BY AND BETWEEN
On the one hand, Mr. _______________, full age, with Spanish ID Number (DNI) ____________, acting as Joint and Several Director of WELCOMENEXT S.L. (hereinafter WELCOMENEXT) with Tax ID Code (CIF): B-86432325, with registered office at Complejo Empresarial Ática, Edificio 5, 2ª Planta, Avenida de Europa 26, 28224 Pozuelo de Alarcón (Madrid), duly registered on March 29, 2012, at the Commercial Registry of Madrid,
And on the other hand, Mr. ___________________________, full age, with ID Number _____________, acting as _________________________ of the company _________________________________ (hereinafter THE CLIENT) with Tax ID Code: _______________, with registered office at ________________________________________________________ and duly registered at the Commercial Registry of ________________ on _____________.
The appearing parties, in their respective capacities, acknowledge each other to have the necessary civil capacity to enter into this Collaboration Contract and to such effect,
THEY STATE THE FOLLOWING
- WELCOMENEXT is a company the corporate purpose of which consists, inter alia, of the provision of services related to the training sector, providing access to its IT solutions technology platform (SaaS) and to its outsourcing services, hereinafter referred to as the “Services”.
- The scormNEXT service covers the content hosting, changing, management and distribution needs in SCORM 1.2 format for those companies or organisations wishing to offer their content online in a safe and centralised way.
- The CLIENT has evaluated the Services offered by WELCOMENEXT, believes they are tailored to its needs and is interested in hiring such Services, in accordance with the following
1.- SUBJECT-MATTER OF THE CONTRACT AND TERRITORIAL SCOPE
- This Contract seeks to establish the grounds according to which WELCOMENEXT is to provide the following services to the CLIENT:
- Implementation, at WELCOMENEXT’s cloud-based servers, of an instance of the technological platform scormNEXT, owned by WELCOMENEXT, to be used by the CLIENT.
- Technical support and maintenance service of the technological platform scormNEXT, in accordance with the terms and conditions set forth in this contract.
- The territorial scope of this Contract will be at the national level.
2.- TRIAL PERIOD
- Prior to the execution of this contract, the client may request, if he so wishes, a trial period of the technological platform scormNEXT without charge. The length of the trial period shall be 7 calendar days.
3.- CONTRACT PERIOD
- This Contract shall be effective as of the signing date and its initial term shall be from that date until the end of the following calendar month.
- Once the due date has been reached, the Contract shall be automatically extended for subsequent periods of 1 month, unless both parties agree to change the duration of the extensions.
- If either party does not wish to renew this Contract, it shall notify the other party in writing at least 15 days prior to the expiration of the Contract.
- In any case, WELCOMENEXT will not be liable for the consequences resulting from the service interruption, or from the lack of maintenance after the contract has been terminated.
4.- DATA PROTECTION POLICY
The parties, following the current laws on Personal Data Protection and pursuant to article 28 of the GDPR agree as follows:
- For the provision of the Services and for the execution thereof in accordance with the Contract, WELCOMENEXT shall have access to certain personal data of the CLIENT and, in particular, to the following: Identification data (name and surnames) and user name (email/Nick) of the CLIENT’s employees.
The provision of services delivered by WELCOMENEXT involves the processing of the following: collecting, record, structuring, preservation and interconnection.
- WELCOMENEXT, acting as data processor, represents and warrants to the CLIENT the following:
- It has enough technical capacity to meet the obligations of the Contract in full compliance with the laws regarding personal data protection, being able to commit itself, insofar as is required for the provision of the Services, to comply with the requirements of the GDPR.
- It will maintain the secrecy and confidentiality of the personal data owned by the CLIENT to which access is provided.
- It will process the personal data to which access is provided exclusively on behalf of the CLIENT and, in any case, in accordance with the instructions given by the CLIENT. Similarly, it must use such data only for the provision of the Services and, consequently, cannot use them or implement them in any way exceeding such purpose.
- It shall not provide third parties, not even for safekeeping, data to which access is provided pursuant to the provision of the Services, or similar developments, assessments or processes carried out with such data, or duplicate or reproduce all or part of the information, results or relations on such data, except for such cases where it is legally enforceable.
- All personal data processed by WELCOMENEXT is hosted on servers located within the European Union. Likewise, WELCOMENEXT represents and warrants that the backups of data are hosted on servers located within the European Union.
- It shall provide the CLIENT with the necessary information to prove compliance of its obligations, and for audits or inspections carried out by the CLIENT, or an auditor on its behalf.
