Updated May 1, 2024
The version of this Master Subscription Agreement in effect as of the Effective Date (defined below) (together with all exhibits, schedules, statements of work and Order Forms incorporated herein, the “Agreement”) governs customer’s (“Customer”) access to and use of any Products of Illumio, Inc. (“Illumio”). If You register for a free trial for any Product, this Agreement will also govern that free trial; provided, however, that the terms and conditions pertaining to support and maintenance, warranties, etc. will be provided on the applicable free trial Order Form. By executing an Order Form that references this Agreement, or by click-accepting a link to this Agreement, you agree to the terms of this Agreement. You represent that you have the authority to bind the applicable entity on behalf of your organization and its Affiliates.
This Master Subscription Agreement is made and entered into as of the date (the “Effective Date”) of the relevant Order Form by and between Illumio and the party indicated on the Order Form. Certain capitalized terms are defined in Section 17 (Definitions).
1. General. Any licenses or grant of use rights with respect to Illumio Products require entering into an Order Form by and between Customer and Illumio, or between an Illumio-authorized channel partner and Illumio. Unless otherwise specified in the Agreement, the provisions of the Agreement will apply to all Products provided by Illumio. In addition, certain supplemental terms will apply to and govern only specific Products that are licensed, purchased or provided to Customer under the applicable Order Form (the “Supplemental Terms”), as set forth below:
2. Products License and Use Rights. Pursuant to the applicable Order Form(s) for Customer’s purchase of the SaaS and/or On-Premises Software, Illumio shall during the Subscription Term (a) provide Customer with the SaaS either on its own servers or through a third-party hosting service provider; or (b) grant Customer a nonexclusive, revocable, limited, non-transferable, non-assignable, non-sublicensable license to install and use the On-Premises Software on servers, related hardware and software owned or controlled by Customer.
3. Fees. In consideration for Illumio providing the Products contemplated under the Agreement, Customer will pay Illumio the Fees specified in the applicable Order Form. The Fees will be invoiced in full upon entering into the applicable Order Form or, in the case of a renewal Order Form term, upon the annual anniversary of the initial Order Form. Except as otherwise specified in any Order Form, Fees are based on Products purchased and not actual usage of the Products. Except as otherwise provided herein, all Fees and payment obligations are non-cancellable and non-refundable. Customer will pay all taxes and duties assessed in connection with the Agreement, and the performance of the obligations hereunder, by any authority within or outside of the U.S., except for taxes payable on Illumio’s net income. Illumio will invoice Customer for all such taxes and duties unless Customer provides Illumio with a valid tax exemption certificate authorized by the appropriate taxing authorities. All amounts not paid when due under the Agreement will accrue interest daily (without the requirement of a notice) at a rate of one and one-half percent (1.5%) per month or the highest rate permissible by law, whichever is lower, until the unpaid balance is paid in full. Customer will cure a payment delinquency within thirty (30) days of Illumio’s delinquency notice, and if it fails to do so Illumio may suspend Customer’s access to the Products until such amounts are paid in full or terminate the Agreement and/or applicable Order Form for breach in addition to any other rights and remedies available. This Section will in no way limit any other rights or remedies of Illumio. Upon automatic renewal of the Subscription Term for Products as provided in Section 14 (Subscription Term and Termination) below, the unit price will increase by five percent (5%) for each successive renewal Order Form term.
If Customer purchased the Products through an Illumio-authorized channel partner, all payment-related terms (including, but not limited to, pricing, invoicing, billing, payment methods and late payment charges) will be set forth in Customer's agreement directly with such channel partner and such payment-related terms will supersede any conflicting terms set forth in this Section.
4. Customer Success and Compliance. In Illumio’s effort to continuously improve our Products and enhance the value proposition for Customer, Illumio may collect and process technical and related information in an anonymous and aggregated form about Customer’s use of the Products to support and troubleshoot issues, provide Updates, analyze trends and inform our professional services and related customer success teams in their support of Customer’s implementation. Illumio encourages Customer to provide feedback regarding improvements to the Products (the “Feedback”), and Customer hereby grants Illumio a non-exclusive, worldwide, royalty-free, sublicensable, transferable, perpetual license to use, commercialize and distribute such Feedback without restriction. Illumio may periodically, but in no event more than once per three (3) months, remotely review Customer’s use of the Products to support Illumio’s provision of Professional Services and related customer success teams and to ensure Customer’s compliance with the Agreement and the applicable Order Form. On Illumio’s written request Customer will provide reasonable assistance to verify such compliance. If the review reveals that Customer has underpaid Illumio, then Illumio may invoice Customer for such underpaid amount, and Customer will pay Illumio for such amount in accordance with the payment terms in Section 3 (Fees).
5. Ownership of Illumio Intellectual Property. As between Illumio and Customer, Illumio owns all worldwide right, title and interest in and to the Products, including all Intellectual Property Rights therein, and Customer will not obtain any ownership right, title or interest therein. No license is granted in the source code of any Products. Customer: (a) will not delete or in any manner alter the copyright, trademark and other proprietary rights notices appearing on the Products as provided to Customer by Illumio; and (b) will reproduce such notices on all authorized copies it makes of the Products. At Illumio’s request and expense, Customer shall assist and cooperate with Illumio in all reasonable respects and shall execute documents and take such further action requested by Illumio to acquire, transfer, maintain, perfect and enforce Intellectual Property Rights and other legal protection for Illumio Materials arising from Professional Services.
6. Ownership of Customer Data. As between Customer and Illumio, Customer owns all worldwide right, title and interest in and to all Customer Data, and Illumio will not obtain any ownership right, title or interest therein. Customer hereby grants to Illumio a non-exclusive, worldwide, royalty-free, non-transferable (except as otherwise provided herein) right to access and use Customer Data as is necessary to provide the Products hereunder during the Subscription Term.
7. Restrictions. Customer will at all times provide Illumio with good faith cooperation and assistance and make available such information and personnel as may be reasonably required by Illumio in order to provide Customer with the Products. Customer: (a) will ensure that its Authorized Users comply with the terms and conditions of the Agreement, including the applicable Order Form; (b) will promptly notify Illumio of any suspected or alleged breach of the Agreement; and (c) will cooperate in good faith with Illumio with respect to: (i) any investigation by Illumio of any suspected or alleged breach of the Agreement; or (ii) any action by Illumio to enforce the terms and conditions of the Agreement. Illumio may suspend or terminate any Authorized User’s access to Products without prior notice to Customer in the event that Illumio reasonably determines that such Authorized User has breached the Agreement. Customer will, at all times, be responsible for all actions taken under an account of any Authorized User. Customer is responsible for the security of each Authorized User’s credentials and will not share (and will instruct each Authorized User not to share) such credentials with any other person or entity or otherwise permit any other person or entity access to or use of the Products. Customer has no right to and will not transfer, sublicense or otherwise distribute the Products to any third-party. Except as necessary to maintain standard backups or archival systems as part of Customer’s ordinary IT practices specified in corporate policies, Customer will not copy the Products in whole or in part. Customer will not: (1) modify or lease, lend or rent the Products; (2) make the Products available on a service bureau, time sharing, rental, application services provider, hosting or other computer services basis to third-parties; or (3) otherwise make the functionality of the Products available to third-parties.
