Legal

Privacy Policy

This Privacy Policy governs the manner in which Sharpr collects, uses, maintains and discloses information collected from users (each, a “User”) of the sharpr.com website (“Site”). This privacy policy applies to the Site and all products and services offered by Sharpr.

Personal identification information

We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, place an order, subscribe to the newsletter, respond to a survey, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address, mailing address, phone number. Users may, however, visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personal identification information, except that it may prevent them from engaging in certain Site-related activities.

Non-personal identification information

We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about Users’ means of connection to our Site, such as the operating system and the Internet service providers utilized and other similar information.

Web browser cookies

Our Site may use “cookies” to enhance User experience. A User’s web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Users may choose to set their web browser to refuse cookies, or to alert them when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

How we use collected information

Sharpr may collect and use Users’ personal information for the following purposes:

  • To improve customer service. Information you provide helps us respond to your customer service requests and support needs more efficiently.
  • To personalize user experience. We may use information in the aggregate to understand how our Users as a group use the services and resources provided on our Site.
  • To improve our Site. We may use feedback you provide to improve our products and services.
  • To process payments. We may use the information Users provide about themselves when placing an order only to provide service to that order. We do not share this information with outside parties except to the extent necessary to provide the service.
  • To run a promotion, contest, survey or other Site feature. To send Users information they agreed to receive about topics we think will be of interest to them.
  • To send periodic emails. We may use the email address to send User information and updates pertaining to their order. It may also be used to respond to their inquiries, questions, and/or other requests. If User decides to opt-in to our mailing list, they will receive emails that may include company news, updates, related product or service information, etc. If at any time the User would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email.

 

How we protect your information

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site. Sensitive and private data exchange between the Site and its Users happens over an SSL-secured communication channel and is encrypted and protected with digital signatures.

Sharing your personal information

We do not sell, trade, or rent Users’ personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third-party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes provided that you have given us your permission.

Changes to this privacy policy

Sharpr has the discretion to update this privacy policy at any time. When we do, we will revise the updated date at the bottom of this page. We encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications.

Your acceptance of these terms

By using this Site, you signify your acceptance of this policy and terms of service. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.

Contacting us

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us at:

Sharpr
215 S State Street STE 700
Salt Lake City, UT 84111
801-575-6000
contact@sharpr.com

This document was last updated on March 28, 2022

 

California Privacy Rights

The California Consumer Privacy Act of 2018 (“CCPA”) provides additional consumer rights. This notice applies only to individuals residing in California.

The right to know the categories of personal information we collected in the past 12 months:

  • Personal Identifiers such as first name, last name, email address
  • Internet or other electronic network activity information such as browser cookies

The right to know the use of personal information

  • To fulfill the reason you provided the info (i.e., price quotes or demo requests)
  • To support, personalize, and develop our websites, products, and services.
  • To provide you with support and respond to inquiries

The right to know the categories of personal information disclosed for business purposes in the past 12 months:

  • Personal Identifiers such as first name, last name, email address

Sharpr does not and has not sold any personal information in the past 12 months.

The right to request access to personal information
You may submit a verifiable request for information regarding the:

  • Categories of personal information we have collected about you
  • Categories of sources from which the personal information was collected
  • Categories of personal information about you we disclosed for a business purpose or sold
  • Categories of third parties to whom the personal information was disclosed for a business purpose or sold
  • The business or commercial purpose for collecting or selling the personal information
  • Specific pieces of personal information we have collected about you

To do so, please submit an access request here or by calling us at 801-575-6000.

The right to request deletion of personal information
You may submit a request to delete personal information about you that we have collected from you. To do so, please submit a deletion request here or by calling us at 801-575-6000.

The right to opt-out
Sharpr does not and has not sold any personal information in the past 12 months. However, Sharpr understands that you may want to opt out of having your personal information sold to third parties. To do so, please go to the Do Not Sell My Personal Information page.

The right to Non-Discrimination
We will not discriminate against you because you exercised your rights set out in the CCPA.

This document was last updated on April 13, 2022

SECURITY, PRIVACY, AND ARCHITECTURE

Sharpr’s Corporate Trust Commitment

Sharpr is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”).

Services Covered

This documentation describes the architecture of, the security and privacy-related audits and certifications received for, and the administrative, technical and physical controls applicable to the services offered by Sharpr (the “Sharpr Services”).

Infrastructure

Sharpr owns or controls access to the infrastructure that Sharpr uses to host Customer Data submitted to the Sharpr Services. Each instance of the Sharpr Services contains servers and other elements to make it run. Each instance in a primary data center has an exact copy in a secondary data center.

