SUBSCRIPTION SERVICES AGREEMENT [INBOUND] SSA LinkedIn … · LinkedIn Confidential and Proprietary...

LinkedIn Confidential and Proprietary 1 ONLINE MSA Last updated: November 2017

SUBSCRIPTION SERVICES AGREEMENT [INBOUND]

This Subscription Services Agreement including its exhibits (“SSA”) governs each statement of work or order form signed by the LinkedIn entity and the supplier (“Supplier”) identified in that statement of work or order form. This SSA is between LinkedIn Corporation and LinkedIn Ireland Unlimited Company and their Affiliates (“LinkedIn”) and Supplier. 1. DEFINITIONS

1.1 “Affiliate” means an entity that controls, is controlled by, or is under common control with, a party.

1.2 “Documentation” means the generally available user manuals, online help files, training and other materials

describing the use, functionality or configurations of the applicable service or product provided by Supplier.

1.3 “Intellectual Property Rights” means patent rights (including patent applications and disclosures), copyrights (including rights in audiovisual works and moral rights), trademark rights, trade secret rights, and any other intellectual property rights recognized by the law of each applicable jurisdiction.

1.4 “LinkedIn Data” means any content, data and information that enter the Subscription Services by or on behalf of

LinkedIn or its Affiliates. “LinkedIn Data” also includes any content, data and information that is collected or generated by the Subscription Services that result from queries made by LinkedIn or its Affiliates.

1.5 “Order Form” means the ordering document in a form substantially similar to the one in Exhibit B and executed by

both parties.

1.6 “Professional Services” means any configuration, deployment, guided services, consultation, training services or similar services related to the Subscription Services provided by Supplier under this SSA.

1.7 “Services” means the Subscription Services and Professional Services provided to LinkedIn under this SSA. 1.8 “Software” means any downloadable software products and related Documentation provided by Supplier in

connection with the Subscription Services. 1.9 “Subscription Services” means the software as a service or other cloud-based offering made available to LinkedIn

via web access by Supplier, including any related Documentation and Software. 1.10 “Subscription Term” means one year from LinkedIn’s implementation and acceptance of the Subscription Services,

unless otherwise stated in the Order Form. 2. SERVICES

2.1 Ordering and Provision of Services. Supplier will provide LinkedIn with the Subscription Services described in an

Order Form for the duration of the Subscription Term. Supplier will provide the Professional Services, if any, described in a statement of work substantially similar in form to the one at: https://legal.linkedin.com/documents/current_SOW_US.pdf and executed by the parties (“SOW”). Each Order Form or SOW, together with this SSA, forms the entire agreement that applies to LinkedIn’s receipt of Services (“Agreement”). If any conflict exists between these documents, the Order Form or SOW will govern, followed by this SSA. LinkedIn may renew the Subscription Services at the same pricing as the initial Subscription Term, for up to 3 additional one-year terms, by submitting an Order Form to Supplier prior to the end of the then current term.

LinkedIn Confidential and Proprietary 2 Last Updated: November 2017

2.2 Access & Support. During the Subscription Term, Supplier will provide (a) the information necessary for LinkedIn and its employees, contractors and agents to access and use the Subscription Services; and (b) support for the Subscription Services as described in the Order Form.

2.3 Third Party Provider of Services. An Affiliate of Supplier, which executes an Order Form or SOW with LinkedIn to

provide Services under this SSA, will be deemed a “Supplier” for that transaction only and that Supplier-Affiliate and Supplier will be jointly and severally liable for Supplier-Affiliate’s performance under and compliance with the Agreement. Supplier may subcontract its obligations under the Agreement, in whole or in part, to a person or entity pre-approved in writing by LinkedIn (“Subcontractor”) only if Supplier will be solely liable to LinkedIn for Subcontractor’s performance under and compliance with the Agreement. Supplier will ensure that each Subcontractor discloses to LinkedIn the location of any LinkedIn Data in the Subcontractor’s possession or control.

2.4 Use Restrictions. LinkedIn will use commercially reasonable efforts to prevent any unauthorized use of the

Subscription Services and will promptly notify Supplier of any unauthorized use that comes to LinkedIn’s attention. If unauthorized use occurs by an individual who obtained access to the Subscription Services through LinkedIn, then LinkedIn will take reasonable steps to terminate the unauthorized use. Except as otherwise permitted in the Agreement, or as may be permitted by applicable law, LinkedIn will not (a) use the Subscription Services to provide services to third parties (e.g., act as a service bureau); (b) circumvent or disable any security features or measures of the Subscription Services; (c) decompile, disassemble or reverse engineer the Subscription Services; or (d) exceed its authorized use of the Subscription Services.

2.5 Professional Services.

A. Changes. If the parties agree in writing to changes to the scope of Services, the fees payable or the schedule on which Services will be provided, then the parties will document these changes in a form substantially similar to the one at: https://legal.linkedin.com/documents/current_CO_US.pdf (“Change Order”). If LinkedIn determines that the changes are substantial, then LinkedIn may require that the parties sign a separate SOW. Each party will use commercially reasonable efforts to ensure that any Subcontractor or Affiliate will promptly execute that separate SOW and perform acts as may reasonably be required for the purpose of giving full effect to any agreed upon changes to the Services.

B. Acceptance. Supplier will submit to LinkedIn the items specified in the SOW as deliverables of Supplier subject

to the schedule stated in the SOW (“Deliverable(s)”). If LinkedIn reasonably determines that a submitted Deliverable materially fails to meet the specifications or acceptance criteria stated in the SOW, if any (“Acceptance Criteria”), then LinkedIn will provide Supplier with a written statement of errors within 10 business days of receipt of that Deliverable. Supplier will use commercially reasonable efforts to promptly correct the errors at no additional cost to LinkedIn. Supplier will then redeliver the Deliverable to LinkedIn and the acceptance provision will be reapplied until LinkedIn accepts the Deliverable or terminates the applicable SOW or this SSA or both in accordance with section 5.

2.6 Feedback. LinkedIn is not obligated to provide Supplier with any suggestions, enhancement requests, or other

feedback about the Services or related technology. If LinkedIn does provide any feedback to Supplier, Supplier may use and modify the feedback without restriction or payment. However, the ownership rights to any feedback remain with LinkedIn.

3. CONFIDENTIAL INFORMATION 3.1 Definition. “Confidential Information” means any information or data disclosed under the Agreement that (a) if

tangible, is clearly marked as “Confidential” or with a similar designation; (b) if intangible, is identified by discloser as confidential at the time of disclosure and confirmed in writing to recipient as being Confidential Information; or (c) from the relevant circumstances should reasonably be known by recipient to be confidential. The existence of any business discussions or agreements between the parties, Supplier pricing, LinkedIn Data and Personal Data are


presumed Confidential Information. “Personal Data” means information about an individual that (x) can be used to identify, contact or locate a specific individual; (y) can be combined with other information that is linked to a specific individual to identify, contact or locate a specific individual; or (z) is defined as “personal data” or “personal information” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual. Recipient will protect Personal Data in accordance with this section 3 in perpetuity. With respect to Personal Data, including EU Personal Data (defined in Exhibit A), Supplier will also comply with the requirements in Exhibit A to this Agreement. All Confidential Information remains the property of discloser.

3.2 Exclusions. Confidential Information does not include any portion of the information or data that recipient can prove (a) was rightfully known to recipient before receipt from discloser; (b) was generally known to the public on the Effective Date; (c) becomes generally known to the public after the Effective Date, through no fault of recipient; (d) was received by recipient from a third party without any confidentiality obligation; or (e) was independently developed by recipient without breach of this section 3.

