We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, place an order, subscribe to the newsletter, respond to a survey, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address, mailing address, phone number. Users may, however, visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personally identification information, except that it may prevent them from engaging in certain Site related activities.
We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about Users means of connection to our Site, such as the operating system and the Internet service providers utilized and other similar information.
Sharpr may collect and use Users personal information for the following purposes:
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.Sensitive and private data exchange between the Site and its Users happens over a SSL secured communication channel and is encrypted and protected with digital signatures.
We do not sell, trade, or rent Users personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above.We may use third party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes provided that you have given us your permission.
By using this Site, you signify your acceptance of this policy and terms of service. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.
215 S State Street STE 300
Salt Lake City, UT 84111
This document was last updated on January 12, 2016.
1. Policy Statement
Sharpr, Inc. (“Sharpr”) complies with the EU-U.S. Privacy Shield Framework, including the Supplemental Principles, and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce (collectively, the “Principles”). Sharpr has certified that it adheres to the Principles with respect to its services and the collection, use, and retention of certain Personal Data (as defined below) transferred from the European Union (“EU”) and Switzerland to Sharpr in the United States (“U.S.”). This Policy sets forth the standards under which Sharpr will treat such Personal Data. To learn more about the Principles and to view Sharpr’s certifications, please visit: https://www.privacyshield.gov/.
2. U.S. Federal Trade Commission Jurisdiction
Sharpr’s commitments under the Principles are subject to the jurisdiction and enforcement and investigatory authority of the United States Federal Trade Commission.
3. Required Disclosure
Sharpr may be required to disclose Personal Data to the extent required to meet a legal obligation, including national security or law enforcement obligations and applicable law, rule, order, or regulation.
“Data Subject” means the individual to whom any given Personal Data covered by this Policy refers.
“Personal Data” means information relating to an identified or identifiable natural person residing in the EU or Switzerland. If the information has been irreversibly stripped of all identifiers such that an individual cannot be identified or re-identified, it is not Personal Data.
“Sensitive Personal Data” means Personal Data regarding any of the following:
Sharpr provides solutions for storing, analyzing and delivering content and business insights. In connection with providing these solutions to its business customers, Sharpr generally serves as a conduit for information controlled by others — it is Sharpr’s customers that control the actual content uploaded into the Sharpr platform (e.g. posts, insights, documents, etc). This Policy applies to the collection, use, and disclosure in the U.S. of Personal Data transferred from the EU or Switzerland to Sharpr in the U.S. of: (i) users of Sharpr’s own websites and applications, and (ii) business contact information associated with our business customers.
6. Data Processed
The types of Consumer Personal Data Sharpr collects includes:
7. Purposes of Data Processing; Disclosure to Third Parties; Choice
Sharpr processes data that is transferred from the EU or Switzerland to Sharpr in the U.S. for purposes of: providing, maintaining, protecting, developing, and improving the solutions we offer to our business customers; detecting and preventing potential fraud and security risks; and supporting Sharpr’s internal business operations (e.g. billing).
Sharpr may use from time to time a limited number of third-party service providers, contractors, and other businesses to assist us in providing our solutions to our customers or in meeting internal business operation needs. These third-parties may access, process or store personal data in the course of performing their duties to Sharpr. Sharpr maintains contracts with these providers restricting their access, use and disclosure of Personal Data in compliance with our obligations under the Principles.
8. Accountability for Onward Transfer
In the event Sharpr discloses Personal Data covered by this Policy to a non-agent third party, it will do so consistent with any notice provided to Data Subjects and any choice they have exercised regarding processing and disclosure. Sharpr will only disclose Personal Data to third parties that have given us contractual assurances that they will provide at least the same level of privacy protection as is required by this Policy and the Principles and that they will process Personal Data for limited and specific purposes consistent with any consent provided by the individual. If Sharpr has knowledge that a third party to which it has disclosed Personal Data covered by this Policy is processing such Personal Data in a way that is contrary to this Policy and/or the Principles, Sharpr will take steps to prevent or stop such processing. Sharpr shall remain liable if the third-party processes such personal information in a manner inconsistent with this Policy, unless Sharpr proves that it is not responsible for the event giving rise to the damage.
Sharpr takes reasonable and appropriate measures to protect Consumer Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Personal Data.
10. Data Integrity and Purpose Limitation
Sharpr will only collect Personal Data covered by this Policy that is relevant for the purposes for which it is to be used, and only use such Personal Data in a way that is compatible with the purposes for which it was collected or subsequently authorized. Sharpr will take reasonable steps to ensure that such Personal Data is accurate, complete, current and reliable for its intended use.
