Post on 14-Oct-2020
LE-FR-8568 Rev 3 - Feb 19, 2019
1
SCENE WEBSHARE CLOUD LICENSE AGREEMENT
between
FARO Europe GmbH & Co. KG,
Lingwiesenstr. 11/2,
70825 Korntal-Münchingen,
Federal Republic of Germany
- hereinafter referred to as “FARO” -
and
Company: …………………………………………………….…
Address: …………………………………………………….…
…………………………………………………….…
…………………………………………………….…
Tel : ……………………….………………………………
Fax : ……………………………….………………………
e-mail: ……………………………………….………………
Other information needed to identify the organisation:
…………………………………………………….…
- hereinafter referred to as “Licensee” -
WHEREAS
(1) FARO Group has developed the cloud computing service SCENE WebShare Cloud that
is hosted on third parties’ servers (“Computing Service”).
(2) Licensee uses one or more laser scanners of the FARO Group and is interested in using
the Computing Service.
LE-FR-8568 Rev 3 - Feb 19, 2019
2
NOW THEREFORE, in consideration of the mutual covenants, the Parties hereto enter into
this License Agreement (“Agreement”) according to the following terms and conditions:
§ 1
Object of the Agreement
The object of this Agreement is to regulate the deployment of the Computing Service by FARO
to Licensee and the license fees that are due in favour of FARO in consideration for such
deployment. The Computing Service shall enable Licensee to get access to and use software
applications and data storage capacity. The software applications and the data storage
capacity are hosted on servers of FARO and/or third parties. Access shall be taken via
telecommunication. The functionalities of the software applications and the data storage
capacity shall be used subject to the rules provided in this Agreement. FARO’s computing
service specifications (“Computing Service Specifications”, Annex 1 to his Agreement) and
§ 2 of this Agreement describe the type, scope and further specifications of the Computing
Service.
§ 2
Description of the Computing Service
(1) In order to be able to create Uploaded Data of the Computing Service, Licensee requires
at least the software SCENE and a functioning internet connection.
(2) The Computing Service is a software and hosting service that is provided to Licensees
as well as to any third party internet user by FARO. The Computing Service allows users
to upload 3D laser scan data and panoramic photographs produced by SCENE
(“Uploaded Data”), to view the Uploaded Data and related meta data within a standard
web browser, to organize the Uploaded Data in projects to which annotations and
measurements can be added (“Scan Projects”), and to share the Scan Projects with
other users. Each Scan Project is presented in an overview map which indicates the
position of 3D laser scans. Single laser scans are presented in a panoramic view.
(3) The Computing Service requires the installation and use of SCENE and the setting up of
accounts to SCENE as described in § 6 below.
LE-FR-8568 Rev 3 - Feb 19, 2019
3
(4) Further description of the Computing Service and minimum requirements are determined
in Annex 1.
§ 3
License
(1) FARO hereby grants to Licensee a personal, revocable, non-exclusive, non-assignable
and non-transferable license, on a royalty-basis, and temporally limited to the expiry or
termination of this Agreement, and to use the Computing Service via telecommunication
in accordance with the terms and conditions of this Agreement (“License”). Unless
granted expressly in this Agreement, Licensee does not get additional rights or licenses,
in particular, but not limited to, SCENE, the Computing Service, software applications
and/or operating systems.
(2) The License granted herein does not include the right to make copies of the Computing
Service, to make or retain any notes, memos, reports or records, reproductions,
correspondence or any document regarding the Computing Service, including copies of
the Computing Service.
(3) The License is restricted to the access and usage of the Computing Service in the cloud.
FARO is not obligated to provide Licensee with the object and/ or source code of the
Computing Service.
(4) Licensee shall have no right to decompile, reverse engineer or dis- and/or reassemble
or otherwise attempt to derive the object and/or the source code of the Computing
Service granted to Licensee.
§ 4
Rights to use and Sublicensing
(1) Licensee is not entitled to assign or transfer the License or any part thereof to any other
party without the prior written consent of FARO.
LE-FR-8568 Rev 3 - Feb 19, 2019
4
(2) Licensee may sublicense the Computing Service to users of the Licensee in accordance
with the terms and conditions of this Agreement (the "Sublicensees"). Unless otherwise
provided in this Agreement, Licensee shall not sublicense any of the rights granted to it
hereunder without prior consent of FARO.
(3) Licensee shall inform FARO about any Sublicensee including the correct name and
address of the Sublicensee without undue delay.
(4) Each sublicense granted by Licensee is limited in scope and time to the License’s scope
and time and will automatically terminate upon the termination of this Agreement and the
License respectively. Licensee shall be fully liable for the compliance with the terms of
this Agreement by the Sublicensees and for any damage FARO or any of its affiliates
suffer as a result of non-compliance and misuse of the Computing Service by any
Sublicensee.
(5) For each case that Licensee enables the use of the Computing Service to a non-named
user and/or unauthorized third party, Licensee is obligated to pay a compensation to
FARO that amounts to the license fee that would be payable in the event of entering into
a license contract for a regular term of one (1) year including the scope and further
specifications of the Computing Service as selected by the License. Licensee remains
the right to evidence that FARO has suffered no damages or damages less than the
above-mentioned compensation. FARO shall have the right to claim further damages.
§ 5
Ownership of Computing Service
(1) Licensee acknowledges that FARO is the full and sole owner of the Computing Service
and that title to the Computing Service, any copies thereof or any modification,
improvement, adaption, enhancement or translation, developed as a result of Licensee
using the Computing Service, and/or rights in and to any patent, trademark, copyright
developed and/or incorporated in the Computing Service, shall at all times remain with
FARO. Licensee agrees that nothing in this Agreement shall give Licensee, its
subsidiaries or other affiliates any right, title or interest in the Computing Service other
LE-FR-8568 Rev 3 - Feb 19, 2019
5
than the right to use the Computing Service in accordance with the provisions of this
Agreement.
(2) Licensee hereby agrees and acknowledges FARO’s full and sole ownership of the
Computing Service in and to any such modification, improvement, adaption,
enhancement or translation. Licensee herebyundertakes to confer, full and sole
ownership in said modification, improvement, adaption, enhancement or translation to
FARO by executing an assignment of rights, evidencing such transfer to FARO.
(3) Licensee undertakes to refrain, and to procure that its subsidiaries and other affiliates
refrain from comitting any act that is inconsistent with such ownership. In respect of those
countries in which the Computing Service is not subject to a registration or application,
Licensee acknowledges FARO’s priority rights in the Computing Service and expressly
waives in favor of FARO any right it may acquire in such countries in the Computing
Service as a user of it.
(4) Licensee agrees that FARO and/or its licensors or other licensees own all right, title and
interest in any and all of Licensee’s customer feedback statements, and that FARO shall
not owe any remuneration, compensation or credit for these to Licensee. To the extent
that any of the rights assigned herein cannot presently be assigned under applicable law,
Licensee agrees to assign such rights at such time as the rights are capable of being
assigned.
