This document outlines the service level agreement for CUSTOMERs provisioned with Hosted Services with ASCENDO.AI. This document contains the Service Level Agreement for ASCENDO.AI. Please read it carefully as this is the official agreement in force at the present time. The agreement listed below supersedes any other written document you may have prior to today’s date. Exhibits to this agreement are also available highlighting additional terms. If you have questions or comments about this agreement, please do not hesitate to contact us.
SLA Objective
THIS SERVICE LEVEL AGREEMENT (“Agreement” or “SLA”) shall apply to all Hosted Services provided by ASCENDO.AI expressly as an addendum to ASCENDO.AI’s Software As A Service (“SaaS”) for each customer/client/administrator/end-user/user (“CUSTOMER”). ASCENDO.AI is committed to providing a highly available and secure network to support its CUSTOMERs. Providing the CUSTOMER with consistent access to Hosted Services is a high priority for ASCENDO.AI and is the basis for its commitment in the form of an SLA. The SLA provides certain rights and remedies in the event that the CUSTOMER experiences service interruption as a result of the failure of ASCENDO.AI infrastructure. The overall service availability metric is 99.99%, measured on a monthly basis.
Term Definitions
For the purpose of this Service Level Agreement, the terms in bold are defined as follows:
Available or Availability
When the CUSTOMER whose account is active and enabled has reasonable access to the Hosted Service provided by ASCENDO.AI, subject to the exclusions defined in Downtime Minutes below.
Total Monthly Minutes
The number of days in the month multiplied by 1,440 minutes per day.
Maintenance Time
The time period each month during which the Hosted Service may not be Available so that ASCENDO.AI can perform routine maintenance to maximize performance. Maintenance is performed on an as-needed basis.
Downtime
The total number of minutes that the CUSTOMER cannot access the Hosted Service. The calculation of Downtime Minutes excludes time that the CUSTOMER is unable to access the Hosted Services due to any of the following:
(a) Maintenance Time
(b) CUSTOMER’s own Internet service provider
(c) Force Majeure event
(d) Any systemic Internet failures
(e) Enhanced Services
(f) Any failure in the CUSTOMER’s own hardware, software or network connection
(g) CUSTOMER’s bandwidth restrictions
(h) CUSTOMER’s acts or omissions
(i) Anything outside of the direct control of ASCENDO.AI
Cloud Providers
The infrastructure inside of major hosting providers – Amazon, Google, or Microsoft.
Problem Response Time
The time period after ASCENDO.AI’s confirmation of the Service event, from receipt of the information required from the CUSTOMER for ASCENDO.AI’s Support Team to begin resolution and open a trouble ticket in ASCENDO.AI’s systems. Due to the wide diversity of problems that can occur, and the methods required to resolve them, problem response time IS NOT defined as the time between the receipt of a call and problem resolution. After receiving a report of fault, ASCENDO.AI shall use a reasonable method to provide CUSTOMER with a progress update.
Affected Seats
ASCENDO.AI’s Hosted Service is provided in a multi-tenant architecture where seats or applications of a CUSTOMER’s domain may be extended across numerous servers. CUSTOMER may obtain remedy only for affected seats or applications residing on the server experiencing Downtime exceeding the SLA.
Maintenance Notices
ASCENDO.AI will communicate the date and time that ASCENDO.AI intends to make the Hosted Services un-Available via email from customer.service@ascendo.ai at least forty-eight (48) hours in advance (or longer if practical). The CUSTOMER understands and agrees that there may be instances where ASCENDO.AI needs to interrupt the Hosted Services without notice in order to protect the integrity of the Hosted Services due to security issues, virus attacks, spam issues, or other unforeseen circumstances. Below are the Maintenance Windows and their definitions:
Emergency Maintenance
These change controls happen immediately with little notification ahead of time; however, we will post the information to the website soon after or during the change.
Preventative Maintenance
These change controls are when we detect an item in the environment that we need to take action on, to avoid emergency change controls in the future. These change controls, if possible, will usually occur in low peak hours with the peak being defined by our network metrics.
Planned Maintenance
These are change controls being done to:
- Support ongoing product and operational projects to ensure optimal performance.
- Deploy non-critical service packs or patches.
- Perform periodic redundancy testing.
As a practice, Ascendo reserves the right to perform maintenance weekly on Sundays between the time of 7 PM Pacific to 10 PM Pacific. In addition to that window, if an additional maintenance window is required, where possible planned maintenance will be posted 5 days prior; however, certain circumstances may preclude us from doing so, such as an external vendor issuing a change control to ASCENDO.AI, e.g. the power company alerting us to perform power testing 48 hours ahead of time.
CUSTOMER Responsibility
Minimum Requirements
The required configurations CUSTOMER must have to access the Hosted Services include:
- Internet connection with adequate bandwidth
- Internet Browser
Standard Service Levels
Term of the Service Level Agreement
This Service Level Agreement shall only become applicable to the Hosted Services upon the later of (a) completion of the “stabilization period,” as such term is defined in the Statement of Work (if any), or (b) ninety (90) days from the provisioning of Hosted Services.
- Category Level
  - Criteria: Unplanned interruption rendering the Services un-Available; no workaround
  - Problem Response Time: Will respond and begin to remedy the problem within four hours; will establish escalation call for a status update until resolution. If ASCENDO.AI provides the Customer with an acceptable workaround then such an error will be re-classified as a Sev 2 issue.
- Category Level
  - Criteria: Unplanned interruption rendering the Services un-Available; workaround available
  - Problem Response Time: Will respond and begin to remedy within one business day of receipt of such a request. We will provide periodic updates via the scheduled maintenance window.
- Category Level
  - Criteria: Services are un-Available for a single User or a small percentage of CUSTOMER affected.
  - Problem Response Time: Will respond and begin to remedy within one week of the request. We will provide periodic updates via the scheduled maintenance window.
Service Levels – Enterprise
Term of the Service Level Agreement
This Service Level Agreement shall only become applicable to the Hosted Services upon the later of (a) completion of the “stabilization period,” as such term is defined in the Statement of Work (if any), or (b) ninety (90) days from the provisioning of Hosted Services. The Enterprise service levels are an extension of the standard service levels and need to be purchased separately.
Measurement
ASCENDO.AI uses a proprietary system to measure whether the Hosted Services are Available and the CUSTOMER agrees that this system will be the sole basis for the resolution of any dispute that may arise between the CUSTOMER and ASCENDO.AI regarding this Service Level Agreement.
Availability is calculated based on the following formula:
A = (T – M – D) / (T – M) x 100%
A = Availability
T = Total Monthly Minutes
M = Maintenance Time
D = Downtime
Problem Response Time
The response time per incident will vary upon the degrees defined below:
We will also perform a Quarterly Business Review on the overall Service Levels with the customer contact.
Remedy and Procedure
The CUSTOMER’s remedy and the procedure for obtaining the CUSTOMER’s remedy in the event that ASCENDO.AI fails to meet the Service level metrics set forth above are as follows:
To qualify for remedy:
(a) There must be a support ticket documenting the event within 24 hours of the service interruption
(b) CUSTOMER account must be in good standing with all invoices paid and up to date
The CUSTOMER must notify ASCENDO.AI in writing within five (5) business days by opening a support ticket and providing the following details:
- The subject of the email must be: “Claim Notice – CUSTOMER Domain.ASCENDO.AI” (CUSTOMER's main point of contact must be within Ascendo and only they can request the remedy)
- List the type of Hosted Service that was affected
- List the date the Downtime Minutes occurred
- List application functionality affected by Downtime Minutes
- List an estimate of the amount of actual Downtime Minutes
- Ticket number of the documented event
ASCENDO.AI will confirm the information provided in the Claim Notice within five (5) business days of receipt of the Claim Notice. If ASCENDO.AI cannot confirm the Downtime Minutes, then the CUSTOMER and ASCENDO.AI agree to refer the matter to executives at each company for resolution. If ASCENDO.AI confirms that ASCENDO.AI is out of compliance with this Service Level Agreement, the CUSTOMER will receive the amount of Service Level Credits set forth above for the affected Service Level metric and the affected Seats for the affected month. The SLA credit will be reflected in the ASCENDO.AI invoice to the CUSTOMER in the month following ASCENDO.AI confirmation of the Downtime Minutes. Please note that SLA credits can only be applied to accounts that are in good standing with all invoices paid and up to date.
Service Level Agreement
Last Updated: May 17, 2023
GDPR Compliance
Last Updated: May 17, 2023
Our Commitment
The new General Data Protection Regulation (GDPR) is fundamentally about protecting and enabling the privacy rights of European Union (EU) citizens and residents. The GDPR establishes global privacy requirements governing how you manage and protect personal data while respecting individual choice—regardless of where data is sent, processed, or stored.
At Ascendo.ai, we believe that the GDPR is an important step towards strengthening data protection laws across the European Union and enabling individual privacy rights. This is why Ascendo.ai is committed to being GDPR-compliant across our cloud services. Ascendo.ai takes a principled approach to privacy, security, and compliance, with strong commitments to ensuring you can trust the cloud services you rely on.
