Product and Services Agreement

1. DEFINITIONS

Capitalized terms not defined in this Section 1 have the meaning ascribed to them where used in the Agreement.

1.1 “Affiliate” means GPTW wholly-owned and majority-owned subsidiaries and Great Place to Work Institute, Inc. licensees with no ownership interest by GPTW.

1.2 “Aggregate Data” means (a) the Company-specific information, data, and content contained in any report(s) delivered by GPTW to Company pursuant to this Agreement; and (b) any other aggregated data that is derived from the Raw Data and that is delivered by GPTW to Company pursuant to this Agreement. For the avoidance of doubt, Aggregate Data does not include any Raw Data or Company Data.

1.3 “Assessment” means any assessment conducted by GPTW as part of the Services pursuant to which GPTW uses its tools and methodologies to assess and measure work place culture (including, but not limited to, use of Trust Index Survey, Culture Audit, Culture Brief, Trust Model and Methodology).

1.4 “Company Affiliate” means Company wholly-owned and majority-owned subsidiaries.

1.5 “Company Data”   means Company’s proprietary data and information that Company provides to GPTW so that GPTW may, as part of the Services, conduct an Assessment (e.g., demographic and corporate information necessary to distribute the Survey to participants (such as email address, employee ID, and other personally identifying information) and the data provided by Company to GPTW for the Culture Audit or Culture Brief). For the avoidance of doubt, Company Data does not include either Aggregate Data or Raw Data.

1.6 “Company Personal Data” means any Personal Data processed by a Processor on behalf of Company pursuant to or in connection with the Principal Agreement.

1.7 “Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, evidenced by written, electronic or recorded means, signifies agreement to the processing of Personal Data relating to him or her.

1.8 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

1.9 “Data” means the Raw Data and the Aggregate Data.

1.10 “Data Protection Laws” means the Philippines’ Data Privacy Act of 2012 (DPA) and its implementing rules and regulations, and other applicable issuances of the NPC, and the applicable data protection laws of all other country where the personal data, as described herein, is processed.

1.11 “Data Subject” refers to an individual whose personal information is processed.
1.12 “Fees” means the fees to be paid by Company to GPTW as set forth in this Agreement, including in the applicable Principal Agreement.

1.13 “GPTW Intellectual Property” means (a) all copyrightable works owned by GPTW (including without limitation books, articles, brochures, Surveys, Trust Index Surveys, Culture Audits, Culture Briefs, Trust Model and Methodology, the form and structure of reports, and other materials, tools and methodologies), whether or not the copyrights in such works have been registered in the U.S. or any other jurisdiction; (b) all confidential information and material belonging to GPTW; (c) all GPTW names, service marks, icons, and logos; (d) all GPTW Materials; (e) the Data; (f) the Services; and (g) the Software.

1.14 “GPTW Materials” means all techniques, algorithms and methods or rights thereto owned by, or licensed to, GPTW during the term of this Agreement and employed by GPTW in connection with the Services provided to Company.

1.15 “Initial Term” has the meaning set forth in Section 10.1.

1.17 “Intellectual Property Rights” means patent rights (including, without limitation, patent applications and disclosures), copyrights, trade secrets, moral rights, know-how, and any other intellectual property rights recognized in any country or jurisdiction in the world.

1.18 “Late Payments” has the meaning set forth in Section 3.2

1.19 “Personal Data” refers to both personal information, sensitive personal information, and privileged information processed by GPTW pursuant to the Agreement.

1.20 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.21 “Personal Information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;

1.22 “Personal Information Controller” or “PIC” refers to a natural or juridical person, or any other body who controls the processing of personal data or instructs another to process personal data on its behalf. The term excludes:

• A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
• A natural person who processes personal data in connection with his or her personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing

In this Agreement, the PIC is the Company;

1.23 “Pre-existing IPR” has the meaning set forth in Section 5.1.

1.24 “Privileged Information” refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

1.25 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The nature and purpose as well as the subject matter and duration of the Processing of the Company Personal Data is to collect Company employee survey data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces.

1.26 “Personal Information Processor” or “PIP” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

In this Agreement, GPTW is the PIP.

1.27 “Raw Data” means the confidential and anonymous responses received by GPTW from Company and Company’s employees in connection with, among other things, the Trust Index Survey(s) and/or Culture Audit(s), Culture Brief(s), focus groups, and one-to-one interviews administered by GPTW pursuant to this Agreement. For the avoidance of doubt, Raw Data does not include any Aggregate Data or Company Data.

1.28 “Sensitive Personal Information” refers to personal information:

• About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
• About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
• Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
• Specifically established by an executive order or an act of Philippine Congress to be kept classified.

1.29 “Software” means any software owned or licensed by GPTW and used by GPTW to provide the Services.