(5) Licensee shall not use, deposit or obtain registration of, and shall procure that none of
the Sublicensees, its subsidiaries or other affiliates uses, deposits or obtains registration
of a tradename or trademark that is identical with, confusingly similar to, or consisting of
the Computing Service’s trademark or brand name.
§ 6
Account
(1) To every Licensee an account will be assigned (“Account”).
(2) Licensee shall appoint one representative (“Domain Owner”) who will be responsible for
making all service and support calls to FARO. FARO will contact the Domain Owner for
any operational and/or billing-related issues. Licensee can assign administrators for their
LE-FR-8568 Rev 3 - Feb 19, 2019
6
Account (each a “Domain Administrator”). Domain Administrators can invite
prospective users who have not yet registered themselves to the Computing Service by
email address. By accepting such invitation, users will create a “User Account”. Domain
Administrators can afford access privileges (“Permission”) to employees and/or to third
parties who have created a User Account (each a “User”) per role. These Permissions
may include (i) read-only access to Private Scan Projects in the Licensee’s domain, or
(ii) additional permissions per role. The Domain Administrator(s) may assign the
following Permission rules to Users:
• “User Role”: The User Role includes the permission to create measurements,
annotations and orthophotos related to a Scan Project;
• “Uploader Role”: The Uploader Role includes the permission to upload data to
Scan Projects;
• “Project Manager Role” (or “Project Managers”): The Project Manager Role
includes the permission to view all Scan Projects in the respective domain, to
manage group-based access for all Protected Scan Projects of same and to
delete Scan Projects in the respective domain; or
• “Administrator Role” (or “Domain Administrator”): The Administrator Role
includes the permission to add Users to the domain and to manage user roles.
This includes the appointment of the Domain Owner.
(3) Future versions of the Computing Service may include further roles that can be assigned
to Users.
(4) Licensee agrees not to pass to and/or to let a third-party use Licensee’s Account.
(5) FARO is not responsible for unauthorized access to Licensee’s Account. Licensee will
immediately contact FARO if Licensee believes an unauthorized third party may be using
Licensee’s Account or if Licensee’s Account information is lost or stolen.
(6) More Details in respect of the Account and the User Accounts shall be set out in Annex
1.
LE-FR-8568 Rev 3 - Feb 19, 2019
7
§ 7
Obligations of Licensee
(1) Except as otherwise expressly permitted in this Agreement, Licensee agrees not to use
the Computing Service in any manner contrary to the purposes of this Agreement nor to
adapt, add-on, improve, enhance, modify the Computing Service or translate the
Computing Service. In particular, Licensee undertakes not to redistribute, encumber,
sell, rent, lease, assign, sublicense or use the Computing Service in a timesharing or
service bureau arrangement, or otherwise transfer rights to the Computing Service to
third parties.
(2) Licensee is required to keep the contact information of the Domain Owner current in the
settings of the administration area in SCENE WebShare Cloud.
(3) Licensee is obligated to take all appropriate measures to avoid any infringement, action
or cause of action against it by reason of the use of the Computing Service. Should
Licensee be the cause of any such infringement, action or cause of action, Licensee
agrees to bring such a matter to the attention of FARO immediately.
(4) Licensee is obligated to refrain from each attempt to retrieve unauthorized information
or data himself or via non-authorized third parties and/or to interfere or to let interfere in
programs that are run by FARO and/or to intrude in an unauthorized manner into the
data network of FARO.
(5) Licensee warrants to FARO that (i) the Uploaded Data shall not contain any violent,
sexual, gambling, hacking, cracking or other objectionable material, including, without
limitation, any material that is intolerant, offensive or otherwise offensive material
regarding race, sex, religion, nationality, disability, sexual orientation, or age, or any
material that is illegal or that may give rise to civil liability on the part of FARO of any sort,
and (ii) that any Uploaded Data and/or data Licensee provides to FARO shall not contain
any viruses, Trojan horses, malware, spyware, adware or other disruptive software, or
any software code which is designed to disrupt, damage, or perform unauthorized
actions on a computer system, or which transmits data from FARO’s webservers or other
computer systems of FARO or any third party without notice to and the express prior
consent of FARO, and (iii) that Licensee will comply with all applicable laws, rules and
regulations.
LE-FR-8568 Rev 3 - Feb 19, 2019
8
(6) Licensee hereby grants to FARO a personal, limited, non-exclusive, royalty-free, non-
assignable and non-transferable license to use the Uploaded Data and the related
copyrights and other intellectual property rights to the extent that FARO uses theses
rights in order to maintain the Computing Service in accordance with the terms and
conditions of this Agreement. FARO hereby accepts the grant of these rights.
(7) Licensee represents and warrants to FARO that in relation to all Uploaded Data,
Licensee has the worldwide authority, be it by ownership or with consent of the entitled
owner or entitled licensee, to upload the Uploaded Data and that uploading the Uploaded
Data does not infringe or violate any copyright, trademark, trade secret, personality,
personal data or other proprietary right of any third party.
(8) Licensee has to protect its data and Uploaded Data, for example by making a daily
backup of its data and Uploaded Data to limit possible damages and to ensure the
reconstruction of its data and/or Uploaded Data in case of a loss of its data and/or
Uploaded Data.
(9) As far as legally required, Licensee is obligated to have persons, car plates and any
other personal data that refers to third parties which is included in Uploaded Data
anonymized, i.e. pixelated or blurred.
(10) Licensee is obligated to check data and information for viruses and other malware before
sending these and to use an up-to-date and state of the art antivirus program.
§ 8
FARO’s Obligations and Rights
(1) FARO is not obligated to provide upgrades to Licensee.
(2) FARO may modify the Computing Service and its functionalities and provide software
updates at any time. In the case of an amendment to the Licensee’s detriment, FARO
will advise the Licensee or its Domain Owner, who serves as point of contact for FARO,
of such amendment in advance by sending an email or by applying a clearly highlighted
LE-FR-8568 Rev 3 - Feb 19, 2019
9
notice on the Computing Service. The Licensee may then object to this amendment by
sending an email to Support.EMEA@faro.com or a letter to FARO within thirty (30) days
of receipt of the notice of change. If Licensee fails to object in due time or continues to
use the Computing Service after receipt of the notice of change, the amended Computing
Service shall be deemed to be accepted. For this purpose, a use of the Computing
Service executed by Users who were set up by Licensee or granted access to the
Licensee’s domain will be deemed as continued use of the Computing Services by
Licensee. Licensee will be informed by this legal consequence separately in the notice
of change. If the Licensee objects to the amendment, FARO may terminate this
Agreement extraordinarily with one (1) month notice to the end of a calendar month.
(3) FARO is entitled to block the access of Licensee to the Computing Service or the
Uploaded Data and/or the access of Licensee’s Account and the User accounts in its
domain in case of an unlawful violation of Licensee and/or the Sublicensees against one
of the obligations of Licensee and/or the Sublicensees of this Agreement, especially a
breach of the obligations of § 7 para. (1), (4), (5), (7), (9) and/or (10) of this Agreement.
