Terms of Use for Humu Resilience Solution 

Date: April 28, 2020

 

Introduction

 

Please read these Terms of Use for Humu Resilience (“Terms”) carefully before using the Humu Resilience product and services offered by Humu, Inc. (“Humu”). You (“Customer”) indicate your agreement to these Terms by clicking or tapping on a button indicating your acceptance of these Terms or by executing a document that references them. If you are agreeing to these Terms on behalf of Customer, you represent to Humu that you have legal authority to bind Customer.

 

If a separate valid agreement exists between you and Humu related to the subject matter of these terms, that valid agreement takes precedence over these terms unless otherwise agreed by the Parties.

 

Services. The Humu Resilience product and services offered by Humu (“Services”) include human resources-related technology services which allow Customer and its authorized employees and officers (“Users”) to: (i) participate in human resource diagnostics (“Humu Resilience Surveys”); (ii) use Humu’s software platform as developed and improved by Humu (“Humu Resilience Platform”).

 

  1. Fees and Payments

 

1.1. Fees for Services.

You agree to pay to Humu any fees for each Service you purchase or use (including any overage fees), in accordance with the pricing and payment terms included in an Order Form or, if ordering online, presented to you for that Service. When paying the fees by credit card, you represent and warrant that the credit card information you provide is correct and you will promptly notify Humu of any changes to such information. Fees paid by you are non-refundable, except as provided in these Terms or when required by law.

 

1.2. Taxes.

Our fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction (collectively, “Taxes”). You are responsible for paying all Taxes associated with your purchases made pursuant to these Terms. If Humu has the legal obligation to collect or pay taxes for which you are responsible under this Agreement, Humu shall invoice you and you shall pay that amount unless you can produce a valid tax exemption certificate authorized by the appropriate taxing authority.  For clarity, Humu is solely responsible for taxes assessable against Humu based on Humu’s income, property and employees.

 

1.3. Overage Fees.

Unless otherwise stated, any overage fees incurred by you will be billed in arrears. Overage fees which remain unpaid for 30 days after being billed are considered overdue. Failure to pay overage fees when due may result in the applicable Service being limited, suspended, or terminated (subject to applicable legal requirements).

 

  2. Humu Services

 

2.1 Provision of Services. 

Humu shall make the Services available to you in accordance with these Terms and each applicable Order. During the term of these Terms, Humu may make updates or modifications to the Services and may add, remove, terminate or modify any features or functionality with or without notice to Client, provided any such updates or modifications do not diminish the Services.

 

2.2 License Grant by Humu

Humu hereby grants you a revocable, worldwide, non-exclusive license for the Subscription Term of the applicable Order to access and use the Services solely for your non-commercial internal business purposes. Neither these Terms nor your use of the Services grants you ownership in the Services or the content you access through the Services (other than your Content). These Terms do not grant you any right to use Humu’s trademarks or other brand elements.

 

  3. Your Content

 

3.1. You Retain Ownership of Your Content.

You retain ownership of all of your intellectual property rights in your Content, which includes your registration data, information and other materials (“Customer Content”) including information that its Users create, upload, submit, post or otherwise make available to Humu through the Services, (“Employee Content”). Humu does not claim ownership over any of your Content. These Terms do not grant Humu any licenses or rights to your Content except for the limited rights needed for us to provide the Services, and as otherwise described in these Terms.

 

3.2. Limited License to Your Content.

You grant Humu a worldwide, royalty free license to use, reproduce, distribute, adapt, create derivative works, make publicly available, and otherwise exploit your Content, but only for the limited purposes of providing the Services to you and as otherwise permitted by the Terms.

 

3.3. Customer List.

Humu may identify Customer (by name and logo) as a Humu customer on Humu’s public customer list. Any goodwill arising from the use of your name and logo will inure to your benefit. Humu grants to Customer the express right to use Humu’s logo and related trademarks solely to identify Humu as a provider of the Services to Customer. Other than as expressly stated herein, neither party shall use the other party’s trademarks or logos without the prior written consent of the other party, which consent shall not be unreasonably withheld.

 

  4. Security, Privacy and Confidentiality

 

4.1 Security and Privacy

Humu uses reasonable security technologies in providing the Services. As a data processor, Humu will implement technical and organizational measures referenced in the Data Processing Agreement attached hereto as Addendum A (“DPA”) to secure personal data processed in the Services in accordance with applicable data protection law.