3.3 Limited Use and Non-Disclosure. Recipient will (a) use Confidential Information solely to fulfill its obligations under

the Agreement; (b) protect Confidential Information using the same degree of care it uses to protect its own confidential information of a like nature, but in no event less than a reasonable degree of care; (c) not disclose Confidential Information to any third party except to its employees, consultants, and agents who (i) have a need to know it in order to carry out its obligations under the Agreement, and (ii) are under written confidentiality and non-use obligations at least as restrictive as those stated in this SSA; and (d) not modify, reverse engineer, decompile, create other works from, or disassemble any Confidential Information. Supplier will use any Personal Data received from LinkedIn (whether or not it is publicly available) only as instructed by LinkedIn, solely for the purpose of providing the Services, and will not transfer or make available the Personal Data to third parties without LinkedIn’s prior written consent.

3.4 Compelled Disclosures. If Supplier is required to provide information to any applicable legal authority regarding

LinkedIn Confidential Information (“Request”), Supplier will direct the authority to work directly with LinkedIn. To the extent allowed by law, Supplier will (a) promptly notify LinkedIn of its receipt of the Request; (b) comply with LinkedIn’s reasonable requests regarding the processing of the Request; and (c) provide LinkedIn with the information or tools required for LinkedIn to respond to the Request. LinkedIn will reimburse Supplier for its assistance at the agreed time and materials rates. If LinkedIn needs to respond to litigation discovery, Supplier will lift any bandwidth, usage, or API cap placed on LinkedIn’s usage of the Subscription Services for that purpose. To the extent that Supplier is compelled to respond to a Request and is prohibited by law from notifying LinkedIn of such Request, Supplier shall (i) disclose only the minimum amount of LinkedIn Confidential Information requested; and (ii) take reasonable steps to ensure that the disclosure does not result in further disclosure of the requested information to improper or unauthorized parties or the public.

3.5 Independent Development / Return or Destroy. Recipient may independently design, develop, acquire, market,

service or otherwise deal in, directly or indirectly, products or services competitive with those of discloser or assign personnel for any purpose, only if in so doing recipient does not breach this section 3. Upon (a) discloser’s written request; (b) the termination or expiration of this SSA; or (c) the completion, abandonment or other ending of the Services under an Order Form or SOW, then recipient will promptly return or destroy all of discloser’s Confidential Information (including any data and output produced in connection with the processing of any Personal Data), excluding LinkedIn Data, in recipient’s (or its Subcontractor’s, Affiliate’s or agent’s) control. Subject to Clause 9 of Exhibit A, immediately upon completion, abandonment or other ending of the Services for which Personal Data (whether or not publicly available) was necessary, or upon LinkedIn’s request, whichever is earlier, all instances of the respective Personal Data in Supplier’s (or its Subcontractor’s, Affiliate’s or agent’s) control will be returned by Supplier to LinkedIn or destroyed, at LinkedIn’s option. Recipient will provide written certification from a qualified representative of its organization that the return or destruction, as applicable, was completed. If Supplier is required by applicable law to retain LinkedIn Confidential Information following expiration or termination of this Agreement, Supplier will: (i) retain only the LinkedIn Confidential Information and the copies thereof that Supplier is required by law to retain, (ii) not permit any person or entity to access LinkedIn Confidential Information retained pursuant to


this section 3.5 except to the extent required by law, and (iii) securely destroy all copies of LinkedIn Confidential Information as soon as Supplier is not required by law to retain them and provide written certification from a qualified representative of its organisation that the destruction was completed.

3.6 Remedies. If the Recipient discloses or uses (or threatens to disclose or use) any Confidential Information of the

Disclosing Party in breach of confidentiality protections hereunder, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the Parties that any other available remedies are inadequate.

4. INTELLECTUAL PROPERTY RIGHTS AND OWNERSHIP 4.1 Limited Rights. No right, title or interest in any Intellectual Property Rights transfers to the other party, except for

the limited rights stated in the Agreement. Supplier will not use LinkedIn’s copyrights or trademarks (including the LinkedIn name and the LinkedIn logo).

A. License Grant to LinkedIn Data. LinkedIn grants Supplier a limited, non-exclusive, non-transferable right and

license to use, process, and store LinkedIn Data to the extent necessary to provide the Services to LinkedIn.

B. License Grant to Software. Supplier grants LinkedIn a limited, worldwide, non-exclusive, non-transferable (except as otherwise stated in the Agreement) right and license to (i) download and execute the Software during the Subscription Term, and (ii) use the Documentation in perpetuity for its internal business purposes.

4.2 Ownership of Work Product of Professional Services. Unless otherwise stated in an SOW, as between the parties,

all Intellectual Property Rights in anything resulting from the Professional Services, including any Deliverables, and all associated derivatives, enhancements and modifications (“Work Product”) are the property of LinkedIn. Supplier assigns all rights, title and interest in the Work Product to LinkedIn and will render all reasonable assistance to LinkedIn, at LinkedIn’s expense, to secure, perfect, register and enforce those rights.

4.3 License Grant to Background Technology. In the course of performing its obligations under an SOW, Supplier may incorporate into the Work Product or use Supplier’s Background Technology. Therefore, Supplier grants LinkedIn a non-exclusive, royalty-free, irrevocable, perpetual, worldwide, sub-licensable, transferable license to use, reproduce, modify, offer to sell and sell, and distribute the Background Technology in connection with its use of the Work Product. “Background Technology” means the inventions, original works of authorship, developments, improvements, and trade secrets listed in the SOW that (a) Supplier can prove with written evidence were made by Supplier prior to engagement with LinkedIn or licensed by Supplier from a third party, or (b) Supplier does not have the right to assign or waive. Background technology does not include Supplier’s Subscription Services.

5. TERM AND TERMINATION 5.1 Term. This SSA is effective on the Start Date of the first Order Form or SOW processed under this SSA or the Effective

Date specified in this SSA (if any), whichever occurs first, and will continue until terminated. If Services continue to be provided under an Order Form or SOW after termination of this SSA, then this SSA will continue to be in effect until the Order Form or SOW is terminated or the obligations under the Order Form or SOW are completed.

5.2 Termination.

A. LinkedIn may terminate this SSA, an Order Form, or an SOW (or any combination of these) for any reason by providing 10 calendar days prior written notice to Supplier.

B. LinkedIn may immediately terminate this SSA, an Order Form, or a SOW (or any combination of these) if

Supplier breaches section 3 (Confidential Information), section 11 (Data Security), section 15 (Anti-Corruption), or Exhibit A (Data Protection Addendum). Alternatively, at LinkedIn’s option, LinkedIn may suspend its usage


of the Services following a breach of any of the foregoing sections and LinkedIn shall be entitled to a refund or extension of the term, as applicable at LinkedIn’s option, for the time period it takes Supplier to cure the non-compliance giving rise to suspension to LinkedIn’s reasonable satisfaction.

C. LinkedIn may immediately terminate this SSA, an Order Form, or a SOW (or any combination of these) if

LinkedIn experiences two or more priority one errors described in the support documentation, which takes Supplier more than 24 hours to resolve on each occurrence, during a twelve-month period.

D. Supplier may terminate this SSA, an Order Form, or an SOW (or any combination of these) if LinkedIn materially

breaches the Agreement and fails to cure the breach within 30 calendar days after receiving notice of that breach.

E. The termination of any one particular Order Form or SOW will not terminate this SSA. F. These termination rights are (a) absolute and neither party will be liable to the other for any resulting

compensation, reimbursement or damages; and (b) in addition to any other rights or remedies available to a party.