The access will be restored when Licensee has stopped violating this Agreement and
the danger of repetition is eliminated by issuing a declaration of cease and desist by
Licensee with respect to FARO. In that case Licensee remains obligated to pay all due
invoices.
(4) FARO is obligated to delete the concerned Uploaded Data in case of a breach against
§ 7 para. (5) and/or (7) of this Agreement.
§ 9
Fees and Terms of Payment
(1) The license fees depend on the extent of Computing Services which are utilized by the
Licensee (“Package”). Licensee and FARO have agreed about the scope and
specifications of the Computing Services as listed in Annex 2 and selected by Licensee
(“Selected Package”).
(2) For the use of the Selected Package, Licensee shall pay FARO a yearly license fee as
set forth in FARO’s applicable Price List (“License Fee”).
(3) Licensee’s use of the Computing Service is limited in terms of storage and certain other
performance specifications of the Selected Package. If Licensee’s use of the Computing
LE-FR-8568 Rev 3 - Feb 19, 2019
10
Service exceeds such limitations after the service has been initially provided, Licensee
shall pay additional fees (“Additional Fees”) as provided for in FARO’s applicable Price
List.
(4) The payable fees consist of the License Fee and the Additional Fees, as applicable
(“Payable Fees”). FARO will issue an invoice on the Payable Fees which are calculated
on the basis of FARO’s applicable Price List of the Commencing Date, subject to a raise
of fees pursuant to § 9 (5) (“Invoice Amount”). In case the Payable Fees have to be
calculated for a portion of a year, they will be calculated on a pro-rata basis for every
month with 1/12 of the yearly fees as set out in FARO’s applicable Price List. Specifically,
if Additional Fees are due or if Licensee upgrades otherwise, then Licensee shall pay
the fees for the remaining months of the yearly term.
(5) FARO is entitled to raise adequately the fees as set out in FARO’s applicable Price List
for the contractual services as compensation for personnel or other cost increases of
FARO. In this case FARO will inform Licensee by letter or email about the increase of
fees. The increase of fees does not apply to the period that Licensee had already made
payments. The same applies mutatis mutandis in the event of personnel or other cost
decrease. In case the increase of the fees reaches an amount equal or greater than 20%
of the previous fee, Licensee is entitled to terminate this Agreement at the end of the
Initial Term or Renewal Term, as applicable, by written notice given at least one (1)
month prior to the end of any such period. If Licensee exercises this right of termination,
the previous fees will be invoiced until the termination becomes effective.
(6) In case the parties have not agreed to use a direct debiting scheme, the Invoice Amount
has to be credited to the specified account thirty (30) days after reception of the invoice
of FARO. Invoices shall be issued in Euro.
(7) The fees are exclusive of VAT. If VAT accrues, it shall be added at the current rate.
LE-FR-8568 Rev 3 - Feb 19, 2019
11
§ 10
Default
(1) FARO is entitled to block the access of Licensee to the Computing Serviceif and while
Licensee defaults with Payable Fees for over thirty (30) days. For the avoidance of doubt,
the Licensee shall remain obliged to pay all due invoices.
(2) If the Licensee defaults with its payment obligations under this Agreement for over sixty
(60) days, FARO is entitled to terminate the Agreement without prior notice and to claim
liquidated damages in the amount of a quarter of all monthly fees to the end of the normal
term of the Agreement.
(3) Upon Licensee's default of payment, Licensee shall pay default interest amounting to
eight (8) percentage points above the base interest rate of the German Federal Bank.
(4) FARO reserves the right to enforce further claims against Licensee for damages and
cost incurred as a consequence of the Licensee being in default of payment.
§ 11
Warranties of FARO
(1) FARO represents and warrants to Licensee that FARO has the authority to grant the
License. To the best of FARO's knowledge and belief, the Computing Service does not
infringe or violate any third-party rights. However, FARO does not represent and warrant
that the use of the Computing Service does not infringe any third-party rights, in particular
copyrights, software, trademarks, trade secrets, know-how, patents, utility patents,
design patents or other proprietary or intellectual property rights.
(2) FARO represents and warrants that it is not aware of any circumstances that may have
compromised the confidentiality of the Computing Service.
(3) FARO strives to perform the Computing Service without errors and interruptions.
However, a faultless and uninterrupted service cannot always be guaranteed. FARO
provides the Computing Service on an “AS IS” basis. In the event of faults or interruptions
in the Computing Service or other deteriorations in quality, FARO shall restore normal
operation as soon as possible.
LE-FR-8568 Rev 3 - Feb 19, 2019
12
(4) FARO makes no express or implied warranties concerning the quality of the Computing
Service, including any warranties of merchantability or fitness for a particular purpose.
(5) FARO does not and cannot warrant the performance or achievement of specific results
Licensee may obtain by using the Computing Service. In addition, Licensee is solely
responsible for determining the appropriateness of using the Computing Service and
FARO does not represent that the Computing Service can be used in any specific
hardware and/or software and/or computer system environment including Licensee’s
environment.
§ 12
Infringement of Computing Service
(1) If any Party becomes aware
(a) of any actual or imminent infringement of the Computing Service, or
(b) of any claim or allegation by a third person that any part of the Computing Service
is invalid or liable to revocation or cancellation, or infringes the rights of any third
party,
it shall promptly advise the other party by written notice, giving full particulars thereof. If
Licensee becomes aware of such facts, it shall not make any admission or comment to
any third party with regard to such issues.
(2) Notwithstanding § 12 para. (1), FARO shall have the control of disputes and proceedings
relating to the Computing Service (including, without limitation, any proceedings to which
Licensee is a party), in particular but not limited to infringement of any copyright,
trademark, trade secret or other proprietary right by any third party resulting from or as
a consequence of Licensee’s use of Computing Service in accordance with this
Agreement, and shall, in its reasonable discretion and in consideration of Licensee's
position, decide what action (including litigation, arbitration or settlement), if any, to take
in respect of any circumstance referred to under § 13 para. (1). FARO shall not be
obliged to bring or defend any proceedings in relation thereto. In the event that FARO
notifies Licensee within reasonable time in writing that it will not take any action in respect
LE-FR-8568 Rev 3 - Feb 19, 2019
13
of any circumstance referred to under § 13 para. (1), Licensee shall be entitled to
prosecute infringements and bring suit or take any other action in its own name and at
its own cost.
(3) Upon request, Licensee and FARO shall give each other all reasonable assistance
(including, without limitation, the provision of documents and information and the
execution of documents and making relevant people available and being joined as a
party in which the contracting partner is a party) in any action, claim or proceedings
brought, threatened or contemplated concerning any of the Computing Service. The
requesting party shall meet all reasonable expenses incurred by the assisting party in
giving such assistance.
§ 13
Indemnification, Limitation of FARO’s Liability
(1) In the event of any breach of a duty under this Agreement, in particular the duties under
§ 7 of this Agreement, Licensee shall indemnify FARO without delay against all claims
of third parties, for example but not limited to claims for indirect, direct and/or
consequential damages, liabilities and expenses incurred by FARO, including FARO’s
reasonable costs of its legal defense, and arising out of any activity of Licensee,
including, but not limited to, such arising out of the storage or processing of Uploaded
Data or other business operations of the Uploaded Data, and offer FARO the necessary
assistance in its legal defense.