Trust – Built Upon a Safe, Secure, and Compliant Cloud. As you prepare to comply with the GDPR, here is what else you can expect from Ascendo.ai:
- You maintain control. When you entrust your data to the Ascendo.ai cloud, you remain the sole owner: you retain the rights, title, and interest in the data you store in our cloud services. You can take advantage of the features inherent in our product to meet your GDPR obligations related to deletion, rectification, transfer of, access to, and objection to the processing of personal data.
- You have full visibility. The Ascendo.ai cloud service protects your data from inappropriate access or use by unauthorized individuals with robust measures, including restricting access by Ascendo.ai personnel and subcontractors. In addition to these commitments, Ascendo.ai provides you with the ability to monitor how data is managed and who has access to what data within your organization. Our service runs on world-class Cloud provider data centers and is certified to internationally recognized security standards, protected by 24-hour physical surveillance, and continuously monitored using strict access controls. Our architecture keeps your data logically isolated from the data of other customers. In addition to running on secured cloud infrastructure, we have a comprehensive security strategy. Each cloud service has built-in security features to help you secure your data, including data-at-rest encryption, encryption in transit, comprehensive role-based access control, and access monitoring.
- We commit to rapid response. Ascendo.ai has robust security incident response processes and commits to notifying our customers in accordance with the GDPR. Our security team does not have to wait for an incident to occur. We anticipate issues and then prioritize and resolve them based on the impact on your data or services.
Partnering to Comply with the GDPR.
Compliance is a shared responsibility and we are committed to partnering with you to help you successfully comply with the GDPR. Requirements such as greater data access and erasure rules, privacy by design, and data breach notification processes may mean changes for your organization. Therefore, it is important to understand your obligations related to the GDPR regardless of where your organization resides.
Ascendo operates the ascendo.ai website, which provides information about our products and services. Ascendo.ai is committed to protecting the personal privacy of our website visitors and product users. We are committed to supporting GDPR and you can request our “GDPR Position” document by contacting us and requesting it.
This page is used to inform website visitors regarding our policies on the collection, use, and disclosure of Personal Information for users of the ascendo.ai website. For users of our product, we ask that they consent to the “Ascendo User Consent” document. The document can be viewed here.
If you choose to use ascendo.ai, then you agree to the collection and use of information in relation to this policy. The Personal Information that we collect is used for providing and improving the website and our product. We will not use or share your information with anyone except as described in this Privacy Policy.
Information Collection and Use
For a better experience, while using our Service, we may require you to provide us with certain personally identifiable information, including but not limited to your name, phone number, email, and postal address. The information that we collect will be used to contact or identify you. If you are a user of the Ascendo application including Slack, we store the email ID, user name, and phone number.
Log Data
We want to inform you that whenever you visit our Service, we collect information that your browser sends to us which is called Log Data. This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser version, pages of our Service that you visit, the time and date of your visit, the time spent on those pages, and other statistics.
Cookies
Cookies are files with a small amount of data that is commonly used as an anonymous unique identifier. These are sent to your browser from the website that you visit and are stored on your computer’s hard drive. Our website uses these “cookies” to collect information and to improve our website.
Service Providers
We may employ third-party companies and individuals for the following reasons:
- To facilitate our website;
- To perform website-related services; or
- To assist us in analyzing how our website is used.
We want to inform our Service users that these third parties have access to your Personal Information. The reason is to perform the tasks assigned to them on our behalf. However, they are obligated not to disclose or use the information for any other purpose.
Security
We value your trust in providing us with your Personal Information, thus we are striving to use commercially acceptable means of protecting it. Please review our complete security policy here. But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and we cannot guarantee its absolute security.
Data Retention
The time period for which Ascendo.ai retains customer data depends on the purpose for which it is used. Ascendo.ai retains customer data for as long as an account is active or in accordance with the agreement(s) between Ascendo.ai and the customer unless Ascendo.ai is required by law to dispose of data earlier or retain data longer.
Data Disposal
Ascendo.ai disposes of customer data within 30 days of a request by a current or former customer or in accordance with the Customer’s agreement(s) with Ascendo.ai. The main customer contact noted in the Customer’s agreement(s) with Ascendo.ai may send a request to delete by contacting Ascendo customer support via email at askascendo.support@ascendo.ai. Ascendo.ai may retain and use data necessary for the contract such as proof of contract in order to comply with its legal obligations, resolve disputes, and enforce agreements. Ascendo.ai hosting and service providers are responsible for ensuring the removal of data from disks allocated to Ascendo.ai use before they are repurposed and the destruction of decommissioned hardware. Only a limited number of Ascendo.ai employees have access to delete customer data.
Links to Other Sites
Our Service may contain links to other sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by us. Therefore, we strongly advise you to review the Privacy Policy of these websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. Thus, we advise you to review this page periodically for any changes. We will notify you of any changes by posting the new Privacy Policy on this page. These changes are effective immediately after they are posted on this page.
Contact Us
If you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us at policy@ascendo.ai.
Privacy Policy
Last Updated: May 17, 2023
PRIVACY POLICY OF ASCENDO
This consent form is part of Ascendo's GDPR compliance efforts. Ascendo is committed to protecting the privacy of our users’ Personal Information.
If you have any questions about this consent or issues with the use of personal information, please contact the Ascendo Data Protection Officer: Ascendo, 228 Hamilton Avenue, Palo Alto, CA 94301. policy@ascendo.ai
By consenting, you agree to provide personal information that will only be used by Ascendo for the operations of our software and system. We require only the minimum personal information necessary for the operation of the system. Without this personal information, we will not be able to provide access to the software and system.
The required information is: First or Given name, Last or Surname, and Email (used as login name and for password resets/system notifications). Other optional information is requested to enable follow-up contact regarding software and system operations. If you give this optional information you consent to its use as outlined here. The optional information is: Address and Phone Number(s). Personal information may be gathered as a consequence of using the system for the purpose of improving operations of the system. If you use the system you are consenting to our use of this information as outlined here.
The gathered information is: IP address, Geographical Location, and Browser/Operating System details. This information may be used to determine system usage in aggregate but will not be used to profile individual work patterns or usage.
The personal data gathered will be kept as long as the licensee of the system deems it necessary. You have the right to request access to the data, rectification of any errors in the data, and erasure of the data. You may also withdraw your consent. If you feel your personal data has been misused, you have the right to lodge a complaint with Ascendo and/or the EU supervisory authority in your country.
User Consent:
First Name: ____________________
Last Name: ____________________
Email: _______________________
By signing this you consent to the use of your personal information as described.
Signature: _____________________
Date: ________________________
ASCENDO USER CONSENT
Privacy User Content
Last Updated: May 17, 2023
Security Policies
Last Updated: May 17, 2023
ASCENDO.AI PRIVACY AND SECURITY STANDARDS
1. Purpose
Ascendo.ai relies on the integrity and accuracy of its data in order to deliver Ascendo prediction SaaS services. It is therefore paramount that the confidentiality, integrity, and availability of the customer data are ensured. All employees and approved subcontractors of Ascendo that process or manage Ascendo (and customer) Information must adhere to these requirements to ensure that Ascendo.ai maintains the trust of all relevant stakeholders and remains in compliance with relevant legal and regulatory requirements.
2. Scope
The scope of this document includes all parties at Ascendo that process, have access to, transmit, or store customer information. This includes, but is not limited to:
- Employees involved in the design, development, operation, and hosting of information systems.
- All staff, including contractors and third parties employed directly and indirectly by Ascendo (i.e., subcontractors).
In the instance where services are provided by Ascendo’s sub-vendors (4th, 5th, or 6th party vendors), Ascendo.ai is fully liable and responsible for all subcontractor adherence to these privacy and security standards.
3. Access Control
3.1 Access control program, applicable where Ascendo maintains access to Customer data
a. Ascendo manages access to internal and external applications via security groups.
b. Ascendo allocates system privileges and permissions to users and groups using the principle of least privilege.
c. Ascendo assigns application and data rights based on user groups and roles, and grants access to information based on job function (i.e., role-based security).
3.2 Entitlement reviews
a. Ascendo requires approval to add, change, or delete users to its networks and systems that process, transmit, or store customer information.
b. Ascendo implements role-based security to ensure access to the application is restricted based on defined functional roles.
c. Ascendo promptly removes application, platform, and network access for terminated users upon notification of termination.
d. Ascendo promptly updates user access rights based on changes in job responsibilities.
e. Ascendo reviews access privileges to systems and corporate networks, including administrative access privileges, at a minimum on a bi-annual basis.
f. Ascendo uses separate administrative accounts to perform privileged functions and the accounts are restricted to individuals who are authorized.
3.3 Remote access
a. Ascendo shall not allow remote access into Ascendo’s network to perform work for or on behalf of the customer except by support resources for system administration and production system support work.
b. In the case of remote access for IT support resources, traffic with the remote device will be encrypted (i.e., VPN) and the remote user must utilize multi-factor authentication.