Audits and Certifications

The following security and privacy-related audits and certifications are applicable to the Sharpr Services:

    • Binding Corporate Rules (BCR) for Processors: Customer Data submitted to the services is within the scope of the Sharpr BCR for Processors. The most current version of the Sharpr BCR for Processors is available on Sharpr’s website.
    • ISO 27001 compliance: Sharpr is subject to an information security management system (ISMS) in accordance with the ISO 27001 international standard. Sharpr is ISO 27001 compliant and the cloud infrastructure is ISO 27001 certified for its ISMS from an independent third party. The Sharpr ISO 27001 Certificate and Statement of Applicability are available upon request from your organization’s Sharpr account executive.

Additionally, the Sharpr Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis.

Security Controls

The Sharpr Services include a variety of configurable security controls that allow customers to tailor the security of the Sharpr Services for their own use. These controls are set forth in the Security Implementation Guide.

Security Procedures, Policies and Logging

The Sharpr Services are operated in accordance with the following procedures to enhance security:

  • User passwords are stored using a one-way salted hash.
  • User access log entries will be maintained, containing date, time, User ID, URL executed or entity ID operated on, operation performed (created, updated, deleted) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP.
  • If there is suspicion of inappropriate access, Sharpr can provide customers log entry records to assist in forensic analysis. This service will be provided to customers on a time and materials basis.
  • Logs will be kept for a minimum of 90 days.
  • Logs will be kept in a secure area to prevent tampering.
  • Passwords are not logged under any circumstances.
  • Certain administrative changes to the Sharpr Services (such as password changes and adding custom fields) are tracked in an area known as the “Setup Audit Trail” and are available for viewing by a customer’s system administrator. Customers may download and store this data locally.
  • Sharpr personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.

 

Intrusion Detection

Sharpr, or an authorized third party, will monitor the Sharpr Services for unauthorized intrusions using network-based intrusion detection mechanisms. Sharpr may analyze data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Sharpr Services function properly.

Security Logs

All Sharpr systems used in the provision of the Sharpr Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable security reviews and analysis.

Incident Management

Sharpr maintains security incident management policies and procedures. Sharpr promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data by Sharpr or its agents of which Sharpr becomes aware to the extent permitted by law.

User Authentication

Access to Sharpr Services requires authentication via one of the supported mechanisms as described in the Security Implementation Guide, including user ID/password, SAML-based Federation, OAuth, Social Login, or Delegated Authentication as determined and controlled by the customer. Following successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.

Physical Security

Production data centers used to provide the Sharpr Services have access control systems. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor access screening, including biometrics, and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.

Reliability and Backup

All networking components, SSL accelerators, load balancers, Web servers and application servers are configured in a redundant configuration. All Customer Data submitted to the Sharpr Services is stored on a primary database server with multiple active clusters for higher availability. All Customer Data submitted to the Sharpr Services is stored on carrier-class disk storage using redundant devices and multiple data paths to ensure reliability and performance. All Customer Data submitted to the Sharpr Services, up to the last committed transaction, is automatically replicated on a near real-time basis to the secondary site and is backed up on a regular basis and stored on backup media for an additional 3 days in production environments and 30 days in Sandbox environments after which it is securely overwritten or deleted from the Sharpr Services. Any backups are verified for integrity and stored in Sharpr data centers.

Disaster Recovery

Sharpr has disaster recovery plans in place and tests them at least once per year. The Sharpr Services utilize secondary facilities that are geographically remote from their primary data centers, along with required hardware, software, and Internet connectivity, in the event Sharpr production facilities at the primary data centers were to be rendered unavailable. The Sharpr Services’ disaster recovery plans currently have the following target recovery objectives: (a) restoration of the Sharpr Service within 12 hours after Sharpr’s declaration of a disaster; and (b) maximum Customer Data loss of 24 hours; excluding, however, a disaster or multiple disasters causing the compromise of both data centers at the same time, and excluding development and test bed environments, such as the Sandbox service.

Viruses

The Sharpr Services do scan for viruses that could be included in attachments or other Customer Data uploaded into the Sharpr Services by a customer but we DO NOT guarantee we will find all viruses and shall not be liable for a failure to detect all viruses. Uploaded attachments, however, are executed in the Sharpr Services and could potentially damage or compromise the Sharpr Services by virtue of containing a virus. Customers shall be liable for any damage or loss resulting from viruses contained in any uploaded attachment.

Data Encryption

The Sharpr Services use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer’s network and the Sharpr Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during transmission between data centers for replication purposes.

Return of Customer Data

Within 30 days post contract termination, customers may request return of their respective Customer Data submitted to the Sharpr Services. Sharpr shall provide such Customer Data via a downloadable file in comma separated value (.csv) format and attachments in their native format.

