Camunda Cloud Master Services Agreement
IMPORTANT – READ CAREFULLY. THIS MASTER SERVICES AGREEMENT (THE “AGREEMENT”) SETS OUT THE LEGAL TERMS AND CONDITIONS WHICH GOVERN THE RELATIONSHIP BETWEEN YOU (“CUSTOMER” OR “YOU”) AND THE CAMUNDA ENTITY SET FORTH IN SECTION 19.1 (“CAMUNDA”) (TOGETHER THE “PARTIES”) AND THE RELATED TERMS AND CONDITIONS APPLICABLE TO CAMUNDA CLOUD (“CAMUNDA CLOUD”). IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, THEN YOU SHOULD NOT SELECT THE CHECKBOX MARKING YOUR ACCEPTANCE OF THESE TERMS, AT WHICH POINT YOU WILL NOT BE PERMITTED TO PURCHASE CAMUNDA CLOUD’S PROFESSIONAL TIER PLAN. DO NOT SELECT THE CHECKBOX MARKING YOUR ACCEPTANCE OF THESE TERMS UNLESS (1) YOU ARE AUTHORIZED TO ACCEPT AND AGREE TO THE TERMS OF THIS AGREEMENT AND (2) YOU INTEND TO ENTER INTO AND TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU SELECT THE CHECKBOX MARKING YOUR ACCEPTANCE OF THESE TERMS AND PROCEED TO PURCHASE A PROFESSIONAL TIER PLAN FOR CAMUNDA CLOUD, THIS AGREEMENT WILL BE EFFECTIVE IMMEDIATELY.
Camunda reserves the right to change the terms and conditions of this Agreement by providing the modified terms and conditions, along with an effective date for modified terms, to an email address registered with the Account. Customer’s acceptance of such modified terms shall be a condition of its continued use of the Account and Camunda Cloud. Otherwise, Customer agrees that the Agreement between the Parties may only be modified by an addendum signed by the Parties.
Definitions not otherwise defined in the Agreement or in the Documentation will have the meanings ascribed to them in this Section.
Affiliate means any entity which directly or indirectly controls, is controlled by, or is under common control with a party hereof, where “control” means holding of more than fifty percent (50%) of the issued stock or voting rights of an entity.
Alpha Version means a pre-release Version of Camunda Cloud.
Camunda Cloud means the software which is made available pursuant to this Agreement.
Cluster means a deployment of Camunda Components.
Component means each of the Cloud Console, Modeler, Zeebe, Operate, Tasklist and Optimize (each as defined in the Documentation or this Agreement).
Customer Usage Data means all information and data of Customer collected in connection with Customer’s use of Camunda Cloud and the Services by Camunda, including but not limited to information about browsers, implemented clients, and related pages accessed by users, API calls and Camunda Cloud Version. It may contain Personal Data such as hashed IP addresses and identifiers, including cookies, but is generally technical, aggregated and pseudonymized.
Decision Instance (“DI”) means the technical execution of a DMN decision model (e.g., a decision table) in the Camunda Decision Engine. Executions of single models as part of a composed decision model (e.g., in a DRD) will be counted separately. The DI may be part of the Usage Metrics.
Documentation means guidelines, instructions and recommended actions for Camunda Cloud available at https://docs.camunda.io/docs/components/.
Error means a problem which results from Camunda Cloud materially failing to perform as set forth in the Documentation.
Fees means the Monthly Base Fee, any Monthly Consumption Fee, fees for any Services and all fees for any upgrades to Usage Metrics or Resource Metrics.
Maintenance Work means the development and adaptation of Camunda Cloud by Camunda in order to improve Camunda Cloud and/or introduce new functions or eliminate Errors, which may lead to unavailability.
Major Release means the publication of a new Version of Camunda Cloud which increases the Version number by 1.0, as such new Version(s) are provided by Camunda at its discretion to its Customers generally. For example, Version 2.0 would be a Major Release compared to Version 1.0. Any such Major Release is provided by Camunda upon the terms and conditions as set forth in this Agreement. A Major Release generally contains features and bug fixes. A Major Release may contain incompatible API changes.
Malware means any computer code or other computer instructions, devices or techniques (including without limitation those known as Trojans or time bombs) that are intentionally designed to disrupt, disable, harm, infect, defraud, damage, or otherwise impede in any manner the operation of a network, computer program or computer system.
Minimum Term means the minimum period of time for which the Subscription is valid. The Minimum Term is one month, and the Subscription will commence on the Start Date.
Minor Release means the publication of a new Version of Camunda Cloud which increases the Version number by 0.1, as such new Version(s) are provided by Camunda at its discretion to its customers generally. For example, Version 1.1 would be a Minor Release compared to Version 1.0. Any such Minor Release is provided by Camunda upon the terms and conditions as set forth in this Agreement. A Minor Release generally contains functions and bug fixes. Minor Releases may add backwards compatible functionalities.
Monthly Base Fee means the monthly base fee specified in the Price List.
Monthly Consumption Fee means any fees incurred by Customer for its use, in any calendar month, of Usage Metrics or Resource Metrics in excess of the monthly Usage Metrics or Resource Metrics included in the Monthly Base Fee, calculated in accordance with Section 3 and the Price List.
Monthly Uptime Percentage means, for any Component, the total number of minutes in a calendar month minus the number of minutes of Downtime in that month, divided by the total number of minutes in that month. Any Component within a Cluster which is provisioned and running for only part of a calendar month is deemed to be 100% available during the portion of the month in which that Cluster was not provisioned and running.
Named Support Contact means those Customer-designated employees who have the right to contact Camunda via the applicable reporting method and who act as the primary interface between Customer and Camunda technical support. The number of eligible Named Support Contacts is specified in the Price List. Customer will indicate to Camunda those individuals who will serve as Customer’s Named Support Contacts, and Customer will provide to Camunda the name and email address of all Named Support Contacts. Camunda will have no obligation to address Support and Maintenance Services inquiries from anyone other than Customer’s Named Support Contacts. By providing written notice and appropriate contact information, Customer may change each Named Support Contact once per year for no additional fee. Despite the foregoing limitation, Customer may, upon a material change for the Named Support Contact (for example, leaving Customer or being reassigned to an unaffiliated division) transfer Named Support Contacts by submitting a support ticket.
Operate is the monitoring tool providing BPMN monitoring capabilities. Operate features are documented in the Documentation.
Patch Release means the publication of a new Version of Camunda Cloud which increases the Version number by 0.0.1, as such new Version(s) are provided by Camunda at its discretion to its Customers generally. For example, Version 1.1.1 would be a Patch Release compared to Version 1.1. Any such Patch Release is provided by Camunda upon the same terms and conditions as set forth in this Agreement. In Patch Releases, the latest bug fixes are ported back. Patch Releases do not contain any new features.
Personal Data means any information that relates to an identified or identifiable living individual. Only if Exhibit D is applicable, Personal Data includes personal information as defined in the CCPA.
Price List means the list set out at https://camunda.com/pricing/
Process Instance (“PI”) means the technical execution of a BPMN process definition in the Zeebe Engine, independent of current status (pending or completed). Additional process instances that are invoked via call activities are not counted separately. The PI may be part of the Usage Metrics.
Prohibited Entity has the meaning given to it in Section 18.1.
Renewal Term means each successive one (1) month term after the Minimum Term.
Reserved CPU Cores means the number of CPU cores purchased by Customer.
Reserved GB RAM means the gigabytes of RAM purchased by Customer.
Reserved GB Storage means the gigabytes of storage purchased by Customer.
Resource Metrics means the metrics that determine the Fee for the Subscription based on the amount of Reserved CPU Cores, Reserved GB RAM and Reserved GB Storage reserved by Customer.
Response Time means the time from the receipt of an incident or Support Request notification to the provision of an initial response by Camunda.
Services mean any Support and Maintenance Services which are provided with the Subscription, if applicable.
Service Data means any information, including Personal Service Data, processed or transmitted by or on behalf of Customer in the Camunda Cloud or in connection with performance of the Services during the Subscription Term. All Service Data processed under the terms of this Agreement will remain the property of Customer.
SLA means the service level agreement relating to Support and Maintenance Services as provided for in Section 5 of Exhibit A.
Stable means, in relation to a Cluster, that the Cluster uses a Version of Camunda Cloud which is not an Alpha Version.
Start Date means the commencement date of the Subscription, which is the date on which Customer accepts this Agreement.
Subscription means Customer´s right, for a fixed period of time, to use Camunda Cloud and receive Services, always subject to strict compliance with the terms of this Agreement.
Support and Maintenance Services means those services specified in Exhibit A.
Task User (“TU”) means a distinct string that has been assigned to a user task in the Camunda history. Each string will be counted once, i.e. if the same user has been assigned to more than one task during the Subscription Term, this will be only counted once. The TU may be part of the Usage Metrics.
Subscription Term means the period of time for which the Subscription is valid.
Third Party means any legal or natural person who is not a Party to this Agreement and who is not an Affiliate of any of the Parties.
Total Monthly Fee means the amount equal to the Monthly Base Fee plus any Monthly Consumption Fee accrued in the relevant calendar month.
Usage Metrics means the metrics that determines the fee for the Subscription, based on the amount of usage. The Usage Metrics are organized in tiers and cover Process Instances, Decision Instances and Task Users.
Version means a Patch Release, Minor Release or Major Release of Camunda Cloud.
Zeebe means the workflow engine providing BPMN execution capabilities as described in the Documentation.
2. Subject MatterThis Agreement sets forth the rights and obligations of the Parties with respect to the Subscription to Camunda Cloud and the Services. For the avoidance of doubt, the Parties hereby expressly acknowledge and agree that if Customer issues any purchase orders or similar documents in connection with its purchase of the Subscription, it will do so only for its own internal, administrative purposes and not with the intent to provide any contractual terms.
Customer agrees to pay a Monthly Consumption Fee for any Usage Metrics which it uses or Resource Metrics which it reserves in addition to those included in the Monthly Base Fee. Camunda will calculate the Monthly Consumption Fee at the end of each calendar month. The Monthly Consumption Fee for any excess Resource Metrics will be pro-rated based on the number of days in the relevant calendar month for which the Resource Metrics were reserved.
