ITAGREE TERMS AND CONDITIONS
These terms and conditions were last updated in August 2023.
Please read these terms and conditions carefully.
1 ITagree Plans and Service
1.1 IT Agree Limited (“ITagree”, “we”, “us” or “our”) makes available various agreement plans on its website at itagree.com (‘Website’) and through ITagree’s distributors (‘Distributors’) (‘ITagree Plans’).
1.2 On purchase of an ITagree Plan, the Purchaser will receive the entitlements relevant to the ITagree Plan that has been purchased, which may include (depending on the ITagree Plan that has been purchased), rights to receive various IT agreements and agreement updates (‘Agreements’), and various forms of support in respect of the Agreements (with the Agreements and support being referred to together in these terms and conditions as ‘Service’). The Purchaser acknowledge that the Distributors have no authority to commit ITagree to provide Service that goes beyond the standard inclusions for the ITagree Plans.
1.3 ITagree may, by application to ITagree and at ITagree’s discretion, agree to:
(a) prepare agreements, or content for agreements, for specific purposes at additional cost (“Agreements on Request”); or
(b) provide consulting services to existing Purchasers for specific purposes at additional cost (“Consult Session”).
1.4 Agreements on Request and Consult Sessions are also included when we refer to “Services” in these terms and conditions, except that in the case of Agreements on Request where the relevant proposal issued by ITagree includes provisions which are inconsistent or in conflict with these terms and conditions, to the extent of the inconsistency or conflict, the proposal shall prevail.
1.5 In order to obtain Services, the Purchaser will need to:
(a) purchase an ITagree Plan on our Website, or from one of our Distributors; or
(b) in the case of Agreements on Request, confirm acceptance of our proposal for Agreements on Request (and in the case of Agreements on Request this may be done by placing the order on the Website using the specific link provided or by written confirmation of the proposal issued by ITagree with the Purchaser being the customer entity named in the proposal); or
(c) in the case of Consulting Sessions, purchase the Consulting Session using the link provided to the Purchaser,
and when the Purchaser does so (unless specifically provided otherwise under the relevant proposal in the case of Agreements on Request only), the Purchaser has the right to and ITagree will provide the relevant Services. These terms and conditions apply to the Purchaser’s purchase.
1.6 Subject to these terms and conditions and compliance by the Purchaser with these terms and conditions, except where specifically agreed otherwise with the Purchaser in respect of Agreements on Request, the Agreements are provided on the basis that the Purchaser will do the ‘Setup task’ requiring the Purchaser, amongst other things, to insert details relevant to the way the Purchaser operates and details of the Purchaser’s services (specific details to be inserted by the Purchaser depend on the nature of each agreement).
1.7 The Purchaser acknowledges that:
(a) we do not provide jurisdiction-specific versions of the Services for every country;
(b) we do not provide legal advice and the supply of Services is not intended to provide, and in no event shall it be treated as providing or constituting, legal advice;
(c) under ITagree Plans, we do not customise Agreements for subscribers and our Agreements are not customised for particular industry sectors.
1.8 While all due care is used by our author/s:
(a) in the preparation of the Agreements to produce agreements that may be useful to the Purchaser; and
(b) in the supply of the Services,
the Purchaser uses our Services at the Purchaser’s own discretion.
1.9 Where the Purchaser is an individual, the individual must be 18 (eighteen) years of age or older and by accepting these terms and conditions that Purchaser represents to us that the Purchaser is 18 (eighteen) years of age or older. Without limiting the earlier part of this clause, the Purchaser may not use our Services or provide ITagree with any personally identifiable information if the Purchaser is under this age.
1.10 These terms and conditions are binding on the Purchaser and apply to the Purchaser when the Purchaser accepts them as part of the process of purchasing any ITagree Plan(s) or Consulting Sessions or when the Purchaser places an order or otherwise accepts a proposal for Agreements on Request (unless expressly stated otherwise in the proposal or the terms and conditions are not referenced in the relevant proposal).