5.3 Effect of Termination.

A. Supplier Obligations. Upon expiration or termination of this SSA, an Order Form or an SOW, Supplier will

promptly (a) return or destroy all of LinkedIn’s Confidential Information (including any data and output produced in connection with the processing of any Personal Data) in accordance with section 3; (b) terminate its provision of the applicable Services and submit to LinkedIn all Deliverables in their state of completion as of the termination date; (c) provide any transitional assistance reasonably required by LinkedIn, including assistance with any data migration and data formats; and (d) refund to LinkedIn any pre-paid amounts for Services that were not provided as of the termination date.

B. LinkedIn Obligations. Upon expiration or termination of this SSA, an Order Form or an SOW, LinkedIn will

promptly (a) return or destroy all of Supplier’s Confidential Information in accordance with section 3; and (b) pay Supplier for Subscription Services used prior to the date of termination and for Professional Services provided (and accepted, if applicable) prior to the date of termination as follows: For Professional Services performed on an hourly basis, LinkedIn will pay Supplier for Professional Services provided prior to the date of termination, plus any Approved Expenses (defined in section 12.3); and for Professional Services performed on a fixed fee basis, LinkedIn will pay Supplier on a “percentage complete” basis, taking into account any applicable project milestones, as reasonably determined by LinkedIn, plus Approved Expenses incurred prior to the date of termination. All payments by LinkedIn are subject to any “not to exceed” amounts stated in the applicable Order Form or SOW.

C. Survival. The provisions of this SSA that by their nature extend beyond the termination of this SSA, will survive

the termination of this SSA.

6. WARRANTIES 6.1 Mutual Warranties. Each party represents and warrants that (a) it will comply with all applicable laws, orders, codes

and regulations, including all privacy laws and U.S. sanctions laws, in its performance under the Agreement; and (b) in entering into the Agreement it does not rely on any promise, statement, representation or warranty (whether in writing or not) of any person (whether party to the Agreement or not) relating to the subject matter of the Agreement, other than as stated in the Agreement.

6.2 Subscription Services Warranties. Supplier represents and warrants that (a) the Subscription Services will materially conform to any related documentation provided by Supplier; (b) functionality of the Subscription Services will not


degrade during the initial term or any subsequent renewal term; and (c) Supplier has and will retain the full right, power, and authority to perform its obligations and grant the rights and licenses under the Agreement. If Supplier receives notice and a description of a material non-conformity or degradation in the Subscription Services, then Supplier will use best efforts to promptly correct the issue(s) at no additional charge to LinkedIn. Supplier represents and warrants that the Subscription Services do not and will not contain any viruses, disabling code, or similar programs or mechanisms designed to materially disrupt, modify, delete, harm or otherwise materially impede the operation of the Subscription Services (“Destructive Elements”). If the Subscription Services contain any Destructive Elements, Supplier will use commercially reasonable efforts to immediately eliminate the Destructive Elements.

6.3 Professional Services Warranties. Supplier represents and warrants that (a) it will perform the Professional Services

in a diligent and workmanlike manner and in accordance with current industry standards and the Agreement; (b) Work Product will conform to the related plans, specifications and other documents prepared by or for Supplier; (c) it has acquired and will acquire all rights necessary for LinkedIn’s (i) use and ownership of the Work Product in accordance with the Agreement, and (ii) use of any third party products provided by Supplier; (d) as of its date of delivery, Work Product is not subject to litigation; and (e) other than as explicitly stated in the SOW, the Work Product will not include any software or copyrightable materials of any third party that are subject to any open source license, creative commons license or similar terms.

7. INDEMNITY 7.1 Definition. “Claims” means claims, demands, proceedings, regulatory actions, liabilities, losses, causes of action,

damages, fines, judgments, and settlements, including reimbursement of all reasonable expenses, including legal fees and expenses.

7.2 Indemnification. Supplier will defend, indemnify and hold LinkedIn Corporation, LinkedIn Ireland Unlimited

Company, their Affiliates, and their respective officers and directors harmless from and against:

A. any Claims arising directly or indirectly from (a) any material breach of the Agreement by Supplier, its Affiliates, employees, contractors, agents, or Subcontractors; (b) any willful misconduct or negligent act or omission by Supplier, its Affiliates, employees, contractors, agents, or Subcontractors, including injuries or death to persons or damage to property; or (c) the actual or alleged infringement or misappropriation of any third party’s Intellectual Property Rights resulting from LinkedIn’s use of the Work Product or Services. Should the Work Product or Services become (or in LinkedIn’s opinion be likely to become) the subject of an infringement claim, Supplier will, at its sole expense, promptly: (x) procure for LinkedIn the right to continue using the relevant Work Product and Services; (y) replace or modify the relevant Work Product or Services so that it becomes non-infringing while providing equivalent functionality and performance; or (z) if (x) and (y) are not commercially reasonable options, terminate the Agreement or any relevant Order Form or SOW and refund any amount paid by LinkedIn for Services that were not delivered; or

B. any Claims arising directly or indirectly from any breach of section 11 (Data Security) or breach of Exhibit A

(Data Protection) by Supplier, its Affiliates, employees, contractors, agents or Subcontractors.

7.3 Indemnification Procedures. LinkedIn will notify Supplier in writing of any indemnified Claim within 10 business days of receipt of that Claim to allow Supplier to investigate and defend the matter. However, failure to give the notice will only relieve Supplier of its indemnity obligations to the extent Supplier is prejudiced by the failure. Supplier will have sole control of the defense and all negotiation for any settlement or compromise of any indemnified Claim provided that (a) no indemnified Claim may be settled or compromised by Supplier without LinkedIn’s prior written consent, unless the settlement or compromise includes a release of all claims against LinkedIn by the party bringing the claim or action; and (b) LinkedIn may by providing written notice to Supplier (i) within forty (40) business days of service of notice by LinkedIn of receipt of an indemnified Claim; or (ii) at any time where LinkedIn determines that Supplier has refused or failed to assume control of the defense or to diligently pursue the defense thereafter, assume sole control of the defense and all negotiation for any settlement or compromise of such Claim in such a manner as


LinkedIn may deem appropriate, at Supplier’s sole expense. Each party will have the right, at its sole expense, to participate in the legal proceeding where the other party is controlling the defense, with counsel of its own choosing. Furthermore, at Supplier’s expense, each party will assist and cooperate in the defense of an indemnified Claim as reasonably requested by the party controlling the defense.

8. LIMITATION OF LIABILITY

8.1 Damages Waiver. Neither party will be liable to the other for any loss of business opportunities, lost profits and for

any indirect, special, collateral, incidental, consequential, or punitive damages, however caused on any theory of liability, whether based on breach of contract, strict liability, warranty, tort (including negligence and breach of statutory duty) or otherwise, and whether or not the party has been advised of the possibility of that damage.

8.2 Exceptions. The limitations in section 8.1 will not apply to either party’s liability for gross negligence or intentional misconduct, death or personal injury, breach of section 3 (Confidential Information), breach of section 11 (Data Security), breach of Exhibit A (Data Protection), any indemnification obligations under this Agreement, breach of its obligations under applicable law, or infringement or misappropriation of the other party’s Intellectual Property Rights.

