End User License Agreement (EULA)March 2, 2021 2021-07-06 10:22
End User License Agreement (EULA)
FIRST. SUBJECT OF THE AGREEMENT.
This user license contract is an agreement between you (natural or legal person who, where applicable, is representing, manifesting their power for said purpose) (the CLIENT) and RONIN PIXELS, S.L. (hereinafter, RONIN PIXELS), with Tax ID no. B01879584 and registered address in Spain, at Plaza de España, no.13-2, C.P. 01001, Vitoria (Álava), registered in the Mercantile Registry of Álava.
The purpose of this contract is to regulate the conditions for granting a software user license, of a non-exclusive, personal and non-transferable nature under the terms and conditions provided herein.
The characteristics, specifications and functions of this software can be found at the Atlassian Marketplace.
SECOND. SCOPE FOR THE USER LICENSE OF THE PROGRAM.
By means of this contract, RONIN PIXELS grants the CLIENT a non-exclusive, personal and non-transferable right to use the software, and for the amount of time indicated in the Fourth clause of this contract.
RONIN PIXELS is the owner of the intellectual, industrial and exploitation rights over the software stipulated in this contract and, subsequently, the CLIENT acquires no right of this type except that which is required for use. In particular, the CLIENT may neither reproduce, introduce improvements, make new updates, successive versions or derivative programs, nor, in general, make any adaptations or modifications.
Neither can they, for themselves or for third parties, access, modify or use the source code, decompile, reverse engineer or disassemble, except to the extent permitted by law, nor assign, sublicense, distribute, rent, transmit in any other way copies of the software, or conduct exploitations for themselves, for third parties or on behalf of third parties.
The user license subsequently includes updates that, where applicable, are applied to the version acquired by the CLIENT but not to any personalized developments that may be of interest to the CLIENT, or other additional services such as, for example, training or maintenance, all of which are services that should be the subject of another specific contract for said service that, when applicable, they wish to contract.
In any event, the license is granted for the program to be used by the number of users allowed according to the product license under which the software stipulated in this contract is installed.
The price of this user license is that which is indicated in the specific area in the Marketplace.
All taxes applicable to the purchase or contracting of the software user license will be paid by the CLIENT.
The duration of this contract depends on the type of license contracted by the CLIENT, according to the following options:
- Paid license, Cloud Service: the duration can be monthly or annual, renewable for equal periods, depending on the payment frequency selected by the CLIENT.
- Paid license, downloadable to the server: of perpetual duration and including one year of updates. If the CLIENT wishes to have access to updates in successive years, they must renew the license annually.
- Paid license, downloadable to the Data Center: of annual duration, renewable for equal annual periods.
- Trial license: the duration is the trial period for the program.
The installation of the software stipulated in this contract should be carried out by the CLIENT following the steps given in the “Installation” section, in the RONIN PIXEL profile at the Atlassian Marketplace.
SIXTH. OBLIGATIONS OF THE PARTIES.
Obligations of RONIN PIXELS
RONIN PIXELS must comply with the following obligations:
- Provide the CLIENT with the program to download the software via the Atlassian Marketplace.
- Make the necessary updates on the version acquired by the CLIENT.
- Carry out, during the period of validity, the necessary modifications and corrections of any operating errors in the software contracted by the CLIENT.
- Collaborate with the CLIENT on everything necessary for the fulfillment of this contract.
- Comply with all other obligations covered in this contract.
Obligations of the CLIENT
THE CLIENT must comply with the following obligations:
- Pay the price for the software user license and, where applicable, each of the subsequent renewals.
- Follow the installation instructions.
- Be in possession of the necessary equipment, operating system, programs and applications in order for the software to work properly.
- Collaborate with RONIN PIXELS on everything necessary for the fulfillment of this contract.
- Inform RONIN PIXELS of any operating errors detected so that the necessary corrections and modifications can be made.
- Respect the intellectual property rights of RONIN PIXELS regarding the software stipulated in this contract.
SEVENTH. SECURITY MEASURES
RONIN PIXELS guarantees that it complies with the minimum requirements enforced by Atlassian for developers in terms of security measures. At RONIN PIXELS, we have created a Security Self-Assessment Program in order to self-evaluate our systems, which has been made available to Atlassian. In any case, on our website, we have published a Security Statement.