 

4.2. Confidentiality.

The receiving party will hold in confidence and not disclose to any third party any Confidential Information of the disclosing party, except as approved in writing by the Disclosing Party or otherwise permitted by these Terms. Confidential Information means, with respect to Customer: (i) the Customer Data, (ii) Customer marketing and business requirements, (iii) Customer implementation plans, and/or (iv) Customer financial information, and with respect to Humu: (i) the Services and any related documentation, and (ii) information regarding Humu research and development, product offerings, pricing and availability. Confidential Information of either party also includes information which the disclosing party protects against unrestricted disclosure to others that (i) the disclosing party or its representatives designates as confidential at the time of disclosure, or (ii) should reasonably be understood to be confidential given the nature of the information and the circumstances surrounding its disclosure. 

 

Confidential Information shall not include information that: (a) is or becomes generally known or publicly available through no fault of the receiving party; (b) is known by or in the possession of the receiving party prior to its disclosure, as evidenced by business records, and is not subject to restriction; (c) is lawfully obtained from a third party who has the right to make such disclosure; or (d) was developed by employees or agents of the receiving party who had no access to any Confidential Information. The receiving party may disclose Confidential Information when required by law or legal process, but only after the receiving party, if permitted by law, uses commercially reasonable efforts to notify the disclosing party to give it the opportunity to challenge the requirement to disclose.

 

  5. Acceptable Uses

 

5.1. Legal Compliance.

You represent and warrant that you will comply with all laws and regulations applicable to your use of the Services.

 

5.2. Your Responsibilities.

You must comply with the following requirements when using the Services:

  1. You may not purchase, use, or access the Services for the purpose of building a competitive product or service or for any other competitive purposes.
  2. You may not misuse our Services by interfering with their normal operation, or attempting to access them using a method other than through the interfaces and instructions that we provide.
  3. You may not use the Services in any manner that could interfere with, disrupt, negatively affect or inhibit other users from utilizing the Services or that could damage, disable, overburden or impair the functioning of the Services in any manner;
  4. Unless authorized by Humu in writing, you may not use any manual or automated system or software to extract or scrape data from the websites or other interfaces through which we make our Services available.
  5. Unless permitted by applicable law, you may not deny others access to, or reverse engineer, the Services, or attempt to do so.
  6. You may not transmit any viruses, malware, or other types of malicious software, or links to such software, through the Services.
  7. You may not engage in abusive or excessive usage of the Services, which is usage significantly in excess of average usage patterns that adversely affects the speed, responsiveness, stability, availability, or functionality of the Services for other users. Humu will endeavor to notify you of any abusive or excessive usage to provide you with an opportunity to reduce such usage to a level acceptable to Humu.
  8. You may not use the Services to infringe the intellectual property rights of others, or to commit an unlawful activity.
  9. Unless authorized by Humu in writing, you may not resell or lease the Services.
  10. If your use of the Services requires you to comply with industry-specific regulations applicable to such use, you will be solely responsible for such compliance, unless Humu has agreed with you otherwise. You may not use the Services in a way that would subject Humu to those industry-specific regulations without obtaining Humu’s prior written agreement. 
  11. Upon reasonable request, you agree to whitelist certain Humu IP addresses and allow images in Humu emails delivered to Customer employees in order to improve survey response. 

 

5.3. Embargoes.

You may only use the Services if you are not barred under any applicable laws from doing so. If you are located in a country embargoed by United States or other applicable law from receiving the Services, or are on the U.S. Department of Commerce’s Denied Persons List or Entity List, or the U.S. Treasury Department’s list of Specially Designated Nationals, you are not permitted to purchase any paid Services from Humu. You will ensure that: (a) your end users do not use the Services in violation of any export restriction or embargo by the United States; and (b) you do not provide access to the Services to persons or entities on any of the above lists.

 

  6. Term and Termination

 

6.1 Term

The subscription term is as stated in the Order. The term for the Humu Resilience solution begins upon receipt of a valid employee data file. Subscription ends 90 days after receipt of valid employee data file. If Customer provides the data file more than 5 business days after an Order effective date, without written agreement by Humu, Humu may reduce the term of the subscription proportionally to the delay.

 

6.2 Termination

A party may terminate the Agreement upon thirty days written notice of the other party’s material breach unless the breach is cured during that thirty day period, or immediately if the other party files for bankruptcy, becomes insolvent, or makes an assignment for the benefit of creditors.