- It shall appoint a data protection officer and communicate the identity and contact details to the CLIENT, when put under the obligation to designate one. If WELCOMENEXT does not have the obligation to designate a data protection officer, it must notify such fact to the CLIENT through a statement of responsibility.
- It shall guarantee that the persons authorised to process personal data commit themselves, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which they shall inform accordingly. To that end, WELCOMENEXT shall keep available to the CLIENT all documents evidencing compliance with the obligation set forth in this paragraph.
- It shall guarantee the necessary training, in the field of personal data protection, of those persons authorised to process personal data for which it is responsible.
- It shall give support to the CLIENT in the carrying-out of impact assessments with regard to personal data to which access is provided, as appropriate and requested by the CLIENT.
- It shall give support to the CLIENT in the prior consultations held with the control authority, where applicable.
- If WELCOMENEXT considers that the fulfilment of any particular instruction given by the CLIENT might entail a breach of the GDPR or any other applicable regulations modifying or supplementing it, WELCOMENEXT must immediately inform the CLIENT and ask it to withdraw, amend or confirm such instruction. WELCOMENEXT may suspend the implementation of the relevant instruction while awaiting the CLIENT’s decision with regard to the withdrawal, amendment or confirmation of the corresponding instruction.
- On completion of the provision of Services and at the CLIENT’s request, WELCOMENEXT will immediately destroy the personal data to which it had access to, and the documents or storage mediums that included such data.
- It shall implement mechanisms to: (i) ensure permanent confidentiality, integrity, availability and resilience of processing systems and services (ii) restore data availability and access in a quick way in case of physical or technical incidents; (iii) constantly verify, assess and value the effectiveness of technical and organisational measures implemented to ensure security of processing; and (iv) pseudonomise and encrypt data, where appropriate.
- As data processor it shall notify the CLIENT, without undue delay, and in any case within a maximum of 24 hours, via email: ___________________, of any incident, suspected or confirmed, on data protection, of any unlawful or unauthorised data, of any loss, destruction or damage to personal data within the area of responsibility of WELCOMENEXT (caused by WELCOMENEXT, its staff, agents or subcontractors) and of any incident that may be considered to be a security breach of data, along with all relevant information for the documentation and communication of the incident to the authorities or affected parties. In this sense, if available, at least the following information is to be provided:
- Description of the nature of the breach of data security, including, where possible, the categories and approximate number of affected parties, and the categories and approximate number of affected personal data registries;
- Name and contact details of the data protection officer or of another point of contact from which detailed information can be obtained;
- Description of the possible consequences of the breach of data security; and
- Description of the adopted or proposed measures to remedy the breach of data security, including, where appropriate, the measures adopted to mitigate the potential negative effects.
Additionally, WELCOMENEXT shall immediately open a full investigation on the circumstances associated with such incident and shall submit its report or comments on it to the CLIENT, and it shall fully cooperate with the investigation that may be performed by the CLIENT, providing the CLIENT with the assistance required to investigate such incident.
Likewise, it shall assist the CLIENT, in the event of a breach of personal data security, so as to ensure compliance with the reporting obligations of a breach of personal data security in accordance with the GDPR (in particular, arts. 33 and 34 of the GDPR) and any other applicable regulations amending, complementing or that may be enacted in the future.
- It shall assist the CLIENT, at its request, upon simple application, delivering any kind of information or documents needed to provide a proper response to the exercise of the rights of access, rectification, erasure, opposition, limits to processing or data portability that it may receive from the interested parties, it all within reasonable deadlines and, in any case, sufficiently in advance for the CLIENT to be able to comply with legally established deadlines for the provision of the aforementioned rights.
- In those cases where it receives a direct request of access, rectification, erasure, opposition, limits to processing or portability from the affected party, holder of the processed data, it undertakes to immediately transfer such request to the CLIENT so that it can be addressed within the legally established deadlines.
- It shall not subcontract the Services to third parties unless it has prior written authorisation from the CLIENT or it refers to ancillary services that WELCOMENEXT needs in order to provide its services properly.
If WELCOMENEXT needs to sub-process processing, it must inform the CLIENT about the services and processing that wants to be outsourced, the identity of the subcontractor and its contact details. Such notice must be made by WELCOMENEXT at least two weeks before the signing of the outsourcing, and throughout such period the CLIENT may oppose to such outsourcing.