Data Subjects have the right to access Personal Data about them that is covered by this Policy and to correct, amend, or delete such Personal Data if they can demonstrate that it is inaccurate or incomplete (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated).
12. Enforcement; Recourse
Inquiries and complaints relating to Sharpr’s treatment of Personal Data and its compliance with the Principles may be directed to:
215 S State St. Suite 300
Salt Lake City, UT 84111
Attn: Chief Privacy Officer
Sharpr will respond to any such inquiries or complaints within forty-five (45) days. In the event that Sharpr fails to respond or its response is insufficient or does not address the concern, Sharpr has registered with JAMS to provide independent third party dispute resolution at no cost to the complaining party. To contact JAMS and/or learn more about the company’s dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. Complaining parties may also, in absence of a resolution by Sharpr and JAMS, seek to engage in binding arbitration through the Privacy Shield Panel.
Sharpr will cooperate with the United States Federal Trade Commissions and any data protection authorities of the EU Member States (“DPAs”) and/or the Swiss Federal Data Protection and Information Commissioner (“Commissioner”) in the investigation and resolution of complaints that cannot be resolved between Sharpr and the complainant that are brought to a relevant DPA.
Sharpr also commits to periodically reviewing and verifying the accuracy of this Policy and the company’s compliance with the Principles, and remedying issues identified. All employees of Sharpr that have access to Personal Data covered by this Policy in the U.S. are responsible for conducting themselves in accordance with this Policy. Failure of an Sharpr employee to comply with this Policy may result in disciplinary action up to and including termination.
Last Updated: February 1, 2018
Sharpr’s Corporate Trust Commitment
Sharpr is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”).
This documentation describes the architecture of, the security and privacy-related audits and certifications received for, and the administrative, technical and physical controls applicable to the services offered by Sharpr (the “Sharpr Services”).
Sharpr owns or controls access to the infrastructure that Sharpr uses to host Customer Data submitted to the Sharpr Services. Each instance of the Sharpr Services contains servers and other elements to make it run. Each instance in a primary data center has an exact copy in a secondary data center.
Audits and Certifications
The following security and privacy-related audits and certifications are applicable to the Sharpr Services:
Additionally, the Sharpr Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis.
The Sharpr Services include a variety of configurable security controls that allow customers to tailor the security of the Sharpr Services for their own use. These controls are set forth in the Security Implementation Guide.
Security Procedures, Policies and Logging
The Sharpr Services are operated in accordance with the following procedures to enhance security:
Sharpr, or an authorized third party, will monitor the Sharpr Services for unauthorized intrusions using network based intrusion detection mechanisms. Sharpr may analyze data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Sharpr Services function properly.
All Sharpr systems used in the provision of the Sharpr Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable security reviews and analysis.
Sharpr maintains security incident management policies and procedures. Sharpr promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data by Sharpr or its agents of which Sharpr becomes aware to the extent permitted by law.
Access to Sharpr Services requires authentication via one of the supported mechanisms as described in the Security Implementation Guide, including user ID/password, SAML based Federation, Oauth, Social Login, or Delegated Authentication as determined and controlled by the customer. Following successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
Production data centers used to provide the Sharpr Services have access control systems. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor access screening, including biometrics, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
Reliability and Backup
All networking components, SSL accelerators, load balancers, Web servers and application servers are configured in a redundant configuration. All Customer Data submitted to the Sharpr Services is stored on a primary database server with multiple active clusters for higher availability. All Customer Data submitted to the Sharpr Services is stored on carrier-class disk storage using redundant devices and multiple data paths to ensure reliability and performance. All Customer Data submitted to the Sharpr Services, up to the last committed transaction, is automatically replicated on a near real-time basis to the secondary site and is backed up on a regular basis and stored on backup media for an additional 3 days in production environments and 30 days in Sandbox environments after which it is securely overwritten or deleted from the Sharpr Services. Any backups are verified for integrity and stored in Sharpr data centers.
Sharpr has disaster recovery plans in place and tests them at least once per year. The Sharpr Services utilize secondary facilities that are geographically remote from their primary data centers, along with required hardware, software, and Internet connectivity, in the event Sharpr production facilities at the primary data centers were to be rendered unavailable. The Sharpr Services’ disaster recovery plans currently have the following target recovery objectives: (a) restoration of the Sharpr Service within 12 hours after Sharpr’s declaration of a disaster; and (b) maximum Customer Data loss of 24 hours; excluding, however, a disaster or multiple disasters causing the compromise of both data centers at the same time, and excluding development and test bed environments, such as the Sandbox service.