1.30 “Services” means the services that GPTW will perform for Company as described in the applicable Principal Agreement.

1.31 “Subprocessor” means any person (including any third party and any GPTW Affiliate, but excluding an employee of GPTW or any of its sub-contractors) appointed by or on behalf of GPTW or any GPTW Affiliate to Process Company Personal Data on behalf of Company in connection with the Principal Agreement.

1.32 “Supervisory Authority” means the National Privacy Commission or the NPC and other relevant government regulatory agency.

1.33 “Survey” means the web-based Company employee engagement survey consisting of GPTW’s standard survey questions and additional questions as requested by Company.

1.34 “Term” has the meaning set forth in Section 10.1

2. COMPANY OBLIGATIONS

2.1 Cooperation and Assistance. As a condition to GPTW’s performance hereunder, Company will at all times: (a) provide GPTW with good faith cooperation and access to such information, facilities, and equipment as may be reasonably required by GPTW in order to provide the Services, including, but not limited to, providing Company Data; (b) provide such personnel assistance, as may be reasonably requested by GPTW from time to time; and (c) comply with its obligations under this Agreement.

2.2 Telecommunications and Internet Services. Company acknowledges and agrees that Company’s and Company’s users’ use of the Assessment portion of the Services is dependent upon access to telecommunications and Internet services. Company and Company’s users will be solely responsible for acquiring and maintaining all telecommunications and Internet services and other hardware and software required to access and use the Assessment portion of the Services, including, without limitation, all costs, fees, expenses, and taxes of any kind related to the foregoing.

3. FEES

3.1 Fees. In consideration for GPTW performing the Services, Company will pay to GPTW the Fees in the amounts and in accordance with the terms set forth in the Principal Agreement. No refund will be made once the Principal Agreement has been fully executed.

Dependent upon the Services purchased, additional fees may apply for changes to employee count per country, delivery dates, and/or requests made by Company that require additional work, such as filling out security surveys, vendor registration forms, etc. Should additional fees apply, Company will be invoiced accordingly.

3.2 Invoices and Payment.

(a) Company will pay to GPTW the full amount of undisputed Fees according to the Payment Terms set forth in the Principal Agreement within thirty (30) days of the invoice date. 

(b) Any unpaid invoice within the due date shall: (1) incur a penalty of two percent (2%) per month based on the total outstanding amount; and (2) GPTW shall have the right to cease performance of the Services without incurring any penalty or liability to the Company until all overdue amounts and penalties are paid. An additional fee may need to be paid before the services reinstated.

(c) GPTW will email invoices to the primary Company contact specified in the Principal Agreement. Further invoice requirements with respect to payment due dates are specified in the Principal Agreement. Payment remittance options will be set forth in the invoice and will include payment by check or wire, or payment online.

3.3 Credits for Future Services. If at any time GPTW issues a credit for future services to Company, Company must use the credits within twelve (12) months of the credit being issued.

4. OWNERSHIP AND USE OF DATA

4.1 Company Data.

(a) As between GPTW and Company, the Personal Data, and Company Data and all Intellectual Property Rights therein or relating thereto, are and will remain the exclusive property of Company or its licensors.

(b) GPTW will use Company Data and Personal Data solely to perform the Services and in a manner that is compatible with the purposes for which such Company Data and Personal Data is furnished to GPTW or subsequently authorized to be used, and GPTW will ensure that any Personal Information included in Company Data is properly maintained and protected in accordance with the DPA.

4.2 Aggregate Data and Raw Data.

(a) As between GPTW and Company, the Raw Data and the Aggregate Data, and all Intellectual Property Rights therein or relating thereto, are and will remain the exclusive property of GPTW.

(b) The Raw Data will not be provided to Company by GPTW to protect the confidentiality of Company respondents. Company may use Aggregate Data solely as described in Section 5.3.

(c) GPTW covenants to use the Aggregate Data solely for the purposes of GPTW, including without limitation for benchmarking, creation of best practices, statistical analysis, and other R&D purposes. GPTW will not share Aggregate Data with any third parties without receiving prior written permission from Company.

(d) To protect the confidentiality of Company respondents, GPTW will not report on Assessment results in which fewer than five (5) people in a Company demographic group have responded.

5. TREATMENT OF INTELLECTUAL PROPERTY

5.1 Notwithstanding any provision of this Agreement to the contrary, (a) all Intellectual Property Rights belonging to a Party, sub-contractor or third party prior to the Effective Date, or created other than in connection with GPTW’s provision of the Services (“Pre-existing IPR”) will remain with, and vested in, that Party, sub-contractor or third party (as applicable) and will not be assigned hereunder, and (b) all Intellectual Property Rights in all enhancements and modifications to, or derivative works of, any Pre-existing IPR made by either Party will be with, and vest in, the owner of the relevant Pre-existing IPR.

