The following is applicable to You, with respect to the purchase of on-premise software and related services:
These Terms of Sale (“Terms”) represent the agreement (“Agreement”) that governs the purchase of on-premise software and related services (together, the “EntIT Goods”) from EntIT Software LLC (“EntIT” or “Our” or “We”) by the customer who completes the purchase order (“You” and “Customer”). Unless You have another valid agreement applicable to Your purchase and/or EntIT specifies different or additional terms applicable to Your purchase, these Terms will govern Your purchase in its entirety.
READ THESE TERMS CAREFULLY.
BY INDICATING YOUR CONSENT TO AGREE TO THESE TERMS, YOU ARE BOUND TO THESE TERMS WITH RESPECT TO YOUR PURCHASE. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY TO THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS, AND WE DELIVER THE EntIT GOODS, DO NOT USE, DOWNLOAD, INSTALL, COPY, OR ACCESS THE EntIT GOODS, AND PROMPTLY RETURN THE PRODUCT WITH PROOF OF PURCHASE AND OBTAIN A REFUND OF THE AMOUNT YOU PAID, IF ANY. IF YOU DOWNLOADED ANY SOFTWARE, CONTACT THE PARTY FROM WHOM YOU ACQUIRED IT.
a) Improper use, site preparation, or site or environmental conditions or other non-compliance with applicable Supporting Material;
b) Modifications or improper system maintenance or calibration not performed by EntIT or authorized by EntIT;
c) Failure or functional limitations of any non-EntIT software or product impacting systems receiving EntIT support or service;
d) Malware (e.g. virus, worm, etc.) not introduced by EntIT; or
e) Abuse, negligence, accident, fire or water damage, electrical disturbances, transportation by Customer, or other causes beyond EntIT’s control.
European Union. The offerings of this website are not available to consumers in the EU. With respect to EU customers, the terms and conditions within this European Union section apply:
Germany.
Personal Information. Customer and EntIT shall comply with their respective obligations under applicable data protection legislation as a controller and processor, respectively. Customer shall remain the controller of Customer Personal Data (as defined in the Exhibit) at all times. Exhibit “Data Protection Regulations” forms part of this Agreement and takes precedence over any conflicting terms herein or in any Supporting Material.
Security. Information about security controls is provided at the hp.com website or can be otherwise provided at Customer’s request.
To the extent EntIT has access to Customer’s personal data for performing Software-as-a-Service (“SaaS”) or Software Support (either hereinafter referenced as “Services”) the Parties agree to apply the terms described in subsection 1.1. EntIT shall apply those technical and organizational measures required by the exhibit to § 9 BDSG as set out in subsection 1.2 below.
Underlying Contract. The terms of the agreement on commissioned data processing are based upon the Services contract concluded between the Parties, including the appendixes describing the services (data sheets) (the “Contract”). On the basis of the aforementioned Contract, EntIT will process the Customer's personal data. The Contract defines the scope, nature, and purpose of the collection, processing and/or use of personal data by EntIT, the type of personal data to be processed and the persons affected by the handling of personal data. The Customer may also provide additional written instructions. The duration of the commissioned data processing will be governed by the Contract.
Correcting, blocking, and deleting data. EntIT may only correct, delete or block data processed within the scope of the Contract in accordance with the instructions provided by the Customer. If a person asks EntIT for information about his/her data or requests that EntIT correct or delete his/her data, EntIT shall immediately forward the request to the Customer.
Obligations of EntIT. To ensure proper processing of personal data, EntIT will only use personnel who have entered into confidentiality agreements pursuant to Section 5 of the BDSG. If the security measures implemented by EntIT do not satisfy the requirements of the Customer, the Customer will notify EntIT immediately. Any errors or irregularities that are identified by the Customer when checking the results, and brought to EntIT's attention, will be immediately rectified by EntIT. EntIT will process personal data and other operating data belonging to the customer only in accordance with the instructions provided by the Customer. EntIT will not use the data transmitted for data processing for any other purpose, nor will EntIT retain this data for any longer than required by the Customer, save to the extent required by legal retention periods. Copies or duplicates must not be created without informing the Customer. If EntIT believes that an instruction from the Customer violates data protection legislation, EntIT must notify the Customer. This duty to notify will not include a comprehensive legal review. Subcontracts may only be awarded to subcontractors following written consent by the Customer. A Customer's consent may only be withheld if the Customer has a material reason for doing so. The Customer's consent will be deemed to have been given with respect to subcontractors named by EntIT prior to the conclusion of the Contract or which are regularly used by EntIT to provide standardized services. If a subcontractor is a company within EntIT's corporate group and is based in the European Union (EU) or the European Economic Area (EEA) or a safe third country, a subcontract may be awarded to the subcontractor without the prior written consent of the Customer. Irrespective of this, EntIT will always be obliged to exercise due caution when choosing subcontractors and to inform the Customer accordingly. 