4. Registration and Camunda Cloud License
- In order to use Camunda Cloud and the Services, Customer must register for a Camunda Cloud Account (the “Account”). By creating the Account, Customer acknowledges that it is responsible for maintaining the security of this Account (including, but not limited to, login credentials and security keys) and for all activities that occur under this Account. Customer agrees to immediately notify Camunda of any unauthorized use of the Account, or any other breaches of security of which Customer becomes aware. Camunda will have no liability for any acts or omissions on Customer’s or any Third Party’s part, including any damages of any kind incurred as a result of such acts or omissions. Subject to Section 18.4, any notifications regarding Camunda Cloud or the Services will be sent to the email address registered with this Account.
- During the Subscription Term, and subject to Customer’s compliance with this Agreement, Camunda grants Customer a limited, non-exclusive, non-transferable and non-sublicensable right to use Camunda Cloud during the Subscription Term within the Usage Metrics and the Resource Metrics.
- From time to time, Camunda may invite Customer to try beta products or services (“Beta Offerings”) at no additional charge. Beta Offerings will be clearly designated as beta, limited release, developer preview, non-production, evaluation or a similar description. Customer may accept or decline any such Beta Offerings in its sole discretion, and agrees that any Beta Offerings are for evaluation purposes and not for production use, are not supported by any Services, and may be subject to additional terms. Camunda may discontinue Beta Offerings at any time in its sole discretion and may or may not make them generally available. Clusters containing Beta Offerings cannot be updated to newer Versions: accordingly, Customer will need to delete such Clusters and replace them with a new Cluster to receive subsequent Versions of Camunda Cloud. Camunda will have no liability (including under any indemnities in this Agreement) for any harm or damage arising out of or in connection with a Beta Offering, which is provided “as is”, exclusive of any warranty whatsoever.
- Customer shall comply with all applicable laws, including export control and data privacy laws. Customer shall not: (i) execute or attempt to execute any Malware in Camunda Cloud or use or attempt to use Camunda Cloud to transmit Malware; (ii) use Camunda Cloud to store or distribute any information, material or data that is harassing, threatening, infringing, libelous, unlawful, obscene, or which violates the rights of any third party; (iii) use Camunda Cloud to compete against Camunda; (iv) use Camunda Cloud for purposes of monitoring performance or functionality (for example via penetration testing) other than for the purposes of measuring Downtime, or for any other benchmarking or competitive purposes including, without limitation, for the purpose of designing and/or developing any competitive services; (v) except as expressly permitted herein, make access to Camunda Cloud through Customer’s Account available to any third party; (vi) sell, resell, rent, lease, offer any time sharing arrangement, service bureau or any service based upon Camunda Cloud; (vii) interfere with or disrupt the integrity, security or performance of Camunda Cloud or Third Party data contained therein; (viii) attempt to gain unauthorized access to Camunda Cloud or any associated systems or networks; or (ix) modify, make derivative works of, disassemble, decompile or reverse engineer Camunda Cloud or any component thereof; (x) perform or attempt to perform any actions that would prevent use of Camunda Cloud by Camunda’s other licensees or customers.
- If Camunda believes, in its sole discretion, that Customer has violated or attempted to violate this Agreement, or the use of Camunda Cloud by Customer presents a material security risk, Camunda may suspend Customer’s use of Camunda Cloud until the violation or security risk has been corrected. Camunda will use reasonable efforts to provide Customer with advance written notice prior to implementing such suspension.
- Customer will indemnify Camunda from and against all and any losses, liabilities, damages, demands, suits, causes of action, judgments, costs and expenses (including court costs and reasonable attorneys’ fees up to any applicable statutory cap) arising out of or relating to claims brought against Camunda by Third Parties which (i) are based on a violation of this Agreement by Customer or (ii) relate to or arise from disputes involving Customer and relate to use of Camunda Cloud to the extent such any losses, liabilities, damages are not caused by Camunda’s breach of this Agreement.
- During the Subscription Term, and subject to Customer’s compliance with this Agreement, Camunda will provide Customer with Support and Maintenance Services for Camunda Cloud according to Exhibit A. Support and Maintenance Services will be delivered to Customer through the Internet, and when applicable, depending on the purchased SLA, via telephone.
- The Support and Maintenance Services are provided to Customer only according to the SLA.
7. Availability and Maintenance Work
- Camunda will use commercially reasonable efforts to ensure a Monthly Uptime Percentage for Components as set out in Exhibit B. Any Errors affecting Monthly Uptime Percentage must be reported to Camunda as soon as reasonably practicable via the agreed-upon reporting method.
- Camunda will use reasonable efforts to provide advance notice of any Maintenance Work, and will use reasonable efforts to carry out any non-emergency Maintenance Work leading to an interruption of technical usability outside business hours. However, Camunda is entitled to carry out ad hoc Maintenance Work to avoid future unavailability, address high security risks or high risks for overall platform stability, and provide other critical Patches or hotfixes. Customer agrees that Camunda may access Customer’s Clusters in order to carry out Maintenance Work.
8. Technical Requirements
Customer has and will retain sole responsibility for Customer’s information technology infrastructure, including computers, software, databases, electronic systems (including database management systems) networks and internet services, whether operated directly by Customer or through the use of Third Party services, required to use or receive Camunda Cloud and the Services.
9. Intellectual Property Rights
Except for the limited rights expressly granted in Section 4.2 of this Agreement, nothing in this Agreement transfers from Camunda to Customer any intellectual property rights, and all right, title and interest in and to any Camunda Cloud components and Services will remain (as between the parties) solely with Camunda. “Camunda”, the Camunda logos, and all other trademarks, service marks, graphics and logos used in connection with any use of Camunda Cloud and Services are trademarks or registered trademarks of Camunda.
10. Customer Usage Data
- During the Subscription Term, Customer grants Camunda a worldwide right to host, copy, use, execute, transmit and display Customer Usage Data, Customer applications and any Third Party products, as necessary to provide Camunda Cloud and the Services to Customer.
- Customer acknowledges that certain features used in connection with Camunda Cloud are configured to collect and report Customer Usage Data to Camunda to improve the user experience and to track usage of Camunda Cloud. Customer hereby consents and grants to Camunda a license to collect and use Customer Usage Data generated by Customer’s use of Camunda Cloud. Camunda will use Customer Usage Data subject to applicable law. In addition, Camunda collects information to ensure the security, stability and functionality of Camunda Cloud, including but not limited to IP addresses, error logs, crash reports and bug reports. Camunda will not acquire any right, title or interest from Customer in or to Customer’s Service Data or Third Party products.
11. Term and Termination
- After the Minimum Term, the Subscription will automatically renew for successive Renewal Terms unless terminated by either Party by providing written notice of non-renewal at least ninety (30) days prior to the end of the then-current Subscription Term. During the Subscription Term, this Agreement can only be terminated extraordinarily for good cause or as explicitly provided in this Agreement, in particular in Section 11.2.
- Either Party may terminate this Agreement and the Subscription at any time (i) if the other Party materially breaches this Agreement (including if Customer fails to pay Fees or has violated any export regulations) and, if such breach is curable, it has not been cured within thirty (30) days after the non-breaching Party has sent written notice thereof; (ii) Camunda exercises its right to change the terms and conditions of this Agreement by providing modified terms, along with an effective date for such modified terms, and Customer does not accept such modified terms on or before the effective date; or (iii) subject to any applicable law, if the other Party is dissolved or liquidated or takes any corporate action for such purpose, becomes insolvent or is generally unable to pay its debts as they become due, becomes the subject of any voluntary or involuntary bankruptcy proceeding under any domestic or foreign bankruptcy or insolvency law, makes or seeks to make a general assignment for the benefit of its creditors, or applies for, or consents to, the appointment of a trustee, receiver or custodian for a substantial part of its property. Notwithstanding the above, Camunda may terminate this Agreement and the Subscription for non-payment by Customer of any Fees unless Customer pays such Fees in full within ten (10) days after receipt of Camunda’s written notice of non-payment. The expiration or termination of this Agreement has no effect on the Subscription existing at the time of termination, which will remain in force until the end of the then-current Subscription Term, provided that if the termination is as a result of a material breach by Customer or Customer’s refusal to accept modified terms and conditions on or before the effective date of such terms, Camunda may terminate the Subscription existing at the time of termination by written notice to Customer. The terms and conditions of this Agreement continue to apply to the Subscription which is in force on the termination date of this Agreement until such time as the Subscription terminates.
- On expiration or termination of the Subscription for any reason and subject to any express provisions set out elsewhere in this Agreement:
- Customer will cease usage of (and will no longer have rights to access or use) Camunda Cloud, the Account and the Services;
- all earned but unpaid and undisputed Fees and other sums payable by Customer to Camunda will immediately become due and payable; and
- any Personal Data provided by Customer through Camunda Cloud will be treated by Camunda in accordance with the relevant personal data protection policies and the data processing agreement introduced by Camunda and applicable data protection law.
- The following provisions, which by their nature survive termination, continue after termination or expiration of this Agreement: (i) Sections 9, 11.3, 12, 14, 15, 16, 17, 18 and 19 of this Agreement, (ii) all associated definitions, and (iii) all accrued rights to payment.
12. Fees and payment
- Customer will pay the Monthly Base Fee in advance and will pay any Monthly Consumption Fee monthly in arrears. Customer will make payments via credit card and agrees to pay (i) the Monthly Base Fee on the Start Date and on each following month thereof unless the Subscription is terminated in accordance with this Agreement and (ii) any Monthly Consumption Fee via direct debit on the date on which such amount is billed by Camunda to Customer’s credit card (each applicable date, the “Payment Due Date”). Any amounts which are more than thirty (30) days overdue will bear a late payment fee of the lower of one-point five percent (1.5%) per month or the maximum rate allowed by law, accruing from and including the Payment Due Date to and excluding the date of actual payment. Any late payment fee accruing under this Section will be immediately due and payable by Customer. Customer shall pay all Fees in full without any set-off, recoupment, counterclaim, deduction, debit or withholding for any reason (other than any deduction or withholding of tax as may be required by applicable law).
- The Monthly Base Fee and the fee for any additional Resource Metrics are based on the Subscription purchased and reservations made, and not on actual usage. The Monthly Consumption Fee for additional Usage Metrics is based on actual usage. In addition, payment obligations are non-cancelable, and except as otherwise expressly provided for in this Agreement, Fees paid are non-refundable.
- All Fees are exclusive of any taxes, fees, and duties or other amounts, however designated, and including without limitation value added tax, sales tax and withholding taxes that are levied or based upon such charges, or upon this Agreement. Any applicable taxes including, but not limited to, withholding taxes, will be paid by Customer, or Customer will present an exemption certificate acceptable to the taxing authorities. Customer will not be liable for taxes imposed on Camunda based on Camunda’s income.