4. Change Management
a. Ascendo follows documented change management policies for requesting, testing, and approving application, infrastructure, and product-related changes.
b. Changes undergo various levels of review and testing including security and code reviews, regression, and acceptance testing prior to approval for implementation.
c. Following the successful completion of testing, Ascendo ensures that appropriate managers approve changes prior to implementation in a production environment.
5. Software Development Life Cycle
a. Ascendo’s Software Development Life Cycle (SDLC) methodology governs the acquisition, development, configuration, maintenance, modification, and management of infrastructure and software components. The SDLC methodology is consistent with the defined security, availability, and confidentiality policies of Ascendo.
b. System source/object code must be protected from unauthorized access. Access privileges to the source code repository are reviewed periodically and limited to authorized employees.
c. Ascendo ensures that customer Information on the hosted environment is segregated from other customer data by appropriate physical, technical, and/or logical means.
d. Application development environments must be segregated from the production environment. Usage of "Production" data in Non-Production/Lower environments is prohibited. Usage of production data in the lower environments for the intent of development or testing requires approval from the Ascendo CTO and will be treated as an Exemption. Logical access controls are in place for the two environments to ensure authorized individuals move code to production.
6. Maintenance
Ascendo’s maintenance windows are scheduled and communicated to customers in advance. In the event of a service interruption, Ascendo notifies customers describing the affected services. If additional maintenance is needed, Ascendo notifies customers in advance of scheduled maintenance occurring outside of the scheduled window. Ascendo communicates upgrades, new releases, and minimum release version requirements to customers.
7. Data Management & Security
7.1 Data Ownership
Notwithstanding anything herein to the contrary, Ascendo acknowledges that each customer is the exclusive owner of all rights, title, and interest in and to any of the customer-specific data. The foregoing includes, without limitation, all patent, copyright, trademark, trade secrets, and all other proprietary, licensing, and privacy rights in and to their respective Customer Data. Notwithstanding anything to the contrary, Ascendo shall have the right to collect and analyze data and other information relating to the provision, use, and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data and data derived therefrom), and Ascendo will be free to (i) use such information and data to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and other Company offerings, and (ii) disclose such data solely in aggregate, or other de-identified form in connection with its business. No rights or licenses are granted except as expressly set forth herein. Ascendo hereby waives any and all statutory and common law liens it may now or hereafter have with respect to Customer data.
7.2 Limitations on use
Ascendo will access, use and disclose Confidential Information only when it is necessary to perform the customer’s obligations under a Purchasing Agreement. Ascendo will not disclose Confidential Information other than to Ascendo personnel and any other sub-contractors who:
a. Need such access to assist Ascendo in the performance of a Purchasing Agreement.
b. Have agreed in writing to be bound by a duty of confidentiality no less protective to the Confidential Information than the Term set forth in the respective Customer Agreement.
7.3 Applicable Laws
In addition to any obligation that Ascendo may have under a Purchasing Agreement, Ascendo will comply with all applicable privacy and data protection laws, rules, and regulations in any jurisdiction where the Products and/or Services may be provided regarding Confidential Information to which it is subject including, without limitation:
a. State security breach notification laws.
b. Laws regarding the protection of Social Security numbers.
c. Laws imposing minimum security requirements.
d. Laws requiring the secure disposal of records containing certain personal data.
e. All other applicable federal, state, and local requirements.
f. Electronic storage industry standards concerning privacy, data protection, confidentiality, or information security.
7.4 End-of-Term Handling
Upon termination or expiration of the agreement or upon the customer’s written request, Ascendo will return to the customer all copies of the customer’s information already in Ascendo’s possession or within its control within 30 (thirty) days. Ascendo shall maintain procedures for the removal of customer Information from electronic media before the media are available for re-use. Alternatively, with the customer’s prior written consent, Ascendo may destroy such customer information; provided that the customer information is:
a. Destroyed in accordance with applicable laws, rules, or regulations.
b. Sanitized via the use of industry-accepted standards (clear, purge, destroy).
c. Rendered unreadable, undecipherable, and otherwise incapable of reconstruction.
d. Backup copies are purged/removed by following an established process for data backups.
7.5 Data Encryption
a. Ascendo will encrypt data at rest and in transit using industry-standard encryption techniques for
b. Ascendo will also use standard encryption techniques for data backups.
c. Any systems which maintain, transmit, or store customer data shall be encrypted.
7.6 Data Storage
Ascendo stores data solely on their target servers and not on any laptop or portable device (unless there is explicit written permission from the customer). Ascendo uses Amazon AWS and Google GCP as the preferred cloud service providers.
7.7 Information Security Program
a. Ascendo maintains a written Information Security program that complies with applicable global industry-recognized security frameworks.
b. Ascendo has internal policies, standards, and operating procedures related to security, availability, and confidentiality that are available to personnel. Ascendo reviews, updates, and approves security policies and procedures at least annually to maintain their continuing relevancy and accuracy. Ascendo’s personnel Privacy Policy describes confidentiality and privacy commitments to our customers and is available on the Ascendo website.
c. Ascendo’s CTO acts as the Chief Information Security Officer and Governance, Risk and Compliance officer. He/she is responsible for developing, maintaining, reviewing, and approving Ascendo’s security, availability, and confidentiality standards and policies.
d. Ascendo shall monitor, evaluate, and adjust, as appropriate, its Information Security program in light of any relevant changes in technology or industry standards, the sensitivity of customer information, internal or external threats to Ascendo or the customer, requirements of applicable work orders, and customer’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to information systems.
e. Ascendo conducts periodic security awareness campaigns to educate employees on their responsibilities for creating and maintaining a secure workplace.
7.8 Risk Management
Ascendo has a formal cyber security risk assessment and management process that includes mitigation of any identified findings.
8. Incident Response & Notification
a. Ascendo shall contact customers upon the occurrence of any Security Incident.
b. Ascendo shall promptly notify customers of any vulnerability discovered through internal monitoring or testing that impacts its security safeguards or Services provided to the customer (each, an “Impact”). Impact means any reported security incident that materially exposes the customer’s data to unauthorized usage and that will not be remediated, and/or for which compensating control will not be in place, within ninety (90) days of the discovery of the Impact.
c. Ascendo shall promptly develop and implement an appropriate action plan to address and resolve any Impact, vulnerabilities, and/or recommendations identified during such an event. Ascendo, at its own expense, shall undertake remedial action to the extent necessary to comply with Ascendo’s obligations under the respective customer agreement.
d. Ascendo shall maintain a documented and tested incident-handling program, and ensure that all Security Incidents follow Ascendo’s incident-handling program.
e. Ascendo shall use reasonable efforts to notify customer representatives within thirty (30) minutes after becoming aware of any Incident or suspected or actual data security breach. This includes a security breach of Ascendo’s systems used to conduct or process its Services or to store customer confidential information. Such security breaches will include, without limitation, third-party incursions that could in any way result in unauthorized access to any customer confidential information.
f. Ascendo shall not notify law enforcement or federal or state regulatory authorities of any such security breach without prior notice to customers unless otherwise required by applicable law. In the event that Ascendo notifies customers of a suspected or actual security breach, Ascendo shall, if requested by the respective affected customer, grant access to customer representatives or a qualified third party agreed to by the customer and Ascendo to Ascendo’s systems and premises to allow such representatives or third party to perform an investigation (including the installation of any monitoring or diagnostic software) deemed necessary by the customer to locate the source of such security breach. Each party shall act reasonably and in good faith in the selection of such third party.
g. Ascendo shall, and shall cause its Representatives to, provide the affected customer with the following information concerning any suspected or actual security breach by or involving any person or in any systems, processes, hardware or software used to store, transmit or otherwise affect confidential information:
i. The date of the security breach.
ii. Details concerning the data compromised (e.g., strategic financial information, or customer names and addresses).
iii. The method of the security breach.
iv. Appropriate Ascendo security personnel contacts and security personnel contacts of its Representatives.
v. The name of any person and/or law enforcement agency assisting Ascendo with the investigation of the suspected or actual data security breach.
vi. A list of all parties known to have gained unauthorized access to the affected customer's confidential information for the limited purpose of assessing the customer’s exposure.
vii. Any other information which the affected customer reasonably requests from Ascendo and/or its Representatives concerning such suspected or actual data security breach, including without limitation any forensics report(s).
