobile devices, into UFDR and RSMF files for the following authorized purposes in or involving Customer’s organization: internal investigations, investigations of fraud, intrusion, or information security events, eDiscovery performed as part of a legal proceeding; legal holds data recovery or compliance evaluation activities (collectively, “Decoding Authorized Purposes”). Cellebrite will send the decoded files to a Customer designated storage location in the United States. These files may then be uploaded into third-party workspaces. If Customer has purchased the Decoding Services in the United States, then the Data Processing Addendum attached as Exhibit B shall apply to this Agreement.
B) United Kingdom. If Customer purchased the Decoding Services in the United Kingdom, then Customer may access Cellebrite’s U.K. based SAAS cloud to decode and convert UFD files, remotely collected from mobile devices to UFDR and RSMF files for the Decoding Authorized Purposes. Cellebrite will send the decoded files to a Customer designated storage location in the United Kingdom. These files may then be uploaded into third-party workspaces. If Customer has purchased the Decoding Services in the United Kingdom, then the Data Processing Addendum attached as Exhibit A shall apply to this Agreement instead of the Data Processing Addendum attached as Exhibit B.
C) If Customer is working in third party workspaces, then Customer is solely responsible for any terms, conditions, or policies under any third-party agreements. Cellebrite does not warrant or guarantee that any third-party services or solutions procured under third-party agreements will work properly. Cellebrite disclaims any and all liability arising out of or in connection with Customer’s use of any services or solutions obtained under third-party agreements. In addition, Cellebrite is not liable for any costs associated with hosting data on any third-party services or solutions.
3. OPEN SOURCE SOFTWARE.
I. Services may use and/or be provided with third party open source software, libraries or other components (“Open Source Component”). To the extent so stipulated by the license that governs each Open Source Component (“Open Source License”), each such Open Source Component is licensed directly to Customer from its respective licensors and not sublicensed to Customer by Cellebrite, and such Open Source Component is subject to its respective Open Source License, and not to this Agreement. If, and to the extent, an Open Source Component requires that this Agreement effectively impose, or incorporate by reference, certain disclaimers, permissions, provisions, prohibitions or restrictions, then such disclaimers, permissions, provisions, prohibitions or restrictions shall be deemed to be imposed, or incorporated by reference into this Agreement, as required, and shall supersede any conflicting provision of this Agreement, solely with respect to the corresponding Open Source Component which is governed by such Open Source License.
II. If an Open Source License requires that the source code of its corresponding Open Source Component be made available to Customer, and such source code was not delivered to Customer with the Software, then Cellebrite hereby extends a written offer, valid for the period prescribed in such Open Source License, to obtain a copy of the source code of the corresponding Open Source Component, from Cellebrite. To accept this offer, Customer shall contact Cellebrite at support@cellebrite.com.
4. PASSWORDS; SECURITY.
4.1 Passwords. Customer shall ensure that each of its Authorized Users are responsible for maintaining the confidentiality of all user logins and passwords and for ensuring that each user login and password is used only by the respective Authorized User. Customer is solely responsible for any and all access and use of the Service. Customer shall restrict its Authorized Users from sharing login data or passwords. Customer shall immediately notify Cellebrite of any unauthorized use of or access to the Service, or any Security or Data Breach of which the Customer becomes aware. Cellebrite shall have no liability for any loss or damage arising from or in any way related to Customer’s failure to comply with the terms of this Section.
4.2 No Circumvention of Security. Neither Customer nor any Authorized User may circumvent or otherwise interfere with any user authentication or security of the Service. Customer will immediately notify Cellebrite of any breach, or attempted breach, of any security measures known to Customer.
4.3 Security. Customer represents and warrants that it complies, and at all times during the term of this Agreement, will comply with all data protection, privacy and security laws applicable to it in connection with the use of the Service and/or its performance under this Agreement. Cellebrite will use commercially reasonable efforts to maintain appropriate administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of Personal Information in a manner consistent with what Cellebrite supplies generally to its other customers. Notwithstanding the foregoing, Customer acknowledges that, notwithstanding any security precautions deployed by Cellebrite, the use of, or connection to, the Internet provides the opportunity for unauthorized third parties to circumvent such precautions and illegally gain access to the Service and any Customer Data that Customer chooses to place within the Service. Cellebrite does not guarantee the privacy, security, integrity or authenticity of any information transmitted over or stored in any system connected to or accessible via the Internet. Customer shall be responsible for obtaining and maintaining both the functionality and security of any equipment and ancillary services needed to connect to, access or otherwise use each Service, including modems, hardware, servers, software, operating systems, networking, web servers and the like (“Customer System”). Cellebrite shall have no liability for any delay or failure to of the Service to perform as a result of the failure of Customer to maintain any Customer System so that it is compatible with the Service.
4.4 Data Processing Addendum. Unless Customer purchases the Decoding Services, the Service is not intended for the processing of Personal Data, and Customer represents and warrants that it will not place, hold, process, store or review any Personal Data using the Service.
5. CUSTOMER OBLIGATIONS.
5.1 Customer System. Customer is responsible for (a) obtaining, deploying and maintaining the Customer System, and all computer hardware, software, modems, routers and other communications equipment necessary for Customer and its Authorized Users to access and use the Service via the Internet; (b) contracting with third party ISP, telecommunications and other service providers to access and use the Service via the Internet; and (c) paying all third party fees and access charges incurred in connection with the foregoing. Except as specifically set forth in these Terms, Cellebrite shall not be responsible for supplying any hardware, software or other equipment to Customer under these Terms.
5.2 Acceptable Use Policy. Customer shall be solely responsible for its actions and the actions of its Authorized Users while using the Service. Customer represents, warrants and agrees that it does and will: (a) abide by all local, state, national, and international laws and regulations applicable to Customer’s use of the Service, including without limitation the provision and storage of Customer Data; (b) not send or store data on or to the Service which violates the rights of any individual or entity established in any jurisdiction; (c) not upload in any way any information or content that contain Malicious Code or data that may damage the operation of the Service or another computer or mobile device; (d) not use the Service for illegal, fraudulent, unethical or inappropriate purposes; (e) not interfere or disrupt networks connected to the Service or interfere with other ability to access or use the Service; (f) not interfere with another customer’s use of the Service or another person or entity's use of similar services; (g) not use the Service in any manner that impairs the Service, including without limitation the servers and networks on which the Service is provided; (h) comply with all regulations, policies and procedures of networks connected to the Service and Cellebrite’s service providers; and (i) use the Services only in accordance with the Documentation. Customer acknowledges and agrees that Cellebrite neither endorses the contents of any Customer communications, Customer Data or other information nor assumes any responsibility for any offensive material contained therein, any infringement of third party Intellectual Property Rights arising therefrom or any crime facilitated thereby. Cellebrite may remove any violating content posted or stored using the Service or transmitted through the Service, without notice to Customer. Notwithstanding the foregoing, Cellebrite does not guarantee, and does not and is not obligated to verify, authenticate, monitor or edit the Customer Data or any other information or data input into or stored in the Service for completeness, integrity, quality, accuracy or otherwise. Customer shall be responsible and liable for the completeness, integrity, quality and accuracy of Customer Data and other information that it input into the Service. Cellebrite reserves the right to amend, alter, or modify Customer’s conduct requirements as set forth in these Terms at any time.
5.3 Use of Customer Data. During the performance of this Agreement, Cellebrite may collect and use Customer Data for the limited purpose of fulfilling the Service provided under this Agreement, including the collection of Authorized User names and email addresses.
5.4 Accuracy of Customer’s Contact Information; Email Notices. Customer agrees to provide accurate, current and complete information as necessary for Cellebrite to communicate with Customer from time to time regarding the Service, issue invoices or accept payment, or contact Customer for other account-related purposes. Customer agrees to keep any online account information current and inform Cellebrite of any changes in Customer’s legal business name, address, email address and phone number. Customer agrees to accept emails from Cellebrite at the e-mail addresses specified by its Authorized Users for login purposes. In addition, Customer agrees that Cellebrite may rely and act on all information and instructions provided to Cellebrite by Authorized Users from the above-specified e-mail address.
5.5 Temporary Suspension. Cellebrite may temporarily suspend Customer’s, or their respective Authorized Users’ access to the Service in the event: (i) that either Customer or any of their Authorized Users is engaged in, or Cellebrite in good faith suspects Customer or any of their Authorized Users is engaged in, any unauthorized or unlawful conduct (including, but not limited to any violation of these Terms), or (ii) Cellebrite is required to do so under the orders of a court or other governmental body having jurisdiction over Customer or Cellebrite. Cellebrite will attempt to contact Customer prior to or contemporaneously with such suspension; provided, however, that Cellebrite’s exercise of the suspension rights herein shall not be conditioned upon Customer’s receipt of any notification. A suspension may take effect for Customer’s entire account and Customer understands that such suspension would therefore include its Authorized User sub-accounts. Customer agrees that Cellebrite shall not be liable to Customer, or Authorized Users, or any other third party if Cellebrite exercises its suspension rights as permitted by this Section. Upon determining that Customer has ceased the unauthorized conduct leading to the temporary suspension to Cellebrite’s reasonable satisfaction, Cellebrite shall reinstate Customer’s, their respective Authorized Users’ access and use of the Service. Notwithstanding anything in this Section to the contrary, Cellebrite’s suspension of the Service is in addition to any other remedies that Cellebrite may have under these Terms or otherwise, including but not limited to termination of these Terms for cause. Additionally, if there are repeated incidences of suspension, regardless of the same or different cause and even if the cause or conduct is ultimately cured or corrected, Cellebrite may, in its reasonable discretion, determine that such circumstances, taken together, constitute a material breach.