5.2 As between GPTW and Company, the GPTW Intellectual Property, and all Intellectual Property Rights therein or relating thereto (except for limited rights granted to Company and Company’s users herein), are and will remain the exclusive property of GPTW or its licensors. Company is not acquiring any rights to any GPTW Intellectual Property. Any use of GPTW Intellectual Property other than as expressly described in this Agreement requires prior written approval from GPTW.

5.3 Without GPTW’s prior written approval, which may be withheld in GPTW’s sole discretion, Company will not use or re-use any GPTW Intellectual Property in any manner other than pursuant to its receipt of the Services during the Term (including in any surveying conducted either in-house or with another vendor outside of the scope of this Agreement). Reports provided by GPTW to Company may be distributed internally by Company, but any external distribution requires prior written approval from GPTW which will not be unreasonably withheld.

5.4 Each Party will not infringe or misappropriate the Intellectual Property Rights of the other Party or of any third party while performing its obligations under this Agreement.

5.5 Each Party acknowledges and agrees that the other Party’s Intellectual Property is the valuable property of the other Party. Each Party will safeguard and protect the Intellectual Property that it receives. Each Party will not alter or modify or permit others to alter or modify the other Party’s Intellectual Property without the prior written approval of the other Party. As examples only, and in no way as any limitation of this provision, no text may be revised nor may any mark or logo be altered, distorted or modified in any way.
5.6 In the event a Party becomes aware of any infringement or unauthorized use of the other Party’s Intellectual Property by that Party, its personnel or by any third party, that Party will immediately notify the other Party of such infringement or unauthorized use. If such infringement or unauthorized use is by that Party or its personnel, that Party immediately will cease such infringement or unauthorized use; if such infringement or unauthorized use is by a third party, that Party will cooperate with the other Party in causing the third party to cease such infringement or unauthorized use.

6. CONFIDENTIALITY

6.1 All information provided by Company to GPTW or otherwise obtained by GPTW as a receiving Party relating to the business or operations of Company or its clients or any person, firm, company or organization associated with Company, will be treated by GPTW as confidential, and GPTW will not disclose the same to third parties without the prior written consent of Company. The Parties acknowledge and agree that the confidential information of Company does not include the Raw Data and the Aggregate Data, which will be confidential information of GPTW.

6.2 In the event that Company as a receiving Party has access to any confidential information and/or material belonging to GPTW (including GPTW Intellectual Property), whether such access is intended or inadvertent, then Company will treat such information and/or material as confidential and will not disclose such information and/or material to third parties without the prior written consent of GPTW.

6.3 The confidentiality provisions set forth herein will not apply to confidential information which (a) is in or enters the public domain other than by acts or omissions of the receiving Party, (b) is obtained by the receiving Party from a third party who obtained it lawfully without obligation of confidentiality, (c) is or has been independently generated by the receiving Party as evidenced in written documents, or (d) is properly disclosed by the receiving Party pursuant to a statutory obligation, the order of a court of competent jurisdiction or that of a competent regulated body that requires the disclosure of confidential information or material belonging to the other Party, provided that the receiving Party will before disclosure notify the other Party, unless such notice is prohibited, so that steps may be taken to attempt to quash or limit any disclosure.

6.4 The foregoing obligations as to confidentiality will apply retrospectively, from the point of first contact between Company and GPTW regarding the Services and will remain in full force and effect notwithstanding any termination of this Agreement.

7. DATA SECURITY

7.1 Security Obligations Pursuant to its obligation to maintain the appropriate Technical, Physical, and Organizational Security Measures, GPTW warrants that, at minimum, it shall have the following security measures:

a) Organizational Security Measures

i. That it has a designated individual who functions as Data Protection Officer (DPO).

ii. That it has implemented appropriate data protection policies that provide for organization, physical and technical security measures as required by the DPA, DPA IRR, NPC issuances and other pertinent laws, taking into account the nature, scope, context, and purposes of the processing, as well as the risks posed to the rights and freedoms of data subject.

iii. The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.

iv. The policies shall implement appropriate security measures that, by default, ensure only personal data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of personal data collected, including the extent of processing involved, the period of their storage, and their accessibility.

v. The policies shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.

vi. That it shall maintain records that sufficiently describe its data processing system and identify the duties and responsibilities of those individuals who will have access to personal data. Records shall include:

vii. Information about the purpose of the processing of personal data, including any intended future processing or data sharing;

viii. A description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;

ix. General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;

x. A general description of the organizational, physical, and technical security measures in place;

xi. The name and contact details of each Party, its representative, the subcontractor (if applicable), and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.

xii. That its employees shall operate and hold personal data under strict confidentiality. The parties shall ensure by contractual means that such obligation shall continue even upon termination of the employee’s employment.

xiii. That it shall implement any other physical security measures that may thereafter be required under the DPA, DPA IRR, NPC issuances and other pertinent laws.