Deletion of Customer Data

After contract termination, Customer Data submitted to the Sharpr Services is retained in inactive status within the Sharpr Services for 180 days and a transition period of up to 30 days, after which it is securely overwritten or deleted. In accordance with the Reliability and Backup section above, Customer Data submitted to the Sharpr Services (including Customer Data retained in inactive status) will be stored on backup media for an additional 90 days in production environments and 30 days in Sandbox environments after it is securely overwritten or deleted from the Sharpr Services. Physical media on which Customer Data is stored during the contract term is not removed from the data centers that Sharpr uses to host Customer Data unless the media is at the end of its useful life or being deprovisioned, in which case the media is first sanitized before removal. This process is subject to applicable legal requirements.

Without limiting the ability for customers to request return of their Customer Data submitted to the Sharpr Services, Sharpr reserves the right to reduce the number of days it retains such data after contract termination. Sharpr will update this Sharpr Security, Privacy, and Architecture Documentation in the event of such a change.

Tracking and Analytics

Sharpr may track and analyze use of the Sharpr Services for purposes of security and helping Sharpr improve both the Sharpr Services and the user experience in using the Sharpr Services. Sharpr may also use this information and users’ e-mail addresses to contact customers or their users to provide transactional information about the Sharpr Services. Sharpr will offer customers and users the ability to opt out of receiving such emails.

Without limiting the foregoing, Sharpr may share anonymous data about Sharpr’s customers’ or their users’ use of the Sharpr Services (“Usage Statistics”) to Sharpr’s service providers for the purpose of helping Sharpr in such tracking or analysis, including improving its users’ experience with the Sharpr Services, or as required by law. Additionally, Sharpr may share such anonymous data with other customers on an aggregate basis. Except when required by law, any such sharing of Usage Statistics will not include any identifying information about Sharpr’s customers or customers’ users.

Interoperation with Other Sharpr Services

The Sharpr Services may interoperate with other services provided by Sharpr. The Security, Privacy and Architecture documentation for such services is available in the Trust and Compliance Documentation section of help.sharpr.com.

This document was last updated on April 13, 2022

Sharpr Processor BCR

1. Introduction

Sharpr Corporation and its affiliates are committed to achieving and maintaining customer trust. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters. In accordance with the EU Data Protection Directive and implementing national legislation, the Sharpr Processor BCR is intended to provide an adequate level of protection for Personal Data during international transfers within the Sharpr Group made on behalf of Customers and under their instructions. [1]

2. Definitions

  • Controller means controller, as defined in the EU Data Protection Directive. The term “controller” is defined in the EU Data Protection Directive as “the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.”
  • Customer means (i) a legal entity with whom a member of the Sharpr Group has executed a contract to provide the Services (or a legal entity placing an order under such contract) and such contract incorporates by reference the Sharpr Processor BCR or (ii) a legal entity with whom a member of the Sharpr Group has executed a contract under which the legal entity is entitled to resell the Services to its end customers and such contract incorporates by reference the Sharpr Processor BCR.
  • Data Subject means an individual to whom Personal Data relates.
  • EU Data Protection Directive means European Union Directive 95/46/EC dated 24 October 1995.
  • Personal Data means personal data, as defined in the EU Data Protection Directive, when such data is submitted to the Services. The term “personal data” is defined in the EU Data Protection Directive as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.”
  • Processor means processor, as defined in the EU Data Protection Directive. The term “processor” is defined in the EU Data Protection Directive as “a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.”
  • Sharpr Group means Sharpr Corporation and its affiliate sub-processors of Personal Data, available here.
  • Sharpr Processor BCR means Sharpr’s Processor Binding Corporate Rules for the Processing of Personal Data.
  • Services means the online services provided to Customer by the Sharpr Group, as listed in Appendix A.

 

3. Scope and Application

The purpose of the Sharpr Processor BCR is to govern cross-border transfers of Personal Data to and between members of the Sharpr Group, and to third-party sub-processors (in accordance with written agreements with any such third-party sub-processors) when acting as Processors and/or sub-processors on behalf and under the instructions of Customers.

The Sharpr Processor BCR applies to Personal Data submitted to the Services by:

(a) Customers established in EEA member states whose processing activities for the relevant data are governed by the EU Data Protection Directive and implementing national legislation; and

(b) Customers established in non-EEA member states for which the customer has contractually specified that the EU Data Protection Directive and implementing national legislation shall apply.

The Sharpr Group may update the Sharpr Processor BCR with approval from the Sharpr Group’s appointed privacy leader, general counsel and compliance officer. All changes to the Sharpr Processor BCR shall be communicated to members of the Sharpr Group.

The Sharpr Group’s appointed privacy leader shall be responsible for keeping a fully updated list of the members of the Sharpr Group and third-party sub-processors and making appropriate notifications to Customers and the CNIL in its capacity as lead authority for the Sharpr Processor BCR. The Sharpr Group shall not transfer Personal Data to a new member of the Sharpr Group until such member is appropriately bound by and complies with the Sharpr Processor BCR.

