US Movable Ink Terms
Client desires to purchase and Movable, Inc. (“Movable”) desires to provide to Client the Services (as defined herein), subject to these Standard Terms and Conditions ("Standard Terms"). These Standard Terms are incorporated by reference into each order form (an “Order Form”) and Statement of Work (a “SOW”) executed by Movable and Client. The Standard Terms, any Order Form, any SOW, and any Appendices or Exhibits attached thereto are collectively referred to herein as the "Agreement."
1. Services. Movable hereby grants Client a limited, non-transferable, non-exclusive, revocable right and license to obtain access to the services identified on the applicable Order Form (“Services”) during the term of the Order Form on the terms set forth in the Agreement, subject to any limitations specified in the Order Form (“Limitations”). Client agrees to use the Services only in connection with Client’s products and/or services (“Client Products”) that are not Prohibited Products (as set forth below). The Services may include any tags, scripts, or code (such as html or javascript code) provided to Client by Movable hereunder for use in certain websites, apps, email campaigns or other online technology of Client, as well as the proprietary software platform and any other infrastructure (including without limitation any API or other web-based mechanism) through which Movable delivers the Services. For avoidance of doubt, Client shall only use the Services for its own benefit, and shall not modify, redistribute, or tamper with the Services or send via, upload to, or store within the Services any viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.
2. Affiliates. Any Client Affiliate may enter into an Order Form with Movable under these Standard Terms. In such event, (i) Client enters into these Standard Terms on behalf of such Client Affiliate, (ii) such Client Affiliate shall comply with these Standard Terms and such Client Affiliate’s Order Form, and (iii) Client shall be fully responsible for such Client Affiliate’s actions and omissions in connection with these Standard Terms and the Client Affiliate’s Order Form, including payment, liability for breach of contract and indemnification. As used herein, “Client Affiliate” means any entity that Client controls or is under common control with Client.
3. Ownership and Proprietary Rights. As between the parties, (a) Client owns all right, title and interest (including any intellectual property rights) in any trademarks or other content provided by Client in connection with the Services and (b) Movable owns all right, title and interest (including any intellectual property rights) in the Services, inclusive of any infrastructure, know-how, source code, algorithms, machine-learning methodology and data used to provide the Services. All rights not expressly granted to Client are reserved by Movable.
4. Payment. All fees for the Services (“Fees”) shall be set forth in the Order Form or SOW and (i) are quoted and payable in the currency set forth in the applicable Order Form, (ii) are non-refundable and non-cancellable (in whole or in part), and (iii) are based on the Services and Limitations specified in the applicable Order Form. All Fees shall be due and payable in advance upon execution of the Order Form and at commencement of any renewal term. Notwithstanding the foregoing and unless otherwise specified in the Order Form or SOW, Fees for additional Services or for usage exceeding any usage Limitations shall be billed monthly in arrears. Any payment not received from Client by the due date may accrue, at Movable's discretion, late charges at the rate of one and a half percent (1.5%) of the outstanding balance per month, or at the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid. Movable also reserves the right to charge Client other reasonable costs of collection. If Client's account is 30 days or more overdue, in addition to any of its other rights or remedies, Movable reserves the right to suspend the Services, without liability to Movable, until such amounts are paid in full.
5. Taxes. Fees are exclusive of all local, state, federal and foreign taxes, levies, or duties of any nature (“Taxes”), and Client is responsible for payment of all Taxes, excluding only taxes based on Movable’s income. When, as required by law, Client withholds income tax amounts from amounts payable to Movable, Client will increase the amounts payable such that the net amount paid to Movable equals the amount calculated in accordance with this Agreement. If Movable has the legal obligation to pay or collect Taxes for which Client is responsible pursuant to this Section, the appropriate amount shall be invoiced to and paid by Client unless Client provides Movable with evidence of a valid tax exemption issued by the appropriate taxing authority.
6. Communications. In using the Services, Client agrees to abide by all applicable laws, rules, regulations and other legal requirements (“Laws”), including laws governing online activities, reading or writing of cookies or other information on an end-user’s device, privacy, email marketing and anti-spam laws, as well as any requirements imposed by third parties whose products or services Client uses in connection with the Services (such as terms of use imposed by a third-party platform through which Client sends communications that are tailored by the Services). In these Standard Terms, the term “Communication” means any email message, web page, advertisement or other communication that is sent, displayed, targeted, created or customized through use of the Services. Client shall be responsible for the content of all Communications, including obtaining all necessary licenses, permissions and consents to enable all material comprising Service Data to be made available to Movable for use in providing the Services. Client will ensure that Communications are not, and will not give a reasonable observer the impression that Communications are, targeted or customized on the basis of Sensitive Personal Data (as defined in Section 8).
