MASTER SERVICES AGREEMENT

Each Order Form and SOW signed by Customer and spaceti s.r.o., a limited liability company having its registered office at Kateřinská 466/40, 120 00, Prague, Czech Republic, ID no.: 05137659 (“Spaceti”) is subject to this Master Service Agreement (the “Agreement”).

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Beta Services” means Spaceti services or functionality that may be made available to Customer to try at its option at no additional charge which is clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description.

“Customer” means any entity that purchases the Services, Professional Services or HW, as more particularly detailed in the Order Form or SOW.

“Customer Data” means electronic data and information submitted by or for Customer to the Services, excluding Non-Spaceti Applications.

“Documentation” means the applicable Service’s product description documentation in the Order Form, Security Documentation and Infrastructure and Sub-processors (both as defined in the DPA) and its usage guide and policy, as updated from time to time, accessible via login to the applicable Service.

“Free Services” means Services that Spaceti makes available to Customer free of charge. Free Services exclude Services offered as Purchased Services.

“Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.

“Non-Spaceti Application” means a Web-based, mobile, offline or other software application functionality that interoperates with a Service, that is provided by Customer or a third party. Non-Spaceti Applications, other than those obtained or provided by Customer, will be identifiable as such.

“Normal Working Hours” means the time between 9:00 AM and 6:00 PM in the Czech Republic on a Business Day where Business Day means any day that is not a Saturday, Sunday or public holiday in the Czech Republic.

“Order Form” means an ordering document or online order specifying the Services and HW to be provided hereunder that is entered into between Customer and Spaceti or any of their Affiliates, including any addenda and supplements thereto. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.

“Purchased Services” means Services that Customer or Customer’s Affiliate purchases under an Order Form or online purchasing portal, as distinguished from Free Services.

“Services” means the online SW products and services that are ordered by Customer under an Order Form or online purchasing portal, or provided to Customer free of charge (as applicable) or under a free trial, and made available online by Spaceti, including associated Spaceti offline or mobile components, as described in the Documentation. “Services” exclude HW, Professional Services and Non-Spaceti Applications.

“SOW” means a Statement of Work describing Professional Services to be provided hereunder, that is entered into between Customer and Spaceti or any of their Affiliates or which is incorporated into an Order Form that is entered into between Customer and Spaceti or any of their Affiliates. By entering into a SOW hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.

“User” means, in the case of an individual accepting these terms on his or her own behalf, such individual, or, in the case of an individual accepting this Agreement on behalf of a company or other legal entity, an individual who is authorized by Customer to use a Service, for whom Customer has purchased a subscription (or in the case of any Services provided by Spaceti without charge, for whom a Service has been provisioned), and to whom Customer (or, when applicable, Spaceti at Customer’s request) has supplied a user identification and password (for Services utilizing authentication). Users may include, for example, employees, consultants, contractors and agents of Customer or Customer Affiliates, and third parties with which Customer or Customer Affiliate transacts business.

NOTWITHSTANDING THE “REPRESENTATIONS, WARRANTIES, EXCLUSIVE REMEDIES AND DISCLAIMERS” SECTION AND “INDEMNIFICATION BY SPACETI” SECTION BELOW, THE FREE SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY WARRANTY AND SPACETI SHALL HAVE NO INDEMNIFICATION OBLIGATIONS NOR LIABILITY OF ANY TYPE WITH RESPECT TO THE FREE SERVICES UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE SPACETI’S LIABILITY WITH RESPECT TO THE FREE SERVICES SHALL NOT EXCEED $1,000.00. WITHOUT LIMITING THE FOREGOING, SPACETI AND ITS AFFILIATES AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO CUSTOMER THAT: (A) CUSTOMER’S USE OF THE FREE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS, (B) CUSTOMER’S USE OF THE FREE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR, AND (C) USAGE DATA PROVIDED THROUGH THE FREE SERVICES WILL BE ACCURATE. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE “LIMITATION OF LIABILITY” SECTION BELOW, CUSTOMER SHALL BE FULLY LIABLE UNDER THIS AGREEMENT TO SPACETI AND ITS AFFILIATES FOR ANY DAMAGES ARISING OUT OF CUSTOMER’S USE OF THE FREE SERVICES, ANY BREACH OF THIS AGREEMENT BY CUSTOMER AND ANY OF CUSTOMER’S INDEMNIFICATION OBLIGATIONS HEREUNDER.

(c) the Services will perform materially in accordance with the applicable Documentation, and (d) subject to the “Integration with Non-Spaceti Applications” section above, Spaceti will not materially decrease the overall functionality of the Services. For any breach of a warranty above, Customer’s exclusive remedies are those described in the “Termination” and “Refund or Payment upon Termination” sections below.

howsoever caused and whether or not such losses are foreseeable, even if that party or its Affiliate has been advised (or is otherwise aware) of the possibility of such losses in advance.

Exhibit A – Data Processing Addendum

Exhibit A

DATA PROCESSING ADDENDUM

(Revision August 2019)

This Data Processing Addendum, including its Schedules, (“DPA”) forms part of the Master Services Agreement between Spaceti and Customer for the purchase of services from Spaceti (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Services to Customer pursuant to the Agreement, Spaceti may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith:

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Security Documentation” means the Security Documentation applicable to the specific Services purchased by Customer, as updated from time to time, and accessible via login to the applicable Service, or as otherwise made reasonably available by Spaceti. The Security Documentation as of Effective Date is attached as Schedule 2 to this DPA.