Furthermore, EntIT must ensure that the data processing provisions agreed with the Customer also apply to all subcontracts awarded to subcontractors. If a subcontractor is operating outside the European Union (EU) or European Economic Area (EEA), an adequate level of data protection must be established pursuant to Sections 4b and 4c of the BDSG. To this end, the Customer hereby authorizes EntIT to execute a controller to processor EU Model Contract (C (2010) 593) on its behalf to cover the transfer of any Customer personal data which originates from the EEA to any EntIT Affiliate supporting the Services and being located in a country which does not have a finding of adequacy pursuant to Article 25(6) of Directive 95/46/EC (the “Model Contract”).
EntIT will immediately inform the Customer of any incidents that must be reported pursuant to Section 42a of the BDSG, any serious operational malfunctions, and any suspected privacy violations or other irregularities that arise while processing the Customer's data. EntIT has appointed a competent and reliable data protection officer pursuant to Section 4f of the BDSG.
Control rights of the Customer. The Customer or a representative appointed by the Customer has a right of control with regard to proper processing of personal data and other operational data processed on behalf of the Customer. The rights of control will be exercised in consultation with EntIT. EntIT is obliged to assist the Customer in such controls and any controls of the competent authorities. These controls must be carried out in consideration of the business processes and EntIT's need for security and confidentiality. The control of standardized services will be performed by controlling the test documents professionally created and submitted by EntIT. EntIT is also obliged to apply the control rights of the Customer to the subcontractors of EntIT tasked with processing the Customer's data.
Deletion of data and return of data carriers. After completion of the contractual work or earlier if requested by the Customer - at the latest upon termination of the Contract - EntIT must return to the Customer all documents, processing results, usage results, and data sets that relate to the contractual relationship, or destroy them in a manner compatible with data protection legislation following prior approval by the Customer. The same will apply to test material and rejected material. The manner in which data is deleted must be demonstrated upon request. EntIT must retain any documentation serving as proof of commissioned data processing and proper data processing beyond the end of the Contract in accordance with the respective retention periods. To ease the burden on EntIT, EntIT can choose to hand over such documentation when the Contract terminates.
Overview of EntIT Technical and Organizational Measures
EntIT has defined its information security policy in order to make sure the appropriate controls are in place.
I. PHYSICAL ACCESS CONTROLS
The EntIT Physical Security Policy includes the following controls for working areas and data centers:
The perimeter physical security including, but not limited to, access control, health and safety regulations, protection against the damage of external and environmental threats (fire, flood, etc.).
The physical access control is handled through the use of digital IDs, CCTV, fingerprints, and more.
Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises are controlled.
Appropriate controls are taken to avoid theft or loss of company or personal equipment.
Equipment is protected from power failures and other disruptions caused by failures in supporting utilities using different methods, such as generators, UPSs, and alternate power supplies, in a way that minimizes the effect of power failures.
Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage.
Classified information on paper or media is disposed of in a secure manner.
All visitors are required to provide government-issued ID; their visits are logged, and they are escorted at all times and required to wear clearly identifiable visitor credentials.
Monitor all entry/exit points
Locked cabinets and cage areas
Alarm systems monitored 24x7x365
High sensitivity fire/smoke detection systems are implemented
UPS and backup power generators
At least two independent power supplies into the building.
Robust external network connectivity infrastructure
Physical locks required on portable computers within secured work areas
II. ACCESS CONTROLS / ACCESS LIMITATION CONTROLS
Users are required to request access through either automated or manual methods.
All grants to access require documentation indicating the grant of access.
Access to the Security team’s SharePoint site must be approved by an administrator on the SaaS Security team and logged.
All access requests related to EntIT tools must be documented and stored in a central repository.
Utility programs capable of overriding system, object, network, virtual machine and application controls shall be restricted based on a pre-defined credential set.
Access to systems with shared network infrastructure must be restricted to authorized personnel. Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations.
EntIT policies and procedures for employees are intended to ensure that:
Prior to employment, the employees’ background is appropriately obtained
The employees understand and are aware of the terms of their employment
The information security guidelines are clearly briefed to the employees
An information security awareness program exists and is implemented
A formal disciplinary process for handling security breaches is established
Employment termination or role change is conducted in a controlled and secured manner
III. INPUT CONTROLS
Access to log information must be restricted based on user roles and the principles of “need-to-know” and the usage of shared accounts is prohibited. The audit policies are reviewed annually to determine if there is a requirement to enhance audit information.
IV. JOB CONTROLS
Access to materials and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.