9. DISPUTE RESOLUTION 9.1 Governing Law. If an issue arises under the Agreement (including non-contractual disputes or claims) and the

applicable SOW was signed by a LinkedIn entity in (a) North America or South America (excluding Brazil), then the Agreement is governed by the laws of the State of California, and any action or proceeding related to the Agreement (including those arising from non-contractual disputes or claims) will be brought in a federal court in the Northern District of California; (b) any country other than those in North America or South America, Asia Pacific Countries or Brazil, then the Agreement is governed by the laws of Ireland, and any action or proceeding related to the Agreement (including those arising from non-contractual disputes or claims) will be brought in Dublin, Ireland; or (c) Brazil or Asia Pacific Countries, then please see https://legal.linkedin.com/documents/current_governinglaw_intl.pdf for applicable dispute resolution provisions. Each party irrevocably submits to the jurisdiction and venue of the applicable courts. The prevailing party in any litigation may seek to recover its legal fees and expenses.

9.2 Injunctive Relief. Nothing in the Agreement prevents a party from seeking a temporary restraining order or

injunctive or other equitable relief with respect to a breach or attempted breach of the Agreement by the other party, without the requirement of posting a bond, in addition to any remedies available at law.

10. INSURANCE COVERAGE 10.1 General. Supplier will maintain adequate insurance as required by law to cover Supplier’s obligations under the

Agreement. Coverages will be placed with insurers who have an AM Best rating of A VIII or better. Supplier’s insurance will include a waiver of the insurer’s subrogation rights against LinkedIn, unless prohibited by law.

10.2 Minimum Coverages. Supplier will maintain the following minimum coverages: If Supplier has employees, employer’s liability in an amount of USD $1,000,000 per occurrence and workers’ compensation insurance in accordance with law; property insurance for any LinkedIn property under the control of Supplier, Supplier’s Affiliates or Sub-Contractors; commercial auto liability insurance covering any auto used in or around LinkedIn premises or in the performance of Services; commercial general liability insurance in the amount of USD $1,000,000 per occurrence for bodily injury and property damage, naming LinkedIn as additional insured; umbrella liability insurance, with employer’s liability, auto liability and commercial general liability in the amount of $3,000,000 if the SOW is more than $300,000 or $5,000,000 if the SOW is more than $500,000; professional liability insurance in the amount of $1,000,000 annual aggregate, or $3,000,000 annual aggregate if the SOW is more than $500,000, or $5,000,000 annual aggregate if the SOW is more than $1,000,000; and cyberliability or errors and omissions insurance providing cybersecurity, privacy, and data protection liability of not less than $5,000,000 per incident.


10.3 Affiliates and Subcontractors. Supplier will cause Supplier’s Affiliates and Sub-Contractors to maintain adequate

health, auto, unemployment compensation, liability, disability, and other insurance as required by law to cover Supplier’s obligations under the Agreement.

10.4 Evidence of Insurance. Supplier will provide to LinkedIn certificates of insurance prior to commencement of Services

under any Order Form or SOW and upon renewal or replacement of required policies. LinkedIn’s failure to receive any certificates of insurance provided by Supplier will not relieve Supplier of the obligation to provide the insurance coverages required in this section 10.

11. DATA SECURITY 11.1 General Security Measures. Supplier will comply with industry standard security measures (including with respect

to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Personal Data while in transit and at rest and any other organizational and technical measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of LinkedIn Data), as well as with all applicable data privacy and security laws, regulations and standards. Upon reasonable notice to Supplier, and at LinkedIn’s sole expense, LinkedIn (or a third-party auditor selected by LinkedIn) may perform an audit to verify Supplier’s compliance with the terms of this section 11.

11.2 Incidents. Supplier will notify LinkedIn of any suspected security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to LinkedIn Confidential Information or non-confidential information that is in the possession, custody, or control of Supplier or any Supplier subcontractor (“Incident”) within 24 hours of an Incident (or, if applicable, within any shorter time period required by law) by e-mail at [email protected] and by sending a confirmation by mail under the notice provision in section 18. Further, if Supplier becomes aware of any other breach of security that may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to LinkedIn Confidential Information or non-confidential information, Supplier must promptly (and in no event later than 48 hours following such discovery) notify LinkedIn by email at [email protected]. In the event of an Incident, Supplier will promptly (i) provide reasonable assistance to LinkedIn in (a) investigating and remediating the Incident and (b) responding to any dispute, inquiry, or claim concerning the Incident, and (ii) reimburse LinkedIn for all expenses incurred by LinkedIn in connection with investigating, remediating and providing notice regarding the Incident. Supplier and LinkedIn will work together as reasonably necessary to identify and implement additional security measures in response to an Incident.

11.3 Contact Information. In each Order Form, Supplier will designate a point of contact for security matters related to

the Subscription Services and Supplier’s compliance with the data security requirements. The point of contact may be an individual or department. Supplier will provide a phone number or email address or both for the point of contact (i.e., [email protected] or [email protected]). Supplier will promptly notify LinkedIn of any change to the point of contact.

11.4 Personnel. Supplier shall be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of

all Supplier personnel with respect to Confidential Information and Personal Data and liable for any failure by such Supplier personnel to meet the terms and conditions of this Agreement. Supplier shall take reasonable steps to confirm that all Supplier personnel are protecting the security, privacy and confidentiality of LinkedIn consistent with the requirements of this Agreement.

11.5 Policies. Prior to performing any Services and annually after that, Supplier will provide LinkedIn with its business

continuity and disaster recovery policies, incident response policy, network security policy, and data flow diagram in an industry standard format.


11.6 Log System. With respect to systems relevant to LinkedIn services or data, Supplier will maintain a comprehensive log system to capture audit logs for all user and administrator actions, including successful and failed authentication attempts, session creation and termination times, and source IP address from where each access request is originating. Supplier will maintain a comprehensive log system to capture physical access requests and related actions at all facilities where LinkedIn Data is stored. Supplier will retain log data for a minimum of one year following the access request. Supplier will provide (or make available to LinkedIn Subscription Service administrators) a report of the audit log history upon LinkedIn’s reasonable request. Logs will be encrypted at rest with strong encryption technology.

11.7 Assessments. At least once per year and after any significant change is made to Supplier's network infrastructure, application, or software/hardware, Supplier will, at its sole expense, conduct or obtain (i) a third party manual and automated application security assessment, (ii) a network vulnerability assessment, and, (iii) if Supplier provides compiled code (a binary) or a physical or virtual appliance to be run on-premise at LinkedIn, a security assessment of this software and/or hardware (“Assessments”). Supplier will provide LinkedIn with the Assessment report within 30 days of completing the Assessment. Supplier will respond promptly to any LinkedIn inquiries or requests related to the Assessments. All results of Assessments (not just executive summaries) will be made available to LinkedIn. Upon reasonable notice to Supplier, at LinkedIn’s sole expense, LinkedIn (or a third party selected by LinkedIn) may perform an Assessment once per calendar year and after the finding of any Critical-Risk or High-Risk vulnerability by LinkedIn, Supplier, or a third party.

11.8 Performance.

A. Remediation of Vulnerabilities. LinkedIn, Supplier, or a third party may find vulnerabilities in Supplier’s product, service, or network at any time. Once a vulnerability has been discovered, LinkedIn requires the service level agreements stated below from Supplier. Supplier will disable LinkedIn’s instance of a cloud/hosted service immediately upon request in response to a vulnerability.

