SugarCRM SupportResourcesSugarCRM Product Subscription TermsMaster Subscription Agreement

Master Subscription Agreement

(Released May 17, 2018)

PLEASE READ THIS MASTER SUBSCRIPTION AGREEMENT CAREFULLY BEFORE ACCEPTING.  THE TERMS AND CONDITIONS OF THIS MASTER SUBSCRIPTION AGREEMENT, ANY ADDITIONAL TERMS AND ANY ORDER FORMS ENTERED INTO BY YOU AND SUGARCRM INC. ("SUGARCRM") ARE COLLECTIVELY REFERRED TO AS THE "AGREEMENT."  UNLESS OTHERWISE DEFINED HEREIN, CAPITALIZED TERMS SHALL HAVE THE MEANINGS SET FORTH IN SECTION 12 BELOW.

BY ACCEPTING, YOU ARE AGREEING ON BEHALF OF THE ENTITY ORDERING THE SUGARCRM PRODUCT ("COMPANY") THAT COMPANY WILL BE BOUND BY AND BECOME A PARTY TO THE AGREEMENT AND CERTIFYING THAT YOU HAVE THE AUTHORITY TO BIND COMPANY.  IF COMPANY DOES NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT OR IF YOU DO NOT HAVE THE AUTHORITY TO BIND COMPANY TO THIS AGREEMENT, DO NOT SELECT THE "ACCEPT" BOX OR SIGN (EITHER MANUALLY OR ELECTRONICALLY) THE ORDER FORM ISSUED TO YOU BY SUGARCRM.

UNLESS AND UNTIL COMPANY HAS AGREED TO BE BOUND BY ALL OF THE TERMS OF THE AGREEMENT, COMPANY HAS NOT BECOME A LICENSEE OF, AND IS NOT AUTHORIZED TO USE, THE SUGARCRM PRODUCT. THE "EFFECTIVE DATE" OF THIS AGREEMENT IS THE DAY THAT YOU CHECK THE "ACCEPT" BOX OR SIGN (EITHER MANUALLY OR ELECTRONICALLY) THE ORDER FORM ISSUED TO YOU BY SUGARCRM.

  1. Subscription
    • 1.1 Deployment Model. The Product is made available to the Company pursuant to the terms of this Agreement and the relevant Order Form during the Subscription Term. The Product shall either be: (a) installed by or for Company at Company's premises, or on a Company-controlled server within a third party data center ("On-Site"), or (b) hosted by SugarCRM, and provided as a service ("Sugar Cloud"). Company can migrate from one deployment model to another at any time during the Subscription Term, subject to any applicable SugarCRM migration fees and any terms and conditions that apply to the new deployment model.
    • 1.2 Use of the Product.
      • 1.2.1 Terms of Use. The terms of use that govern Company's use of the Product are attached in Exhibit A, unless otherwise agreed in an Order Form.
      • 1.2.2 Usage Limits. SugarCRM will provide Company with a key to access the Product solely by the specific number of Subscription Users for which Company has paid the applicable fees. The Product may not be accessed or used by more than the specified number of Subscription Users.  Subscription User accounts and passwords are specific to individual Subscription Users, and may not be shared among or by other users. Company administrator(s) may however reassign a Subscription User account during the Subscription Term, if a former Subscription User no longer requires access to or use of the Product. Company shall notify SugarCRM in writing immediately of any unauthorized use of, or access to, the Product or any Subscription User account or password thereof. Users of external applications accessing functionality or data stored inside the Product require a Subscription for each user who accesses the functionality or data.
    • 1.3 Support. During the Subscription Term, and where Company purchases the subscriptions directly from SugarCRM, SugarCRM will provide Company with SugarCRM's standard level of support at no additional charge as indicated at https://www.sugarcrm.com/page/support-offerings/en (the "Support Services"). If Company purchases subscriptions through an Authorized Partner, then Company shall instead obtain support directly from that Authorized Partner.   
    • 1.4 Company Responsibilities. Company shall: (a) be responsible for Subscription Users' compliance with this Agreement and shall use the Product only in accordance with the SugarCRM product documentation, (b) be responsible for the accuracy, integrity, and legality of Company Data and the means by which it acquires and uses such Company Data, and (c) be solely responsible for determining the suitability of the Product for Company's business and complying with any regulations and laws, (including, without limitation, export, data protection and privacy laws) applicable to the Company Data and Company's use of the Product.
