scene webshare cloud license agreement faro europe …€¦ · le-fr-8568 rev 2 oct. 4, 2018 1...
TRANSCRIPT
LE-FR-8568 Rev 2 Oct. 4, 2018
1
SCENE WEBSHARE CLOUD LICENSE AGREEMENT
between
FARO Europe GmbH & Co. KG,
Lingwiesenstr. 11/2,
70825 Korntal-Münchingen,
Federal Republic of Germany
- hereinafter referred to as “FARO” -
and
Company: …………………………………………………….…
Address: …………………………………………………….…
…………………………………………………….…
…………………………………………………….…
Tel : ……………………….………………………………
Fax : ……………………………….………………………
e-mail: ……………………………………….………………
Other information needed to identify the organisation:
…………………………………………………….…
- hereinafter referred to as “Licensee” -
WHEREAS
(1) FARO Group has developed the cloud computing service SCENE WebShare Cloud
that is hosted on third parties’ servers (“Computing Service”).
(2) Licensee uses laser scanner of the FARO Group and is interested in using the
Computing Service.
LE-FR-8568 Rev 2 Oct. 4, 2018
2
NOW THEREFORE, in consideration of the mutual covenants, the Parties hereto enter into
this License Agreement (“Agreement”) according to the following terms and conditions:
§ 1
Object of the Agreement
The deployment of the Computing Service by FARO to Licensee and the referring license
fees in favour of FARO is subject to this Agreement. The Computing Service shall enable
Licensee to get access to and use software applications and data storage, which are hosted
on servers of FARO and/or third parties, via telecommunication and to use these
functionalities of the software applications within the framework of this Agreement. Type and
extent of the Computing Service is set out in the Computing Service Specifications of FARO
(“Computing Service Specifications”, Annex 1) and in § 2 of this Agreement.
§ 2
Description of the Computing Service
(1) In order to be able to create Uploaded Data of the Computing Service, Licensee
requires at least the software SCENE and a functioning internet connection.
(2) The Computing Service is a software and hosting service that is provided to Licensees
as well as to any third party internet user by FARO. The Computing Service allows
users to upload 3D laser scan data and panoramic photographs produced by SCENE
(“Uploaded Data”) to view the Uploaded Data and related meta data within a standard
web browser, to organize the Uploaded Data in projects to which annotations and
measurements can be added (“Scan Projects”), and to share the Scan Projects with
other users. Each Scan Project is presented in an overview map which indicates the
position of 3D laser scans. Single laser scans are presented in a panoramic view.
(3) The Computing Service requires the installation and use of SCENE and the setting up
of accounts to SCENE as described in § 6 below.
(4) Further description of the Computing Service and minimum requirements are
determined in Annex 1.
LE-FR-8568 Rev 2 Oct. 4, 2018
3
§ 3
License
(1) FARO hereby grants to Licensee a personal, revocable, non-exclusive, non-assignable
and non-transferable license, on a royalty-basis, timely limited to the end of this
Agreement, to use the Computing Service via telecommunication in accordance with
the terms and conditions of this Agreement (“License”). Unless granted expressly in
this Agreement, Licensee does not get additional rights or licenses, in particular, but
not limited to, SCENE, the Computing Service, software applications and/or operating
systems.
(2) The License granted herein does not include the right to make copies of the Computing
Service, to make or retain any notes, memos, reports or records, reproductions,
correspondence or any document regarding the Computing Service, including copies of
the Computing Service.
(3) The License is restricted to the access and usage of the Computing Service in the
cloud. FARO is not obligated to provide Licensee with the object and/ or source code of
the Computing Service.
(4) The right to decompile, reverse engineer or dis- and/or reassemble or otherwise
attempt to derive the object and/or the source code for the Computing Service granted
to Licensee is excluded.
§ 4
Rights to use and Sublicensing
(1) Licensee is not entitled to assign or transfer the License or any part thereof to any
other party without the prior written consent of FARO.
(2) Licensee may sublicense the Computing Service to users of the Licensee in
accordance with the terms and conditions of this Agreement (the "Sublicensees").
Otherwise, Licensee is not entitled to sublicense any of the rights granted to it
hereunder without prior consent of FARO.
LE-FR-8568 Rev 2 Oct. 4, 2018
4
(3) Licensee shall inform FARO about any Sublicensee including the correct name and
address of the Sublicensee without undue delay.
(4) Each sublicense granted by Licensee is limited in scope and time to the License and
will automatically terminate upon the termination of this Agreement and the License
respectively. Licensee shall be fully liable for the observance of the terms and
conditions of this Agreement by the Sublicensees and for any damage FARO or any of
its affiliates suffer as a result of a misuse of the Computing Service by any
Sublicensee.
(5) For each case that Licensee enables the use of the Computing Service to a non-
named user and/or unauthorized third party, Licensee is obligated to pay compensation
to FARO amounting to the license fee that would be payable in the event of entering
into a license contract for a regular term of one (1) year including the extent of
Computing Service as selected by the License. Licensee remains the right to evidence
that FARO has suffered no damages or damages less than the above-mentioned
compensation. FARO remains entitled to claim further damages.
§ 5
Ownership of Computing Service
(1) Licensee acknowledges that FARO is the full and sole owner of the Computing Service
and that title to the Computing Service, any copies thereof or any modification,
improvement, adaption, enhancement or translation, developed as a result of Licensee
using the Computing Service, and/or rights in and to any patent, trademark, copyright
developed and/or incorporated in the Computing Service, shall at all times remain with
FARO. Licensee agrees that nothing in this Agreement shall give Licensee, its
subsidiaries or other affiliates any right, title or interest in the Computing Service other
than the right to use the Computing Service in accordance with the provisions of this
Agreement.
(2) Licensee hereby recognizes to FARO full and sole ownership of the Computing Service
in and to any such modification, improvement, adaption, enhancement or translation
and undertakes to confer, full and sole ownership in said modification, improvement,
LE-FR-8568 Rev 2 Oct. 4, 2018
5
adaption, enhancement or translation to FARO by executing an assignment of rights,
evidencing such transfer to FARO.
(3) Licensee undertakes to refrain, and to procure its subsidiaries and other affiliates to
refrain, from doing any act inconsistent with such ownership. In respect of those
countries in which the Computing Service are not subject to a registration or
application, Licensee acknowledges FARO’s priority rights in the Computing Service
and expressly waives in favor of FARO any right it may acquire in such countries in the
Computing Service as user of them.
(4) Licensee agrees that FARO and/or its licensors or other licensees own all right, title
and interest in any and all of Licensee’s feedback, without any remuneration,
compensation or credit to Licensee. To the extent that any of the rights assigned herein
cannot presently be assigned under applicable law, Licensee agrees to assign such
rights at such time as the rights are capable of being assigned.
(5) Licensee shall not use, deposit or obtain registration of, and shall procure that none of
the Sublicensees, its subsidiaries or other affiliates uses, deposits or obtains
registration of a tradename or trademark that is identical with, confusingly similar to, or
consisting of the Computing Service.