Severity Level Remediation Time Critical-Risk Remediation within 24 hours High-Risk Remediation in 5 business days Medium-Risk Remediation in 15 business days Low-Risk Remediation in 30 business days

B. Classification of Vulnerabilities. Supplier will perform a risk assessment and classify all vulnerabilities by

severity level within 24 hours of identification, using the Common Vulnerability Scoring System (CVSS) v.2 or such other computer system security vulnerabilities risk assessment methodology generally used in the industry and acceptable to LinkedIn. Notwithstanding the methodology used, Supplier and LinkedIn agree that all of the following are Critical-Risk vulnerabilities: (i) any bug that allows for circumvention of the authentication mechanism; (ii) any bug that enables disclosure of credential information, including usernames, passwords, or API tokens; (iii) any bug that allows for an attacker to run arbitrary code, including SQL injection, cross-site scripting (XSS) cross-site request forgery (CSRF), and remote code execution; (iv) any report of the application logging confidential data including confidential data not required for the log's purpose, passwords, or API tokens; and (v) any bug that affects log data or enables an attacker to destroy existing log data or prevent logging of their actions. If a vulnerability is not classified within 24 hours or using an acceptable methodology, LinkedIn may determine severity levels based on its internal standards.

11.9 Additional Data Security Requirements. In addition to the requirements listed above, Supplier will implement the following data security measures requested by LinkedIn: Not Applicable.


12. PAYMENT AND INVOICING; TAXES; EXPENSES 12.1 Payment and Invoicing. LinkedIn will pay the fees stated in the applicable Order Form or SOW for the Services. For

Professional Services provided at an hourly rate, Supplier will invoice LinkedIn in arrears on or before the 10th of the month following the month in which the Professional Services were accepted. For Professional Services provided on a fixed fee basis, Supplier will invoice LinkedIn on the schedule stated in the applicable SOW. LinkedIn will pay Supplier within 60 calendar days after receipt of an accurate and undisputed invoice. LinkedIn has no obligation to pay any invoice received 180 days or more days after the date Supplier was required to invoice LinkedIn under this SSA or any applicable Order Form or SOW. LinkedIn may withhold payment for any amount that is in dispute if LinkedIn pays the undisputed portion of the invoice within the 60 days. Supplier will not withhold or delay any Subscription Services or associated support or fail to perform any other services or obligations based on LinkedIn’s withholding of fees or any other good faith dispute between the parties. Supplier may submit invoices electronically if permitted by local government regulations. LinkedIn will pay in the currency stated in the Order Form or SOW. However, LinkedIn reserves the right to pay in United States (“U.S.”) dollars. LinkedIn is not responsible for payment of any fees for work performed or services provided by Supplier until the parties execute an Order Form or SOW.

12.2 Taxes. Unless LinkedIn provides Supplier with a valid tax exemption certificate, LinkedIn will pay or reimburse Supplier for all federal, state, and local taxes, including sales, use, gross receipts, VAT, GST, or similar transaction taxes. All transaction taxes payable by LinkedIn will be separately stated and exclusive of the price. LinkedIn is not liable for taxes that are statutorily imposed on Supplier, including taxes or fees measured by Supplier’s net or gross income. If Supplier is incorporated or resident outside the U.S., Supplier represents and warrants that (a) the Services will be performed outside the U.S. and the invoice will state that the Services were performed outside the U.S.; or (b) if any of the Services are performed in the U.S., Supplier will state that in the invoice and provide a breakout of Services performed inside and outside the U.S. Supplier will provide the withholding tax forms requested by LinkedIn and submit to any withholding required under U.S. tax rules.

12.3 Expenses. If specified in an SOW, applicable out-of-pocket living, travel, and similar expenses incurred by Supplier in performing the Services will be reimbursed by LinkedIn in accordance with LinkedIn’s travel and expense reimbursement policies only if the expenses are pre-approved in writing by LinkedIn and incurred by Supplier prior to termination of this SSA or the applicable SOW (“Approved Expenses”).

13. SUPPLIER PERSONNEL 13.1 Qualifications. Supplier will provide sufficient, qualified personnel who are capable of performing all of Supplier’s

obligations under the Agreement.

13.2 Background Checks. Supplier represents and warrants that it has conducted background checks appropriate for the type of Services to be performed for its personnel performing Services, and which, at the least, were sufficient to confirm that the personnel do not appear on applicable U.S. Government export exclusion lists and to verify academic credentials. Country-specific minimum standards for background checks are available upon request by Supplier. Upon LinkedIn’s request, Supplier will provide proof of the personnel background checks.

13.3 Replacements. Supplier will not remove any personnel listed by name or title in the SOW, without the prior written

consent of LinkedIn, except when removal is necessary because of the resignation, death or illness, or family leave requirements of the personnel. If Supplier must remove personnel for these acceptable reasons, then Supplier will provide LinkedIn with (a) reasonable prior notice of the removal; (b) reasons for the removal; and (c) reasonable further assurances of its ability to provide suitable replacement personnel. LinkedIn may refuse the assignment of any personnel to perform Services, or may request that personnel be removed for any reasonable basis, including unsatisfactory performance as determined by LinkedIn or LinkedIn’s clients. Supplier will replace removed personnel as soon as commercially feasible with a resource reasonably acceptable to LinkedIn.


13.4 Access to LinkedIn Sites or Systems. If personnel of Supplier or Subcontractor will require access to LinkedIn premises or LinkedIn equipment, systems, applications or networks, such personnel must comply with LinkedIn policies and all applicable laws and regulations while performing Services and will be required to execute LinkedIn’s standard resource access agreement acknowledging these obligations as a condition of their receiving such access.

14. COMPLIANCE WITH EMPLOYMENT LAWS. LinkedIn is a federal contractor. If applicable, the Equal Opportunity

Clauses stated in 41 C.F.R. parts 60-1.4(a), and the employee notice found at 29 C.F.R. Part 471, Appendix A to Subpart A, are incorporated into this SSA by reference. If applicable, Supplier will abide by the requirements of 41 CFR §§ 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals on the basis of protected veteran status or disability and require affirmative action by covered prime contractors and subcontractors, to employ and advance in employment, qualified protected veterans and individuals with disabilities. Executive Order 13658, Establishing a Minimum Wage for Contractors, and its implementing regulations, including the applicable contract clause (available at 29 C.F.R. § Pt. 10, App. A), are incorporated into this SSA by reference.

15. ANTI-CORRUPTION. LinkedIn is subject to various anti-bribery statutes in the U.S. and around the globe, including the US Foreign Corrupt Practices Act and the UK Bribery Act. Supplier represents and warrants that, in connection with the Services, Supplier (a) has not done and will not do anything to violate these laws and other related laws in the jurisdictions in which Supplier operates on LinkedIn’s behalf; (b) has implemented its own anticorruption policy (or agrees to be bound by LinkedIn’s) and will take proportionate, risk-based procedures to abide by its (or LinkedIn’s) anticorruption policy for the term of the Agreement; and (c) will furnish to LinkedIn future certifications confirming compliance with this section upon LinkedIn’s request.

16. FORCE MAJEURE. Neither party will be liable for any delay or failure in performance due to acts of God, earthquake,

flood, riots, fire, epidemics, strikes or threat of strikes (excluding any such strike, labor dispute or work stoppage that involves their respective employees or agents) war or terrorism where such occurrence renders it unable to perform. The affected party will immediately notify the other party of such occurrence and will use all reasonable efforts to recommence performance as soon as possible. The obligations and rights of the affected party will be extended on a day-to-day basis for the time period equal to the period of the excusable delay. If Supplier is unable to perform for a period in excess of fifteen days due to such excusable delay, LinkedIn may terminate the Agreement upon five days written notice to Supplier without penalty or similar financial obligations and Supplier shall promptly refund LinkedIn the unused portion of any prepaid fee for the Services.

17. ETHICAL CONDUCT. Supplier agrees that it will, and it will require that its employees and agents and any

Subcontractors and their employees and agents, (a) substantially comply with the most current version of LinkedIn’s Supplier Code of Conduct, which is available at https://suppliers.linkedin.com/content/suppliers/Supplier-info or (b) comply with its own code of business standards, provided such standards are substantially similar or exceed the ethical standards in LinkedIn's Supplier Code of Conduct. Supplier will furnish to LinkedIn certification of compliance with this section upon LinkedIn’s request.