The Sharpr Group shall make the most current version of the Sharpr Processor BCR, including the members of the Sharpr Group, available at https://wpadvanced.sharpr.com/legal/. Significant changes to the Sharpr Processor BCR and/or the list of members of the Sharpr Group will be reported (a) in a timely fashion to Customers and (b) once per year to the relevant data protection authorities accompanied by a brief explanation of the changes.

4. Responsibilities Towards Customers

A. General Obligations

The Sharpr Group and its employees shall comply with the Sharpr Processor BCR, process Personal Data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of Personal Data, pursuant to the measures provided in the contracts executed with Customers.

B. Transparency and Cooperation with Customers

The Sharpr Group undertakes to be transparent regarding its Personal Data processing activities and to provide Customers with reasonable cooperation within a reasonable period of time to help facilitate their respective data protection obligations regarding Personal Data.

C. Data Subject Rights

Members of the Sharpr Group act as Processors on behalf of Customers. As between the Sharpr Group and Customers, Customers have primary responsibility for interacting with Data Subjects, and the role of the Sharpr Group is generally limited to assisting Customers as needed.

i. Access, Correction, Amendment or Deletion Requests

The Sharpr Group shall promptly notify a Customer if the Sharpr Group receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. The Sharpr Group shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer.

The Sharpr Group shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data to the extent Customers do not have access to such Personal Data through their respective uses of the Services.

ii. Handling of Complaints

The Sharpr Group’s Privacy department shall be responsible for handling complaints related to compliance with the Sharpr Processor BCR.

Data Subjects may lodge a complaint about processing of their respective Personal Data that is incompatible with the Sharpr Processor BCR by contacting the relevant Customer or the Sharpr Group’s Privacy department at the email address privacy@sharpr.com. The Sharpr Group shall promptly communicate the complaint to the Customer to whom the Personal Data relates.

Customers shall be responsible for responding to all Data Subject complaints forwarded by the Sharpr Group except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where the Sharpr Group is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the relevant data protection authority).

D. Regulatory Inquiries and Complaints

The Sharpr Group shall, to the extent legally permitted, promptly notify a Customer if the Sharpr Group receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, the Sharpr Group shall provide the Customer with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any regulatory inquiry or complaint involving the Sharpr Group’s processing of Personal Data.

5. Description of Processing Operations and Transfers

A. Purpose Limitation

The Sharpr Group shall process Personal Data only for the following purposes: (i) processing in accordance with a Customer’s instructions set forth in the Customer’s contract with a member of the Sharpr Group; and (ii) processing initiated by the Customer in its use of the Services. If the Sharpr Group cannot comply with such purpose limitation, a member of the Sharpr Group shall promptly notify the relevant Customer, and such Customer shall be entitled to suspend the transfer of Personal Data and/or terminate the applicable order form(s) in respect to only those Services which cannot be provided by the Sharpr Group in accordance with such Customer’s instructions. On the termination of the provision of such Services, the Sharpr Group and third-party sub-processors shall, at the choice of the Customer, return the Personal Data to the Customer and/or delete the Personal Data as set forth in the applicable customer contract.

B. Data Quality

Customers have access to, and control of, Personal Data in their use of the Services. To the extent a Customer, in its use of the Services, does not have the ability to anonymize, correct, amend or delete Personal Data, as required by applicable laws, the Sharpr Group shall comply with any request by a Customer in a reasonable period of time and to the extent reasonably possible to facilitate such actions by executing any measures necessary to comply with the law, in a reasonable period of time and to the extent reasonably possible to the extent the Sharpr Group is legally permitted to do so. The Sharpr Group will, to the extent reasonably required for this purpose, inform each member of the Sharpr Group to whom the Personal Data may be stored of any anonymization, rectification, amendment or deletion of such data. If any such anonymization, correction, amendment or deletion request is applicable to a third-party sub-processor’s processing of Personal Data, the Sharpr Group shall communicate such request to the applicable third-party sub-processor(s).

C. Sub-processing

i. Sub-processing Within the Sharpr Group

As set forth in applicable contracts with Customers, members of the Sharpr Group may be retained as sub-processors of Personal Data, and depending on the location of the Sharpr Group member, processing of Personal Data by such sub-processors may involve transfers of Personal Data. The Sharpr Processor BCR extends to all members of the Sharpr Group.

ii. Sub-processing by Third Parties

As set forth in applicable contracts with Customers, members of the Sharpr Group may retain third-party sub-processors, and depending on the location of the third-party sub-processor, processing of Personal Data by such sub-processors may involve transfers of Personal Data. Such third-party sub-processors shall process Personal Data only (i) in accordance with the Customer’s instructions set forth in the Customer’s contract with a member of the Sharpr Group; or (ii) if processing is initiated by the Customer in its use of the Services. The current list of third-party sub-processors engaged in processing Personal Data, including a description of their processing activities, is available here. Such third-party sub-processors have entered into written agreements with a member of the Sharpr Group in accordance with the applicable requirements of Articles 16, 17, 25 and 26 of the EU Data Protection Directive and Sections 3 – 10 of the Sharpr Processor BCR as applicable to the third-party sub-processor’s processing activities.