Customer acknowledges that the Products constitute and contain trade secrets of Illumio and its licensors, and agrees that in order to protect such trade secrets and other interests neither Customer nor its Representatives will disassemble, decompile or reverse engineer the Products. Customer will not publish or use for any external purposes any reports or copies of the Product user interface that are generated either by, or for, Customer through use of the Products, without the express written permission of Illumio. Customer’s rights in the Products are limited to those expressly granted to Customer, and Illumio reserves all rights and licenses in and to the Products not expressly granted herein.
8. Confidentiality
(a) The party receiving Confidential Information (“Recipient”) agrees: (i) to maintain the Confidential Information of the party disclosing such information (“Discloser”) in strict confidence; (ii) not to disclose such Confidential Information to any third-parties; and (iii) not to use any such Confidential Information for any purpose other than to exercise its rights or perform its obligations under the Agreement. Recipient will treat Confidential Information of the Discloser with the same degree of care as it accords to its own Confidential Information, but in no event with less than reasonable care. Recipient may disclose the Confidential Information of Discloser to its directors, officers, employees, Authorized Users and subcontractors (collectively, “Representatives”) who have a bona fide need to know such Confidential Information; provided that each such Representative is bound by a legal obligation as protective of the other party’s Confidential Information as those set forth herein; and provided further, that Recipient is responsible for any breach of its Representatives’ confidentiality obligations under this Agreement.
(b) The obligations of Recipient under Section 8(a) will not apply to any Confidential Information that: (i) is now or hereafter becomes generally known or available to the public, through no act or omission on the part of Recipient (or any of its Representatives, Affiliates, or agents) or any third-party subject to any use or disclosure restrictions with respect to such Confidential Information; (ii) was known by or lawfully in the possession of Recipient, prior to receiving such information from Discloser, without restriction as to use or disclosure; (iii) is rightfully acquired by Recipient from a third-party who has the right to disclose it and who provides it without restriction as to use or disclosure; or (iv) is independently developed by Recipient without access, use or reference to any Confidential Information of Discloser.
(c) The provisions of Section 8(a) will not restrict Recipient from disclosing Discloser’s Confidential Information to the extent required by any law enforcement agencies or regulators or compelled by a court or administrative agency of competent jurisdiction; provided that, to the extent permissible under law, Recipient uses reasonable efforts to give Discloser advance notice of such required disclosure as appropriate in order to enable Discloser to prevent or limit disclosure.
(d) Upon termination or expiration of the Agreement or Maintenance and Support Services, Recipient will promptly return to Discloser or, at Discloser’s option, destroy all tangible items and embodiments containing or consisting of Discloser’s Confidential Information and all copies thereof and provide written certification of such return or destruction by an authorized person.
(e) Recipient agrees that, due to the unique nature of the Confidential Information, the unauthorized disclosure or use of the Confidential Information will cause irreparable harm and significant injury to Discloser, the extent of which will be difficult to ascertain and for which there will be no adequate remedy at law. Accordingly, Recipient agrees that Discloser, in addition to any other available remedies, will have the right to an immediate injunction and other equitable relief enjoining any breach or threatened breach of this Section 8, without the necessity of posting any bond or other security. Recipient will notify Discloser in writing immediately upon Recipient’s becoming aware of any such breach or threatened breach.
9. Third-Party Components. The Products include third-party software components, including open source software components under license from third-parties (the “Third-Party Components”). Additional information regarding the Third-Party Components is available online at https://docs.illumio.com/core/23.5/Content/Guides/support/open-source-licensing-disclosures.htm.
10. Indemnification
(a) Subject to Section 10(c) hereof, Illumio will defend, indemnify and hold Customer harmless from and against any damages, costs and expenses (including reasonable attorneys’ fees and other professional fees) that are awarded against Customer in a final non-appealable judgment or that are agreed to in settlement of a third-party claim that Customer’s use of the Products infringes or misappropriates any U.S. patent, copyright or trade secret of such third-party. Illumio’s obligations under this Section will not apply to the extent any claim results from, or is based upon, (i) any combination, operation or use of the Products with any product, system, device, method or data not provided by Illumio, if such claim would have been avoided but for such combination, operation or use; or (ii) Customer’s or an Authorized User’s use of the Products other than in accordance with the Agreement and the Documentation. THE FOREGOING PROVISIONS OF THIS SECTION SET FORTH ILLUMIO’S SOLE AND EXCLUSIVE OBLIGATIONS, AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDIES, WITH RESPECT TO INFRINGEMENT OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS OF ANY KIND BY THE PRODUCTS OR ANY USE THEREOF.
(b) Customer will defend, indemnify and hold Illumio harmless from and against any damages, costs and expenses (including reasonable attorneys’ fees and other professional fees) that are awarded against Illumio or that are agreed to in settlement of a third-party claim that Customer Data infringes or misappropriates any U.S. patent, copyright, trade secret or privacy right of any third-party.
(c) As a condition to the parties’ respective obligations under this Section, the party seeking indemnification (the “Indemnitee”) will: (i) promptly notify the other party (the “Indemnitor”) of the claim for which it is seeking indemnification; (ii) grant the Indemnitor sole control of the defense and settlement of the claim; and (iii) provide the Indemnitor, at the Indemnitor’s expense, with all assistance, information and authority reasonably required for the defense and settlement of the claim. The Indemnitee has the right to retain counsel, at its expense, to participate in the defense or settlement of any claim. The Indemnitor will not be liable for any settlement or compromise that the Indemnitee enters into without the Indemnitor’s prior written consent.
(d) In the event the Indemnitee invokes the Indemnitor’s obligations under this Section 10, the Indemnitor may (i) contest the claim; (ii) obtain the applicable claimant’s permission for the Indemnitee’s continued access and use of the Products or data in question; (iii) avoid the claim by replacing or modifying the Products or data in question with a substantially similar equivalent; or (iv) if, in the Indemnitor’s commercially reasonable judgement, the foregoing are infeasible, terminate the Products in question with ninety (90) days’ prior notice and provide Customer a pro-rata refund of prepaid subscription Fees for the remainder of the Subscription Term after the effective date of termination.