 

6.3 Refund and Payments. For termination by Customer under 6.2, Customer will be entitled to: (a) a pro-rata refund in the amount of the unused portion of prepaid fees for the terminated subscription calculated as of the effective date of termination, and (b) a release from the obligation to pay fees due for periods after the effective date of termination.

 

6.4 Effect of Expiration or Termination

Upon the effective date of expiration or termination of the subscription, Customer’s right to use the Services will end. Except to the extent required otherwise by Data Privacy Laws, Humu will return to Customer and/or securely destroy all Personal Data at  Customer’s written request upon termination of the Agreement. Notwithstanding the foregoing, Customer instructs Humu that, at Customer’s written instruction, Humu shall only destroy, and not return to Customer, any response to a Humu survey question provided by a user of Humu’s services (“Survey Responses”).  Customer and Humu agree that such instructions regarding destruction of the Survey Responses are required, regardless of whether the Survey Responses may constitute Personal Data, in order to preserve the anonymity of survey respondents as required by the terms of Humu’s  services.  

 

  7. Warranties, Disclaimers and Limitations of Liability

 

7.1 Warranties

Humu warrants that during the Subscription Term: (a) the Services will be free of all: (i) “time bombs”, time-out or deactivation functions or other means designed to terminate the operation of the Services (other than at the direction of Customer, its Users, or any other user that Customer authorizes); (ii) “back doors” or other means in which Humu or any other party may remotely access or control (or both) any of Customer’s networks without the Customer’s express authorization; (iii)  functions that transmit data to any destination not specified by the Customer; (iv) Customer Data copy prevention mechanisms; (v) functions or routines that will surreptitiously delete or corrupt data;  or (vi) computer viruses; (b) the Services will not allow unauthorized users to gain privileges off the related operating system (e.g., supervisory state); and (c) it has disclosed in the applicable Order Form all hardware Customer will need to access and use the Services in accordance with the Agreement.

 

7.2. Disclaimers.

EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS AND TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES AND ANY GUIDANCE OR RECOMMENDATIONS THEREIN ARE PROVIDED “AS IS” AND HUMU DOES NOT MAKE WARRANTIES OF ANY KIND, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OR ANY REPRESENTATIONS REGARDING AVAILABILITY, RELIABILITY, OR ACCURACY OF THE SERVICES.

 

7.3. Exclusion of Certain Liability.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY, OR ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, SUPPLIERS, AND LICENSORS WILL BE LIABLE FOR (A) ANY INDIRECT, CONSEQUENTIAL, SPECIAL, INCIDENTAL, PUNITIVE, OR EXEMPLARY DAMAGES WHATSOEVER, OR (B) LOSS OF USE, DATA, BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), ARISING OUT OF OR IN CONNECTION WITH THE SERVICES AND THESE TERMS, AND WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, EVEN IF HUMU HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

 

7.4. Limitation of Liability.

IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EACH PARTY TOGETHER WITH ALL OF ITS AFFILIATES ARISING OUT OF THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE AMOUNTS PAID OR PAYABLE FROM CUSTOMER HEREUNDER OVER THE 12 MONTHS PRECEDING THE INCIDENT GIVING RISE TO LIABILITY (OR OVER THE FIRST 12 MONTHS IF SUCH INCIDENT ARISES DURING THE FIRST 12 MONTHS).

 

  8. Indemnification.

 

8.1 By Humu

Humu will defend Customer against claims brought against Customer and its Affiliates by any third party alleging that Customer’s and its Affiliates’ use of the Services infringes or misappropriates a patent claim, copyright, or trade secret right. Humu will indemnify Customer against all damages finally awarded against Customer (or the amount of any settlement Humu enters into) with respect to these claims. Humu’s obligations under Section 8.1 will not apply if the claim results from (i) Customer’s breach of Section 5, (ii) use of the Services in conjunction with any product or service not provided by Humu, or (iii) use of the Services provided for no fee. In the event a claim is made or likely to be made, Humu may (i) procure for Customer the right to continue using the Services under the terms of the Agreement, or (ii) replace or modify the Services to be non-infringing without a material decrease in functionality. If these options are not reasonably available, Humu or Customer may terminate Customer’s subscription to the affected Services upon written notice to the other.