Ascendo shall provide the information listed in (i)-(vii) as soon as is reasonably practicable and in any event, shall provide the information listed in (i)-(vi) to the affected customer within twelve (12) hours of Ascendo’s initial notification of the actual or suspected security breach. Ascendo and/or its Representatives must provide the affected customer with copies of any reports concerning the security breach as soon as practicable. Ascendo and/or its Representatives agree not to issue any press release or other public announcement concerning the suspected or actual data security breach without the prior approval of the affected customers.
h. Ascendo shall cooperate with the affected customers to ensure that appropriate security measures and procedures are implemented by a mutually agreeable deadline and using a mutually agreeable approach if the customer notifies Ascendo that the customer believes that Ascendo’s or any of its Representatives' security procedures in connection with the Services are inadequate or do not comply with the security requirements. Ascendo shall immediately take appropriate steps to ensure that any actual data security breach does not continue. With respect to matters under this section, Ascendo and the customer agree that they shall act reasonably and in good faith and shall not unreasonably withhold, delay, or condition their consent or cooperation.
i. Any fraud or security incident can be sent to Ascendo through ascendoinfosec@ascendo.ai. Note that this email should be used only for the purpose of noting security and fraud incidents and in no situation should be used for any other purposes such as spam or marketing.
9. Password Management & Authentication Controls
a. Authorized users must identify and authenticate to Ascendo’s network, applications, and platforms using their unique user ID and password.
i. Use of shared accounts to enable interactive access to the application and/or data by multiple users is prohibited.
ii. Accounts must be locked after 60 minutes of inactivity (i.e., idle session).
iv. Accounts must be removed/secured if in a disabled state for a period no greater than 90 days (if the disabled account cannot be deleted, all associated permissions must be removed).
v. Accounts can use multifactor authentication to log in to Ascendo’s network.
b. Password complexity.
i. Passwords must be at least 8 (eight) characters in length.
ii. Passwords must contain one of each character: upper case, lower case, numeric, and special character. (Note: if using multi-factor authentication (MFA), a combination of three of the above characters is acceptable).
iii. Must be masked during authentication.
iv. Must be set to expire within 120 days or less.
v. Password history must restrict the use of the previous 4 (four) password iterations.
vi. All passwords must be secured while stored or transmitted (encrypted/hashed).
vii. Passwords must not be saved for the intent of bypassing future log-on (i.e., save password check box).
viii. Communication of the initial password must be in a secure manner.
ix. Default passwords for accounts must be changed prior to use (e.g., Ascendo supplied, application, database, etc.).
10. Network Security & Monitoring
10.1 Intrusion Detection
a. Network perimeter defense solutions including an Intrusion Detection System and firewalls are in place to prevent malicious network activity. Security operations personnel monitor items detected and take appropriate action.
b. Firewall configurations and rules are reviewed at least annually. Significant changes to firewall rules follow the Change Management (Section 4) process and require approval by Ascendo’s Change Advisory Board led by the CTO.
10.2 Patch Management
a. All laptops, desktops, servers (and any other hardware asset) owned by Ascendo must have up-to-date database and operating system security patches installed to protect the asset from known vulnerabilities.
b. Critical security patches must be applied within 72 hours. Non-critical security patches should be applied at least quarterly or more frequently. Ascendo should be made aware of any vulnerabilities that cannot be patched.
10.3 Threat and Vulnerability Management and Security Testing
a. Ascendo shall maintain a threat and vulnerability management program, which includes at a minimum regular vulnerability scans using industry-recognized tools.
b. Ascendo shall perform vulnerability and threat assessment testing (VTA Testing) of Ascendo systems and facilities that are used to support customer engagements at least annually. VTA Testing shall determine if vulnerabilities exist within technology, including applications, systems, and networks that are used by Ascendo to provide Ascendo Products or Services hereunder. VTA Testing must adhere to the following:
i. Be based on industry-accepted penetration testing approaches.
ii. Include testing from inside and outside the network.
iii. Include testing to validate segmentation.
iv. Include network layer, operating system, and application layer testing.
10.4 Logging and Monitoring
a. Ascendo will work with cloud service providers for real-time logging of security information from applications and databases, servers, firewalls, routers, and intrusion detection system devices. Logs contain details on the date, time, source, and type of events (actions performed, object or account affected, etc.). Ascendo’s admin team reviews key reports daily and follows up on events, as necessary.
b. Ascendo continuously monitors application, infrastructure, network, and data storage space and system performance on a 24X7 basis.
c. Ascendo has enabled system logging for end-user and administrator activity and for updates executed by privileged system users; these logs are reviewed as necessary.
10.5 DMZ
a. When providing internet-based services and products to customers, Ascendo shall protect customer’s information by the implementation of a network DMZ. Web servers providing service to customers shall reside in the DMZ. Any system or information resource storing customer’s information (such as application and database servers) shall reside in a trusted internal network.
11. Next Gen Anti-Virus and Malware Controls
Ascendo will use a system-centric approach to endpoint security that examines every process on every endpoint to algorithmically detect and block malicious tools, tactics, techniques, and procedures upon which attackers rely. All Ascendo desktops and laptops have next-gen anti-virus installed for virus and malware infections. Endpoint devices are scanned in real-time and a full system scan is performed weekly. Virus definition updates are pushed out to endpoint devices automatically from the anti-virus software central administration console as they become available.
12. Mobile and Portable Devices
Not applicable at this time.
13. Human Resources & Third-Party Security
a. New employees sign a confidentiality agreement and acknowledge security policies during the new employee onboarding process.
b. Background checks are run in accordance with relevant laws and regulations. The background checks are commensurate to an individual's job duties and include at minimum social security verification and a criminal history check.
c. Ascendo maintains a disciplinary process to take action against personnel that do not comply with company policies, including but not limited to, those put in place to meet its security, availability, and confidentiality commitments and requirements.
d. Ascendo’s management team assesses the risk associated with new vendors (i.e., sub-vendors and/or sub-contractors) prior to onboarding and has an ongoing risk management process for existing vendors.
e. Ascendo communicates security and confidentiality requirements and operational responsibilities to third parties (i.e., sub-vendors, 4th or 5th party, etc.) through contractual agreements.
14. Business Continuity
14.1 Business Continuity Management and Disaster Recovery
Ascendo has a business continuity plan and a disaster recovery plan in place to manage significant disruptions to its operations and infrastructure. Ascendo will be able to resume the full performance of their contractual services in 72 hours.
a. Management reviews, updates, and approves these plans annually.
b. Exercises are conducted to test the response to a specific incident on a regular basis.
14.2 Backup Procedures
Ascendo will provide the Products, Services, and/or Network (as applicable) in accordance with the following procedures to enhance security. Ascendo will:
a. Ensure that customer data is backed up on a daily basis and that the backup is encrypted.
b. Store copies of customer data and data recovery procedures in a different place from where the primary computer equipment processing the customer data is located.
c. Have specific procedures in place governing access to copies of customer data.
d. Review data recovery procedures at least annually.
15. Physical & Environmental Security
Ascendo uses third-party cloud service providers and as such the physical access is controlled by Amazon and Google.
16. Standard of Conduct
Ascendo and any of its Representatives performing Services or providing Products on the customer’s premises or accessing the customer’s networks remotely shall comply with all of the customer’s security, supervision, and other standard procedures and policies as communicated to Ascendo and such Representatives.
Appendix A - Glossary
Term: Definition
Critical Security Patch: A set of changes to a computer program to fix security vulnerabilities.
Finding: An issue related to an internal control review.
Risk: A potential situation where the system or data may be exposed to a cyber threat.
Security Breach: A security breach is any incident that results in unauthorized access to data, applications, services, networks, and/or devices by bypassing their underlying security mechanisms.
Security Event: A security event is a change in the everyday operations of a network or information technology service indicating that a security policy may have been violated or a security safeguard may have failed.
Security Incident: A security incident is an event that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed.
Vulnerability: A vulnerability is a weakness that can be exploited by a Threat Actor, such as an attacker, to perform unauthorized actions within a computer system.
Terms of Service (“Agreement”) constitute a contract between Ascendo.AI (“Ascendo”), and you, the customer that has signed up for the Services and agreed to the terms of this Agreement (“Customer”). Ascendo wishes to provide and you wish to have the right to access pursuant to the terms of this Agreement, a subscription service. This Agreement includes and incorporates the Order Form with which you purchased the Services and any subsequent Order Forms (submitted in written or electronic form). By accessing or using the Services, you agree to be bound by this Agreement. If you are entering into this Agreement on behalf of a company, organization or other entity, you represent that you have such authority to bind such entity and are agreeing to this Agreement on behalf of such entity. If you do not have such authority to enter into this Agreement or do not agree with these terms and conditions, you may not use the Services.
Ascendo Terms of Service
Section 1: Definitions
1.1 The following terms, when used in this Agreement will have the following meanings:
“Confidential Information” means any information or data disclosed by either party that is marked or otherwise designated as confidential or proprietary or that should otherwise be reasonably understood to be confidential in light of the nature of the information and the circumstances surrounding disclosure. However, “Confidential Information” will not include any information which (a) is in the public domain through no fault of receiving party; (b) was properly known to receiving party, without restriction, prior to disclosure by the disclosing party; (c) was properly disclosed to receiving party, without restriction, by another person with the legal authority to do so; or (d) is independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information.
“Documentation” means the printed and digital instructions, online help files, technical documentation, and user manuals made available by Ascendo for the Services, which Ascendo may modify from time to time.