    • 1.5 Restrictions. Company shall not, directly or indirectly: (a) sublicense, resell, rent, lease, distribute, market, commercialize or otherwise transfer rights or usage to all or any portion of the Product, or provide the Product on a timesharing, service bureau or other similar basis, (b) remove or alter any copyright, trademark or other proprietary notice in the Product or documentation, (c) modify, remove or disable any portion of the Critical Control Software, (d) use or modify the Product in any way that would subject the Product, in whole in or in part, to a Copyleft License, (e) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Product or the data contained therein, (f) use the Product, or permit it to be used, for purposes of product evaluation, benchmarking or other comparative analysis intended for publication without SugarCRM's prior written consent or (g) use the Product in violation of applicable data protection and privacy laws or otherwise breach any third party rights in connection with this Agreement or any Appendices hereto .
    • 1.6 Third Party Contractors. Company may use third party contractors to assist with the installation, use and modification of the Product for Company's own internal business use, including creation of Modifications. Company must have a written contract in place with each contractor that contains terms and conditions no less protective of the Product, SugarCRM's Confidential Information or intellectual property than those contained in this Agreement. For example contractors must assign their rights, title and interests (including all intellectual property rights) in Modifications to Company to ensure Company's compliance with Section 3.1. Company is responsible for compliance by its contractors with this Agreement.
  2. Third-Party Software; Third-Party Modules.
    • 2.1 Third-Party Software. The Product utilizes or includes certain Third Party Software. Company's use of the Product, including all Third Party Software accessible via APIs, is governed by the applicable Third-Party Software terms and conditions found at: http://www.sugarcrm.com/third-party-software.
    • 2.2 Third-Party Modules. Company may acquire and use Third-Party Modules to add functionality to the Product, provided that such use is limited to internal use by Company in a manner that does not violate any provisions of this Agreement. Any use by Company of Third-Party Modules and any exchange of Company Data between Company and the Third-Party Module provider are solely between Company and the Third-Party Module provider. SugarCRM does not warrant or support Third-Party Modules.
    • 2.3 Third-Party Privacy Policies and APIs. Any Company Data exchanged with Third-Party Software or Third-Party Modules is governed by that provider's respective privacy policy. Product features that interoperate with third party services (such as Google) depend on the continuing availability of the third party API and program for use with the Product. Access to the third party API or program may require Company to create an account and enter into a separate agreement with the third party API provider. If a third party ceases to make the API or program available, SugarCRM may cease providing such third party features without entitling Company to any refund, credit, or other compensation.
  3. Proprietary Rights.
    • 3.1 Ownership of Product and Modifications. SugarCRM owns all right, title and interest, including all intellectual property rights, in and to the Product, and all Modifications (collectively, the "SugarCRM Property"). Company hereby does and will assign to SugarCRM all right, title and interest worldwide in the intellectual property rights embodied in all Modifications. To the extent any of the rights, title and interest are not assignable by Company to SugarCRM, Company grants and agrees to grant to SugarCRM an exclusive, royalty-free, transferable, irrevocable, worldwide, fully paid-up license under Company's intellectual property rights to use, disclose, reproduce, license (with rights to sublicense through multiple tiers of sublicensees), sell, offer for sale, distribute, import and otherwise exploit the  Modifications without restriction or obligation of any kind or nature. Modifications are licensed back to the Company as "Products" pursuant to this Agreement, during the Subscription Term. Except as expressly stated otherwise in this Agreement, SugarCRM retains all of its right, title and ownership interest in and to the SugarCRM Property, and no other intellectual property rights or licenses are granted to Company under this Agreement, either expressly or by implication, estoppel or otherwise, including, but not limited to, any rights under any of SugarCRM's or its Affiliate's patents.
    • 3.2 Trademarks. SugarCRM's name, logo, trade names and trademarks are owned by SugarCRM, and no right is granted to Company to use any of the foregoing except as expressly permitted in this Agreement or by written consent of SugarCRM.
