This End-User License Agreement ("EULA") is a legal agreement between you and UGARIT L.L.C.
The customer agreeing to these terms (“Customer”), and Ugarit LLC or any other entity that directly or indirectly controls, is controlled by, or is under common control with Ugarit LLC (as applicable, “Ugarit”), have entered into an agreement under which Ugarit has agreed to provide Formera products or services to Customer (as amended from time to time, the "Agreement"). These Formera Data Collection/Management/Processing and Security Terms, including their appendices, (the “Terms”) will be effective and replace any previously applicable data processing and security terms as from the Terms Effective Date (as defined below). These Terms supplement the Agreement.
1. Introduction
These Terms reflect the parties’ agreement with respect to the terms governing the Collection/Management/Processing and security of Customer Data under the Agreement.
2. Definitions
2.1 Capitalized terms used but not defined in these Terms have the meanings set out in the Agreement. In these Terms, unless stated otherwise:
Account has the meaning given in the Agreement or, if no such meaning is given, means Customer’s account for the Services.
Additional Product means a product, service or application provided by Ugarit or a third party that: (a) is not part of the Services; and (b) is accessible for use within the user interface of the Services or is otherwise integrated with the Services.
Additional Security Controls means security resources, features, functionality and/or controls that Customer may use at its option and/or as it determines, including the Admin Console and other features and/or functionality of the Services such as logging and monitoring, and identity and access management.
Admin Console has the meaning given in the Agreement or, if no such meaning is given, means the online console(s) and/or tool(s) provided by Ugarit to Customer for administering/managing the Services.
Affiliate has the meaning given in the Agreement or, if no such meaning is given, means any entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
Customer Data has the meaning given to “Developer Data” in the Agreement or, if no such meaning is given, means data provided by or on behalf of Customer or Customer End Users via the Services under the Account.
Customer End Users has the meaning given to “End Users” in the Agreement or, if no such meaning is given, means the users of Customer’s services (for example, the users of a Customer app).
Customer Personal Data means the personal data contained within the Customer Data.
Data Incident means a breach of Ugarit’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Ugarit. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
Cloud Service Provider has the meaning given in Section 5.4 (Cloud Service Provider).
Security Practices has the meaning given in Section 7 (Ugarit Security Measures).
Sub-processors means third parties authorized under these Terms to have logical access to and process Customer Personal Data in order to provide parts of the Services.
Term means the period from the Terms Effective Date until the end of Ugarit’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Google may continue providing the Services for transitional purposes.
Terms Effective Date means, as applicable: (a) 21 March 2019, if the Customer agreed to these Terms prior to or on such date; or (b) the date on which Customer agreed to these Terms, if such date is after 21 March 2018.
3. Duration of these Terms
These Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Ugarit as described in these Terms.
4. Processing of Data
4.1. Roles and Regulatory Compliance; Authorization.
4.1.1. Processor and Controller Responsibilities. The parties acknowledge and agree that:
- the subject matter and details of the processing are described in Appendix 1;
- Ugarit is a processor of that Customer Data under the Data Protection Legislation;
- Customer is a controller or processor, as applicable, of that Customer Personal Data under Data Protection Legislation; and
- each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of that Customer Personal Data.
4.1.2. Authorization by Third Party Controller. If Customer is a processor, Customer warrants to Ugarit that Customer’s instructions and actions with respect to that Customer Data, including its appointment of Ugarit as another processor, have been authorized by the relevant controller.
4.2. Scope of Data Collection/Processing/Management/Collaboration.
Customer’s Instructions
By entering into these Terms, Customer instructs Ugarit to collect, process and manage Customer Data:
(a) to provide all related Formera services;
(b) all needed operations and services to ensure Customer’s business continuity (including Domain admin account and other functionality of the Services);
(c) as documented in the form of the Agreement, including these Terms; and
(d) as further documented in any other written instructions given by Customer and acknowledged by Ugarit as constituting instructions for purposes of these Terms.