§ 6
Account
(1) To every Licensee an account will be assigned (“Account”).
(2) Licensee shall appoint one representative (“Domain Owner”) who will be responsible
for making all service and support calls to FARO. FARO will contact this representative
for any operational and/or billing-related issues. Licensee can assign administrators for
their Account (each a “Domain Administrator”). Domain Administrators can invite
prospective users who have not registered to the Computing Service yet by email
address. By accepting such invitation, users will create a “User Account”. Domain
Administrators can remit access privileges to employees and/or to third parties who
have created a User Account (each a “User”) per role. These permissions may include
(i) read-only access to Private Scan Projects in the Licensee’s domain, or (ii) additional
LE-FR-8568 Rev 2 Oct. 4, 2018
6
permissions per role. The Domain Administrator(s) may assign the following rules to
Users:
• “User Role”: The User Role includes the permission to create measurements,
annotations and orthophotos related to a Scan Project;
• “Uploader Role”: The Uploader Role includes the permission to upload data to
Scan Projects;
• “Project Manager Role” (or “Project Managers”): The Project Manager Role
includes the permission to view all Scan Projects in the respective domain, to
manage group-based access for all Protected Scan Projects of same and to
delete Scan Projects in the respective domain; or
• “Administrator Role” (or “Domain Administrator”): The Administrator Role
includes the permission to add Users to the domain and to manage user roles.
This includes the appointment of the Domain Owner.
(3) Future versions of the Computing Service may include further roles that can be
assigned to Users.
(4) Licensee agrees not to pass to and/or to let a third party use Licensee’s Account.
(5) FARO is not responsible for unauthorized access to Licensee’s Account. Licensee will
immediately contact FARO if Licensee believes an unauthorized third party may be
using Licensee’s Account or if Licensee’s Account information is lost or stolen.
(6) More Details in respect of the Account and the User Accounts shall be set out in
Annex 1.
§ 7
Obligations of Licensee
(1) Except as otherwise expressly permitted in this Agreement, Licensee agrees not to use
the Computing Service in any manner contrary to the purposes of this Agreement nor
to adapt, add-on, improve, enhance, modify the Computing Service or translate the
Computing Service. In particular, Licensee undertakes not to redistribute, encumber,
sell, rent, lease, assign, sublicense or use the Computing Service in a timesharing or
LE-FR-8568 Rev 2 Oct. 4, 2018
7
service bureau arrangement, or otherwise transfer rights to the Computing Service to
third parties.
(2) Licensee is required to keep the contact information of the Domain Owner current in
the settings of the administration area in SCENE WebShare Cloud.
(3) Licensee is obligated to take all appropriate measures to avoid any infringement, action
or cause of action against it by reason of the use of the Computing Service. Should
Licensee be the cause of any such infringement, action or cause of action, Licensee
agrees to bring such a matter to the attention of FARO immediately.
(4) Licensee is obligated to refrain from each attempt to retrieve unauthorized information
or data himself or via non-authorized third parties and/or to interfere or to let interfere in
programs that are run by FARO and/or to intrude unauthorized into the data network of
FARO.
(5) Licensee warrants to FARO that (i) the Uploaded Data shall not contain any violent,
sexual, gambling, hacking, cracking or other objectionable material, including, without
limitation, any material intolerant, offensive or otherwise offensive material regarding
race, sex, religion, nationality, disability, sexual orientation, or age, or any material that
is illegal or that may give rise to civil liability on the part of FARO of any sort, and (ii)
that any Uploaded Data and/or data Licensee provides to FARO shall not contain any
viruses, Trojan horses, malware, spyware, adware or other disruptive software, or any
software code which is designed to disrupt, damage, or perform unauthorized actions
on a computer system, or which transmits data from FARO’s webservers or other
computer systems of FARO or any third party without notice to and the express prior
consent of FARO, and (iii) that Licensee will comply with all applicable laws, rules and
regulations.
(6) Licensee hereby grants to FARO a personal, limited, non-exclusive, royalty-free, non-
assignable and non-transferable license to use the Uploaded Data and the related
copyrights and other intellectual property rights restricted to conduct the Computing
Service due to the terms and conditions of this Agreement. FARO hereby accepts the
granting of these rights.
LE-FR-8568 Rev 2 Oct. 4, 2018
8
(7) Licensee represents and warrants to FARO that in relation to all Uploaded Data,
Licensee has the worldwide authority, be it by ownership or with consent of the entitled
owner or entitled licensee, to upload the Uploaded Data and that uploading the
Uploaded Data does not infringe or violate any copyright, trademark, trade secret,
personality, personal data or other proprietary right of any third party.
(8) Licensee has to protect its data and Uploaded Data, for example by making a daily
backup of its data and Uploaded Data to limit possible damages and to ensure the
reconstruction of its data and/or Uploaded Data in case of a loss of its data and/or
Uploaded Data.
(9) As far as legally required, Licensee is obligated to have persons, car plates and any
other personal data that refers to third parties which is included in Uploaded Data
anonymized, i.e. pixelated or blurred.
(10) Licensee is obligated to check data and information for viruses and other malware
before sending these and to use an up-to-date reasonable antivirus program.
§ 8
FARO’s Obligations and Rights
(1) FARO is not obligated to provide upgrades to Licensee.
(2) FARO may modify the Computing Service and its functionalities and provide software
updates at any time. In the case of an amendment to the Licensee’s detriment, FARO
will advise the Licensee or its Domain Owner, who serves as point of contact for
FARO, of such amendment in advance by sending an email or by applying a clearly
highlighted notice on the Computing Service. The Licensee may then object to this
amendment by sending an email to [email protected] or a letter to FARO
within thirty (30) days of receipt of the notice of change. If Licensee fails to object in
due time or continues to use the Computing Service after receipt of the notice of
change, the amended Computing Service shall be deemed to be accepted. For this
purpose, a use of the Computing Service executed by Users who were set up by
Licensee or granted access to the Licensee’s domain will be deemed as continued use
of the Computing Services by Licensee. Licensee will be informed by this legal
LE-FR-8568 Rev 2 Oct. 4, 2018
9
consequence separately in the notice of change. If the Licensee objects to the
amendment, FARO may terminate this Agreement extraordinarily with one (1) month
notice to the end of a calendar month.
(3) FARO is entitled to block the access of Licensee to the Computing Service or the
Uploaded Data and/or the access of Licensee’s Account and the User accounts in its
domain in case of an unlawful violation of Licensee and/or the Sublicensees against
one of the obligations of Licensee and/or the Sublicensees of this Agreement,
especially a breach of the obligations of § 7 para. (1), (4), (5), (7), (9) and/or (10) of this
Agreement. The access will be restored when Licensee has stopped violating this
Agreement and the danger of repetition is eliminated by issuing a declaration of cease
and desist by Licensee with respect to FARO. In that case Licensee remains obligated
to pay all due invoices.