- Camunda reserves the right to change its Fees, Camunda Cloud, the Services and the Subscription model available under this Agreement. Any changes to Fees or the Subscription model which Camunda makes will not apply to Customer with respect to any fully paid Subscription Term: any such changes will become effective as of the next Renewal Term, subject to a prior written notice by Camunda.
- The Parties agree that Customer may pay Fees through a Third Party (“Paying Agent”) provided that Customer specifies Customer as the “ship to” party and the Paying Agent as the “bill to” party in the sign-up process. Additionally, the Paying Agent and Customer will enter into a separate agreement setting forth the fees to be paid by Customer to the Paying Agent for the Subscription, as well as any other terms or conditions that apply between them. Customer acknowledges that Camunda will not be responsible for the obligations of any Paying Agent to Customer under such separate agreement, for the acts or omissions of the Paying Agent, or for any products or services furnished to Customer by the Paying Agent. Camunda agrees that, subject to receiving payment from the Paying Agent, it shall be responsible to Customer, pursuant to the terms and conditions of this Agreement, for the Subscription of Camunda Cloud and the Services.
13. Data Protection
- Personal Service Data: If Personal Service Data is processed on behalf of Customer in connection with the Subscription, then (i) if the Data Processing Agreement in Exhibit C is applicable, Camunda acts, or is deemed to act, as a Data Processor within the scope of that Data Processing Agreement and Customer shall be considered the Data Controller under the EU General Data Protection Regulation (GDPR) and (ii), if the CCPA Data Protection Addendum in Exhibit D is applicable, Camunda acts as, or is deemed to act as Service Provider within the scope of that CCPA Data Protection Addendum under the California Consumer Privacy Act (CCPA) and Customer shall be considered a Business under CCPA. For the avoidance of doubt, Camunda does not act as a Data Processor or Service Provider when it collects any data which is not Personal Service Data.
- Data protection contact: Customer may contact firstname.lastname@example.org for any issues related to data protection arising out of or in connection with this Agreement.
- “Confidential Information” means any information disclosed by either Party (the “Disclosing Party”) to the other Party (the “Receiving Party”) in any form or medium that the Disclosing Party considers confidential, whether or not marked, designated or otherwise identified as “confidential”. Without limiting the foregoing each Party’s product road maps, product development plans, pricing, business plans, customer lists, business and financial information shall be deemed to be such Party’s Confidential Information. Confidential Information will not, however, include any information which (a) was publicly known or made generally available in the public domain prior to the time of disclosure by the Disclosing Party; (b) becomes publicly known and made generally available after disclosure by the Disclosing Party to the Receiving Party through no action or inaction of the Receiving Party and/or without breach of a confidentiality obligation; (c) is already in the possession or comes into the possession of the Receiving Party where such possession is not the result of a breach of confidentiality, in each case, as shown by the Receiving Party’s files and records immediately prior to the time of disclosure; or (d) is independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information, as shown by documentation or other evidence in the Receiving Party’s possession.
- Except to the extent authorized in writing by the Disclosing Party (including in this Agreement), the Receiving Party shall hold in confidence and not use or disclose any Confidential Information of the Disclosing Party to any third party other than Affiliates. Each Party agrees that it shall take reasonable measures to protect the secrecy of and avoid disclosure and unauthorized use of the Confidential Information of the other Party and to comply with the legal and contractual provisions on data protection when processing the Confidential Information. Without limiting the foregoing, each Party shall take at least those measures that it takes to protect its own confidential information and shall ensure that its employees who have access to Confidential Information of the other Party are subject to obligations of confidentiality and non-disclosure at least as stringent as those found herein. For the avoidance of doubt, the Receiving Party’s obligations under this Section with respect to any Confidential Information that constitute trade secrets under any applicable law will continue until such time, if ever, as such Confidential Information ceases to qualify for trade secret protection under one or more such applicable laws other than as a result of any act or omission of the Receiving Party.
- The Receiving Party or any of its representatives shall be permitted to disclose Confidential Information if and to the extent they are required to do so by applicable law. If the Receiving Party or any of its Affiliates or representatives is compelled by applicable law to disclose any Confidential Information then, to the extent permitted by applicable law, the Receiving Party shall: (i) promptly, and prior to such disclosure, notify the Disclosing Party in writing of such requirement so that the Disclosing Party can seek a protective order or other remedy or waive its rights under this Section; and (ii) provide reasonable assistance to the Disclosing Party, at the Disclosing Party’s sole cost and expense, in opposing such disclosure or seeking a protective order or other limitations on disclosure.
- Because of the unique and proprietary nature of the Confidential Information, it is understood and agreed that the Disclosing Party’s remedies at law for a breach by the Receiving Party of its obligations under this Section may be inadequate and that the Disclosing Party is entitled to seek equitable relief (including without limitation provisional and permanent injunctive relief and specific performance).
- Upon expiration or termination of this Agreement for any reason, the Receiving Party will return or destroy all copies of all Confidential Information of the Disclosing Party in its possession or under its control upon request of the Disclosing Party, provided that the Receiving Party is not required to return or destroy any Confidential Information if and to the extent that (i) it is required to retain such Confidential Information by law, regulation or court order, or (ii) such Confidential Information is automatically retained as part of a computer back-up, recovery or similar archival or disaster recovery system in accordance with internal record-keeping policies. Any Confidential Information which is not returned or destroyed remains subject to the confidentiality obligations of this Agreement.
- The Receiving Party is prohibited from obtaining Confidential Information by means of so-called Reverse Engineering. “Reverse Engineering” shall mean all actions, including observing, testing, examining and disassembling or reassembling with the purpose of obtaining Confidential Information. The Receiving Party shall refrain from exploiting or imitating Confidential Information outside the scope of its purpose in any manner whatsoever (in particular by means of Reverse Engineering) or having it exploited or imitated by third parties and, in particular, from applying for intellectual property rights – in particular trademarks, designs, patents or utility models – to the Confidential Information.
15. Representations and Warranties
- Each Party represents and warrants the following: (i) entering into and carrying out the terms and conditions of this Agreement will not violate any obligation binding upon it and (ii) it does and will comply with all applicable laws (including export control laws and regulations) in connection with its performance under this Agreement. Customer represents and warrants that the acceptance of this Agreement and the performance of its obligations hereunder have been duly authorized and this Agreement is validly and legally binding on it and enforceable in accordance with its terms.
- Camunda warrants that (i) it will perform all applicable Services in a professional, workmanlike manner, consistent with generally accepted industry practice and (ii) Camunda Cloud will function substantially in accordance with the applicable Documentation. In the event of a breach of the foregoing warranty, Camunda’s sole obligation, and Customer’s exclusive remedy, shall be for Camunda at its sole discretion to re-perform the applicable Services or correct any Error in Camunda Cloud, as applicable. Camunda’s obligations to correct any Error in Camunda Cloud will not apply if: (i) Customer fails to update to new Versions of Camunda Cloud made available to Customer which would address any breach of this warranty; (ii) the Camunda Cloud software has been altered, except by or on behalf of Camunda; (iii) Camunda Cloud has not been used or operated in accordance with this Agreement and/or the Documentation; or (iv) Camunda Cloud is used on systems not meeting specifications identified by Camunda in the Documentation.
- THE SERVICES REPRESENT AN AGREEMENT FOR SERVICES AND NOT FOR THE SUPPLY OF GOODS. EXCEPT AS SET FORTH IN SECTIONS 15.1 and 15.2, CAMUNDA CLOUD AND THE SERVICES ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, AND CAMUNDA MAKES NO ADDITIONAL WARRANTIES WHETHER EXPRESSED, IMPLIED OR STATUTORY REGARDING OR RELATING TO THE SERVICES, CAMUNDA CLOUD OR ANY MATERIALS FURNISHED OR PROVIDED TO CUSTOMER UNDER THIS AGREEMENT. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CAMUNDA SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT WITH RESPECT TO THE SERVICES, CAMUNDA CLOUD AND ANY MATERIALS FURNISHED OR PROVIDED TO CUSTOMER UNDER THIS AGREEMENT. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CAMUNDA, ITS DISTRIBUTORS, AGENTS, CONTRACTORS OR EMPLOYEES INCREASES THE SCOPE OF THIS WARRANTY.
16. Intellectual Property Rights
- Customer shall at its sole expense indemnify, defend, and hold harmless Camunda and its Affiliates against any and all losses, liabilities, expenses (including reasonable legal fees up to any applicable statutory cap) suffered or incurred by Camunda or its Affiliates by reason of any claim, suit or proceeding (each a “Claim”) arising out of or in connection with (i) Customer’s Service Data or use of Service Data, including, without limitation, any assertion that Customer’s Service Data or the use thereof may infringe any copyright, trademark, or other intellectual property or other rights of any individual or entity, are a misappropriation of any individual or entity’s trade secret, or contain any libelous, defamatory, disparaging, pornographic, or obscene materials or use thereof caused death or bodily injury or damage to the real or tangible property of any third party, or violate the privacy rights of any individual or (ii) any breach of or failure by Customer to comply with this Agreement.
- Camunda will: (i) notify Customer in writing of any Claim promptly after its receipt of the Claim, (ii) not acknowledge the alleged basis of the Claim, (iii) allow Customer to assume control of the defense and any settlement negotiations related to the claim and (iv) cooperate with Customer, at Customer’s expense, in the defense and any related settlement negotiations related to the Claim. If requested by Camunda to defend a Claim, Customer will not agree to any settlement without the prior written consent of Camunda.
17. LIMITATION OF LIABILITY
- EXCEPT FOR ANY LIABILITY UNDER “CONFIDENTIALITY”, UNDER NO CIRCUMSTANCES SHALL EITHER PARTY OR THEIR RESPECTIVE AFFILIATES BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES.
- UNDER NO CIRCUMSTANCES SHALL EITHER PARTY OR THEIR RESPECTIVE AFFILIATES BE LIABLE FOR ANY SPECIAL OR PUNITIVE DAMAGES, LOSS OF PROFITS, LOSS OF USE, BUSINESS INTERRUPTION OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES (REGARDLESS OF WHETHER SUCH DAMAGES ARISE OUT OF CONTRACT, NEGLIGENCE OR OTHER LEGAL THEORIES, AND REGARDLESS OF WHETHER SUCH DAMAGES ARE CHARACTERIZED AS DIRECT, INDIRECT OR OTHERWISE) ARISING FROM OR RELATED TO THIS AGREEMENT. CAMUNDA WILL LIABLE FOR LOSS OF DATA ONLY TO THE EXTENT SUCH LOSS IS DIRECT AND WOULD HAVE OCCURRED EVEN IF CUSTOMER HAD MADE A BACKUP OF ALL THE RELEVANT DATA.