The Sharpr Services does scan for viruses that could be included in attachments or other Customer Data uploaded into the Sharpr Services by a customer but we DO NOT guarantee we will find all viruses and shall not be liable for a failure to detect all viruses. Uploaded attachments, however, are executed in the Sharpr Services and could potentially damage or compromise the Sharpr Services by virtue of containing a virus. Customers shall be liable for any damage or loss resulting from viruses contained in any uploaded attachment.
The Sharpr Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer’s network and the Sharpr Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during transmission between data centers for replication purposes.
Return of Customer Data
Within 30 days post contract termination, customers may request return of their respective Customer Data submitted to the Sharpr Services. Sharpr shall provide such Customer Data via a downloadable file in comma separated value (.csv) format and attachments in their native format.
Deletion of Customer Data
After contract termination, Customer Data submitted to the Sharpr Services is retained in inactive status within the Sharpr Services for 180 days and a transition period of up to 30 days, after which it is securely overwritten or deleted. In accordance with the Reliability and Backup section above, Customer Data submitted to the Sharpr Services (including Customer Data retained in inactive status) will be stored on backup media for an additional 90 days in production environments and 30 days in Sandbox environments after it is securely overwritten or deleted from the Sharpr Services. Physical media on which Customer Data is stored during the contract term is not removed from the data centers that Sharpr uses to host Customer Data unless the media is at the end of its useful life or being deprovisioned, in which case the media is first sanitized before removal. This process is subject to applicable legal requirements.
Without limiting the ability for customers to request return of their Customer Data submitted to the Sharpr Services, Sharpr reserves the right to reduce the number of days it retains such data after contract termination. Sharpr will update this Sharpr Security, Privacy, and Architecture Documentation in the event of such a change.
Tracking and Analytics
Sharpr may track and analyze use of the Sharpr Services for purposes of security and helping Sharpr improve both the Sharpr Services and the user experience in using the Sharpr Services. Sharpr may also use this information and users’ e-mail addresses to contact customers or their users to provide transactional information about the Sharpr Services. Sharpr will offer customers and users the ability to opt out of receiving such emails.
Without limiting the foregoing, Sharpr may share anonymous data about Sharpr’s customers’ or their users’ use of the Sharpr Services (“Usage Statistics”) to Sharpr’s service providers for the purpose of helping Sharpr in such tracking or analysis, including improving its users’ experience with the Sharpr Services, or as required by law. Additionally, Sharpr may share such anonymous data with other customers on an aggregate basis. Except when required by law, any such sharing of Usage Statistics will not include any identifying information about Sharpr’s customers or customers’ users.
Inter operation with Other Sharpr Services
The Sharpr Services may interoperate with other services provided by Sharpr. The Security, Privacy and Architecture documentation for such services is available in the Trust and Compliance Documentation section of help.sharpr.com.
Last Updated: February 2018
Sharpr Corporation and its affiliates are committed to achieving and maintaining customer trust. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters. In accordance with the EU Data Protection Directive and implementing national legislation, the Sharpr Processor BCR is intended to provide an adequate level of protection for Personal Data during international transfers within the Sharpr Group made on behalf of Customers and under their instructions. 
3. Scope and Application
The purpose of the Sharpr Processor BCR is to govern cross-border transfers of Personal Data to and between members of the Sharpr Group, and to third-party sub-processors (in accordance with written agreements with any such third-party sub-processors) when acting as Processors and/or sub-processors on behalf and under the instructions of Customers.
The Sharpr Processor BCR applies to Personal Data submitted to the Services by:
(a) Customers established in EEA member states whose processing activities for the relevant data are governed by the EU Data Protection Directive and implementing national legislation; and
(b) Customers established in non-EEA member states for which the customer has contractually specified that the EU Data Protection Directive and implementing national legislation shall apply.
The Sharpr Group may update the Sharpr Processor BCR with approval from the Sharpr Group’s appointed privacy leader, general counsel and compliance officer. All changes to the Sharpr Processor BCR shall be communicated to members of the Sharpr Group.
The Sharpr Group’s appointed privacy leader shall be responsible for keeping a fully updated list of the members of the Sharpr Group and third-party sub-processors and making appropriate notifications to Customers and the CNIL in its capacity as lead authority for the Sharpr Processor BCR. The Sharpr Group shall not transfer Personal Data to a new member of the Sharpr Group until such member is appropriately bound by and complies with the Sharpr Processor BCR.
The Sharpr Group shall make the most current version of the Sharpr Processor BCR, including the members of the Sharpr Group, available at http://sharpr.com/home/legal/. Significant changes to the Sharpr Processor BCR and/or the list of members of the Sharpr Group will be reported (a) in a timely fashion to Customers and (b) once per year to the relevant data protection authorities accompanied by a brief explanation of the changes.