(2) FARO shall not be liable for any damages, costs, losses, expenses (including settlement
awards and attorney’s fees) incurred by Licensee in defending any action or claim unless
such defense or action has been authorized in writing by FARO.
(3) Unless otherwise agreed herein, any claims for damages of Licensee against FARO or
FARO’s agents because of or in relation with any defects or lack of warranted
characteristics of the Computing Service, no matter on which legal basis, in particular,
claims arising out of breach of contract or of precontractual relationship (culpa in
contrahendo), infringement of duties arising in connection with the Agreement or tort,
subsequent frustration due to petty negligence and/or repudiation of the contract
because of delayed delivery, shall be excluded.
LE-FR-8568 Rev 3 - Feb 19, 2019
14
(4) FARO shall only be liable - and this shall also apply if FARO employed executive
personnel or other persons in performing FARO’s obligations - in the event that:
(a) FARO is attributed gross negligence or intent;
(b) FARO fraudulently concealed a defect or warranted the quality of the service
FARO provides;
(c) damage to life, bodily injury or damage to health has been negligently and/or
willfully caused by FARO; and/or
(d) FARO violates substantial contractual obligations (cardinal obligations)
endangering the purpose of the agreement as a whole, that is
(aa) in the event of material violations of duties which endanger the achievement
of the contractual purpose, or
(bb) in the event of the violation of duties – the fulfilment of which enables the
proper performance of the contract in the first place - and on the observance
of which the buyers may regularly rely ("Cardinal Duties").
(5) The claim to damages compensation for the violation of Cardinal Duties in the case of §
13 para (4) lit. (d) of this Agreement is limited to the typically foreseeable damage.
(6) The liability regardless of negligence or fault of FARO on compensation (sec. 536 a
German Civil Code) for existing deficits on conclusion of contract are expressly excluded.
§ 13 para. (1) to (5) of this Agreement remain unaffected.
(7) The exclusion of liability shall not apply to claims arising out of the German Product
Liability Code. No change in the legally codified distribution of the burden-of-proof to the
Licensee’s disadvantage is associated with the aforementioned rules.
LE-FR-8568 Rev 3 - Feb 19, 2019
15
§ 14
Act of God
(1) FARO is released of its obligation to perform out of this Agreement, if and to the extent
to which the default of performances is due to an incidence of circumstances of an act
of God after signing this Agreement.
(2) As act of God apply for example, but not limited to, the following events: war, riots,
dispossessions, cardinal modifications of law, lawfully industrial actions, also in third
party businesses, storm, flooding and other natural disasters, failures of communication
networks or gateways of third party carriers, regulatory actions, and/or other technical
dysfunctions insofar as FARO is not be responsible for them, especially water ingress,
power blackouts and disruptions or destruction of data lines.
§ 15
Data Protection
(1) FARO is permitted to use Licensee’s personal information to provide Licensee with
support and inform Licensee about FARO’s software updates/upgrades or new releases
that are part of FARO’s service.
(2) FARO has implemented technology and security policies, rules and measures to protect
the personal data that FARO has in FARO’s possession from unauthorized access,
improper use, alteration, unlawful or accidental destruction, and accidental loss. For
detailed information, please see Exhibit 2 to Annex 4 which shall be deemed
incorporated herein by reference.
(3) Licensee warrants that Licensee (i) has permission of all individuals (where required), be
it employees or customers of Licensee or employees of Licensee’s customers or other
persons, or (ii) is otherwise justified to transmit this individual’s personal data to FARO,
that FARO stores this personal data, including on web servers of FARO and on web
servers owned by Amazon Web Services, Inc., that FARO processes this personal data
with the Computing Service and that this personal data can be presented to third parties,
especially with all data processing operations related with the use of the Computing
LE-FR-8568 Rev 3 - Feb 19, 2019
16
Service. Therefore, Licensee undertakes to enter into agreements with its employees
and customers relating to the aforementioned.
(4) In order to entitle FARO to process the personal data of individuals in the manner of
para. (3) above, Licensee and FARO enter into an “Data Processing Agreement” that
complies with all applicable laws, rules and regulations, especially Art. 28 (3) of General
Data Protection Regulation (Annex 4).
(5) Licensee shall, upon first demand, indemnify FARO and hold FARO harmless from and
against any and all liability or claims of third parties based on culpable infringement of
personal privacy rights of individuals from or as a consequence of FARO’s permitted use
of the personal data of individuals as set out in § 15 para. (3) till (4) above. The above
indemnification shall not apply if the claim is based on FARO’s intentional or grossly
negligent breach of duties or FARO’s slightly negligent breach of Cardinal Duties.
§ 16
Confidentiality
(1) All Confidential Information (information which is designated as confidential or
communicated in such a manner or under such circumstances as would reasonably
enable a person or organization to ascertain its confidential nature) provided by one party
will be maintained in confidence by the other party. Each party agrees to notify the other
party if disclosure of such other party's Confidential Information is necessary to comply
with the requirements of any law, government order, regulation or legal process prior to
such disclosure. The provisions of this § 16 will not have application to any information
disclosed by a party to the extent such information (i) becomes lawfully available to the
public; (ii) is received without restriction from another person or organization lawfully in
possession of such information; (iii) was rightfully in the possession of a party without
restriction prior to its disclosure; or (iv) is independently developed by a party or its
employees or agents without access to the other party's similar information.
(2) The obligations contained in § 17 para. (1) of this Agreement shall survive the termination
of this Agreement for five (5) years, but shall cease to apply to any information coming
into the public domain otherwise than by breach of the Licensee of its obligations
contained in this Agreement.
LE-FR-8568 Rev 3 - Feb 19, 2019
17
§ 17
Term and Termination
(1) This agreement shall be deemed to have taken effect from the date this Agreement is
signed (“Commencing Date”). The Agreement shall be effective for the period of one
(1) year beginning on the day of operable deployment (“Initial Term”). The Agreement
will be renewed automatically to the end of the Initial Term or following terms for one (1)
year (“Renewal Term”), unless either party terminates this Agreement.
(2) The Agreement may be terminated at the end of each term of the Agreement by written
notice given at least thirty (30) days before the end of any of such terms.
(3) The right to terminate this Agreement for cause remains unaffected. A serious and
continuous breach of the terms of this Agreement by either party shall be considered as
cause to terminate this Agreement without prior notice. Without limiting the generality of
the foregoing sentence, such a cause is considered in particular if one of the following
violations occurs:
(a) If either party commits an act of bankruptcy or compounds or makes any
arrangement with its creditor or executes a bill of sale on its assets or any part
thereof; or
(b) if either party is wound up either compulsorily or voluntarily or a receiver on its
assets is appointed except for the purpose of amalgamation or reconstruction; or
(d) in the event that Licensee comes under the control, directly or indirectly, of a third
party or entity different from the shareholders/owners of Licensee at the time of
signing of this Agreement; or
(e) Licensee does not conduct its business in consistency with proper business
methods and practices or otherwise in a manner able to cause considerable
damage to FARO’s reputation or fails to comply with its obligations under § 7 para.