6. AVAILABILITY; ENHANCEMENTS; AND SUPPORT.
6.1 Availability. Subject to the terms and conditions of these Terms, Cellebrite will use commercially reasonable efforts to make the Service available at least ninety-nine percent (99%) of the time as measured over the course of each calendar month during the Subscription Term; provided, however, that the following are excepted from availability commitments:
(a) Network Availability. Network Availability is defined as the Cellebrite network’s ability to pass incoming and outgoing TCP/IP traffic. A servers unavailability caused by network unavailability is not included in server uptime if such unavailability is caused by factors beyond Cellebrite’s control. Interruptions of service due to problems on the backbone or on the customer’s desktop or network are beyond Cellebrite’s control. Interruptions of service caused by denial of service or similar attacks are beyond Cellebrite’s control and are not included in downtime calculations,
(b) Planned Downtime. Cellebrite will use commercially reasonable efforts to provide advanced notice of any planned downtime,
(c) Routine Maintenance. To guarantee optimal performance of the servers and technology, Cellebrite will perform routine maintenance of the servers on a regular basis. Such maintenance may require taking Cellebrite servers off-line. Cellebrite reserves server unavailability for maintenance purpose. This server unavailability is not included in downtime calculations. The maintenance is typically performed during off-peak hours. and
(d) Force Majeure. Any unavailability caused by circumstances of Force Majeure are not included in downtime calculations.
6.2. Enhancements. Certain enhancements to the Service made generally available at no cost to all subscribing customers during the applicable Subscription Term will be made available to Customer at no additional charge. However, the availability of some new enhancements to the Service may require the payment of additional fees, and Cellebrite will determine at its sole discretion whether access to any other such new enhancements will require an additional fee. These Terms will apply to, and the Service includes, any bug fixes, error corrections, new builds, enhancements, updates, upgrades and new modules to the Service subsequently provided by Supplier to Customer hereunder.
6.3 Support. Cellebrite offers the Customer 24-7 technical online support during the Subscription Term.
7. FEES AND PAYMENT.
7.1 Price List. Cellebrite may, at its sole discretion, change its price lists or add or remove services and/or products from the price lists. Changes in price lists shall take effect within thirty (30) days from the date of notification to Customer. It is hereby clarified that changes in price lists shall not apply to services and/or products underlying an executed Order Form, however, price list changes will apply to any executed Order Form if Customer has requested an amendment to the executed Order Form and the amendment has not been accepted by Cellebrite at the time of the price list change.
7.2 Total Purchase Price. Customer shall pay Cellebrite the total price as set forth in the Order Form (“Total Purchase Price”). Cellebrite may charge Customer for any modifications to an accepted Order Form.
7.3 Quoted Price. Unless otherwise agreed in writing, all prices quoted in the Order Form (“Quoted Price”) shall be paid by Customer to the account(s) indicated by Cellebrite. All payments shall be made in US currency or other currency mutually agreed by the Parties. The payment is considered made at the date when the amounts effectively reach Cellebrite’s bank account. The Quoted Price does not include transportation, insurance, federal, state, local, excise, value-added, use, sales, property (ad valorem), and similar taxes or duties. In addition to the Quoted Price, Customer shall pay all taxes, fees, or charges imposed by any governmental authority. If Cellebrite is required to collect the foregoing, Customer will pay such amounts promptly unless it has provided Cellebrite with a satisfactory valid tax exemption certificate authorized by the appropriate taxing authority.
7.4 Terms of Payment and Default Interest. Payment for the Service under any confirmed Order Form shall be in accordance with the payment terms set forth in the Cellebrite Quote, issued by Cellebrite pursuant to this Agreement (the “Quote”). Failure to make due payment in accordance with the terms of the Quote may cause Cellebrite to apply an interest charge of up to one and one-half percent (1.5%) per month (but not to exceed the maximum lawful rate) on all amounts which are not timely and duly paid, accruing daily and compounding monthly from the date such amounts were due. Customer shall reimburse Cellebrite for all costs and expenses incurred by Cellebrite in connection with the collection of overdue amounts, including attorneys’ fees. Customer shall not be permitted to set off any deductions against any amounts due to Cellebrite.
7.5 Suspension of Service. If any amounts owed by Customer for the Service are thirty (30) or more days overdue, Cellebrite may, without limiting Cellebrite’s other rights and remedies, suspend Customer’s and its Authorized Users’ access to the Service until such amounts are paid in full.
7.6 Payment Disputes. Cellebrite agrees that it will not exercise its rights under this Section 7 if the applicable charges are under reasonable and good-faith dispute and Customer is cooperating diligently to resolve the dispute.
7.7 Taxes. “Taxes” means all taxes, levies, imposts, duties, fines or similar governmental assessments imposed by any jurisdiction, country or any subdivision or authority thereof including, but not limited to federal, state or local sales, use, property, excise, service, transaction, privilege, occupation, gross receipts or similar taxes, in any way connected with these Terms or any instrument, order form or agreement required hereunder, and all interest, penalties or similar liabilities with respect thereto, except such taxes imposed on or measured by a party’s net income. Notwithstanding the foregoing, Taxes shall not include payroll taxes attributable to the compensation paid to workers or employees and each party shall be responsible for its own federal and state payroll tax collection, remittance, reporting and filing obligations. Fees and charges imposed under these Terms or under any order form or similar document ancillary to or referenced by these Terms shall not include Taxes except as otherwise provided herein. Customer shall be responsible for all of such Taxes. If, however, Cellebrite has the legal obligation to pay Taxes and is required or permitted to collect such Taxes for which Customer is responsible under this section, Customer shall promptly pay the Taxes invoiced by Cellebrite unless Customer has furnished Cellebrite with valid tax exemption documentation regarding such Taxes at the execution of these Terms or at the execution of any subsequent instrument, order form or agreement ancillary to or referenced by these Terms. Customer shall comply with all applicable tax laws and regulations. Customer hereby agrees to indemnify Cellebrite for any Taxes and related costs paid or payable by Cellebrite attributable to Taxes that would have been Customer’s responsibility under this Section 8.6 if invoiced to Customer. Customer shall promptly pay or reimburse Cellebrite for all costs and damages related to any liability incurred by Cellebrite as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligation under this Section 8.6 shall survive the termination or expiration of these Terms.
8. REPRESENTATIONS AND WARRANTIES; DISCLAIMER.
8.1 Mutual Representations and Warranties. Each party represents, warrants and covenants that: (a) it has the full power and authority to enter into these Terms and to perform its obligations hereunder, without the need for any consents, approvals or immunities not yet obtained; and (b) its acceptance of and performance under these Terms shall not breach any oral or written agreement with any third party or any obligation owed by it to any third party to keep any information or materials in confidence or in trust.
8.2 Customer Representations and Warranties. Customer represents, warrants and covenants that during the term of these Terms that (a) only Authorized Users who have obtained any necessary consents and approvals pursuant to applicable laws shall be permitted to use the Service; (b) Customer will obtain any necessary approval, consent, authorization, release, clearance or license of any third party and any release related to any rights of privacy or publicity required in connection with Customer’s or its Authorized Users’ use of the Service and Customer Data, and (c) Customer and its Authorized Users shall use the Service in compliance all applicable federal, state and local laws, rules and regulations including without limitation those related to data privacy, protection and security.
8.3 Service Warranty. Cellebrite warrants that during the relevant Subscription Term, the Service will conform, in all material respects, with the Documentation, PROVIDED, HOWEVER, THAT CELLEBRITE DOES NOT MAKE, AND HEREBY DISCLAIMS ANY REPRESENTATIONS OR WARRANTIES CONCERNING THE PROPER STORAGE OF THE CUSTOMER DATA (WHETHER IN ITS INBOUND OUTBOUND FORM), OR ITS DATA-INTEGRITY, AVAILABILITY OR ABSENCE OF MODIFICATIONS THERETO. For a breach of the foregoing warranty, Cellebrite will, at no additional cost to Customer, provide remedial services necessary to enable the Service to conform to the warranty. The Customer will provide Cellebrite with a reasonable opportunity to remedy any breach and reasonable assistance in remedying any defects. Such warranty shall only apply if the Service has been utilized by the Customer in accordance with the Order Form and this Agreement.