“Order Form” means an invoice, order form, quote, or other similar document that sets forth the specific Services and pricing therefore, and that references this Agreement and is mutually executed by the parties.
“Services” means the SaaS-based platform and Software products ordered by or made available to the Customer under an Order Form (collectively with the described services in the applicable Order Form or Documentation).
“Software” means Ascendo proprietary software which may integrate with Customer’s Third-Party Services, network or applications, as provided in the Documentation and any updates, fixes, or patches developed from time to time.
Section 2: Services
2.1 Provision of Ascendo Platform. Subject to the terms and conditions of this Agreement, Ascendo hereby grants Customer and its registered employees and contractors (“Users”) a non-exclusive, non-sublicensable, non-transferable license to use and access the Services. The Services are subject to modification from time to time at Ascendo’s sole discretion, provided the modifications do not materially diminish the functionality of the Services provided by Ascendo.
2.2 Data Security. Ascendo maintains a commercially reasonable security program that is designed to
(i) ensure the security and integrity of Customer data uploaded by or on behalf of Customer to the Services (“Customer Data”);
(ii) protect against threats or hazards to the security or integrity of Customer Data; and
(iii) prevent unauthorized access to Customer Data. Solely if and to the extent Ascendo processes Customer Personal Data (as defined in the DPA) that is subject to the GDPR (as defined in the DPA), the GDPR Data Processing Addendum provided on https://www.ascendo.ai/security-standards will apply (“DPA”). Solely if and to the extent Ascendo processes Customer Personal Information (as defined in the CCPA Addendum) that is subject to the CCPA (as defined in the CCPA Addendum), the CCPA Addendum provided on, will apply.
2.3 Limitations. The rights granted herein are subject to the following restrictions (the “License Restrictions”). Customer will not directly or indirectly:
(a) reverse engineer, decompile, disassemble, modify, create derivative works of or otherwise create, attempt to create or derive, or permit or assist any third party to create or derive, the source code, object code or underlying structures, ideas or algorithms of the Services or any data related to the Services;
(b) attempt to probe, scan, or test the vulnerability of the Services, breach the security or authentication measures of the Services without proper authorization, or willfully render any part of the Services unusable;
(c) use or access the Services to develop a product or service that is competitive with Ascendo’s products or Services or engage in competitive analysis or benchmarking;
(d) share, transfer, distribute, resell, lease, license, or assign Services or otherwise offer the Services on a standalone basis; or
(e) otherwise, use the Services outside the scope expressly permitted hereunder and in the applicable Order Form.
Ascendo reserves the right to suspend Customer’s (or any User’s) access to the Services immediately
(i) in the event that Customer breaches this Section 2.3 or Section 4 of this Agreement, or breaches any other provision of this Agreement and fails to correct that breach within the applicable cure period; or (ii) as it deems reasonably necessary to respond to any actual or potential security or availability concern that may affect customers or Users.
2.4 Customer Responsibilities.
(a) Customer will only use the Services in accordance with the Documentation and as set forth in this Agreement. Customer acknowledges that Ascendo’s provision of the Services is dependent on Customer providing all reasonably required cooperation (including the prompt provision of access to Customer’s applications, software systems, personnel, cooperation, and materials as reasonably required and any other access as may be specified in the applicable Order Form), and Customer will provide all such cooperation in a diligent and timely manner.
(b) Customer will (i) be responsible for all use of the Services under its account (whether or not authorized), (ii) use commercially reasonable efforts to prevent unauthorized access to or use of the Services and notify Ascendo promptly of any such unauthorized access or use and (iii) be responsible for obtaining and maintaining any equipment, software, and ancillary services needed to connect to, access or otherwise use the Services, including as set forth in the Documentation. The customer will be solely responsible for its failure to maintain such equipment, software, and services, and Ascendo will have no liability for such failure (including under any service level agreement, if applicable). In addition, the Customer will be responsible for ensuring that its systems (e.g., APIs) have sufficient bandwidth to use the Services.
(c) Customer will not use the Services to transmit or provide to Ascendo any financial or medical information of any nature, or any sensitive personal data (e.g., social security numbers, driver’s license numbers, birth dates, personal bank account numbers, passport or visa numbers, and credit card numbers).
(d) Customer’s use of third-party products or services that are not licensed to Customer directly by Ascendo (“Third Party Services”) shall be governed solely by the terms and conditions applicable to such Third-Party Services, as agreed to between Customer and the third party. Ascendo does not endorse or support, is not responsible for, and disclaims all liability with respect to Third Party Services, including without limitation, the privacy practices, data security processes, or other policies related to Third Party Services. The customer agrees to waive any claim against Ascendo with respect to any Third-Party Services.
(e) Customer may enable integrations between the Services and Third-Party Services (each, an “Integration”). By enabling an Integration between the Services and its third-party Services, Customer is instructing Ascendo to share the Customer Data necessary to facilitate the Integration. The customer is responsible for providing any and all instructions to the Third-Party Service provider about the use and protection of Customer Data. Ascendo and Third-Party Service providers are not subprocessors of each other.
(f) Customer acknowledges that the Services will require Users to share with Ascendo certain information which may include personal information regarding Users (such as usernames, passwords, email addresses and/or phone numbers) solely for the purposes of providing and improving the Services. Prior to authorizing an individual to become a User, Customer is fully responsible for obtaining the consent of that individual, in accordance with Applicable Law, to the use of his/her information by Ascendo AI, which use is described in Ascendo’s Services Privacy Notice, located at https://www.ascendo.ai/privacy. Customer represents and warrants that all such consents have been or will be obtained prior to authorizing any individual to become a User.
(g) Customer will be fully responsible for Users’ compliance with this Agreement and any breach of this Agreement by a User shall be deemed to be a breach by Customer. Ascendo’s relationship is with Customer and not individual Users or third parties using the Services through Customer, and Customer will address all claims raised by its Users directly with Ascendo AI.
Section 3: Fees
3.1 Fees. The Customer will pay Ascendo AI the fees set forth in the Order Form. Except as otherwise specified herein or in any applicable Order Form, (a) fees are quoted and payable in United States dollars and (b) payment obligations are non-cancelable and non-pro-ratable for partial months, and fees paid are non-refundable. Ascendo reserves the right to change the fees or applicable charges and to institute new charges and fees at the end of the initial term, as specified in the Order Form, or then-current renewal term, upon thirty (30) days prior notice to Customer (which may be sent by email).
3.2 Late Payment. Ascendo may suspend access to the Services immediately upon notice if the Customer fails to pay any amounts hereunder at least fifteen (15) days past the applicable due date.
3.3 Taxes. All amounts payable hereunder are exclusive of any sales, use, and other taxes or duties, however designated (collectively “Taxes”). The Customer will be solely responsible for payment of all Taxes, except for those taxes based on the income of Ascendo. The Customer will not withhold any taxes from any amounts due to Ascendo.
Section 4: Proprietary Rights and Confidentiality
4.1 Proprietary Rights. As between the parties, Ascendo exclusively owns all rights, title, and interest in and to the Services and Ascendo’s Confidential Information, and Customer exclusively owns all rights, title, and interest in and to the Customer Data and Customer’s Confidential Information.
4.2 Feedback. Customers may from time to time provide Ascendo suggestions or comments for enhancements or improvements, new features or functionality, or other feedback (“Feedback”) with respect to the Services. Ascendo will have full discretion to determine whether or not to proceed with the development of any requested enhancements, new features, or functionality. Ascendo will have the full, unencumbered right, without any obligation to compensate or reimburse the Customer, to use, incorporate, and otherwise fully exercise and exploit any such Feedback in connection with its products and services.
4.3 Confidentiality. Each party agrees that it will use the Confidential Information of the other party solely in accordance with the provisions of this Agreement and it will not disclose, or permit to be disclosed, the same directly or indirectly, to any third party without the other party’s prior written consent, except as otherwise permitted hereunder. However, either party may disclose Confidential Information (a) to its employees, officers, directors, attorneys, auditors, financial advisors, and other representatives who have a need to know and are legally bound to keep such information confidential by confidentiality obligations consistent with those of this Agreement; and (b) as required by law (in which case the receiving party will provide the disclosing party with prior written notification thereof, will provide the disclosing party with the opportunity to contest such disclosure, and will use its reasonable efforts to minimize such disclosure to the extent permitted by applicable law). Neither party will disclose the terms of this Agreement to any third party, except that Ascendo may confidentially disclose such terms to actual or potential lenders, investors, or acquirers. Each party agrees to exercise due care in protecting Confidential Information from unauthorized use and disclosure. In the event of an actual or threatened breach of the provisions of this Section or the License Restrictions, the non-breaching party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it. Each party will promptly notify the other in writing if it becomes aware of any violations of the confidentiality obligations set forth in this Agreement.