11. Warranty; Disclaimers. Illumio warrants (the “Warranty”) that, for the Subscription Term, the Products purchased by Customer in the applicable Order Form and deployed by Customer in its production environment according to the Licensed Configuration will materially conform to the Documentation. In the event Customer experiences a non-conformity, Customer will submit a support request referencing this Warranty (a “Warranty Claim”), to which Illumio will respond pursuant to the Maintenance and Support Services Supplemental Terms. In the event such non-conformity persists without relief for more than sixty (60) days after Illumio’s receipt of a Warranty Claim, then Customer may terminate the affected Products and Illumio will provide Customer a pro-rata refund of any prepaid subscription Fees for the remainder of the Subscription Term after the effective date of termination. This Warranty will not apply to any non-conformity due to a modification or defect in a Product that is caused by any person other than Illumio or under Illumio’s direction. This Section 11 provides Customer’s sole and exclusive rights and remedies, and Illumio’s sole and exclusive liability, in connection with the Warranty.
12. Exclusion of Damages; Limitation of Liability. In no event will either party be liable to the other party for any indirect, incidental, exemplary, punitive or consequential damages (including without limitation loss of use, data, business or profits) or for the cost of procuring substitute products arising out of or in connection with the Agreement or the use, operation or performance of the Products, whether such liability arises from any claim based upon contract, warranty, tort (including negligence), product liability or otherwise, and whether or not a party has been advised of the possibility of such loss or damages (the “Exclusion of Damages”). The total aggregate liability of either party arising under the Agreement, from all causes of action and all theories of liability, will not exceed the amounts paid to Illumio by Customer in the twelve (12) month period preceding the claim or action giving rise to any liability (the “Limitation of Liability”). The Limitation of Liability shall not apply to: (a) a party’s indemnification obligations under Section 10 (Indemnification); (b) breach of a party’s confidentiality obligations under Section 8 (Confidentiality); or (c) infringement by a party of the other party’s Intellectual Property Rights. The parties expressly acknowledge and agree that Illumio has set its Fees and entered into this Agreement in part in reliance upon the Exclusion of Damages and Limitation of Liability specified herein, which allocate the risk between Illumio and Customer and form a basis of the bargain.
13. Data Processing. To the extent the engagement governed by the Agreement entails the processing of personal data, such processing is governed by the Privacy Supplemental Terms, unless Illumio already has a signed data processing agreement with Customer for such Products; in which case, the signed version governs the processing of personal data.
14. Subscription Term and Termination. Subject to Customer’s compliance with the terms and conditions of the Agreement, this Agreement will be in effect for as long as Customer is licensed to use any Product pursuant to an active Order Form (the “Subscription Term”). In addition to any termination rights set forth elsewhere herein, each party will have the right to terminate the Agreement if the other party breaches any material term of the Agreement and fails to cure such breach within thirty (30) days after receiving written notice thereof. Each party has the right to terminate the Agreement immediately upon notice if the other party becomes the subject of a petition in bankruptcy or similar legal proceeding arising from its insolvency, receivership or assignment for the benefit of creditors, provided that the underlying case is not dismissed within sixty (60) days. An Order Form term shall automatically be extended for consecutive additional Order Form terms of one (1) year, unless a party delivers, at least sixty (60) days before the expiration of the Order Form term, written notice to the other party of its intent not to renew or extend the Subscription Term. Each party will have the right to terminate an individual Order Form if the other party breaches any material term of such Order Form and fails to cure such breach within thirty (30) days after written notice thereof. For the avoidance of doubt, termination of an Order Form (or any discrete Products within an Order Form) shall not affect any other Products that Customer has purchased under the same or any other Order Form(s). Customer shall be liable for payment of all Fees, costs and expenses up to the effective date of termination (for Illumio’s uncured material breach) for (a) any completed, partially completed or scheduled Professional Services; (b) any reasonable committed costs or expenses; and (c) any non-refundable travel costs including visa costs and related expenses.
Upon termination of any Order Form or part thereof before end of the Subscription Term due to Illumio’s uncured material breach, Illumio will, within thirty (30) days of the effective date of termination, provide Customer a pro-rata refund of prepaid subscription Fees for the remainder of the Subscription Term after the effective date of termination. Upon any termination or expiration of this Agreement for any reason, all licenses granted to Customer in this Agreement and in all Order Forms will terminate immediately and: (i) Customer will (1) immediately cease use of the Products and (2) promptly return to Illumio the On-Premises Software and Documentation and all copies and portions thereof, in all forms and types of media; and (ii) Customer will provide Illumio with an officer’s written certification, certifying to Customer’s compliance with the foregoing. The rights and obligations of Illumio and Customer contained in Sections 3 (Fees), 4 (Customer Success and Compliance), 5 (Ownership of Illumio Intellectual Property), 8 (Confidentiality), 10 (Indemnification), 12 (Exclusion of Damages; Limitation of Liability), 13 (Data Processing), 14 (Subscription Term and Termination), 15 (Affiliates), 16 (Miscellaneous) and 17 (Definitions) will survive the expiration or termination of this Agreement.
15. Affiliates. Affiliates of Customer may purchase Products by executing an Order Form referencing the then-existing Agreement by and between Customer and Illumio, provided that the terms and conditions of such Agreement shall govern all such Order Forms and such Affiliate complies with such terms and conditions. Customer shall be responsible and remain liable for the performance of any obligations of the Affiliate in connection with any Order Form executed by such Affiliate, except that an Affiliate may enter into a separate Agreement with Illumio, in which case Customer shall not be responsible or liable for the performance of such obligations.
16. Miscellaneous. The Products are “commercial items” (FAR 2.101), consisting of “commercial computer software” and “commercial computer software documentation” (FAR 12.212 and DFARS 227.7202). If the Products are being acquired by or on behalf of the U.S. Government, then, as provided in FAR 12.212 and DFARS 227.7202-1 through 227.7202-4, as applicable, the U.S. Government’s rights in the Products will be only those specified in the Agreement. If Customer is incorporated or has its principal place of business within the Americas, the Agreement will be governed by and construed in accordance with the laws of the State of California excluding that body of laws known as conflicts of law; and any legal action or proceeding arising under the Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby irrevocably consent to the personal jurisdiction and venue therein. If Customer is incorporated and has its principal place of business outside the Americas, the Agreement will be governed by and construed in accordance with the laws of England and Wales excluding that body of laws known as conflicts of law; and any legal action or proceeding arising under the Agreement will be brought exclusively in the courts located in London, England and the parties hereby irrevocably consent to the personal jurisdiction and venue therein. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Neither party may assign or transfer the Agreement by operation of law or otherwise without the other party’s prior written consent except (a) in the case of a merger, acquisition, reorganization, sale of substantially all assets or equity, or (b) to such party’s Affiliate.