The subprocessor will also be subject to the obligations imposed upon WELCOMENEXT under this Contract and to the instructions given by the CLIENT at any given time. In this sense, WELCOMENEXT must capture the subprocessing and the obligations of the subprocessor in a contract signed by WELCOMENEXT and the subprocessor, which fulfils the formal requirements contained in this clause. In the case of failure on the part of the subprocessor to fulfil its obligations on data protection, WELCOMENEXT will undertake responsibility to the CLIENT with respect to such failures, as if such failure had been committed by WELCOMENEXT.
- It shall maintain a written record of all categories of processing activities carried out in accordance with this Contract, containing:
- The name and contact details of WELCOMENEXT and, where appropriate, of the CLIENT’s representative or of WELCOMENEXT’s representative and of the data protection officer;
- The categories of processing carried out in accordance with the Contract; and
- In the event of international transfers (which must be, in any case, regularised or authorised by the CLIENT), the identification of the third country of destination of the data owned by the CLIENT and documentation on appropriate guarantees.
- It shall not carry out international transfers of personal data to which access is provided, owned by the CLIENT, unless it has prior and written authorisation of the CLIENT or they have been dully regularised.
- It shall have a general description of the technical and organisational security measures regarding: (i) pseudonomisation and encryption of personal data, where appropriate; (ii) the capacity to ensure permanent confidentiality, integrity, availability and resilience of processing systems and services (iii) the capacity to restore personal data availability and access in a quick way in case of physical or technical incidents; and (iv) the process of constant verification, assessment and valuation of technical and organisational measures implemented to ensure security of processing.
Additionally, WELCOMENEXT undertakes to implement all technical and organisational security measures that may be applicable in accordance with the GDPR (namely, those laid down in article 32) and any other applicable regulations that amend, complement or replace it. In the particular context of this relationship, following the relevant risk analysis, both parties have agreed that the specific security measures that WELCOMENEXT must implement in connection with the data processed under this Contract are those referred to in clause 4.6 below.
Such security measures, and any others that may be implemented can be amended at the request of the CLIENT so as to accommodate them to regulatory changes or variations in the type of personal data to which WELCOMENEXT is to have access to.
- In accordance with the provision of the data protection law, WELCOMENEXT shall be considered as a data controller should it use the data for another purpose, disclose or use them in breach of the stipulations of this Contract, answering for the breaches it has personally caused.
- Pursuant to that set forth in the applicable regulations on Personal Data Protection, the CLIENT and WELCOMENEXT inform the signatories acting in the name and on behalf of each of the parties in this Contract (“Representatives“) that the personal data laid down in this Contract and those arising out of the relationship, shall be processed by each of the parties, as data controllers, on the basis of the legal interest of each party in maintaining, complying with, developing, controlling and executing that provided for in this Contract.
Data shall be kept for at least the duration of the relationship, being able to preserve it subsequently blocked during the limitation to legal actions related to such processing.
To all appropriate effects, the parties inform the Representatives that their data will not be disclosed to third parties except in the cases provided by the law and access to such data will only be given to service providers of the parties in the systems, technology and administrative management sectors.
If the Representatives wish to exercise their rights to access, rectification, cancellation, limits to processing and, in those situations where it is possible, opposition, they may do so by way of a written request addressed to the addresses specified in the Contract’s appearance clause or to the following addresses, attaching a copy of a personal identification document:
- Data Protection Officer of the CLIENT: ________________________
- Data Protection Officer of WELCOMENEXT: email@example.com
They may also address the Spanish Data Protection Agency to claim their rights.
This article lays down the security measures of information and personal data systems used during the provision of the scormNEXT service to the CLIENT.
The CLIENT is the controller of the files used for the service provision of the scormNEXT system while WELCOMENEXT is assigned the processing of the files.
While executing its maintenance duties, WELCOMENEXT shall limit its access to personal data to that necessary for the execution of the Contract and will strictly comply with the current personal data protection regulations.
WELCOMENEXT may subcontract the hardware servers that are to host the services rendered. In accordance with the personal data protection regulations, the CLIENT accepts and authorises the personal data saved in the scormNEXT system to be stored on devices outside the premises of the CLIENT and WELCOMENEXT, so as to guarantee the level of security relevant to the type of file processed.
Functions and duties of the staff of WELCOMENEXT
Access to the scormNEXT system and to the data therein contained shall be provided to both analysts/programmers of the WELCOMENEXT team, and system technician, who shall develop the following tasks:
- Incident management.
- Maintenance of hardware and software systems.
- Fulfilment of security activities.