(4) FARO is obligated to delete the concerned Uploaded Data in case of a breach against
§ 7 para. (5) and/or (7) of this Agreement.
§ 9
Fees and Terms of Payment
(1) The license fees depend on the extent of Computing Services which are utilized by the
Licensee (“Package”). Licensee and FARO have agreed about the extent of the
Computing Services as listed in Annex 2 and selected by Licensee (“Selected
Package”).
(2) For the use of the Selected Package, Licensee shall pay FARO a yearly license fee as
set forth in FARO’s applicable Price List (Annex 3) (“License Fee”).
(3) To the extent that Licensee’s use of the Computing Service falls outside the limits of
the Selected Package, for example exceeds the storage and/or download volume of
the Selected Package, Licensee shall pay additional fees (“Additional Fees”) which
are subject to FARO’s applicable Price List (Annex 3), after the service has been
provided.
(4) The payable fees consist of the License Fee and the Additional Fees, as applicable.
FARO will issue an invoice on the payable fees which are calculated on the basis of
FARO’s applicable Price List (Annex 3) of the Commencing Date, subject to a raise of
LE-FR-8568 Rev 2 Oct. 4, 2018
10
fees pursuant to § 9 (5) (“Invoice Amount”). In case the fees have to be calculated for
a portion of a year, the fees will be calculated for every month with 1/12 of the yearly
fees as set out in Annex 3.
(5) FARO is entitled to raise adequately the fees as set out in Annex 3 for the contractual
services as compensation for personnel or other cost increases of FARO. In this case
FARO will inform Licensee by letter or email about the increase of fees. The increase
of fees does not apply to the period that Licensee had already made payments. The
same applies mutatis mutandis in the event of personnel or other cost decrease. In
case that the increase of the fees reaches an amount of 20% of the previous fee,
Licensee is entitled to terminate this Agreement at the end of the Initial Term or
Renewal Term, as applicable, by written notice given at least one (1) month prior to the
end of any such period. If Licensee exercises this right of termination, the previous fees
will be invoiced until the termination becomes effective.
(6) In case that the parties have not agreed to use a direct debiting scheme, the Invoice
Amount has to be credited to the specified account thirty (30) days after reception of
the invoice of FARO. Invoices shall be issued in Euro.
(7) The fees are exclusive of VAT. If VAT accrues, it shall be added at the current rate.
§ 10
Default
(1) FARO is entitled to block the access of Licensee to the Computing Service, whilst a
default of Licensee’s payment obligation under this Agreement over thirty (30) days. In
that case, Licensee stays obliged to pay all due invoices.
(2) If the Licensee defaults with its payment obligations under this Agreement over sixty
(60) days, FARO is entitled to terminate the Agreement without prior notice and to
claim liquidated damages in the amount of a quarter of all monthly fees to the end of
the normal term of the Agreement.
(3) Upon Licensee's default of payment, Licensee shall pay default interest amounting to
eight (8) percentage points above the base interest rate of the German Federal Bank.
LE-FR-8568 Rev 2 Oct. 4, 2018
11
(4) FARO reserves the right to enforce further claims against Licensee because of default
of payment.
§ 11
Warranties of FARO
(1) FARO represents and warrants to Licensee that FARO has the authority to grant the
License. To the best of FARO's knowledge and belief, the Computing Service does not
infringe or violate any third-party rights. However, FARO does not represent and
warrant that the use of the Computing Service does not infringe any third-party rights,
in particular copyrights, software, trademarks, trade secrets, know-how, patents, utility
patents, design patents or other proprietary or intellectual property rights. FARO
represents and warrants that it is not aware of any circumstances that may have
infringed the confidentiality, insofar as confidentiality exists, of the Computing Service.
(2) FARO strives to perform without errors and interruptions. However, a faultless and
uninterrupted service cannot always be guaranteed. FARO provides the Computing
Service on an “AS IS” basis. In the event of faults or interruptions in the Computing
Service or other deteriorations in quality, FARO shall restore normal operation as soon
as possible.
(3) FARO makes no express or implied warranties concerning the quality of the Computing
Service, including any warranties of merchantability or fitness for a particular purpose.
(4) FARO does not and cannot warrant the performance or results Licensee may obtain by
using the Computing Service. In addition, Licensee is solely responsible for
determining the appropriateness of using the Computing Service and FARO does not
represent that the Computing Service can be used in any, and in particular in
Licensee’s hardware and/or software and/or computer system environment.
LE-FR-8568 Rev 2 Oct. 4, 2018
12
§ 12
Infringement of Computing Service
(1) If any Party becomes aware
(a) of any actual or imminent infringement of the Computing Service, or
(b) of any claim or allegation by a third person that any part of the Computing
Service is invalid or liable to revocation or cancellation, or infringes the rights of
any third party,
it shall promptly advise the other party by written notice, giving full particulars thereof. If
Licensee becomes aware of such facts, it shall not make any admission or comment to
any third party with regard to such issues.
(2) Notwithstanding § 12 para. (1), FARO shall have the control of disputes and
proceedings relating to the Computing Service (including, without limitation, any
proceedings to which Licensee is a party), in particular but not limited to infringement of
any copyright, trademark, trade secret or other proprietary right by any third party
resulting from or as a consequence of Licensee’s use of Computing Service in
accordance with this Agreement, and shall, in its reasonable discretion and in
consideration of Licensee's position, decide what action (including litigation, arbitration
or settlement), if any, to take in respect of any circumstance referred to under § 13
para. (1). FARO shall not be obliged to bring or defend any proceedings in relation
thereto. In the event that FARO notifies Licensee within reasonable time in writing that
it will not take any action in respect of any circumstance referred to under § 13
para. (1), Licensee shall be entitled to prosecute infringements and bring suit or take
any other action in its own name and at its own cost.
(3) Upon request, Licensee and FARO shall give each other all reasonable assistance
(including, without limitation, the provision of documents and information and the
execution of documents and making relevant people available and being joined as a
party in which the contracting partner is a party) in any action, claim or proceedings
brought, threatened or contemplated concerning any of the Computing Service. The
requesting party shall meet all reasonable expenses incurred by the assisting party in
giving such assistance.
LE-FR-8568 Rev 2 Oct. 4, 2018
13
§ 13
Indemnification, Limitation of FARO’s Liability
(1) In the event of any breach of a duty under this Agreement, in particular the duties
under § 7 of this Agreement, Licensee shall indemnify FARO without delay against all
claims of third parties, for example but not limited to claims for indirect, direct and/or
consequential damages, liabilities and expenses incurred by FARO, including FARO’s
reasonable costs of its legal defense, and arising out of any activity of Licensee,
including, but not limited to, such arising out of the storage or processing of Uploaded
Data or other business operations of the Uploaded Data, and offer FARO the
necessary assistance in its legal defense.