Except as expressly set forth in the Agreement, the exercise by either party of any of its remedies under the Agreement will be without prejudice to its other remedies under the Agreement or otherwise. Illumio may use Customer's name and logo on its website and in its promotional materials to state that Customer is a customer of Illumio and a Product user. Customer agrees to serve as a reference customer of Illumio and shall cooperate with Illumio’s reasonable marketing and referencing requests. All notices or approvals required or permitted under the Agreement will be in writing and delivered by confirmed facsimile transmission, by overnight delivery service, or by certified mail, and in each instance will be deemed given upon receipt. All notices or approvals will be sent to the addresses set forth in the applicable Order Form or to such other address as may be specified by either party to the other in accordance with the Agreement. The failure by either party to enforce any provision of the Agreement will not constitute a waiver of future enforcement of that or any other provision. Any waiver, modification or amendment of any provision of the Agreement will be effective only if in writing and signed by authorized representatives of both parties. Neither party will be responsible for any failure or delay in its performance under the Agreement (except for any payment obligations) due to causes beyond its reasonable control, including, but not limited to, labor disputes, strikes, lockouts, shortages of or inability to obtain labor, energy, raw materials or supplies, war, terrorism, riot, trespass, theft or other criminal acts, pandemic, acts of God or governmental action (“Force Majeure”). 
In the event any of the provisions of the Agreement are found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected, and such remaining provisions shall remain in full force and effect. Customer acknowledges that Illumio’s Products are subject to U.S. Export Administration Regulations (“EAR”) and agrees to comply fully with all relevant export laws and regulations, including those of the United States to ensure that no Products are: (a) exported or re-exported directly or indirectly in violation of such export laws; or (b) used for any purposes prohibited by such export laws, including but not limited to nuclear, chemical or biological weapons proliferation. Customer represents and warrants that it is not located in, and will not use Illumio’s Products in connection with, any country subject to U.S. export restrictions (currently including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk Regions of Ukraine). The Agreement is the complete and exclusive understanding and agreement between the parties regarding its subject matter, and supersedes all proposals, understandings or communications between the parties, oral or written, regarding such subject matter. In the event of a conflict between the terms and conditions of this Agreement and any other document pertaining to the Products or Services hereunder (including without limitation any underlying Intellectual Property Rights), this Agreement will control unless by a duly executed Order Form or amendment the parties expressly set forth the specific provisions mutually agreed to control. The parties to the Agreement are independent contractors and the Agreement will not establish any relationship of partnership, joint venture, employment, franchise, or agency between the parties. 
Neither party will have the power to bind the other or incur obligations on the other’s behalf without the other’s prior written consent. Any additional, supplemental or varying terms in any other Customer purchase order or similar document will be disregarded and have no effect.
17. Definitions. Certain capitalized terms used herein will have the definitions ascribed thereto as set forth below:
- “Affiliate” means, with respect to a party to the Agreement, any entity that directly or indirectly controls, is controlled by or is under common control with such party. For purposes of this definition, “control” shall mean the possession, directly or indirectly, of the power to direct or cause the direction of management or policies (whether through ownership of securities or other ownership interests, by contract or otherwise).
- “Authorized User” means any individual who has been authorized in accordance with the terms of the Agreement to access and use the Products.
- “Confidential Information” means any technical or business information, ideas, materials, know-how or other subject matter that is disclosed by one party to the other party that: (a) if disclosed in writing, is marked “confidential” or “proprietary” at the time of such disclosure; (b) if disclosed orally, is identified as “confidential” or “proprietary” at the time of such disclosure, and is summarized in a writing sent by the Discloser to the Recipient within thirty (30) days after any such disclosure; or (c) under the circumstances, a person exercising reasonable business judgment would understand to be confidential or proprietary. “Confidential Information” of Illumio includes Illumio Materials.
- “Customer Data” means any and all data used by Customer or its Authorized Users in connection with the Products (but excluding any personal data regulated by the Data Protection Law).
- “Data Protection Law” means the General Data Protection Regulation (Regulation (EU) 2016/679), the California Consumer Privacy Act (Cal. Civil Code § 1798.100 et seq.), or the equivalent data protection regulation under the jurisdiction and law provided under Section 16 (Miscellaneous).
- “Documentation” means the standard user documentation that Illumio delivers to Customer with the Products.
- “Error” means any material error or defect in the Products that causes substantial nonconformance in all material respects with the applicable Documentation.
- “Error Corrections” means patches and bug fixes for the Products developed by Illumio in connection with any Errors.
-
“Fees” means the fees payable for the Product as indicated in the Order Form.
-
“Illumio Materials” means: (a) the standard application programming interface or configuration and related materials identified and provided by Illumio for and with the applicable Product; (b) any separately downloadable configuration file, add-on, technical add-on, module, command, function or application that extends the features or functionality of the Products; and (c) all software, tools, utilities, technology, processes, inventions, devices, methodologies, specifications, documentation, data, works of authorship and other innovations of any kind, including, without limitation, any improvements or modifications to the Products, that Illumio or its personnel working for or through Illumio, may make, conceive, develop or reduce to practice, alone or jointly with others, in the course of performing the Professional Services or as a result of the Professional Services, including all Intellectual Property Rights therein.
-
“Intellectual Property Rights” means patent rights (including without limitation patent applications and disclosures), copyrights, trademarks, trade secrets, know-how, any goodwill related to any of the foregoing, and any other intellectual property rights recognized in any country or jurisdiction in the world.
-
“Licensed Configuration” means the permitted type and quantity of workloads, nodes, clusters, memory, equipment and locations, as applicable, for the use of the Products, as specified in an Order Form.
-
“Maintenance and Support Services” means the maintenance and support services provided by Illumio and paid for by Customer under the Agreement, in accordance with Illumio’s then-current Maintenance and Support Services program set forth in the Maintenance and Support Services Supplemental Terms.
-
“On-Premises Software” means the software Product specified in the applicable Order Form, in executable code form, including any Error Corrections, Updates and customizations provided by Illumio to Customer under the Agreement, and including the Documentation.
-
“Order Form” means a written order form referencing this Agreement by which Customer purchases any Product.
-
“Products” means the SaaS and the On-Premises Software (together, as the software and services constituting the Illumio subscription service, the “Platform”); Illumio Materials; Maintenance and Support Services; Professional Services and the Training Services; and any Updates, Upgrades, releases, fixes, enhancements or modifications thereto.
-
“Professional Services” means the professional services provided by Illumio under this Agreement and the Order Form.
-
“SaaS” means the hosted Product offering specified in the Order Form to which Customer acquires rights to access and use and including the Documentation.