1.11 ITagree reserves the right to modify or replace these terms and conditions at any time, effective upon the posting of modified or replacement terms on this Website or at this link. For ITagree Plans (or any licence to use Agreements purchased prior to the ITagree Plans being made available) purchased prior to replacement or modified terms and conditions being posted, the terms and conditions that the Purchaser accepted when the Purchaser purchased those ITagree Plans apply up until 12 (twelve) months following the date of the Purchaser original purchase of the ITagree Plan, or as from the date that is 12 (twelve) months from the date of the Purchaser purchase of the ITagree Plan (whichever is sooner), and subsequently the current terms and conditions apply provided that any change made to reflect relevant laws and regulations applies immediately. It is the Purchaser’s obligation and responsibility to check the Website regularly for any changes to these terms and conditions.
2 Licence to use Agreements
2.1 We grant to the Purchaser a non-exclusive right, subject to the restrictions in clause 2.2, to use the Agreements issued by ITagree to the Purchaser, subject to payment of the applicable Licence Fee/s and except where any Agreement is issued in error.
2.2 Without limiting any other provision of these Terms and Conditions, the following restrictions apply to the Purchaser’s use of the Agreements:
(a) the Purchaser cannot transfer the right granted to the Purchaser to use the Agreements;
(b) the Purchaser must not resell the licence granted to the Purchaser to use the Agreements or offer that licence for resale or attempt to sell or, except as expressly permitted under clause 5.3 below, otherwise deal in the Products;
(c) except in the Purchaser’s ordinary use of an Agreement to govern supply of products or services supplied by the Purchaser, the Purchaser must not publish, transmit or distribute all or part of any Agreement on the internet including on any website, by email or otherwise or in any document which is generally available to the public.
2.3 The Purchaser must not:
(a) do any act which would or might invalidate or be inconsistent with any Intellectual Property of IT Agree Limited or its licensor/s;
(b) copy the Website; or
(c) permit or enable users, other than nominated users notified to ITagree and permitted by ITagree to use the Service, to use the Service; or
(d) resell, rent, lease, transfer, sublicense or otherwise transfer rights to use the Service; or
(e) use the Website or the Service in any way that could damage or interfere with the Website or the Service in any way;
(f) use the Website or the Service otherwise than in the manner in which the Website or the Service is designed to be used;
(g) use the Website or the Service in any way that could interrupt, damage or otherwise interfere with use of the Website or the Service by any other customers.
2.4 When Agreements are issued by ITagree, the Purchaser will receive email confirmation with links to download the Agreements, sent to the email address provided by the Purchaser at the time of purchase of ITagree Plans.
3 Payment obligations
3.1 For all ITagree Plans with a monthly charge, a minimum term of 12 (twelve) months applies and the Purchaser must continue to pay the monthly fees (monthly in advance) for 12 (twelve) months. On expiration of the initial 12 (twelve) month period, the subscription will continue on a monthly basis until terminated by the Purchaser on written notice to us. The Purchaser may continue to use the Agreements following termination of the subscription (after the initial 12 (twelve) month period) but following the termination the Service will cease (and in particular but without limitation the Purchaser will cease to receive agreement updates.
3.2 All payments made via our Website are processed by Stripe and are subject to Stripe's terms and conditions.
3.3 For purchases made on our Website, the Purchaser acknowledges that each payment must be made in full, without setoff or deduction by the due date. If any payment is not made in accordance with this clause, the Purchaser have no right to access or use the relevant Agreements until such time as payment in full is made.
4 Refund policy
4.1 Except as specified in clause 4.2 below and in our customer commitment on the Website, no refunds will be provided.
4.2 If through our fault the Purchaser is incorrectly invoiced and /or charged, we will refund the relevant amount provided that no-one has downloaded the Agreements to which the refund applies.
5 Our obligations
5.1 We will use our best endeavors to maintain the Website and to ensure that the ITagree Plans and the Services are available in accordance with these terms and conditions. However, we are not responsible for any errors or omissions in the content of our Website or Services, or for damages arising from the use of our Website or the Services under any circumstances.
5.2 All information available on or accessed through our Website, is provided “as is.” We do not guarantee the continuous or uninterrupted availability of the Website or our Service.