(2) FARO shall not be liable for any damages, costs, losses, expenses (including
settlement awards and attorney’s fees) incurred by Licensee in defending any action or
claim unless such defense or action has been authorized in writing by FARO.
(3) Unless otherwise agreed herein, any claims for damages of Licensee against FARO or
FARO’s agents because of or in relation with any defects or lack of warranted
characteristics of the Computing Service, no matter on which legal basis, in particular,
claims arising out of breach of contract or of precontractual relationship (culpa in
contrahendo), infringement of duties arising in connection with the Agreement or tort,
subsequent frustration due to petty negligence and/or repudiation of the contract
because of delayed delivery, shall be excluded.
(4) FARO shall only be liable - and this shall also apply if FARO employed executive
personnel or other persons in performing FARO’s obligations - in the event that:
(a) FARO is attributed gross negligence or intent;
(b) FARO fraudulently concealed a defect or warranted the quality of the service
FARO provides;
(c) damage to life, bodily injury or damage to health has been negligently and/or
willfully caused by FARO; and/or
LE-FR-8568 Rev 2 Oct. 4, 2018
14
(d) FARO violates substantial contractual obligations (cardinal obligations)
endangering the purpose of the agreement as a whole, that is
(aa) in the event of material violations of duties which endanger the
achievement of the contractual purpose, or
(bb) in the event of the violation of duties – the fulfilment of which enables the
proper performance of the contract in the first place - and on the
observance of which the buyers may regularly rely ("Cardinal Duties").
(5) The claim to damages compensation for the violation of Cardinal Duties in the case of
§ 13 para (4) lit. (d) of this Agreement is limited to the typically foreseeable damage.
(6) The liability regardless of negligence or fault of FARO on compensation (sec. 536 a
German Civil Code) for existing deficits on conclusion of contract are expressly
excluded. § 13 para. (1) to (5) of this Agreement remain unaffected.
(7) The exclusion of liability shall not apply to claims arising out of the German Product
Liability Code. No change in the legally codified distribution of the burden-of-proof to
the Licensee’s disadvantage is associated with the aforementioned rules.
§ 14
Act of God
(1) FARO is released of its obligation to perform out of this Agreement, if and to the extent
to which the default of performances is due to an incidence of circumstances of an act
of God after signing this Agreement.
(2) As act of God apply for example, but not limited to, the following events: war, riots,
dispossessions, cardinal modifications of law, lawfully industrial actions, also in third
party businesses, storm, flooding and other natural disasters, failures of communication
networks or gateways of third party carriers, regulatory actions, and/or other technical
dysfunctions insofar as FARO is not be responsible for them, especially water ingress,
power blackouts and disruptions or destruction of data lines.
LE-FR-8568 Rev 2 Oct. 4, 2018
15
§ 15
Data Protection
(1) FARO is permitted to use Licensee’s personal information to provide Licensee with
support and inform Licensee about FARO’s software updates/upgrades or new
releases that are part of FARO’s service.
(2) FARO has implemented technology and security policies, rules and measures to
protect the personal data that FARO has in FARO’s possession from unauthorized
access, improper use, alteration, unlawful or accidental destruction, and accidental
loss. For detailed information, please see Exhibit 2 to Annex 4 which shall be deemed
incorporated herein by reference.
(3) Licensee warrants that Licensee (i) has permission of all individuals (where required),
be it employees or customers of Licensee or employees of Licensee’s customers or
other persons, or (ii) is otherwise justified to transmit this individual’s personal data to
FARO, that FARO stores this personal data, including on web servers of FARO and on
web servers owned by Amazon Web Services, Inc., that FARO processes this personal
data with the Computing Service and that this personal data can be presented to third
parties, especially with all data processing operations related with the use of the
Computing Service. Therefore, Licensee undertakes to enter into agreements with its
employees and customers relating to the aforementioned.
(4) In order to entitle FARO to process the personal data of individuals in the manner of
para. (3) above, Licensee and FARO enter into an “Data Processing Agreement” that
complies with all applicable laws, rules and regulations, especially Art. 28 (3) of
General Data Protection Regulation (Annex 4).
(5) Licensee shall, upon first demand, indemnify FARO and hold FARO harmless from and
against any and all liability or claims of third parties based on culpable infringement of
personal privacy rights of individuals from or as a consequence of FARO’s permitted
use of the personal data of individuals as set out in § 15 para. (3) till (4) above. The
above indemnification shall not apply if the claim is based on FARO’s intentional or
grossly negligent breach of duties or FARO’s slightly negligent breach of Cardinal
Duties.
LE-FR-8568 Rev 2 Oct. 4, 2018
16
§ 16
Confidentiality
(1) All Confidential Information (information which is designated as confidential, or
communicated in such a manner or under such circumstances as would reasonably
enable a person or organization to ascertain its confidential nature) provided by one
party will be maintained in confidence by the other party. Each party agrees to notify
the other party if disclosure of such other party's Confidential Information is necessary
to comply with the requirements of any law, government order, regulation or legal
process prior to such disclosure. The provisions of this § 16 will not have application to
any information disclosed by a party to the extent such information (i) becomes lawfully
available to the public; (ii) is received without restriction from another person or
organization lawfully in possession of such information; (iii) was rightfully in the
possession of a party without restriction prior to its disclosure; or (iv) is independently
developed by a party or its employees or agents without access to the other party's
similar information.
(2) The obligations contained in § 17 para. (1) of this Agreement shall survive the
termination of this Agreement for five (5) years, but shall cease to apply to any
information coming into the public domain otherwise than by breach of the Licensee of
its obligations contained in this Agreement.
§ 17
Term and Termination
(1) This agreement shall be deemed to have taken effect from the date this Agreement is
signed (“Commencing Date”). The Agreement shall be effective for the period of one
(1) year beginning on the day of operable deployment (“Initial Term”). The Agreement
will be renewed automatically to the end of the Initial Term or following terms for one
(1) year (“Renewal Term”), unless either party terminates this Agreement.
(2) The Agreement may be terminated at the end of each term of the Agreement by written
notice given at least thirty (30) days before the end of any of such terms.
(3) The right to terminate this Agreement for cause remains unaffected. A serious and
continuous breach of the terms of this Agreement by either party shall be considered
LE-FR-8568 Rev 2 Oct. 4, 2018
17
as cause to terminate this Agreement without prior notice. Without limiting the
generality of the foregoing sentence, such a cause is considered in particular if one of
the following violations occurs:
(a) If either party commits an act of bankruptcy or compounds or makes any
arrangement with its creditor or executes a bill of sale on its assets or any part
thereof; or
(b) if either party is wound up either compulsorily or voluntarily or a receiver on its
assets is appointed except for the purpose of amalgamation or reconstruction; or
(d) in the event that Licensee comes under the control, directly or indirectly, of a third
party or entity different from the shareholders/owners of Licensee at the time of
signing of this Agreement; or
(e) Licensee does not conduct its business in consistency with proper business
methods and practices or otherwise in a manner able to cause considerable
damage to FARO’s reputation or fails to comply with its obligations under § 7
para. (1), (4), (5), (7) and/or (11) and § 4 para. (1).