(1), (4), (5), (7) and/or (11) and § 4 para. (1).
(4) A notice of termination requires the written form or text form (e.g. email).
LE-FR-8568 Rev 3 - Feb 19, 2019
18
§ 18
Effect of Termination
(1) Upon termination of this Agreement, the rights of Licensee to use the Computing Service
cease immediately to exist.
(2) In case of termination, Licensee is not entitled to any kind of compensation for the
goodwill connected to the Computing Service that Licensee may have created during the
term of this Agreement.
(3) With termination of the Agreement Licensee shall immediately return or, if instructed by
FARO, destroy all Uploaded Data. FARO will erase the Uploaded Data of Licensee if the
Uploaded Data were not returned or destroyed before this Agreement comes to an end.
(4) Further termination of this Agreement will not limit FARO from pursuing any other
remedies available to it, including injunctive relief, nor will termination relieve Licensee
of its obligation to pay any charges to FARO that accrued under this Agreement prior to
termination, provided that FARO has met all its contractual obligations associated with
these charges. Further Termination of this Agreement by FARO pursuant to § 17 shall
be without prejudice to the right to seek compensation for breach of any provision of this
Agreement or any other damage of FARO or any of its affiliates caused in connection
with the use of the Computing Service by Licensee.
§ 19
Assignment and Set-off
(1) This Agreement is not transferable or assignable by Licensee, whether in whole or in
part, voluntarily or by merger, consolidation or sale, or otherwise by operation of law
without the prior written consent of FARO. Subject to the foregoing, this Agreement and
each and every provision hereof, shall be binding upon and shall inure to the benefit of
the parties and their respective permitted successors and assigns.
(2) Licensee is permitted to set off only with claims that are undisputed or have been upheld
by a final decision of a court of competent jurisdiction.
LE-FR-8568 Rev 3 - Feb 19, 2019
19
§ 20
Applicable law, Jurisdiction
(1) This Agreement is governed by German law. The Application of the United Nations
Convention on Contracts for the International Sale of Goods is hereby expressly
excluded.
(2) Place of performance and delivery, as well as exclusive place of jurisdiction for all
disputes arising out of or in connection with this contract, shall be Korntal-Münchingen.
Nevertheless, FARO shall be entitled to file legal complaints against Licensee at
Licensee’s place of business.
§ 21
Final Provisions
(1) All Annexes which are listed in and are enclosed to the Agreement are an integral part
of the Agreement.
(2) Any amendment to or modification of this Agreement requires the written form. The same
applies to any agreement waiving the written form.
(3) This Agreement, including the Annexes, constitutes the entire agreement between the
Parties with respect to the subject matter of this Agreement, and supersedes all other
prior oral and written agreements or understandings of the Parties relating thereto. All
references to this Agreement shall be deemed to include the Annexes.
(4) In the event that any term or provision of this Agreement is or will become invalid or
unenforceable, then the validity and enforceability of all other terms and conditions shall
thereby not be affected. In such case, the invalid or unenforceable term shall be
substituted by a valid and enforceable term which comes as close as possible to the
economic purpose of the invalid or unenforceable term. The same applies in case of
gaps of this Agreement.
LE-FR-8568 Rev 3 - Feb 19, 2019
20
________________________________ ________________________________
(date) (date)
For on behalf of FARO For on behalf of the Licensee
________________________________ ________________________________
(Name) (Name)
Title Title
List of Annexes
Annex 1 – Computing Service Specifications
Annex 2 – Available Packages
Annex 3 – Price List
Annex 4 – Data Processing Agreement
LE-FR-8568 Rev 3 - Feb 19, 2019
21
Annex 1 of License Agreement
Computing Service Specifications
This following Computing Service Specifications shall establish the services which shall be
rendered by FARO in accordance with the License Agreement and the duties of the parties
with which they have to comply in order to render the services.
Deployment of the Computing Service
The Computing Service is a software and hosting service to Licensee by FARO. The
Computing Service is deployed operable to Licensee with informing Licensee about the
activation of the Computing Service in writing or by email.
Description of the Computing Service
(a) Computing Service
The Computing Service is a software and hosting service offered by FARO. The
Computing Service allows the User to upload laser scan data, to view uploaded
laser scan data and related meta data within a standard web browser like Mozilla
Firefox, Google Chrome, Apple Safari or Microsoft Edge. The data is organized in
scan projects. Each scan project is presented as an overview map which indicates
the position of 3D laser scans. Single laser scans are presented in a panoramic
view.
(b) Functionalities of the Computing Service
- Authentication, access control and user rights management,
- Uploading data,
- Working with the uploaded data, e.g. creating annotations or taking
measurements,
- Sharing and data management.
- Some packages may add additional functionality.
(c) User documentations
- The documentation for the Computing Service is provided online via
https://manuals.websharecloud.com
LE-FR-8568 Rev 3 - Feb 19, 2019
22
- The documentation for creation of Uploaded Data and the upload onto the
sub-domain of the Licensee is described in the user manual of SCENE.
(d) Other services
- FARO is planning to constantly maintain the offered service and improve its
functionality. Updates and extensions of the service can be implemented at
all time without further notice but FARO is not obligated to improve the
functionality or to provide updates and extensions.
- It is FAROs sole decision to define if future extensions of the offered service
will be provided as part of existing contracts or if they will be provided at
additional costs.
(e) Handover point of performance
The handover point of the Computing Service is the interface of FARO’s network
to the public internet network. The scope of service of the Computing Service of
FARO ends from Licensee’s point of view at the handover point of the Computing
Service.
Access Authority
(a) Licensee will be granted one sub-domain for his sole usage. The name of the sub-
domain needs to be defined and provided to FARO by Licensee. The full URL of
Licensee’s Computing Service site will be as follows (where “sub_domain” is
chosen by Licensee):
https://sub_domain.websharecloud.com.
(b) FARO will grant administrator rights to specific users in the Licensee’s sub-domain
(“Administrators” or “Domain Administrators”).
(c) The Administrators can assign additional registered users to the sub-domain. The
user rights and feature set provided to such an assigned user can be managed by
the Administrators via the role management system of the Computing Service.
(d) The number of users which can be assigned to the sub-domain of Licensee
depends on the actual package which is agreed with the License Agreement.
(e) The Administrators and each single user have to safeguard its access authority by
a unique and safe password.
LE-FR-8568 Rev 3 - Feb 19, 2019
23
Backups
(a) The Uploaded Data is stored within the system of Amazon Web Services.
(b) Neither FARO nor the Computing Service offer means to back up Uploaded Data.
(c) It is in Licensee’s sole responsibility to create and store backups of the Uploaded
Data. FARO is not providing any means of backup service as part of the License
Agreement.
(d) With termination of the License Agreement, the sub-domain of Licensee including
all data will be deleted by FARO. FARO is not providing any means of backup
service as part of the License Agreement.