b) Physical Security Measures

i. That it has implemented policies and procedures to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media;

ii. That the design of its office space and workstations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing personal data, taking into consideration the environment and accessibility to the public;

iii. That the duties, responsibilities and schedule of individuals involved in the processing of personal data are clearly defined to ensure that only the individuals actually performing official duties shall be in the room or workstation, at any given time;

iv. That it has implemented policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of personal data;

v. That it has implemented policies and procedures that prevent the mechanical destruction of files and equipment. The room and workstation used in the processing of personal data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.

vi. That it shall implement any other physical security measures that may thereafter be required under the DPA, DPA IRR, NPC issuances and other pertinent laws.

c) Technical Security Measures

i. That it has implemented safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;

ii. That it has the ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;

iii. That it performs regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a personal data breach;

iv. That it has the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

v. That it has a process for regularly testing, assessing, and evaluating the effectiveness of security measures;

vi. That it encrypts personal data during storage and while in transit, authentication process, and it has implemented other technical security measures that control and limit access.

vii. That it shall implement any other physical security measures that may thereafter be required under the DPA, DPA IRR, NPC issuances and other pertinent laws.

7.2 The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure.  GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times.  This legal protection is passed along to all GPTW clients though the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below.  The Azure audit reports and other resource documentation as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws are found at the following URLs:  https://servicetrust.microsoft.com/  and other compliance offerings https://www.microsoft.com/enus/trustcenter/compliance/complianceofferings.   A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/  and a blog here:  https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/  There are some country specific compliance resources as well.  For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3.  GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW will comply with the following industry standards:  Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestation Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework.  If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS).

7.3 In an abundance of caution, GPTW also provides the same warranties and representations for the GPTW Network even though it does not support Emprising.  Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using IPSec protocol.  Accordingly, GPTW considers the third-party security/financial audits of the GPTW Network to be confidential and does not release them to any company.  There are several reasons for this policy.  First, the audits are static in time and may not cover the entire term of the company’s engagement.  Second, the audits provide no legal protection to a company.  Third, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that company’s possession of the audits did not cause the GPTW breach.  Instead, GPTW provides the highest standard of legal protection by warranting to all GPTW clients  that during the entire term of the engagement GPTW will comply with the industry standards listed in Section 7.2 above.  represents and warrants that during the Term it complies with Service Organization Controls (SOC) Report 1 and 2 under the Statement on Standards for Attestion Engagements (SSAE) 18 standard as well as with the International Organization for Standardization (ISO) 27001:2013 and ISO 9001:2015 standards and the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS) if applicable.  GPTW considers third party security/financial audits confidential and does not release them to any company.  There are several reasons for this policy.  First, the audits are static in time and may not cover the entire term of the company’s engagement.  Second, the audits provide no legal protection to a company.  Third, a company having possession of these audits places itself at serious risk for no benefit, e.g. should there be a GPTW security breach, any company in possession of these audits would be a primary litigation target and would have to prove that company’s possession of the audits did not cause the GPTW breach.  Instead, GPTW provides the highest standard of legal protection by warranting to the company that during the entire term of the engagement GPTW will comply with the above industry standards.     

8. DATA PRIVACY

8.1 GPTW will use commercially reasonable efforts consistent with requirements of the NPC to process, collect, transmit, store, protect and maintain the Company Personal Data obtained through the Services in accordance with the details provided in the GPTW Global Privacy Policy found at the following URL: https://greatplacetowork.com.ph/privacy-policy.  GPTW represents and warrants that during the Term it complies with the Data Protection Laws.  GPTW is also certified under the US/EU and US/CH Privacy Shield.  GPTW collects the Personal Data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces.  The types and categories of Company Personal Data to be processed is found in the demographic section and Trust Index questions of the survey. 

8.2 The Company shall ensure that the Data Subjects whose Personal Data are to be processed pursuant to this Agreement consent to the Processing hereunder as evidenced by written, electronic or recorded means. The Company shall inform GPTW of any fact, condition or circumstance within the Company’s knowledge, which will render GPTW’s processing under this Agreement contrary to law.

8.3 In connection with the Services, GPTW may receive, process and store Personal Data in the United States or other jurisdictions. Personal Information received by GPTW will be protected by GPTW as described in the Section above. In the event that consent of any individual is required to be obtained before transfer of Personal Information to GPTW, Company is responsible for obtaining the consent of any affected individual. Said consent needs to be freely given, specific, informed, unambiguous and given by a statement or clear affirmative action.

8.4 GPTW maintains a full-time Data Protection Officer (DPO) to ensure compliance with all DPA and its IRR and other relevant issuances of the NPC and regulatory government agencies. The DPO reports directly to the President of GPTW. GPTW also employs full-time Certified Information Privacy Practitioner (CIPP) and staff who is certified under by the International Association of Privacy Professionals at www.iapp.org whose credentials is accredited by the American National Standards Institute (ANSI) under the International Organization for Standardization (ISO) standard 17024:2012.