(4) A notice of termination requires the written form or text form (e.g. email).
§ 18
Effect of Termination
(1) Upon termination of this Agreement, the rights of Licensee to use the Computing
Service cease immediately to exist.
(2) In case of termination, Licensee is not entitled to any kind of compensation for the
goodwill connected to the Computing Service that Licensee may have created during
the term of this Agreement.
(3) With termination of the Agreement Licensee shall immediately return or, if instructed by
FARO, destroy all Uploaded Data. FARO will erase the Uploaded Data of Licensee if
the Uploaded Data were not returned or destroyed before this Agreement comes to an
end.
LE-FR-8568 Rev 2 Oct. 4, 2018
18
(4) Further termination of this Agreement will not limit FARO from pursuing any other
remedies available to it, including injunctive relief, nor will termination relieve Licensee
of its obligation to pay any charges to FARO that accrued under this Agreement prior to
termination, provided that FARO has met all its contractual obligations associated with
these charges. Further Termination of this Agreement by FARO pursuant to § 17 shall
be without prejudice to the right to seek compensation for breach of any provision of
this Agreement or any other damage of FARO or any of its affiliates caused in
connection with the use of the Computing Service by Licensee.
§ 19
Assignment and Set-off
(1) This Agreement is not transferable or assignable by Licensee, whether in whole or in
part, voluntarily or by merger, consolidation or sale, or otherwise by operation of law
without the prior written consent of FARO. Subject to the foregoing, this Agreement and
each and every provision hereof, shall be binding upon and shall inure to the benefit of
the parties and their respective permitted successors and assigns.
(2) Licensee is permitted to set off only with claims that are undisputed or have been
upheld by a final decision of a court of competent jurisdiction
§ 20
Applicable law, Jurisdiction
(1) This Agreement is governed by German law. The Application of the United Nations
Convention on Contracts for the International Sale of Goods is hereby expressly
excluded.
(2) Place of performance and delivery, as well as exclusive place of jurisdiction for all
disputes arising out of or in connection with this contract, shall be Korntal-Münchingen.
Nevertheless, FARO shall be entitled to take action against Licensee at Licensee’s
place of business.
LE-FR-8568 Rev 2 Oct. 4, 2018
19
§ 22
Final Provisions
(1) All Annexes which are listed in and are enclosed to the Agreement are an integral part
of the Agreement.
(2) Any amendment to or modification of this Agreement requires the written form. The
same applies to any agreement waiving the written form.
(3) This Agreement, including the Annexes, constitutes the entire agreement between the
Parties with respect to the subject matter of this Agreement, and supersedes all other
prior oral and written agreements or understandings of the Parties relating thereto. All
references to this Agreement shall be deemed to include the Annexes.
(4) In the event that any term or provision of this Agreement is or will become invalid or
unenforceable, then the validity and enforceability of all other terms and conditions
shall thereby not be affected. In such case, the invalid or unenforceable term shall be
substituted by a valid and enforceable term which comes as close as possible to the
economic purpose of the invalid or unenforceable term. The same applies in case of
gaps of this Agreement.
________________________________ ________________________________
(date) (date)
For on behalf of FARO For on behalf of the Licensee
________________________________ ________________________________
(Name) (Name)
Title Title
List of Annexes
Annex 1 – Computing Service Specifications
Annex 2 – Selected Package
Annex 3 – Price List
Annex 4 – Data Processing Agreement
LE-FR-8568 Rev 2 Oct. 4, 2018
20
Annex 1 of License Agreement
Computing Service Specifications
This following Computing Service Specifications shall establish the services which shall be
rendered by FARO in accordance with the License Agreement and the duties of the parties
with which they have to comply in order to render the services.
Deployment of the Computing Service
The Computing Service is a software and hosting service to Licensee by FARO. The
Computing Service is deployed operable to Licensee with informing Licensee about the
activation of the Computing Service in writing or by email.
Description of the Computing Service
(a) Computing Service
The Computing Service is a software and hosting service offered by FARO. The
Computing Service allows the User to upload laser scan data, to view uploaded
laser scan data and related meta data within a standard web browser like Mozilla
Firefox, Google Chrome, Apple Safari or Microsoft Internet Explorer. The data is
organized in scan projects. Each scan project is presented as an overview map
which indicates the position of 3D laser scans. Single laser scans are presented
in a panoramic view.
(b) Functionalities of the Computing Service
- Within the panoramic view, a logged-on User can take simple distance
measurements. These measurements will be stored and assigned to the
User to make the data persistent after the duration of a specific session.
- The uploading project data onto the Licensee’s Computing Service sub-
domain requires a local installation of FARO´s SCENE software in version
5.2 or higher.
- The Computing Service is providing a role model which enables Licensee
to assign specific User rights to registered Users.
(c) User documentations
- The documentation for the Computing Service is provided online via
http://manuals.faro.com.
LE-FR-8568 Rev 2 Oct. 4, 2018
21
- The documentation for creation of Uploaded Data and the upload onto the
sub-domain of the Licensee is described in the user manual of SCENE.
(d) Other services
- FARO is planning to constantly maintain the offered service and improve its
functionality. Updates and extensions of the service can be implemented at
all time without further notice but FARO is not obligated to improve the
functionality or to provide updates and extensions.
- It is FAROs sole decision to define if future extensions of the offered
service will be provided as part of existing contracts or if they will be
provided at additional costs.
(e) Handover point of performance
The handover point of the Computing Service is the interface of FARO’s network
to the public internet network. The scope of service of the Computing Service of
FARO ends from Licensee’s point of view at the handover point of the Computing
Service.
Access Authority
(a) Licensee will be granted one sub-domain for his sole usage. The name of the
sub-domain needs to be defined and provided to FARO by Licensee. The full
URL of Licensee’s Computing Service site will be as follows:
https://sub_domain.websharecloud.com.
(b) FARO will grant administrator rights to specific users in the Licensee’s sub-
domain (“Administrators” or “Domain Administrators”).
(c) The Administrators can assign additional registered users to the sub-domain. The
user rights and feature set provided to such an assigned user can be managed
by the Administrators via the role management system of the Computing Service.
(d) The number of users which can be assigned to the sub-domain of Licensee
depends on the actual package which is agreed with the License Agreement.
(e) The Administrators and each single user have to safeguard its access authority
by a unique and safe password.
LE-FR-8568 Rev 2 Oct. 4, 2018
22
Backups
(a) The Uploaded Data is stored within the system of Amazon Web Services.
(b) Neither FARO nor the Computing Service offer means to back up Uploaded
Data.
(c) It is in Licensee’s sole responsibility to create and store backups of the Uploaded
Data. FARO is not providing any means of backup service as part of the License
Agreement.