VI. AVAILABILITY CONTROLS
EntIT has developed a business continuity management process which includes:
A plan framework for improving EntIT’s resilience against the disruption of its ability to provide an expected service level to its customers
A rehearsed method of restoring the ability to supply key products and services upon a disaster
VII. DATA SEPARATION
Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Access for making changes to production environments is closed to developers except in special circumstances. In those cases, developer access is granted temporarily and for specific tasks, monitored, and closed when the access is no longer needed.
Personal Information. Customer and EntIT shall comply with their respective obligations under applicable data protection legislation as a controller and processor, respectively. Customer shall remain the controller of Customer Personal Data (as defined in the Exhibit) at all times. Exhibit “Data Protection Regulations” forms part of this Agreement and takes precedence over any conflicting terms herein or in any Supporting Material.
Security. Information about EntIT’s security controls is provided at the hp.com website or can be otherwise provided at Customer’s request.
Definitions
(i) The terms “controller”, “data subject”, “processor”, “process”, “processed” or “processing” and “personal data” used in this Addendum shall be as defined in the Spanish legislation (Law 15/1999, 13th December, of Personal Data Protection and the Royal Decree 1720/2007 of 21st December).
(ii) “Customer Personal Data” means personal data of which Customer or its affiliates is the controller and which EntIT processes in the course of providing SaaS or software support (either hereinafter called “Services”).
Data Processing
To the extent EntIT has access to Customer Personal Data for performing Services, in accordance with article 12 of the Law 15/1999, 13th December, of Personal Data Protection (“Ley Orgánica de Protección de Datos de Carácter Personal”), and the Royal Decree 1720/2007 of 21st December (“Real Decreto 1720/2007 de 21 de Diciembre por el que se aprueba el Reglamento de Desarrollo de la Ley Orgánica 15/1999”):
EntIT shall process such data only in accordance with the instructions of the Customer and solely for the purposes set forth in this Agreement.
EntIT shall not communicate the above referred data to any third party even for their preservation and shall destroy or return to the Customer, at Customer’s choice, any personal data in its possession upon termination of this agreement.
EntIT shall maintain the secrecy and confidentiality of the personal data.
Customer hereby appoints EntIT as a processor of Customer Personal Data. Customer and EntIT shall comply with all data protection laws to which they are subject, as a controller and processor respectively, and which are applicable to their information security, privacy and data protection obligations in connection with Customer Personal Data.
EntIT shall only process Customer Personal Data as required to provide Services and in accordance with the Customer’s written instructions (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Customer to EntIT under this Agreement) and to the extent that such instructions are not compatible with EntIT’s obligations under this Agreement they shall be implemented as agreed by the parties. Unless otherwise agreed, EntIT shall implement the security measures required in the section 1ª, Chapter III, Title VIII of the above mentioned Royal Decree.
EntIT has implemented the EntIT technical and organisational measures to protect Customer Personal Data against accidental, unauthorised or unlawful processing, destruction, loss, damage or disclosure, details of which are provided at the hp.com website or can otherwise be provided on Customer’s request. These include:
Physical access controls
Access Controls
Access Limitation Controls
Input Controls
Job Controls
Availability Controls
Data Separation
EntIT will ensure that all employees involved in the processing of Customer Personal Data are authorized personnel with a need to access the data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection of personal data.
Where the Supporting Material identifies categories of Customer Personal Data or other Customer-provided data that are to be returned to Customer upon termination, EntIT will supply such data to Customer in the agreed format and will delete from EntIT’s own systems any remaining copies of such Customer Personal Data or other data, unless legislation applicable to it prevents it from doing so.
EntIT will within five (5) business days of receipt, refer to Customer any queries from data subjects in connection with Customer Personal Data, for Customer to deal with.
EntIT will on written request of Customer promptly amend or delete any Customer Personal Data to the extent that Customer is not able to amend or delete the data itself.
Customer Personal Data will be transferred to EntIT’s parent company, Hewlett Packard Company in the United States of America, and onward to other affiliate and third party subcontractors located outside the EEA and Switzerland who support the Services, a list of which is available upon request.
If and to the extent EntIT is acting as a data processor or sub-processor with respect to Customer Personal Data pertaining to residents of the European Economic Area or Switzerland ("EEA+ Data Subjects"), the EU Standard Contractual Clauses (Processors) (short: “Model Contract”) shall apply and supersede any conflicting terms of this Exhibit to the extent EEA+ Data Subjects are concerned. Between EntIT and the Customer, this Exhibit shall prevail in case of any conflicts or inconsistencies with the Model Contract. Any losses suffered by data exporter or data importer (both as defined in the Model Contract) shall be treated as if they had been suffered by Customer or EntIT respectively and shall in all cases be recovered by Customer or EntIT subject to any limits on that party’s liability contained in this Agreement in section “limitation of liability”. Nothing in that section “limitation of liability” shall limit the liability of either party in relation to a claim by a data subject under a Model Contract.