    • 3.3 Feedback. Company or its Subscription Users may provide suggestions, enhancement or feature requests or other feedback to SugarCRM with respect to the SugarCRM Product or other SugarCRM products and services (collectively, "Feedback"). Company grants SugarCRM an exclusive, royalty-free, transferable, irrevocable, worldwide, fully paid-up license to use, disclose, reproduce, license, sublicense, sell, offer for sale, distribute, import and otherwise exploit the Feedback without restriction or obligation of any kind or nature.
  4. Company Data, Usage Data and Regulated Data
    • 4.1 Company Data.
      • 4.1.1 Ownership of Company Data. Company retains all ownership of the Company Data.
      • 4.1.2 Processing of Company Data. Company is solely responsible for entering its Company Data (including personal data) into the Product. Company grants SugarCRM the non-exclusive right to use, access and process all Company Data for the sole purpose and only to the extent necessary for SugarCRM to provide the Product to Company and to perform its obligations under this Agreement, including to prevent or address support, service or technical problems.
      • 4.1.3 Security. SugarCRM will have in place and will maintain throughout the Subscription Term, appropriate technical and organizational measures to protect against accidental or unauthorized destruction, loss, alteration or disclosure of the Company Data, and adequate security programs and procedures to ensure that unauthorized persons will not have access to any equipment used by SugarCRM to process the Company Data.
    • 4.2 Usage Data. In the course of providing Company with the Product, SugarCRM may collect, use, process and store Usage Data in order to create and compile anonymized and aggregated statistics about the Products. For details on this see SugarCRM's privacy policy here: http://www.sugarcrm.com/legal/privacy-policy.
    • 4.3 Regulated Data in Relation to Products. The Sugar Cloud service is not configured to receive and store certain types of government regulated, controlled or similarly restricted data ("Regulated Data"), including without limitation technical data controlled by International Traffic in Arms Regulations and personal health information under the Health Insurance Portability and Accountability Act. Neither Company nor any Subscription Users shall use the Sugar Cloud version of the Product to store Regulated Data or provide access to or submit any Regulated Data to SugarCRM when requesting Support Services or otherwise. SugarCRM reserves the right to suspend or terminate the Subscription immediately if Company is found to be in violation of this Section.
  5. Payment
    • 5.1 Fees and Payment. Company shall pay all fees specified in the relevant Order Form and such fees are: (a) fixed during the applicable Subscription Term, (b) quoted and payable in United States dollars (unless expressly agreed otherwise in an Order Form), (c) based upon the number of Subscription Users purchased, even if actual usage is lower, (d) exclusive of taxes and (e) non-cancelable and non-refundable. Fees are due 30 days from the invoice date, unless otherwise noted in an Order Form. SugarCRM will invoice the Company based on the billing information in the Order Form.
    • 5.2 Purchases from Authorized Partner. If Company purchases a Subscription to the Product from an Authorized Partner, then Company appoints Authorized Partner to act as Company's representative in the procurement and management of the Product and that SugarCRM may deal with the Authorized Partner on that basis. If Company purchases a Subscription to the Product from an Authorized Partner, the Company will submit payment to the Authorized Partner and the Authorized Partner will submit payment to SugarCRM on Company's behalf in accordance with its agreement with SugarCRM.
    • 5.3 Additional Subscription Users. Additional Subscription User's may be added during a Subscription Term at the then-current Subscription User Subscription fee, pro-rated beginning in the initial month in which Subscription Users are added through the remaining then-current Subscription Term, such that the Subscription Term runs co-terminus for all Subscriptions.
    • 5.4 Renewal. Fees for any subsequent renewals shall be set at the then-current SugarCRM list price, unless otherwise stated on the Order Form or agreed to in writing by SugarCRM.
    • 5.5 Overdue Charges. Undisputed overdue amounts are subject to interest at a rate of 1.0% per month, or the maximum rate permitted by law, whichever is lower. If any undisputed charge owing by Company to SugarCRM or its Authorized Partner remain unpaid 30 days after its due date, SugarCRM may, without limiting its rights and remedies, suspend Company's use of the Product, and Support Services until such amounts are paid in full.
    • 5.6 Taxes.
      • 5.6.1 General Taxes. Unless otherwise provided in an Order Form and subject to Section 5.6.2 below, fees specified in quotes or Order Forms, do not include any Taxes, and Company is responsible for payment and reimbursement of all Taxes associated with its purchases hereunder, excluding any Taxes based on SugarCRM's net income or property.