-
“Scope Document” means the document that is provided with and becomes part of the Order Form and which defines, sometimes in conjunction with a Service Description, the Professional Services or Training Services to be provided.
-
“Security Incident” means an event where Confidential Information or Customer Data is reasonably suspected to have been improperly accessed, altered, disclosed or destroyed.
-
“Service Description” means pre-defined descriptions of services found at http://www.illumio.com as of the effective date of the Order Form which in conjunction with a Scope Document defines the Professional Services and/or Training Services to be provided and becomes part of the Order Form.
-
“Services” means the SaaS, the Professional Services, the Training Services and the Maintenance and Support Services, to the extent each is provided to Customer by Illumio.
-
“Training Services” means the training services provided by Illumio under this Agreement and the Order Form.
-
“Update” means Error Corrections, minor enhancements and extensions or other changes to the Products that are generally made available by Illumio at no additional cost to Customer as part of qualifying Maintenance and Support Services, provided that “Update” shall not include Upgrade.
-
“Upgrade” means a major enhancement to or new version of the Products that provides substantially new, enhanced or different features or functions.
Exhibit A
Supplemental Terms – SaaS
The following Supplemental Terms will apply to and govern Customer’s use of the SaaS, as applicable. The terms and conditions herein are incorporated into the Agreement by this reference. Capitalized terms not defined herein will have the meaning set forth in the Agreement.
Customer Obligations
Customer acknowledges and agrees that Customer’s use of the SaaS is dependent upon access to telecommunications and internet services. Customer is solely responsible for acquiring and maintaining all telecommunications and internet services and other hardware and software required to access and use the SaaS, including, without limitation, any and all costs, fees, expenses, and taxes of any kind related to the foregoing. Illumio will not be responsible for any loss or corruption of data, lost communications, or any other loss or damage of any kind arising from any such telecommunications and internet services.
Customer Data
Customer will provide Customer Data to Illumio in such format and by such method as agreed to by the parties in the Order Form. Customer acknowledges and agrees that Customer and Customer’s Authorized Users’ use of the SaaS are conditioned upon Customer’s provision of Customer Data to Illumio in accordance with the foregoing. To the extent Illumio stores any Customer Data, Illumio shall follow its standard archival procedures for the storage of Customer Data. In the event of any loss or corruption of Customer Data, Illumio shall follow physical, technical and organizational measures designed to restore the lost or corrupted Customer Data from the latest backup of such Customer Data maintained by Illumio. With respect to the processing of Customer Data, Illumio will comply with the Privacy supplemental terms under Exhibit F and the Security supplemental terms under Exhibit G.
Exhibit B
Supplemental Terms – On-Premises Software
The following Supplemental Terms will apply to and govern Customer’s use of the On-Premises Software. The terms and conditions herein are incorporated into the Agreement by this reference. Capitalized terms not defined herein will have the meaning set forth in the Agreement.
Customer Obligations
Customer acknowledges and agrees that Customer’s use of the On-Premises Software is dependent upon access to Customer’s internal IT systems as well as external telecommunications and internet services. Customer is solely responsible for acquiring and maintaining its internal IT systems as well as all telecommunications and internet services and other hardware and software required to access and use the On-Premises Software, including, without limitation, any and all costs, fees, expenses, and taxes of any kind related to the foregoing. Illumio will not be responsible for any loss or corruption of data, lost communications, or any other loss or damage of any kind arising from Customer’s internal IT systems, telecommunications or internet services.
Illumio Access
For the purpose of implementing the On-Premises Software on Customer’s servers, Illumio may require access to Customer’s servers and systems where the On-Premises Software is to be installed, and Customer will grant access to Illumio for such limited purpose. Upon completion of the implementation, Customer will be responsible for removing all credentials granted to Illumio in connection with such implementation.
Exhibit C
Supplemental Terms – Maintenance and Support Services
The following Supplemental Terms will apply to and govern Customer’s receipt of Maintenance and Support Services. The terms and conditions herein are incorporated into the Agreement by this reference. Capitalized terms not defined herein will have the meaning set forth in the Agreement.
Maintenance and Support Services
During the Subscription Term and to the extent set forth in the applicable Order Form, Customer will receive 24/7 support for all maintenance releases and Updates via Illumio’s support website, email and telephone. Customer should reach out to technical support for assistance in identifying and verifying the causes of suspected Errors in the Product and for existing workarounds for identified Errors. Illumio will work directly with a Customer’s designated internal support liaisons. It is Customer’s responsibility to ensure that these individuals are properly trained to use the Product. In order for Illumio to effectively resolve any issues, Customer will provide reasonable access to all necessary personnel to answer relevant questions. On request, Customer will provide access for online diagnostics of the Product during Error diagnosis. Customer will promptly implement all Updates and Error Corrections provided by Illumio to resolve an Error. Illumio’s support obligation with respect to any Product is limited to the current and prior production release for such Product.
Updates
Illumio will notify Customer of maintenance releases and Updates as they are made available. This is done at no additional charge to Illumio’s customers. Illumio has the sole discretion for the timing and availability of any and all maintenance releases and Updates. Updates may be made available for the On-Premises Software by downloading from Illumio’s support website.
Error Corrections
Illumio will use reasonable efforts to correct any reproducible programming Error in the Product attributable to Illumio with a level of effort commensurate with the severity of the Error. Customer will notify Illumio of such Errors and will provide Illumio with enough information to reproduce the Error(s). Illumio is only responsible for Errors that it can reproduce on Products as delivered to Customer without modification.
Portal
Illumio’s online support portal provides access to releases, Illumio Materials, Documentation, knowledge base articles, trouble-shooting reports and other additional information.
Contacts
Email: [email protected]
Phone: 1-888-631-6354
Response Time
Illumio will provide an initial response to support requests based on designated priority as provided in the Order Form.
Exhibit D
Supplemental Terms – Professional Services
The following Supplemental Terms are effective as of the effective date of the relevant Order Form and are entered into by and between Illumio and Customer and will apply to and govern the Professional Services provided to Customer, which are further detailed in Exhibit I below. The terms and conditions herein are incorporated into the Agreement by this reference. Capitalized terms not defined herein will have the meaning set forth in the Agreement.
Professional Services
Illumio will provide those Professional Services as further defined by the specific Service Descriptions and/or Scope Documents in accordance with the Order Form and these Supplemental Terms. Illumio may use third-party contractors to perform Illumio’s duties. Illumio will be responsible for the performance of the Professional Services of such third-party contractors to the same extent as for its own employees. If any Professional Services, in whole or in part, cannot be provided by Illumio due to a Customer-controlled issue and Customer fails to provide Illumio with reasonable advance notice, the time spent or allocated by Illumio personnel on such Professional Service will be charged to Customer. Any deliverables or work products provided by Illumio to Customer prior to entering into an applicable Order Form or a change request are the sole property and Confidential Information of Illumio and shall be governed by the terms of the Agreement. If no Order Form is completed, all work product and deliverables must be returned or deleted and must not be used.