4. Responsibilities Towards Customers
A. General Obligations
The Sharpr Group and its employees shall comply with the Sharpr Processor BCR, process Personal Data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of Personal Data, pursuant to the measures provided in the contracts executed with Customers.
B. Transparency and Cooperation with Customers
The Sharpr Group undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation within a reasonable period of time to help facilitate their respective data protection obligations regarding Personal Data.
C. Data Subject Rights
Members of the Sharpr Group act as Processors on behalf of Customers. As between the Sharpr Group and Customers, Customers have primary responsibility for interacting with Data Subjects, and the role of the Sharpr Group is generally limited to assisting Customers as needed.
i. Access, Correction, Amendment or Deletion Requests
The Sharpr Group shall promptly notify a Customer if the Sharpr Group receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. The Sharpr Group shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer.
The Sharpr Group shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data to the extent Customers do not have access to such Personal Data through their respective uses of the Services.
ii. Handling of Complaints
The Sharpr Group’s Privacy department shall be responsible for handling complaints related to compliance with the Sharpr Processor BCR.
Data Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the Sharpr Processor BCR by contacting the relevant Customer or the Sharpr Group’s Privacy department at the email address firstname.lastname@example.org. The Sharpr Group shall promptly communicate the complaint to the Customer to whom the Personal Data relates.
Customers shall be responsible for responding to all Data Subject complaints forwarded by the Sharpr Group except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where the Sharpr Group is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the relevant data protection authority).
D. Regulatory Inquiries and Complaints
The Sharpr Group shall, to the extent legally permitted, promptly notify a Customer if the Sharpr Group receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, the Sharpr Group shall provide the Customer with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any regulatory inquiry or complaint involving the Sharpr Group’s processing of Personal Data.
5. Description of Processing Operations and Transfers
A. Purpose Limitation
The Sharpr Group shall process Personal Data only for the following purposes: (i) processing in accordance with a Customer’s instructions set forth in the Customer’s contract with a member of the Sharpr Group; and (ii) processing initiated by the Customer in its use of the Services. If the Sharpr Group cannot comply with such purpose limitation, a member of the Sharpr Group shall promptly notify the relevant Customer, and such Customer shall be entitled to suspend the transfer of Personal Data and/or terminate the applicable order form(s) in respect to only those Services which cannot be provided by the Sharpr Group in accordance with such Customer’s instructions. On the termination of the provision of such Services, the Sharpr Group and third-party sub-processors shall, at the choice of the Customer, return the Personal Data to the Customer and/or delete the Personal Data as set forth in the applicable customer contract.
B. Data Quality
Customers have access to, and control of, Personal Data in their use of the Services. To the extent a Customer, in its use of the Services, does not have the ability to anonymize, correct, amend or delete Personal Data, as required by applicable laws, the Sharpr Group shall comply with any request by a Customer in a reasonable period of time and to the extent reasonably possible to facilitate such actions by executing any measures necessary to comply with the law, in a reasonable period of time and to the extent reasonably possible to the extent the Sharpr Group is legally permitted to do so. The Sharpr Group will, to the extent reasonably required for this purpose, inform each member of the Sharpr Group to whom the Personal Data may be stored of any anonymization, rectification, amendment or deletion of such data. If any such anonymization, correction, amendment or deletion request is applicable to a third-party sub-processor’s processing of Personal Data, the Sharpr Group shall communicate such request to the applicable third-party sub-processor(s).
Within the Sharpr Group As set forth in applicable contracts with Customers, members of the Sharpr Group may be retained as sub-processors of Personal Data, and depending on the location of the Sharpr Group member, processing of Personal Data by such sub-processors may involve transfers of Personal Data. The Sharpr Processor BCR extends to all members of the Sharpr Group.
ii. Sub-processing by Third Parties
As set forth in applicable contracts with Customers, members of the Sharpr Group may retain thirdparty sub-processors, and depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party subprocessors shall process Personal Data only (i) in accordance with the Customer’s instructions set forth in the Customer’s contract with a member of the Sharpr Group; or (ii) if processing is initiated by the Customer in its use of the Services. The current list of third-party sub-processors engaged in processing Personal Data, including a description of their processing activities, is available at here. Such third-party sub-processors have entered into written agreements with a member of the Sharpr Group in accordance with the applicable requirements of Articles 16, 17, 25 and 26 of EU Data Protection Directive and Sections 3 – 10 of the Sharpr Processor BCR as applicable to the third-party subprocessor’s processing activities.
iii. Notification of New Sub-processors and Objection Rights
As set forth in applicable contracts with Customers, the Sharpr Group shall provide Customers with prior notification before a new sub-processor begins processing Personal Data. Within thirty (30) days of receiving such notice, a Customer may object to the Sharpr Group’s use of a new sub-processor subject to the following:
It would be unreasonable for a Customer to object to a new sub-processor that is a member of the Sharpr Group if (a) the sub-processor is subject to the Sharpr Processor BCR; and (b) has achieved a third-party, internationally-recognized security certification (e.g., ISO 27001) unless the Customer demonstrates reasonable suspicion that the new sub-processor will not be able to comply with its obligations under the Sharpr Processor BCR.