18. MISCELLANEOUS. The parties will provide notices under the Agreement in writing and will deliver them by

commercial overnight courier to the address of the other party stated on the Order Form or SOW, “Attention Legal Department”, except as otherwise stated in the Agreement. Notices are effective on the date of delivery as indicated in the records of the courier. Non-legal notices (e.g. a notice of termination for convenience) can also be delivered by email. Email notices are effective on the date the recipient acknowledges receipt of an email notice from the other party. The Agreement does not create a partnership, agency relationship, or joint venture between the parties. LinkedIn and Supplier are independent contractors and have no power or authority to bind the other or to create any obligation or responsibility on behalf of the other. Under no circumstances will any employee of one party be deemed to be the employee of the other for any purpose. Neither party may issue a press release nor other type of announcement related to the Agreement without the prior written consent of the other party. Neither party may assign the Agreement in whole or in part without the other party’s prior written consent (which consent will not be unreasonably denied, delayed or conditioned) except to its own Affiliate or to a purchaser of substantially all of its assets or stock. Any attempted assignment in violation of this restriction will be void. If the Agreement is translated into a language other than English, the translation is for convenience only, and the English language version will govern. If any provision of the Agreement is unenforceable, that provision will be modified to render it enforceable to the extent possible to give effect to the parties’ intentions and the remaining provisions will not be affected. If executing this SSA the parties may execute it electronically and in counterparts. Each counterpart is deemed to be an original which, taken together, comprise a single document. The parties may amend the Agreement only in a written amendment signed by both parties. LinkedIn’s use of the Services may be impacted by changes in applicable law that result in the need to amend this SSA. Supplier will make reasonable efforts to promptly execute amendments required by such changes. Each party represents and warrants that the individual binding a party under this SSA and any Order Form or SOW is authorized to do so.


EXHIBIT A DATA PROTECTION ADDENDUM

This Exhibit A applies to the processing of Personal Data by Supplier including, without limitation, Personal Data relating to data subjects located in the European Union (“EU Personal Data”). As between the parties, with regard to EU Personal Data, LinkedIn Ireland Unlimited Company is a Data Controller and Supplier may be either a Data Processor for a LinkedIn entity located in the EU or a Subprocessor to LinkedIn Corporation with regard to EU Personal Data. “Data Controller”, “Data Processor”, “subprocessor”, “Supervisory Authority”, “data subject” and “process” have the meanings given in the relevant Data Protection Requirements. In the event of a conflict between this Exhibit and any other terms in the Agreement, the terms of this Exhibit A will govern. 1. NATURE OF DATA PROCESSING. The subject matter of the data processing, including the processing operations carried out by Supplier on behalf of LinkedIn and LinkedIn’s data processing instructions for Supplier, will be described in each SOW, which form integral parts of the Agreement.

2. COMPLIANCE WITH LAWS. The parties shall each comply with their respective obligations under all applicable laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data (“Privacy Laws”). More specifically, and without limiting the foregoing, with regard to EU Personal Data, the parties will comply with each of their respective obligations under the EU Data Protection Directive 95/46/EC (as amended), (the “Directive”), any subordinate legislation and regulation implementing the Directive which may apply (“Local Data Protection Laws”), and, as of 25 May 2018 and thereafter, the European Union Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation”) and any subordinate legislation and regulation implementing the General Data Protection Regulation which may apply (collectively, with Privacy Laws, the “Data Protection Requirements”). Both parties warrant that if and to the extent legally required, they will obtain, and at all times maintain, a registration under the applicable Data Protection Requirements appropriate to the performance of their obligations under the Agreement.

3. OBLIGATIONS OF THE DATA CONTROLLER. LinkedIn, in its capacity as a Data Controller, shall:

3.1. provide instruction to Supplier and determine the purposes and general means of Supplier’s processing of Personal Data on behalf of LinkedIn under the Agreement; and

3.2 comply with its personal data protection, data security and other obligations prescribed by Data Protection Requirements for Data Controllers by, without limitation, meeting its obligations under Data Protection Requirements to:

A. establish and maintain a procedure for the exercise of the rights of the individuals whose EU Personal Data are processed on behalf of LinkedIn;

B. process only data that have been lawfully and validly collected and ensure that such data will be relevant and proportionate to the respective uses; and

C. ensure compliance with the provisions of this Exhibit A by its personnel and by any person accessing or using Personal Data on its behalf.

4. OBLIGATIONS OF THE DATA PROCESSOR.


4.1 Supplier, in its capacity as a Data Processor or subprocessor of Personal Data, shall:

A. process Personal Data solely for the purposes described in the Agreement and in compliance with the instructions received from LinkedIn and the Agreement and will not use or process the Personal Data for any other purpose. If Supplier cannot comply with these requirements, it will promptly inform LinkedIn, and LinkedIn is entitled to immediately terminate the Agreement or to take any other reasonable action, including the suspension of data processing operations; B. inform LinkedIn immediately if, in Supplier’s opinion, an instruction from LinkedIn violates applicable Data Protection Requirements; C. if Supplier is collecting Personal Data from individuals on behalf of LinkedIn, follow LinkedIn’s instructions with regard to such Personal Data collection (including with regard to the provision of notice and exercise of choice);

D. adopt and maintain appropriate security measures (including organizational and technical measures), including those specified in section 11 of the SSA and Schedule A to this Exhibit A; E. take all commercially reasonable steps to ensure that: (i) persons employed by it and (ii) other persons engaged to perform on Supplier’s behalf comply with the terms of the Agreement; F. encrypt all Personal Data which is processed by Supplier to the extent required under the Data Protection Requirements;

F. ensure that its employees, authorized agents and any subprocessors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Personal Data, including after the end of their employment, contract or at the end of their assignment

G. if it intends to engage one or more third parties acting on its behalf [“subprocessor”] to help it to satisfy its obligations in accordance with this Exhibit A or to delegate all or part of the processing activities to such subprocessors, (i) obtain the prior consent of LinkedIn to such subcontracting, such consent to not be unreasonably withheld; (ii) remain responsible, and liable, to LinkedIn for the subprocessors’ acts and omissions with regard to data protection; and (iii) enter into contractual arrangements with such approved subprocessors requiring them to guarantee the same level of data protection compliance and information security to that provided for herein; H. have a business continuity plan in the event Supplier ceases operations; I. provide LinkedIn with its privacy and security policies; and J. inform LinkedIn if an independent security review has been or will be conducted.

4.2. Supplier shall inform LinkedIn without delay if Supplier becomes aware of:

A. any non-compliance by Supplier or its employees with this Exhibit A or the Data Protection Requirements relating to the protection of Personal Data processed under this Exhibit A;

B. any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;


C. any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or

D. any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from the data subjects. Supplier shall not respond to any such request without LinkedIn’s prior written authorization.

4.3 Supplier further agrees to notify LinkedIn of any suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Personal Data Breach”) by Supplier, subprocessors and/or any other third parties acting on Supplier’s behalf without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach.

4.4. Supplier shall assist LinkedIn without delay regarding:

A. any requests from data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Personal Data. In the event that a data subject sends such a request directly to Supplier, Supplier will pass it on to LinkedIn without delay;

B. the investigation of Personal Data Breaches and the notification to the Supervisory Authority and data subjects in respect of such breaches; and

C. the preparation of data protection impact assessments and, where applicable, carrying out consultations with any Supervisory Authority.