New Package
In accordance with the Packages and the Pricings that are available for such Packages
it is possible to change to a higher level of services of the Computing Service during the
duration of the License Agreement. The change shall be requested within the Computing
Service and the respective payment shall be made in accordance with the instructions
given by the Computing Service. The change will then be processed in accordance with
the Computing Service’s standard processing times. After the processing and the
payment being made and confirmed by the Computing Service, the Computing Service
will activate the change. In case the fees have to be calculated for a portion of a year,
the fees will be calculated for every month with 1/12 of the yearly fees as set out in
FARO’s applicable Price List.
Dashboard and Limits of Package
(a) The Computing Service offers real-time monitoring of the current load of the
Licensee’s sub-domain via a dashboard at Licensee’s administration console of
the web front end.
(b) This dashboard is displaying the current storage consumption and the used
download volume together with the specific thresholds according to the actual
package.
Exceeding the scope of the contract
In case Licensee exceeds the Selected Package of Licensee, Licensee agrees that
FARO will charge for the excess service according to the unit prices as defined in the
Price List for the Computing Service.
LE-FR-8568 Rev 3 - Feb 19, 2019
24
Support
(a) The Online Help system is available at https://manuals.websharecloud.com
(b) Email and telephone support
Support will be provided by FARO Europe on workdays from 8:00 am until 5:00pm
(MEZ / UTC +1h)
TEL: +49 7150 9797 400 or free call*: 00800 3276 7378
FAX: +49 7150 9797 9400 or free fax*: 00800 3276 1737
Email: Support.EMEA@faro.com
* Only for calls from Austria, France, Germany, Italy, Spain, Switzerland, the Netherlands
and Great Britain.
Minimum Requirements of Licensee
(1) The access to the Computing Service is made via telecommunication. The
necessary minimum requirements of Licensee for the usage of the Computing
Service are particularly:
- Access to the internet.
- The uploading of project data onto the Licensee’s Computing Service sub-
domain requires one of the following FARO software or hardware products:
1. a local installation of FARO SCENE in version 5.2 or higher,
2. a local installation of FARO SCENE LT in the latest version,
3. a FARO ScanPlan device.
- The most up-to-date full SCENE software version is required in order to
enable the latest features, highest stability and speed.
- The technical requirements as provided for in the SCENE release notes
apply and are available under:
https://knowledge.faro.com/Software/FARO_SCENE/SCENE
- To work with the Uploaded data, a standard web browser like Mozilla Firefox,
Google Chrome, Apple Safari or Microsoft Edge is required. A web browser
with WebGL support is recommended to enable all features.
(2) The provision of these requirements and also the telecommunications service,
including the transmission service from the handover point right up to the devices
LE-FR-8568 Rev 3 - Feb 19, 2019
25
utilized by Licensee are not object of the Agreement. Licensee is responsible for
such requirements.
(3) The Computing Service may allow for the export of read-only file formats that are
compatible with standard third party applications.
Service Availability
(a) Reference
The availability only concerns to the functionalities of the Computing Service as set
out in section “Description of the Computing Service” of this Annex.
(b) Availability
FARO provides the functionalities of the Computing Service as described in section
“Description of the Computing Service” of this Annex to Licensee during the
following system runtime (“Target Runtime/Availability”) up to a percentage of
96%:
Target Runtime/Availability: 24 hours/day and 365 day/year up to 96%.
The Computing Service might be unavailable during Planned Non-Availability as
set out in this Annex.
Non-Availability exists if for the rest the agreed functionalities are not usable.
Planned Non-Availability
(a) FARO is entitled to service, to maintain and to update the Computing Services,
including the inherent software and/or hardware-systems beyond the stipulated
periods of section “Service Availability” lit. (b) of this Annex (“Planned Non-
Availability”).
(b) FARO will seek to inform Licensee upfront about planned maintenance activities.
This information will be either via email or online within the Computing Service
front-end.
(c) If and to the extent Licensee can use the Computing Service in periods of Planned
Non-Availability, there is no warranty claim. In case of a reduction or dismissal of
the performance during times of Planned Non-Availability, Licensee has especially
no right of warranty or damages.
LE-FR-8568 Rev 3 - Feb 19, 2019
26
Annex 2 of License Agreement
Available Packages
Package Included Storage
Download volume
3D Processing
Assigned Users
Base Package 100GB unlimited unlimited unlimited
Amounts shown as “unlimited” are subject to fair usage. Download volumes of more than
500GB per month are deemed not to be fair usage anymore and require negotiation of a
special download Package.
Available packages may be subject to change.
LE-FR-8568 Rev 3 - Feb 19, 2019
27
Annex 3 of License Agreement
Price List
The pricing as agreed between you and FARO’s Regional Sales representative applies.
LE-FR-8568 Rev 3 - Feb 19, 2019
28
Annex 4 of License Agreement
Data Processing Agreement
Preamble
This Annex Data Processing Agreement (“Annex”) specifies the data protection obligations of
the parties which arise from commissioned data processing, as stipulated in the License
Agreement including all Annexes (the “Main Agreement”). This Annex applies to all activities
performed in connection with the Main Agreement where FARO as the data processor
(hereinafter: “Processor”) or a third party engaged by the Processor acting on behalf of the
Controller may process personal data of the Licensee according to the Main Agreement
(hereinafter: “Licensee”) and its customers or its staff.
§ 1
Definitions
(1) “Personal Data”
Personal Data means any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social identity of that
natural person.
(2) “Processing” or “Processed”
Processing means any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction.
(3) "General Data Protection Regulation” or “GDPR”
LE-FR-8568 Rev 3 - Feb 19, 2019
29
General Data Protection Regulation or GDPR means the General Data Protection
Regulation 2016/679 applying from 25 May 2018.
§ 2
Scope and Responsibility
(1) Processor shall Process Personal Data on behalf of Licensee. The scope of Processing
is specified in the Main Agreement. Within the scope of the Main Agreement, Licensee
is the controller and shall be responsible for complying with any controller obligation.
Licensee and Processor shall be separately responsible for conforming with such
statutory data protection regulations as are applicable to them.
(2) A list of categories of Personal Data, the purpose and nature of the Processing by
Processor on behalf of the Licensee is set out in Exhibit 1 to this Annex.
(3) The term of this Annex shall commence along with the Main Agreement and end upon
termination of the Main Agreement. Unless otherwise agreed by the Parties termination
of this Annex shall automatically terminate the Main Agreement.
§ 3
Documented Instructions
(1) The Processor shall not Process Personal Data that have been provided to the
Processor for purposes of data Processing for any other purposes, in particular, not for
its own purposes (including in anonymized form), and shall not transmit Personal Data
to third parties unless this is a subject matter of the services under this Agreement. The
foregoing shall not prevent the Processor from creating backup copies if and to the extent
they are required to ensure proper data Processing, or copies of data which are required
to be kept by virtue of law or any other legal standard. Where Processor is obliged to
Process Personal Data of Licensee beyond the instructions on basis of EU law and/or
EU member state law, the Processor shall inform Licensee before the start of the
Processing.