(d) With termination of the License Agreement, the sub-domain of Licensee including
all data will be deleted by FARO. FARO is not providing any means of backup
service as part of the License Agreement.
New Package
It is possible to change to a higher level of services of the Computing Service during
the duration of the License Agreement. This requires a written advance notice of not
less than one week before the beginning of the next month. The new conditions will
become active with the beginning of the following month. In case the fees have to be
calculated for a portion of a year, the fees will be calculated for every month with 1/12
of the yearly fees as set out in Annex 3 to the License Agreement.
Dashboard and Limits of Package
(a) The Computing Service offers real-time monitoring of the current load of the
Licensee’s sub-domain via a dashboard at Licensee’s administration console of
the web front end.
(b) This dashboard is displaying the current storage consumption, the used
download volume and the number of registered Users together with the specific
thresholds according to the actual package.
(c) The Administrators of Licensees sub-domain will receive warnings before the
agreed limits of the actual Package are reached.
Exceeding the scope of the contract
In case Licensee exceeds the selected Package of Licensee, Licensee agrees that
FARO will charge for the excess service according to the unit prices as defined in the
Price List for the Computing Service.
LE-FR-8568 Rev 2 Oct. 4, 2018
23
Support
(a) Online Help system is available at http://manuals.faro.com
(b) Email and telephone support
Support will be provided by FARO Europe on workdays from 8:00 am until
5:00pm (MEZ / UTC +1h)
TEL: +49 7150 9797 400 or free call*: 00800 3276 7378
FAX: +49 7150 9797 9400 or free fax*: 00800 3276 1737
Email: [email protected]
* Only for calls from Austria, France, Germany, Italy, Spain, Switzerland, the
Netherlands and Great Britain.
Minimum Requirements of Licensee
(1) The access to the Computing Service is made via telecommunication. The
necessary minimum requirements of Licensee for the usage of the Computing
Service are particularly:
- Access to the internet;
- Software SCENE (version 5.2 or higher) is required.
- Personal Computer with 64-Bit Windows (for SCENE, Windows 10
recommended)
- Standard web browser like Mozilla Firefox, Google Chrome, Apple Safari or
Microsoft Internet Explorer (web browser with WebGL support
recommended).
(2) The provision of these requirements and also the telecommunications service,
including the transmission service from the handover point right up to the devices
utilized by Licensee are not object of the Agreement. Licensee is responsible for
such requirements.
Service Availability
(a) Reference
LE-FR-8568 Rev 2 Oct. 4, 2018
24
The availability only concerns to the functionalities of the Computing Service as
set out in section 0of this Annex.
(b) Availability
FARO provides the functionalities of the Computing Service as described in
section 0 of this Annex to Licensee during the following system runtime (“Target
Runtime/Availability”) up to a percentage of 96%:
Target Runtime/Availability: 24 hours/day and 365 day/year up to 96%.
The Computing Service might be unavailable during Planned Non-Availability as
set out in section 0 of this Annex.
Non-Availability exists if for the rest the agreed functionalities are not usable.
Planned Non-Availability
(a) FARO is entitled to service, to maintain and to update the Computing Services,
including the inherent software and/or hardware-systems beyond the stipulated
periods of section 0 lit. (b) of this Annex (“Planned Non-Availability”).
(b) FARO will seek to inform Licensee upfront about planned maintenance activities.
This information will be either via email or online within the Computing Service
front-end.
(c) If and to the extent Licensee can use the Computing Service in periods of
Planned Non-Availability, there is no warranty claim. In case of a reduction or
dismissal of the performance during times of Planned Non-Availability, Licensee
has especially no right of warranty or damages.
LE-FR-8568 Rev 2 Oct. 4, 2018
25
Annex 2 of License Agreement
NOTE: To avoid any delays in processing your order, please make sure to fill out Annex 2 in
clearly readable form.
Selected Package
Selected FARO Part
Number Package Storage
Downloads / Month
Assigned Users
□ SOFTWSC001 Base Package 50GB 50GB unlimited
Available packages may be subject to change.
Sub-domain: https:// ………..………………………………… .websharecloud.com
🛈 The sub-domain can have between 3 and 32 characters.
🛈 Allowed characters: letters (a-z), numbers (0-9) and dashes (-).
Domain Owner Email: ………………………………………………..............................
🛈 The Domain Owner will be the user of your company who can initially log in to your sub-
domain, and invite additional users.
🛈 Further instructions will be sent to this email address, once the sub-domain is set up.
LE-FR-8568 Rev 2 Oct. 4, 2018
26
Annex 3 of License Agreement
Price List
The current Price List can be found at http://s.websharecloud.com/links/ws/pricing-eu.html
LE-FR-8568 Rev 2 Oct. 4, 2018
27
Annex 4 of License Agreement
Data Processing Agreement
Preamble
This Annex Data Processing Agreement (“Annex”) specifies the data protection obligations
of the parties which arise from commissioned data processing, as stipulated in the License
Agreement including all Annexes (the “Main Agreement”). This Annex applies to all activities
performed in connection with the Main Agreement where FARO as the data processor
(hereinafter: “Processor”) or a third party engaged by the Processor acting on behalf of the
Controller may process personal data of the Licensee according to the Main Agreement
(hereinafter: “Licensee”) and its customers or its staff.
§ 1
Definitions
(1) “Personal Data”
Personal Data means any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person.
(2) “Processing” or “Processed”
Processing means any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, restriction, erasure or destruction.
(3) "General Data Protection Regulation” or “GDPR”
LE-FR-8568 Rev 2 Oct. 4, 2018
28
General Data Protection Regulation or GDPR means the General Data Protection
Regulation 2016/679 applying from 25 May 2018.
§ 2
Scope and Responsibility
(1) Processor shall Process Personal Data on behalf of Licensee. The scope of
Processing is specified in the Main Agreement. Within the scope of the Main
Agreement, Licensee is the controller and shall be responsible for complying with any
controller obligation. Licensee and Processor shall be separately responsible for
conforming with such statutory data protection regulations as are applicable to them.
(2) A list of categories of Personal Data, the purpose and nature of the Processing by
Processor on behalf of the Licensee is set out in Exhibit 1 to this Annex.
(3) The term of this Annex shall commence along with the Main Agreement and end upon
termination of the Main Agreement. Unless otherwise agreed by the Parties termination
of this Annex shall automatically terminate the Main Agreement.
§ 3
Documented Instructions
(1) The Processor shall not Process Personal Data that have been provided to the
Processor for purposes of data Processing for any other purposes, in particular, not for
its own purposes (including in anonymized form), and shall not transmit Personal Data
to third parties unless this is a subject matter of the services under this Agreement. The
foregoing shall not prevent the Processor from creating backup copies if and to the
extent they are required to ensure proper data Processing, or copies of data which are
required to be kept by virtue of law or any other legal standard. Where Processor is
obliged to Process Personal Data of Licensee beyond the instructions on basis of EU
law and/or EU member state law, the Processor shall inform Licensee before the start
of the Processing.