      • 5.6.2 Withholding Taxes. If Company is legally required to pay withholding Taxes on the fees (or make any similar tax reduction) (each a "Fee Reduction Tax"), then (i) Company shall deduct the applicable Fee Reduction Tax from the fees prior to payment to SugarCRM; (ii) timely remit the Fee Reduction Taxes to the appropriate taxing authorities; and (iii) promptly furnish SugarCRM with tax receipts evidencing the payments of the Fee Reduction Taxes on such fees.  If Company breaches the obligations in this Section it shall indemnify SugarCRM against any costs, claims and liabilities arising as a result of the breach. If Company believes that Fee Reduction Taxes will apply to fees under this Agreement, then Company will notify SugarCRM promptly, but within no more than 5 days of the Effective Date of this Agreement.  If the parties have negotiated fees without expressly accounting for the then-current Fee Reduction Taxes and the parties later determine that such taxes are in fact required (or have increased or decreased during the course of this Agreement), then the fees payable by Company under this Agreement shall be adjusted to the extent necessary to ensure that, after such Fee Reduction Taxes are applied, SugarCRM receives and retains, a net amount equal to the fees that SugarCRM would have received and retained absent the deductions required for the Fee Reduction Taxes.  The newly adjusted fees will be documented in writing.
    • 5.7 Audit and Reporting. Company shall maintain accurate records necessary to verify the number of Subscription Users. Within 30 days of delivery of a written request by SugarCRM, Company shall provide SugarCRM or its third party appointee with (i) copies of such records or (ii) alternatively at SugarCRM's sole discretion, a report regarding the Product being utilized by Company and the number of Subscription Users authorized to use the Product. If Company has more Subscription Users than Company has paid for, Company shall immediately pay the applicable fees for the additional Subscription Users, commencing on the effective date of the applicable Order Form through the remainder of the then current Subscription Term, in addition to reasonable costs incurred by SugarCRM associated with reviewing such records.
  6. Term and Termination
    • 6.1 Term. This Agreement commences on the Effective Date and continues through the Subscription Term until all Subscriptions hereunder have expired or have been terminated. The Subscription Term shall be as specified in the applicable accepted Order Form.
    • 6.2 Termination by Company or SugarCRM. Either party may terminate this Agreement and any then-current Order Form prior to the end of a Subscription Term if the other party: (i) materially breaches its obligations hereunder and, where such breach is curable, such breach remains uncured for 30 days following written notice of the breach or (ii) becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.
    • 6.3 Effect of Termination. No refunds of payments will be made, unless termination of this Agreement and any then-current Order Forms is a result of a breach by SugarCRM under Section 6.2, in which case Company will be entitled to a refund of the pro rata portion of fees associated with the unused remainder of the Subscription Term. Upon expiration or termination of this Agreement, the rights granted under this Agreement and any then-current Order Forms will be immediately revoked and SugarCRM may immediately deactivate Company's account. SugarCRM may keep copies of Company Data solely to the extent necessary for the performance of its obligations under this Agreement (eg Exhibit A, Section B8). In no event shall any termination relieve Company of the obligation to pay any fees payable to SugarCRM for any period prior to the effective date of termination, unless otherwise stated in this Agreement.
    • 6.4 Surviving Provisions. Sections 1.5, 3, 6.3, 7, 10, 11 and 12 shall survive termination or expiration of this Agreement.
  7. Confidentiality.
    • 7.1 Confidentiality. The receiving party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care)  (i) not to use any Confidential Information of the disclosing party for any purpose outside the scope of this Agreement and (ii)  limit access to any Confidential Information of the disclosing party, except (a) for those employees, representatives, or contractors of the receiving party who require access to the Confidential Information to enable receiving party to exercise its rights and obligations under this Agreement and who are bound by written agreement, with terms at least as restrictive as these, not to disclose third-party confidential or proprietary information disclosed to such party, or (b) as disclosure may be required by law or governmental regulation, subject to the receiving party providing to the disclosing party written notice to allow the disclosing party to seek a protective order or otherwise prevent the disclosure. The receiving party does not need to provide notice before disclosure if the receiving party is informed that it is legally prohibited from giving notice. Nothing in this Agreement will prohibit or limit the receiving party's use of information: (i) previously known to it without obligation of confidence, (ii) independently developed by or for it without use of or access to the disclosing party's Confidential Information, (iii) acquired by it from a third party that is not under an obligation of confidence with respect to such information, or (iv) that is or becomes publicly available through no breach of this Agreement. The receiving party acknowledges the irreparable harm that improper disclosure of Confidential Information may cause; therefore, the injured party is entitled to seek equitable relief, including temporary restraining order(s) or preliminary or permanent injunction, in addition to all other remedies, for any violation or threatened violation of this Section.  The terms of this Agreement and Product source code of the Product are Confidential Information of SugarCRM or its licensors.