(2) Where Processor is of the opinion that an instruction violates Data Protection Legislation,
Processor is obliged to immediately inform Licensee of such opinion.
LE-FR-8568 Rev 3 - Feb 19, 2019
30
(3) The Personal Data will be Processed and used within the European Union and the
European Economic Area as well as by subcontractors of Processor being located
outside these areas (see Section 6 of this Annex). In the event Processor intends to use
subcontractors located in third countries, the additional requirements of Art. 44 et seq.
GDPR shall apply and have to be fulfilled.
§ 4
Confidentiality of Processing
Processor shall ensure that any personnel entrusted with Processing Licensee’s Personal
Data have committed themselves to confidentiality and have been duly instructed and trained
on the protective regulations of the GDPR. The confidentiality obligations shall continue after
the termination of the above-entitled activities.
§ 5
Security of Processing
(1) Within Processor’s responsibility, Processor shall structure Processor’s internal
corporate organisation to ensure compliance with the specific requirements of the
protection of Personal Data. Processor shall take the appropriate technical and
organisational measures taking into account (i) the nature of the Personal Data to be
protected, (ii) the risks that are presented by the Processing of Personal Data; (iii) the
harm that may result from breach of such measures; (iv) applicable industry standards;
(v) the state of technological development; and (vi) the costs of implementing the
measures to adequately protect Licensee’s Personal Data against unauthorized or
unlawful Processing, accidental loss, destruction or damage in accordance with the
requirements set out in Art. 32 GDPR. Such measures hereunder shall include, but not
be limited to measures to ensure ongoing confidentiality, integrity, availability and
resilience of the Processing systems and services and the ability to restore availability
and access to Customer Personal Data as well as evaluation of the measures
implemented.
(2) An overview of the above-entitled technical and organisational measures shall be
attached to this Annex as an Exhibit 2.
LE-FR-8568 Rev 3 - Feb 19, 2019
31
(3) Licensee shall retain title as to any carrier media provided to Processor as well as any
copies or reproductions thereof. Processor shall store such media safely and protect
them against unauthorised access by third parties.
§ 6
Subcontractors
(1) Processor is generally not entitled to engage subcontractors without the prior written
consent of Licensee. Where Processor engages subcontractors, Processor shall be
obliged to impose the same data protection obligations on the subcontractor as
applicable to the Processor under this Annex. Sentence 2 shall apply in particular, but
shall not be limited to, the contractual requirements for confidentiality, data protection
and data security stipulated between the parties of the Main Agreement. The Processor
is obliged to inform Licensee about any intended amendment to the subcontractors.
Licensee is entitled to refuse or withdraw consent to the amendment of the
subcontractors. The Licensee acknowledges refusal or withdrawal may have the effect
that the Licensee can no longer use certain services. In this case the Licensee shall be
entitled to terminate the Main Agreement without notice.
(2) Licensee acknowledges and consents that Processor’s contractual obligations
hereunder will be performed by using Amazon Web Services. Amazon Web Services,
Inc., who owns Amazon Web Services, is located in the USA. But, in this instance
Amazon Web Services will store the data in the cloud only within the EU.
§ 7
Data Subject Rights
(1) Taking into account the nature of the Processing under the Main Agreement Processor
shall provide reasonable assistance to Customer in responding to any request from Data
Subjects under Chapter III of the GDPR.
(2) Where Licensee, based upon applicable data protection law, is obliged to provide
information to an individual about the collection, Processing its Personal Data, Processor
shall assist Licensee in making this information available, provided that Licensee has
instructed Processor in writing to do so. Processor shall only correct or erase the
LE-FR-8568 Rev 3 - Feb 19, 2019
32
Personal Data Processed on behalf of the Licensee or restrict Processing of Personal
Data when instructed to do so by the Licensee.
(3) To the extent an individual contacts the Processor with a request to correct or erase
Personal Data or to restrict Processing of Personal Data, or if the Processor has other
reasons to believe that certain Personal Data should be corrected, erased or its
Processing restricted, the Processor shall inform the Licensee thereof without undue
delay in text form. The Licensee shall then issue the necessary instructions to the
Processor. The Processor shall be obliged to assist the Licensee upon first demand in
connection with the correction or erasure of Personal Data and to restrict Processing of
Personal Data.
§ 8
Assistance of Processor
(4) Processor shall, without undue delay, inform Licensee in case of breaches of Personal
Data protection, and any other irregularity in Processing Licensee’s Personal Data. The
information shall include information with respect to the timing, type of incident (including
information, which of the Personal Data is affected), the affected system, the persons
concerned, time of discovery, any potential adverse consequences as well as the
counter-measures taken by the Processor. Licensee shall be responsible for fulfilling the
duties to notify under Art. 33 and Art. 34 GDPR. Processor will support Licensee in
fulfilling such obligation.
(5) Processor shall also assist taking into account the nature of the processing in carrying
out data protection impact assessments (Art. 35 GDPR) or consulting the supervisory
authority (Art. 36 GDPR).
(6) Upon Licensee’s request, Processor shall provide all information necessary for compiling
the overview defined by Art. 30 GDPR.
(7) Processor shall if required under statutory law appoint a data protection officer in
accordance with Art. 37 to 39 GDPR and sections 38 and 6 German Federal Data
Protection Act. In this case Processor provides Licensee with the contact details of the
Processor’s data protection officer.
LE-FR-8568 Rev 3 - Feb 19, 2019
33
(8) Processor shall, upon Licensee and/or Subcontractor’s request, provide to Licensee or
Subcontractor all information on Licensee and/or Subcontractor’s Personal Data and
information.
§ 9
Return and Deletion of Personal Data
(1) Licensee shall, upon termination or expiration of the Main Agreement, instruct Processor
to return Personal Data or to delete stored Personal Data. Processor may still need to
retain certain information for legal and internal business reasons, such as fraud
prevention.
(2) Documentation intended as proof of proper data Processing must be kept by the
Processor beyond the end of the Annex in accordance with relevant retention periods.
The Processor may hand such documentation over to the Licensee after expiry of the
Annex.
(3) Processor shall be obliged to securely delete any test and scrap material as instructed
by Licensee on a case-by-case basis. On Licensee’s request, Processor shall hand over
such material to Licensee or store it on Licensee’s behalf.
(4) Any additional cost arising in connection with the return or deletion of Personal Data after
the termination or expiration of the Main Agreement shall be borne by Licensee.
§ 10
Information to demonstrate compliance; Audits
(1) The Processor shall regularly monitor compliance with the provisions of this Annex by
conducting its own reviews.
(2) At Licensee’s request, Processor makes available to Licensee the information necessary
to demonstrate compliance with the obligations under this Annex, in a commonly used
and machine-readable format. Such information can be in the form of a current
attestation, of reports or report excerpts from independent bodies (e.g., accountant,
auditor, data protection officer), an appropriate certification resulting from an IT security
audit or from a data protection audit (e.g., according to ISO 27001), or a certification
approved by the competent authority.