When EntIT obtains formal approval for binding corporate rules for processors (BCR-P), the parties may agree to rely on the BCR-P for transfers of Customer Personal Data. The relevant information and additional contract terms will be provided to Customer on request.
EntIT will ensure that any affiliate or third party subcontractor involved in processing Customer Personal Data enters into a written agreement with EntIT (which may be an inter-company agreement in the case of affiliates), which includes obligations substantially similar to those contained in this Addendum and appropriate to the nature of the processing involved.
Personal Information. Customer and EntIT shall comply with their respective obligations under applicable data protection legislation as a controller and processor, respectively. Customer shall remain the controller of Customer Personal Data (as defined in the Exhibit) at all times. Exhibit “SaaS Data Protection Regulations” forms part of this Agreement and takes precedence over any conflicting terms herein or in any Supporting Material.
Security. Information about SaaS’ security controls is provided at the hp.com website or can be otherwise provided at Customer’s request.
Definitions
(i) The terms “controller”, “data subject”, “processor”, “process”, “processed” or “processing” and “personal data” used in this Addendum shall be as defined in European Directive 95/46/EC.
(ii) “Customer Personal Data” means personal data of which Customer or its affiliates is the controller and which EntIT processes in the course of providing SaaS or software support (each hereinafter called “Services”).
Data Processing
Customer hereby appoints EntIT as a processor of Customer Personal Data. Customer and EntIT shall comply with all data protection laws to which they are subject, as a controller and processor respectively, and which are applicable to their information security, privacy and data protection obligations in connection with Customer Personal Data.
EntIT shall only process Customer Personal Data as required to provide Services and in accordance with the Customer’s written instructions (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Customer to EntIT under this Agreement) and to the extent that such instructions are not compatible with EntIT’s obligations under this Agreement they shall be implemented as agreed by the parties.
EntIT has implemented the EntIT technical and organisational measures to protect Customer Personal Data against accidental, unauthorised or unlawful processing, destruction, loss, damage or disclosure, details of which are provided at the hp.com website or can otherwise be provided on Customer’s request. These include:
Physical access controls
Access Controls
Access Limitation Controls
Input Controls
Job Controls
Availability Controls
Data Separation
EntIT will ensure that all employees involved in the processing of Customer Personal Data are authorized personnel with a need to access the data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection of personal data.
Where the Supporting Material identifies categories of Customer Personal Data or other Customer-provided data that are to be returned to Customer upon termination, EntIT will supply such data to Customer in the agreed format and will delete from EntIT’s own systems any remaining copies of such Customer Personal Data or other data, unless legislation applicable to it prevents it from doing so.
EntIT will within five (5) business days of receipt, refer to Customer any queries from data subjects in connection with Customer Personal Data, for Customer to deal with.
EntIT will on written request of Customer promptly amend or delete any Customer Personal Data to the extent that Customer is not able to amend or delete the data itself.
Customer Personal Data will be transferred to EntIT’s parent company, Hewlett Packard Company in the United States of America, and onward to other affiliate and third party subcontractors located outside the EEA and Switzerland who support SaaS, a list of which is available upon request.
If and to the extent EntIT is acting as a data processor or sub-processor with respect to Customer Personal Data pertaining to residents of the European Economic Area or Switzerland ("EEA+ Data Subjects"), the EU Standard Contractual Clauses (Processors) (short: “Model Contract”) shall apply and supersede any conflicting terms of this Exhibit to the extent EEA+ Data Subjects are concerned. Between EntIT and the Customer, this Exhibit shall prevail in case of any conflicts or inconsistencies with the Model Contract. Any losses suffered by data exporter or data importer (both as defined in the Model Contract) shall be treated as if they had been suffered by Customer or EntIT respectively and shall in all cases be recovered by Customer or EntIT subject to any limits on that party’s liability contained in this Agreement in section “limitation of liability”. Nothing in that section “limitation of liability” shall limit the liability of either party in relation to a claim by a data subject under a Model Contract.
When EntIT obtains formal approval for binding corporate rules for processors (BCR-P), the parties may agree to rely on the BCR-P for transfers of Customer Personal Data. The relevant information and additional contract terms will be provided to Customer on request.
EntIT will ensure that any affiliate or third party subcontractor involved in processing Customer Personal Data enters into a written agreement with EntIT (which may be an inter-company agreement in the case of affiliates), which includes obligations substantially similar to those contained in this Addendum and appropriate to the nature of the processing involved.