4.3. Infrastructure Providers. Customer authorizes the engagement of Azure Cloud Services and Google Cloud services (“Infrastructure Providers”) to provide underlying infrastructure services in the provision of the Services. Infrastructure Provider’s role includes storing Customer Data but Infrastructure Provider will not be a Third Party Subprocessor for the purposes of these Terms.
5. Data Deletion
5.1. Deletion by Customer. Ugarit will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Ugarit to delete the relevant Customer Data from Formera platform systems in accordance with applicable law. Ugarit will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days.
5.2. Deletion on Termination. On expiry of the Term, Customer instructs Ugarit to delete all its Data (including existing copies) from Formera platform in accordance with applicable law. Ugarit will, after a recovery period of up to 30 days following such expiry, comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days. Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.
6. Data Security
6.1. Ugarit’s Security Measures, Controls and Assistance.
6.1.1. Ugarit’s Security Measures. Ugarit will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the "Security Measures"). As described in Appendix 2, the Security Measures include measures to encrypt data; to help ensure ongoing confidentiality, integrity, availability and resilience of Formera platform and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Ugarit may update or modify the Security Measures from time to time, without any sort of obligation to inform the Customer.
6.1.2. Security Compliance by Ugarit Staff. Google will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.1.3. Additional Security Controls. In addition to the Security Measures, Ugarit will make the Additional Security Controls available to: (a) allow Customer to take steps to secure its Data; and (b) provide Customer with information about securing, accessing and using Customer Data.
6.1.4. Ugarit’s Security Assistance.
Customer agrees that Ugarit will assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of data and data breaches by:
(a) implementing and maintaining the Security Measures in accordance with Section 6.1.1; and
(b) making the Additional Security Controls available to Customer in accordance with Section 6.1.5 (Additional Security Controls).
6.2. Data Incidents
6.2.1. Incident Notification. If the Formera team becomes aware of a Data Incident, Ugarit will:
(a) notify Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and
(b) promptly take reasonable steps to minimize harm and secure Customer Data.
6.2.2. Incidents related to “Infrastructure Providers” are not considered Ugarit’s responsibility.
6.2.3. Customer has no right to ask Ugarit for any compensation or penalties resulting from any sort of Data Incident.
6.2.4. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Ugarit recommends Customer take to address the Data Incident.
6.2.5 Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.
6.2.6 No Assessment of Customer Data by Ugarit. Google will not assess the contents of Customer Data to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident(s).
6.3. Customer’s Security Responsibilities and Assessment.
6.3.1 Customer’s Security Responsibilities. Customer agrees that, without prejudice to Ugarit’s obligations under Section 6.1 (Google’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents):
(a) Customer is solely responsible for its use of the Services, including:
- making appropriate use of the Services and the Additional Security Controls to ensure a level of security appropriate to the risk in respect of the Customer Personal Data;
- securing the account authentication credentials, systems and devices Customer uses to access the Services; and
- backing up its Data.
6.3.2. Customer’s Security Assessment.
6.3.2.1. Customer is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures, the Additional Security Controls and Ugarit’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Legislation.
6.3.2.2. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Data as well as the risks to individuals) the Security Measures implemented and maintained by Ugarit as set out in Section 7.1.1 (Ugarit Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.
7. Data Subject Rights; Data Export
7.1. Access; Rectification; Restricted Processing; Portability. During the Term, Ugarit will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided within Formera platform as described in Section 6.1 (Deletion by Customer), and to export Customer Data.
7.2. Data Subject Requests
7.2.1. Customer’s Responsibility for Requests. During the Term, if Ugarit receives any request from a data subject in relation to Customer Data, Google will advise the data subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
7.2.2. Ugarit’s Data Subject Request Assistance. Customer agrees that Ugarit will (taking into account the nature of the processing of Customer Data) assist Customer in fulfilling any obligation to respond to requests by data subjects.