7. Prohibited Products. Client Products, and the Communications promoting Client Products, shall not contain, consist of, promote or offer: (i) tobacco products, (ii) bombs, grenades, guns or other weapons or instructions on how to assemble or otherwise make them, (iii) pornography or illicitly pornographic sexual products, including magazines, video, and software; escort services; or adult "swinger" promotions, (iv) odds making and betting/gambling services that are illegal or unlicensed in the jurisdiction in which Client is located or where Client Products and Communications are sent from, sent to, or offered in, (v) goods; drugs; drug contraband; or pirated computer programs that are illegal in the jurisdiction in which Client is located or where Client Products and Communications are sent from, sent to, or offered in, (vi) products or materials that exploit children under 18 years of age, including those that post or disclose any personally identifying information or private information about children without their consent (or their parents' consent in the case of a minor), (vii) products or materials frequently associated with unsolicited commercial email, a.k.a. spam, such as online and direct pharmaceutical sales, including health and sexual well-being products, work at home businesses, credit or finance management (including credit repair and debt relief offerings, stock and trading tips, and mortgage finance offers), or DJ/nightclub and event/club promotions/party lists, (viii) products or material that are grossly offensive, including blatant expressions of bigotry, prejudice, racism, hatred, or excessive profanity or post any obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable content, (ix) products or materials that introduce viruses, worms, harmful code and/or Trojan horses on the Internet, (x) products or materials that promote, solicit, or participate in pyramid schemes or multi-level channel and/or network marketing (MLM) businesses, including personal work-at-home offers promoting "get rich quick," "build your wealth" or "financial independence" offerings, (xi) products or materials that engage in any libelous, defamatory, scandalous, threatening, or harassing activity, including those that post any content that advocates, promotes, or otherwise encourages violence against any governments, organizations, groups, or individuals or which provide instruction, information or assistance in causing or carrying out such violence, (xii) products or materials that market or are marketed to third-party voter registration lists, (xiii) products or materials that contain or provide content, including images, of authors, artists, photographers, or others without the express written consent of the content owner or (ix) any other Products which may not be advertised under applicable law (collectively, “Prohibited Products”).
8. Information Collection and Service Data. (a) For purposes of providing the Services, Client hereby grants Movable an irrevocable license during the Term to (a) employ all information and content provided by Client and (b) collect information through the Services or from Client in order to provide the Services, including, as applicable, the recipient’s email address, a unique identifier, information about an individual’s interaction with Client’s website, emails or other Communications (e.g., opens and clicks), the type of device, browser and/or computer on which a Communication is opened, IP address, the approximate location of a device, the amount of time it took to read the Communication, product information and transaction information (the foregoing, along with any other data lawfully collected by Movable for provision of the Services, is referred to as “Service Data”). To the extent the Service Data contains personal data, the processing by Movable will be governed by the Data Processing Agreement for Movable Services attached hereto as Exhibit A. Movable may anonymize by de-identification and/or aggregation any such Service Data and use it solely for (i) internal purposes such as evaluating and improving the Services, (ii) creating analytics and predictive datasets regarding consumer behavior and interests and (iii) creating and distributing benchmark reports that report on general trends; provided that any such data is not publicly identified or identifiable as originating with or associated with Client or any individual person. Client shall not transmit to Movable, through the Services or otherwise, any "Sensitive Personal Data." 
Sensitive Personal Data consists of: (a) all government-issued identification numbers, including US Social Security numbers, driver's license numbers, and passport numbers; (b) all financial account numbers, including bank account numbers, credit/debit card numbers, passwords and other information if that information would permit access to a financial or other account; (c) all information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life, criminal matters or offenses, biometrics, and physical, physiological, genetic, mental, economic, cultural or social identity of a natural person or any minor under the age of thirteen that would be subject to the Children Online Privacy Protection Act or similar applicable laws; and (d) any other personal data designated by applicable law as "sensitive personal data," "special categories of data" or similar designation.
(b) Client shall ensure there is a legally sufficient privacy policy on each website, app or other online location on which Service Data is collected, describing the collection, use of the Services and to collect data as described herein and providing a mechanism for end users to notify Client if they want to opt out of such collection and use if legally required. Client shall provide any necessary notice and obtain any necessary consent for its use of the Services.
(c) Movable shall post a privacy policy on its website that describes its Services and to which Client may refer for clarification purposes (however, such reference shall not release Client from its statutory or legal obligation to provide transparent information to data subjects). Movable implements and maintains physical, electronic and managerial procedures intended to protect against the loss, misuse, unauthorized access or disclosure of Service Data and provides a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Client and Movable shall use secure methods to transmit Service Data (e.g., upload data sources directly into the platform).
9. Term and Termination. The term of each Order Form is set forth in the applicable Order Form. The Agreement will remain in effect for so long as any Order Form is in effect. Either party may terminate any Order Form: (i) upon thirty (30) days’ written notice of a material breach of such Order Form or these Standard Terms to the other party, provided such breach remains uncured at the expiration of the notice period, if such breach is capable of being cured; or (ii) if the other party becomes the subject of a petition in bankruptcy or any proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. The terms and conditions of Sections 3-5, 10-16, and this sentence shall survive termination of the Agreement.