iii. Notification of New Sub-processors and Objection Rights

As set forth in applicable contracts with Customers, the Sharpr Group shall provide Customers with prior notification before a new sub-processor begins processing Personal Data. Within thirty (30) days of receiving such notice, a Customer may object to the Sharpr Group’s use of a new sub-processor subject to the following:

It would be unreasonable for a Customer to object to a new sub-processor that is a member of the Sharpr Group if (a) the sub-processor is subject to the Sharpr Processor BCR; and (b) has achieved a third-party, internationally-recognized security certification (e.g., ISO 27001) unless the Customer demonstrates reasonable suspicion that the new sub-processor will not be able to comply with its obligations under the Sharpr Processor BCR.

Unless a Customer demonstrates reasonable suspicion that a new third-party sub-processor introduces unreasonable risk to the protection of Personal Data (e.g., a history of security breaches), it would be unreasonable for a Customer to object to a new third-party sub-processor if (a) the new third-party sub-processor is located in a country that provides an adequate level of protection per the European Commission or has entered into a contract with a member of the Sharpr Group containing the applicable requirements of the European Commission’s controller-to-processor standard contractual clauses; and (b) the new third-party sub-processor has passed the Sharpr Group’s vendor security evaluation based on a third-party, internationally-recognized security framework.

In the event a Customer objects to a new sub-processor, and that objection is not unreasonable under the standards described above, the Sharpr Group will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening the Customer. If the Sharpr Group is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, the Customer may terminate the applicable order form(s) in respect only to those Services which cannot be provided by the Sharpr Group without the use of the objected-to new sub-processor by providing written notice to the member of the Sharpr Group with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

6. Confidentiality and Security Measures

A. Confidentiality and Training

The Sharpr Group shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have executed written confidentiality agreements and have received appropriate training on their responsibilities. Additionally, the Sharpr Group shall ensure that its personnel responsible for the development of tools used to process Personal Data have received appropriate training on their responsibilities. The Sharpr Group shall also ensure that its personnel engaged in the processing of Personal Data are limited to those personnel who require such access to perform the Sharpr Group’s obligations under applicable contracts with Customers.

B. Data Security

The Sharpr Group shall maintain appropriate administrative, technical and physical safeguards for protection of the security, confidentiality and integrity of Personal Data, as set forth in applicable contracts with Customers. The Sharpr Group regularly monitors compliance with these safeguards. The Sharpr Group will not materially decrease the overall security of the Services during a Customer’s applicable subscription term.

C. Security Breach Notification

In the event a member of the Sharpr Group becomes aware of any unauthorized access to or disclosure of Personal Data, the Sharpr Group will promptly notify affected Customers to the extent such notification is permitted by applicable law.

D. Audits

The Sharpr Group shall maintain an audit program to help ensure compliance with the Sharpr Processor BCR, including the following third-party audits and certifications, internal verification and audits by Customers. The audit program covers all aspects of the Sharpr Processor BCR, including methods for ensuring non-compliance is addressed.

i. Third-Party Audits and Certifications

The following third-party audits and certifications are applicable to the Services. The Sharpr Group agrees to maintain such audits and certifications, or their successors.

ISO 27001 certification: The Sharpr Group is subject to an information security management system (ISMS) in accordance with the ISO 27001 international standard. Sharpr is ISO 27001 compliant and the cloud infrastructure used by Sharpr is ISO 27001 certified. The scope of the Sharpr Group’s ISO 27001 certification is set forth in the Security, Privacy and Architecture Documentation for the Services.

SSAE 16 Service Organization Control (SOC) reports: Sharpr’s cloud infrastructure undergoes an independent evaluation in the form of SSAE 16 Service Organization Control (SOC) reports, which are available to Customers upon request.

ii. Internal Verification

The Sharpr Group has appointed a network of privacy personnel responsible for overseeing and ensuring compliance with the Sharpr Group’s data protection responsibilities at a local and global level, including compliance with this Sharpr Processor BCR, advising management on data protection matters, liaising with data protection authorities, and handling data protection-related complaints. Each member of the Sharpr Group shall be assigned such a member of the network of privacy personnel. Such privacy personnel are primarily responsible for privacy-related matters and report to the Sharpr Group’s appointed privacy leader, who reports to the Sharpr Group’s general counsel, and benefit from the support of the Sharpr Group’s top management. The Sharpr Group’s appointed privacy leader is responsible for the Sharpr Group’s compliance with applicable privacy and data protection laws and leads the Sharpr Group’s network of privacy personnel. The Sharpr Group’s network of privacy personnel have regional responsibility for the Sharpr Group’s compliance with applicable privacy and data protection laws. The Sharpr Group’s compliance department shall conduct an annual assessment of the Sharpr Group’s compliance with the Sharpr Processor BCR, which is provided to the Sharpr Group’s appointed privacy leader, compliance officer and salesforce.com, inc.’s board of directors. Such an assessment shall include any necessary corrective actions, timeframes for completing such corrective actions, and follow up by Sharpr’s compliance department to ensure such corrective actions have been completed.