8.4 Disclaimer. EXCEPT FOR THE WARRANTIES SET FORTH IN THIS SECTION 9, THE SERVICE, THIRD PARTY OFFERINGS AND ANY NON-GA SERVICES ARE PROVIDED ON AN AS-IS BASIS. CUSTOMER’S USE OF THE SERVICE, THIRD-PARTY OFFERINGS AND NON-GA SERVICES IS AT ITS OWN RISK. CELLEBRITE DOES NOT MAKE, AND HEREBY DISCLAIMS, ANY AND ALL OTHER EXPRESS, STATUTORY AND IMPLIED REPRESENTATIONS AND WARRANTIES, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT AND TITLE, QUALITY, SUITABILITY, OPERABILITY, CONDITION, SYSTEM INTEGRATION, NON-INTERFERENCE, WORKMANSHIP, TRUTH, ACCURACY (OF DATA OR ANY OTHER INFORMATION OR CONTENT), THE PROPER STORAGE OF THE CUSTOMER DATA (WHETHER IN ITS INBOUND OUTBOUND FORM), OR ITS DATA-INTEGRITY, AVAILABILITY OR ABSENCE OF MODIFICATIONS THERETO, ABSENCE OF DEFECTS, WHETHER LATENT OR PATENT, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. THE EXPRESS WARRANTIES MADE BY CELLEBRITE IN SECTION 10 ARE FOR THE BENEFIT OF THE CUSTOMER ONLY AND NOT FOR THE BENEFIT OF ANY THIRD PARTY. ANY SOFTWARE PROVIDED THROUGH THE SERVICE IS LICENSED AND NOT SOLD.
8.5 NO AGENT OF CELLEBRITE IS AUTHORIZED TO ALTER OR EXPAND THE WARRANTIES OF CELLEBRITE AS SET FORTH HEREIN. CELLEBRITE DOES NOT WARRANT THAT: (A) THE USE OF THE SERVICES OR NON-GA SERVICES WILL BE SECURE, TIMELY, UNINTERRUPTED OR ERROR-FREE OR OPERATE IN COMBINATION WITH ANY OTHER HARDWARE, SOFTWARE, SYSTEM OR DATA; (B) THE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS; (C) ANY STORED CUSTOMER DATA WILL BE ACCURATE OR RELIABLE; (D) THE QUALITY OF ANY INFORMATION OR OTHER MATERIAL OBTAINED BY CUSTOMER THROUGH THE SERVICES OR NON-GA SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS; (E) THE SERVICES AND NON-GA SERVICES WILL BE ERROR-FREE OR THAT ERRORS OR DEFECTS IN THE SERVICES AND NON-GA SERVICES WILL BE CORRECTED; OR (F) THE SERVER(S) THAT MAKE THE SERVICES AND NON-GA SERVICES AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. THE SERVICES AND NON-GA SERVICES MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF THE INTERNET AND ELECTRONIC COMMUNICATIONS. CELLEBRITE IS NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGES RESULTING FROM SUCH PROBLEMS.
9. INDEMNIFICATION.
9.1 Cellebrite Indemnity.
I. General. During the Subscription Term, Cellebrite shall defend and indemnify Customer from and against all actions, proceedings, claims and demands in each case by a third party (a “Third-Party Claim”) alleging that the Service infringes or misappropriates a patent, copyright or trademark registered in the USA and shall pay all damages, costs and expenses, including attorneys’ fees and costs (whether by settlement or award of by a final judicial judgment) payable to the Third Party bringing such Third-Party Claim. Cellebrite’s obligations under this Section are conditioned upon (i) Customer promptly notifying Cellebrite in writing of any claim under this Section, (ii) Cellebrite having the sole and exclusive right to control the defense and settlement of the claim, and (iii) Customer providing all reasonable assistance (at Cellebrite’s expense and reasonable request) in the defense of such claim. In no event shall Customer settle any claim without Cellebrite’s prior written approval. Customer may, at its own expense, engage separate counsel to advise Customer regarding a Claim and to participate in the defense of the claim, subject to Cellebrite’s right to control the defense and settlement.
II. Mitigation. If any claim which Cellebrite is obligated to defend has occurred, or in Cellebrite’s determination is likely to occur, Cellebrite may, in its sole discretion and at its option and expense (a) obtain for Customer the right to use the Service, (b) substitute a functionality equivalent, non-infringing replacement for such the Service, (c) modify the Service to make it non-infringing and functionally equivalent, or (d) terminate these Terms and refund to Customer any prepaid amounts attributable the period of time between the date Customer was unable to use the Service due to such claim and the remaining days in the then-current Subscription Term.
III. Exclusions. Notwithstanding anything to the contrary in these Terms, the foregoing obligations shall not apply with respect to a claim of infringement if such claim arises out of (i) Customer’s use of infringing Customer Data; (ii) use of the Service in combination with any software, hardware, network or system not supplied by Cellebrite where the alleged infringement relates to such combination, (iii) any modification or alteration of the Service other than by Cellebrite, (iv) Customer’s continued use of the Service after Cellebrite notifies Customer to discontinue use because of an infringement claim, (v) Customer’s violation of applicable law; (vi) Third Party Offerings; and (vii) Customer System.
IV. Sole Remedy. THE FOREGOING STATES THE ENTIRE LIABILITY OF CELLEBRITE WITH RESPECT TO THE INFRINGEMENT OF ANY INTELLECTUAL PROPERTY OR PROPRIETARY RIGHTS BY THE SERVICE OR OTHERWISE, AND CUSTOMER HEREBY EXPRESSLY WAIVES ANY OTHER REMEDIES, LIABILITIES OR OBLIGATIONS OF CELLEBRITE WITH RESPECT THERETO.
9.2 Customer Indemnity. Customer shall defend and indemnify Cellebrite and its Affiliates, licensors and their respective officers, directors and employees (“Cellebrite Indemnified Parties”) from and against any and all Third-Party Claims which arise out of or relate to: (a) a claim or threat that the Customer Data or Customer System (and the exercise by Cellebrite of the rights granted herein with respect thereto) infringes, misappropriates or violates any third party’s Intellectual Property Rights; (b) Customer’s use or alleged use of the Service other than as permitted under or in breach of these Terms, including without limitation using the Service in a manner that violates applicable law including without limitation a person’s Fourth Amendment rights under the United States Constitution or Customer’s failure to provide any notice, or obtain any consent, approval or release with respect to the use of Customer Data in connection with the Service as required by applicable law; (c) Customer’s failure to comply with applicable law; or (d) an allegation that the Cellebrite System infringes, misappropriates or violates any third party’s Intellectual Property Rights that results from (i) Customer’s use of the Service in combination with any software, hardware, network or system not supplied by Cellebrite where the alleged infringement relates to such combination, (ii) any modification or alteration of the Service other than by Cellebrite, (iii) Customer’s continued use of the Service after Cellebrite notifies Customer to discontinue use because of an infringement claim, (iv) Customer’s violation of applicable law; or (v) Third Party Offerings. Customer shall pay all damages, costs and expenses, including attorneys’ fees and costs (whether by settlement or award of by a final judicial judgment) paid to the Third Party bringing any such Third-Party Claim. Customer’s obligations under this Section are conditioned upon (x) Customer being promptly notified in writing of any claim under this Section, (y) Customer having the sole and exclusive right to control the defense and settlement of the claim, and (z) Cellebrite providing all reasonable assistance (at Customer’s expense and reasonable request) in the defense of such claim. In no event shall Cellebrite settle any claim without Customer’s prior written approval. Cellebrite may, at its own expense, engage separate counsel to advise Cellebrite regarding a Third-Party Claim and to participate in the defense of the claim, subject to Customer’s right to control the defense and settlement.
10. CONFIDENTIALITY.
10.1 Confidential Information. “Confidential Information” means any and all non-public technical and non-technical information disclosed by one party (the “Disclosing Party”) to the other party (the “Receiving Party”) in any form or medium, whether oral, written, graphical or electronic, pursuant to these Terms, that is marked confidential and proprietary, or that the Disclosing Party identifies as confidential and proprietary, or that by the nature of the circumstances surrounding the disclosure or receipt ought to be treated as confidential and proprietary information, including but not limited to: (a) techniques, sketches, drawings, models, inventions (whether or not patented or patentable), know-how, processes, apparatus, formulae, equipment, algorithms, software programs, software source documents, APIs, and other creative works (whether or not copyrighted or copyrightable); (b) information concerning research, experimental work, development, design details and specifications, engineering, financial information, procurement requirements, purchasing, manufacturing, customer lists, business forecasts, sales and merchandising and marketing plans and information; (c) proprietary or confidential information of any third party who may disclose such information to Disclosing Party or Receiving Party in the course of Disclosing Party’s business; and (d) the terms of these Terms or any Order Form. Confidential Information of Cellebrite shall include the Service, the documentation, the pricing, and the terms and conditions of this agreement. Confidential Information also includes all summaries and abstracts of Confidential Information.