10. Confidentiality. Neither party shall (a) have any right or interest in or to the Confidential Information of the other party or (b) use any Confidential Information of the other party except as permitted by the Agreement. Each party agrees that it will take reasonable steps, at least substantially equivalent to the steps it takes to protect its own proprietary information of similar nature to prevent the disclosure of the other party’s Confidential Information other than to its employees, affiliates, subsidiaries, subprocessors or other agents who must have access to such Confidential Information for such party to perform its obligations or exercise its rights hereunder, who each will be subject to confidentiality obligations no less strict than those set forth in this Section. “Confidential Information” means the material terms of the Agreement, and any information relating to or disclosed in the course of the Agreement that is, or should be reasonably understood to be, confidential or proprietary to the disclosing party. Confidential Information will not include information (i) now or hereafter, through no unauthorized act or failure to act on the receiving party’s part, in the public domain; (ii) known to the receiving party without an obligation of confidentiality effective at the time the receiving party received the same from the disclosing party; (iii) hereafter furnished to the receiving party by a third party as a matter of right and without restriction on disclosure; or (iv) independently developed by the receiving party, as evidenced by written records. Neither party may disclose the terms of the Agreement or make any announcements regarding the nature of the relationship between the parties without the other party’s prior written approval except as set forth herein. 
Nothing in the Agreement shall prevent a party from disclosing Confidential Information of the disclosing party to the extent the receiving party is legally compelled to do so by any governmental investigative or judicial agency pursuant to proceedings over which such agency has jurisdiction; provided, however, that prior to any such disclosure, the receiving party shall (a) assert the confidential nature of the information to the agency; (b) immediately notify the disclosing party in writing of the agency’s order or request to disclose, to the extent permitted; and (c) at the disclosing party’s expense, cooperate fully with the disclosing party in protecting against any such disclosure and/or obtaining a protective order narrowing the scope of the compelled disclosure and protecting its confidentiality. To the extent Client tests the Services for an evaluation period, the results or evaluation of such testing or monitoring shall be deemed the Confidential Information of Movable.
11. Indemnification. Movable shall defend, indemnify, and hold harmless (“Indemnify”) Client and its officers, employees or agents (“Related Parties”) against any damages, losses, liabilities, and expenses (including reasonable attorneys’ fees) to the extent arising from any allegation or claim brought by a third party (“Claim”) that the Services infringe any copyright, patent, trademark or other proprietary right of such third party. Notwithstanding the foregoing, Movable shall have no obligation under this Section to the extent a Claim arises, results from or is caused by (i) use of the Services in combination with any other product, service or content not provided by Movable, (ii) use of the Services for a purpose not intended, or (iii) Client’s failure to use the Services in accordance with the terms of the Agreement and instructions provided by Movable. Movable may elect in its sole discretion to do one or more of the following: (A) modify, or arrange for the modification, of the Service (but without materially adversely affecting its functionality) to render it non-infringing; (B) at no cost to Client, render the relevant activity non-infringing by procuring the right to exercise the relevant intellectual property rights of the relevant party; or (C) terminate the applicable Order Form and refund Client a pro-rata amount of any prepaid Fees attributable to the period after termination. Client hereby agrees to Indemnify Movable and Movable’s Related Parties against any Claim that arises from or in connection with (i) the Communications, (ii) Client Products and/or the use of Client Products in connection with the Communications, or (iii) Client’s use of the Services in contravention of the terms of the Agreement.
12. Indemnification Procedure. The indemnified party agrees to (a) promptly notify the indemnifying party in writing of each Claim (provided that failure to provide notice will not relieve the indemnifying party of its indemnification obligations, except to the extent such failure prejudices the indemnifying party), (b) render reasonable assistance to the indemnifying party in connection with any Claim, and (c) permit the indemnifying party to direct the defense or settlement of such Claim, except that the indemnifying party shall not settle any such suit or claim without the indemnified party’s prior written approval (which the indemnified party shall not unreasonably delay providing) unless such settlement is for money only and (i) includes a release of the indemnified party and its applicable Related Parties, and (ii) does not require the indemnified party or any of its applicable Related Parties to pay any amount or deliver any other consideration.
13. Limitation of Liability. EXCEPT WITH RESPECT TO A PARTY’S INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 11: (i) TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT, CONTRACT, OR OTHERWISE, SHALL ONE PARTY BE LIABLE TO THE OTHER OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, COVER, RELIANCE OR CONSEQUENTIAL DAMAGES, INCLUDING LOST REVENUES, AND LOSS OF GOODWILL, BUSINESS OR DATA, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES, AND (ii) THE MAXIMUM AGGREGATE LIABILITY OF ONE PARTY TO THE OTHER ARISING IN CONNECTION WITH THE AGREEMENT SHALL BE LIMITED TO THE FEES CLIENT PAID UNDER THE ORDER FORM THAT SERVES AS THE BASIS FOR THE CLAIM IN THE TWELVE (12) MONTHS PRIOR TO THE ACCRUAL OF THE APPLICABLE CLAIM. THE LIMITATIONS OF THIS SECTION SHALL NOT BE CONSTRUED TO REDUCE AMOUNTS PAYABLE BY CLIENT TO MOVABLE HEREUNDER.