iii. Customer Audits

Upon a Customer’s request, and subject to appropriate confidentiality obligations, the Sharpr Group shall make available to the Customer (or such Customer’s independent, third-party auditor that is not a competitor of the Sharpr Group) information regarding the Sharpr Group’s and third-party sub-processors’ compliance with the data protection controls set forth in this Sharpr Processor BCR. This includes providing the requesting Customer a report of the Sharpr Group’s audits of third-party processors, which Customers instruct the Sharpr Group to conduct in their applicable contracts. A Customer (or such Customer’s independent, third-party auditor that is not a competitor of the Sharpr Group) may also request to conduct an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at the locations where Personal Data is stored, including applicable members of the Sharpr Group and third-party sub-processors, by following the instructions set forth in its applicable contract. Customers shall reimburse the Sharpr Group for any time expended by the Sharpr Group or its third-party sub-processors for such on-site audit at the Sharpr Group’s then-current professional service rates, which shall be made available to Customers upon their request. Before any such on-site audit commences, the requesting Customer and the Sharpr Group shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by the Sharpr Group or its third-party sub-processors. As set forth in applicable contracts with Customers, a Customer who performs an audit in accordance with this Section must promptly provide the Sharpr Group with information regarding any noncompliance discovered during the course of an audit.

7. Third-Party Beneficiary Rights

Data Subjects may directly enforce against third-party sub-processors breaches of the written agreement with members of the Sharpr Group which relate to the third-party sub-processors’ obligations to comply with Sections 3-10 of the Sharpr Processor BCR, as applicable to the third-party sub-processor’s processing activities, as third-party beneficiaries. Such third-party beneficiary rights shall be limited to those situations where a Data Subject is unable to bring a claim against the relevant Customer and members of the Sharpr Group because such entities have factually ceased to exist in law or become insolvent and have not named successor entities to assume their respective legal obligations. Such third-party liability of third-party sub-processors shall be limited to their own processing operations. In accordance with Section 8 of the Sharpr Processor BCR, a Data Subject’s third-party beneficiary rights, if applicable, shall cover judicial remedies for any breach of the rights provided in the Sharpr Processor BCR and the right to receive compensation for damages.

8. Liability and Enforcement

Sharpr’s contracts with Customers shall include a reference to the Sharpr Processor BCR. In accordance with such contracts, Customers shall have the right to enforce the Sharpr Processor BCR against the Sharpr Group, including judicial remedies and the right to receive compensation.

9. Cooperation with Data Protection Authorities

The Sharpr Group shall cooperate with member state data protection authorities with jurisdiction over the Sharpr Group or competent for Customers, reply to any requests they make within a reasonable time frame and abide by the advice and recommendations of the relevant member state data protection authorities regarding the interpretation and application of the Sharpr Processor BCR. Upon request and subject to duties of confidentiality, the Sharpr Group shall provide relevant member state data protection authorities with jurisdiction over the Sharpr Group or competent for Customers (i) a copy of the Sharpr Group’s annual assessment of compliance with the Sharpr Processor BCR and/or other documentation reasonably requested; and (ii) the ability to conduct an onsite audit of the Sharpr Group’s architecture, systems and procedures relevant to the protection of Personal Data.

10. Local Law Requirements

As set forth in applicable contracts with Customers, the Sharpr Group shall comply with applicable law in its processing of Personal Data. Where applicable law requires a higher level of protection for Personal Data than provided for in the Sharpr Processor BCR, the local applicable law shall take precedence.

Where the Sharpr Group reasonably believes that applicable law prevents it from fulfilling its obligations under the Sharpr Processor BCR or the instructions of a Customer, it shall promptly notify the Sharpr Group’s Privacy department in addition to affected Customers and the data protection authority competent for the Customer. In such a case, the Sharpr Group shall use reasonable efforts to make available to the affected Customers a change in the Services or recommend a commercially reasonable change to the Customers’ configuration or use of the Services to facilitate compliance with applicable law without unreasonably burdening Customers. If the Sharpr Group is unable to make available such change within a reasonable period of time, Customers may terminate the applicable order form(s) in respect to only those Services which cannot be provided by the Sharpr Group in accordance with applicable law by providing written notice to the member of the Sharpr Group with whom the customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

In accordance with applicable contracts with Customers, the Sharpr Group shall communicate any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body to the impacted Customer unless the Sharpr Group is prohibited by law from providing such notification.