Unless a Customer demonstrates reasonable suspicion that a new third-party sub-processor introduces unreasonable risk to the protection of Personal Data (e.g., a history of security breaches), it would be unreasonable for a Customer to object to a new third-party sub-processor if (a) the new third-party sub-processor is located in a country that provides an adequate level of protection per the European Commission or has entered into a contract with a member of the Sharpr Group containing the applicable requirements of the European Commission’s controller-to-processor standard contractual clauses; and (b) the new third-party sub-processor has passed the Sharpr Group’s vendor security evaluation based on a third-party, internationally-recognized security framework.
In the event a Customer objects to a new sub-processor, and that objection is not unreasonable under the standards described above, the Sharpr Group will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new subprocessor without unreasonably burdening the Customer. If the Sharpr Group is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Customer may terminate the applicable order form(s) in respect only to those Services which cannot be provided by the Sharpr Group without the use of the objected-to new sub-processor by providing written notice to the member of the Sharpr Group with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
6. Confidentiality and Security Measures
A. Confidentiality and Training The Sharpr Group shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and have received appropriate training on their responsibilities. Additionally, the Sharpr Group shall ensure that its personnel responsible for the development of tools used to process Personal Data have received appropriate training on their responsibilities. The Sharpr Group shall also ensure that its personnel engaged in the processing of Personal Data are limited to those personnel who require such access to perform the Sharpr Group’s obligations under applicable contracts with Customers.
B. Data Security The Sharpr Group shall maintain appropriate administrative, technical and physical safeguards for protection of the security, confidentiality and integrity of Personal Data, as set forth in applicable contracts with Customers. The Sharpr Group regularly monitors compliance with these safeguards. The Sharpr Group will not materially decrease the overall security of the Services during a Customer’s applicable subscription term.
C. Security Breach Notification In the event a member of the Sharpr Group becomes aware of any unauthorized access to or disclosure of Personal Data, the Sharpr Group will promptly notify affected Customers to the extent such notification is permitted by applicable law.
D. Audits The Sharpr Group shall maintain an audit program to help ensure compliance with the Sharpr Processor BCR, including the following third-party audits and certifications, internal verification and audits by Customers. The audit program covers all aspects of the Sharpr Processor BCR, including methods for ensuring non-compliance is addressed.
i. Third-Party Audits and Certifications The following third-party audits and certifications are applicable to the Services. The Sharpr Group agrees to maintain such audits and certifications, or their successors.
ISO 27001 certification: The Sharpr Group is subject to an information security management system (ISMS) in accordance with the ISO 27001 international standard. Sharpr is ISO 27001 compliant and the cloud infrastructure used by Sharp is ISO 27001 is ISO 27001 certified. The scope of the Sharpr Group’s ISO 27001certification is set forth in the Security, Privacy and Architecture Documentation for the Services.
SSAE 16 Service Organization Control (SOC) reports: Sharpr’s cloud infrastructure undergoes an independent evaluation in the form of SSAE 16 Service Organization Control (SOC) reports, which are available to Customers upon request.
ii. Internal Verification
The Sharpr Group has appointed a network of privacy personnel responsible for overseeing and ensuring compliance with the Sharpr Group’s data protection responsibilities at a local and global level, including compliance with this Sharpr Processor BCR, advising management on data protection matters, liaising with data protection authorities, and handling data protection-related complaints. Each member of the Sharpr Group shall be assigned such a member of network of privacy personnel. Such privacy personnel are primarily responsible for privacy-related matters and report to the Sharpr Group’s appointed privacy leader, who reports to the Sharpr Group’s general counsel, and benefit from the support of the Sharpr Group’s top management. The Sharpr Group’s appointed privacy leader is responsible for the Sharpr Group’s compliance with applicable privacy and data protection laws and leads the Sharpr Group’s network of privacy personnel. The Sharpr Group’s network of privacy personnel have regional responsibility for the Sharpr Group’s compliance with applicable privacy and data protection laws. The Sharpr Group’s compliance department shall conduct an annual assessment of the Sharpr Group’s compliance with the Sharpr Processor BCR, which is provided to the Sharpr Group’s appointed privacy leader, compliance officer and salesforce.com, inc.’s board of directors. Such an assessment shall include any necessary corrective actions, timeframes for completing such corrective actions, and follow up by Sharpr’s compliance department to ensure such corrective actions have been completed.