14. Disclaimer. EXCEPT AS MAY OTHERWISE BE EXPRESSLY SET FORTH IN THE ORDER FORM, (A) THE SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT, AND MOVABLE DISCLAIMS, ALL WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AND ANY WARRANTIES THAT MAY ARISE FROM COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE, AND (B) MOVABLE DOES NOT WARRANT THAT CLIENT’S USE OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY MOVABLE, ITS AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CLIENT ASSUMES ALL RESPONSIBILITY AND RISK FOR ITS RELIANCE THEREON AND ITS USE OF THE SERVICES.
15. Assignment. Neither party may assign or transfer any of its rights hereunder without the prior written consent of the other party and any attempt to do so is void; provided, however, that either party may assign the Agreement in the event of a merger, reorganization, purchase of all or substantially all of its assets to which the Agreement relates or other change of control.
16. Miscellaneous. If there is any inconsistency between the Order Form or SOW and these Standard Terms, the Order Form or SOW, as applicable, shall govern. The Agreement: (i) will be governed by and construed in accordance with the laws of the State of New York, without giving effect to principles of conflicts of law; and (ii) will not be governed by the United Nations Convention of Contracts for the International Sale of Goods. The exclusive venue for any dispute relating to the Agreement shall be New York County, New York, and Client hereby waives any jurisdictional, venue or inconvenient forum objections thereto. CLIENT EXPRESSLY WAIVES ANY RIGHT TO A JURY TRIAL, TO JOIN OR CONSOLIDATE CLAIMS BY OR AGAINST OTHER CLIENTS, OR TO PURSUE OR PARTICIPATE IN ANY CLAIM AS A REPRESENTATIVE ACTION OR CLASS ACTION OR IN A PRIVATE ATTORNEY GENERAL CAPACITY. Prior to initiating any legal action, the initiating party shall give the other party at least 60 days written notice of its intent to file an action. Movable will provide such notice by e-mail to Client's e-mail address on file with Movable, and Client must provide such notice by e-mail to legal@movableink.com. During such notice period, the parties will endeavor to settle amicably by mutual discussions any disputes, differences, or claims whatsoever related to the Agreement. Failing such amicable settlement and expiration of the notice period, any controversy, claim, or dispute arising under or relating to the Agreement shall finally be settled in a court of competent jurisdiction as set forth herein. Regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to the Services or the Agreement must be filed within one (1) year after such claim or cause of action arose or be forever barred. The relationship of the parties under the Agreement is that of independent contractors, and the Agreement will not be construed to imply that either party is the agent of the other. 
The Agreement is not exclusive to either party. The Agreement may be amended only in writing, signed and executed by a duly authorized representative of each party or if Movable emails revised Standard Terms to Client or posts revised Standard Terms. Any notices under the Agreement must be sent to the addresses set forth in the Order Form (as may be modified by a party upon written notice), by facsimile, nationally recognized express delivery service or email to the email address on the Order Form, and deemed given upon receipt. The Agreement constitutes the complete and entire expression of the agreement between the parties, and supersedes any and all other proposals, both oral and written, representations, warranties and agreements, whether written or oral, with respect to the subject matter hereof. Client expressly agrees that any varying or additional terms contained in any purchase order or any other document or notification issued by Client in relation to the Services shall be of no effect and may be accepted for administrative convenience only. The waiver of any breach or default of the Agreement will not constitute a waiver of any subsequent breach or default, and will not act to amend or negate the rights of the waiving party. If any provision contained in the Agreement is determined to be invalid, illegal or unenforceable in any respect under any applicable law, then such provision will be severed and replaced with a new provision that most closely reflects the original intention of the parties, and the remaining provisions of the Agreement will remain unaffected. Headings used herein are for reference purposes only, not for interpretation hereof. 
Neither party will have any liability for any failure or delay resulting from any governmental action, fire, flood, insurrection, earthquake, power failure, hackers, riot, explosion, embargo, strikes whether legal or illegal, labor or material shortage, transportation interruption of any kind, work slowdown or any other condition beyond the control of such party.
17. Publicity. Client gives Movable permission to use Client logo on Movable’s website and in promotional materials. Further, Client gives Movable permission to create a case study on the performance of the Services or on a segment of Client’s end users (the “Case Study”), and Client agrees to participate in the Case Study. If Client is satisfied with the Service, Client also agrees to participate in speaking opportunities, including conferences and webinars alongside Movable.
Exhibit A
Data Processing Agreement for Movable Services
1. Introduction
This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing and security of Client Data under the Agreement.