(2) Where Processor is of the opinion that an instruction violates Data Protection
Legislation, Processor is obliged to immediately inform Licensee of such opinion.
LE-FR-8568 Rev 2 Oct. 4, 2018
29
(3) The Personal Data will be Processed and used within the European Union and the
European Economic Area as well as by subcontractors of Processor being located
outside these areas (see Section 6 of this Annex). In the event Processor intends to
use subcontractors located in third countries, the additional requirements of Art. 44 et
seq. GDPR shall apply and have to be fulfilled.
§ 4
Confidentiality of Processing
Processor shall ensure that any personnel entrusted with Processing Licensee’s Personal
Data have committed themselves to confidentiality and have been duly instructed and trained
on the protective regulations of the GDPR. The confidentiality obligations shall continue after
the termination of the above-entitled activities.
§ 5
Security of Processing
(1) Within Processor’s responsibility, Processor shall structure Processor’s internal
corporate organisation to ensure compliance with the specific requirements of the
protection of Personal Data. Processor shall take the appropriate technical and
organisational measures taking into account (i) the nature of the Personal Data to be
protected, (ii) the risks that are presented by the Processing of Personal Data; (iii) the
harm that may result from breach of such measures; (iv) applicable industry standards;
(v) the state of technological development; and (vi) the costs of implementing the
measures to adequately protect Licensee’s Personal Data against unauthorized or
unlawful Processing, accidental loss, destruction or damage in accordance with the
requirements set out in Art. 32 GDPR. Such measures hereunder shall include, but not
be limited to measures to ensure ongoing confidentiality, integrity, availability and
resilience of the Processing systems and services and the ability to restore availability
and access to Customer Personal Data as well as evaluation of the measures
implemented.
(2) An overview of the above-entitled technical and organisational measures shall be
attached to this Annex as an Exhibit 2.
LE-FR-8568 Rev 2 Oct. 4, 2018
30
(3) Licensee shall retain title as to any carrier media provided to Processor as well as any
copies or reproductions thereof. Processor shall store such media safely and protect
them against unauthorised access by third parties.
§ 6
Subcontractors
(1) Processor is generally not entitled to engage subcontractors without the prior written
consent of Licensee. Where Processor engages subcontractors, Processor shall be
obliged to impose the same data protection obligations on the subcontractor as
applicable to the Processor under this Annex. Sentence 2 shall apply in particular, but
shall not be limited to, the contractual requirements for confidentiality, data protection
and data security stipulated between the parties of the Main Agreement. The Processor
is obliged to inform Licensee about any intended amendment to the subcontractors.
Licensee is entitled to refuse or withdraw consent to the amendment of the
subcontractors. The Licensee acknowledges refusal or withdrawal may have the effect
that the Licensee can no longer use certain services. In this case the Licensee shall be
entitled to terminate the Main Agreement without notice.
(2) Licensee acknowledges and consents that Processor’s contractual obligations
hereunder will be performed by using Amazon Web Services. Amazon Web Services,
Inc., who owns Amazon Web Services, is located in the USA. But, in this instance
Amazon Web Services will store the data in the cloud only within the EU.
§ 7
Data Subject Rights
(1) Taking into account the nature of the Processing under the Main Agreement Processor
shall provide reasonable assistance to Customer in responding to any request from
Data Subjects under Chapter III of the GDPR.
(2) Where Licensee, based upon applicable data protection law, is obliged to provide
information to an individual about the collection, Processing its Personal Data,
Processor shall assist Licensee in making this information available, provided that
Licensee has instructed Processor in writing to do so. Processor shall only correct or
LE-FR-8568 Rev 2 Oct. 4, 2018
31
erase the Personal Data Processed on behalf of the Licensee or restrict Processing of
Personal Data when instructed to do so by the Licensee.
(3) To the extent an individual contacts the Processor with a request to correct or erase
Personal Data or to restrict Processing of Personal Data, or if the Processor has other
reasons to believe that certain Personal Data should be corrected, erased or its
Processing restricted, the Processor shall inform the Licensee thereof without undue
delay in text form. The Licensee shall then issue the necessary instructions to the
Processor. The Processor shall be obliged to assist the Licensee upon first demand in
connection with the correction or erasure of Personal Data and to restrict Processing of
Personal Data.
§ 8
Assistance of Processor
(4) Processor shall, without undue delay, inform Licensee in case of breaches of Personal
Data protection, and any other irregularity in Processing Licensee’s Personal Data. The
information shall include information with respect to the timing, type of incident
(including information, which of the Personal Data is affected), the affected system, the
persons concerned, time of discovery, any potential adverse consequences as well as
the counter-measures taken by the Processor. Licensee shall be responsible for
fulfilling the duties to notify under Art. 33 and Art. 34 GDPR. Processor will support
Licensee in fulfilling such obligation.
(5) Processor shall also assist taking into account the nature of the processing in carrying
out data protection impact assessments (Art. 35 GDPR) or consulting the supervisory
authority (Art. 36 GDPR).
(6) Upon Licensee’s request, Processor shall provide all information necessary for
compiling the overview defined by Art. 30 GDPR.
(7) Processor shall if required under statutory law appoint a data protection officer in
accordance with Art. 37 to 39 GDPR and sections 38 and 6 German Federal Data
Protection Act. In this case Processor provides Licensee with the contact details of the
Processor’s data protection officer.
LE-FR-8568 Rev 2 Oct. 4, 2018
32
(8) Processor shall, upon Licensee and/or Subcontractor’s request, provide to Licensee or
Subcontractor all information on Licensee and/or Subcontractor’s Personal Data and
information.
§ 9
Return and Deletion of Personal Data
(1) Licensee shall, upon termination or expiration of the Main Agreement, instruct
Processor to return Personal Data or to delete stored Personal Data. Processor may
still need to retain certain information for legal and internal business reasons, such as
fraud prevention.
(2) Documentation intended as proof of proper data Processing must be kept by the
Processor beyond the end of the Annex in accordance with relevant retention periods.
The Processor may hand such documentation over to the Licensee after expiry of the
Annex.
(3) Processor shall be obliged to securely delete any test and scrap material as instructed
by Licensee on a case-by-case basis. On Licensee’s request, Processor shall hand
over such material to Licensee or store it on Licensee’s behalf.
(4) Any additional cost arising in connection with the return or deletion of Personal Data
after the termination or expiration of the Main Agreement shall be borne by Licensee.
§ 10
Information to demonstrate compliance; Audits
(1) The Processor shall regularly monitor compliance with the provisions of this Annex by
conducting its own reviews.
(2) At Licensee’s request, Processor makes available to Licensee the information
necessary to demonstrate compliance with the obligations under this Annex, in a
commonly used and machine-readable format. Such information can be in the form of a
current attestation, of reports or report excerpts from independent bodies (e.g.,
accountant, auditor, data protection officer), an appropriate certification resulting from
an IT security audit or from a data protection audit (e.g., according to ISO 27001), or a
certification approved by the competent authority.