 

8.2 By Customer

Customer will defend Humu and its affiliates, officers, agents, and employees from all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third party claim regarding or in connection with your or your end users’ use of the Services or breach of these Terms, to the extent that such liabilities, damages and costs were caused by you or your end users. 

 

8.3 Third Party Claim Procedure.

The party against whom a third party claim is brought will timely notify the other party in writing of any claim, reasonably cooperate in the defense and may appear (at its own expense) through counsel reasonably acceptable to the party providing the defense. The party that is obligated to defend a claim will have the right to fully control the defense. Any settlement of a claim will not include a financial or specific performance obligation on, or admission of liability by, the party against whom the claim is brought.

 

8.4 Exclusive Remedy. 

The provisions of Section 8 state the sole, exclusive, and entire liability of the parties and their Affiliates to the other party, and is the other party’s sole remedy, with respect to covered third party claims and to the infringement or misappropriation of third party intellectual property rights.

 

  9. General

 

9.1. Governing Law. 

These Terms and any action related thereto will be governed by the laws of the State of California, excluding that State’s choice-of-law principles. All disputes will be subject to the exclusive jurisdiction of the courts located in Santa Clara, California. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act (where enacted) will not apply to the Agreement. Each party consents to personal jurisdiction over such party in the state and/or federal courts of California and hereby waives any defense of lack of personal jurisdiction. Venue, for the purpose of all such suits, will be in Santa Clara County, State of California. 

 

9.2. Notices.  

Notices required to be delivered to Humu under these Terms must be delivered in writing to Humu at 100 View Street Suite 101, Mountain View, CA 94041 or to Customer at the address provided in Customer’s subscription registration. 

 

9.3. No Assignment. 

These Terms, and Customer’s rights and obligations hereunder, may not be assigned, subcontracted, delegated or otherwise transferred by Customer without prior written consent of Humu. Any attempted assignment, subcontract, delegation, or transfer in violation of the foregoing will be null and void.

 

9.4. Relationship of the Parties

The parties are independent contractors, and no partnership, franchise, joint venture, agency, fiduciary or employment relationship between the parties is created hereby. There are no third party beneficiaries to these Terms.

 

9.5. Force Majeure. 

Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations) due to circumstances beyond such party’s reasonable control, including acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (excluding those involving such party’s employees), service disruptions involving hardware, software or power systems not within such party’s possession or reasonable control, and denial of service attacks.

9.6. Severability. 

If any provision of these Terms is, for any reason, held to be invalid or unenforceable, the other provisions in these Terms will remain enforceable and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.

 

9.7. Entire Agreement

These Terms are the final and complete agreement between Customer and Humu with respect to the subject matter in this Agreement and supersedes and replaces any prior proposal, representation, discussion or understanding between Customer and Humu. No modification or amendment of these Terms, nor any waiver or any rights under these Terms, will be effective unless in writing and signed by both parties. 

 

9.8. Survival. 

Provisions of these Terms will survive any termination or expiration if by their nature and context they are intended to survive, including provisions relating to payment of outstanding fees, confidentiality, ownership of intellectual property, warranties and limitation of liability. 

 

 

Addendum A

DATA PRIVACY ADDENDUM

This Data Processing Addendum (“DPA”) is entered into between Customer and Humu. Customer and Humu agree as follows:

  1. Definitions. 
    1. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). For the avoidance of doubt, if Humu’s processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
    2. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
    3. “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by the applicable Data Privacy Laws.
    4. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    5. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

  2. Scope and Purposes of Processing.
    1. Humu will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this Addendum; (2) on Customer’s behalf; and (3) in compliance with Data Privacy Laws.  If a Data Privacy Law to which Humu is subject requires Humu to Process Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, Humu will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information within the meaning of Data Privacy Laws.
    2. Without limiting the foregoing, Customer directs Humu, and Humu agrees, to Process Personal Data in accordance with Customer’s written instructions, as may be provided by Customer to Humu from time to time.
    3. Humu will immediately inform Customer if, in Humu’s opinion, an instruction from Customer infringes Data Privacy Laws.
    4. Humu will not:
      1. Sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Humu will not Process Personal Data outside of the direct business relationship between Customer and Humu. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.