6.1 Unless the relevant party has the prior written consent of the other party or unless required to do so by law:
(a) each party will preserve the confidentiality of all Confidential Information of the other party obtained in connection with the Service. Neither party will, without the prior written consent of the other party, disclose or make any Confidential Information available to any person except as expressly contemplated by the Service, or use the same for its own benefit, other than as contemplated by these terms and conditions.
(b) each party's obligations under this clause will survive termination of the Purchaser’s subscription to an ITagree Plan.
7 Privacy and personal data
7.2 Where the GDPR or UK GDPR apply, the Purchaser consents to the Processing of Personal Data by ITagree for the purposes of provision of the Service, in accordance with these terms and conditions including the GDPR Attachment. Before providing Personal Data to ITagree, the Customer will obtain all required consents from third parties (including Customer’s employees and contractors and where applicable partners, distributors, administrators, and other contacts) under applicable Data Protection Laws.
7.3 To the extent permitted by applicable law and subject to applicable contractual rights and obligations, including the rights and obligations in the GDPR Attachment (where applicable), Personal Data collected by ITagree in providing the Service and pursuant to these terms and conditions may be transferred, stored and processed in any country in which ITagree’s contractors or service providers (including for example Microsoft and other third party vendors) maintain facilities.
7.4 In the event of any Personal Data Breach, ITagree and the Purchaser will each comply with their obligations, including notification obligations (if any), under applicable Data Protection Laws.
8 Intellectual Property
8.1 Title to, and all Intellectual Property in:
(a) the Agreements and all other aspects of the Service; and
(b) the Website and all site content,
is and will remain the property of IT Agree Limited (or its licensors). Except in the Purchaser’s use of the Service as permitted under the ITagree Plan and these terms and conditions, the Purchaser will not copy and will prevent any unauthorised copying of the Agreements and content in other parts of the Service.
9 No warranties
9.1 To the extent permitted by law, IT Agree Limited gives no warranty about the Agreements or the Service.
9.2 Without limiting clause 9.1, IT Agree Limited does not warrant that the Agreements or any other aspect of the Service will meet the Purchaser’s requirements or be suitable for the Purchaser’s purposes.
9.3 Except as expressly provided in these terms and conditions, all warranties, terms and conditions (including, without limitation, warranties and conditions as to fitness for purpose and merchantability), whether expressed or implied by statute, common law or otherwise, are excluded to the extent permitted by law.
10 Consumer guarantees
10.1 If the Purchaser acquires or holds itself out as acquiring an ITagree Plan or Consulting Session or Agreements on Request for the purposes of a business, then to the fullest extent permitted by law, any statutory consumer guarantees or legislation intended to protect non-business consumers in any jurisdiction do not apply in respect of the purchase of that licence.
11 Limitation of Liability
11.1 Subject to clause 11.2, our liability to the Purchaser is limited to direct loss to the amount paid by the Purchaser (whether paid to IT Agree Limited or to any of our Distributors) for the relevant ITagree Plan in the twelve (12) month period preceding the event giving rise to the loss, or where applicable to the amount paid for the relevant Consulting Session or Agreement on Request.
11.2 To the extent permitted by law, in no event is ITagree liable for any indirect loss or for any loss of profits, lost savings, incidental or special damages, or for any consequential loss in connection with an ITagree Plan, Consulting Session or Agreements on Request, the Agreements, the licence to use the Agreements, the Service or otherwise.
11.3 No assurance can be given that the Website, or any linked website, or any third party service used by ITagree to provide the Service is free of viruses and no assurance can be given that this Website or any linked site or any third party service used by ITagree to provide the Service will not harm or cause loss to the Purchaser, the Purchaser’s computer or the Purchaser’s network.
12.1 Breach: We may, at our discretion, suspend the Purchaser’s rights under, or terminate, the Purchaser’s ITagree Plan if the Purchaser:
(a) breaches any of these terms and conditions, being a breach capable of being remedied, and does not remedy the breach within 14 (fourteen) days after receiving notice of the breach from us;
(b) breaches any of these terms and conditions, being a breach not capable of being remedied; or
(c) is placed into liquidation or a receiver or manager is appointed of any of the Purchaser’s assets or the Purchaser become insolvent, or makes any arrangement with the Purchaser’s creditors, or becomes subject to any similar insolvency event in any jurisdiction.