iii. Customer Audits
Upon a Customer’s request, and subject to appropriate confidentiality obligations, the Sharpr Group shall make available to the Customer (or such Customer’s independent, third-party auditor that is not a competitor of the Sharpr Group) information regarding the Sharpr Group’s and third-party subprocessors’ compliance with the data protection controls set forth in this Sharpr Processor BCR. This includes providing the requesting Customer a report of the Sharpr Group’s audits of third-party processors, which Customers instruct the Sharpr Group to conduct in their applicable contracts. A Customer (or such Customer’s independent, third-party auditor that is not a competitor of the Sharpr Group) may also request to conduct an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at the locations where Personal Data is stored, including applicable members of the Sharpr Group and third-party sub-processors, by following the instructions set forth in its applicable contract. Customers shall reimburse the Sharpr Group for any time expended by the Sharpr Group or its third-party sub-processors for such on-site audit at the Sharpr Group’s then-current professional service rates, which shall be made available to Customers upon their request. Before any such on-site audit commences, the requesting Customer and the Sharpr Group shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by the Sharpr Group or its third-party subprocessors. As set forth in applicable contracts with Customers, a Customer who performs an audit in accordance with this Section must promptly provide the Sharpr Group with information regarding any noncompliance discovered during the course of an audit.
7. Third-Party Beneficiary Rights
Data Subjects may directly enforce against third-party sub-processors breaches of the written agreement with members of the Sharpr Group which relate to the third-party sub-processors’ obligations to comply with Sections 3-10 of the Sharpr Processor BCR, as applicable to the thirdparty sub-processor’s processing activities, as third-party beneficiaries. Such third-party beneficiary rights shall be limited to those situations where a Data Subject is unable to bring a claim against the relevant Customer and members of the Sharpr Group because such entities have factually ceased to Sharpr Processor exist in law or become insolvent and have not named successor entities to assume their respective legal obligations. Such third-party liability of third-party sub-processors shall be limited to their own processing operations. In accordance with Section 8 of the Sharpr Processor BCR, a Data Subject’s third-party beneficiary rights, if applicable, shall cover judicial remedies for any breach of the rights provided in the Sharpr Processor BCR and the right to receive compensation for damages.
8. Liability and Enforcement
Sharpr’s contracts with Customers shall include a reference to the Sharpr Processor BCR. In accordance with such contracts, Customers shall have the right to enforce the Sharpr Processor BCR against the Sharpr Group, including judicial remedies and the right to receive compensation.
9. Cooperation with Data Protection Authorities
The Sharpr Group shall cooperate with member state data protection authorities with jurisdiction over the Sharpr Group or competent for Customers, reply to any requests they make within a reasonable time frame and abide by the advice and recommendations of the relevant member state data protection authorities regarding the interpretation and application of the Sharpr Processor BCR. Upon request and subject to duties of confidentiality, the Sharpr Group shall provide relevant member state data protection authorities with jurisdiction over the Sharpr Group or competent for Customers (i) a copy of the Sharpr Group’s annual assessment of compliance with the Sharpr Processor BCR and/or other documentation reasonably requested; and (ii) the ability to conduct an onsite audit of the Sharpr Group’s architecture, systems and procedures relevant to the protection of Personal Data.
10. Local Law Requirements
As set forth in applicable contracts with Customers, the Sharpr Group shall comply with applicable law in its processing of Personal Data. Where applicable law requires a higher level of protection for Personal Data than provided for in the Sharpr Processor BCR, the local applicable law shall take precedence.
Where the Sharpr Group reasonably believes that applicable law prevents it from fulfilling its obligations under the Sharpr Processor BCR or the instructions of a Customer, it shall promptly notify the Sharpr Group’s Privacy department in addition to affected Customers and the data protection authority competent for the Customer. In such a case, the Sharpr Group shall use reasonable efforts to make available to the affected Customers a change in the Services or recommend a commercially reasonable change to the Customers’ configuration or use of the Services to facilitate compliance with applicable law without unreasonably burdening Customers. If the Sharpr Group is unable to make available such change within a reasonable period of time, Customers may terminate the applicable order form(s) in respect to only those Services which cannot be provided by the Sharpr Group in accordance with applicable law by providing written notice to the member of the Sharpr Group with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
In accordance with applicable contracts with Customers, the Sharpr Group shall communicate any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body to the impacted Customer unless the Sharpr Group is prohibited by law from providing such notification.