8. Data Transfers
Ugarit has all necessary rights, without needing any approval from Customer, to transfer Customer Data to any region or to any other infrastructure provider, subject to keeping the same level of security for Customer Data.
9. Sub-processors
9.1. Consent to Sub-processor Engagement. Customer specifically authorizes Ugarit to engage its Affiliates as Sub-processors. In addition, Customer generally authorizes Ugarit to engage any other third parties as Sub-processors (“Third Party Sub-processors”).
9.2. Requirements for Sub-processor Engagement. When engaging any Sub-processor, Ugarit will:
(a) ensure that the Sub-processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Terms) and Privacy Shield; and
(b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
10. Formera platform Data Protection Team; Processing Records
Customer acknowledges that Ugarit is required to collect/manage/maintain all Customer data records included in all forms designed by the Customer admin, in such a way as to maintain Customer’s business continuity.
11. Liability
If the Agreement is governed by the laws of:
- (a) Turkey, then, notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Terms will be limited to a maximum of one year’s subscription to the Formera platform; or
- (b) a jurisdiction that is not in Turkey, then the liability of the parties under or in connection with these Terms will be subject to the exclusions and limitations of liability in the Agreement.
12. Data Request Policy
Ugarit receives requests from users and government agencies to disclose data other than in the ordinary operation and provision of the Services. This Data Request Policy outlines Ugarit’s policies and procedures for responding to such requests for Customer Data. Any capitalized terms used in this Data Request Policy that are not defined will have the meaning set forth in the Customer Terms of Service. In the event of any inconsistency between the provisions of this Data Request Policy and the Customer Terms of Service or written agreement with Customer, as the case may be, the Customer Terms of Service or written agreement will control.
12.1. Requests for Customer Data by Legal Authority
Except as expressly permitted by the Contract or in cases of emergency to avoid death or physical harm to individuals, Ugarit will only disclose Customer Data in response to valid and binding compulsory legal process. Ugarit requires a search warrant issued by a court of competent jurisdiction to disclose Customer Data.
All requests by courts, government agencies, or parties involved in litigation for Customer Data disclosures should be sent to legal@formera.xyz and include the following information: (a) the requesting party, (b) the relevant criminal or civil matter, and (c) a description of the specific Customer Data being requested, including the relevant Customer’s name and relevant Authorized User’s name (if applicable), domain name in Formera platform, and type of data sought.
Requests should be prepared and served in accordance with applicable law. All requests should be narrow and focused on the specific Customer Data sought. All requests will be construed narrowly by Formera team, so please do not submit unnecessarily broad requests. If legally permitted, Customer will be responsible for any costs arising from Ugarit’s response to such requests.
Ugarit is committed to the importance of trust and transparency for the benefit of our Customers and does not voluntarily provide governments with access to any data about users for surveillance purposes.
12.2. Customer Notice
Ugarit will notify Customer before disclosing any of Customer’s Data so that the Customer may seek protection from such disclosure, unless Ugarit is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm to people or property associated with the use of such Customer Data. If Ugarit is legally prohibited from notifying Customer prior to disclosure, Ugarit will take reasonable steps to notify Customer of the demand after the nondisclosure requirement expires.
12.3. Domestication and International Requests
Ugarit requires that any individual issuing legal process or legal information requests (e.g., discovery requests, warrants, or subpoenas) to Ugarit properly domesticate the process or request and serve Ugarit in a jurisdiction where it is resident or has a registered agent to accept service on its behalf. Ugarit does not accept legal process or requests directly from law enforcement entities outside Turkey. Foreign law enforcement agencies should proceed through a Mutual Legal Assistance Treaty or other diplomatic or legal means to obtain data through a court where Ugarit is located.
13. Effect of these Terms
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between these Terms and the remaining terms of the Agreement, these Terms will govern.
14. Changes to these Terms
14.1. Changes to URLs. From time to time, Ugarit may change any URL referenced in these Terms and the content at any such URL.