10.2 Non-Disclosure. Each party acknowledges that in the course of the performance of these Terms, it may obtain the Confidential Information of the other party. The Receiving Party shall, at all times, both during the Term and thereafter, keep in confidence and trust all of the Disclosing Party’s Confidential Information received by it. The Receiving Party shall not use the Confidential Information of the Disclosing Party other than as necessary to fulfill the Receiving Party’s obligations or to exercise the Receiving Party’s rights under these Terms. Each party agrees to secure and protect the other party’s Confidential Information with the same degree of care and in a manner consistent with the maintenance of such party’s own Confidential Information (but in no event less than reasonable care), and to take appropriate action by instruction or agreement with its employees or other agents who are permitted access to the other party’s Confidential Information to satisfy its obligations under this Section. The Receiving Party shall not disclose Confidential Information of the Disclosing Party to any person or entity other than its officers, employees, affiliates and agents who need access to such Confidential Information in order to effect the intent of these Terms and who are subject to confidentiality obligations at least as stringent as the obligations set forth in these Terms.
10.3 Exceptions to Confidential Information. The obligations set forth in Section 11.2 (Non-Disclosure) shall not apply to the extent that Confidential Information includes information which: (a) was known by the Receiving Party prior to receipt from the Disclosing Party either itself or through receipt directly or indirectly from a source other than one having an obligation of confidentiality to the Disclosing Party; (b) was developed by the Receiving Party without use of the Disclosing Party’s Confidential Information; or (c) becomes publicly known or otherwise ceases to be secret or confidential, except as a result of a breach of these Terms or any obligation of confidentiality by the Receiving Party. Nothing in these Terms shall prevent the Receiving Party from disclosing Confidential Information to the extent the Receiving Party is legally compelled to do so by any governmental investigative or judicial agency pursuant to proceedings over which such agency has jurisdiction; provided, however, that prior to any such disclosure, the Receiving Party shall (x) assert the confidential nature of the Confidential Information to the agency; (y) to the extent permitted by applicable law, immediately notify the Disclosing Party in writing of the agency’s order or request to disclose; and (z) cooperate fully with the Disclosing Party in protecting against any such disclosure and in obtaining a protective order narrowing the scope of the compelled disclosure and protecting its confidentiality.
10.4 Injunctive Relief. The Parties agree that any unauthorized disclosure of Confidential Information may cause immediate and irreparable injury to the Disclosing Party and that, in the event of such breach, the Disclosing Party will be entitled, in addition to any other available remedies, to seek immediate injunctive and other equitable relief, without bond and without the necessity of showing actual monetary damages.
11. Proprietary Rights.
11.1 Service. As between Cellebrite and Customer, all right, title and interest in the Service and any other Cellebrite materials furnished or made available hereunder, and all modifications and enhancements thereof, and all suggestions, ideas and feedback proposed by Customer regarding the Service, including all copyright rights, patent rights and other Intellectual Property Rights in each of the foregoing, belong to and are retained solely by Cellebrite or Cellebrite’s licensors and providers, as applicable. Customer hereby does and will irrevocably assign to Cellebrite all evaluations, ideas, feedback and suggestions made by Customer to Cellebrite regarding the Service (collectively, “Feedback”) and all Intellectual Property Rights in the Feedback.
11.2 Customer Data. As between Cellebrite and Customer, all right, title and interest in the Customer Data, and all Intellectual Property Rights therein, belong to and are retained solely by Customer. Customer hereby grants to Cellebrite a limited, non-exclusive, royalty-free, worldwide license to use the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Cellebrite to provide the Services to Customer. To the extent that receipt of the Customer Data requires Cellebrite to utilize any account information from a third party service provider, Customer shall be responsible for obtaining and providing relevant account information and passwords, and Cellebrite hereby agrees to access and use the Customer Data solely for Customer’s benefit and as set forth in these Terms. As between Cellebrite and Customer, Customer is solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Customer Data.
11.3 Aggregated Statistics. Notwithstanding anything else in these Terms or otherwise, Cellebrite may monitor Customer’s use of the Service and use customer usage data or other information in an aggregate and anonymous manner, including to compile statistical and performance information related to the provision and operation of the Services (“Aggregated Statistics”). As between Cellebrite and Customer, all right, title and interest in the Aggregated Statistics and all Intellectual Property Rights therein, belong to and are retained solely by Cellebrite. Customer acknowledges that Cellebrite will be compiling Aggregated Statistics based on Customer Data, or other information input by other customers into the Service and Customer agrees that Cellebrite may (a) make such Aggregated Statistics publicly available, and (b) use such information to the extent and in the manner permitted by applicable law or regulation and for any purpose of data gathering, analysis, service enhancement and marketing, provided that such data and information does not identify Customer or its Confidential Information.
11.4 Cellebrite Developments. All inventions, works of authorship and developments conceived, created, written, or generated by or on behalf of Cellebrite, whether solely or jointly, including all deliverables (“Cellebrite Developments”) and all Intellectual Property Rights therein, shall be the sole and exclusive property of Cellebrite. Customer agrees that, except for Customer Confidential Information, to the extent that the ownership of any contribution by Customer or its employees to the creation of the Cellebrite Developments is not, by operation of law or otherwise, vested in Cellebrite, Customer hereby assigns and agrees to assign to Cellebrite all right, title and interest in and to such Cellebrite Developments, including without limitation all the Intellectual Property Rights therein, without the necessity of any further consideration.
11.5 Further Assurances. To the extent any of the rights, title and interest in and to Feedback or Cellebrite Developments or Intellectual Property Rights therein cannot be assigned by Customer to Cellebrite, Customer hereby grants to Cellebrite an exclusive, royalty-free, transferable, irrevocable, worldwide, fully paid-up license (with rights to sublicense through multiple tiers of sublicensees) to fully use, practice and exploit those non-assignable rights, title and interest. If the foregoing assignment and license are not enforceable, Customer agrees to waive and never assert against Cellebrite those non-assignable and non-licensable rights, title and interest. Customer agrees to execute any documents or take any actions as may reasonably be necessary, or as Cellebrite may reasonably request, to perfect ownership of the Feedback and Cellebrite Developments. If Customer is unable or unwilling to execute any such document or take any such action, Cellebrite may execute such document and take such action on Customer’s behalf as Customer’s agent and attorney-in-fact. The foregoing appointment is deemed a power coupled with an interest and is irrevocable.
11.6 License to Deliverables. Subject to Customer’s compliance with these Terms, Cellebrite hereby grants Customer a limited, non-exclusive, non-transferable license during the Subscription Term to use the deliverables solely in connection with Customer’s authorized use of the Service. Notwithstanding any other provision of these Terms: (i) nothing herein shall be construed to assign or transfer any Intellectual Property Rights in the proprietary tools, source code samples, templates, libraries, know-how, techniques and expertise (“Tools”) used by Cellebrite to develop the deliverables, and to the extent such Tools are delivered with or as part of the deliverables, they are licensed, not assigned, to Customer, on the same terms as the deliverables; and (ii) the term “deliverables” shall not include the Tools.
12. LIMITATION OF LIABILITY.
12.1 No Consequential Damages. NEITHER CELLEBRITE NOR ITS LICENSORS OR AFFILIATES SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, OR ANY DAMAGES FOR LOST DATA, BUSINESS INTERRUPTION, LOST PROFITS, LOST REVENUE OR LOST BUSINESS, ARISING OUT OF OR IN CONNECTION WITH THESE TERMS, EVEN IF CELLEBRITE OR ITS LICENSORS OR AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING WITHOUT LIMITATION, ANY SUCH DAMAGES ARISING OUT OF THE LICENSING, PROVISION OR USE OF THE SERVICE OR THE RESULTS THEREOF.
12.2 Limits on Liability. NEITHER CELLEBRITE NOR ITS LICENSORS OR AFFILIATES SHALL BE LIABLE FOR CUMULATIVE, AGGREGATE DAMAGES GREATER THAN AN AMOUNT EQUAL TO THE AMOUNTS PAID BY CUSTOMER TO CELLEBRITE UNDER THESE TERMS DURING THE PERIOD OF TWELVE (12) MONTHS PRECEDING THE DATE ON WHICH THE CLAIM FIRST ACCRUED, LESS THE AMOUNTS PREVIOUSLY PAID BY CELLEBRITE TO SATISFY LIABILITY UNDER THIS AGREEMENT.
12.3 Essential Purpose. CUSTOMER ACKNOWLEDGES THAT THE TERMS IN THIS SECTION 13 (LIMITATION OF LIABILITY) SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND SHALL APPLY EVEN IF AN EXCLUSIVE OR LIMITED REMEDY STATED HEREIN FAILS OF ITS ESSENTIAL PURPOSE, AND WITHOUT REGARD TO WHETHER SUCH CLAIM IS BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE.
13. TERM AND TERMINATION.
13.1 Term. The term of these Terms commences on the Effective Date and continues until the expiration or termination of all Subscription Term(s), unless earlier terminated as provided in these Terms
13.2 Termination for Cause. Cellebrite may terminate this Agreement: (i) for its convenience by giving the Customer (30) days’ prior written notice; (ii) by giving the Customer a written notice to be immediately effective in case the Customer causes a material or continuous breach hereof (“continuous” meaning two or more occurrences of the same breach). All of Customer’s obligations under this Agreement shall survive the expiration or termination of the Agreement. Termination of this Agreement will not entitle Customer to any deduction of the Quoted Price or any refund of any prepaid fees. Cellebrite may terminate the Agreement and revoke the license granted hereunder by giving the other Party a written notice to be immediately effective in case Cellebrite reasonably determines that it can no longer comply with the terms of the Agreement in accordance with the requirement of any applicable law, rule and/or regulations. Termination of the Agreement in accordance with this Section shall not impose on Cellebrite liability of any kind.