4.5. If Supplier is required by Data Protection Requirements to process any Personal Data, Supplier shall inform LinkedIn of this requirement in advance of any processing, unless Supplier is legally prohibited from informing LinkedIn of such processing.

4.6 HIPAA. If Supplier processes Protected Health Information (“PHI”), as defined in the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations, as amended, on behalf of LinkedIn, Supplier shall, in addition to the obligations set forth in this Agreement, (i) enter into a form of business associate agreement with LinkedIn prior to the processing of any such PHI and (ii) make its internal practices, books and records relating to the use and disclosure of PHI available to the U.S. Department of Health and Human Services, as may be required by HIPAA or by LinkedIn.

4.7 PCI DSS. If Supplier will process any payment card information from or on behalf of LinkedIn, the following terms apply: Supplier shall at all times comply with the then-current Payment Card Industry Data Security Standard (“PCI DSS”) and any similar data security standards that may be imposed by federal, state or local law. Supplier will have an annual assessment performed by a qualified security assessor certified by the PCI Security Standards Council (“QSA”). Upon request by LinkedIn, Supplier will provide LinkedIn with a PCI Attestation of Compliance (“AOC”) or such other documentation as reasonably requested by LinkedIn to evidence Supplier’s continuing compliance.

5. AUDIT; CERTIFICATION. If the relevant data protection Supervisory Authority is required by law or regulation to audit the data processing facilities from which Supplier processes Personal Data in order to ascertain and/or monitor compliance with Data Protection Requirements, then Supplier will cooperate with the audit. LinkedIn will reimburse Supplier for its reasonable expenses incurred to cooperate with such an audit. For the purposes of this section, “Supervisory Authority” has the same meaning as given by Article 28 of the Directive or, from 25 May 2018, Article 51 of the General Data Protection Regulation. An officer of Supplier must certify compliance with this Exhibit in writing at least


once every calendar year. In addition to, and not in substitution for, its obligations in section 11.7 of the Agreement, Supplier (i) must certify compliance with this Exhibit A in writing at least once every calendar year and (ii) shall make its data processing facilities used for activities falling within the scope of this Exhibit A available for audit by LinkedIn or another auditor approved by LinkedIn, upon LinkedIn’s reasonable request.

6. DATA TRANSFERS. If Supplier is based outside or intends to transfer EU Personal Data outside the EEA and European Commission-approved countries, Supplier must provide at least the same level of privacy protection for EU Personal Data as required under the Standard Contractual Clauses (Processors) (“SCCs”) in the Annex to the European Commission Decision of February 5, 2010, which is incorporated into this Agreement by reference. As between the parties, Supplier may be either a Data Importer for a LinkedIn entity located in the EU or a subprocessor to LinkedIn Corporation with regard to EU Personal Data. Data subjects whose EU Personal Data are processed by Supplier are third party beneficiaries under the clauses. The parties agree that Appendix 1 of the SCCs shall be completed with the relevant information and attached to the relevant SOW in accordance with Clause 2, and that Schedule A to this Exhibit A shall apply as Appendix 2 for each set of SCCs entered into under this Agreement. If Supplier is unable to comply with this requirement, then EU Personal Data will be processed and used exclusively within the territory of a Member State of the European Union and any movement of EU Personal Data to a non-EU country requires the prior written consent of LinkedIn.

7. SPECIAL DATA PROTECTION PROCEDURES. LinkedIn may from time to time provide Supplier with reasonable written guidelines, rules, and/or procedures for accessing, using, storing, and handling certain or all LinkedIn data, equipment, systems, or facilities (“Special Privacy and Data Protection Procedures”). Supplier will comply with all applicable Special Privacy and Data Protection Procedures when accessing LinkedIn data, equipment, systems, or facilities. Supplier will make Special Privacy and Data Protection Procedures available to all relevant Supplier Personnel and any subprocessors and will provide an appropriate level of supervision and training to relevant Supplier Personnel on the procedures required by the Special Privacy and Data Protection Procedures.

8. TERM. This Exhibit A shall remain in effect as long as Supplier carries out Personal Data processing operations on behalf of LinkedIn or until the termination of the Agreement and all associated SOWs (and all Personal Data has been returned or deleted in accordance with section 9 below).

9. DATA RETURN AND DELETION. The parties agree that on the termination of the data processing services or upon LinkedIn’s reasonable request, Supplier and any subprocessors shall, at the choice of LinkedIn, return all the Personal Data and copies of such data to LinkedIn or securely destroy them and demonstrate to the satisfaction of LinkedIn that it has taken such measures, unless Data Protection Requirements prevent Supplier from returning or destroying all or part of the Personal Data disclosed. In such case, Supplier agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date in order to comply with the laws it is subject to.

10. GOVERNING LAW. Notwithstanding anything in the Agreement to the contrary, this Exhibit A shall be governed by the laws of the Republic of Ireland.


SCHEDULE A

(Appendix 2 to the Standard Contractual Clauses) Description of the technical and organizational security measures implemented by the Data Processor

In determining the technical and organizational security measures required in Clause 5 of the Data Processing Exhibit, the parties will take account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

As a part of and without limiting the generality of the technical and organizational security measures required in the applicable master agreement agreed to by the parties, if any, or LinkedIn’s standard subscription terms (located at: http://legal.linkedin.com/documents/current_SSA_US.pdf for purchases of cloud-based subscription services, or LinkedIn’s standard service terms located at: http://legal.linkedin.com/documents/current_MSA_US.pdf for purchases of any other service types), data importer and data importer’s subprocessor, if any, will implement the following specific security measures, as applicable:

A. Data importer’s employees and contractors must be trained in relation to specific and appropriate technical and organizational security measures;

B. Personal data must be stored on secured servers behind firewall;

C. Data importer must comply with all security policies of the LinkedIn group;

D. Data importer’s servers must be monitored by both industry standard and, as appropriate, proprietary network monitoring tools to prevent any potential security breaches;

E. Data importer’s corporate systems and databases must be password protected;

F. VPN and direct LinkedIn network access will be limited to company-issued devices;

G. Dual factor authentication will be mandatory for VPN access;

H. Member passwords, if supplied to data importer, are to be hashed and salted and stored in a separate database;

I. Data importer must retain, for one year, VPN, server, wiki and database access logs;

J. Data importer must segregate and limit employee access permissions;

K. If applicable, data importer must rotate keys to credit card databases; and

L. Data importer must conduct active and automated monitoring of critical access logs and anomaly detection.


EXHIBIT B ORDER FORM

This Order Form is between the LinkedIn entity (“LinkedIn”) and Supplier (“Supplier”) set out below and is governed by the Subscription Services Agreement executed by the parties, if any, or LinkedIn’s standard Subscription Services Agreement located at http://legal.linkedin.com/documents/current_SSA_US.pdf (“SSA”). Capitalized terms not otherwise defined in this Exhibit will have the same meaning as in the SSA. SSA Number (if any): _____________________ 1. CONTACT INFORMATION

Supplier Contact Information LinkedIn Contact Information Supplier Name: d/b/a or trading as: Contact Name: Contact Address: Contact Phone #: Contact Email:

LinkedIn Company: Contact Name: Contact Address: Contact Phone #: Contact Email:

Supplier Security Contact Information Contact Name: Contact Address: Contact Phone #: Contact Email:

2. SUBSCRIPTION SERVICES TERM

Start Date: ________________ End Date: ________________ (Note: End Date must not be more than 1 year from Start Date)

3. DESCRIPTION OF THE SUBSCRIPTION SERVICES (Describe the Subscription Services below or attach a white paper or

similar document from Supplier which sufficiently describes the Subscription Services). (EXAMPLE: “Every business has documents and information that are the foundation of the company. Team members need to access and collaborate on critical documents, presentations and files, and that information needs to stay secure through multiple levels of reviews and approvals. Company A’s service serves as a central content repository that provides best-in-class security for your information, as well as the robust collaboration tools your team needs to be productive and keep your business competitive in an ever changing market. By using Company A’s Service, your business can operate faster across all departments, ensure everyone is aligned, and drive growth while maintaining security of your files to keep your projects running smoothly.)