12.2 Accrued rights: Termination of the Purchaser’s ITagree Plan is without prejudice to the rights and obligations of the parties accrued up to and including the date of termination. On termination of the Purchaser’s ITagree Plan, the Purchaser will remain liable for any accrued charges and amounts which become due for payment before or after termination.
12.3 Survival: all clauses which by their nature survive the termination of the contract between ITagree and the Purchaser relating to the Purchaser’s ITagree Plan will so survive.
13.1 Entire agreement: For Purchasers that purchase from ITagree, the Contract supersedes and extinguishes all prior agreements, representations (whether oral or written), and understandings and constitutes the entire agreement between IT Agree Limited and that Purchaser relating to its subject matter.
13.2 Waiver: If either party waives any breach of the Agreement, this will not constitute a waiver of any other breach. No waiver will be effective unless made in writing.
13.3 No assignment: The Purchaser may not assign or transfer any rights under the Agreement to any other person or entity without our prior written consent.
13.4 Severability: If any part or provision of these terms and conditions is found to be invalid, unenforceable or in conflict with the law, that part or provision is replaced with a provision which, as far as possible, accomplishes the original purpose of that part or provision. The remaining provisions will continue in full force and effect.
13.5 Notices: Any notice given under the Agreement by either party to the other must be in writing by email and will be deemed to have been given on transmission. Notices to IT Agree Limited must be sent to 18 Papahia Street Parnell, Auckland 1052 New Zealand or to any other address notified by email to the Purchaser by IT Agree Limited. Notices to the Purchaser will be sent to the email address which the Purchaser provided when the Purchaser accepted these terms and conditions or any updated email address which the Purchaser provide to us.
13.6 Governing law and jurisdiction: Each Contract is governed by the laws of New Zealand and each party submits to the non-exclusive jurisdiction of the courts of New Zealand.
14 Definitions and interpretation:
14.1 In these terms and conditions:
"Confidential Information" means (but is not limited to) any proprietary information, know-how and data disclosed by one or each to the other party, but does not include any information which is (a) in the public domain without any breach of the Agreement; (b) on receipt by the other party is already known by that party; (c) at any time after the date of receipt by the other party, received in good faith by that party from a third party; or (d) required by law or any other competent authority to be disclosed by the other party;
“Contract” means these terms and conditions, together with:
(a) in respect of an ITagree Plan, the details provided by ITagree at the point of purchase on the Website;
(b) in respect of Consulting Sessions (available from ITagree only), the details agreed between ITagree and the Customer in writing as to what the Consulting Session will cover and the details provided by ITagree at the point of purchase on the link to purchase provided by ITagree;
(c) in respect of Agreements on Request (available from ITagree only), the proposal agreed between the parties in writing and the details provided by ITagree at the point of purchase on the link to purchase provided by ITagree;
“Data Protection Laws” means, as applicable:
(a) the GDPR as incorporated into UK law by the UK Data Protection Act 2018, and the UK Data Protection Act 2018 itself; and
(b) the GDPR;
and, to the extent applicable, the data protection or privacy laws of any other country, and includes any statutory modification or re-enactment of such laws for the time being in force;
“GDPR” means the EU General Data Protection Regulation 2016/679;
"Intellectual Property" means, as protected by legislation: any patent, trademark, service mark, copyright, moral right, (right in) a design, know-how and any other intellectual or industrial property rights, anywhere in the world whether or not registered;
“ITagree Plan” has the meaning given to that term in clause 1.1 above;
“ITagree Terms and Conditions” means these terms and conditions and includes, where applicable, the GDPR Attachment, as updated by ITagree from time to time;
“Personal Data” means any information relating to an identified or identifiable natural person, as defined in the Data Protection Laws;
“Personal Data Breach” has the meaning given to that term in the Data Protection Laws (and includes unauthorised access to, unauthorised disclosure of, or loss of, Personal Data), in respect of Personal Data that is Processed by ITagree pursuant to these Terms and Conditions);
“Processing” has the meaning given to that term in the Data Protection Laws, in respect of any operation which is performed on Personal Data by ITagree (whether or not by automated means, and includes but is not limited to collection, recording or storage of the Personal Data), in respect of and ‘Process’ and ‘Processed’ has/have a corresponding meaning;
"Purchaser" means the legal entity on whose behalf these terms and conditions are accepted or, where a business is named or identified when the ITagree Plan is purchased (including by purchasing using a business email address), is the legal entity that owns that business, and if no other legal entity is named or identified by the natural person placing the order means that person;
“Service” has the meaning given to that term in clause 1.2 above, with the inclusion referred to in clause 1.3;
"Website" means the internet site at www.itagree.com.