- EXCEPT FOR ANY LIABILITY ARISING FROM A VIOLATION OF EITHER PARTY’S INTELLECTUAL PROPERTY RIGHTS UNDER THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY OR THEIR RESPECTIVE AFFILIATES’ TOTAL, CUMULATIVE LIABILITY UNDER THIS AGREEMENT EXCEED THE AMOUNT EQUAL TO THE AMOUNT PAID BY CUSTOMER TO CAMUNDA UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS IMMEDIATELY PRIOR TO THE EVENT GIVING RISE TO LIABILITY.
- NOTHING IN THIS AGREEMENT SHALL EXCLUDE OR LIMIT EITHER PARTY’S LIABILITY FOR DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE OF THAT PARTY, ITS OFFICERS, EMPLOYEES, CONTRACTORS OR AGENTS, FRAUD OR FRAUDULENT MISREPRESENTATION OR ANY OTHER WARRANTIES, CONDITIONS, OBLIGATIONS OR DUTIES WHICH ARE REQUIRED BY MANDATORY LAW EXCEPT TO THE EXTENT PERMISSIBLE UNDER SUCH MANDATORY LAW.
18. General Provisions
Camunda Cloud may be subject to export laws and regulations of the United States, the European Union, the United Kingdom, the Federal Republic of Germany, and other jurisdictions.
Both Parties represent and warrant that they or any of their Affiliates (i) is not a Prohibited Entity, or (ii) has not taken and will not take any action, directly or indirectly, that would result in a violation of Sanctions, or that would otherwise cause the other Party or its Affiliates to violate Sanctions.
For purposes of this section, “Sanctions” means to the extent applicable to the Parties, any and all economic or financial sanctions, sectoral sanctions, secondary sanctions, or trade embargoes administered or enforced from time to time by (i) the United States, including those administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control, the U.S. Department of State, or the U.S. Department of Commerce, or through any existing or future Executive Order; (ii) the United Nations Security Council; (iii) the European Union; (iv) the United Kingdom; or (v) any other government authority with jurisdiction over the Parties. “Prohibited Entity” means (i) a person (an entity or an individual) on any list of targets designated pursuant to any Sanctions, (ii) a person, countries, or territories that are the target of any territorial or country-based Sanctions programs, (iii) an entity with its registered offices in Russia, or (iv) a person owned or controlled by any person covered by (i), (ii), or (iii).
Camunda may assign this Agreement in the event of a merger, acquisition, change of control or sale of all or substantially all of its business or assets. Other than in these limited instances, however, neither Party may assign, transfer or sublicense any obligation or benefit under this Agreement without the written consent of the other Party, which consent by Camunda will not be unreasonably withheld in the event of the merger or sale of all or substantially all of the business or assets of Customer. Notwithstanding the foregoing, Camunda may assign or transfer this Agreement or parts of the rights and obligations of this Agreement solely to Camunda’s parent company, Camunda Services GmbH, without the requirement of Customer’s consent.
Camunda may subcontract all or part of its obligations under this Agreement to any Third Party or Affiliate; provided, however, that Camunda shall remain responsible for the performance of such obligations and for compliance with the terms and conditions of this Agreement.
All notices under this Agreement will be delivered by email; if to Camunda at email@example.com; if to Customer at any one of the email addresses provided to Camunda via the Account. Any notices which also require physical delivery will be in writing and will be personally delivered or sent by prepaid certified or registered mail to the address of the Party to whom notice is being provided or such other address as such Party last provided to the other by written notice. Any notices are deemed to have been given or made and to have been received on (i) the day of delivery if personally delivered, (ii) on the day of sending if sent via email before 5:00 p.m. on a business day in the jurisdiction of the recipient’s registered address, and otherwise on the next business day, and (iii) on the third business day following postage if sent by prepaid certified or registered mail. A notice will not be deemed to have been sent via email if the sender receives an automated system notification that the email has failed to send or has failed to reach the recipient’s inbox.
- No Waiver
No failure or delay in exercising any right hereunder will operate as a waiver thereof, nor will any partial exercise of any right or power hereunder preclude further exercise.
- Relationship between the Parties
The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties, nor does it authorize any Party to make or enter into any commitments for or on behalf of any other Party except as expressly provided for. Each Party confirms that it is acting on its own behalf and not for the benefit of any Third Party. Each Party will be solely responsible for payment of all compensation owed to its employees, as well as all employment-related taxes.
- Entire Agreement; Order of Precedence
This Agreement constitutes the entire agreement between the Parties in relation to the subject matter hereof. It supersedes and extinguishes any prior understandings, agreements, warranties, undertakings, conditions or representations in this regard and both Parties hereby expressly acknowledge and agree that they have not relied upon any other understandings, agreements, warranties undertakings, conditions or representations except those contained herein. The Parties acknowledge and agree that the contents of any purchase order or similar document provided by Customer (whether before or after the date of Customer’s acceptance of this Agreement) are rejected and do not apply to the relationship between the parties. In the event of any conflict between the terms and conditions of any of the foregoing documents, the conflict will be resolved based on the following order of precedence: first, the DPA and CCPA Addendum, if applicable and as amended from time to time; and second, this Agreement, including all other exhibits and as amended from time to time.
- Event of Force Majeure
Except in relation to any duty to pay, neither Party hereto is liable for any breach of its obligations hereunder resulting from causes beyond its reasonable control including but not limited to fires, floods, earthquakes, pandemic or epidemic illness, civil unrest, terrorism, cyber attacks, strikes or protests (of its own or other employees), insurrection or riots, embargoes, requirements or regulations of any civil or military authority or Internet service provider, or failure or delay of a Third Party application (an “Event of Force Majeure”). Each of the Parties hereto agrees to give reasonable notice (to the extent any such notice is possible) to the other upon becoming aware of an such an Event of Force Majeure. Such notice will contain details of the circumstances giving rise to the Event of Force Majeure. If a default due to an Event of Force Majeure continues for more than thirty (30) days, then the Party not in default is entitled to terminate this Agreement. Neither Party has any liability to the other in respect of the termination of this Agreement as a result of an Event of Force Majeure, except in relation to any unpaid Fees.
Either Party to this Agreement may publicize the existence of the business relationship established by this Agreement in connection with its products, promotions, or publications. Customer agrees to act as a reference customer for Camunda, and to participate in a case study as reasonably requested by Camunda. Customer grants to Camunda, during the Subscription Term, a limited, personal, non-exclusive, non-transferable license to use and distribute Customer’s logo on Camunda’s website. Despite the foregoing, neither Party may disclose the specific terms of this Agreement, except as required by applicable law.
- Human Rights
Each Party will comply with internationally proclaimed human rights such as the Universal Declaration of Human Rights and will not contribute to or be complicit in human rights abuses of any kind. Both Parties comply with the eight Conventions of the International Labour Organization (ILO), which regulate international labor standards.
If any provision of this Agreement is or becomes illegal, unenforceable or invalid, this will not affect or impair the legality, enforceability or validity of the remaining provisions of this Agreement. The remaining terms and provisions of this Agreement will be applied so as to give effect to the original intent of the parties (as evidenced by the illegal, unenforceable or invalid provision) to the fullest extent possible.
19. Contracting Party, Governing Law and Venue
- The Camunda entity entering into this Agreement, the law governing this Agreement and any non-contractual obligations, disputes or lawsuits arising out of or in connection with this Agreement, and the courts that have jurisdiction over any such dispute or lawsuit, depend on where Customer is domiciled. Each Party agrees to the applicable governing law below without regard to choice or conflicts of law rules, and to the exclusive jurisdiction of the applicable courts below. Accordingly, any dispute, legal action or proceeding arising out of or relating to this Agreement must be brought in the applicable courts below, and each Party irrevocably waives all objections to any proceedings in such courts, whether on the grounds of venue or on the grounds that they have been brought in an inconvenient forum.
|If Customer is domiciled in:||The Camunda entity entering into this Agreement is:||Governing law:||Exclusive jurisdiction:|
|The United States of America, Canada and Mexico|
275 Battery Street, Suite 2600, San Francisco, CA 94111, USA
|Delaware and controlling United States federal law||New Castle County, Delaware, USA|
|Germany, Austria, Switzerland|
Camunda Services GmbH
|Germany, excluding both CISG and conflict of laws provisions||Berlin, Germany|
|United Kingdom and Ireland|
Moorcrofts LLP Thames House, Mere Park, Dedmere Road, Marlow, United Kingdom, SL7 1PB
|England and Wales, excluding both CISG and conflict of laws provisions||London, England|
|Any other country|
Camunda Services GmbH
Zossener Strasse 55-58, 10961 Berlin, Germany
|England and Wales, excluding both CISG and conflict of laws provisions||London, England|
- Conflict Resolution
If a conflict arises between the Parties out of or in connection with this Agreement, the use of Camunda Cloud or the provision of the Services, the Parties will first seek an amicable settlement and, if no resolution is reached, the Parties undertake to conduct mediation in accordance with the DIS Mediation Rules before resorting to a court of law. Any court action is permissible if a hearing date has taken place within the mediation framework or if more than sixty (60) days have elapsed since the mediation request by either Party.
- Local Law Requirements USA
With respect to Customers domiciled in the United States of America and Canada, the new Sections 18.14 and 18.15 are added to the Agreement as follows:
High Risk Activities
Camunda Cloud is not designed, manufactured or intended for use or resale as on-line control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, air traffic control, or direct life support machines, in which the failure of Camunda Cloud could lead directly to death, personal injury, or severe physical or environmental damage (“High Risk Activities”). Accordingly, Camunda specifically disclaims any express or implied warranty of fitness for High Risk Activities.
Camunda Cloud and the Documentation are “commercial items”, as defined in 48 C.F.R. §2.101, consisting of “commercial computer software” and “commercial computer software documentation,” as such terms are used in 48 C.F.R. §12.212 or 48 C.F.R. §227.2702-4, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §§227.2702-1 through 227.7202-4, as applicable, the commercial computer software and commercial computer software documentation are (if applicable) being licensed to U.S. government end users (a) only as commercial items and (b) with only those rights that are granted to all other end users pursuant to the terms and conditions set forth in this Agreement and any applicable license agreement for Camunda Cloud.