LE-FR-8568 Rev 3 - Feb 19, 2019
34
(3) The Licensee shall be entitled to assure itself, by way of inspections at the Processor,
that the Processor complies with the terms of this Annex, in particular with respect to
compliance with the provisions of the GDPR, and that adequate data security is
guaranteed within the meaning of this Annex as well as the implementation of technical
and organizational measures pursuant to Art. 32 GDPR. The Licensee may execute any
controls by third parties. For his consideration to perform inspections, the Licensee will
take into account the information already received under Section 10(2) of this Annex.
§ 11
Liability of Licensee and Processor
(1) As to the liability of the parties the terms and conditions of the Main Agreement shall
apply.
(2) Licensee shall indemnify and hold harmless in case third parties especially but not only
data subjects claim for damages alleging their rights had been harmed by Processor, but
Processor only acted within the scope of the instructions given by Licensee.
§ 12
Additional Costs, Duties to Inform, Mandatory Written Form, Choice of Law
(1) Any cost arising out of Processor’s performance under instructions outside the Main
Agreement’s scope of work shall be borne by Licensee.
(2) Where Licensee’s Personal Data becomes subject to search and seizure, an attachment
order, confiscation during bankruptcy or insolvency proceedings, or similar events or
measures by third parties while being Processed, Processor shall inform Licensee
without undue delay. Processor shall, without undue delay, notify to all pertinent parties
in such action, that any Personal Data affected thereby is in Licensee’s sole property
and area of responsibility, that Personal Data is at Licensee’s sole disposition, and that
Licensee is the controller.
(3) No change of or amendment to this Annex and all of its components, including any
commitment issued by Processor, shall be valid and binding unless made in writing and
unless they make express reference to being a change or amendment to these
regulations. The foregoing shall also apply to the waiver of this mandatory written form.
LE-FR-8568 Rev 3 - Feb 19, 2019
35
(4) This Annex is governed by the laws of the Federal Republic of Germany.
Exhibit 1
A list of Personal Data elements and the purpose of their Processing by Processor on behalf
of Licensee. The list shall state the extent, the nature and purpose of any contemplated
collection, Processing of data, the type of data, and the circle of data subjects.
Exhibit 2
An overview of the technical and organizational measures taken by Processor.
LE-FR-8568 Rev 3 - Feb 19, 2019
36
Exhibit 1 to Annex 4 of License Agreement
Scope, nature and purpose of the
Data Processing
Detailed description of the subject-matter of the contract in terms of extend, kind and purpose
of the service offered by FARO: Cloud-based storing, viewing and sharing service for 3D laser
scan data “SCENE WebShare Cloud” for the duration of the License Agreement (see License
Agreement).
1. Data Categories
Subject of acquisition, Processing of Personal Data are the following kind of data and data
categories:
Processed at FARO and Amazon Web Services:
- First name - Middle name - Last name - Email address - Username - User ID - Password
2. Data Subjects
- Customers
- Licensee’s or customers’ staff and employees
- Prospective customers
3. Processing Operations
• Storage, use and Processing of the above-mentioned data at FARO and in the
Amazon Web Services in order to provide, control and maintain the service which is
subject of this contract.
• FARO uses Amazon Web Services for storage, processing, data handling,
authorization and security.
LE-FR-8568 Rev 3 - Feb 19, 2019
37
Exhibit 2 to Annex 4 of License Agreement
Technical and organizational measures
in accordance with Art. 32 GDPR
Description of the Technical and Organizational Security Measures taken by
Processor.
Processor has implemented the following technical and organizational security measures to provide the on-going confidentiality, integrity, availability and resilience of processing systems and services:
1. Confidentiality Processor has implemented the following technical and organizational security to provide the confidentiality of processing systems and services, in particular:
• Licensee’s data is processed both on FARO premise as well as on remote server sites owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data processing equipment (namely telephones, database and application servers and related hardware). Cloud certifications can be obtained at https://aws.amazon.com/compliance/ and AWS GDPR DATA PROCESSING ADDENDUM at https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf ; Such certifications and measures may include:
- CSA
- ISO 9001, ISO 2701, ISO 2717, ISO 27018
- SOC1, SOC2, SOC3
- a layered security model, including safeguards like custom-designed electronics access cards, alarms, and perimeter fencings;
- data centers are monitored by CCTV;
- access logs and activity records;
- facilities hosting data centers are also routinely patrolled
- access to data centers requires security badges only approved employees with specific role may enter.
• Processor implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
- automatic time-out of user terminal if left idle, identification and password required to reopen;
- issuing and safeguarding identification codes to Processor’s online platform, requiring two-factor authentication for all users;
- letting Licensee and customers define individual user accounts with
LE-FR-8568 Rev 3 - Feb 19, 2019
38
permissions across Processor resources;
- industry standard encryption and requirements for passwords (minimum length, use of special characters, etc.); and
- all access to data content is logged, monitored, and tracked.
• Processor’s employees entitled to use its data processing systems are only able to access personal data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. This is accomplished by:
- employee policies and training;
- effective and measured disciplinary action against individuals who access personal data without authorization;
- limited access to personal data to only authorized persons;
- industry standard encryption; and
- policies controlling the retention of back-up copies.
2. Integrity
Processor has implemented the following technical and organizational security to provide the integrity of processing systems and services, in particular:
• Processor implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
- use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
- industry standard encryption; and
- avoiding the storage of personal data on portable storage media for transportation purposes and on company issued laptops or other mobile devices.
• Processor does not access any Licensee or customer content except as necessary to provide that Licensee with the Processor products and professional services it has selected. Processor does not access Licensee’s content for any other purposes. Accordingly, Processor does not know what content Licensees choose to store on its systems and cannot distinguish between personal data and other content, so Processor treats all Licensee content the same. In this way, all Licensee content benefits from the same robust Processor security measures, whether this content includes personal data or not.
3. Availability Processor has implemented the following technical and organizational security
LE-FR-8568 Rev 3 - Feb 19, 2019
39
measure to provide the availability of processing systems and services, in particular:
• Processor implements suitable measures to provide that personal data is protected from accidental destruction or loss. This is accomplished by:
- infrastructure redundancy;
- policies prohibiting permanent local (work station) storage of personal data; and
- performing regular data back-ups.
4. Resilience Processor has implemented the following technical and organizational security measures to provide the resilience of processing systems and services, in particular:
• performing regular data back-ups;
• hosting its website on multiple web servers located in different locations; and
• performing regular health tests on servers.
LE-FR-8568 Rev 3 - Feb 19, 2019
40
Revision History
Version Revision Date Revised By Brief Description of the Revision
1 Sept. 28, 2018 T. Mauch Initial Upload
2 Oct. 4, 2018 T. Mauch Updated Exs. 1 and 2 to Annex 4
3 Feb 19, 2019 E. Egan Updated Annex 2
4 Dec 09, 2019 E. Egan Updated License Agreement and
Annexes
5 Dec 13, 2019 R. Kemper Updated License Agreement and
Annexes