14.2 Interpretation: In these terms and conditions:
(a) the headings are for convenience only and do not affect the interpretation of the terms and conditions;
(b) references to the singular include the plural where the context requires;
(c) references to ‘in writing’ or ‘written’ include in digital or electronic form.
This GDPR Attachment applies only where the Customer is a UK or EEA entity.
In order to provide the Service to the Customer, ITagree will be required to Process Personal Data on the Customer’s behalf. To the extent such Processing of Personal Data is an integral part of ITagree’s Service and is done under explicit instructions of the Customer, the Customer will be a ‘Controller’ and ITagree will be a ‘Processor’ – as defined in and as used for the purposes of the GDPR. As such, Article 28(3) and 28(4) of the GDPR requires that the details in this attachment are included in the contract between the Customer and ITagree, including the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of data subjects (see Appendix 1).
To the extent such Processing of Personal Data is not an integral part of ITagree’s Service, or the Processing is done for any internal business requirements of ITagree, ITagree will be a ‘Controller’ for the purposes of the GDPR. In all such circumstances, ITagree will comply with Articles 24-26 of the GDPR which sets out the role and responsibility of a Controller.
The terms used in this attachment have the meanings given to them in the main definition section of the ITagree Terms and Conditions or in clause 13 of this attachment, or in the GDPR if not defined in the ITagree Terms and Conditions or in this attachment.
1 Processing of Personal Data
1.1 ITagree will:
(a) Instructions from Customer: in providing Services, Process Personal Data only on the Customer’s documented instructions (as provided in clause 2 and in appendix 1 to this attachment or otherwise in writing) unless required to do so by the Data Protection Laws in which case ITagree will inform the Customer of that legal requirement before Processing unless ITagree is prohibited from informing the Customer by that law;
(b) Confidentiality: ensure that ITagree’s personnel who are authorised to Process the Personal Data have obligations of confidentiality to ITagree (including as required in clause 3 below) in respect of the Personal Data or are under an appropriate statutory obligation of confidentiality;
(c) Security: comply with the security obligations in clause 4 below;
(d) Subprocessors: comply with the provisions relating to Subprocessors in clause 5 below;
(e) Data subjects’ rights: provide assistance to the Customer with responding to data subjects’ rights in accordance with clause 6 below;
(f) Assist Customer: comply with its obligations to assist the Customer in relation to security of Personal Data and data protection impact assessments and prior consultation in accordance with clause 7 below;
(g) Deleting and returning data: after the provision of Service related to Processing of Personal Data has ended, at the choice of the Customer either delete or return to the Customer all of that Personal Data and delete existing copies unless the Data Protection Laws require storage of Personal Data in accordance with clause 8 below; and
(h) Compliance and audits: make available to the Customer all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits including inspections conducted by the Customer or another auditor mandated from time to time, in accordance with clause 9 below. ITagree will immediately inform the Customer if, in its opinion, an instruction received from the Customer in relation to an audit under this clause 1.1(h) infringes the Data Protection Laws.
2 Instructions from Customer
2.1 The Customer instructs ITagree (and authorises ITagree to instruct each Subprocessor) to:
(a) Process Personal Data; and
(b) in particular, transfer Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the relevant ITagree Plan and in compliance with the ITagree Terms and Conditions.