LE-FR-8568 Rev 2 Oct. 4, 2018
33
(3) The Licensee shall be entitled to assure itself, by way of inspections at the Processor,
that the Processor complies with the terms of this Annex, in particular with respect to
compliance with the provisions of the GDPR, and that adequate data security is
guaranteed within the meaning of this Annex as well as the implementation of technical
and organizational measures pursuant to Art. 32 GDPR. The Licensee may execute
any controls by third parties. For his consideration to perform inspections, the Licensee
will take into account the information already received under Section 10(2) of this
Annex.
§ 11
Liability of Licensee and Processor
(1) As to the liability of the parties the terms and conditions of the Main Agreement shall
apply.
(2) Licensee shall indemnify and hold harmless in case third parties especially but not only
data subjects claim for damages alleging their rights had been harmed by Processor,
but Processor only acted within the scope of the instructions given by Licensee.
§ 12
Additional Costs, Duties to Inform, Mandatory Written Form, Choice of Law
(1) Any cost arising out of Processor’s performance under instructions outside the Main
Agreement’s scope of work shall be borne by Licensee.
(2) Where Licensee’s Personal Data becomes subject to search and seizure, an
attachment order, confiscation during bankruptcy or insolvency proceedings, or similar
events or measures by third parties while being Processed, Processor shall inform
Licensee without undue delay. Processor shall, without undue delay, notify to all
pertinent parties in such action, that any Personal Data affected thereby is in
Licensee’s sole property and area of responsibility, that Personal Data is at Licensee’s
sole disposition, and that Licensee is the controller.
(3) No change of or amendment to this Annex and all of its components, including any
commitment issued by Processor, shall be valid and binding unless made in writing and
unless they make express reference to being a change or amendment to these
regulations. The foregoing shall also apply to the waiver of this mandatory written form.
LE-FR-8568 Rev 2 Oct. 4, 2018
34
(4) This Annex is governed by the laws of the Federal Republic of Germany.
Exhibit 1
A list of Personal Data elements and the purpose of their Processing by Processor on behalf
of Licensee. The list shall state the extent, the nature and purpose of any contemplated
collection, Processing of data, the type of data, and the circle of data subjects.
Exhibit 2
An overview of the technical and organizational measures taken by Processor.
LE-FR-8568 Rev 2 Oct. 4, 2018
35
Exhibit 1 to Annex 4 of License Agreement
Scope, nature and purpose of the
Data Processing
Detailed description of the subject-matter of the contract in terms of extend, kind and
purpose of the service offered by FARO: Cloud-based storing, viewing and sharing service
for 3D laser scan data “SCENE WebShare Cloud” for the duration of the License Agreement
(see License Agreement).
1. Data Categories
Subject of acquisition, Processing of Personal Data are the following kind of data and data
categories:
Processed at FARO and Amazon Web Services:
- First name - Middle name - Last name - Email address - Username - User ID - Password
2. Data Subjects
- Customers
- Licensee’s or customers’ staff and employees
- Prospective customers
3. Processing Operations
• Storage, use and Processing of the above-mentioned data at FARO and in the
Amazon Web Services in order to provide, control and maintain the service which is
subject of this contract.
• FARO uses Amazon Web Services for storage, processing, data handling,
authorization and security.
LE-FR-8568 Rev 2 Oct. 4, 2018
36
Exhibit 2 to Annex 4 of License Agreement
Technical and organizational measures
in accordance with Art. 32 GDPR
Description of the Technical and Organizational Security Measures taken by
Processor.
Processor has implemented the following technical and organizational security measures to provide the on-going confidentiality, integrity, availability and resilience of processing systems and services:
1. Confidentiality Processor has implemented the following technical and organizational security to provide the confidentiality of processing systems and services, in particular:
• Licensee’s data is processed both on FARO premise as well as on remote server sites owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data processing equipment (namely telephones, database and application servers and related hardware). Cloud certifications can be obtained at https://aws.amazon.com/compliance/ and AWS GDPR DATA PROCESSING ADDENDUM at https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf ; Such certifications and measures may include:
- CSA
- ISO 9001, ISO 2701, ISO 2717, ISO 27018
- SOC1, SOC2, SOC3
- a layered security model, including safeguards like custom-designed electronics access cards, alarms, and perimeter fencings;
- data centers are monitored by CCTV;
- access logs and activity records;
- facilities hosting data centers are also routinely patrolled
- access to data centers requires security badges only approved employees with specific role may enter.
• Processor implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- automatic time-out of user terminal if left idle, identification and password required to reopen;
- issuing and safeguarding identification codes to Processor’s online
LE-FR-8568 Rev 2 Oct. 4, 2018
37
platform, requiring two-factor authentication for all users;
- letting Licensee and customers define individual user accounts with permissions across Processor resources;
- industry standard encryption and requirements for passwords (minimum length, use of special characters, etc.); and
- all access to data content is logged, monitored, and tracked.
• Processor’s employees entitled to use its data processing systems are only able to access personal data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. This is accomplished by:
- employee policies and training;
- effective and measured disciplinary action against individuals who access personal data without authorization;
- limited access to personal data to only authorized persons;
- industry standard encryption; and
- policies controlling the retention of back-up copies.
2. Integrity
Processor has implemented the following technical and organizational security to provide the integrity of processing systems and services, in particular:
• Processor implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- industry standard encryption; and
- avoiding the storage of personal data on portable storage media for transportation purposes and on company issued laptops or other mobile devices.
• Processor does not access any Licensee or customer content except as necessary to provide that Licensee with the Processor products and professional services it has selected. Processor does not access Licensee’s content for any other purposes. Accordingly, Processor does not know what content Licensees choose to store on its systems and cannot distinguish between personal data and other content, so Processor treats all Licensee content the same. In this way, all Licensee content benefits from the same robust Processor security measures, whether this content includes personal data or not.
LE-FR-8568 Rev 2 Oct. 4, 2018
38
3. Availability Processor has implemented the following technical and organizational security measure to provide the availability of processing systems and services, in particular:
• Processor implements suitable measures to provide that personal data is protected from accidental destruction or loss. This is accomplished by:
- infrastructure redundancy;
- policies prohibiting permanent local (work station) storage of personal data; and
- performing regular data back-ups.
4. Resilience Processor has implemented the following technical and organizational security measures to provide the resilience of processing systems and services, in particular:
• performing regular data back-ups;
• hosting its website on multiple web servers located in different locations; and
• performing regular health tests on servers.
LE-FR-8568 Rev 2 Oct. 4, 2018
39
Revision History
Version Revision Date Revised By Brief Description of the Revision
1 Sept. 28, 2018 T. Mauch Initial Upload
2 Oct. 4, 2018 T. Mauch Updated Exs. 1 and 2 to Annex 4