    • 7.2 Destruction. Within 5 days after a disclosing party's request, the receiving party shall return or destroy the disclosing party's Confidential Information; provided, however, that the receiving party shall be entitled to retain archival copies of the Confidential Information of the disclosing party solely for legal, regulatory or compliance purposes unless otherwise prohibited by law.
  8. Warranties.
    • 8.1 SugarCRM Warranties. SugarCRM warrants that (a) the Product shall perform materially in accordance with the online user guide for the applicable Product, and (b) SugarCRM will use commercially reasonable measures to detect whether the Product contains any Malicious Code. If the Product does not conform to the warranty specified in Section 8.1(a) above, Company must notify SugarCRM in writing within 30 days of the breach of warranty, and SugarCRM agrees to use commercially reasonable efforts to cure the non-conforming portions of the Product. SugarCRM is not responsible for any non-compliance resulting from or caused by any (i) Malicious Code present in the Company Data, (ii) Modifications made by anyone other than SugarCRM, including by way of example, Modifications made by Company or any Authorized Partners or (iii) hardware or software not supplied by SugarCRM. Company's sole and exclusive remedy for an uncured breach of any of the warranties contained in this Section shall be to terminate the Agreement and, notwithstanding anything to the contrary in this Agreement, have SugarCRM refund to Company the pro rata unused portion of any pre-paid Subscription fees.
    • 8.2 Mutual Warranty. Each party warrants to the other party that it has the legal power and authority to, and hereby does, enter into this Agreement.
    • 8.3 Disclaimer of Warranties. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, THE SUGARCRM PRODUCT IS PROVIDED TO COMPANY STRICTLY ON AN "AS IS" BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. SUGARCRM'S PRODUCT OR SERVICE MAY BE SUBJECT TO LIMITATIONS OR ISSUES INHERENT IN THE USE OF THE INTERNET AND SUGARCRM IS NOT RESPONSIBLE FOR ANY PROBLEMS OR OTHER DAMAGE RESULTING FROM SUCH LIMITATIONS OR ISSUES.
  9. Third Party Claims.
    • 9.1 SugarCRM. SugarCRM shall at its expense (a) defend or settle any third party claims, actions and demands brought against Company and its Affiliates, officers, directors, employees or agents, where the third party claimant expressly asserts that (i) the Product infringes such third party's trademarks, copyrights or US patents, or (ii) SugarCRM misappropriated such third party's trade secrets in the development of the Product, and (b) pay damages, if any, finally awarded by a court of competent jurisdiction against the Company indemnified parties or agreed upon in settlement by SugarCRM (including other reasonable out-of-pocket costs incurred by Company or its Affiliates, including reasonable attorneys' fees, in connection with enforcing this Section 9.1), subject to the exclusions (1)-(5) set forth below.  SugarCRM has no obligation to Company under this Section for any claim, action or demand to the extent that such claim, demand or action is based on: (1) Third Party Software, Company Software or Company Data, (2) Modifications where the Product would not infringe but for the Modifications and excluding Modifications made by SugarCRM, (3) combination of the Product with other products, processes or materials where the Product would not infringe except for such combination, (4) where Company continues to use the Product after being notified of allegedly infringing activity or being informed of Modifications that would have avoided the alleged infringement, or (5) where Company's use of the Product is not in accordance with this Agreement. In the event that SugarCRM believes the Product, or any part thereof, may be the subject of an infringement or a misappropriation claim as to which this Section applies, then SugarCRM may, in its discretion and at its sole expense:  (1) procure for Company the right to continue using such Product or any applicable part thereof, (2) replace such Product, or infringing part thereof, with a non-infringing version (or part thereof), (3) modify such Product, or infringing part thereof, so as to make it non-infringing, or (4) in the event that (1), (2) or (3) are not commercially feasible, then Company shall have the right to terminate this Agreement solely with respect to the infringing Product, and, notwithstanding anything to the contrary in this Agreement, have SugarCRM refund to Company the pro rata unused portion of any pre-paid Subscription fees. This Section states SugarCRM's sole liability to, and Company's exclusive remedy for, INFRINGEMENT CLAIMS OF ANY KIND in connection with the sugarcrm products or services delivered under or in connection with this agreement.