- Local Law Requirements Germany
With respect to Customers domiciled in Germany, Austria or Switzerland:
The third sentence in Section 11.2 of this Agreement is replaced with the following:
Notwithstanding the above, Camunda may terminate this Agreement and the Subscription for non-payment by Customer of any Fees, unless Customer pays such Fees in full within sixty (60) days after receipt of Camunda’s written notice of non-payment.
- The third sentence of Section 12.1 of this Agreement is replaced with the following:
Any amounts which are more than thirty (30) days overdue will bear a default rate of interest of nine (9) percentage points above the basic rate of interest per year, accruing from and including the Payment Due Date to and excluding the date of actual payment.
- The following sentence is added at the end of Section 14.3 of this Agreement:
The Receiving Party shall furthermore indicate in the course of disclosure that, if this is the case, Trade Secrets are concerned and shall ensure that the provisions of Sections 16 et seq. of the German Trade Secrets Act are applied.
- Section 14.5 of this Agreement is replaced with the following section:
14.5 Confidential Information shall be deemed to include in particular: Trade Secrets, products, manufacturing processes, know-how, inventions, business relations, business strategies, business plans, financial planning, personnel matters, digitally embodied information (data), any documents and information of the Disclosing Party which are subject to technical and organizational secrecy measures and which are marked as confidential or are to be considered confidential according to the nature of the information or the circumstances of the transmission. Without prejudice to any rights it may have under the German Trade Secret Act (Geschäftsgeheimnisgesetz), the Disclosing Party shall have all property rights, rights of use and exploitation rights with respect to the Confidential Information, unless otherwise provided in this Agreement. The Receiving Party is aware that the Confidential Information described above has not previously been generally known or readily accessible, either in its entirety or in its details, and is therefore of commercial value and is protected by the Disclosing Party through appropriate confidentiality measures. If a Confidential Information under this Section 14 does not meet the requirements of a Trade Secret within the meaning of the German Trade Secret Act, such information shall nevertheless be subject to the obligations of this Section 14.
- The last sentence of Section 14.6 of this Agreement is replaced with the following:
The Receiving Party shall refrain from exploiting or imitating Confidential Information outside the scope of its purpose in any manner whatsoever (in particular by means of Reverse Engineering) or having it exploited or imitated by third parties and, in particular, from applying for intellectual property rights – in particular trademarks, designs, patents or utility models (Gebrauchsmuster) – to the Confidential Information.
- Section 15.1 of this Agreement is replaced with the following section, and Sections 15.2 and 15.3 of this Agreement are deleted in their entirety:
15.1 Each Party has ensured and will ensure the following: (i) entering into and carrying out the terms and conditions of this Agreement will not violate any obligation binding upon it and (ii) each Party will comply with all applicable laws in connection with its performance under this Agreement. Customer has ensured and will ensure that the acceptance of this Agreement and the performance of its obligations hereunder have been duly authorized and that the Agreement is validly and legally binding on such Party and enforceable in accordance with its terms.
- Section 17 of this Agreement is replaced in its entirety with the following section:
17.1 Camunda will be liable without limitation for all losses caused by Camunda and by its legal representatives or vicarious agents in cases of intent or gross negligence, the absence of a guaranteed quality (“garantierte Beschaffenheit“) and for mortal injury, bodily harm and damage to health, as well as in accordance with the provisions of the Product Liability Act (“ProdHftG”).
17.2 In cases involving a simple negligent breach (“leichte Fahrlässigkeit”) of Primary obligations (“Kardinalpflicht”), Camunda’s liability will be limited to replacement of the foreseeable damage typically occurring. Primary obligations are such basic duties which form the essence of the Agreement, which were decisive for the conclusion of the Agreement and on the performance of which the Parties may rely. Other than this, Camunda’s liability for simple negligent breaches (“leichte Fahrlässigkeit”) of accessory contractual obligations is excluded. Further liability – for whatever legal reason – on the part of Camunda and Camunda’s vicarious agents is excluded. A strict liability of Camunda for defects due to pre-existing deficiencies in Camunda Cloud is excluded.
17.3 If Customer´s losses result from a loss of data, Camunda will only be liable for this to the extent that the damage that would have resulted even if Customer had made a backup of all the relevant data.
- The last sentence of Section 18.2 of this Agreement is deleted.
- Local Law Requirements England and Wales
With respect to Customers domiciled in the United Kingdom and Commonwealth or any other country than the United States of America, Canada, Germany, Austria or Switzerland:
- Section 11.2 of this Agreement is replaced with the following section:
11.2 Either Party may terminate this Agreement and the Subscription at any time, if (i) the other Party fails to pay any amount due and payable under the Agreement on the due date for payment and such remains unpaid not less than 14 days after the date on which the non-paying Party receives written notice of such failure to pay, (ii) the other Party commits a material breach of any term of this Agreement (other than failure to pay any amounts due) and (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so, (iii) the other Party repeatedly breaches any of the terms of the Agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of the Agreement, (iv) Camunda exercises its right to change the terms and conditions of this Agreement by providing modified terms, along with an effective date for such modified terms, and Customer does not accept such modified terms on or before the effective date; (v) the other Party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986, (vi) subject to any applicable law (A) the other Party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other Party, (B) a petition is filed, a notice is given, a resolution is passed, or an order is made, for or on connection with the winding up of that other Party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other Party, (C) an application is made to court, or an order is made, for the appointment of an administrator or if a notice of intention to appoint an administrator is given or if an administrator is appointed over the other Party, (D) the holder of a qualifying floating charge over the assets of that other Party has become entitled to appoint or has appointed an administrative receiver, (E) the holder of a qualifying floating charge over the assets of that other Party has become entitled to appoint or has appointed an administrative receiver, (F) a person becomes entitled to appoint a receiver over the assets of the other Party or a receiver is appointed over the assets of the other Party, or (G) a creditor or encumbrancer of the other Party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of its assets and such attachment or process is not discharged within 14 days or (vii) subject to any applicable law, any event occurs, or proceeding is taken, with respect to the other Party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned under Section 11.2(vi) above. The expiration or termination of this Agreement has no effect on the Subscription existing at the time of termination, which will remain in force until the end of the then-current Subscription Term, provided that if the termination is as a result of a material breach by Customer or Customer’s refusal to accept modified terms and conditions on or before the effective date of such terms, Camunda may terminate the Subscription existing at the time of termination by written notice to Customer. The terms and conditions of this Agreement continue to apply to the Subscription that is in force on the termination date of Customer’s acceptance of this Agreement until such time as the Subscription terminates.
- the new Sections 18.14 and 18.15 are added to the Agreement as follows:
18.14 Service of Process
The Parties agree that in the event of a claim being commenced in relation to any non-contractual obligations, disputes or lawsuits arising out of or in connection with this Agreement, a claim form and any other documents relating to such a claim will be served at the respective Parties’ registered address even if such address is outside of England and Wales.
18.15 Rights of Third Parties
A person who is not a Party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce or enjoy the benefit of any term of this Agreement.
Exhibit A “Support and Maintenance Services”
Terms not defined in this Exhibit have the same meaning set forth in the Agreement. In addition:
8×5 means that Support and Maintenance Services are available from Monday to Friday 9am – 5pm (adjusting for daylight savings hours) in the Selected Time Zone.
Business Hour means one hour in the period between Monday to Friday 9am – 5pm (adjusting for daylight savings hours) in the Selected Time Zone.
Critical Errors means Errors that cause a severe failure which makes it impossible to use Camunda Cloud in production. This includes continued Downtime of or Errors with Zeebe.
Major Errors means Errors that severely restrict the use of Camunda Cloud and for which troubleshooting is urgently needed, but which do not prevent use of Camunda Cloud in production. This includes continued Downtime of or Errors with Cloud Console, Operate or Tasklist (each as defined in the Documentation).
Selected Time Zone means the time zone specified by Customer to Camunda in writing, which may be any time zone between UTC−08:00 and UTC+01:00 or, if no such time zone is specified, UTC.
Support Requests means questions and requests from Customer that are designated as less critical, for example because Customer’s operations in Camunda Cloud are minimally impacted, a workaround exists that minimizes impact to Customer’s operations, or Customer wishes to register a request for a new or enhanced feature. These requests are processed as Support Requests provided that they concern the functionality of Camunda Cloud.
Subject to each of the other provisions of the Agreement, with the purchase of the Subscription, Camunda will provide the following Support and Maintenance Services during the applicable Subscription Term:
- support Customer Named Support Contacts with their questions concerning the use of Camunda Cloud in the process of development and in the operation of process applications (including, for example, by providing help with definable problems of development or by explaining the functions and their use);
- make available new Versions of Camunda Cloud as outlined below; and
- respond to Support Requests within the time periods set out for the SLA.
- New Versions
Support and Maintenance Services are provided for all Versions of Camunda Cloud that are supported (as specified in the Documentation) and in any event for a period of six (6) months from the release date for any Minor Release of Camunda Cloud. For further Support and Maintenance Services thereafter, Customer must update to a more recent Version of Camunda Cloud if available. If a more recent Version is not available, Camunda will maintain Support and Maintenance Services on the then-current Version of Camunda Cloud pursuant to this Agreement until a new Version is available. Alpha Versions of Camunda Cloud are not supported. Camunda publishes new Versions of Camunda Cloud from time to time via the Account: however, Clusters using an Alpha Version of Camunda Cloud cannot be updated. Accordingly, Customer will need to delete Clusters using an Alpha Version and replace them with a Stable Cluster to receive a new Version. After Camunda provides a new Version, the Documentation will also be adapted accordingly and Camunda will notify the Named Support Contacts.
- Customer´s responsibilities
Customer acknowledges that its cooperation is essential to the proper performance of Support and Maintenance Services by Camunda. To enable Camunda to provide Support and Maintenance Services, Customer agrees to the following:
- If an Error occurs, a Named Support Contact will promptly inform Camunda via the agreed upon reporting method set out in the right-hand column of the table in section 5 below;
- The Error must be reproducible by Camunda without using a special, adapted or extended Version of Camunda Cloud. If necessary, Customer agrees to assist Camunda in reproducing the Error, including for example via a unit test. Should such a reproduction be impossible, the Error will be described as precisely as possible;
- If an Error is reported, Customer will (A) provide Camunda with the information requested to eliminate the problem and support Camunda in eliminating the Error; and (B) inform Camunda of any modifications it has made to Camunda Cloud software operated by Customer (e.g., client libraries or Modeler) or any other issues of which Customer is aware; and
- Unless not commercially reasonable to do so, Customer will implement suggestions from Camunda on elimination of Errors.