Customer Obligations
Customer will make the necessary arrangements to allow Illumio to perform the Professional Services. Customer shall provide and make available all Customer personnel that Illumio reasonably requires in connection with performance of the Professional Services and as may be further addressed in an applicable Order Form. If the Professional Services are performed at Customer’s site, Customer agrees to provide necessary access to its site including appropriate access to Customer premises, computer systems and other facilities. Customer shall appoint a contact person with the authority to make decisions and to supply Illumio with any necessary or relevant information expeditiously. Customer shall ensure that it has all necessary license rights, including third-party license rights, required to allow Illumio to perform the Professional Services.
Change Requests
Either party can request changes to the Professional Service. Illumio is not required to perform under a change request prior to the parties entering into the applicable change request.
Personnel
If at any time Customer or Illumio is dissatisfied with the material performance of an Illumio or a Customer project team member, the dissatisfied party shall promptly report such dissatisfaction to the other party in writing and may request a replacement. The other party will use its reasonable discretion in accomplishing any such change (which also, in the case of Illumio, shall be subject to staffing availability).
Fees; Expenses
For performance of the Professional Services, Customer will pay Illumio the applicable Fees in full in advance unless otherwise specified in the applicable Order Form. All prepaid Professional Services must be redeemed within twelve (12) months from the date of invoice. At the end of the twelve (12) month period, any remaining pre-paid Professional Services will expire, and no refund will be provided for any remaining pre-paid unused Fees for Professional Services. Unless otherwise specified in the applicable Order Form, upon invoice from Illumio, Customer will reimburse Illumio for all reasonable expenses incurred by Illumio while performing the Services, including without limitation, transportation services, lodging, meals and out-of-pocket expenses, and third-party online and offline research services directly related to the provision of the Professional Services. Illumio will include, upon request, reasonably detailed documentation of all such expenses in excess of US$25 with each related invoice.
Exhibit E
Supplemental Terms – Training Services
The following Supplemental Terms are effective as of the effective date of the relevant Order Form and are entered into by and between Illumio and Customer and will apply to and govern the Training Services provided to Customer. The terms and conditions herein are incorporated into the Agreement by this reference. Capitalized terms not defined herein will have the meaning set forth in the Agreement.
Training Services
Illumio will provide those Training Service(s) as further defined by the specific Service Descriptions and/or Scope Documents in accordance with the Order Form and these Supplemental Terms.
Training Materials
All Training Services materials provided by Illumio for Training Services are the property of Illumio. Customer shall not duplicate such materials and may use the materials solely in conjunction with the Training Services provided by Illumio hereunder.
Delivery
An order for Training Services is valid for a period of twelve (12) months from the date of purchase (the “Delivery Period”). Customer will be invoiced in full for Training Services at the time of submission of the Order Form and expected to pay in accordance with the Agreement. Training Services are non-cancelable and non-refundable. Changes to an Order Form for Training Services will only be accepted in writing. If for any reason Customer wishes to reschedule Training Services, the request must be received at least fourteen (14) business days prior to the scheduled start date for the Training Services. The Fees for the Training Services will be charged for rescheduling requests received fewer than fourteen (14) business days prior to the scheduled start date for the Training Services. In no event will Illumio be liable for nonrefundable travel arrangements in the event of a cancellation or rescheduling. At the end of the applicable Delivery Period, any remaining Fees for unused Training Services shall expire and shall be forfeited. No refunds shall be provided based on any remaining Fees for unused Training Services. All Training Services must be registered and attended during the Delivery Period.
Miscellaneous
For on-site Training Services, Customer shall provide a classroom which will allow sufficient space to accommodate the expected number of students, will support connection to the Illumio virtual lab environment (if applicable), table space for a computer for each student, a blackboard or whiteboard for instructor use, and an LCD projector for presentations and demonstrations. If space such as a conference room is being used as a classroom, it should be located in an area that affords minimal external distractions and noise.
Exhibit F
Supplemental Terms – Privacy
The following Supplemental Terms are effective as of the effective date of the relevant Order Form and are entered into by and between Illumio and Customer and will apply to and govern the processing of personal data on behalf of Customer in connection with the delivery of the Products. Capitalized terms not defined herein will have the meaning set forth in the Agreement, except that terms such as “personal data breach”, “supervisory authority”, “processor”, “data subject”, etc. shall have the definitions specified in the Data Protection Law.
Introduction
Customer intends to send personal data from individuals in the EU or UK (the “Personal Data”) as part of the data processed by Illumio on its behalf in connection with the delivery of the Products. With respect to Personal Data, Customer is the data controller and Illumio is the data processor. Each party shall strive to comply with their respective obligations with respect to Personal Data and thus agrees: (a) Illumio shall only process Personal Data upon instructions from Customer, including those in the Agreement and Customer’s configuration of the Products; (b) Illumio’s data centers are located in the United States and Customer hereby instructs Illumio to process Personal Data in the United States and in the European Union as needed to deliver the Products or as otherwise instructed by Customer; (c) Illumio shall ensure that persons authorized to process Personal Data are committed to a duty of confidentiality; and (d) Illumio shall implement appropriate physical, technical and organizational measures to ensure that the level of security is appropriate to the risk in the performance monitoring and the analytics processing involved in the Products.
Sub-processors
Customer acknowledges and agrees that Illumio may engage third-party sub-processors to process Personal Data in connection with the provision of the Products. Provided that Customer signs up for notifications on the Illumio support portal, Illumio shall provide prior notice of any new sub-processors. After being notified, Customer will have ten (10) business days to notify Illumio in writing of any reasonable objection it has to the new sub-processor(s). Failure to notify Illumio within this time frame will be deemed approval of the new sub-processor(s). In the event Customer provides reasonable objection, Illumio will use reasonable efforts to make a change in the configuration available to avoid processing of Personal Data by such sub-processor. If Illumio is unable to make available such a change within a reasonable period of time, which shall not exceed ninety (90) days, Customer may terminate the applicable Order Form with respect to the affected Products that cannot be provided without use of the rejected sub-processor. In the event Illumio engages a sub-processor to carry out specific processing activities on behalf of Customer, Illumio shall place the same or similar obligations on such sub-processor to require appropriate technical and organizational measures to meet the requirements of the Data Protection Law. Where such additional processor fails to fulfill its data protection obligations, Illumio shall remain fully liable to Customer for the performance of that processor’s obligations.