  3. Personal Data Processing Requirements. Humu will:
    1. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    2. Upon written request of Customer, assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data).
    3. Promptly, and in any event within five days, notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Humu’s Processing of Personal Data on Customer’s behalf, unless prohibited by law. If Humu receives a third-party, Data Subject, or governmental request, Humu will await written instructions from Customer on how, if at all, to assist in responding to the request, if and to the extent permitted by law. Humu will provide Customer with reasonable cooperation and assistance in relation to any such request.
    4. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data.
    5. Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Humu under Data Privacy Laws to consult with a regulatory authority in relation to Humu’s Processing or proposed Processing of Personal Data.
  4. Data Security. Humu will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit 1.
  5. Security Breach. Humu will notify Customer without undue delay of any Security Breach. Humu will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
    1. At Humu’s own expense, taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
    2. Providing Customer with the following information, to the extent known: (i) The nature of the Security Breach, including, where possible, what happened, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (ii) The likely consequences of the Security Breach; and (iii) Measures taken or proposed to be taken by Humu to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  6. Subprocessors.
    1. Customer acknowledges and agrees that Humu may use Humu affiliates and other subprocessors (alternatively referred to as service providers under some legal frameworks) to Process Personal Data in accordance with the provisions within this Addendum and Data Privacy Laws. A current list of Humu’s subprocessors can be found on Exhibit 2, attached hereto, and Customer hereby consents to Humu’s use of such subprocessors.
    2. Where Humu sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Humu will (i) take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Data Privacy Laws; and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on Humu under this Addendum.
    3. Humu will maintain an up-to-date list of its subcontractors who may have access to Personal Data, which it will provide to Customer thirty days in advance, and with reasonable notice of any new subcontractor being able to Process Personal Data. In the event Customer objects to a new subcontractor, Humu will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to subcontractor without unreasonably burdening the Customer. Customer may, in its sole discretion, terminate the Agreement at any time and without prior notice in the event that it objects to a subcontractor and Humu is unable to change the services to satisfy Customer.
  7. Data Transfers. To the extent that Humu Processes Personal Data of Data Subjects located in the European Economic Area (“EEA”) and/or Switzerland, by signing this Addendum, Humu agrees to be bound by the standard contractual clauses for the transfer of personal data from the EEA to processors established in third countries (Commission Decision 2010/87/EC) (“Model Clauses”) located here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087. In case of conflict between the Model Clauses and this Addendum, the Model Clauses will prevail. Following Brexit, the relevant terms shall be deemed amended as necessary to legitimize transfers of Personal Data of Data Subjects located in the United Kingdom to and from the United Kingdom and subsequent onward transfers. 
  8. Audits. Customer or its independent third party auditor reasonably acceptable to Humu may audit Humu’s control environment and security practices relevant to Personal Data processed by Humu only if:
    1. Humu has not provided sufficient evidence of its compliance with the technical and organizational measures that protect the production systems of the Services through providing on request either: (i) a certification as to compliance with ISO 27001 or other standards (scope as defined in the certificate); or (ii) a valid ISAE3402 SOC2 Type II attestation report. Upon Customer’s request audit reports are available.
    2. An audit is formally requested by Customer’s data protection authority; or
    3. Mandatory Data Protection Law provides Customer with a direct audit right and provided that Customer shall only audit once in any twelve month period unless mandatory Data Protection Law requires more frequent audits.

Any such audits shall:  (i) occur no more than once per calendar year; (ii) be conducted at Customer’s sole cost and expense; (iii) only occur after Customer has provided Humu with 30 days prior written notice in advance of the audit commencement date.

  9. Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Humu will return to Customer and/or securely destroy all Personal Data at Customer’s written request upon termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, Humu will inform Customer if it is not able to return or delete the Personal Data. Notwithstanding the foregoing, Customer instructs Humu that, at Customer’s written instruction, Humu shall only destroy, and not return to Customer, any response to a Humu survey question provided by a user of Humu’s services (“Survey Responses”). Customer and Humu agree that such instructions regarding destruction of the Survey Responses are required, regardless of whether the Survey Responses may constitute Personal Data, in order to preserve the anonymity of survey respondents as required by the terms of Humu’s services.