2.2 The Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 2.1 on behalf of the Customer.
3.1 ITagree will take reasonable steps to ensure the reliability of its employees, agents or contractors who may have access to Personal Data, ensuring in each case that access is limited to those individuals who need to know or need to access the relevant Personal Data, as necessary for the purposes of provision of the Service in accordance with the ITagree Terms and Conditions, and to comply with applicable laws in the context of that individual's duties to ITagree, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Subject to clause 4.2 below, ITagree will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including amongst other things as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
4.2 In assessing the appropriate level of security for clause 4.1 above, ITagree will take account in particular of the risks of a Personal Data Breach that are presented by the Processing to be undertaken in providing the Service in accordance with the ITagree Terms and Conditions.
4.3 ITagree will in relation to Personal Data:
(a) implement and maintain appropriate information security to protect Personal Data against:
i. a Personal Data Breach;
ii. all other unauthorised or unlawful forms of Processing; and
iii. any breach of ITagree’s information security obligations in this attachment. ITagree will (and will ensure that its Sub-processors) provide full cooperation and assistance to the Customer in ensuring that the individuals´ rights under the Data Protection Laws are timely and appropriately addressed for the fulfilment of the Customer’s obligation to respond without undue delay to requests by such individuals as required by Data Privacy Laws, including the rights of subject access, rectification, erasure, and portability, and the right to restrict or object to certain Processing;
(b) take reasonable steps to inform its staff, and any other person acting under its supervision, of the responsibilities of any Data Privacy Laws due to the incidental access to Personal Data, and ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, such Personal Data.
5.1 The Customer authorises ITagree to appoint Subprocessors (and permits each Subprocessor appointed in accordance with this clause 5 to appoint Subprocessors) in accordance with this clause 5.
5.2 The Customer:
(a) acknowledges that ITagree uses third party applications and that the vendors of those applications are Subprocessors;
(b) authorises the use by ITagree of Subprocessors as described in clause 5.2(a) above as required for the provision of the Services; and
(c) accepts that, without limiting ITagree’s obligation to have agreements in place with each Subprocessor which meet the requirements under the GDPR (including for Restricted Transfers where relevant), the authorisation given by the Customer in clause 5.2(b) above constitutes prior written consent to the use by ITagree of the relevant Subprocessors.
5.3 With respect to each Subprocessor, ITagree will:
(a) enter into an agreement with the Subprocessor which includes the same data protection obligations as set out in this attachment (and Appendix 1) and in particular includes sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. If the Subprocessor fails to fulfil its data protection obligations, ITagree will remain fully liable to the Customer for the performance of that Subprocessor’s obligations;
(b) if the Processing by the Subprocessor will involve a Restricted Transfer, ensure that the IDTA is at all relevant times incorporated into the agreement between ITagree and the Subprocessor; and
(c) provide to the Customer for review, copies of ITagree’s agreements with Subprocessors (confidential commercial information that is not relevant to the requirements of this attachment may be blacked out) as the Customer may request from time to time.
5.4 Appendix 1 to this attachment sets out certain information regarding ITagree’s Processing of Personal Data, as required by article 28(3) of the GDPR. The Customer may make reasonable amendments to Appendix 1 by written notice to ITagree from time to time as the Customer reasonably considers necessary to meet those requirements.
6 Data Subjects’ Rights
6.1 Taking into account the nature of the Processing, ITagree will, by implementing appropriate technical and organisational measures to the extent described in clause 4, assist the Customer to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 ITagree will:
(a) promptly notify the Customer if ITagree or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
(b) ensure that ITagree or relevant Subprocessor does not respond to that request except on the documented instructions of the Customer or as required by applicable laws to which they are subject, in which case ITagree will to the extent permitted by applicable laws inform the Customer of that legal requirement before ITagree or relevant Subprocessor responds to the request.
7 Assist Customer
7.1 Assist Customer with Security of Processing:
(a) ITagree will assist the Customer in respect of the Customer’s obligations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, by complying with ITagree’s obligations under clause 4 of this attachment.
7.2 Assist Customer with notifications of Personal Data Breach
(a) ITagree will notify the Customer without undue delay if ITagree or any Subprocessor becomes aware of a Personal Data Breach, providing the Customer with sufficient information to allow the Customer to meet any obligations to report the Personal Data Breach to the relevant Supervisory Authority under the Data Protection Laws (noting that the Customer is required, where feasible, to notify applicable Personal Data breaches to the relevant Supervisory Authority within 72 hours after having become aware of the breach).