    • 9.2 Company. Company shall at its expense (a) defend or settle any third party claims, actions and demands brought against SugarCRM and its Affiliates, officers, directors, employees and agents, and (b) pay all damages, if any, finally awarded against the SugarCRM indemnified parties or agreed upon in settlement by Company (including other reasonable out-of-pocket costs incurred by SugarCRM or its Affiliates, including reasonable attorneys' fees, in connection with enforcing this Section) arising from: (i) Company's breach or violation of Company's responsibilities under Sections 1.4 or 1.5, (ii) claims that Company Data or SugarCRM's transmission or hosting thereof infringes or violates the rights of a third party, (iii) claims that Company's or its Subscription Users' use of the Product or services in violation of this Agreement infringes or violates the rights of such third party, or (iv) claims that Company failed to comply with applicable laws, rules or regulations in its performance of this Agreement.
    • 9.3 Indemnification Procedures. The party entitled to seek coverage pursuant to this Section (the "Indemnified Party") shall: (a) promptly notify the other party obligated to provide such indemnification (the "Indemnifying Party") in writing of any such claim, (b) give sole control of the defense and settlement of any such claim to the Indemnifying Party (provided that Indemnifying Party may not settle any claim in a manner that adversely affects Indemnified Party's rights, imposes any obligation or liability on the Indemnified Party or admits liability or wrongdoing on the part of Indemnified Party, in each case, without Indemnified Party's prior written consent), and (c) provide all information and assistance reasonably requested by the Indemnifying Party, at the Indemnifying Party's expense, in defending or settling such claim. The Indemnified Party may join in defense with counsel of its choice at the Indemnified Party's own expense.
  10. Limitation of Liability.
    • 10.1 Limitation on All Damages. EXCEPT FOR A BREACH BY COMPANY OF SECTION 1.5 AND COMPANY'S OBLIGATIONS TO PAY FEES UNDER ANY ORDER FORM ISSUED UNDER THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY'S LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED IN THE AGGREGATE, THE LESSER OF THE TOTAL AMOUNT PAYABLE BY COMPANY TO SUGARCRM UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE ACT OR OMISSION GIVING RISE TO THE LIABILITY OR FIVE HUNDRED THOUSAND DOLLARS ($500,000).
    • 10.2 Disclaimer of Consequential Damages. EXCEPT FOR A BREACH BY COMPANY OF SECTION 1.5, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY LOST PROFITS OR REVENUE OR FOR ANY INDIRECT, SPECIAL, COVER, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES, ARISING UNDER THIS AGREEMENT AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.
    • 10.3 Scope of Limitations on Liability. THE LIMITATIONS SET FORTH IN THIS SECTION 10 SHALL APPLY NOTWITHSTANDING THE FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY AND REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH CLAIMS ARE BROUGHT (CONTRACT, TORT, INCLUDING NEGLIGENCE OR OTHERWISE).
  11. General.
    • 11.1 Publicity. SugarCRM may include the Company name on a customer list and Company shall cooperate with SugarCRM in connection with any publicity regarding Company's use of the Product and/or services.
    • 11.2 United States Government Users. The Product was fully developed at private expense and is commercial computer software as defined in FAR 2.101. Any related documentation, technical data, or services are also commercial. In accordance with FAR 12.212 and DFARS 227.7202, all rights conferred in the Product, related documentation, technical data, services, or any deliverable to the United States Government are specified in this Agreement. All other uses are prohibited and no ownership rights are conferred.
    • 11.3 Export Compliance. Product is subject to all applicable export control laws and regulations, including, without limitation, those of the United States Government. Company shall fully cooperate with SugarCRM in securing any export licenses and authorizations required under applicable export control laws and regulations.  Company shall comply with all such laws and regulations and agrees that it shall not, directly or indirectly, export, re-export, divert, release, transfer, or disclose any such Product, or any direct product thereof, to any prohibited or restricted destination, end-use or end-user or to a government or other end user who requires a United States export license, except in accordance with all relevant export control laws and regulations.  Company shall make its records available to SugarCRM upon reasonable request to permit SugarCRM to confirm Company's compliance with its obligations as set forth in this Section. 