EIGHTH. SERVICE LEVEL AGREEMENT
All vulnerabilities reported by the CLIENT will be addressed and resolved in accordance with the requirements established by Atlassian for developers in their Marketplace:
If the problem is verified, next steps are:
- Assign the proper severity of the problem.
- Assign the proper priority for fixing this problem.
- Note the required timelines for fixes as per Atlassian Security Requirements:
|Critical||CVSS v3 >= 9.0||Must be fixed within 4 weeks of being reported and CVSS scored.|
|High||CVSS v3 >= 7.0||Must be fixed within 6 weeks of being reported and CVSS scored.|
|Medium||CVSS v3 < 4.0||Must be fixed within 8 weeks of being reported and CVSS scored.|
|Low||CVSS v3 < 4.0||Must be fixed within 25 weeks of being reported and CVSS scored|
You can also see the Service Level Agreement that we have published on our website.
RONIN PIXELS guarantees to the CLIENT that the program will function correctly during the term of this contract and that it complies with the technical specifications stipulated by Atlassian Marketplace.
RONIN PIXELS undertakes to carry out the necessary modifications, adjustments and corrections to resolve any program errors notified in writing by the CLIENT. This obligation will not be applicable when the CLIENT misuses or makes negligent use of the program or does not use the program in accordance with the required technical requirements.
The program is provided to the CLIENT as it is, of which said party is aware, and is therefore not guaranteed to achieve a specific result, a certain purpose or meet specific expectations.
No responsibility whatsoever can be attributed to RONIN PIXELS for errors that are or have been caused by the use – by users or by third-party personnel not authorized by RONIN PIXELS – of the program or of any of its elements including their manipulation (especially, of the source and/or object codes). Said errors are also exempt from this guarantee. In the case of tampering with the object and source codes of the program, RONIN PIXELS will be exempted from any responsibility.
RONIN PIXELS will not be held liable for damages that the CLIENT may suffer as a result of using the software, only being held liable for those that occur through intent or gross negligence, the maximum amount of compensation being the price paid by the CLIENT for contracting the license.
In the same way, neither will they be liable for damages that the CLIENT may cause to third parties as a result of work carried out using the software.
RONIN PIXELS only guarantees compliance with the technical functionalities and specifications of the software stated, not that it is useful or valid for the use that the CLIENT wishes to make of it.
ELEVENTH. INTELLECTUAL AND INDUSTRIAL PROPERTY.
The CLIENT acknowledges that all intellectual property rights and, where appropriate, industrial rights, of the program belong solely and exclusively, to RONIN PIXELS in such a way that the CLIENT does not subsequently acquire any intellectual property rights or rights of any other type over the software, beyond the right of use that is stipulated in this contract.
The CLIENT is expressly prohibited from reproducing, transmitting, modifying, adapting, making new versions or derivative programs, decompiling, reverse engineering or disassembling, sub-licensing, distributing and any other activity described in the second Clause, without the express authorization of RONIN PIXELS.
A. INFORMATION ON THE PROCESSING OF THE CLIENT’S PERSONAL DATA BY RONIN PIXELS
In accordance with stipulations in Regulation (EU) 2016/679 of the European Parliament and Council, of the 27th of April 2016, relating to the protection of natural persons with regard to the processing of personal data and the free circulation of said data and repealing Directive 95/46/CE (General Data Protection Regulation), RONIN PIXELS informs the CLIENT of the following in relation to the processing of their personal data:
- Data controller: RONIN PIXELS, S.L., with Tax ID no. B01879584, and registered address in Spain, at Plaza de España, no. 13-2º, C.P. 01001 in Vitoria (Álava).
- Purpose of the processing: The CLIENT’s personal data will be used for the proper maintenance, development and management of this contractual relationship and the services derived from it.
To this end, RONIN PIXELS will use the CLIENT’s personal data to send them, by electronic means, offers, promotions, news, activities and other information about products and services similar to those stipulated in this contract, using the Acumbamail platform, developed by ACUMBAMAIL, S.L., with Tax ID no. B13538590 and registered address at Avenida Rey Santo 3D, planta 3, oficina 2 – C.P. 13001 in Ciudad Real (Spain).