8.5 Obligations of GPTW

Pursuant to the requirements of the DPA, GPTW hereby undertakes to:

a) Process the Personal Data only upon the documented instructions of the Company, including transfers of Personal Data to another country or an international organization, unless such transfer is authorized by law;

b) Ensure that an obligation of confidentiality is imposed on persons authorized to process the Personal Data;

c) Implement appropriate security measures and comply with the DPA, the DPA IRR and NPC issuances;

d) Not engage another personal information processor without prior instruction from the Company; provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;

e) Assist the Company, by appropriate technical and organizational measures and to the extent possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;

f) Assist the Company in ensuring compliance with the DPA, the DPA IRR, other relevant laws and NPC issuances, taking into account the nature of processing and the information available to GPTW.

g) At the choice of the Company, delete or return all Personal Data to the Company after the end of the provision of services relating to the processing; provided, that this includes deleting other existing copies unless storage is authorized under the DPA or another law;

h) Make available to the Company all information necessary to demonstrate compliance with the obligations laid down in the DPA, and allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by them;

i) Immediately inform the Company if, in its opinion, an instruction infringes the DPA;

j) Report all available information to the Company within twenty-four (24) hours from knowledge of, or reasonable belief that, a personal data breach or a security incident has occurred, and extend full cooperation to the Company to enable the Company to comply with its obligations under the DPA, including but not limited to reporting to the NPC and notification of Data Subjects.

8.6 Data Subject’s Rights

Each party shall respect the following rights accorded to the Data Subjects by the DPA:

a. Right to be informed. Data Subjects have the right to be informed whether Personal Data pertaining to them shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

b. Right to object. Data Subjects have the right to object to the Processing of their Personal Data, including processing for direct marketing, automated processing or profiling. They may withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the Data Subject.

c. Right to access. Data Subjects have the right to request access to any of their Personal Data, subject to certain restrictions.

d. Right to rectification. Data Subjects have the right to dispute the inaccuracy or error in the personal data and have the Company correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.

e. Right to erasure or blocking. Data Subjects have the right to suspend, withdraw or order the blocking, removal or destruction of his or her Personal Data from the personal information controller’s filing system.

f. Right to damages. Data subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of the rights and freedoms of the data subject.

g. Right to lodge a complaint with the NPC.

8.7 Rights to Audits, Inspections, Data Protection Impact Assessments, and Prior Consultations. GPTW and each GPTW Affiliate shall make available to Company on request all information necessary to contribute to audits, inspections, data protection impact assessments, and prior consultations by Company in relation to the Processing of the Company Personal Data by the Processor to meet the requirements of any Data Protection Law. GPTW shall immediately inform Company if, in its opinion, an instruction pursuant to this Section infringes any Data Protection Law. Company undertaking an audit, inspection, data protection impact assessment, or prior consultation under this Section shall give GPTW or the relevant GPTW Affiliate reasonable notice and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while Company’s personnel are on those premises in the course of such an audit, inspection, data protection impact assessment, or prior consultation. A Processor need not give access to its premises pursuant to this Section: (i) to any individual unless he or she produces reasonable evidence of identity and authority; (ii) outside normal business hours at those premises; or (iii) for the purposes of more than one audit, inspection, data impact assessment, or prior consultation in respect of each Processor in any calendar year, except if Company is so required by a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country.

8.8 Remuneration and Costs. The Company shall remunerate GPTW based on time and costs spent to perform the obligations under this Section based on GPTW’s CDPO and CIPP hourly rates of $650/hour and the hourly rates of other GPTW personnel as needed. GPTW is also entitled to remuneration for any time and material used to adapt and change the Processing activities in order to comply with any changes to the Company’s instruction, including implementation costs and additional costs required to deliver obligations under the Principal Agreement due to the change in instruction. GPTW shall invoice Company for a deposit to be paid in advance of performing the work in this Section requiring remuneration and/or costs.

8.9 Deletion of Company Personal Data. GPTW will delete and destroy Company Personal Data after Processing is complete.

8.10 Subprocessors. GPTW may contract with one or more Subprocessors under the same terms provided in this Agreement. GPTW shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. Within five (5) business days after the receipt of that notice, Company may notify GPTW in writing of any objections (on reasonable grounds) to the proposed appointment.  GPTW will remain responsible and liable for the actions of any Subprocessors. 