(b) ITagree will co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3 Assist Customer with communication of Personal Data breach to Data Subject
(a) Where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons:
i. such that the Customer is required to communicate the Personal Data Breach to the Data Subject (including where, despite the conditions referenced in clause 7.3(a)(ii) below being met, the Supervisory Authority has required the Customer to communicate the Personal Data Breach to the Data Subject), ITagree will assist the Customer in doing so by providing all relevant information as may be reasonably required by the Customer;
ii. but despite that high risk, the Customer is not required to communicate the Personal Data Breach to the Data Subject due to certain conditions being met (such as that the Personal Data is encrypted and so unintelligible to any person not authorised to access it), ITagree will assist the Customer by providing all relevant information as may be reasonably required by the Customer.
7.4 Assist Customer with Data Protection Impact Assessments
(a) ITagree will provide reasonable assistance to the Customer with any data protection impact assessments which the Customer reasonably considers to be required of the Customer by Article 35 of the GDPR or equivalent provisions of related Data Protection Laws. ITagree’s obligations under this clause 7.4(a) are solely in relation to Processing of Personal Data by ITagree and taking into account the nature of the Processing and information available to ITagree.
7.5 Assist Customer with Prior Consultation with Supervisory Authority
(a) ITagree will provide reasonable assistance to the Customer with prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required of the Customer by Article 36 of the GDPR or equivalent provisions of related Data Protection Laws. ITagree’s obligations under this clause 7.5(a) are solely in relation to Processing of Personal Data by ITagree and taking into account the nature of the Processing and information available to ITagree.
8 Deletion or return of Personal Data
8.1 Subject to clauses 8.2 and 8.3, ITagree will, within three months of the date of expiration or termination of Services involving the Processing of Personal Data (the "End of Processing Date"), delete and procure the deletion of all copies of the Personal Data.
8.2 Subject to clause 8.3, the Customer may in its absolute discretion by written notice to ITagree within one month of the End of Processing Date require ITagree to:
(a) return a complete copy of all Personal Data to the Customer by secure file transfer in such format as is reasonably notified by the Customer to ITagree; and
(b) delete and procure the deletion of all other copies of Personal Data Processed by ITagree.
ITagree will comply with any such written request under this clause 8.2 within two months of the End of Processing Date.
8.3 ITagree may retain Personal Data:
(a) to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that ITagree will: i. ensure the confidentiality of all such Personal Data; ii. ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose;
8.4 ITagree will provide written certification to the Customer that it has fully complied with this clause 8 within three months following the End of Processing Date, on written request from the Customer.
9 Audit rights
9.1 Subject to clauses 9.2 to 9.4, ITagree will make available to the Customer on request all information necessary to demonstrate compliance with this attachment, and will allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of Personal Data by ITagree.
9.2 Information and audit rights of the Customer only arise under clause 9.1 to the extent that the ITagree Terms and Conditions do not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Laws (including, where applicable, article 28(3)(h) of the GDPR).
9.3 ITagree may, on reasonable grounds, object to the proposed auditor in which case the Customer will propose an alternate auditor.
(a) The Customer will give ITagree reasonable notice of any audit or inspection to be conducted under clause 9.1 and will make (and ensure that its auditor makes) reasonable endeavours to avoid causing any damage, injury or disruption to ITagree's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. ITagree need not give access to its premises for the purposes of such an audit or inspection for the purposes of more than one audit or inspection in any calendar year, except for any additional audits or inspections which:
i. the Customer reasonably considers necessary because of genuine concerns as to ITagree's compliance with this attachment; or
ii. the Customer is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where the Customer has identified its concerns or the relevant requirement or request in its notice to ITagree of the audit or inspection.
10 Restricted Transfers
10.1 The Customer acknowledges and agrees that:
(a) given that ITagree is a New Zealand registered company, the Services involve a ‘Restricted Transfer’ as between the Customer and ITagree, with the Customer (as "data exporter") and ITagree (as "data importer");
(b) there is no requirement for ITagree and Customer to agree to an International Data Transfer Agreement (or to include the IDTA in these terms and conditions) given that New Zealand is an Approved Jurisdiction.