4. PRICING

Monthly/Unit Price: ________________ Total Price: ________________

Supplier will provide a confirmation of the applicable price for any renewal term at least 90 days prior to the end of the then current term.

5. PERSONAL DATA

“Personal Data” means information about an individual that (x) can be used to identify, contact or locate a specific individual; (y) can be combined with other information that is linked to a specific individual to identify, contact or locate a specific individual; or (z) is defined as “personal data” or “personal information” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual. Supplier will protect all Personal Data received from LinkedIn under this Order Form as Confidential Information under the Agreement.

(Select one)

Supplier will not receive any Personal Data from LinkedIn under this Order Form. Supplier will receive Personal Data from LinkedIn. Because Supplier will receive or process Personal Data from

LinkedIn, Supplier and LinkedIn shall complete Appendix 1 for the description of Personal Data and related details of processing and the data transfer. If and to the extent that Supplier will receive or process EU Personal Data from LinkedIn, Appendix 1 is subject to and incorporated into the Standard Contractual Clauses, and Supplier and LinkedIn will execute the Standard Contractual Clauses using Appendix 1, as attached to and incorporated into this Order Form, and Appendix 2 regarding the technical and organisational security measures which Supplier must implement with regard to the EU Personal Data, as attached to and incorporated into the Agreement.

6. SUBSCRIPTION SERVICES SUPPORT (Describe the support or service level agreement(s) applicable to Subscription

Services or attach support terms in a separate attachment).


7. BUSINESS CONTINUITY AND DISASTER RECOVERY. Throughout the Subscription Term, in connection with the

Subscription Services, Supplier shall maintain a commercially reasonable business continuity plan and disaster recovery arrangements consistent with industry standards and best practices ("BCP Plan") and shall implement the BCP Plan in response to a Crisis. “Crisis” means an unplanned event that poses a significant threat of substantial disruption to the Subscription Services or otherwise negatively impacts LinkedIn or its Affiliates. The BCP Plan will ensure that Subscription Services can resume within 24 hours of the onset of a Crisis and all LinkedIn data gathered or stored with Supplier can be restored except for data collected or modified within 48 hours of the onset of a Crisis. Supplier represents and warrants that it will test its BCP Plan at least annually and advise LinkedIn of any dependencies Supplier has on LinkedIn (e.g. certain action(s) or information) to support recovery from a Crisis within the stated recovery time and recovery point objectives.

(“SUPPLIER”) LINKEDIN CORPORATION

By: By:

Name: Name:

Title: Title:

Date: Date:

Address:


APPENDIX 1

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES Data exporter The data exporter is (check which applies)

LinkedIn Ireland Unlimited Company(with respect to EU member data), a provider of professional networking and related services to members outside the United States, or

LinkedIn Corporation (with respect to US member data), a provider of professional networking and related services to members inside the United States, or

LinkedIn Ireland Unlimited Company(with respect to non-EU member data), a provider of professional networking and related services to members outside the United States, or

LinkedIn Ireland Unlimited Company (with respect to its employees’ data), a provider of professional networking and related services to members outside the United States, or

Another LinkedIn EU Affiliate (with respect to their employees’ data), a provider of marketing and other support services related to the professional networking and related services offered by LinkedIn Ireland Unlimited Company to members outside the United States, or

LinkedIn Corporation or another LinkedIn non-EU affiliate (with respect to their employees’ data), a provider of marketing and other support services related to the professional networking and related services offered by LinkedIn Corporation or LinkedIn Ireland Unlimited Company to members inside or outside the United States.

Data importer The data importer is:

LinkedIn Corporation (with respect to EU member data), a provider of professional networking and related services on behalf of LinkedIn Ireland Unlimited Company, engaging Supplier as a subprocessor, or

LinkedIn Corporation (with respect to EU employees’ data), a provider of employment and benefits related support services to the data exporter, engaging Supplier as a subprocessor, or

Supplier, with respect to providing services to LinkedIn Ireland Unlimited Company or another LinkedIn EU affiliate under applicable agreement governing the services.

Data subjects The personal data transferred concern the following categories of data subjects (please specify): (check all which apply)

EU residents that interact with LinkedIn’s professional network and services US or other non-EU residents that interact with LinkedIn’s professional network and services employees of LinkedIn Austria GmbH employees of LinkedIn France SAS employees of LinkedIn Germany GmbH employees of LinkedIn Ireland Unlimited Company employees of LinkedIn Italy S.R.L. employees of LinkedIn Netherlands B.V. employees of LinkedIn Spain, S.L. employees of LinkedIn Sweden AB employees of LinkedIn Technology UK Limited employees of LinkedIn Corporation or other non-EU LinkedIn Affiliates Other (describe): ______________________________________________________________

Categories of data


The personal data transferred concern the following categories of data (please specify): Type: (check which apply)

personal data generated, shared or uploaded by members and visitors of LinkedIn and its services. personal data of the data exporter’s employees collected or generated in the course of staff administration. Other (describe): ______________________________________________________________________

Data Fields: (check data categories which apply or insert actual data fields to be provided to Supplier)

Individuals’ first, last or full names Contact details: physical address, home or mobile telephone number, e-mail address, etc. Birth record Info: date of birth, birthplace, mother’s maiden name, etc. Government identification: national ID, passport, tax ID, drivers license or vehicle registration numbers, etc. Payment card information: card number, signature, confirmation code, etc. Location Information: IP address, GPS coordinates, etc. Personal appearance: face, fingerprints, or handwriting, etc. Digital identity or behaviors - login name, screen name, nickname, passwords, IP address, web

cookies/beacons/pixel history, etc. Medical records, including genetic information, etc. Government, school or employer records: background investigations, educational or work history, credit

records, criminal records, etc. Other (describe): ______________________________________________________________________

Special categories of data (if appropriate) The personal data transferred concern the following special categories of data (please specify): (check all which apply)

racial or ethnic origin political opinions religious or philosophical beliefs trade-union membership, health or sex life other sensitive data (describe): ______________________________________________________________ None of the above.

Processing operations Supplier must process the data collected from or for LinkedIn or in connection with its services provided to LinkedIn under this SOW solely to provide the processing operations or services specified below, in accordance with LinkedIn’s instructions. The following description of data processing operations must describe the specific services to be provided by Supplier and any applicable instructions for access, use, storage, return, and destruction of data: The personal data transferred will be subject to the following basic processing activities (please specify): ____________________________________.


(”SUPPLIER”)

LINKEDIN IRELAND UNLIMITED COMPANY On behalf of itself and its Affiliates

By: By:

Name: Name:

Title: Title:

Date: Date:

Address: Address: Wilton Place, Wilton Plaza Dublin 2, Ireland

LINKEDIN CORPORATION

By:

Name:

Title:

Date:

Address: 1000 W. Maude Ave Sunnyvale, CA 94085, USA

SUBSCRIPTION SERVICES AGREEMENT [INBOUND] SSA LinkedIn … · LinkedIn Confidential and Proprietary...

Documents

Transcript of SUBSCRIPTION SERVICES AGREEMENT [INBOUND] SSA LinkedIn … · LinkedIn Confidential and Proprietary...