“Spaceti Group” means Spaceti and its Affiliates engaged in the Processing of Personal Data.

“Sub-processor” means any Processor engaged by Spaceti or a member of the Spaceti Group.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

Spaceti shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Spaceti or its Sub-processors of which Spaceti becomes aware (a “Customer Data Incident”). Spaceti shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Spaceti deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Spaceti’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

The procedure is set forth in Section 2.2 of the Agreement.

Spaceti shall ensure that the transfer of Personal Data which are undergoing Processing or are intended for Processing after transfer to a third country shall take place only if such transfer meets the conditions outlined in the GDPR, specifically Chapter V.

List of Schedules

Schedule 1: Details of the Processing

Schedule 2: Security Documentation (as of Effective Date)

Schedule 3: Spaceti Infrastructure and Sub-processors (as of Effective Date)

SCHEDULE 1 – DETAILS OF THE PROCESSING

Nature and Purpose of Processing

Spaceti will Process Personal Data as necessary to perform the Services or Professional Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services or Professional Services.

Duration of Processing

Subject to Section 8 of the DPA, Spaceti will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Categories of Data Subjects

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

Type of Personal Data

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

SCHEDULE 2 – SECURITY DOCUMENTATION

(As of Effective Date)

Spaceti has implemented the following technical and organizational security measures to provide the ongoing confidentiality, integrity, availability and resilience of processing systems and services:

  • Confidentiality

Spaceti has implemented the following technical and organizational security measures to protect the confidentiality of processing systems and services, in particular:

  • Spaceti processes all customer data on remote server sites owned and operated by industry leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data processing equipment (namely telephones, database and application servers and related hardware). Such measures include:
      • a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection;
      • data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders;
      • access logs, activity records, and camera footage are available in case an incident occurs;
      • data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training;
      • access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics;
      • only approved employees with specific roles may enter.
  • Spaceti implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:
      • automatic time-out of user terminal if left idle, identification and password required to reopen;
      • issuing and safeguarding identification codes;
      • letting customers define individual user accounts with permissions across Spaceti resources;
  • Spaceti’s employees entitled to use its data processing systems are only able to access Personal Data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. This is accomplished by:
      • limited access to Personal Data to only authorized persons;
      • industry standard encryption; and

  • Integrity

Spaceti has implemented the following technical and organizational security measures to protect the integrity of processing systems and services, in particular:

  • Spaceti implements suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
      • use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
      • industry standard encryption; and
      • avoiding the storage of Personal Data on portable storage media for transportation purposes and on company issued laptops or other mobile devices.
  • Spaceti does not access any customer content except as necessary to provide that customer with the Spaceti products and professional services it has selected. Spaceti does not access customers’ content for any other purposes. Accordingly, Spaceti does not know what content customers choose to store on its systems and cannot distinguish between Personal Data and other content, so Spaceti treats Customer Data the same. In this way, Customer Data benefits from the same robust Spaceti security measures, whether this content includes Personal Data or not.

  • Availability

Spaceti has implemented the following technical and organizational security measures to protect the availability of processing systems and services, in particular:

  • Spaceti implements suitable measures to provide that Personal Data is protected from accidental destruction or loss. This is accomplished by:
      • infrastructure redundancy;
      • policies prohibiting permanent local (work station) storage of Personal Data; and
      • performing regular data back-ups.

Spaceti has implemented the following technical and organizational security measures to protect the resilience of processing systems and services, in particular:

SCHEDULE 3

Spaceti Infrastructure and Sub-processors

(As of Effective Date)

Scope

This documentation describes the infrastructure environment and sub-processors and certain other entities material to Spaceti’s provision of the Services.

Capitalized terms used in this documentation are defined in Spaceti’s Master Services Agreement and/or Data Processing Addendum. In the event of conflict, the Data Processing Addendum definition shall prevail.

Infrastructure – Personal Data Storage

The following table describes the countries and legal entities engaged in the storage of Personal Data submitted by customers to the Services.

Entity | Entity Type | Country
Amazon Web Services, Inc. | Third-party hosting provider | Germany
Heroku | Third-party hosting provider | Ireland, USA

Personal Data Processing

The following legal entities are engaged in processing Personal Data for non-storage purposes.

Entity Name | Entity Type | Entity Country
spaceti s.r.o. | Spaceti HQ | Czech Republic

Network Providers

The Services may use network providers to provide the Services, for security purposes, to support user authentication, and to optimize content delivery (the “Network Providers”). Spaceti uses Network Providers to provide private network capabilities and also to provide Content Delivery Network services (the “CDN”). CDN are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Content items to be served to subscribers or end users, such as images or attachments uploaded to the Services, may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by the CDN to enable its functions. The following describes use of Network Providers by the Services:

Network provider used | Location | Description of Services
Google | Global | Spaceti may use Google Firebase CDN services to provide the Services and to optimize content delivery via the Services.
Vodafone | Global | Spaceti may use Vodafone to provide the Services to enable more private communication between sensors used for the provision of the Services by creating a private network.

Spaceti customers may subscribe to notifications of new sub-processors by sending an e-mail to legal@spaceti.com.