8.11 Personal Data Breach. GPTW shall notify Company without undue delay and in no case more than 72 hours upon a Processor becoming aware of a Personal Data Breach affecting Company Personal Data. Company shall be provided with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. GPTW shall co-operate with Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. ADDITIONAL REPRESENTATIONS AND WARRANTIES OF GPTW

GPTW warrants to Company that the Services will be performed: (i) in a professional and workman like manner and otherwise in accordance with prevailing industry standards; (ii) by personnel that have the requisite skills, expertise, experience and training necessary to perform such Services; and (iii) in accordance with the requirements of the Principal Agreement and all applicable present and future laws, regulations, ordinances, orders, decrees and requirements applicable to performance of the Services.  GPTW warrants and represents that it will make commercially reasonable efforts to ensure that no Software or Data shall include and/or cause the Company’s data and/or computer system to become infected by any virus or any other type of malware.  In addition, GPTW shall implement anti-virus and anti-hacking software to protect the Company’s data and/or its computer systems.

10. TERM AND TERMINATION

10.1 Term.  This Agreement will commence on the Effective Date and will continue for the period stated in the Principal Agreements, (the “Initial Term”), unless terminated earlier as provided in this Agreement.  The Principal Agreement controls whether this Agreement will automatically renew for subsequent renewal periods each of length equivalent to the Initial Period as provided in the Principal Agreement, unless either Party notifies the other in writing of its intent not to renew at least ninety (90) days prior to the end of the Initial Term or the then-current renewal period, as applicable.  The Initial Term and any renewal periods are collectively, (the “Term”). 

10.2 Termination for Cause.  Either Party may terminate this Agreement upon written notice if the other Party materially breaches this Agreement and fails to correct the breach within thirty (30) days following written notice specifying the breach; provided that the cure period for any default with respect to Company’s payment of Fees will be five (5) business days after written notice is sent.

10.3 Rights and Obligations Upon Expiration or Termination.  Upon expiration or termination of this Agreement, Company’s and Company’s users’ right to access and use the Services (and any GPTW Intellectual Property) will immediately terminate, Company and its users will immediately cease all use of the Services (and any GPTW Intellectual Property) except for the Aggregate Data received in reports which may continue to be used internally at the Company, and each Party will return and make no further use of any confidential information, materials, or other items (and all copies thereof) belonging to the other Party no later than ten (10) days after the effective date of the expiration or termination of this Agreement.

10.4 Survival.  The rights and obligations of GPTW and Company contained in Sections 3 (Fees), 4 (Ownership), 5 (Intellectual Property), 6 (Confidentiality), 7 (Data Protection), 8 (Data Privacy), 10 (Indemnification), 11 (Limitation of Liability), and 12 (General) will survive any expiration or termination of this Agreement.

11. INDEMNIFICATION

11.1 A Party will release, defend, hold harmless and indemnify the other Party and its employees, officers, directors, shareholders, agents, representatives, successors and assigns, from and against any and all third party claims, demands, causes of action, losses, damages, liabilities, costs and expenses, including reasonable attorneys’ fees and costs, arising out of, resulting from or pertaining to (a) any negligent or wrongful act or omission of, or violation of law by, the Party, or any of its employees, officers, directors, representatives or affiliates; or (b) a breach of any warranty or agreement made by the Party herein.  In addition, a Party will release, defend, hold harmless and indemnify the other Party and its employees, officers, directors, shareholders, agents, representatives, successors and assigns, from and against any and all third party claims, demands, causes of action, losses, damages, liabilities, costs and expenses, including reasonable attorneys’ fees and costs, arising out of, resulting from or pertaining to any claim alleging infringement or violation of  any third party’s intellectual property rights.

11.2 The indemnified Party will promptly notify the indemnifying Party of any claim subject to indemnification, tender to the indemnifying Party control over the defense and settlement of the claim and render reasonable assistance to the indemnifying Party with respect to such defense and settlement.

12. LIMITATION OF LIABILITY

12.1 If A Party should become entitled to claim damages from the other Party for any reason in connection with this Agreement (including without limitation, for breach of contract, breach of warranty, negligence or other tort claim), the other Party will be liable only for the amount of the other Party’s actual direct damages up to the amount that Company paid GPTW for the Services that are the subject of the claim. In no event will the other Party’s aggregate liability to the Party for all claims arising under or relating to this Agreement exceed the amount of twelve (12) months’ worth of Fees paid by Company to GPTW under this Agreement. These limits are the maximum liability for which the other Party is responsible..

12.2 In no event will either Party be liable for: (a) any damages arising out of or related to the failure of the other Party or its affiliates or personnel to perform their responsibilities; and/or (b) any lost profits, loss of business, loss of data, loss of use, lost savings or other consequential, special, incidental, indirect, exemplary or punitive damages, even if either Party has been advised of the possibility of such damages.

12.3 The limitations of liability contained in Sections 11.1 and 11.2 shall not apply to liabilities arising from: (a) a Party’s gross negligence, fraud, violation of law, or misrepresentation; (b) a Party’s indemnity obligations; or (c) claims covered by a Party’s insurance.