2. Definitions
2.1 In this DPA, unless stated otherwise:
- Affiliate means any entity that controls or is under common control with a specified entity.
- Agreed Liability Cap means the maximum monetary or payment-based amount at which a party’s liability is capped under the Agreement.
- Client Data means the data received by the Services by or on behalf of Client, including any data that Movable collects from message recipients or visitors to Client’s websites on behalf of Client.
- Client Personal Data means the personal data contained within the Client Data.
- Data Incident means a breach of Movable’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data on systems managed by or otherwise controlled by Movable. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- DPA Effective Date means the date the parties agreed to this DPA.
- EEA means the European Economic Area.
- EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- European Data Protection Legislation means, as applicable: (a) the EU GDPR; (b) the UK GDPR and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
- Non-European Data Protection Legislation means data protection or privacy laws, regulations, and other legal requirements other than the European Data Protection Legislation.
- Notification Email Address means the email address for Client’s primary contact.
- Security Documentation means all documents and information made available by Movable under Section 7.4.1 (Reviews of Security Documentation).
- Security Measures has the meaning given in Section 7.1.1 (Movable’s Security Measures).
- “Sensitive Personal Data” means: (a) all government-issued identification numbers, including US Social Security numbers, driver's license numbers, and passport numbers; (b) all financial account numbers, including bank account numbers, credit/debit card numbers, passwords and other information if that information would permit access to a financial or other account; (c) all information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life, criminal matters or offenses, biometrics, and physical, physiological, genetic, mental, economic, cultural or social identity of a natural person or any minor under the age of thirteen that would be subject to the Children Online Privacy Protection Act or similar applicable laws; and (d) any other personal data designated by applicable law as "sensitive personal data," "special categories of data" or similar designation.
- Subprocessors means third parties authorized under this DPA to process Client Personal Data in order to provide parts of the Services.
- Term means the period from the DPA Effective Date until the end of Movable’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Movable may continue providing the Services for transitional purposes.
- UK GDPR means (i) the UK's Data Protection Act 2018; and (ii) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
2.2 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the EU and UK GDPR.
3. Duration of this DPA
This DPA will take effect on the DPA Effective Date and, notwithstanding expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Client Personal Data by Movable as described in this DPA.
4. Scope of Data Protection Legislation
4.1 Application of European Legislation. The parties acknowledge that the European Data Protection Legislation will apply to the processing of Client Personal Data to the extent provided under the European Data Protection Legislation.
4.2 Application of Non-European Legislation. The parties acknowledge that Non-European Data Protection Legislation may also apply to the processing of Client Personal Data.
5. Processing of Data
5.1 Roles and Regulatory Compliance; Authorization.
5.1.1 Processor and Controller Responsibilities. If the European Data Protection Legislation applies to the processing of Client Personal Data, the parties acknowledge and agree that:
a. The subject matter and details of the processing are described in Annex I;
b. As between the parties, Movable is a processor of that Client Personal Data under the European Data Protection Legislation; and
c. As between the parties, Client is a controller of that Client Personal Data under European Data Protection Legislation
d. Client shall not transmit to Movable, through the Services or otherwise, any Sensitive Personal Data.
Each party will comply with the obligations applicable to it under the European Data Protection Legislation, Non-European Data Protection Legislation and under this DPA with respect to the processing of that Client Personal Data.
5.1.2 Authorization by Third Party Controller. If the European Data Protection Legislation applies to the processing of Client Personal Data and Client is a processor, Client warrants to Movable that Client’s instructions and actions with respect to that Client Personal Data, including its appointment of Movable as another processor, have been authorized by the relevant controller.
5.1.3 Responsibilities under Non-European Legislation. If Non-European Data Protection Legislation applies to either party’s processing of Client Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Client Personal Data.
5.1.4 California Consumer Privacy Act. To the extent that Client Data includes “personal information” as defined in the California Consumer Privacy Act of 2018, including through the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (collectively, the “CCPA”), Client shall be a “business,” and Movable shall be a “service provider,” as those terms are defined under the CCPA, with respect to such personal information. Movable shall not (i) “sell” or “share,” as those terms are defined under the CCPA, Client Personal Data; (ii) retain, use, or disclose Client Personal Data for any purpose(s) other than the limited and specific purpose(s) of the processing set forth in Annex I to this DPA; (iii) retain, use, or disclose Client Personal Data outside the direct business relationship between Movable and Client, unless expressly permitted by the CCPA; or (iv) combine or update Client Personal Data with personal information that Movable receives from or on behalf of another person(s), or collects from its own interaction with the data subject, unless expressly permitted under the CCPA. Movable hereby certifies that it understands the restrictions in the foregoing sentence and agrees to comply with them.
5.2 Scope of Processing
5.2.1 Client’s Instructions. By entering into this DPA, Client instructs Movable to process Client Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as further specified through Client’s use of the Services (including through use of preference options, such as targeting rules, and other functionality of the Services); (c) as documented in the Agreement, including this DPA; and (d) as further documented in any other written instructions given by Client and acknowledged by Movable as constituting instructions for purposes of this DPA. Movable may condition the acknowledgement described in (d) on the payment of additional fees or the acceptance of additional terms.