13.3 Effects of Termination. Upon expiration or termination of these Terms: (a) Customer’s use of and access to the Service shall cease; (b) all Order Forms shall terminate; and (c) all fees and other amounts owed to Cellebrite shall be immediately due and payable by Customer, including without limitation. Upon Customer’s request made within ten (10) days after the effective date of applicable termination or expiration, Cellebrite shall make any Customer Data stored on the Service available, for a period of 30 days, for download by Customer in the format in which it is stored in the Service. After such 30-day period, Cellebrite shall have no obligation to maintain or provide any Customer Data and may thereafter, unless legally prohibited, delete all Customer Data in its systems or otherwise in its possession or under its control. In addition, within thirty (30) days of the effective date of termination, Customer shall: (a) return to Cellebrite, or at Cellebrite’s option, Customer shall destroy all items of Confidential Information (other than the Customer Data) in Customer’s possession or control, including any copies, extracts or portions thereof, and (b) upon request shall certify in writing to Cellebrite that it has complied with the foregoing.
13.4 Survival. This Section and Sections 1, 2.3, 2.4, 7, 8, 10, 12, 13, 15.4, 16 and any other Section or Appendix which should reasonably survive termination of this Agreement, shall continue to be in force and effect after termination or expiry of this Agreement.
14. MISCELLANEOUS.
14.1 Notices. All notices which any party to these Terms may be required or may wish to give may be given by addressing them to the other party at the addresses set forth below (or at such other addresses as may be designated by written notices given in the manner designated herein) by (a) personal delivery, (b) sending such notices by commercial overnight courier with written verification of actual receipt, (c) by email, effective (A) when the sender receives an automated message from the recipient confirming delivery or (B) one hour after the time sent (as recorded on the device from which the sender sent the email) unless the sender receives an automated message that the email has not been delivered, whichever happens first, but if the delivery or receipt is on a day which is not a business day or is after 5:00 pm (addressee’s time) it is deemed to be received at 9:00 am on the following business day, or (d) sending them by registered or certified mail. If so mailed or otherwise delivered, such notices shall be deemed and presumed to have been delivered on the earlier of the date of actual receipt or three (3) days after mailing or authorized form of delivery. All communications and notices to be made or given pursuant to these Terms shall be in the English language.
14.2 Governing Law. This Agreement and any disputes or claims arising hereunder are governed by the laws of, and subject to the exclusive jurisdiction of, the country of incorporation of the Cellebrite entity that sold the Service to Customer, without giving effect to any choice of law rules or principles. In case of sales or licenses in the United States of America, this Agreement and any disputes or claims arising hereunder are governed by the laws of the State of New York and subject to the exclusive jurisdiction of the federal or state courts in New York, without giving effect to any conflict of Law rules or principles. Notwithstanding anything to the contrary, in the event that the entity that sold theService to the Customer is Cellebrite GmbH, this Agreement shall be governed by and construed in accordance with the law of England and Wales and the Parties hereby submit to the exclusive jurisdiction of the London courts and, without giving effect to any conflict of law rules or principles. The United Nations Convention on Contracts for the International Sale of Goods (except that sales or licenses in the United States of America shall not exclude the application of General Obligations Law 5-1401), and the Uniform Computer Information Transactions Act do not apply to this Agreement. Cellebrite may, at its sole discretion, initiate any dispute or claim against Customer, including for injunctive relief, in any jurisdiction permitted by applicable law.
14.3 Inapplicable Terms and Provisions – VOID AB INITIO. This Section only applies to U.S. local, county, state, governmental agencies and other U.S. law enforcement agencies that are state or federally funded by the United States Government. Subject to the foregoing statements, to the extent that any term or provision of the Agreement, is considered void ab initio, or is otherwise unenforceable against Customer pursuant to applicable U.S. Law that expressly prohibits Customer from agreeing to such term or condition, then such conflicting term or provision in this Agreement shall be struck to the extent to make such term or provision enforceable, and the remaining language, if any, shall remain in full force and effect.
14.4 Regulation. The Service utilizes software and technology that may be subject to certain export, re-export, customs or import controls, applicable in Israel, the European Union, the United States and/or other countries. Said regulations include but are not limited to the provisions of the US Export Administration Regulations (EAR) and the provisions of the regulations of the European Union. Customer expressly warrants, represents and covenants that it shall comply fully with all applicable export laws, regulations and any relevant jurisdictions to ensure that the Service is not exported or re-exported in violation of such laws and regulations, or used for any purposes prohibited by such laws and regulations. As the Service is subject to export control laws and regulations, Customer shall not export or "re-export" (transfer) the Service unless the Customer has complied with all applicable controls. Customer acknowledges and agrees that the Service shall not be used, and none of the underlying information, software, or technology may be transferred or otherwise exported or re-exported to countries as to which the United States maintains an embargo (collectively, “Embargoed Countries”), or to or by a national or resident thereof, or any person or entity on the U.S. Department of Treasury’s List of Specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders (collectively, “Designated Nationals”). The lists of Embargoed Countries and Designated Nationals are subject to change without notice. By using the Service, Customer represents and warrants that it is not located in, under the control of, or a national or resident of an Embargoed Country or Designated National. The Service may use encryption technology that is subject to licensing requirements under the U.S. Export Administration Regulations, 15 C.F.R. Parts 730-774 and Council Regulation (EC) No. 1334/2000. Customer agrees to comply strictly with all applicable export laws and assume sole responsibility for obtaining licenses to export or re-export as may be required. Cellebrite and its licensors make no representation that the Service is appropriate or available for use in other locations. Any diversion of the Customer Data contrary to law is prohibited. None of the Customer Data, nor any information acquired through the use of the Service, is or will be used for nuclear activities, chemical or biological weapons, or missile projects. If Customer violates this Section, or Cellebrite suspects that Customer has violated this section, then Cellebrite has the right to immediately suspend or terminate the Service.
14.5 Compliance. Customer is obligated to comply with the law applicable in connection with the business relationship with Cellebrite. Customer will comply with Cellebrite’s Business Conduct Policy. Customer represents, warrants and covenants that it shall not engage in any deceptive, misleading, illegal or unethical practices that may be detrimental to Cellebrite or to any of Cellebrite’s services and/or products, including but not limited to the Service and shall only use the Service in compliance with all applicable laws and regulations (including, without limitation, data protection, privacy, computer misuse, telecommunications interception, intellectual property, and import and export compliance laws and regulations or the applicable foreign equivalents). Customer, its subsidiaries and affiliates will not (i) offer, promise or grant any benefit to a public official for that person or a third party for the discharge of a duty; (ii) offer, promise or grant an employee or an agent of a business for competitive purposes a benefit for itself or a third party in a business transaction as consideration for an unfair preference in the purchase of goods or commercial services; (iii) demand, allow itself to be promised or to accept a benefit for itself or another in a business transaction as consideration for an unfair preference to another in the competitive purchase of goods or commercial services, and; (iv) violate any applicable anticorruption regulations and, if applicable, not to violate the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act or any other applicable antibribery or anti-corruption law. Customer further represents, covenants and warrants that it has, and shall cause each of its subsidiaries and/or affiliates to, maintain systems of internal controls (including, but not limited to, accounting systems, purchasing systems and billing systems) to ensure compliance with the FCPA, the U.K. Bribery Act or any other applicable anti-bribery or anti-corruption law. Upon Cellebrite's request, Customer will confirm in writing that it complies with this Section and is not aware of any breaches of the obligations under this Section. If Cellebrite reasonably suspects that Customer is not complying with this Section then, after notifying Customer regarding the reasonable suspicion, Cellebrite may demand that Customer, in accordance with applicable law, permit and participate in - at its own expense - auditing, inspection, certification or screening to verify Customer’s compliance with this Section. Any such inspection can be executed by Cellebrite or its third-party representative. In the event Customer is in contact with a Government Official concerning Cellebrite, discussing or negotiating, or Customer engages a third party to do so, Customer is obligated (i) to inform Cellebrite in advance and in writing, clearly defining the scope of the interaction, (ii) upon request, to provide Cellebrite with a written record of each conversation or meeting with a Government Official and (iii) to provide Cellebrite monthly a detailed expense report, with all original supporting documentation. A “Government Official” is any person performing duties on behalf of a public authority, government agency or department, public corporation or international organization. Cellebrite may immediately terminate this Agreement and any applicable Order Form if Customer violates its obligations under this Section. Nothing contained in this Section shall limit any additional rights or remedies available to Cellebrite. Customer shall indemnify Cellebrite and Cellebrite's employees from any liability claims, demands, damages, losses, costs and expenses that result from a culpable violation of this Section by Customer. Customer will pass on the provision of this Section to its affiliates and bind its affiliates accordingly and verify the compliance of its subsidiaries or affiliates with the provisions of this Section.