  10. Survival. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Humu or its subcontractors Process the Personal Data.

 

 

 

Exhibit 1

HUMU DATA SECURITY MEASURES

Humu will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:

 

  1. Humu has agreed to employ appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (“Information Security Program”).

  2. Humu’s Information Security Program includes specific security requirements for its personnel and all subprocessors/service providers or agents who have access to Customer Personal Data (“Data Personnel”). Humu’s security requirements cover the following areas:
    1. Information Security Policies and Standards. Humu will maintain information security policies, standards and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Customer Personal Data. These policies, standards, and procedures shall be designed and implemented to:
      1. Prevent unauthorized persons from gaining physical access to Customer Personal Data Processing systems (e.g. physical access controls);
      2. Prevent Customer Personal Data Processing systems from being used without authorization (e.g. logical access control);
      3. Ensure that Data Personnel gain access only to such Customer Personal Data as they are entitled to access (e.g. in accordance with their access rights) and that, in the course of Processing or use and after storage, Customer Personal Data cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
      4. Ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Customer Personal Data by means of data transmission facilities can be established and verified (e.g. data transfer controls); and
      5. Ensure that all systems that Process Customer Personal Data are the subject of a vulnerability management program that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
    2. Physical Security. Humu will maintain commercially reasonable security systems at all Humu sites at which an information system that uses or stores Customer Personal Data is located (“Processing Locations”) and will reasonably restrict access to such Processing Locations.
    3. Organizational Security. Humu will maintain information security policies and procedures addressing:
      1. Data Disposal. Procedures for when data or the media on which it resides are to be disposed of or reused have been implemented to prevent any subsequent retrieval of any Customer Personal Data.
      2. Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Customer Personal Data stored on media.
      3. Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
      4. Incident Response. All Customer Personal Data security incidents are managed in accordance with appropriate incident response procedures.

    4. Network Security. Humu maintains commercially reasonable information security policies and procedures addressing network security.

    5. Access Control (Governance).
      1. Humu governs access to information systems that Process Customer Personal Data.
      2. Only authorized Humu staff can grant, modify or revoke access to an information system that Processes Customer Personal Data.
      3. Humu implements commercially reasonable physical and technical safeguards to create and protect passwords.

    6. Virus and Malware Controls. Humu protects Customer Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Customer Personal Data.

    7. Personnel.
      1. Humu has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting.
      2. Data Personnel strictly follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
      3. Humu shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Customer Personal Data.

    8. Business Continuity. Humu implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.

 

 

Exhibit 2

LIST OF SUBCONTRACTORS

Customer acknowledges and agrees that Humu may use Humu Affiliates and other subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Data Privacy Laws. A current list of Humu’s subcontractors is included in this Exhibit 2, and Customer hereby consents to Humu’s use of such subcontractors.

Humu will maintain an up-to-date list of its subcontractors who may have access to Personal Data, which it will provide to Customer thirty days in advance, and with reasonable notice of any new subcontractor being able to Process Personal Data. In the event Customer objects to a new subcontractor, Humu will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to subcontractor without unreasonably burdening the Customer. Customer may terminate the Agreement at any time and without prior notice in the event that it objects to a subcontractor and Humu is unable to change the services without unreasonably burdening the Customer.

| Subcontractor Name | Address | Country | Purpose of Processing |
| --- | --- | --- | --- |
| Google LLC | 1600 Amphitheatre Way, Mountain View, CA 94041 | USA | Cloud computing services. Humu uses cloud hosting services to host our production systems, store customer and user data, and perform data processing. Humu’s provider for all of these services is Google. |
| Sendgrid, Inc | 889 Winslow St, Redwood City, CA 94063 | USA | Email. Humu uses an email sending service to send emails to customers and users, such as invitations to take a survey and nudges. |
| Hound Technology, Inc. d/b/a Honeycomb. | 945 Bryant St. #300, San Francisco, CA 94103 | USA | Logging, logs analysis and alerting. Humu logs data about our application and analyses those logs so we can respond to customer requests, find bugs, alert engineers of issues, and improve the application. |
| Google LLC | 1600 Amphitheatre Way, Mountain View, CA 94041 | USA | Customer Support. Humu uses several tools to route and handle customer tickets, requests, and emails as quickly as possible. |
| Jira Software (by Atlassian Corporation Plc) | 301 E. Evelyn Ave., Mountain View, CA 94041 | USA | Customer Support. Humu uses several tools to route and handle customer tickets, requests, and emails as quickly as possible. |
| Zendesk, Inc. | 1019 Market St, San Francisco, CA 94103 | USA | Customer Support. Humu uses several tools to route and handle customer tickets, requests, and emails as quickly as possible. |
| Slack Technologies, Inc. | 500 Howard St., San Francisco, CA 94105 | USA | Customer Support. Humu uses several tools to route and handle customer tickets, requests, and emails as quickly as possible. |

 