- Making backup copies of the system and stored data.
- Production readiness of the programming code.
- System coding and testing.
Backup copies of all the scormNEXT system used by the CLIENT will be made on a daily basis, as well as of its specific configuration. This will also include copies of all information stored in the system (databases, documents, etc.).
Backup files shall be transported through a communications network with certain security measures and secure protocols.
Backup files shall be made every day from ZERO HOURS (00:00) and FIVE HOURS (05:00) in the morning, during which the service may run at below normal service level.
WELCOMENEXT shall store daily backups for a maximum of 7 days.
5.- TECHNICAL SUPPORT AND MAINTENANCE
- WELCOMENEXT offers technical support via e-mail firstname.lastname@example.org and via telephone for major incidents. This shall be available to the CLIENT over the life of the Contract. The CLIENT may appoint a person to act as contact point so as to give notice to WELCOMENEXT about technical problems.
- Response times shall be proportional to the seriousness of the error, and in no case will they exceed that expressed in the table below:
||MAXIMUM RESPONSE TIME
||Soft errors shall be those that do not affect the proper functioning of the system and users can use the system in a normal way. They relate to errors in the text, style, pictures, colours and other irrelevant mistakes, among others.
||Moderate errors shall be those that do affect the normal use of the system by users, but enables them to access the service partially. These errors relate to functionality, access to a section or to certain information and display problems affecting the optimum navigation through the application.
||Serious errors are those that prevent the users from accessing the application. These errors relate to general system errors and server problems.
- Any maintenance service, updates and error resolution at the CLIENT’s offices shall be addressed remotely from WELCOMENEXT’s offices. These services do not include visits to the CLIENT’s premises. If visit to the CLIENT’s premises is necessary, it must be budgeted according to that set out in the economic proposal or current rates of WELCOMENEXT at the time of the service request.
- Response time is defined as the time interval between the moment in which the incident is received and the time when WELCOMENEXT’s technicians begin working to solve it. This time is calculated in work hours, that is to say, during standard working hours. If necessary, contact will be maintained with the CLIENT to instruct, should it be necessary, him on how to perform a corrective action or the scope of the actions to be performed.
6.- RATES AND FORM OF PAYMENT
- Official rates for the scormNEXT service are those shown on the following table:
- For the purpose of billing, “active user” shall be understood as a user that, throughout the current month, has accessed any of the content. This excludes internal users of the CLIENT that are needed to administer and manage the platform.
- For this purpose, on the first working day of each month, WELCOMENEXT shall draw up a report counting the number of active users of the previous month. Likewise, WELCOMENEXT shall issue an invoice for the corresponding amount according to the price table reflected under section 6.1., taking into account the number of active users and the assigned disk space.
- The amount of such invoice can be paid via bank transfer, or by means of direct debit to the CLIENT’s bank account and charged within 15 working days from the date of invoice through direct debit via B2B SEPA. For such purpose, the bank account number is _____________________________________ of Bank _______________________, held by the CLIENT.
- With the signing of this Contract, the CLIENT must pay an amount of €75 as service signup. This payment shall be made via bank transfer to the account indicated in the corresponding invoice.
- None of the prices indicated include value added tax (VAT). This tax shall be added to all corresponding rates.
7.- EARLY TERMINATION CONDITIONS
- WELCOMENEXT may terminate this Contract if one (1) monthly invoice is not paid, or any other amount that is to be paid by the CLIENT. To do this, it must specifically request the CLIENT to pay and give him at least 5 calendar days to do so.
- The CLIENT may terminate, upon request, this Contract if WELCOMENEXT fails to comply with the services agreed, if, within fifteen (15) calendar days of the request it has not been corrected. Termination may be used if, as a result of a regulatory change, it is determined that it is impossible to continue providing the contracted services.
- If any misconduct or illegal activity is detected, WELCOMENEXT reserves the right to withhold or cease the contracted services without notice. Possible illegal activities or misconducts of the CLIENT, which would entail the withholding or cessation of the contracted services, are listed below:
- a) The platform scormNEXT may not be changed, adapted or hacked, or falsely indicate that another website is associated with it.
- b) It may not create sessions or send private messages to disturb or interfere in the development of the system activity.
- c) The platform may not be used for the transmission, installation or publication of any kind of virus, malicious code or any other kind of file or program detrimental to the development of the service and platform.
- d) Sign up at the Platform using a false identity, impersonate third parties or carry out any other action that may confuse the rest of the system users.