To the extent the Sharpr Group is prohibited by law from providing such notification, the Sharpr Group shall (1) review each request on a case-by-case basis; (2) use best efforts to request that the confidentiality requirement be waived to enable the Sharpr Group to notify the appropriate data protection authority competent for the Customer; and (3) maintain evidence of any such attempt to have a confidentiality requirement waived. On an annual basis, the Sharpr Group shall provide the appropriate data protection authorities competent for impacted Customers with general information about the types of legally binding requests for disclosure of Personal Data the Sharpr Group receives by law enforcement authorities.

Appendix A – Services to which the Sharpr Processor BCR Applies

The Sharpr Processor BCR applies to the services branded as the following:

  • The Sharpr Services, which provide customer relationship management applications and a platform upon which customers may build their own applications.

[1] For clarity, a Customer (as defined in Section 2) may be a Controller or a Processor of Personal Data. Where a Customer is a Processor of Personal Data, the Sharpr Group shall process Personal Data as sub-processors on behalf of the Controller. Instructions from the Controller regarding the processing of Personal Data shall be given through the Processor.

This document was last updated on May 29, 2020

License

PLEASE READ THIS LICENSED PROGRAM END USER LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING SOFTWARE FROM SHARPR. BY DOWNLOADING OR USING SHARPR SOFTWARE, YOU SIGNIFY YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT AND ACKNOWLEDGE YOU HAVE READ AND UNDERSTAND THE TERMS. AN INDIVIDUAL ACTING ON BEHALF OF AN ENTITY REPRESENTS THAT HE OR SHE HAS THE AUTHORITY TO ENTER INTO THIS END USER LICENSE AGREEMENT ON BEHALF OF THAT ENTITY. IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, THEN YOU MUST NOT USE THE SHARPR SOFTWARE. EXCEPT AS SET FORTH HEREIN, THIS END USER LICENSE AGREEMENT DOES NOT PROVIDE ANY RIGHTS TO SHARPR SERVICES SUCH AS ADDITIONAL SOFTWARE, CONSULTING SERVICES, MAINTENANCE, UPGRADES OR SUPPORT EXCEPT AS SET FORTH HEREIN. USING THE SOFTWARE ACCOMPANYING THIS LICENSE INDICATES YOUR ACCEPTANCE OF THESE TERMS AND CONDITIONS. READ ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT PRIOR TO INSTALLING OR USING THE SOFTWARE. IF YOU DO NOT ACCEPT THESE TERMS, YOU MUST DELETE THE SOFTWARE FROM YOUR HARDWARE.

1. License.  Subject to the terms of the Statement of Work as agreed upon by the parties hereto (“SOW”), Sharpr Corporation (“Licensor”) hereby licenses (the “License”) its Information Curation Licensed Platform (the “Licensed Program”) and the accompanying documentation, services, features and documentation (the “Documentation”) to you. The term “Licensed Program” shall also include any updates of the Licensed Program licensed to you by Licensor.  Subject to the terms of this agreement and the SOW, you have a non-exclusive and nontransferable right to use the Licensed Program for its own uses and not for commercial purposes (e.g., not for resale or rental or the like).  You agree to use your best efforts to prevent and protect the contents of the Licensed Program and Documentation from unauthorized disclosure or use. Licensor and its licensors reserve all rights not expressly granted to you. Licensor’s licensors are the intended third party beneficiaries of this agreement and have the express right to rely upon and directly enforce the terms set forth herein.

2. Limitation on Use:  You may not assign, transfer, rent, lease, sublicense, sell or otherwise transfer or distribute copies of the Licensed Program or Documentation to others. You may not modify or translate the Licensed Program or the Documentation without the prior written consent of Licensor. You may not reverse assemble, reverse compile or otherwise attempt to create the source code from the Licensed Program. You may not release the results of any performance or functional evaluation of any Licensed Program to any third party without prior written approval of Licensor for each such release. You may make copies of the Licensed Program in executable code form as necessary for your use and for backup or archive purposes. You agree to maintain records of the location and use of each copy, in whole or in part, of the Licensed Programs. Each Licensed Program is copyrighted and you agree to reproduce and apply the copyright notice and proprietary notice of Licensor to all copies made hereunder, in whole or in part and in any form, of Licensed Programs.

3. Transfer.  You may not sublicense, assign, delegate, rent, lease, time-share or otherwise transfer this License or any of the related rights or obligations for any reason. Any attempt to make any such sublicense, assignment, delegation or other transfer by you shall be void.