5.2.2 Movable’s Compliance with Instructions. With respect to Client Personal Data subject to European Data Protection Legislation, Movable will comply with the instructions described in Section 5.2.1 (Client’s Instructions) unless Movable has knowledge that EU or EU Member State law to which Movable is subject is being infringed or requires other processing of Client Personal Data by Movable, in which case Movable will inform Client (unless that law prohibits Movable from doing so on important grounds of public interest) via the Notification Email Address.
6. Data Deletion
6.1 Deletion by Client. Movable will cooperate with requests of Client to delete Client Personal Data during the Term in a manner consistent with the functionality of the Services. Movable will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless applicable law requires storage.
6.2 Deletion on Termination. On expiry of the Term, Movable will delete or return all Client Personal Data (including existing copies) from Movable’s systems in accordance with applicable law as soon as reasonably practicable and within a maximum period of 30 days, unless applicable law requires storage.
7. Data Security
7.1 Movable’s Security Measures, Controls and Assistance.
7.1.1 Movable’s Security Measures. Movable will implement and maintain technical and organizational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Annex II (the “Security Measures”). As described in Annex II, the Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of Movable’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Movable may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
7.1.2 Security Compliance by Movable Staff. Movable will take appropriate steps to ensure compliance with the Security Measures by its staff to the extent applicable to their scope of performance, including ensuring that all such persons it authorizes to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.1.3 Movable’s Security Assistance. Client agrees that Movable will (taking into account the nature of the processing of Client Personal Data and the information available to Movable) assist Client in ensuring compliance with any of Client’s obligations in respect of security of personal data and personal data breaches, including if applicable Client’s obligations pursuant to Articles 32 to 34 (inclusive) of the EU GDPR and UK GDPR, by:
a. implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Movable’s Security Measures);
b. complying with the terms of Section 7.2 (Data Incidents); and
c. providing Client with the Security Documentation in accordance with Section 7.4.1 (Reviews of Security Documentation) and the information contained in the Agreement including this DPA.
7.2 Data Incidents
7.2.1 Incident Notification. If Movable becomes aware of a Data Incident, Movable will: (a) notify Client of the Data Incident without undue delay and in any event 72 hours after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Client Personal Data.
7.2.2 Details of Data Incident. Notifications made pursuant to this section will describe, to the extent practicable, details of the Data Incident, including steps taken to mitigate the potential risks and any steps Movable recommends Client take to address the Data Incident.
7.2.3 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Movable’s discretion, by direct communication (for example, by phone call or an in-person meeting). Client is solely responsible for ensuring that the Notification Email Address is current and valid.
7.2.4 No Assessment of Client Data by Movable. Movable will not assess the contents of Client Data in order to identify information subject to any specific legal requirements. Client is solely responsible for complying with legal requirements for incident notification applicable to Client and fulfilling any third party notification obligations related to any Data Incident(s).
7.2.5 No Acknowledgement of Fault by Movable. Movable’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Movable of any fault or liability with respect to the Data Incident.
7.3 Client’s Security Responsibilities and Assessment.
7.3.1 Client’s Security Responsibilities. Client agrees that, without prejudice to Movable’s obligations under Section 7.1 (Movable’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents):
a. Client is solely responsible for its use of the Services, including:
i. sharing only such Client Data that is required for the provision of the Services; and
ii. securing the account authentication credentials, systems and devices Client uses to access the Services.
b. Movable has no obligation to protect Client Data that Client elects to store or transfer outside of the Services.
7.3.2 Client’s Security Assessment.
a. Client is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures and Movable’s commitments under this Section 7 (Data Security) will meet Client’s needs, including with respect to any security obligations of Client under the European Data Protection Legislation or Non-European Data Protection Legislation, as applicable.
b. Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Client Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Movable as set out in Section 7.1.1 (Movable’s Security Measures) provide a level of security appropriate to the risk in respect of the Client Data.
7.4 Reviews and Audits of Compliance
7.4.1 Reviews of Security Documentation. In addition to the information contained in the Agreement (including this DPA), Movable will make available for review by Client the following documents and information (“Security Documentation”) to demonstrate compliance by Movable with its obligations under this DPA:
- Evidence that Movable has conducted regular application penetration tests of Movable’s hosted environment at least annually and a summary of the final results upon request.
- Evidence that Movable has conducted quarterly automated web application vulnerability scans.
- Reasonable amounts of information substantiating compliance with the Security Measures described hereunder.