13. GENERAL

13.1 Waiver.  It is understood and agreed that no failure or delay by either Party in exercising any right, power or privilege hereunder in any one or more instances or to insist on strict compliance with the performance of this Agreement or to take advantage of any respective rights will operate as a waiver thereof or the relinquishment of such rights in other instances but the same will continue and remain in full force and effect nor will any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any right, power or privilege hereunder.

13.2 Notices. All notices hereunder shall be in writing and delivered personally, by traceable courier (such as UPS) or by certified US mail, return receipt requested to the Party at the address set forth in the Principal Agreement.  All such notices are deemed effective upon receipt or refusal of delivery.

13.3 Assignment.  This Agreement may not be voluntarily or by operation of law assigned or transferred in whole or part, or in any other manner transferred by GPTW without the prior written consent of Company, but GPTW may use subcontractors in assisting GPTW in providing the Services; provided that subcontractors sign an agreement with GPTW with at least terms as limiting as those in this Agreement.  Any attempt to assign or transfer this Agreement other than in conformance with this Section will be of no effect and considered null and void.

13.4 Independent Contractor. 

(a) GPTW is an independent contractor and nothing herein will be construed to the contrary.  GPTW will not assume or create any obligations or responsibilities express or implied, on behalf of or in the name of Company, or bind Company in any manner or thing whatsoever without Company’s written consent.  GPTW will use GPTW’s own tools and instruments in providing the Services.  GPTW will supply all necessary labor to render Services under this Agreement and may use subcontractors in doing so.  GPTW will be solely responsible for the direction and control of GPTW’s agents, employees, representatives and subcontractors, including decisions regarding hiring, firing, supervision, assignment and the setting of wages and working conditions.  Company will neither have nor exercise disciplinary control or authority over GPTW or GPTW’s agents, employees, representatives or subcontractors. 

(b) No agent, employee, representative or subcontractor of GPTW will be or be deemed to be the employee, agent, representative or subcontractor of Company.  None of the employer-paid benefits provided by Company to its own employees, including but not limited to workers’ compensation insurance and unemployment insurance, are available from Company to GPTW or to GPTW’s employees, agents, representatives or subcontractors.  GPTW agrees to provide workers’ compensation insurance for any person utilized by GPTW to perform services under this Agreement and to pay all applicable social security taxes, unemployment compensation taxes, income taxes and other employer taxes and contributions required by any federal, state or local law with respect to GPTW or to persons utilized by GPTW to perform services under this Agreement.

13.5 Severability.  If any provision of this Agreement is deemed to be invalid or unenforceable by a court of competent jurisdiction, the same will be deemed severable from the remainder of this Agreement and the Parties agree to renegotiate such provision in good faith, in order to maintain the economic position enjoyed by each Party as close as possible to that under the provision rendered unenforceable.  In the event that the Parties cannot reach a mutually agreeable and enforceable replacement for such provision, then (i) such provision will be excluded from this Agreement, (ii) the balance of the Agreement will be interpreted as if such provision were so excluded and (iii) the balance of the Agreement will be enforceable in accordance with its terms. GPTW reserves the right to discontinue and replace products/services with ones of comparable value or offer prorated refunds.

13.6 Amendments.  Once executed, this Agreement, and any attachments to this Agreement, may be modified only through the execution of a written instrument signed by the Parties.

13.7 Use of Names/Logo.  Company may request permission for the use of the GPTW logo, and in doing so, should request to fill out and complete the “Use of Great Place to Work® Institute Materials Consent Agreement” (the “GPTW Material Consent Form”) downloadable at www.greatplacetowork.com/images/GPTW-Material-Consent-Form.doc. Company understands that it is subject to all rules and guidelines set forth in the GPTW Material Consent Form, the GPTW Intellectual Property Usage Policy at www.greatplacetowork.com/Intellectual-Property-Usage-Policy, the GPTW Brand Identity Policy at www.greatplacetowork.com.ph/Brand-Identity-Policy and the GPTW Brand Usage Guide at www.greatplacetowork.com/certification-brand-guide  which govern the usage of the Great Place To Work LOGO®.  GPTW may include Company’s name on a client list, unless notified otherwise in writing by Company.

13.8 Legal Fees.  If any action at law or in equity is necessary to enforce or interpret this Agreement, the prevailing Party will be entitled to reasonable attorneys’ fees, costs and necessary disbursements in addition to any other relief to which such Party may be entitled. 

13.9 Force Majeure.  Neither Party will be liable, and its performance will be excused, for any delays resulting from circumstances or causes beyond its reasonable control, including without limitation, fire or other casualty, act of God, strike or labor dispute, war, sabotage, terrorism, acts of aggression or other violence provided such Party will have used its commercially reasonable efforts to mitigate its effects and has given prompt written notice to the other Party.  The time for the performance will be extended for the period of delay or inability to perform due to such occurrences up to a period of thirty (30) business days at which time the Party unaffected by the Force Majeure event may immediately terminate this Agreement.