- Excluded services
Support and Maintenance Services under this Agreement do not include any of the following:
- support and maintenance services on Customer’s premises;
- support and maintenance services for any Version of Camunda Cloud modified by Customer,
- installation on Customer’s hardware for the purpose of achieving initial operational readiness of Camunda Cloud;
- development of software programs (e.g., add-on modules or components) that have other functions than those described in the applicable Documentation of Camunda Cloud;
- programming services to integrate Camunda Cloud with products of Customer or Third Parties;
- support of adaptations and extensions of Camunda Cloud programmed by Customer;
- support and maintenance services for the integration of Camunda Cloud into the data processing environment of Customer;
- introduction and training of Customer’s employees in the use of Camunda Cloud;
- recommendation of action for the optimal use of Camunda Cloud;
- Error correction and Consulting Services in case of operational Errors that are based on non-compliance with the operating conditions for Camunda Cloud contained in the applicable Version of the Documentation;
- support and maintenance services which become necessary due to Customer’s failure to cooperate in accordance with paragraph 3 above; and
- any other services not specifically set forth herein, including, but not limited to, customization, programming, integration, recovery of data, support of Customer-specific adaptations or add-on programs and program components, support of modifications, installation, training, analysis or corrections of Errors caused by Customer’s non-compliance with this Agreement or Documentation or unauthorized modifications.
Subject to each of the other provisions of the Agreement, with the purchase of the Subscription, Camunda will respond to Support Requests regarding Errors as defined in the table below. The timeframes in the table regarding response times set forth the time period in which Camunda will initially provide a qualified response to Customer, but do not represent resolution time frames.
|Severity Level||Service Availability Times||Response Times||Reporting Method|
|1 (Critical Error)||8×5||8 Business Hours|
Primary: ticketing system
Secondary: normal hotline
|2 (Major Error)||8×5||8 Business Hours|
Primary: ticketing system
Secondary: normal hotline
|3 (Support Requests)||8×5||16 Business Hours||Ticketing system|
Exhibit B “Availability Targets and Availability Service Credits”
- Terms not defined in this Exhibit have the same meaning set forth in the Agreement. In addition:
- a suspension of Customer’s use of Camunda Cloud in accordance with this Agreement;
- Customer’s use of Camunda Cloud outside the Resource Metrics;
- Customer’s breach of this Agreement or unauthorized actions through Customer’s Account;
- factors outside of Camunda’s reasonable control, including but not limited to any Event of Force Majeure (as defined in Section 18.9), Customer’s systemic internet issues, Customer’s inadequate bandwidth, and any other act or omission of any third party services, hardware or software provider;
- Customer’s failure to use Camunda-supported clients with acceptable configuration values as defined in the Documentation;
- failure by Customer to take any reasonable remedial action in relation to Camunda Cloud as recommended by Camunda to prevent Downtime, or otherwise preventing Camunda from doing taking such remedial action;
- Customer’s negligence or willful misconduct, which may include failure to follow agreed-upon procedures;
- scheduled Maintenance Work that takes place upon at least five (5) days notice;
- ad hoc Maintenance Work carried out to avoid future unavailability, address high security risks or high risks for overall platform stability, and provide other critical Patches or hotfixes; or
- updates to Clusters initiated by Customer; or
- Customer’s failure to provide information required by Camunda to provision or run any Cluster.
- Camunda will use commercially reasonable efforts to ensure a Monthly Uptime Percentage of 99.5% for Zeebe within each Stable Cluster (the “Zeebe Availability Target”) and 95.0% for Cloud Console and all other Components within each Stable Cluster (together with Zeebe Availability Target, the “Availability Targets”). Availability Targets do not apply to Components within a Cluster which uses an Alpha Version of Camunda Cloud, or to Components within Clusters which use a Version of Camunda Cloud for which Support and Maintenance Services are no longer supported (as specified in paragraph 2 of Exhibit A). If the Monthly Uptime Percentage for Zeebe within a Stable Cluster falls below the Zeebe Availability Target in any calendar month, Camunda will, subject to Customer’s compliance with this Exhibit, provide the following Availability Service Credit, calculated as a percentage of the Total Monthly Fee:
|Monthly Uptime Percentage||Availability Service Credit|
|Less than 99.5% but equal to or greater than 99.3%||5% of the Total Monthly Fee|
|Less than 99.3% but equal to or greater than 99.0%||10% of the Total Monthly Fee|
|Less than 99.0%||25% of the Total Monthly Fee|
- Customer will not be eligible to receive any Availability Service Credits if, on the date that an Availability Service Credit is requested, any Fees then due and payable by Customer are outstanding. To receive an Availability Service Credit, Customer must submit a claim by logging a support ticket. To be eligible, the credit request must be received by Camunda within five (5) calendar days after the last day of the month in which Zeebe does not meet the Zeebe Availability Target within any Cluster, and must include all information reasonably necessary for Camunda to verify the claim, including:
- the words “Availability Service Credit Request” in the subject line;
- the Cluster ID if any Cluster for which the Availability Service Credit is requested;
- a description of the applicable client(s) (as specified in the Documentation), the version of each such client, and the configurations for each such client; and
- a description of the events resulting in Downtime, including the time and duration of the Downtime and Customer requests logs that document the failed write attempts.
- Camunda will evaluate Customer requests and determine in good faith whether an Availability Service Credit is owed based on its system logs, monitoring reports, configuration records, and other available information. If Camunda confirms that the Monthly Uptime Percentage applicable to the month of such request did not meet the Zeebe Availability Target, then Camunda will issue the Availability Service Credit to Customer within one billing cycle following the month in which Customer’s request is confirmed. Customer’s failure to provide the request and other information as required above will disqualify Customer from receiving an Availability Service Credit. Availability Service Credits are not refundable in cash and can only be used as a credit against future billing charges. Camunda will apply any Availability Service Credits against Customer’s next billing charge. Availability Service Credits are exclusive of any applicable taxes charged to Customer or collected by Camunda. Availability Service Credits are Customer’s sole and exclusive remedy for any unavailability of any Components within Clusters. Availability Service Credits expire without refund twelve (12) months from issuance.
Exhibit C “Data Processing Agreement”
This Data Processing Agreement (“DPA”) between Camunda and Customer is an addendum to, and forms part of, the Agreement and is effective upon acceptance of the Agreement. Terms not otherwise defined herein, including but not limited to the terms “controller” “data subject”, “Personal Data”, “Personal Service Data”, “processing”, “personal data breach” and “supervisory authority” shall have the meaning as set forth in the Agreement or the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“General Data Protection Regulation” or “GDPR”).
1. Scope of the DPA and roles of the Parties
1.1 This DPA applies to any and all activities associated with the Agreement, in whose scope Customer’s Personal Service Data is submitted to and processed within Camunda Cloud or the Services by Camunda, Camunda’s employees or agents as per the instructions of Customer as a controller and the GDPR being applicable to such processing. Unless provided for otherwise in the Agreement, the processing will be limited to the storage or processing of certain limited Personal Service Data on a server and incidental access to such data when providing Camunda Cloud or the Services pursuant to the Agreement. This DPA details the Parties’ obligations in relation to the protection of Personal Service Data.
1.2 Customer shall be the “controller” in accordance with Art. 4 no. 7 GDPR and Camunda shall be “processor” in accordance with Art. 4 no. 8 GDPR.
2. Nature and Purpose, Duration and Specification of Processing Operations
2.1 The nature and purpose of the data processing under this DPA is the provision of the Services and Camunda Cloud to Customer and the performance of Camunda’s obligations under the Agreement and this DPA (or as otherwise agreed by the Parties).
2.2. The categories of Personal Data and data subjects which may be subject to the processing within the scope of this DPA are listed in Appendix 1. Appendix 1 can be amended by written notice to Camunda, provided that Camunda confirms the receipt of such notice in writing.
2.3 The duration of the processing shall correspond to the Subscription Term.
3.1 “Applicable Law” means all laws, rules and regulations applicable to each Party in its use of or provisioning of Camunda Cloud and the Services, including but not limited to those applicable to the processing of Personal Data. This means, in particular, the GDPR and all national laws validly amending the applicable rules for the processing of Personal Data, or in relation to the United Kingdom or Switzerland, the respective laws applicable in these countries. Within the scope of this DPA, Customer shall be solely responsible for compliance with Applicable Laws including but not limited to the lawfulness of disclosing Personal Data to Camunda and the lawfulness of having Personal Data processed on behalf of Customer.
3.2 Customer’s individual instructions on data processing shall, initially, be as detailed in the Agreement. Customer shall subsequently be entitled to modify, amend or replace such individual instructions in writing or in a machine-readable format (e.g. via email) by issuing such instructions to the point of contact designated by Camunda. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes to the Agreement and will only be effective if documented in a written addendum which is signed by both Parties. Customer shall, without undue delay, confirm in writing or by email any oral instruction given.
4. Camunda’s obligations
4.1 Except where expressly permitted by Art. 28 para. 3 lit. a) GDPR, Camunda shall process Personal Service Data only within the scope of the Agreement and the documented instructions issued by Customer, unless required to do so by Applicable Law to which Camunda is subject to. In such case, Camunda shall inform Customer of that legal requirement before processing, unless Applicable Law prohibits such information from being shared on important grounds of public interest.
4.2 If Camunda believes that an instruction would be in breach of Applicable Law, Camunda will notify Customer of such belief without undue delay. Camunda is entitled to not perform the relevant instruction until Customer confirms that it complies with Applicable Law or modifies such instruction.
4.3 Camunda shall, within Camunda’s scope of responsibility, organize Camunda’s internal organization so that it satisfies the specific requirements of the Applicable Law. Camunda shall, in particular, taking into account the nature of the Personal Service Data and the risks involved in the processing of any such Personal Service Data, maintain reasonable and appropriate technical and organizational measures designed to ensure the adequate protection of Customer’s Personal Service Data, which will fulfill the requirements of the GDPR and specifically its obligations under Art. 32 GDPR. The measures implemented at the time of establishing this DPA are set forth in Annex 2 to this DPA. Customer is familiar with these technical and organizational measures, and is responsible for determining that such measures ensure a level of security appropriate to the risk associated with Personal Service Data. Camunda reserves the right to modify the measures and safeguards implemented, provided that the level of security shall not be less protective than initially agreed.