7.4.2 Additional Business Terms for Reviews.
a. Client must send any requests for reviews of information to Movable.
b. Following receipt by Movable of a request, Movable and Client will discuss and agree in advance on the reasonable date(s) of and security and confidentiality controls applicable to any review of documentation.
c. Movable may charge a fee (based on Movable’s reasonable costs) for any review of documentation. Movable will provide Client with the basis of how it will calculate such fee.
d. Movable may object in writing to an auditor appointed by Client to conduct any review if the auditor is, in Movable’s reasonable opinion, not suitably qualified or independent, a competitor of Movable, or otherwise manifestly unsuitable. Any such objection by Movable will require Client to appoint another auditor or conduct the review itself.
e. Nothing in this Data Processing Agreement will require Movable either to disclose to Client or its third party auditor, or to allow Client or its third party auditor to access:
i. any data of any other client of Movable;
ii. Movable’s internal accounting or financial information;
iii. any trade secret of Movable;
iv. any information that, in Movable's reasonable opinion, could: (A) compromise the security of Movable’s systems or premises; or (B) cause Movable to breach its obligations under applicable law or contract or its security and/or privacy obligations to any client or any third party; or
v. any information that Client or its third party auditor seeks to access for any reason other than the good faith fulfillment of Client’s obligations under this DPA.
8. Data Subject Rights
8.1 Data Subject Requests
8.1.1 Client’s Responsibility for Requests. During the Term, if Movable receives any request from a data subject in relation to Client Personal Data and the functionality of the Services, Movable will advise the data subject to submit their request to Client, and Client will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. For the avoidance of doubt, Client shall be responsible for honoring requests from data subjects to restrict processing of Client Personal Data by opting such data subjects out of the Services.
8.1.2 Movable’s Data Subject Request Assistance. Client agrees that Movable will (taking into account the nature of the processing of Client Personal Data) assist Client in fulfilling any obligation to respond to requests by data subjects, including if applicable Client’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the EU GDPR and UK GDPR.
9. Data Transfers
9.1 Data Storage and Processing Facilities. Movable may, subject to Section 9.2 (Transfers of Data Out of the EEA), store and process the relevant Client Personal Data anywhere Movable or its Subprocessors maintain facilities.
9.2 Transfers of Data Out of the EEA and UK. If the storage and/or processing of Client Personal Data (as set out in Section 9.1 (Data Storage and Processing Facilities)) involves transfers of Client Personal Data out of the EEA, and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), then the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Commission implementing decision 2021/914 of 4 June 2021) hereby apply with respect to such data as updated or replaced from time to time, or, at Movable’s election, Movable will offer and comply with another mechanism that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the EU or UK GDPR. The current version of the Standard Contractual Clauses is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. For the avoidance of doubt, Module 2 of the Standard Contractual Clauses shall apply to Client as the “data exporter” and Movable as the “data importer”. The governing law of the Standard Contractual Clauses shall be the law of the Republic of Ireland. Annexes I, II and III to this DPA shall serve as the Annexes I, II and III of the Standard Contractual Clauses. To the extent the Standard Contractual Clauses or another lawful mechanism does not provide for an adequate level of protection for the transferred Client Personal Data (e.g. due to conflict with mandatory laws to which the recipient may be subject or due to extensive surveillance practices of authorities in the country to which the data is transferred), Client and Movable will discuss and, if necessary, implement additional safeguards for the transferred Client Personal Data.
10. Subprocessors
10.1 Consent to Subprocessor Engagement. Client specifically authorizes the engagement of Movable’s Affiliates as Subprocessors. In addition, Client generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).
10.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at https://movableink.com/gdpr/subprocessors (as may be updated by Movable from time to time in accordance with this DPA).
10.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Movable will:
a. ensure via a written contract that:
i. the Subprocessor only accesses and uses Client Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA); and
ii. if the EU or UK GDPR applies to the processing of Client Personal Data, the data protection obligations set out in Article 28(3) of the EU or UK GDPR, as described in this DPA, are imposed on the Subprocessor; and
b. remain liable for all obligations subcontracted to, and all related acts and omissions of, the Subprocessor.
10.4 Opportunity to Object to Subprocessor Changes.
a. When any new Third Party Subprocessor is engaged during the Term, Movable will, at least 30 days before the new Third Party Subprocessor processes any Client Personal Data, inform Client of the engagement (including the name and location of the relevant subprocessor and the activities it will perform) either by sending an email to the Notification Email Address or via the Services.
b. Client may object to any new Third Party Subprocessor if it can demonstrate reasonable concerns relating to the protection of the Client Personal Data and the parties shall negotiate a resolution in good faith. If the parties cannot agree on a resolution within 30 days of notice, then Client may terminate the Agreement immediately upon written notice to Movable, on condition that Client provides such notice within 60 days of being informed of the engagement of the Third Party Subprocessor as described in Section. This termination right is Client’s sole and exclusive remedy if Client objects to any new Third Party Subprocessor.
11. Processing Records
11.1 Movable’s Processing Records. Client acknowledges that Movable is required under the EU or UK GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Movable is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the EU or UK GDPR applies to the processing of Client Personal Data, Client will, where requested, provide such information to Movable via the Services or other means provided by Movable, and will use the Services or such other means to ensure that all information provided is kept accurate and up-to-date.