To the extent the Sharpr Group is prohibited by law from providing such notification, the Sharpr Group shall (1) review each request on a case-by-case basis; (2) use best efforts to request that the confidentiality requirement be waived to enable the Sharpr Group to notify the appropriate data protection authority competent for the Customer; and (3) maintain evidence of any such attempt to have a confidentiality requirement waived On an annual basis, the Sharpr Group shall provide the appropriate data protection authorities competent for impacted Customers with general information about the types of legally binding requests for disclosure of Personal Data the Sharpr Group receives by law enforcement authorities.
The Sharpr Processor BCR applies to the services branded as the following:
 For clarity, a Customer (as defined in Section 2) may be a Controller or a Processor of Personal Data. Where a Customer is a Processor of Personal Data, the Sharpr Group shall process Personal Data as sub-processors on behalf of the Controller. Instructions from the Controller regarding the processing Personal Data shall be given through the Processor.
PLEASE READ THIS LICENSED PROGRAM END USER LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING SOFTWARE FROM SHARPR. BY DOWNLOADING OR USINGSHARPR SOFTWARE, YOU SIGNIFY YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT AND ACKNOWLEDGE YOU HAVE READ AND UNDERSTAND THE TERMS. AN INDIVIDUAL ACTING ON BEHALF OF AN ENTITY REPRESENTS THAT HE OR SHE HAS THE AUTHORITY TO ENTER INTO THIS END USER LICENSE AGREEMENT ON BEHALF OF THAT ENTITY. IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, THEN YOU MUST NOT USE THESHARPR SOFTWARE. EXCEPT AS SET FORTH HEREIN, THIS END USER LICENSE AGREEMENT DOES NOT PROVIDE ANY RIGHTS TO SHARPR SERVICES SUCH AS ADDITIONAL SOFTWARE, CONSULTING SERVICES, MAINTENANCE, UPGRADES OR SUPPORT EXCEPT AS SET FORTH HEREIN. USING THE SOFTWARE ACCOMPANYING THIS LICENSE INDICATES YOUR ACCEPTANCE OF THESE TERMS AND CONDITIONS. READ ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT PRIOR TO INSTALLING OR USING THE SOFTWARE. IF YOU DO NOT ACCEPT THESE TERMS, YOU MUST DELETE THE SOFTWARE FROM YOUR HARDWARE.
1. License. Subject to the terms of the Statement of Work as agreed upon by the parties hereto (“SOW”), Sharpr Corporation (“Licensor”) hereby licenses (the “License”) its Information Curation Licensed Platform (the “Licensed Program”) and the accompanying documentation, services, features and documentation (the “Documentation”) to you. The term “Licensed Program” shall also include any updates of the Licensed Program licensed to you by Licensor. Subject to the terms of this agreement and the SOW, you have a non-exclusive and nontransferable right to use the Licensed Program for its own uses and not for commercial purposes (e.g., not for resale or rental or the like). You agree to use your best efforts to prevent and protect the contents of the Licensed Program and Documentation from unauthorized disclosure or use. Licensor and its licensors reserve all rights not expressly granted to you. Licensor’s licensors are the intended third party beneficiaries of this agreement and have the express right to rely upon and directly enforce the terms set forth herein.
2. Limitation on Use: You may not assign, transfer, rent, lease, sublicense, sell or otherwise transfer or distribute copies of the Licensed Program or Documentation to others. You may not modify or translate the Licensed Program or the Documentation without the prior written consent of Licensor. You may not reverse assemble, reverse compile or otherwise attempt to create the source code from the Licensed Program. You may not release the results of any performance or functional evaluation of any Licensed Program to any third party without prior written approval of Licensor for each such release. You may make copies of the Licensed Program in executable code form as necessary for your use and for backup or archive purposes. You agree to maintain records of the location and use of each copy, in whole or in part, of the Licensed Programs. Each Licensed Program is copyrighted and you agree to reproduce and apply the copyright notice and proprietary notice of Licensor to all copies made hereunder, in whole or in part and in any form, of Licensed Programs.
3. Transfer. You may not sublicense, assign, delegate, rent, lease, time-share or otherwise transfer this License or any of the related rights or obligations for any reason. Any attempt to make any such sublicense, assignment, delegation or other transfer by you shall be void.
4. Copyright and Ownership. The Licensed Program and related Documentation are copyrighted by Licensor and its licensors. You agree that the Licensed Program and Documentation belong to Licensor and its licensors. You agree that you neither own nor hereby acquire any claim or right of ownership to the Licensed Program and Documentation or to any related patents, copyrights, trademarks or other intellectual property. Licensor and its licensors retain all right, title and interest in and to the Documentation and all copies and the Licensed Program at all times, regardless of the form or media in or on which the original or other copies may subsequently exist. This License is not a sale of the original or any subsequent copy. All content accessed through the Licensed Program is the property of the applicable content owner and may be protected by applicable copyright law. This License gives you no rights to such content. Licensor retains all rights in and to the Licensed Programs not expressly granted in this Agreement.