In this sense, the use of this platform implies installation, by the provider of the aforementioned service, in said communication distribution, of devices to monitor the activity of recipients, in order to review the opening of emails and activation of links contained in said emails, and to use the information collected to prepare campaign monitoring reports.
- Legitimization of the processing: the legal basis that legitimizes the processing of the CLIENT’s personal data is that it is necessary for the execution of this contract.
Regarding the sending of commercial information, the legal basis that legitimizes said processing is that it is necessary in order to satisfy legitimate interests pursued by RONIN PIXELS as stipulated in article 6.1. f) of the RGPD. This is without prejudice to your opportunity to oppose the sending of said commercial information.
- Recipients of data: personal identification and billing data will be communicated, where appropriate, to the tax authorities in order to comply with legal and tax obligations, as well as to the financial entity through which the company manages collections for its products and services.
Equally, for some matters, RONIN PIXELS uses third-party services, which act as data processors, with whom it has signed the corresponding data processing contract in accordance with the provisions of article 28.3 of the RGPD.
- International data transfers: we inform you that, for some information management and administrative tasks, we use services offered by providers who act as data processors and that, despite being outside the European Union and the European Economic Area, the international data transfers implied with using said service also have the adequate guarantees covered in article 46.2 c) of the General Data Protection Regulation (standard contractual clauses adopted by the European Commission according to Decision 2010/87/UE). Said service providers are those indicated in the section “Third party service providers” of this same clause.
- Conservation period: the CLIENT’s personal data will be kept for the duration of the contractual relationship and, once this has ended, for the amount of time necessary in order to comply with legal obligations.
In relation to the sending of commercial information, personal identification and contact data will be kept until you express your opposition to continuing to receiving said communications.
- Data protection rights: the CLIENT can request access to their personal data, its rectification, deletion, limitation of treatment and opposition, as well as the right to its portability. To exercise said rights, a written request must be sent to RONIN PIXELS at info /at/ roninpixels /dot/ com.
- Appeal before the supervisory authority: The CLIENT may file a claim before the Spanish Agency for Data Protection, either through its electronic headquarters or registered address, at Calle Jorge Juan, no. 6, C.P. 28001 in Madrid.
B. THIRD PARTY SERVICE PROVIDERS
At RONIN PIXELS, we have contracted different services with third parties in order to provide the service contracted by the CLIENT that imply the existence of international data transfers, with the adequate guarantees covered in article 46.2 c) of the General Data Protection Regulation (standard contractual clauses adopted by the European Commission according to Decision 2010/87/UE), which are the following:
Atlassian Pty Ltd
|Service Provided||Management of incidents flagged by clients, using Jira Service Desk|
Project management using Confluence
|Standard contractual clauses or Data Processing Addendum||https://www.atlassian.com/legal/data-processing-addendum|
|Service Provided||Application hosting using Heroku|
|Standard contractual clauses or Data Processing Addendum||https://c1.sfdcstatic.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf|
|Service Provided||Sales management|
|Standard contractual clauses or Data Processing Addendum||https://legal.hubspot.com/dpa|
|Standard contractual clauses or Data Processing Addendum||https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=2&Keyword=DPA|
C. CONFIDENTIALITY AND DUTY OF SECRECY IN RELATION TO THE CLIENT’S TECHNICAL INCIDENTS
In order to provide its services to the CLIENT, RONIN PIXELS does not require access to personal data for which the CLIENT is responsible, therefore RONIN PIXELS will not be considered the data processor. However, should said access be required in order to resolve an incident, the following conditions will be taken into consideration:
- Purpose of the processing.- The following clauses empower RONIN PIXELS, data processor, on behalf of the CLIENT, data controller, to process the personal data necessary to provide the services described in this contract.
RONIN PIXELS may carry out the actions and processing necessary for the proper fulfillment of this contract, with the following being included in said processing, where appropriate: the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, deletion or destruction, copying, analysis or sending,
- Identification of the information concerned.- For the execution of the services derived from the fulfillment of this contract, the CLIENT, as data controller, makes available to RONIN PIXELS, data processor, the categories and personal data that are necessary for the fulfillment of this contract.