- e) Use the Platform in order to get information from another user.
- f) Break or try to break the security or authentication measures of the Platform or any system connected to it, or any security measure included within the Platform’s contents.
- g) Upload content if you are not the named holder or do not have the necessary authorisation.
- h) Use the Platform illegally, contrary to good faith, morality or public order.
- i) Hinder the normal development of the processes carried out in the Platform.
- j) Any other activity or conduct that may be detrimental to the development of the system.
- In the hypothetical case that WELCOMENEXT was to cancel the service provided without the CLIENT having contravened any of the terms described herein, the service shall be immediately restored, and WELCOMENEXT shall be liable for the damages caused within the limits specified under section “Responsibilities”.
- In any case, WELCOMENEXT will not be liable for the consequences resulting from the service interruption after the contract has been terminated.
8.- GUARANTEE FOR THE SERVICE PROVIDED (SLA)
- WELCOMENEXT shall be responsible for the functioning of the hardware and software under its supervision according to the contracted service, bearing the costs of the incidents that take place in the service when they are WELCOMENEXT’s responsibility. The CLIENT must communicate the failure or incident via email to the support email: email@example.com.
- WELCOMENEXT guarantees 99.9% availability in the service. In case of serious incidents or suspension of service for more than 3 hours, WELCOMENEXT will discount from the next invoice issued to the CLIENT, the amount that is proportionate to the duration of the service disruption.
- In the event of incidents that can derive from the misuse by the CLIENT it reserves the right to invoice the CLIENT for the replacement expenses.
- WELCOMENEXT does not assume any responsibility for the adequacy of the services offered to the CLIENT’s needs. The inadequacy is not a reason for contract termination or non-payment of dues.
- WELCOMENEXT shall not be liable for the loss of profits and damage resulting from the use, functioning or performance of the software, and shall only be liable for the acts carried out that are necessary to comply with its obligations in accordance with this Contract.
- WELCOMENEXT shall not be liable for breaches of its obligations defined under this Contract, when the performance of such obligations has been reasonably hindered, interfered or delayed due to circumstances beyond the control of WELCOMENEXT. These events will include, among others, force majeure acts, accidental acts, strikes, riots, lockouts, acts of war, epidemics, official acts or regulations, fires, communication failures, failures in the electricity supply, lightning, earthquakes, floods, disasters and other events.
- WELCOMENEXT cannot be held responsible for the use of data stored in the system. The CLIENT shall be responsible for the correct management of access, modification or deletion of such data.
- The Parties shall be subject to the obligation to compensate for damages caused to the other Party as a result of the breach of this Contract.
- WELCOMENEXT’s responsibility for damages resulting from the breach of its contractual obligations shall be limited, in any case, to a maximum amount equal to the service that has been contracted under this Contract.
Both Parties agree to use their best efforts to mitigate the damages caused to both Parties as a result of the breach of this Contract.
10.- INTELLECTUAL AND INDUSTRIAL PROPERTY
- The terms and conditions agreed in this Contract do not involve, implicitly or explicitly, the transfer of any of the intellectual or industrial rights of the Software, its manuals or data model. The knowledge and know-how inherent to the Software, along with the knowledge used for its configuration, are also WELCOMENEXT’s own and confidential information.
- The CLIENT shall take responsibility for the actual damages to WELCOMENEXT arising directly from the fraudulent use or illegal copy of programs or this information by the CLIENT’s own employees, having to take all necessary measures to ensure that only authorised persons have access to such protected information.
- The CLIENT must respect the copyright notices appearing in the programme or in the original documentation.
- The CLIENT is responsible for ensuring that the content stored in the platform respects the applicable industrial and intellectual rights. WELCOMENEXT shall in no case be held liable for infringements of industrial or intellectual property concerning materials, elements, videos, photos, documents or any other element uploaded to the platform by users.
- The content stored in the platform, along with any industrial and intellectual property, shall be held by its respective authors. As a result, WELCOMENEXT may not under any circumstances carry out a disposal, sale, lease, transfer or others of the data collected.
11.- APPLICABLE LAW AND JURISDICTION
The drafting and interpretation language of this contract shall be Spanish.
This contract shall be interpreted in accordance with the Spanish law. In the event of a dispute over the whole or part of this contract, the parties shall be subject to the jurisdiction of the Courts and Tribunals of the city of Madrid (Spain).
In witness whereof the appearing parties, within the scope of their powers of representation, sign this Contract in duplicate, on the date and place indicated at the heading of this document.