Assistance
Taking into account the nature of the processing and the role of Illumio as data processor, Illumio will use reasonable efforts to assist Customer in responding to requests by data subjects to exercise data subject rights. Accordingly, Illumio will use reasonable efforts to assist Customer in ensuring compliance with Customer’s obligations under Art 32-36 of the Data Protection Law, including: (a) implementing appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk; (b) taking steps to ensure that any natural person with access to Personal Data does not process such Personal Data except on instruction; (c) notifying Customer without undue delay after becoming aware of a personal data breach; (d) assisting Customer in its data protection impact assessments, as appropriate and at Customer’s expense; (e) assisting Customer in its consultation with regulators, as appropriate and at Customer’s expense; and (f) supporting Customer in its role as data controller with respect to lawful requests submitted by data subjects to Customer.
Inspection
Upon receipt of Customer’s written request, Illumio will make available to Customer information reasonably necessary to demonstrate compliance with the obligations in these Supplemental Terms and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer to the extent required by law. Customer shall give Illumio at least ninety (90) days’ prior written notice and promptly reimburse Illumio for expenses incurred in connection with audits conducted by Customer or a third-party auditor beyond those that Illumio already conducts, including but not limited to, time reasonably expended for such audits at Illumio’s then-current professional services rates (made available to Customer upon request). Prior to commencement of work, Illumio and Customer shall mutually agree upon scope, timing, and duration of the work. Customer shall promptly notify Illumio of any non-compliance discovered during the course of any audit; and Illumio will inform Customer if it becomes aware of an instruction by Customer that, in Illumio’s opinion, infringes the Data Protection Law or other applicable data protection law.
Standard Clauses
Customer acknowledges that Illumio is located in the United States and may process Personal Data from its offices and data centers located in the United States. To ensure such processing is in accordance with applicable Data Protection Law, the parties hereby enter into the standard contractual clauses below (the “Standard Clauses”). In the event the Standard Clauses become insufficient under Data Protection Law, the parties shall use reasonable efforts to utilize an alternative method of adequacy for transfer.
For Personal Data subject to the UK Data Protection Law, the parties will adopt and incorporate herein the UK Information Commissioner’s Office approved Addendum pursuant to the UK Standard Data Protection Clauses Issued by the Information Commissioner’s Office Under S119a(1) Data Protection Act 2018, provided below under the Standard Contractual Clauses – Annex IV.
The Standard Clauses apply to Customers established in the European Economic Area (“EEA”) or Switzerland as the data controller. In the event that Customer’s use of Products results in processing of Personal Data of Customer’s affiliates that are also established in the EEA or Switzerland and data controllers, such affiliates shall be deemed “data exporters” under the Standard Clauses, provided that in all cases, Illumio’s aggregate liability to Customer and its affiliates will be subject to the limitations of liability set out below.
Customer shall in its use of the Products only process Personal Data in accordance with applicable law and shall not cause Illumio to be in violation of applicable laws. Illumio shall process Personal Data in accordance with Customer’s instruction. By contracting with Illumio for the provision of the Products, Customer (through its use and configuration of the Products and/or Services) is directing Illumio to obtain and collect certain Personal Data. For purposes of Clause 5(a) of the Standard Clauses, Customer instructs Illumio to: (a) process the Personal Data in accordance with the Agreement; and (b) process Personal Data initiated by Customer and its Authorized Users in their use of the Products during the Term. The parties agree that Illumio may remove or redact any commercial information and other terms not related to data protection from copies of sub-processor agreements provided to Customer pursuant to Clause 5(j) of the Standard Clauses from such agreements before providing them to Customer; and that such copies will be provided by Illumio only after its receipt of reasonably detailed written request by Customer. The parties agree that Illumio shall provide the certification of deletion of Personal Data described in Clause 12(1) of the Standard Clauses only upon receipt of Customer’s written request. The parties agree that all liabilities between Illumio and Customer (including Customer affiliates) will be subject to the terms of the Agreement (including but not limited to limitation of liability provisions), except that no limitations of liability will apply to any liability that Illumio may have to data subjects under the third-party rights provisions of the Standard Clauses. Subject to the preceding sentence, Customer affiliates shall be granted certain rights in relation to Illumio’s obligations reserved for the benefit of Customer hereunder, and data subjects are granted third-party rights under the Standard Clauses. All other third-party rights are excluded. The parties hereby agree that these Supplemental Terms supersede any conflicting or inconsistent provisions in the Agreement related to data protection and, in the event of ambiguity, these Supplemental Terms will prevail.
STANDARD CONTRACTUAL CLAUSES
4 June 2021
SECTION I
Clause 1
Purpose and scope
-
The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
-
The Parties:
-
the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
-
the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
-
These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
-
The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
-
These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
-
These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
-
Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
-
Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
-
Clause 8 - Clause 8.1(b), 8.9(a), (c), (d) and (e);
-
Clause 9 - Clause 9(a), (c), (d) and (e);
-
Clause 12 - Clause 12(a), (d) and (f);
-
Clause 13;
-
Clause 15.1(c), (d) and (e);
-
Clause 16(e);
-
Clause 18 - Clause 18(a) and (b);
-
Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
-
Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
-
These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
-
These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Docking clause
-
An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
-
Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
-
The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
-
The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
-
The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
(c) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(d) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of the Netherlands.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
APPENDIX
ANNEX I
A. LIST OF PARTIES
Data Exporter
Name:
Address:
Phone:
Email:
Role (controller/processor): Controller
Other Identifying Information:

Data Importer
Name: Illumio, Inc.
Address: 920 De Guigne Drive, Sunnyvale, California 94085
Phone: 1-669-800-5000
Email: [email protected]
Role (controller/processor): Processor
Other Identifying Information: None
B. DESCRIPTION OF TRANSFER
Data exporter
The data exporter is the Customer legal entity named above and its Affiliates.

Data importer
The data importer is Illumio, Inc. and its Affiliates, a provider of network security products and services.

Data subjects
Natural persons who interact with the Products, which may include (but are not limited to) data exporter’s employees, contractors, Authorized Users and customers as determined by data exporter.

Categories of data
The data exporter may submit personal data to the Products, the extent of which is determined by the data exporter. This may include:
- device identifiers, IP addresses, firmware versions, operating system, time zone, language, MAC addresses, and other information about computing systems, applications and networks;
- names, emails, age, gender, phone numbers, photographs;
- information about activity on computing systems, applications and networks, including real-user monitoring;
- file and communications content and metadata, antivirus and other malware statistics and files;
- system logs and traffic, including URLs; and
- information provided to Illumio through dashboards or portals associated with the security and firewall solutions of the Illumio Services, such as troubleshooting requests and security inquiries regarding files, systems and URLs.