- Obligations of the data processor.- The data processor and their personnel are obliged to:
- Use the personal data being processed, or the data collected for inclusion, only for the purpose of this assignment. Under no circumstances may they use the data for their own purposes or for purposes other than those covered in this contract.
- Process the data in accordance with the instructions of the data controller.
Should the data processor consider that any of the instructions violate the RGPD or any other provision on data protection of the Union or the Member States, the data processor will immediately inform the data controller.
If no clear instructions are provided by the data controller as to how the data processor should act with respect to the personal data to which they have access, before proceeding to process any data, they should contact the controller and clarify said instructions.
- Keep, in writing, a record of all categories of processing activities carried out on behalf of the controller, which contains:
- The name and contact details of the data processor or processors and of each controller on behalf of whom the processor is acting and, where appropriate, the representative of the controller or processor and the data protection officer.
- The processing categories carried out on behalf of each controller.
- Where appropriate, transfers of personal data to a third country or international organization, including the identification of said third country or international organization and, in the case of transfers indicated in article 49 section 1, second paragraph of the RGPD, documentation on appropriate safeguards.
- An overview of the technical and organizational security measures relating to:
- The pseudonymization and encryption of personal data.
- The ability to guarantee the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
- The ability to restore availability and access to personal data quickly, in the event of a physical or technical incident.
- The process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee the security of the processing.
In order to verify that the data processor is offering sufficient guarantees in order to apply appropriate technical and organizational measures, so that the processing complies with the requirements of the General Data Protection Regulation and guarantees the protection of the rights of the interested party, the CLIENT may question RONIN PIXELS about said measures both before contracting and during the provision of services.
- Not to communicate data to third parties, unless they have the express authorization of the data controller, in legally admissible cases.
The data processor may communicate the data to other data processors of the same data controller, in accordance with the instructions of the data controller. In this case, the data controller will identify, in advance and in writing, the entity (company name, tax ID and address) to which the data should be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication, after analyzing the risk of said communication and the type of personal data being transmitted.
If the data processor has to transfer personal data to a third country or an international organization, by virtue of the Union Law or that of the Member States applicable, they will inform the CLIENT of this legal requirement in advance, except when said right prohibits this for reasons of substantial public interest.
Regarding the international transfer of data, RONIN PIXELS must notify the CLIENT and certify, in writing, compliance with the requirements demanded by current regulations on data protection before proceeding with said transfer, ensuring that the entity that receives the data will provide the same security and will comply with all requirements demanded by the Data Protection General Regulation.
- Subcontracting. Not to subcontract any of the services that are part of the object of this contract that involve the processing of personal data, except the auxiliary services necessary for the normal operation of the services of the processor.
Should it be necessary to subcontract processing, this must be communicated beforehand and in writing to the data controller, 15 days in advance, indicating the processing intended to be subcontracted and clearly and unequivocally identifying the subcontractor company and its contact details (as a minimum, company name, tax ID, address and social purpose). Subcontracting can be carried out only if the data controller does not express their opposition within the established period.
The subcontractor, who will also take on the status of data processor, is also obliged to comply with the obligations established in this document for the role of data processor and the instructions issued by the controller. It is the responsibility of the initial data processor to regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures…) and with the same formal requirements as themselves, with regard to the correct processing of personal data and guaranteeing the rights of the affected persons. In the event of non-compliance by the sub-processor, the initial processor will remain fully accountable to the data controller for compliance with the obligations.
- Maintain the duty of secrecy regarding the personal data to which they have had access by virtue of this assignment, even after its purpose has been completed.
- Guarantee that the people authorized to process personal data agree, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, of which they must be duly informed.
- Ensure that the supporting documentation of compliance with the obligation established in the previous section is constantly at the disposal of the data controller.
- Guarantee the necessary training in the protection of personal data for the people authorized to process personal data.
- Assist the data controller in responding to the exercising of rights to:
- Access, rectification, deletion and opposition
- Limitation of processing
- Data portability
- Not to be the subject of automated individual decisions (including profiling).