14.6 Assignment. Customer shall not assign its rights hereunder or delegate the performance of any of its duties or obligations hereunder, whether by merger, acquisition, sale of assets, operation of law, or otherwise, without the prior written consent of Cellebrite. Any purported assignment in violation of the preceding sentence is null and void. Subject to the foregoing, these Terms shall be binding upon, and inure to the benefit of, the successors and assigns of the parties thereto. There are no third-party beneficiaries to these Terms.
14.7 Amendment. These Terms may be amended or supplemented from time to time at Cellebrite’s sole discretion.
14.8 Interpretation; Severability. If any of these Terms is found invalid or unenforceable that term will be enforced to the maximum extent permitted by law and the remainder of the Terms will remain in full force.
14.9 Independent Contractors. The parties are independent contractors, and nothing contained herein shall be construed as creating an agency, partnership, or other form of joint enterprise between the parties.
14.10 Entire Agreement. These Terms, including all applicable Order Forms, and Statements of Work, constitute the entire agreement between the parties relating to this subject matter and supersedes all prior or simultaneous understandings, representations, discussions, negotiations, and agreements, whether written or oral.
14.11 Force Majeure. Except for your payment obligations hereunder, neither party shall be liable to the other party or any third party for failure or delay in performing its obligations under these Terms when such failure or delay is due to any cause beyond the control of the party concerned, including, without limitation, acts of God, governmental orders or restrictions, fire, or flood, provided that upon cessation of such events such party shall thereupon promptly perform or complete the performance of its obligations hereunder.
Exhibit A
Data Processing Addendum
This Data Processing Addendum (“Addendum”) is entered into by and between Cellebrite and Customer.
THEREFORE, the parties have agreed to this Addendum, consisting of four parts:
§ Part One applies with general provision.
§ Party Two applies with respect to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and supplementary GDPR legislations in EU member states), but only if Cellebrite Services to the Customer operate or Process Personal Data to any extent, in countries that are not member states of the European Economic Area, and are not territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR.
§ Part Three applies with respect to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and supplementary GDPR legislations in EU member states), but only if Cellebrite Services to the Customer operate and Process Personal Data exclusively in member states of the European Economic Area, or in territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR.
§ Part Four applies with respect to the California Consumer Privacy Act of 2018 (CCPA).
Part 1
1. In the event of any conflicting stipulations between this Addendum and the Agreement or any other agreement in place between the parties, the stipulations of this Addendum shall prevail.
2. Any limitation of liability pursuant the Agreement shall apply to liability arising from or in connection with breach of this Addendum.
3. Cellebrite has appointed the person listed below as a contact person for data protection purposes:
Mr. Chen Laufer, Compliance Officer, chen.laufer@cellebrite.com.
Part 2
1. Capitalized terms used in this Part 2 of the Addendum but not defined in the Addendum or in the Agreement have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR) and in Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
2. This Part 2 applies only where Cellebrite is Processing Personal Data as a Data Processor on behalf of the Customer and under the Customer’s instructions, where the Customer is a Data Controller subject to the GDPR with respect to the Personal Data that Cellebrite Processes. It does not apply to Cellebrite’s Processing Personal Data of Customer’s representatives to market or promote its products, to administer the business or contractual relationship between Cellebrite and the Customer or in other instances where Cellebrite operates as the Data Controller.
3. Customer and Cellebrite hereby assent to the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as follows:
3.1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: Transfer controller to processor: The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).
3.2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The Parties agree that this shall be the law of Ireland.
3.3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The Parties agree that those shall be the courts of Ireland.
3.4. In Annex I, for MODULE TWO: Transfer controller to processor:
3.4.1. Data Exporter: Customer.
3.4.1.1. Activities relevant to the data transferred under these Clauses: A business with a need to extract, review and analyze intelligence from digital devices and online platforms.
3.4.1.2. Role: controller
3.4.2. Data Importer: Cellebrite.
3.4.2.1. Activities relevant to the data transferred under these Clauses: Develops and operates a software-as-a-service solution for extracting, obtaining, reviewing and analyzing intelligence from digital devices and online platforms.
3.4.2.2. Role: processor.
3.5. Description of Transfer:
3.5.1. Categories of data subjects whose personal data is transferred: Individuals using the digital devices from which the intelligence is gathered, and their contacts.
3.5.2. Categories of data transferred: contact information, messages and emails, correspondence, location information, photos, data related to use of online platform, and other information extracted from digital devices.
3.5.3. Sensitive data transferred: to the extent present on the digital device and extracted at the instruction of the Customer: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
3.5.4. The frequency of the transfer: On a continuous basis, as needed in the use of the Services.
3.5.5. Nature of the processing: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, disclosure by transmission, alignment or combination, restriction, erasure and destruction.
3.5.6. Purpose(s) of the data transfer and further processing: extraction, review and analysis of intelligence from digital devices and online platforms.
3.5.7. The period for which the personal data will be retained: For the duration of the Services.
3.5.8. Transfers to the following main (sub-) processors:
|
Name of sub-processor |
Subject matter and nature of sub-processor processing |
Duration of sub-processing |
|
Amazon AWS |
Cloud infrastructure provider |
Duration of the engagement |
3.5.9. Competent Supervisory Authority: the supervisory authority in the EU member state where the data exporter’s EU representative under Article 27 of the GDPR is located.
3.6. In Annex II, for MODULE TWO: Transfer controller to processor:
3.6.1. Information Security Policies & Standards: Cellebrite’s Information Security Policy sets forth general information security policy statements applicable to Cellebrite’s computer and network systems and all information contained on those systems or relating to Cellebrite’s business activities:
• Information must be consistently protected in a manner commensurate with its sensitivity, value, and criticality.
• Cellebrite’s information and computer resources must be used only for the business purposes authorized by management.
3.6.2. Acceptable Use Policy: Cellebrite’s Acceptable Use Policy defines the activities that are permissible when using any of the company’s computer, device, or communication system and states the minimum compliance requirements for users of Cellebrite’s systems, including but not limited to computer equipment, software, operating systems, network accounts and e-mail
3.6.3. Key Information Security Controls: Below are some of the key information security controls that the Information Security group has implemented across the organization:
Access Control: Cellebrite has implemented security standards, which are designed to restrict access to Cellebrite’s information and data assets including: defines general access control requirements (e.g., access to information resources granted only on a “need-to-know” basis, access terminated at termination of employment, periodic review of access rights, role-based access rights and segregation of duties, etc.)
Authentication and encryption: strong authentication with 2FA are required for every remote access to the company’s assets
3.6.4. System and Communications Protection: Cellebrite operates a comprehensive, multi-layered information security program, leveraging a defensive, in-depth architecture. Tiered perimeter defenses include firewalls between zones and key application servers, as well as segmentation between various network elements and network segments. Web Application Firewalls are employed to protect applications. Detective controls are also layered, with proactive enterprise-wide scans for Advanced Persistent Threat (“APT”) using top notch commercial malware detection. Network Intrusion Detection technology is in place, as well as endpoint controls such as Host-Based IDS and advanced malware protection. The Cellebrite’s network infrastructure is protected with the following mechanisms, as a standard:
• Network Firewalls – designed to protect against network-based, malicious attacks and provide an additional layer of access control.
• Network Access Controls – Cellebrite has controls around network access and remote access, including 2- factor authentication and forced disconnection after a period of inactivity.
• Network Segmentation – VLAN and physical segmentation. Additional controls may be in place at the application layer which, are detailed below in the product specifications section of this packet.
3.6.5. Vulnerability Management: Cellebrite maintains a systematic process to detect categorize, and handle vulnerabilities found in its infrastructure, application and systems.
3.6.6. Change Management: Cellebrite maintain a change management process for changes in production, which helps protect the integrity and availability of the services by controlling all changes to minimize risk to approve all applicable changes.
3.6.7. SaaS Network Security: Cellebrite deploys multiple layers of network security across our SaaS infrastructure and application stack. At the perimeter Cellebrite relies on cloud front to provide distributed denial of service (“DDoS”) attack mitigation and a web application firewall (“WAF”) for traffic over HTTP and HTTPS. Cellebrite relies on IP whitelisting to ensure that the network origin for clients is not accessible publicly. All traffic within Cellebrite’s SaaS platform operates on independent virtual private clouds (“VPCs”) which is in a physically isolated from all other accounts. In the IPS layer, advanced threat protection, intrusion prevention, firewall capabilities, web filtering, network visibility, anti-virus, and anti-spyware services provide a broad range of enhanced protection.
3.6.8. Content Encryption: All traffic to and from clients to the platform uses HTTPS to encrypt data in transit.
3.6.9. Incident Response Plan: Cellebrite’s have a detailed incident response plan that addresses how Cellebrite handles security incidents including notifying regulators, affected individuals, law enforcement, and/or data owners/controllers of security breaches of Scoped Data. Cellebrite’s threat operation center is in charge of monitoring detecting handling and notifying the relevant stockholders in case of a cyber incident occurs.
Part 3
1. Customer commissions, authorizes and requests that Cellebrite provide Customer the Services, which involves Processing Personal Data (as these capitalized terms are defined and used in: (a) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR; and (b) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Legislations (a) and (b) above shall collectively be referred to as “Data Protection Law”.