4.4 Machine Learning and Aggregation. The Customer acknowledges that a fundamental component of the Services is the use of data aggregation and machine learning for the purpose of improving and providing Ascendo’s products and services. Notwithstanding anything to the contrary, Customer agrees that Ascendo is hereby granted the right to use (during and after the term hereof) information submitted using the Services to aggregate personally identifiable information and de-identify such information, including information related to vendors and train its algorithms internally through machine learning techniques for such purpose.
4.5 Performance Metrics. Customer agrees that Ascendo has the right to aggregate, collect, and analyze data and other information relating to the access or use of the Services by or on behalf of Customer or any User, including any performance, analytics, or statistical data and shall be free (during and after the term hereof) to (i) use such data and other information to improve Ascendo’s products and services, and (ii) disclose such data and other information solely in an aggregated and de-identified format.
Section 5: Warranties and Disclaimers
5.1 Ascendo. Ascendo represents and warrants that it will not knowingly include, in the Services released to Users and provided to Customer hereunder, any computer code or other computer instructions, devices, or techniques, including without limitation those known as viruses, disabling devices, trojans, or time bombs, that intentionally disrupt, disable, harm, infect, defraud, damage, or otherwise impede in any manner, the operation of a network, computer program or computer system or any component thereof, including its security or User data. If, at any time, Ascendo fails to comply with the warranty in Section 5.1, Customer may promptly notify Ascendo in writing of any such noncompliance. Ascendo will, within 30 days of receipt of such written notification, either correct the noncompliance or provide Customer with a plan for correcting the noncompliance. If the noncompliance is not corrected or if a reasonably acceptable correction plan is not established during such period, Customer may terminate this Agreement and receive a refund of any pre-paid but unearned subscription fees, prorated on a monthly basis, as its sole and exclusive remedy for such noncompliance. This provision does not apply to the Customer’s use of free Services.
5.2 Customer. Customer warrants that it has all rights necessary to provide any information, data or other materials that it provides hereunder, and to permit Ascendo to use the same as contemplated hereunder.
5.3 DISCLAIMERS. EXCEPT AS EXPRESSLY SET FORTH HEREIN, EACH PARTY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. THE CUSTOMER ACKNOWLEDGES THAT THE SERVICES ARE BASED ON PREDICTIVE STATISTICAL MODELS, AND ARE INTENDED TO AUGMENT THE EFFICIENCY OF, BUT NOT REPLACE, CUSTOMER’S IT HELPDESK. THE SERVICES MAY CONTAIN BUGS, MAKE ERRORS, OR MISINTERPRET IT ISSUES, AND IN SUCH CASES ASCENDO CAN DISENGAGE ANY FUNCTIONALITY OF THE SERVICES AT THE CUSTOMER’S REQUEST. ASCENDO DOES NOT REPRESENT OR WARRANT THAT ANY OR ALL IT HELPDESK TICKETS WILL BE RESOLVED OR THAT HUMAN INTERVENTION WILL NOT BE REQUIRED TO RESOLVE AN IT HELPDESK TICKET.
5.4 BETA PRODUCTS. FROM TIME TO TIME, CUSTOMERS MAY HAVE THE OPTION TO PARTICIPATE IN A PROGRAM WITH ASCENDO WHERE CUSTOMER GETS TO USE ALPHA OR BETA PRODUCTS, FEATURES, OR DOCUMENTATION (COLLECTIVELY, “BETA PRODUCTS”) OFFERED BY ASCENDO. THE BETA PRODUCTS ARE NOT GENERALLY AVAILABLE AND ARE PROVIDED “AS IS”. ASCENDO DOES NOT PROVIDE ANY INDEMNITIES, SERVICE LEVEL COMMITMENTS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, TITLE, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, IN RELATION THERETO. CUSTOMERS OR ASCENDO MAY TERMINATE THE CUSTOMER’S ACCESS TO THE BETA PRODUCTS AT ANY TIME.
Section 6: Indemnification
6.1 Indemnity by Ascendo. Ascendo will defend Customer against any claim, demand, suit, or proceeding (“ Claim ”) made or brought against Customer by a third party alleging that the use of the Services as permitted hereunder infringes a United States patent or copyright or misappropriates a trade secret and will indemnify Customer for any damages finally awarded against (or any settlement approved by Ascendo) Customer in connection with any such Claim; provided that (a) Customer will promptly notify Ascendo of such Claim, (b) Ascendo will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Ascendo may not settle any Claim without Customer’s prior written consent, which will not be unreasonably withheld unless it unconditionally releases Customer of all related liability) and (c) Customer reasonably cooperates with Ascendo in connection therewith. If the use of the Services by Customer has become, or in Ascendo’s opinion is likely to become, the subject of any claim of infringement, Ascendo may at its option and expense (i) procure for Customer the right to continue using and receiving the Services as set forth hereunder; (ii) replace or modify the Services to make it non-infringing (with comparable functionality); or (iii) if the options in clauses (i) or (ii) are not reasonably practicable, terminate this Agreement and provide a pro-rata refund of any prepaid fees corresponding to the terminated portion of the applicable subscription term. 
Ascendo will have no liability or obligation with respect to any Claim if such Claim is caused in whole or in part by (A) compliance with designs, guidelines, plans, or specifications provided by Customer; (B) use of the Services by Customer not in accordance with this Agreement; (C) modification of the Services by any party other than Ascendo without Ascendo’s express consent; (D) Customer Confidential Information or (E) the combination, operation or use of the Services with other applications, portions of applications, product(s) or services where the Services would not by itself be infringing (clauses (A) through (E), “ Excluded Claims ”). This Section states Ascendo’s sole and exclusive liability and obligation, and Customer’s exclusive remedy, for any claim of any nature related to infringement or misappropriation of intellectual property.
6.2 Indemnification by Customer. Customer will defend Ascendo against any Claim made or brought against Ascendo by a third party arising out of the (i) Customer’s breach of any laws or regulations (including with respect to privacy); (ii) Customer’s or any User’s use of the Services; (iii) Customer’s violation of any agreements it has with any User; or (iv) Excluded Claims, and Customer will indemnify Ascendo for any damages finally awarded against (or any settlement approved by Customer) Ascendo in connection with any such Claim; provided that (a) Ascendo will promptly notify Customer of such Claim, (b) Customer will have the sole and exclusive authority to defend and/or settle any such Claim (provided that Customer may not settle any Claim without Ascendo’s prior written consent, which will not be unreasonably withheld unless it unconditionally releases Ascendo of all liability) and (c) Ascendo reasonably cooperates with Customer in connection therewith.
Section 7: Limitation of Liability
UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, WILL EITHER PARTY BE LIABLE TO THE OTHER UNDER THIS AGREEMENT FOR (A) ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY CHARACTER, INCLUDING DAMAGES FOR LOSS OF GOODWILL, LOST PROFITS, LOST SALES OR BUSINESS, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, LOST CONTENT OR DATA, EVEN IF A REPRESENTATIVE OF SUCH PARTY HAS BEEN ADVISED, KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, OR (B) EXCLUDING A PARTY’S INDEMNIFICATION OBLIGATIONS OR THE BREACH OF SECTION 2.3 (LIMITATIONS), SECTION 2.4 (CUSTOMER RESPONSIBILITIES) OR SECTION 3 (FEES), ANY DIRECT DAMAGES, COSTS, OR LIABILITIES IN EXCESS OF THE AMOUNTS PAID BY CUSTOMER UNDER THE APPLICABLE ORDER FORM DURING THE TWELVE (12) MONTHS PRECEDING THE INCIDENT OR CLAIM.
Section 8: Termination
8.1 Term. The term of this Agreement will commence on the effective date of the initial Order Form and continue until terminated as set forth below. The initial term of each Order Form will begin on the Order Form effective date of such Order Form and will continue for the subscription term set forth therein. Except as set forth in such Order Form, the term of such Order Form will automatically renew for successive renewal terms equal to the length of the initial term of such Order Form, unless either party provides the other party with written notice of non-renewal at least thirty (30) days prior to the end of the then-current term.
8.2 Termination. Each party may terminate this Agreement upon written notice to the other party if there are no Order Forms then in effect. Each party may also terminate this Agreement or the applicable Order Form upon written notice in the event (a) the other party commits any material breach of this Agreement or the applicable Order Form and fails to remedy such breach within thirty (30) days after written notice of such breach or (b) subject to applicable law, upon the other party’s liquidation, commencement of dissolution proceedings or assignment of substantially all its assets for the benefit of creditors, or if the other party becomes the subject of bankruptcy or similar proceeding that is not dismissed within sixty (60) days.
8.3 Survival. Upon termination of this Agreement, all rights and obligations will immediately terminate except that any terms or conditions that by their nature should survive such termination will survive, including the License Restrictions and terms and conditions relating to proprietary rights and confidentiality, disclaimers, indemnification, limitations of liability and termination and the general provisions below.
Section 9: General
9.1 Export Compliance. Each party will comply with the export laws and regulations of the United States, European Union, and other applicable jurisdictions in providing and using the Services.