Special categories of data
Not applicable

Processing operations
- Providing maintenance and technical support.
- Providing Updates and Upgrades.
- Addressing security and business continuity issues.
- Analyzing and improving the Products.
- Enforcing the legal terms that govern the Products.
- Complying with law and protecting rights, safety and property.
- Other purposes requested or permitted by Customers or Authorized Users or as reasonably required to perform Illumio’s business.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- Measures of pseudonymisation and encryption of personal data
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Measures for user identification and authorisation
- Measures for the protection of data during transmission
- Measures for the protection of data during storage
- Measures for ensuring physical security of locations at which personal data are processed
- Measures for ensuring events logging
- Measures for ensuring system configuration, including default configuration
- Measures for internal IT and IT security governance and management
- Measures for certification/assurance of processes and products
- Measures for ensuring data minimisation
- Measures for ensuring data quality
- Measures for ensuring limited data retention
- Measures for ensuring accountability
- Measures for allowing data portability and ensuring erasure
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
1. Amazon Web Services (AWS)
Amazon’s corporate address is:
410 Terry Avenue North
Seattle, WA 98109-5210
United States
Please note that AWS operates globally, and its data centers are hosted at undisclosed locations. For Illumio Core SaaS deployments, customer production information is hosted in the US, Australia, EU, or the UK, depending on customer location and preference.
Contact person’s name, position and contact details:
Questions regarding Illumio's use of AWS for hosting should be directed to the Illumio account team or Illumio Support.
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
The Illumio Core and Endpoint SaaS production environments are hosted on AWS.
2. Splunk
Splunk corporate address:
270 Brannan Street
San Francisco, CA 94107
United States
Contact person’s name, position and contact details:
Questions regarding Illumio's use of Splunk should be directed to the Illumio account team or Illumio Support.
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
System, application, and security logs from the Illumio Core and Endpoint SaaS platforms are stored on Splunk Cloud.
3. Salesforce (ServiceCloud)
Salesforce corporate address:
415 Mission Street, 3rd Floor
San Francisco, CA 94105
United States
Contact person’s name, position and contact details:
Questions regarding Illumio's use of Salesforce should be directed to the Illumio account team or Illumio Support.
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Customer support tickets are managed through Salesforce ServiceCloud.
4. Microsoft (Office 365)
Microsoft corporate address:
One Microsoft Way
Redmond, WA 98052-6399
United States
Contact person’s name, position and contact details:
Questions regarding Illumio's use of Microsoft Office 365 should be directed to the Illumio account team or Illumio Support.
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Employee collaboration and additional business communications.
5. Observe Inc
Observe corporate address:
520 S El Camino Real # 400
San Mateo, CA 94402
United States
Contact person’s name, position and contact details:
Questions regarding Illumio's use of Observe should be directed to the Illumio account team or Illumio Support.
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Monitoring and logging tool for SaaS product environment.
6. Pendo
Pendo corporate address:
140 2nd St #600
San Francisco, CA 94105
United States
Contact person’s name, position and contact details:
Questions regarding Illumio's use of Pendo should be directed to the Illumio account team or Illumio Support.
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
User behavior analytics for improvements to the product.
ANNEX IV – UK STANDARD DATA PROTECTION CLAUSES
The following provisions under this Annex IV are provided as an addendum to the SCCs above. On 2 February 2022, the UK Secretary of State laid before Parliament the international data transfer agreement (“IDTA”), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (“Addendum”) and a document setting out transitional provisions. This final step followed the consultation the UK Information Commissioner’s Office (the “ICO” or “Information Commissioner”) ran into 2021. The documents were issued under Section 119A of the Data Protection Act 2018 and following parliamentary approval came into force on 21 March 2022. Accordingly, data exporters are to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers. The IDTA and Addendum replaced standard contractual clauses for international transfers, taking into account the judgement of the European Court of Justice in the case commonly referred to as “Schrems II”.
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer)
Parties' details | Full legal name: Trading name (if different): Main address (if a company registered address): Official registration number (if any) (company number or similar identifier) | Full legal name: Trading name (if different): Main address (if a company registered address): Official registration number (if any) (company number or similar identifier)
Key Contact | Full Name (optional): Job Title: Contact details including email: | Full Name (optional): Job Title: Contact details including email:
Signature (if required for the purposes of Section 2) | |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs |
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Reference (if any): Other identifier (if any): OR
[ ] The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses, or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: |
Annex 1B: Description of Transfer: |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: |
Annex III: List of Sub processors (Modules 2 and 3 only): |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes |
Which Parties may end this Addendum as set out in Section 19: [ ] Importer [ ] Exporter [ ] neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information | As set out in Table 3.
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO | The Information Commissioner.
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR.
UK | The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR | As defined in section 3 of the Data Protection Act 2018.
This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
- References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words:
  - “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with:
  - “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.7(i) of Module 1 is replaced with:
  - “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules 2 and 3 is replaced with:
  - “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
- References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- In Clause 16(e), subsection (i) is replaced with:
  - “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with:
  - “These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with:
  - “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
From time to time, the ICO may issue a revised Approved Addendum which:
- makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
- its direct costs of performing its obligations under the Addendum; and/or
- its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
The Parties do not need the consent of any third-party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses:
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Exhibit G
Supplemental Terms – Security
The following supplemental terms are effective as of the effective date of the relevant Order Form and are entered into by and between Illumio and Customer and will apply to and govern the Security Program (as defined below). The terms and conditions herein are incorporated into the Agreement by this reference. Capitalized terms not defined herein will have the meaning set forth in the Agreement.
Security
Illumio maintains a formal security program (the “Security Program”), based on reasonable industry best practices, and designed to preserve the confidentiality, integrity and availability of the Platform and Customer Data.
The Security Program addresses (a) management of operational and security risk; (b) technical and administrative security measures; (c) ongoing security training for all employees; and (d) procedures for responding to and recovering from Security Incidents.
Security Incidents
Illumio will promptly notify Customer in the event of a Security Incident impacting Customer's Confidential Information or Customer Data, using the primary support contact information Customer has provided.
Security of the Products
Illumio incorporates security principles in all aspects of the Platform’s design, development and operation. A security assessment (“Penetration Test”) of the product is performed at regular intervals, using independent subject-matter experts.
Information about how Illumio works with the security community to surface and address security findings in the Platform can be found in Illumio’s Responsible Disclosure Policy: https://www.illumio.com/responsible-disclosure-policy
Past versions
Archived April 30, 2024 (effective for orders placed April 11, 2021 - April 30, 2024)
Archived April 10, 2021 (effective for orders placed July 1, 2020 - April 10, 2021)
Archived June 30, 2020 (effective for orders placed prior to July 1, 2020)