When the affected persons exercise their rights of access, rectification, deletion and opposition, limitation of processing, data portability and when not the subject of automated individual decisions, before the data processor, they must communicate this by email to the address provided by the CLIENT.
Said communication must be made immediately and under no circumstances later than the business day following receipt of the request, together, where appropriate, with other information that may be relevant in order to resolve the request.
- Right to information. It is the responsibility of the data controller to facilitate the right to information when collecting data.
- Notification of data security breaches. The data processor will notify the data controller, without undue delay, and within a maximum period of 24 hours, using the email address provided by the client of any security breaches to the personal data under their control of which they are aware, together with all relevant information for the documentation and communication of the incident.
This notification is not necessary when it is unlikely that said breach of security constitutes a risk to the rights and freedoms of natural persons.
If available, as a minimum, the following information will be provided:
- Description of the nature of the personal data security breach, including, when possible, the categories and approximate number of affected parties, and the categories and approximate number of affected personal data records.
- The name and contact details of the data protection officer or another point of contact where more information can be obtained.
- Description of the possible consequences of the personal data security breach.
- Description of the measures adopted or proposed to remedy the personal data security breach, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that this is not possible, the information will be provided gradually without undue delay.
It is the responsibility of the data processor to communicate, as soon as possible, the data security breaches to the interested parties, when it is probable that said breach implies a high risk for the rights and freedoms of natural persons.
This communication must be made in clear and simple language and must, as a minimum:
Explain the nature of the data breach.
Indicate the name and contact details of the data protection officer or another point of contact where more information can be obtained.
Describe the possible consequences of the personal data security breach.
Describe the measures adopted or proposed by the data controller to remedy the personal data security breach, including, if applicable, the measures adopted to mitigate the possible negative effects.
- Support the data controller in carrying out impact assessments related to data protection, when appropriate.
- Support the data controller in conducting prior consultations with the supervisory authority, when appropriate.
- Make all information necessary to demonstrate compliance with their obligations available to the controller, as well as proof of audits or inspections carried out by the controller or another auditor authorized by them.
- Carry out an assessment of the risks for personal data involved in the data processing that RONIN PIXELS will carry out on behalf of the CLIENT and implement the appropriate technical and organizational security measures to guarantee a level of security appropriate to the risk that prevents the destruction, loss or accidental or illegal alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to said data, committing in any case to implement mechanisms to:
- Guarantee the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
- Restore availability and access to personal data quickly, in the event of a physical or technical incident.
- Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the security of the processing.
- Pseudonymize and encrypt personal data, if applicable.
Destination of the data. Return the personal data to the data controller along with, if applicable, the supports on which they appear, once the service has been provided.
Said return implies the total deletion of the existing data on the computer equipment used by the data processor.
However, the data processor may retain a copy, with the data duly blocked, while responsibilities for the execution of the service may arise.
- Obligations of the data controller.- It is the responsibility of the data controller:
- To surrender the data referred to in section 2 of this clause to the data processor.
- To carry out the corresponding prior consultations.
- To ensure, beforehand and throughout the processing, compliance with the RGPD by the data processor.
- To supervise the processing, including carrying out inspections and audits.
This contract will be terminated for the general causes established in Spanish and European regulations and, specifically, for the following reasons:
- Due to expiry of its initial term of duration or any of its renewals.
- Due to mutual agreement between the parties.
- Due to breach of the contract by either of the parties.
- For other causes provided by Law.
In the event of non-compliance by either party with the obligations arising from this contract, the other party may consider it terminated, with no prior notice or compensation required, with communication of said termination to the opposite party being sufficient. This is without prejudice to any compensation that, for damages or losses, may correspond.
FOURTEENTH. APPLICABLE LEGISLATION AND JURISDICTION.
This contract is subject to Spanish legislation. For any discussion or controversy regarding the interpretation or compliance of this contract, the parties expressly agree to submit themselves to the Courts and Tribunals of Vitoria (Álava) in Spain, expressly waiving their own jurisdiction, if existing, unless Spanish procedural regulations establish a different one.