    • 11.4 Communications. Company authorizes SugarCRM and its Affiliates (and their successors and assigns, their contractors and SugarCRM business partners) to store and use Company's business contact information, including Company employee's and contractor's names, business phone numbers, and business e-mail addresses in connection with providing the Products or in furtherance of SugarCRM's business relationship with Company. 
    • 11.5 Assignment. Neither party may assign any of its rights or obligations under this Agreement, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without the consent of the other party, to its Affiliates or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns. Any attempted assignment in breach of this Section 11.5 shall be void.
    • 11.6 Relationship of the Parties. SugarCRM and Company are independent contractors, and nothing in this Agreement or any attachment hereto will create any partnership, joint venture, agency, franchise, sales representative, or employment relationship between the parties.
    • 11.7 No Third-Party Beneficiaries. There are no third party beneficiaries to this Agreement.
    • 11.8 Choice of Law and Jurisdiction. This Agreement is governed by and construed in accordance with the laws of the State of California and the federal U.S. laws applicable therein, excluding its conflicts of law provisions. Company and SugarCRM agree to submit to the personal and non-exclusive jurisdiction of the courts located in Santa Clara County, California. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement.
    • 11.9 Attorney's Fees. In any action related to this Agreement, if any party is successful in obtaining some or all of the relief it is seeking or in defending against the action, the other party shall pay, on demand, the prevailing party's reasonable attorneys' fees and reasonable costs.
    • 11.10 Manner of Giving Notice. Notices regarding this Agreement shall be in writing and addressed to Company at the address Company provides, or, in the case of SugarCRM, to legal@sugarcrm.com or alternatively addressed to SugarCRM Inc., Attn. General Counsel, 10050 North Wolfe Road SW2-130, Cupertino, CA 95014 USA. Notices regarding the Product in general may be given by electronic mail to Company's e-mail address on record with SugarCRM.
    • 11.11 Force Majeure. Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations which may be delayed but not excused) due to circumstances beyond such party's reasonable control, including acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (excluding those involving such party's employees), service disruptions involving hardware, software or power systems not within such party's reasonable control, and denial of service attacks.
    • 11.12 Official Language. The Agreement and any Order Forms or exhibits attached hereto (the "Collective Agreements") entered into between Company and SugarCRM shall be in English. Any translations of the Collective Agreements that SugarCRM may provide to Company, are for Company's convenience only, and in all cases, unless otherwise prohibited by law, the English version of the Collective Agreements will govern the relationship between the parties. For the avoidance of doubt, if there is any contradiction between the English language version of the Collective Agreements and the translations, the English language version of the Collective Agreements will govern.
    • 11.13 Entire Agreement. This Agreement and any Order Forms or exhibits attached hereto or URLs referenced herein represent the entire agreement of the parties concerning its subject matter and is intended to be the final expression of their Agreement, and supersede all prior and contemporaneous agreements, proposals, or representations, whether written or oral. SugarCRM may offer additional Products that may be subject to supplemental terms and conditions applicable to those Products, the terms of which may be found here: support.sugarcrm.com/Resources. Except for the product description, quantity and fees, additional terms stated on Company's preprinted purchase order form shall be void. In the event of a conflict between this Agreement and a contemporaneous or later dated Order Form, the terms of the contemporaneous or later-dated Order Form will control with respect to that specific order. No failure or delay in exercising any right hereunder shall constitute a waiver of such right. No amendment or waiver of any provision of this Agreement or an Order Form shall be effective unless in writing and signed (either manually or electronically) by an authorized representative of Company and SugarCRM.
    • 11.14 Equitable Relief. Except as otherwise provided, remedies specified herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.
    • 11.15 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect.
  12. Definitions.
    • 12.1 "Affiliate" means a company that is Controlled by, under common Control with or Controls a party hereto.
    • 12.2 "API" means application programming interfaces provided by SugarCRM as part of the Product or which is made available by a third party, which set forth rules and specifications that Third Party Modules may utilize to access Company Data.