4. Copyright and Ownership.  The Licensed Program and related Documentation are copyrighted by Licensor and its licensors. You agree that the Licensed Program and Documentation belong to Licensor and its licensors. You agree that you neither own nor hereby acquire any claim or right of ownership to the Licensed Program and Documentation or to any related patents, copyrights, trademarks or other intellectual property. Licensor and its licensors retain all right, title and interest in and to the Documentation and all copies and the Licensed Program at all times, regardless of the form or media in or on which the original or other copies may subsequently exist. This License is not a sale of the original or any subsequent copy.  All content accessed through the Licensed Program is the property of the applicable content owner and may be protected by applicable copyright law. This License gives you no rights to such content. Licensor retains all rights in and to the Licensed Programs not expressly granted in this Agreement.

6. Service and Support.  Upon request, Licensor will provide technical support, technical maintenance, correction of technical errors and bugs, consultation, training, and other general consulting Services related to the Licensed Programs (together with the Customer Programming (as defined below), the “Services”).  All Services shall be described as set forth in the SOW.  If you notify Licensor of a program error respecting the Licensed Programs, or Licensor has reason to believe that error exists in the Licensed Program, Licensor shall at its expense verify and attempt to correct such error within thirty (30) working days after the date of notification. If you are not satisfied with the correction, then you may immediately upon notice terminate this Agreement.

7. Custom Programming.  Upon request, Licensor shall provide such custom programming as set forth on the SOW (“Custom Programming”).  All rights, title and interest in the Custom Programming as well as all intellectual property rights therein or with respect thereto, are and shall be owned by Licensor and licensed to you.  For purposes of this Agreement and the Application, the Licensed Programs and the License granted by Licensor shall include all Custom Programming developed pursuant to this Agreement.

8. Fees.  In consideration for the License granted pursuant to this Agreement, you agree to pay Licensor a monthly License fee (“License Fee”) in the amount set forth in the SOW.  Unless otherwise stated in the SOW, all payments shall be made quarterly in advance.  In addition to the License Fee, in connection with the Services or any Custom Programming, you shall pay such service fees (“Service Fees”) as set forth in the SOW.  Unless as set forth in the SOW, all Service Fees shall be paid to Licensor within 45 days of invoicing.

9. Term and Termination.   This License is effective until terminated by you or Licensor or in accordance with the SOW. This License automatically terminates if you fail to comply with its terms and conditions or the terms and conditions of the SOW. You agree that, upon such termination, you will either destroy all copies of the Licensed Program and Documentation, or return the original Licensed Program and Documentation to Licensor, together with any other material you have received from Licensor in connection with the Licensed Program and immediately cease further use of the Licensed Programs.

10. Third Party Content.  The Licensed Program may display, include, or make available content, data, information, applications or materials from third parties (“Third Party Material”).  You acknowledge and agree that Licensor is not responsible for examining or evaluating content, accuracy, completeness, timeliness, validity, copyright compliance, legality, decency, quality or any other aspect of such Third Party Material or web sites.  Licensor does not warrant or endorse and does not assume and will not have any liability or responsibility to you or any other person for any third party Materials.

11. No Warranty: YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE LICENSED PROGRAM IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED PROGRAM AND ANY SERVICES PERFORMED OR PROVIDED BY THE LICENSED PROGRAM (“SERVICES”) ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND APPLICATION PROVIDER HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE LICENSED PROGRAM AND ANY SERVICES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. APPLICATION PROVIDER DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE LICENSED PROGRAM, THAT THE FUNCTIONS CONTAINED IN, OR SERVICES PERFORMED OR PROVIDED BY LICENSOR WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE LICENSED PROGRAM OR SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE LICENSED PROGRAM OR SERVICES WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLICATION PROVIDER OR ITS AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE LICENSED PROGRAM OR SERVICES PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON APPLICABLE STATUTORY RIGHTS OF A CONSUMER, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU.

12. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL APPLICATION PROVIDER BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE LICENSED PROGRAM, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF APPLICATION PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU. In no event shall Application Provider’s total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) exceed the amount of the License Fees and Service Fees paid by you.

13. The Licensed Program and related Documentation are “Commercial Items”, as that term is defined at 48 C.F.R. §2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §227.7202-1 through 227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to all other end users pursuant to the terms and conditions herein. Unpublished-rights reserved under the copyright laws of the United States.

14. Miscellaneous.  This Agreement and the License granted hereunder will be governed by the laws of the State of Utah, without reference to conflicts of laws principles.  This Agreement and the SOW constitute the entire agreement between the parties with respect to the Licensed Program and the Documentation, and supersedes any other written or oral agreement. The relationships established by this Agreement are non-exclusive; each party retains the right to enter into similar agreements with other parties.  You may not assign or transfer your rights or obligations under this Agreement without the prior written consent of Licensor.   The failure of either Licensor to enforce at any time any of the provisions hereof or exercise any right or option hereunder shall not be construed to be a waiver of the right of such party thereafter to enforce any such provisions or exercise such right or option.   Any consent by any Licensor to, or waiver of, a breach by the other, shall not constitute consent to, waiver of, or excuse of any other different or subsequent breach.

This document was last updated on May 29, 2020