14.2. Changes to these Terms. Ugarit may change these Terms if the change:
- (a) is expressly permitted by these Terms, including as described in Section 14.1 (Changes to URLs);
- (b) reflects a change in the name or form of a legal entity;
- (c) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
- (d) does not:
- result in a degradation of the overall security of the Services;
- expand the scope of, or remove any restrictions on, Ugarit’s processing of Customer Data, as described in Section 5.2.2 (Google’s Compliance with Instructions);
- otherwise have a material adverse impact on Customer’s rights under these Terms, as reasonably determined by Ugarit.
14.3. Notification of Changes. If Ugarit intends to change these Terms, Ugarit will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by sending an email to the Notification Email Address. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Ugarit within 90 days of being informed by Ugarit of the change. In such case, Customer may not ask for any compensation from Ugarit.
Appendix 1: Subject Matter and Details of the Data Processing
Subject Matter. Ugarit’s provision of the Formera platform services to Customer.
Duration of the Processing. The Term plus the period from the expiry of the Term until deletion of all Customer Data in accordance with these Terms.
Nature and Purpose of the Data collection/management. Ugarit will process Customer Data for the purposes of providing Formera Services to Customer in accordance with these Terms.
Categories of Data. Data relating to individuals provided to Ugarit via Formera Services, by (or at the direction of) Customer, Customer beneficiaries or by Customer End Users.
Data Subjects. Data subjects include the individuals about whom data is provided to Ugarit via Formera Services by (or at the direction of) Customer, Customer beneficiaries or by Customer End Users.
Appendix 2: Security Measures
As from the Terms Effective Date, Ugarit will implement and maintain the Security Measures set out in this Appendix 2. Ugarit may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
1. Data Center and Network Security
Formera is deployed on Azure cloud services, which have several data centers around the globe. All terms related to infrastructure provider redundancy, availability, etc. can be found in the following links:
The Formera platform is deployed on several servers in different locations to ensure a maximum level of availability and business continuity. Customer data is replicated and backed up periodically so that it can be recovered in case of any disaster.
External Attack Surface. Azure employs multiple layers of network devices and intrusion detection to protect its external attack surface. Ugarit considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.
Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. More details can be found in: https://privacy.microsoft.com/en-us/privacystatement
Incident Response. Ugarit monitors a variety of communication channels for security incidents, and Formera team security personnel will react promptly to known incidents.
Encryption Technologies. Formera platform deploys HTTPS encryption (also referred to as SSL or TLS connection). Formera servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.
2. Customer Data
Formera platform logically isolates the Customer’s data. Customer will be given control over specific data sharing policies (i.e. its specific domain only). Those policies, in accordance with the functionality of the Services, will enable Customer to determine the product sharing settings applicable to Customer End Users for specific purposes.
3. Confidentiality
We place strict controls over our employees’ access to the data you and your users make available via the Formera platform services and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the Formera platform services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with Formera, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.
All of our employees and contract personnel are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company.
4. Personnel Security
Ugarit personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Ugarit conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Ugarit’s confidentiality and privacy policies. Personnel are provided with security training. Personnel handling Customer Data are required to complete additional requirements appropriate to their role (e.g., certifications). Ugarit’s personnel will not process Customer Data without authorization.
5. Sub-processor and Infrastructure Provider Security
(a) Sub-processors. Before onboarding Sub-processors, Ugarit conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Ugarit has assessed the risks presented by the Sub-processor, then subject to the requirements set out in Section 10.2 (Requirements for Sub-processor Engagement) of these Terms, the Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms.
(b) Infrastructure Provider (Formera is hosted on Azure Cloud). Details regarding the Data Center, Network Security, and Site Control security standards of the Infrastructure Provider, including the Infrastructure Provider’s SOC 3 Report, are publicly available at https://www.microsoft.com/en-us/trustcenter/security/azure-security (as may be modified or updated by the Infrastructure Provider from time to time).