9.2 Publicity. Customer agrees that Ascendo may refer to Customer’s name and trademarks in Ascendo’s marketing materials and website; however, Ascendo will not use Customer’s name or trademarks in any other publicity (e.g., press releases, customer references, and case studies) without Customer’s prior written consent (which may be by email).
9.3 Assignment; Delegation. Neither party hereto may assign or otherwise transfer this Agreement, in whole or in part, without the other party’s prior written consent, except that either party may assign this Agreement without consent to a successor to all or substantially all of its assets or business related to this Agreement. Any attempted assignment, delegation, or transfer by either party in violation hereof will be null or void. Subject to the foregoing, this Agreement will be binding on the parties and their successors and assigns.
9.4 Amendment; Waiver. No amendment or modification to this Agreement, nor any waiver of any rights hereunder, will be effective unless assented to in writing by both parties. Any such waiver will be only to the specific provision and under the specific circumstances for which it was given and will not apply with respect to any repeated or continued violation of the same provision or any other provision.
Failure or delay by either party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.
9.5 Relationship. Nothing contained herein will in any way constitute any association, partnership, agency, employment, or joint venture between the parties hereto, or be construed to evidence the intention of the parties to establish any such relationship. Neither party will have the authority to obligate or bind the other in any manner, and nothing herein contained will give rise or is intended to give rise to any rights of any kind to any third parties.
9.6 Unenforceability. If a court of competent jurisdiction determines that any provision of this Agreement is invalid, illegal, or otherwise unenforceable, such provision will be enforced as nearly as possible in accordance with the stated intention of the parties, while the remainder of this Agreement will remain in full force and effect and bind the parties according to its terms.
9.7 Governing Law. This Agreement will be governed by the laws of the State of California, exclusive of its rules governing choice of law and conflict of laws. This Agreement will not be governed by the United Nations Convention on Contracts for the International Sale of Goods.
9.8 Notices. Any notice required or permitted to be given hereunder will be given in writing by personal delivery, certified mail, return receipt requested, or by overnight delivery. Ascendo may provide notice using the information provided in the most recent Order Form and Customer may provide notice using the contact information provided on https://www.ascendo.ai.
9.9 Entire Agreement. This Agreement comprises the entire agreement between Customer and Ascendo with respect to its subject matter and supersedes all prior and contemporaneous proposals, statements, sales materials, or presentations and agreements (oral and written). No oral or written information or advice given by Ascendo, its agents, or employees will create a warranty or in any way increase the scope of the warranties in this Agreement. In the event of any conflict between this Agreement and the DPA or CCPA Addendum, the DPA and/or CCPA Addendum, as applicable, will govern.
9.10 Force Majeure. Neither Party will be deemed in breach hereunder for any cessation, interruption, or delay in the performance of its obligations due to causes beyond its reasonable control (“Force Majeure Event”), including earthquake, flood, or other natural disasters, act of God, labor controversy, civil disturbance, terrorism, war (whether or not officially declared), cyber-attacks (e.g., denial of service attacks), or the inability to obtain sufficient supplies, transportation, or other essential commodity or service required in the conduct of its business, or any change in or the adoption of any law, regulation, judgment or decree.
9.11 Government Terms. Ascendo provides the Services, including related software and technology, for ultimate federal government end use solely in accordance with the terms of this Agreement. If Customer (or any of its customers) is an agency, department, or other entity of any government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Services, or any related documentation of any kind, including technical data, software, and manuals, is restricted by the terms of this Agreement. All other use is prohibited and no rights other than those provided in this Agreement are conferred. The Services were developed fully at private expense.
9.12 Interpretation. For purposes hereof, “including” means “including without limitation”.
Last Updated: May 17, 2023
Ascendo.AI Subprocessors
Please register to be notified of any changes to the Subprocessor list on this page. If a change occurs, you will receive an email to the address that you provide.
Subprocessor Policy
Last Updated: June 2, 2023
Ascendo.AI may engage the following entities to process personal data that you include in your use of Ascendo.AI’s Cloud Services:
Cloud Providers
Third-Party Entity: Google, Inc.
Data Types: Cloud Provider
Description of Processing: Ascendo.AI runs on top of GCP. These cloud providers host the personal data you store in the Cloud Services.
Third-Party Entity: MongoDB, Inc.
Data Types: Cloud Provider DB
Description of Processing: These cloud providers host all the data you store in the Cloud Services.
To provide support and perform other service functions, we may also engage the following entities to process personal data on your behalf:
Other Third-Party Subprocessor
Third-Party Entity: Twilio, Inc.
Data Types: 2FA and SMS Alerts
Description of Processing: If you turn on two-factor authentication or SMS alerts, Twilio receives basic info to provide you authentication codes and text alerts (e.g., phone number).
Headquartered Location: San Francisco, CA
Third-Party Entity: Slack Technologies
Data Types: Support Channel
Description of Processing: If you engage in support via Slack, Slack receives basic contact info (e.g., name, email address).
Headquartered Location: San Francisco, CA
Third-Party Entity: Google, Inc.
Data Types: Email Support
Description of Processing: If you engage in email support via Gmail, Google receives basic contact info (e.g., name, email address). If you include other personal data in your support emails (e.g., snippets of database logs, query outputs, etc.), this information would also be processed by Google.
Headquartered Location: Mountain View, CA
Affiliates
Ascendo.AI may engage the following entities to process personal data that you include in your use of Ascendo.AI’s Cloud Services:
Affiliate Entity: Ascendo.AI, Inc.
Location: United States
Last Updated: June 2, 2023
This Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the Ascendo Services under the Ascendo Customer Terms of Service between you and us (also referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form, or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
1. Definitions
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or "CPRA").
"Consumer", "Business", "Sell", "Service Provider", and "Share" will have the meanings given to them in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and other applicable U.S. federal and state privacy laws, and the data protection and privacy laws of Australia, Singapore, and Japan, in each case as amended, repealed, consolidated or replaced from time to time; with regard to Ascendo.AI, Data Protection Laws exclude laws governing Sensitive Information, as defined in the General Terms.
“Data Subject” means the individual to whom Personal Data relates.
"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded or replaced.
“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
"Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws.
“Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Customer Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Privacy Shield" means the EU-U.S. and Swiss-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July 12, 2016, and by the Swiss Federal Council on January 11, 2017, respectively; as may be amended, superseded or replaced.
"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July 12, 2016; as may be amended, superseded, or replaced.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded or replaced.
“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any Ascendo.AI employee or consultant.
“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A (1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.
2. Customer Responsibilities
a. Compliance with Laws. Within the scope of the Agreement and in its use of the services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us.
In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. You will inform us without undue delay if you are not able to comply with your responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
b. Controller Instructions. The parties agree that the Agreement (including this DPA), together with your use of the Subscription Service in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data, so long as you may provide additional instructions during the subscription term that are consistent with the Agreement, the nature and lawful use of the Subscription Service.
c. Security. You are responsible for independently determining whether the data security provided for in the Subscription Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service (including to securely backup or encrypt any such Personal Data).
3. Ascendo.AI Obligations
a. Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.
b. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Subscription Services until such time as you issue new lawful Instructions with regard to the Processing.
c. Security. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
d. Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.
e. Personal Data Breaches. We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.
f. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Subscription Service in accordance with the procedures set out in our Product Specific Terms. This term will apply except where we are required by applicable law to retain some or all of the Customer Data, or where we have archived Customer Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices. You may request the deletion of your Ascendo.AI account after the expiration or termination of your subscription by sending a request to policy@ascendo.ai.
We strongly recommend retrieving your Customer Data prior to the end of your Subscription. If you need help retrieving your Customer Data during the Subscription Term, we will provide reasonable assistance to you, at your cost, and in accordance with the ‘Confidentiality’ section of the General Terms.
4. Data Subject Requests
The Subscription Service provides you with a number of controls that you can use to retrieve, correct, delete or restrict Personal Data, which you can use to assist it in connection with its obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests").
To the extent that you are unable to independently address a Data Subject Request through the Subscription Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You will reimburse us for the commercially reasonable costs arising from this assistance.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
5. Sub-Processor
You agree we may engage Sub-Processors to Process Personal Data on your behalf, and we do so in three ways. First, we may engage Sub-Processors to assist us with hosting and infrastructure. Second, we may engage with Sub-Processors to support product features and integrations. Third, we may engage with Ascendo.AI Affiliates as Sub-Processors for service and support. Some Sub-Processors will apply to you as default, and some Sub-Processors will apply only if you opt in.
We have currently appointed, as Sub-Processors, the third parties and Ascendo.AI Affiliates listed in Annex 3 to this DPA. You may subscribe to receive notifications by email if we add or replace any Sub-Processors by completing the form available here. If you opt in to receive such email, we will notify you at least 30 days prior to any such change.
We will give you the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, or permit you to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination). The parties agree that by complying with this sub-section, Ascendo.AI fulfills its obligations under Section 9 of the Standard Contractual Clauses.
Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.