13.10 Insurance. GPTW will provide, pay for, and maintain in full force and effect during the term of the Agreement the insurance outlined herein covering GPTW’s activities, and anyone directly or indirectly engaged by GPTW. GPTW will carry the following insurance coverages during the Term of this Agreement: (i) workers’ compensation insurance in the statutory amount and employer liability insurance with minimum limits of $1,000,000 each accident, $1,000,000 each employee and $1,000,000 annual aggregate; (ii) and errors and omissions (professional liability) insurance for the Services rendered hereunder in the minimum amount of Two Million ($2,000,000) dollars per occurrence and in the annual aggregate; (iii) general liability insurance written on an occurrence basis in the minimum amount of One Million ($1,000,000) dollars per occurrence and Two Million ($2,000,000) dollars in the annual aggregate; and (iv) cyber liability insurance including coverage for network privacy liability with minimum limits of One Million ($1,000,000) dollars per occurrence and in the annual aggregate.

13.11 Successors and Assigns.  This Agreement and all of the terms and conditions hereof will be binding upon and inure to the benefit of GPTW and Company and their respective successors, transferees, permitted assignees or legal representatives.  Any terms of this Agreement containing a reference to GPTW or Company will apply with equal effect to any such successor, permitted assignee, transferee or legal representative of the Party in question.

13.12 Counterparts.  This Agreement may be executed in two or more counterparts, each of which will be deemed an original and all of which together will constitute one document.

13.13 Titles and Subtitles.  The titles and subtitles used in this Agreement are used for convenience only and are not to be considered in construing or interpreting this Agreement.

13.14 Disputes.  If any dispute or disagreement arises between the Parties with respect to the interpretation of any provision of this Agreement, the performance of either Party under this Agreement, or any other matter that is in dispute between the Parties related to this Agreement, then, upon the written request of either Party, the Parties will meet for the purpose of resolving such dispute.  The Parties agree to discuss the problem and negotiate in good faith without the necessity of any formal proceedings related thereto.  If such efforts are not successful then the Parties shall submit any dispute arising from or related to this Agreement to binding arbitration by a single arbitrator in accordance with the rules of the American Arbitration Association in San Francisco, California, United States.  If it is necessary to enforce or interpret this Agreement, the prevailing Party shall be entitled to reasonable attorneys’ fees, costs and necessary disbursements in addition to any other relief to which such Party may be entitled.  This Agreement, and all matters collateral thereto, shall be governed by the laws of the United States (including without limitation, U.S. copyright and trademark laws) and the laws of the State of California applicable to contracts entered into and to be performed entirely therein, without regard to any choice of law or conflict of law rules.  Notwithstanding the foregoing, either Party will be free at any point to pursue injunctive relief if a Party’s Intellectual Property is being violated by the other Party or its affiliates.  For any litigation which may otherwise arise with respect this Agreement, the parties irrevocably and unconditionally submit (i) to the exclusive jurisdiction and venue (and waive any claim of forum non convenience and any objections as to laying of venue) of the United States District Court for the Northern District of California, or (ii) if such court does not have jurisdiction, to the appropriate State court sitting in Alameda County, California, in connection with any action, suit or proceeding arising out of or relating to this Agreement and the subject matter of this Agreement, whether in contract, tort (including negligence), or any other form of action.  THE PARTIES HEREBY UNCONDITIONALLY WAIVE THEIR RESPECTIVE RIGHTS TO A JURY TRIAL OF ANY CLAIM OR CAUSE OF ACTION ARISING UNDER THIS AGREEMENT. 

13.15 Remedies.  The rights and remedies herein provided will be cumulative and no one of them will be exclusive of any other and will be in addition to any other remedies available at law or in equity.

13.16 No Third-Party Beneficiaries.  This Agreement is intended for the sole and exclusive benefit of the signatories and is not intended to benefit any third party (other than as described in Section 10).  Only the Parties to this Agreement may enforce it.

13.17 Entire Agreement.  This Agreement and the Principal Agreement constitutes the entire understanding between the Parties.  All previous representations or undertakings, whether oral or in writing, are superseded by this Agreement. Agreement and any Principal Agreement incorporated herein supersede any other terms, including, but not limited to, any terms and conditions in Company’s purchase orders.

13.18 Digital Format.  The Parties agree that the original of the Agreement, including the signature page, may be imaged and stored in a digital format on a Party’s computer systems and that any printout or other visually readable output which accurately reproduces the original of the Agreement, may be used for any purpose for which the original was intended, including proof of the content of the original writing.

July 14, 2021