4.4 Camunda shall implement a data protection management procedure according to Art. 32 para 1 lit. d) GDPR, for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to reasonably ensure the security of the processing. Camunda will further, by way of regular self-audits, reasonably ensure that the processing of Personal Service Data conforms with the provisions according to Customer’s instructions or as agreed with Customer.
4.5 Taking into account the nature of the processing, Camunda shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising data subjects’ requests, as laid down in chapter III of the GDPR. Camunda shall assist Customer in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR taking into account the nature of the processing and the information available to Camunda.
4.6 Camunda ensures that (i) any person entitled to process Personal Service Data on behalf of Customer as the controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy and all such secrecy obligations shall survive the termination or expiration of such data processing, and (ii) all employees authorized to process Personal Service Data and other such persons as may be involved in data processing within Camunda’s scope of responsibility is prohibited from processing Personal Service Data outside the scope of the instructions.
4.7 Camunda shall notify Customer, without undue delay, if Camunda becomes aware of a personal data breach within Camunda’s scope of responsibility. In the event of any breach, Camunda shall implement the measures necessary to secure Personal Service Data and mitigate potential negative consequences for the affected data subjects. Camunda shall coordinate such efforts with Customer without undue delay. Camunda shall notify Customer of the point of contact for any issues related to data protection arising out of or in connection with the Agreement.
4.8 Camunda shall correct or erase Personal Service Data if so instructed by Customer and where covered by the scope of the instructions if this is permissible. Where an erasure consistent with data protection requirements or a corresponding restriction of processing is impossible, Camunda will, based on Customer’s instructions, and unless otherwise agreed in the Agreement, destroy all carrier media and other material or return the same to Customer in compliance with data protection requirements. In specific cases designated by Customer, such Personal Service Data will be stored or handed over. The associated remuneration and protective measures shall be agreed upon separately, unless already agreed upon in the Agreement.
4.9 Camunda shall, upon termination of the data processing and upon Customer’s instruction, return all Personal Service Data, carrier media and other materials to Customer or delete the same. In case of testing and discarded material, no instruction shall be required.
4.10 Customer shall bear any extra cost caused by deviating requirements in returning or deleting data.
4.11 Where a data subject asserts any claims against Customer in accordance with Art. 82 GDPR, Camunda will support Customer in defending against such claims to the extent they arise in connection with the processing of Personal Service Data by Camunda within the scope of this DPA only, and to the extent this is possible. Camunda reserves the right to a reasonable compensation for such support.
5. Customer’s obligations
5.1 Customer shall notify Camunda in sufficient detail and without undue delay of any defect or irregularity detected by Customer in Camunda’s provision of Camunda Cloud or any Services concerning data protection.
5.2 Section 4.11 of this DPA shall apply, mutatis mutandis, to claims asserted by data subjects against Camunda in accordance with Art. 82 GDPR.
5.3 Customer shall notify Camunda of the point of contact for any issues related to data protection arising out of or in connection with the Agreement.
5.4 Customer shall notify Camunda in writing of the names of the persons who are entitled to issue instructions to Camunda. Unless otherwise specified at a later date, the point of contact designated during the sign-up or onboarding process shall be entitled to issue instructions. If no point of contact has been designated, the managing directors and designated Data Protection Officer of the Customer shall be entitled to issue instructions to Camunda.
6. Enquiries by data subjects
Where a data subject asserts claims for rectification, erasure (deletion), restriction (blocking), transmission or access against Camunda, and where Camunda is able to correlate the data subject to Customer based on the information provided by the data subject, Camunda shall refer such data subject to Customer. Camunda shall forward the data subject’s claim to Customer without undue delay. Camunda shall support Customer, to a reasonable extent and at Customer’s expense, and based upon Customer’s instructions. Camunda shall not be liable in cases where Customer fails to respond to the data subject’s request or fails to do so correctly and/or in a timely manner.
7. Options for documentation and audits
7.1 Camunda shall document and make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA. Customer shall have the right to assess Camunda’s compliance with the obligations agreed upon in this DPA by appropriate measures.
7.2 Where, in individual cases, audits and inspections by Customer or an auditor appointed by Customer are required at Camunda’s working premises and allowable under applicable law to determine Camunda’s compliance with this DPA, to the extent that such information is within Camunda’s control and Camunda is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, such audits and inspections will be conducted during regular business hours, and without interfering with Camunda’s operations and upon prior notice of at least 30 days. Camunda shall be entitled to reject auditors that (i) are competitors of Camunda, (ii) are not sufficiently qualified to conduct such an audit, or (iii) are not independent. At least one employee of Camunda may accompany the auditors at any time. Camunda may memorialize the results of the audit in writing which shall be confirmed by Customer.
7.3 Customer hereby consents to the appointment of a competent, independent external auditor by Camunda if Camunda so chooses, provided that Camunda provides a copy of the audit report to Customer.
7.4 Camunda may also determine that any audits and inspections require the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organizational measures and safeguards implemented. In this case, execution of such a confidentiality undertaking will be a prerequisite for any audit or inspection.
7.5 Camunda reserves the right to charge a reasonable fee for Camunda’s support in conducting inspections based on Camunda’s reasonable costs. Camunda’s time and effort for such inspections shall be limited to one day per calendar year, unless agreed upon otherwise.
7.6 Where a data protection supervisory authority or another supervisory authority with statutory competence for Customer conducts an inspection, Section 7.2 of this DPA above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations the breach of which is sanctionable under the applicable criminal code.
7.7 Camunda shall audit its Sub-processors (as defined below) on a regular basis and will upon Customer’s request confirm their compliance with Applicable Law and the obligations set upon the Sub-processors according to the data processing agreement concluded with them. If Customer provides reasoned, adequately detailed justifications for further audits and Camunda (acting reasonably) considers such justifications to be valid, Customer may instruct Camunda to conduct further audits, which Camunda will conduct to the extent permitted.
8.1 “Sub-processor” means a third party subcontractor engaged by Camunda that performs Camunda’s obligations under this DPA on behalf of Camunda. Customer hereby consents to Camunda’s use of Sub-processors. A list of current Sub-processors can be found in Appendix 3.
8.2 Camunda shall conclude with such Sub-processors the contractual instruments necessary to ensure an appropriate level of data protection and information security in accordance with Art. 28 para. 4 GDPR. Where Camunda commissions Sub-processors, Camunda is responsible for ensuring that every Sub-processor is subject to obligations regarding the processing of Personal Data that are no less protective than those to which Camunda is subject under this DPA.
8.3 If Camunda intends to instruct additional Sub-processors in the future, Camunda will notify Customer thereof in writing (email to the email address(es) provided in accordance with Section 5.3 of this DPA shall be sufficient) and will give Customer the opportunity to object to the engagement of the new Sub-processor within 10 business days after being notified. The objection must be based on reasonable grounds (e.g. if Customer proves that Sub-processor does not act in compliance with this DPA and the Applicable Law and, therefore, significant risks for the protection of its Personal Data exist at the Sub-processor). If Camunda and Customer are unable to resolve such an objection, either Party may terminate the Agreement by providing written notice to the other Party. Customer shall not be entitled to any refund of Fees unless the objection is based on justified reasons of non-compliance with Applicable Law, in which case it is entitled to receive a pro-rata refund of any Fees paid.
8.4 If Customer does not object to the engagement of a third party in accordance with this Section within 10 business days after notice is given by Camunda, the Sub-processor shall be deemed a Sub-processor to which Customer consented for the purposes of this DPA.
8.5 Camunda is entitled to engage a Sub-processor located outside the EEA, the United Kingdom and Switzerland. If so, Camunda shall implement appropriate contractual and technical safeguards to ensure compliance with the requirements under Art. 44 et seq. GDPR on international data transfers. For compliance with international data transfers, Customer authorizes Camunda on its behalf to enter into the EU Standard Contractual Clauses pursuant to European Commission Decision of 4 June 2021 (“SCC”). Camunda may amend or replace the SCC by other appropriate safeguards as required under Applicable Law for transfers of Personal Data to third countries once made available by the European Commission or once further guidance about the use of the SCC and accompanying supplementary measures becomes available. Camunda will conduct a transfer impact assessment (“TIA”) prior to the engagement of any new Sub-processor located outside the EEA, the United Kingdom and Switzerland.
8.6 Camunda is entitled to engage a Sub-processor located outside the EEA, the United Kingdom and Switzerland. If so, Camunda shall implement appropriate contractual and technical safeguards to ensure compliance with the requirements under Art. 44 et seq. GDPR on international data transfers. For compliance with international data transfers, Customer authorizes Camunda on its behalf to enter into the EU Standard Contractual Clauses pursuant to European Commission Decision of 4 June 2021 (“SCC”). Camunda may amend or replace the SCC by other appropriate safeguards as required under Applicable Law for transfers of Personal Data to third countries once made available by the European Commission or once further guidance about the use of the SCC and accompanying supplementary measures becomes available. Camunda will conduct a transfer impact assessment (“TIA”) prior to the engagement of any new Sub-processor located outside the EEA, the United Kingdom and Switzerland.
8.7 For the Services provided by Camunda and its Sub-processors, Customer may be able to select between several data centers worldwide (e.g. within the EEA, the United Kingdom, the United States of America or other countries). If an outside the EEA location is selected, Customer is solely liable for compliance with Applicable Law in relation to the international transfer of personal data.
If Customer is a Controller located outside the EEA, enters into this Agreement including a DPA with Camunda Services GmbH, and chooses a data location within the EEA, Camunda and Customer hereby agree that Module 4) of the New Standard Contractual Clauses (Controller to Processor) apply and Camunda shall be acting a Data Exporter and Customer acting as Data Importer within the meaning of the SCC.
10. Safeguards and Support for international data transfers
Camunda undertakes to provide reasonable support to Customer to ensure compliance with the requirements imposed on the transfer of Personal Data to third countries with respect to data subjects located in the EEA, United Kingdom and Switzerland. Camunda will do so, in particular, by providing information to Customer which is reasonably necessary for Customer to complete a TIA. Customer warrants that it will have successfully completed an appropriate TIA prior to any processing under the DPA if required.
11. Liability and damages
The provisions on the Parties’ liability contained in the Agreement shall apply to any liability relating to data processing, unless otherwise agreed in this DPA.