12. Data Protection Impact Assessment
12.1 Movable’s Data Protection Impact Assessment Assistance. If the EU or UK GDPR applies to the processing of Client Personal Data, Movable shall assist Client to the extent necessary, taking into account the nature of processing and the information available to Movable, with data protection impact assessments to be carried out by Client and, if necessary, subsequent consultations with the competent supervisory authority pursuant to Articles 35, 36 EU or UK GDPR. Client shall reimburse Movable for the expenses and costs incurred by Movable as a result thereof.
13. Liability
13.1 Liability Cap. The total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement will be limited to the Agreed Liability Cap for the relevant party.
14. Effect of This DPA
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement except the terms of the Standard Contractual Clauses, this DPA will govern.
Annex I: Subject Matter and Details of the Data Processing
A. LIST OF PARTIES
Data exporter(s):
Name: Client under the Agreement
Address: As set forth in the Agreement
Contact person’s name, position and contact details: …As set forth in Agreement
Activities relevant to the data transferred under these Clauses: Use of Services as described in the Agreement
Role (controller/processor): Controller
Data importer(s):
1. Name: Movable, Inc.
Address: 841 Broadway, 3rd Fl, New York, NY 10003…
Contact person’s name, position and contact details: …
Activities relevant to the data transferred under these Clauses: Providing the Services to data exporter in accordance with the DPA.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Data subjects include data exporter’s past, present or future clients, users, website visitors, and message recipients.
Categories of personal data transferred: Data relating to data exporter’s past, present or future clients, users, website visitors, and message recipients, including an email address, unique user identifier, information about an individual’s interaction with data exporter’s website, emails or other communications (as applicable, e.g., opens and clicks), the type of device, browser and/or computer on which a communication is opened, the individual’s IP address, the approximate location of a device and the amount of time it took to read the communication, product information, transaction information, and such other data as data exporter’s business logic shall direct data importer to collect via merge tags, API connection or other method, and any other data listed or described in an Order Form.
Special categories of data: None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data will be transferred as required to provide Services to data exporter under the Agreement.
Nature of the processing: Provision of data importer Services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing: Data importer will process personal data for the purposes of providing the Services to data exporter in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: 2 years from the date of collection
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Subprocessors will process personal data in order to provide Services to data exporter under the Agreement for the duration of the Term of the Agreement, as further described in Annex III.
C. COMPETENT SUPERVISORY AUTHORITY: The Data Protection Commission (Ireland).
Annex II: Technical and Organisational Measures to Ensure the Security of the Data (“Security Measures”)
Movable (data importer) will implement and maintain the Security Measures set out in this Annex II. Movable (data importer) may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
1. Measures to encrypt and pseudonymise personal data. Technical and organizational measures intended to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, which include:
a. Encrypting data at rest (via AES256 or similar encryption).
b. Encrypting data in transit (via TLS 1.2 or similar encryption), provided that Client makes available the required dependencies.
c. Associating data collected with a Client-provided unique user identification value that Movable cannot reidentify when clients provide such a value and to the extent possible for a product.
2. Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services. Technical and organizational measures intended to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are processed, include:
a. Leveraging multi-factor authentication across critical systems;
b. Adhering to the principle of least privilege;
c. Isolating development, staging and production environments;
d. Establishing physical security of facilities;
e. Establishing access authorizations and mechanisms for employees and third parties;
f. Utilizing an intrusion detection system;
g. Backing up data daily and using hot standbys; and
h. Regularly updating systems with critical patches.
3. Restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident. Technical and organizational measures to help ensure that Personal Data are protected against accidental destruction or loss (physical/logical), which include:
a. Backup procedures (including daily backups and hot standbys);
b. Geographic redundancy;
c. Mirroring of hard disks (e.g. RAID technology);
d. Uninterruptible power supply (UPS)/backup generators;
e. Remote storage;
f. Firewall systems;
g. Disaster recovery plan.
4. Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. These measures include:
a. Annually engaging an independent third party to perform a web application penetration test. Upon Client’s written request, Movable shall provide the executive summary of the report to Client. Movable shall address vulnerabilities in the findings of the report within a reasonable, risk-based timeframe;
b. Performing quarterly vulnerability scans using an industry standard vulnerability scanning tool;
c. Annually testing disaster recovery and fail over plans; and
d. Providing annual Security Awareness training to all personnel. Security Awareness training shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry standard topics which include, but are not limited to: (i) the importance of information security, the consequences of information security failures and how to report a security breach, (ii) physical controls such as visitor protocols, safeguarding portable devices and proper data destruction, (iii) logical controls related to strong password selection/best practices, and (iv) how to recognize social engineering attacks such as phishing.
Annex III: List of Sub-processors
The controller has authorised the use of the sub-processors identified at https://movableink.com/gdpr/subprocessors, which shall be updated in accordance with the terms of the DPA.
Revised 16 August 2024