6. Service and Support. Upon request, Licensor will provide technical support, technical maintenance, correction of technical errors and bugs, consultation, training, and other general consulting Services related to the Licensed Programs (together with the Customer Programming (as defined below), the “Services”). All Services shall be described as set forth in the SOW. If you notify Licensor of a program error respecting the Licensed Programs, or Licensor has reason to believe that error exists in the Licensed Program, Licensor shall at its expense verify and attempt to correct such error within thirty (30) working days after the date of notification. If you are not satisfied with the correction, then you may immediately upon notice terminate this Agreement.
7. Custom Programming. Upon request, Licensor shall provide such custom programming as set forth on the SOW (“Custom Programming”). All rights, title and interest in the Custom Programming as well all intellectual property rights therein or with respect thereto, are and shall be owned by Licensor and licensed to you. For purposes of this Agreement and the Application, the Licensed Programs and the License granted by Licensor shall include all Custom Programming developed pursuant to this Agreement.
8. Fees. In consideration for the License granted pursuant to this Agreement, you agree to pay Licensor a monthly License fee (“License Fee”) in the amount set forth in the SOW. Unless otherwise stated in the SOW, all payments shall be made quarterly in advance. In addition to the License Fee, in connection with the Services or any Custom Programming, you shall pay such service fees (“Service Fees”) as set forth in the SOW. Unless as set forth in the SOW, all Service Fees shall be paid to Licensor within 45 days of invoicing.
9. Term and Termination. This License is effective until terminated by you or Licensor or in accordance with the SOW. This License automatically terminates if you fail to comply with its terms and conditions or the terms and conditions of the SOW. You agree that, upon such termination, you will either destroy all copies of the Licensed Program and Documentation, or return the original Licensed Program and Documentation to Licensor, together with any other material you have received from Licensor in connection with the Licensed Program and immediately cease further use of the Licensed Programs.
10. Third Party Content. The Licensed Program may display, include, or make available content, data, information, applications or materials from third parties (“Third Party Material”). You acknowledge and agree that Licensor is not responsible for examining or evaluating content, accuracy, completeness, timeliness, validity, copyright compliance, legality, decency, quality or any other aspect of such Third Party Material or web sites. Licensor does not warrant or endorse and does not assume and will not have any liability or responsibility to you or any other person for any third party Materials.
11. No Warranty: YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE LICENSED PROGRAM IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED PROGRAM AND ANY SERVICES PERFORMED OR PROVIDED BY THE LICENSED PROGRAM (“SERVICES”) ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND APPLICATION PROVIDER HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE LICENSED PROGRAM AND ANY SERVICES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. APPLICATION PROVIDER DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE LICENSED PROGRAM, THAT THE FUNCTIONS CONTAINED IN, OR SERVICES PERFORMED OR PROVIDED BY LICENSOR WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE LICENSED PROGRAM OR SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE LICENSED PROGRAM OR SERVICES WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLICATION PROVIDER OR ITS AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE LICENSED PROGRAM OR SERVICES PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON APPLICABLE STATUTORY RIGHTS OF A CONSUMER, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU.
12. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL APPLICATION PROVIDER BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE LICENSED PROGRAM, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF APPLICATION PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU. In no event shall Application Provider’s total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) exceed the amount of the License Fees and Service Fees paid by you.
13. The Licensed Program and related Documentation are “Commercial Items”, as that term is defined at 48 C.F.R. §2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein. Unpublished-rights reserved under the copyright laws of the United States.
14. Miscellaneous. This Agreement and the License granted hereunder will be governed by the laws of the State of Utah, without reference to conflicts of laws principles. This Agreement and the SOW constitute the entire agreement between the parties with respect to the Licensed Program and the Documentation, and supersedes any other written or oral agreement. The relationships established by this Agreement are non-exclusive; each party retains the right to enter into similar agreements with other parties. You may not assign or transfer your rights or obligations under this Agreement without the prior written consent of Licensor. The failure of either Licensor to enforce at any time any of the provisions hereof or exercise any right or option hereunder shall not be construed to be a waiver of the right of such party thereafter to enforce any such provisions or exercise such right or option. Any consent by any Licensor to, or waiver of, a breach by the other, shall not constitute consent to, waiver of, or excuse of any other different or subsequent breach.