6. Data Transfers
You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by Ascendo.AI, Inc. in the United States and to other jurisdictions where Ascendo.AI Affiliates and Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
7. Demonstration of Compliance
We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, including inspections conducted by you or your auditor in order to assess compliance with this DPA, where required by applicable law. You acknowledge and agree that you will exercise your audit rights under this DPA and Clause 8.9 of the Standard Contractual Clauses by instructing us to comply with the audit measures described in this 'Demonstration of Compliance' section. You acknowledge that the Subscription Service is hosted by our hosting Sub-Processors who maintain independently validated security programs (including SOC 2) and that our systems are audited annually as part of SOC 2 compliance and regularly tested by independent third-party penetration testing firms. Upon request, we will supply (on a confidential basis) our SOC 2 report and summary copies of our penetration testing report(s) to you so that you can verify our compliance with this DPA. Further, at your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect non-compliance with the DPA.
8. Additional Provisions for European Data
a. Scope. This 'Additional Provisions for European Data' section will apply only with respect to European Data.
b. Roles of the Parties. When Processing European Data in accordance with your Instructions, the parties acknowledge and agree that you are the Controller of European Data and we are the Processor.
c. Instructions. If we believe that your Instruction infringes European Data Protection Laws (where applicable), we will inform you without delay.
d. Sub-Processor Agreements. For the purposes of Clause 9(c) of the Standard Contractual Clauses, you acknowledge that we may be restricted from disclosing Sub-Processor agreements but we will use reasonable efforts to require any Sub-Processor we appoint to permit it to disclose the Sub-Processor agreement to you and will provide (on a confidential basis) all information we reasonably can.
e. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI) and the UK Information Commissioner's Office (ICO)) or other competent data privacy authorities to the extent required by European Data Protection Laws.
f. Transfer Mechanisms for Data Transfers.
(A) Ascendo.AI will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
(B) You acknowledge that in connection with the performance of the Subscription Services, Ascendo.AI, Inc. is a recipient of European Data in the United States. Subject to sub-sections (C) and (D), the parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:
(a) EEA Transfers. In relation to European Data that is subject to the GDPR (i) Customer is the "data exporter" and Ascendo.AI, Inc. is the "data importer"; (ii) the Module Two terms apply to the extent the Customer is a Controller of European Data and the Module Three terms apply to the extent the Customer is a Processor of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the 'Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (viii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.
(b) UK Transfers. In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
(c) Swiss Transfers. In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with subsection (a), and the following modifications (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with "the Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
(C) Where the Ascendo.AI contracting entity under the Agreement is not Ascendo.AI, Inc., such contracting entity (not Ascendo.AI, Inc.) will remain fully and solely responsible and liable to you for the performance of the Standard Contractual Clauses by Ascendo.AI, Inc., and you will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity. If Ascendo.AI cannot comply with its obligations under the Standard Contractual Clauses or is in breach of any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and you intend to suspend the transfer of European Data to Ascendo.AI or terminate the Standard Contractual Clauses or UK Addendum, you agree to provide us with reasonable notice to enable us to cure such non-compliance and reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If we have not or cannot cure the non-compliance, you may suspend or terminate the affected part of the Subscription Service in accordance with the Agreement without liability to either party (but without prejudice to any fees you have incurred prior to such suspension or termination).
(D) Although Ascendo.AI, Inc. does not currently rely on the EU-US Privacy Shield as a legal basis for transfers of European Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as Ascendo.AI, Inc. is self-certified to the Privacy Shield Ascendo.AI, Inc. will process European Data in compliance with the Privacy Shield Principles and let you know if it is unable to comply with this requirement. In the event that Ascendo.AI adopts an alternative transfer mechanism (including any new or successor version of the EU-US Privacy Shield) for transfers of European Data to Ascendo.AI, Inc., such alternative transfer mechanism will apply automatically instead of the Standard Contractual Clauses described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.
9. Additional Provisions for California Personal Information
a. Scope. The 'Additional Provisions for California Personal Information' section of the DPA will apply only with respect to California Personal Information.
b. Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider for the purposes of the CCPA.
c. Responsibilities. We certify that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA, including as described in the 'Usage Data' section of our Privacy Policy. Further, we certify we (i) will not Sell or Share California Personal Information; (ii) will not Process California Personal Information outside the direct business relationship between the parties, unless required by applicable law; and (iii) will not combine the California Personal Information included in Customer Data with personal information that we collect or receive from another source (other than information we receive from another source in connection with our obligations as a Service Provider under the Agreement).
d. Compliance. We will (i) comply with obligations applicable to us as a Service Provider under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. We will notify you if we make a determination that we can no longer meet our obligations as a Service Provider under the CCPA.
e. CCPA Audits. You will have the right to take reasonable and appropriate steps to help ensure that we use California Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon notice, you will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.
f. Not a Sale. The parties acknowledge and agree that the disclosure of California Personal Information by the Customer to Ascendo.AI does not form part of any monetary or other valuable consideration exchanged between the parties.
10. General Provisions
a. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA and the terms that apply in the ‘Amendment; No Waiver’ section of the General Terms will apply.
b. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
c. Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the General Terms and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). For the avoidance of doubt, if Ascendo.AI, Inc. is not a party to the Agreement, the ‘Limitation of Liability’ section of the General Terms will apply as between you and Ascendo.AI, Inc., and in such respect, any references to ‘Ascendo.AI’, ‘we’, ‘us’ or ‘our’ will include both Ascendo.AI, Inc. and the Ascendo.AI entity that is a party to the Agreement. In no event will either party's liability be limited with respect to any individual's data protection rights under this DPA (including the Standard Contractual Clauses) or otherwise.
d. Governing Law. This DPA will be governed by and construed in accordance with the ‘Contracting Entity; Applicable Law; Notice’ sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.
11. Parties to this DPA
a. Permitted Affiliates. By signing the Agreement, you enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer”, “you” and “your” will include you and such Permitted Affiliates.
b. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
c. Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations, and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.
d. Other rights. The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.
Annex 1 - Details of Processing
A. List of Parties
Data Exporter:
Name: The Customer, as defined in the Ascendo.AI Customer Terms of Service (on behalf of itself and Permitted Affiliates)
Address: The Customer's address, as set out in the Order Form
Contact person’s name, position, and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Customer’s Ascendo.AI Account
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Ascendo.AI Subscription Services under the Ascendo.AI Customer Terms of Service
Role (controller/processor): Controller
Data Importer:
Name: Ascendo.AI, Inc.
Address: 228 Hamilton Avenue, Floor 3, Palo Alto, CA 94301 USA
Contact person’s name, position, and contact details: Ramki PitchuIyer, CPO, Ascendo.AI, Inc., 228 Hamilton Avenue, Floor 3, Palo Alto, CA 94301 USA
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Ascendo.AI Subscription Services under the Ascendo.AI Customer Terms of Service
Role (controller/processor): Processor
B. Description of Transfer
Categories of Data Subjects whose Personal Data is Transferred
You may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.
Categories of Personal Data Transferred
You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
1. Contact Information (as defined in the General Terms).
2. Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.
Sensitive Data transferred and applied restrictions or safeguards
The parties do not anticipate the transfer of sensitive data.
Frequency of the transfer
Continuous
Nature of the Processing
Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
1. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
Purpose of the transfer and further processing
We will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.
Period for which Personal Data will be retained
Subject to the 'Deletion or Return of Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
C. Competent Supervisory Authority
For the purposes of the Standard Contractual Clauses, the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.
Annex 2 - Security Measures
We are currently observing the Security Measures described in Annex 2. All capitalized terms not otherwise defined herein will have meanings as set forth in the General Terms. For more information on these security measures, please refer to Ascendo.AI SOC 2 Type II Report.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The physical and environmental security controls are audited for SOC 2 Type II, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
ii) Preventing Unauthorized Product Use
We implement industry-standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignments, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of the Ascendo.AI web application at least annually. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.
Bug bounty: A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a bug bounty program in an effort to widen the available opportunities to engage with the security community and improve the product defenses against sophisticated attacks.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development, and research, to troubleshoot potential problems, to detect and respond to security incidents, and implement data security. Access is enabled through “just in time” (JITA) requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated daily. Administrative or high-risk access permissions are reviewed at least once every six months.
Background checks: Where permitted by applicable law, Ascendo.AI employees undergo third-party background or reference checks. In the United States, employment offers are contingent upon the results of a third-party background check. All Ascendo.AI employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces and for free on every customer site hosted on the Ascendo.AI products. Our HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
d) Availability Control
Infrastructure Availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation, and air conditioning (HVAC) services.
Fault Tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online Replicas And Backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry-standard methods.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure the availability of information following interruption to, or failure of, critical business processes.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal of preventing single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
Annex 3 - Sub-Processors
To help Ascendo.AI deliver the Subscription Service, we engage Sub-Processors to assist with our data processing activities. A list of our Sub-Processors and our purpose for engaging them is located on our Ascendo.AI Sub-Processors Page available at https://www.ascendo.ai/subprocessor, which is incorporated into this DPA.