2. This Part 3 applies only where Cellebrite is Processing Personal Data as a Data Processor on behalf of the Customer and under the Customer’s instructions, where the Customer is a Data Controller subject to the GDPR with respect to the Personal Data that Cellebrite Processes. It does not apply to Cellebrite’s Processing Personal Data of Customer’s representatives to market or promote its products, to administer the business or contractual relationship between Cellebrite and the Customer or in other instances where Cellebrite operates as the Data Controller.
3. Cellebrite will Process the Personal Data only on Customer’s behalf and for as long as Customer instructs Cellebrite to do so. Cellebrite shall not Process the Personal Data for any purpose other than the purpose set forth in this Addendum.
contact information, messages and emails, correspondence, location information, photos, data related to use of online platform, and other information extracted from digital devices.
Individuals using the digital devices from which the intelligence is gathered, and their contacts.
6. Customer is and will always remain the ‘Data Controller’, and Cellebrite is and will remain at all times the ‘Data Processor’ (as these capitalized terms are defined and used in Data Protection Law). As a Data Processor, Cellebrite will Process the Personal Data only as set forth in this Addendum. Cellebrite and Customer are each responsible for complying with the Data Protection Law applicable to them in their roles as Data Controller and Data Processor.
7. Cellebrite will Process the Personal Data only on instructions from Customer documented in this Addendum or otherwise provided either in writing or through the options of the Services configurable by Customer. The foregoing applies unless Cellebrite is otherwise required by law to which it is subject (and in such a case, Cellebrite shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Cellebrite shall immediately inform Customer if, in Cellebrite's opinion, an instruction is in violation of Data Protection Law.
8. Cellebrite will make available to Customer all information in its disposal necessary to demonstrate compliance with the obligations under Data Protection Law.
9. Cellebrite will follow Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Cellebrite will pass on to Customer requests that it receives (if any) from Data Subjects regarding their Personal Data Processed by Cellebrite. Cellebrite shall notify Customer of the receipt of such request as soon as possible, and no later than five (5) business days from the receipt of such request, together with the relevant details.
12. Cellebrite and its other processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Model Clauses). Cellebrite must inform Customer at least 10 business days in advance of any new envisioned cross-border data transfer scenario, in which case Customer shall have the right to object, on reasoned grounds, to that new envisioned cross-border data transfer. If Customer so objects, Cellebrite may not engage in that envisioned cross-border data transfer for the purpose of Processing Personal Data in the provision of the Services.
13. In the event that the foregoing mechanism for cross-border data transfers is invalidated by a regulatory authority under applicable law or any decision of a competent authority under Data Protection Law, the parties shall discuss in good faith and agree such variations (such agreement not to be unreasonably withheld or delayed) to this Addendum as are required to enable a valid cross-border data transfers. Further, in the event that the European Commission establishes processor to processor standard contractual clauses, the parties will enter into those clauses as promptly as reasonably practicable.
14. Cellebrite will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
15. Within 10 business days of Customer’s written request, Cellebrite shall allow for and contribute to audits, including carrying out inspections conducted by Customer, or another auditor mandated by Customer in order to establish Cellebrite's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Cellebrite processes on behalf of Customer. Such audits shall be limited to one business day per annum (unless Data Protection Law requires otherwise), shall be conducted during ordinary business hours and without interruption to Cellebrite’s ordinary course of business. Under no circumstances shall the audits or inspections extend to trade secrets of Cellebrite or to data regarding other customers of Cellebrite. All audits are conditioned on the Customer or its auditors first executing appropriate confidentiality undertakings satisfactory to Cellebrite.
16. Cellebrite shall without undue delay, and in any event within 72 hours, notify Customer of any Personal Data Breach (as this term is defined and used in Data Protection Law and applicable regulatory guidelines) that it becomes aware of regarding Personal Data of Data Subjects that Cellebrite Processes. Cellebrite will thoroughly investigate the breach and take all available measures to mitigate the breach and prevent its reoccurrence. Cellebrite will cooperate in good faith with Customer on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.
17. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cellebrite shall implement in the Services appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section of 3.6 Part 2.
18. Cellebrite will assist Customer with the eventual preparation of data privacy impact assessments and prior consultation as appropriate (and if needed).
19. Cellebrite will provide Customer prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Customer’s behalf, so that Customer may contest or attempt to limit the scope of production or disclosure request.
20. Upon Customer’s request, Cellebrite will delete the Personal Data it has Processed on Customer’s behalf under this Addendum from its own and its processor’s systems, or, at Customer’s choice, return such Personal Data and delete existing copies, within 10 business day of receiving a request to do so, and
21. Upon Customer’s request, will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.
Part 4
1. Scope. This Part applies to the processing of ‘personal information’ (as defined in Cal. Civ. Code §1798.140(o)) by Cellebrite for Customer.
2. Service Provider Obligations. The Parties acknowledge and agree that Cellebrite is a ‘service provider’ as defined in Cal. Civ. Code §1798.140(v). To that end, and unless otherwise requires by law:
2.1. Cellebrite is prohibited from retaining, using or disclosing Customer ‘personal information’ (as defined in Cal. Civ. Code §1798.140(o)) for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to perform Customer’s processing instructions; (b) ‘selling’ (as defined in Cal. Civ. Code §1798.140(t)) Customer personal information; and (c) retaining, using or disclosing Customer personal information outside of the direct business relationship between the parties. Cellebrite certifies that it understands the restriction specified in this subsection and will comply with it.
2.2. If Cellebrite receives a request from a California consumer about his or her is ‘personal information’ (as defined in Cal. Civ. Code §1798.140(o)), Cellebrite shall not comply with the request itself, promptly inform the consumer that Cellebrite’s basis for denying the request is that Cellebrite is merely a service provider that follows Customer’s instruction, and promptly inform the consumer that they should submit the request directly to Customer and provide the consumer with Customer’s contact information.
3. Subcontracting to suppliers. Customer authorizes Cellebrite to subcontract any of its Services-related activities consisting (partly) of the processing of the personal information or requiring personal information to be processed by any third party supplier without the prior written authorization of Customer provided that: (a) Cellebrite shall ensure that the third party is bound by the same obligations of the Cellebrite under this Part and shall supervise compliance thereof; and (b) Cellebrite shall remain fully liable vis-à-vis Customer for the performance of any such third party that fails to fulfil its obligations.
4. Return or deletion of information. Upon termination of this Part, upon Customer’s written request, or upon fulfillment of all purposes agreed in the context of Customer’s instructions, whereby no further processing is required, the Cellebrite shall, at the discretion of Customer, either delete, destroy or return to Customer, some or all (however instructed) of the of the personal information that it and its third-party suppliers process for Customer.
5. Assistance in responding to consumer requests. Cellebrite shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the consumer rights under the California Consumer Privacy Act of 2018.
6. Data security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Cellebrite’s processing of personal information for Customer, as well as the nature of personal information processed for Customer, Cellebrite shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, designed to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
***
Exhibit B
Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into between Cellebrite, Inc. (“Cellebrite”), and the counterparty listed in the signature block below (“Customer”) (each, a “Party” and collectively, the “Parties”). This DPA supplements and forms part of the Endpoint SAAS Terms of Service (the “Agreement”) in connection with the services provided pursuant to which Cellebrite Processes Customer Personal Data (defined below) from or on behalf of Customer. This DPA will be effective as of the last signature date set forth below (the “Effective Date”). Capitalized terms not otherwise defined in this DPA shall have the meanings ascribed to them in the Agreement.
1. Definitions.
“Business Purpose” means the limited and specified Services described in the Agreement and any Quote, or any other purpose specifically identified in Exhibit 1.
“Customer Personal Data” means any Personal Data provided to Cellebrite and Processed by Cellebrite (or a Sub-processor) while providing the Services under the Agreement.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.
“Data Protection Laws” means, to the extent applicable, all federal, state, and municipal laws and regulations relating to the Processing, protection, or privacy of Customer Personal Data.
“ISO/IEC 27001” means the IT security, cybersecurity, and privacy protection measures set forth under the International Organization for Standardization’s ISO/IEC 27001 standard.
“Law” or “Laws” means all applicable federal, country, state, provincial, regional, territorial or local laws, and other laws, rules, and regulations (including, but not limited to, Data Protection Laws), ordinances, interpretive letters, and other official releases of or by any authority, decrees, orders, and codes (including any requirements for permits, certificates, approvals, and inspections), as the same are promulgated, supplemented, and/or amended from time to time.
“Personal Data” means any data or information that: (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, household, or device; or (ii) is otherwise “personal information”, “personally identifiable information”, “personal data”, or similarly defined data or information under applicable Data Protection Laws.
“Privacy Rights Request” means an individual’s valid request to exercise their privacy rights under applicable Data Protection Laws.
“Sub-processor” means any person (including any entity or individual but excluding an employee of Cellebrite) appointed by or on behalf of Cellebrite to Process Customer Personal Data under the Agreement.
The terms “Business”, “Controller”, “Process”, “Processing”, “Processor”, “Sell”, “Share”, and “Service Provider” shall have the same meaning assigned to them under applicable Data Protection Laws. The term “Controller” is deemed to include “Business” and the term “Processor” is deemed to include “Service Provider”.