The Parties may modify or supplement this DPA, with notice to the other Party, (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Applicable Law, (iii) to implement standard contractual clauses laid down by the European Commission or (iv) to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Art 40, 42 and 43 of the GDPR. The informed Party shall notify the modifying Party if it does not agree to a modification, in which case the informed Party may terminate this DPA and the Agreement with two (2) weeks’ prior written notice. Customer shall not be entitled to any refund of Fees unless the objection to the modifications are based on justified reasons of non-compliance with Applicable Law, in which case it is entitled to receive a pro-rata refund of any Fees paid.
13. Obligations to inform, mandatory written form, choice of law
13.1 Where the Personal Service Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by Third Parties while in Camunda’s control, Camunda shall notify Customer of such action without undue delay. Camunda shall, without undue delay, notify all pertinent Parties in such action that any data affected thereby is in Customer’s sole property and area of responsibility, that data is at Customer’s sole disposition, and that Customer is the responsible body in the sense of the GDPR.
13.2 No modification of this DPA and/or any of its components – including, but not limited to, Camunda’s representations and warranties, if any – shall be valid and binding unless made in writing or in a machine-readable format (in text form), and furthermore only if such modification expressly states that such modification applies to the regulations of this DPA. The foregoing shall also apply to any waiver or modification of this mandatory written form.
13.3 In case of any conflict, the data protection regulations of this DPA shall take precedence over the provisions of the Agreement. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
13.4 This DPA is governed by the laws of the Federal Republic of Germany and the place of jurisdiction shall be Berlin unless and to the extent required otherwise by applicable data protection and privacy laws.
Appendix 1 – Specifications of the Processing
- Types of personal data
Personal Data being processed by Camunda on behalf of Customer could contain the types of Personal Data that Customers provide in process instances of their automated processes, including but not limited to personal data, that Customers store in order to bring about decisions in the respective process instances. Examples could include risk classification, references to personal data in third-party systems, identity data, contact details, professional data, meta data (i.e. data containing information on characteristics of other data) and purchase data.
- Categories of data subjects
Personal Data being processed by Camunda on behalf of Customer could refer to any category of data subject that Customers provide in process instances of their automated processes, including but not limited to Customer’s customers and potential customers, employees, suppliers and other Customer contacts.
- Data Exporter
Customer is the Data Exporter.
- Data Importer
Camunda is the Data Importer, an online service provider that offers process automation services through its SaaS Platform.
Appendix 2 – Technical and Organizational Measures
- Pseudonymization (Art.32 para. 1 lit. a) GDPR; Art. 25 para. 1 GDPR)
The processing of Personal Service Data in such a method/way, that the Personal Service Data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.
- For support tickets no Personal Service Data is required by Camunda; Customer may pseudonymize his Personal Service Data before sending it to the support team.
- Confidentiality, Integrity, Availability and Resilience (Art. 32 para. 1 lit. a) GDPR; Art. 25 para. 1 GDPR)
- Confidentiality (Art. 32 para. 1 lit. b) GDPR)
- Physical Access Control
No unauthorized access to Personal Service Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems
- Data related to support inquiries is currently stored at a data center in Frankfurt, Germany (https://www.leaseweb.com/de/node/3377) operated by Camunda.
- Camunda Cloud is hosted at an external cloud service provider (currently Google Cloud Platform), with whom Camunda has a data processing agreement in place.
- Electronic Access Control
No unauthorized use of the Personal Service Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
- Access is secured by two-factor authentication mechanisms.
- Access is secured via a firewall, with strong encryption and by two-factor authentication mechanisms.
- Secure passwords are used and default passwords of systems and applications are changed as a matter of principle. Their structure and handling is in accordance with a documented password guideline.
- An effective and documented access control policy exists.
- The access control policy is assessed at least once per year.
- All staff are instructed to lock their workplaces when they leave them. Workplaces are configured with an automatic lock as standard.
- The access control policy defines the issuance and withdrawal of access rights, as well as their approval for internal and external staff.
- Internal Access Control (permissions for Customer rights of access to and amendment of data)
No unauthorized Reading, Copying, Changes or Deletions of Personal Service Data within the system, e.g. rights authorization concept, need-based rights of access, logging of system access events
- release of Personal Service Data only to authorized persons, including allocation of differentiated access rights and roles.
- Access rights are adjusted if the tasks carried out in the business processes change.
b. Integrity (Art. 32 para. 1 lit. b) GDPR)
- Data Transfer Control
No unauthorized Reading, Copying, Changes or Deletions of Personal Service Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature
- Use of adequate encryption technologies
- No physical transport of the Personal Service Data (e.g. via data carriers)
- use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the Personal Service Data travels.
- Data Entry Control
Verification, whether and by whom personal data is entered into a Personal Service Data Processing System, is changed or deleted, e.g.: Log-In, Document Management
- Plausibility is guaranteed via the Login functions of the Camunda Cloud.
- Log systems and logging information are protected against unauthorized access, alteration and erasure, and are regularly evaluated.
- The clocks of all critical systems are synchronized using a reliable, agreed time server.
- Order Control
Measures that are suited for ensuring that the commissioned processing of personal data complies with the guidelines of the contracting Party.
- We have data processing agreements with all our subcontractors who process Personal Service Data on our behalf in place.
- External service-providers are evaluated before being contracted.
- Separation rule
Measures that are suited for ensuring that data that has been collected for different purposes can be kept separate during processing.
- Access to data is separated through application security for the appropriate Customers.
- Data that have been collected for different purposes are kept apart in such a way (physically or logically) that they are separated, processed, stored and erased in a manner appropriate to the purpose.
- Development, testing and production environments are separated.
c. Availability and Resilience (Art. 32 para. 1 lit. b) GDPR)
- Availability Control
Prevention of accidental or willful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
- All Personal Service Data is stored on servers from our Cloud Service Provider (currently Google Cloud Platform).
- High availability via redundant servers can be determined by Customer.
- Availability incidents over and above a typical, slight disturbance in daily business are reported to specific units without undue delay.
Measures guaranteeing that data breaches are recognized and reported quickly
- A process has been established which ensures that security incidents are identified, assessed and dealt with appropriately.
- Escalation procedures and organizational interfaces are defined with all relevant parties, including the data protection officer.
- Staff who are responsible for the management of IT systems/applications are trained to recognize, classify and report security incidents.
- A process has been established guaranteeing information security for all critical business processes, even during a crisis or catastrophe.
- Processes and responsibilities have been defined in case of an emergency or crisis, and appropriate tests are held.
Appendix 3 – Camunda Sub-processors
Sub-processors processing Personal Data included in Service Data (Personal Service Data) uploaded by Customer or its Customers to the Camunda Cloud Offerings.
|Sub-processor||Purpose||Location (by country)|
|Google Cloud Platform LLC||Cloud Infrastructure|
|Cloudflare Inc.||Web Application Firewall||worldwide (depending on Customer’s location)|
Exhibit D “CCPA Data Protection Addendum”
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. may apply to the data processing activities Camunda performs for and on behalf of its customers.
This CCPA Data Protection Addendum (“Addendum”) applies when CCPA (as defined below) is applicable to the processing of Personal Service Data on behalf of the Customer, forms part of the Agreement and is effective upon acceptance of the Agreement. In the event of a conflict between any of the provisions of this Addendum and the provisions of the Agreement, the provisions of this Addendum shall prevail.
All capitalized terms not defined in this Addendum shall have the meaning set forth in the Agreement.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Addendum;
“Consumer” means a “consumer” as such term is defined in the CCPA;
“Data Processing Services” means the Processing of Personal Service Data for any purpose permitted by the CCPA, such as for a permitted “business purpose” as such term is defined in the CCPA, or for any other purpose expressly permitted by the CCPA;
“Processing” means any operation or set of operations which is performed on Personal Service Data or on sets of Personal Service Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and “Process” will be interpreted accordingly;
“Sell” and “Sale” have the meaning given in the CCPA;
“Services” means the service(s) provided by Camunda to the Customer under the Agreement; and
“Subcontractor” means any person or legal entity engaged by the Service Provider who Processes any Personal Service Data on behalf of Camunda.
- Role of the Parties. For the purposes of the CCPA, the Parties acknowledge and agree that Camunda will act as a “Service Provider”, as such term is defined in the CCPA, in its performance of its obligations pursuant to the Agreement.
- Instructions for Processing. Camunda will retain, use and disclose Personal Service Data for the purpose of performing its obligations under the Agreement, and otherwise only as permitted by the CCPA or as required by law.
- No Disclosure of Personal Service Data. Camunda will not disclose, release, transfer, make available or otherwise communicate any Personal Service Data to another business or third party without the prior written consent of the Customer unless and to the extent that such disclosure is made to a Subcontractor for a business purpose pursuant to a written agreement to protect Personal Service Data in the same manner as provided herein or to an Affiliate for the purpose of performing its obligations under the Agreement. Notwithstanding the foregoing, nothing in this Agreement shall restrict Camunda’s ability to disclose Personal Service Data to comply with applicable laws or as otherwise permitted by the CCPA.
- No Sale of Personal Service Data. Camunda shall not sell, license, rent, disclose, release, transfer, make available or otherwise communicate any Personal Service Data to another business or third party for monetary or other valuable consideration without the consent of the Customer or the consumer to whom the Personal Service Data relates. Notwithstanding the foregoing, disclosures to a third party in the context of a merger, acquisition, bankruptcy or other insolvency proceeding shall be permitted in accordance with the terms of the Agreement.
- Access and Deletion. Camunda shall Process Personal Service Data in compliance with its obligations under the CCPA and, where possible, assist Customer to comply with Customer’s obligations under the CCPA, and specifically Camunda shall (i) upon Customer’s request and at Customer’s reasonable expense, provide the Customer with the ability to delete, access or procure a copy of Personal Service Data, and (ii) return or delete Personal Service Data promptly upon request following termination of the Agreement in accordance with the terms of the Agreement.
- Security Obligations. Camunda shall implement commercially reasonable administrative, physical, technical and organizational controls designed to protect the Personal Service Data against any unauthorized access, disclosure or use, and shall notify Customer of any security incident which may compromise the security of Personal Service Data in accordance with the terms set forth in the Agreement.
- Certification of Compliance. Camunda certifies that it understands the foregoing obligations and shall comply with them for the duration of the Agreement and for as long as Camunda Processes Personal Service Data.
Effective date: 12 October, 2021