11 Order of precedence
11.1 Nothing in this attachment reduces ITagree's obligations under the ITagree Terms and Conditions in relation to the protection of Personal Data or permits ITagree to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the ITagree Terms and Conditions.
11.2 Subject to clause 11.1, in the event of inconsistencies between the provisions of this attachment and the other parts of the ITagree Terms and Conditions, the provisions of this attachment will prevail.
12 Changes in Data Protection Laws
12.1 The Customer may by at least 30 calendar days' written notice to ITagree propose any other variations to this attachment which the Customer reasonably considers to be necessary to address the requirements of any data protection law.
12.2 If the Customer gives notice under clause 12.1(a):
(a) ITagree will promptly co-operate (and require affected Subprocessors to promptly co-operate) to ensure that equivalent variations are made to the agreements made under clause 5.3; and
(b) the Customer will not unreasonably withhold or delay agreement to any consequential variations to this attachment proposed by ITagree to protect ITagree against additional risks associated with the variations made under this clause 12.2.
12.3 If the Customer gives notice under clause 12.1(b), the parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the Customer's notice as soon as is reasonably practicable.
In this attachment:
“Adequacy Decision” means a country (or territory or specified sector within it) or an international organisation which the European Commission has decided, under Article 45(3) of the GDPR, ensures an adequate level of data protection;
“Approved Jurisdiction” means the countries in the EEA and jurisdictions for which an Adequacy Decision has been made and any other countries or territories for which there are UK adequacy regulations;
“Contracted Processor” means ITagree or a Subprocessor;
"Data Subject" means an identified or identifiable natural person, or any updated definition of this term from time to time in the GDPR;
"EEA" means the European Economic Area;
“Information Security Obligations” means commercially reasonable and appropriate physical, technical and organisational security measures (determined with regard to risks associated with the Processing of Personal Data as part of the Services), including the measures set out in this GDPR attachment;
“International Data Transfer Agreement” or “IDTA” means the international data transfer addendum to the European Commission’s Standard Contractual Clauses for international data transfers, as issued by the UK Information Commissioner's Office's (ICO) under section 119A(1) of the Data Protection Act 2018 and as applicable on and from 21 March 2022;
"Restricted Transfer" means transferring Personal Data outside of the United Kingdom, whether this is:
(a) a transfer of Personal Data from the Customer to ITagree or to a Subprocessor; or
(b) an onward transfer of Personal Data from one Contracted Processor to another Contracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer means would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws), in the absence of the IDTA;
"Services" means, for the purposes of this GDPR Attachment, the products, services and/or deliverables (as applicable) and any related services supplied to or carried out by or on behalf of ITagree for the Customer under a Contract;
"Subprocessor" means any person (including any third party, but excluding an employee of ITagree or any of its sub-contractors) appointed by or on behalf of ITagree to Process Personal Data on behalf of the Customer in connection with a Contract;
The term "Supervisory Authority" has the meaning given to that term in the Data Protection Laws. For United Kingdom, the Information Commissioner’s Office (ICO) is the Supervisory Authority, and may be reached through the following channels:
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (Head Office) Telephone: 0303 123 1113 Fax: 01625 524510 Website: https://ico.org.uk/
APPENDIX 1 TO GDPR ATTACHMENT
DETAILS OF PROCESSING OF PERSONAL DATA
This Appendix 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data
Contact information of Customer personnel as nominated by Customer for purposes of provision of Service under the relevant Contract. This will include name and contact details for person who will receive the agreements from ITagree and in respect of other aspects of the Service will include personnel who will have access.
The nature and purpose of the Processing of Personal Data
To provision the Service to the Customer and for related activities prior to or after purchase of Services under a Contract.
The types of Personal Data to be Processed
Contact person: name and email address
The categories of Data Subject to whom Personal Data relates
Customer personnel: contact people within Customer for provision of Service.
The obligations and rights of Customer
The obligations and rights of the Customer are set out in the Contract including this attachment.