2. Roles. Customer and Cellebrite acknowledge and agree that to the extent Data Protection Laws apply to the Processing of Customer Personal Data under the Agreement, Customer is the Controller, and Cellebrite is the Processor. For the avoidance of doubt, this DPA does not relieve either Party from the liability imposed on it under applicable Data Protection Laws by virtue of its role in the Agreement and this DPA.
3. Customer Obligations. Customer has the sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquires Customer Personal Data and shares Customer Personal Data with Cellebrite. Customer will use the Services in compliance with all applicable Laws. Customer represents and warrants that: (i) it provides and shall provide all notices as may be required to inform individuals about the Processing and their rights provided by and in compliance with appliable Data Protection Laws; and (ii) it has collected all consents and confirmations and/or opt-outs as may be required for Processing and/or transfer of Personal Data under applicable Data Protection Laws. Customer acknowledges and agrees that Cellebrite’s systems are not Health insurance Portability and Accountability Act (HIPAA) compliant or Payment Card Industry Data Security Standard (PCIDSS) compliant. Customer shall not upload any data which is subject to HIPAA or PCIDSS.
4. Cellebrite Processing of Customer Personal Data.
a. Cellebrite will only Process Customer Personal Data on behalf of Customer for Business Purposes, to retain and employ Sub-Processors; for internal use by Cellebrite to build or improve the quality of the Services; to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, for technical support (as needed), and for other purposes permitted by applicable law. The instructions set forth in this DPA, the Agreement, any Quote or other duly documented instructions are Customer’s complete instructions to Cellebrite for the Processing of Customer Personal Data. The instructions are more fully set forth in Exhibit 1. The Parties acknowledge and agree that Customer is disclosing Customer Personal Data to Cellebrite only for Business Purposes.
b. Cellebrite will not: (i) retain, use, or disclose Customer Personal Data for any purpose, including, without limitation, any commercial purpose other than Business Purposes, unless expressly permitted by Data Protection Laws; (ii) Sell or Share Customer Personal Data; (iii) retain, use, or disclose Customer Personal Data for any purpose, outside of the Parties’ direct business relationship, unless expressly permitted by Data Protection Laws; or (iv) combine or update Customer Personal Data with Personal Data collected from its own interaction with an individual or received from another source, unless expressly permitted by Data Protection Laws. Cellebrite certifies that it understands these provisions.
c. Cellebrite shall, without undue delay, refer any requests received from regulators or other governmental entities regarding Customer Personal Data or the privacy practices of Cellebrite to Customer. Unless otherwise required by applicable Law, Cellebrite shall not refer to or disclose any Customer Personal Data without Customer’s prior written consent.
d. Cellebrite shall notify Customer, without undue delay, if it determines that it is no longer able to comply with its obligations under applicable Data Protection Laws.
e. Cellebrite shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and provide the same level of privacy protection as required of Customer under applicable Data Protection Laws.
5. Assistance. Cellebrite shall provide reasonable assistance to Customer with (i) complying with Customer’s obligations in relation to the security of Processing Customer Personal Data and notification of a Data Breach, (ii) any data protection assessments, and (iii) any investigations by competent data privacy authorities, in each case solely in relation to Processing of Customer Personal Data by and taking into account the nature of the Processing and information available to Cellebrite. Cellebrite shall provide to Customer all information reasonably necessary to demonstrate compliance with applicable Data Protection Laws.
6. Individual Requests. Upon Cellebrite’s receipt of an individual’s Privacy Rights Request, Cellebrite shall inform Customer of such request and instruct the individual to submit the request directly to Customer.
8. Cellebrite Personnel. Cellebrite shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of Customer Personal Data and are subject to a duty of confidentiality with respect to such data.
9. Audit.
a. Customer will have the right to take reasonable and appropriate steps to ensure that Cellebrite uses Customer Personal Data in a manner consistent with Customer’s obligations under applicable Data Protection Laws. Cellebrite shall (i) make available to Customer a copy of Cellebrite’s ISO Certification to Customer within ten (10) days of receipt of Customer’s written request. If Cellebrite fails to provide its ISO Certification to Customer in accordance with this Section 9 [or Customer determines that the ISO Certification does not cover certain aspects it would like to audit], Customer shall notify Cellebrite of any aspects that are not covered and allow Cellebrite to provide alternative evidence of compliance. If such evidence is reasonably deemed not sufficient by Customer, the Parties will cooperate in good faith to determine how to address the Customer’s concerns. Customer may exercise this right no more than once in any twelve (12) month period.
b. Upon notification of unauthorized use of Customer Personal Data, Cellebrite shall have the right to take reasonable and appropriate steps to remediate the unauthorized use, and to this end, Cellebrite shall make available to the Customer Cellebrite’s proposed remediation plan.
10. Data Breach. Cellebrite shall, to the extent permitted by Law, notify Customer without undue delay and after Cellebrite becomes aware of a Data Breach affecting Customer Personal Data, provide Customer with necessary information to allow Customer to meet any obligations to report or inform individual(s) and/or regulators of the Data Breach under applicable Data Protection Laws. If it is determined that Cellebrite or a Sub-processor is responsible for the Data Breach, Cellebrite shall review the applicable technical and organizational measures and, if needed, make appropriate changes to prevent such Data Breach from occurring in the future.
11. Sub-processing.
a. Customer hereby approves the Sub-processors that are listed in Exhibit 2.
b. Cellebrite shall provide written notice to Customer within thirty (30) calendar days of executing a new agreement with a new Sub-processor, and Customer will have thirty (30) calendar days to provide written notice of its objection to such Sub-processor. Where Customer reasonably objects to a Sub-processor on reasonable data protection grounds, Customer may terminate the Agreement to the extent it relates to the Services, which require use of the proposed Sub-processor.
c. Cellebrite shall enter into a written agreement with each Sub-processor that complies with Data Protection Laws and imposes data protection obligations that are no less protective of Customer Personal Data than Cellebrite’s obligations under this DPA.
12. Deletion or Return of Customer Personal Data. All Customer Personal Data is deleted upon Cellebrite’s completion of each Processing Sequence (as defined in Exhibit 1 hereto). By virtue of the Services performed by Cellebrite, Cellebrite neither retains nor has access to Customer Personal Data.
13. General.
a. Limitation of Liability. Limitation of Liability under this DPA is subject to the Limitation of Liability section(s) of the Agreement. Notwithstanding the foregoing, no provision of this DPA shall be deemed to waive or limit the rights of an individual or competent regulatory authority under applicable Data Protection Laws.
b. Order of Precedence. In the event of a conflict between the terms of this DPA, Quote, and the Agreement with respect to the subject matter herein, the following order of precedence shall apply: (i) this DPA; (ii) the Agreement; (iii) Quote(s).
c. Changes in Data Protection Laws. If any amendment is required for this DPA as a result of a change in applicable Law (including Data Protection Laws), then either Party may provide written notice to the other Party of that change in Law. The Parties will discuss and negotiate in good faith any necessary amendment to the Agreement or this DPA to address such changes. The Parties shall without undue delay discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. If the Parties fail to amend the Agreement or this DPA, the notifying Party may terminate the Agreement upon written notice to the other Party.
d. Term. The term (“Term”) of this DPA will commence on the Effective Date and end simultaneously and automatically at the later of: (i) the termination of the Agreement; or (ii) when Cellebrite is no longer in possession of any Customer Personal Data.
e. Jurisdiction and Governing Law. The Parties hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination, or the consequences of its nullity.
f. Severability. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
g. Exhibits. All Exhibits to this DPA are hereby incorporated by reference into, and made a part of, this DPA.
|
|
|
EXHIBIT B1
Description of Processing
Categories of individuals whose Personal Data is Processed: Employees; Contractors, Clients, Consultants, etc. and contacts of these persons.
Customer Personal Data Processed: Any Customer Personal Data contained on the device scanned.
The frequency and duration of the Processing: Upon Customer initiation, Cellebrite shall convert the files from the format in which they were uploaded to the format agreed upon between Customer and Cellebrite. This Process can last up to 24 hours, after which time it is deleted from the system (the “Processing Sequence”). Notwithstanding the foregoing, if there is a technical interruption or error when deleting the data, Cellebrite shall force delete any residing data after one week (“Eliminating Sequence”).
Nature of the Processing: Cellebrite will collect, transmit, convert, use, and otherwise Process Customer Personal Data following which Cellebrite will delete the Customer Personal Data in accordance with the Processing Sequence.
Purpose(s) of the Processing: The purpose of the Processing is to convert files containing Customer Personal Data to a format agreed upon between Customer and Cellebrite.
The period for which the Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Cellebrite will retain Customer Personal Data only during the Processing Sequence or any Eliminating Sequence, following which the Customer Personal Data will be deleted.
EXHIBIT B2
Cellebrite Sub-processors
|
Name of sub-processor |
Subject matter and nature of sub-processor processing |
Duration of sub-processing |
|
Amazon AWS |
Cloud infrastructure provider |
Duration of the engagement |
ENDPOINT SAAS APRIL 2025