    • 12.3 "Authorized Partner" means a company that is in good standing under SugarCRM's partner or reseller program.
    • 12.4 "Company Data" means any data, information or material stored by Company in the Product.
    • 12.5 "Company Software" means applications and software products that are developed by or for Company.
    • 12.6 "Confidential Information" means information that one party provides to the other party during the term of this Agreement that is identified at the time of disclosure as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.
    • 12.7 "Control" means ownership, directly or indirectly, of more than 50% of the voting securities that vote for the election of the board of directors or other managing body.
    • 12.8 "Copyleft License" means a software license that requires that information necessary for reproducing and modifying such software must be made available publicly to recipients of executable versions of such software (see, e.g., GNU General Public License and http://www.gnu.org/copyleft/).
    • 12.9 "Critical Control Software" means software with functionality that reports the number of authorized Subscription Users, and provide SugarCRM (and Authorized Partners, where applicable) with the ability to monitor certain usage of the Product.
    • 12.10 "Malicious Code" means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents, or programs.
    • 12.11 "Modifications" means any work based on or incorporating all or any portion of the Product, including, without limitation, modifications, enhancements and customizations to the Product developed by SugarCRM, Company, a third party on either such party's behalf or any combination of such parties.
    • 12.12 "Order Form" means (i) a document for purchases of Subscriptions hereunder, prepared by SugarCRM or an Authorized Partner, that are signed by Company, and that are accepted by SugarCRM, (ii) the documentation associated with Company's purchase via SugarCRM's website store including any order confirmations sent by SugarCRM, and (iii) subject to Section 11.13, a Company prepared purchase order, if accepted by SugarCRM.
    • 12.13 "Product" means software that SugarCRM supplies, licenses and/or sells to Company from time to time during the Subscription Term which may be provided either On-Site or via Sugar Cloud, including any software that is downloadable from a third party app store (e.g. Sugar Mobile) or from Sugar Exchange.
    • 12.14 "Subscription" means Company's right to use the Product for the Subscription Term, per the terms of the Agreement and the related Order Form(s).
    • 12.15 "Subscription Term" means the period of time which Company may access the applicable Product as set forth in an Order Form.
    • 12.16 "Subscription User" means an individual employee, contractor or agent of Company authorized to use the applicable Product for which a Subscription has been purchased and who has been given a user identification and password.
    • 12.17 "Taxes" means any direct or indirect local, state, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including VAT (subject to reverse charge), GST (subject to reverse charge), excise, sales, use or withholding taxes.
    • 12.18 "Third-Party Modules" means software developed by a third party that may add functionality to the Product, the use of which software is governed by the applicable terms and conditions specified by such third party.
    • 12.19 "Third-Party Software" means applications or software products that are developed by third parties, and that may interoperate with the Product, the use of which software is governed by the applicable terms and conditions specified by such third party.
    • 12.20 "Usage Data" means diagnostic and usage related content from the computer, mobile phone or other devices the Company's Subscription Users use to access the Product and may include, but is not limited to, IP addresses, internet service, location, type of browser and modules that are used and/or accessed, licensing, system and service performance data. Usage Data does not, however, include Company Data 

Exhibit A

Terms of Use

A. The following are the unique Terms of Use of the Portal (if included in the Product purchased by the Company):

  1. Definitions.
    • (a) "Portal" means a Software module provided by SugarCRM that is designed to communicate with the Product.
    • (b) "Portal User" means an individual who is an employee of one of Company's customers, who is permitted to access and use the Portal. A Subscription User, Company and/or Affiliate employee, contractor or agent shall not be a Portal User.
  2. Where applicable, Company shall have a non-exclusive, revocable, non-transferable right to access and use the Portal in a development and production environment during the Subscription Term, in each case solely for Company's own internal business purposes and limited to the number of concurrent Portal Users as indicated by the Product version that is purchased by Company. Concurrent usage is measured by the number of Portal Users logged in at any one point in time. Portal User accounts cannot be shared or used by more than one individual. Notwithstanding anything to the contrary in this Exhibit A, one (1) Company employee may access and use the Portal for administration purposes only (i.e., to provide access to Portal Users).
  3. Company shall be responsible for any acts or omissions of Company's Portal Users and Company's Portal Users' compliance with all of the terms of this Agreement.

B. The following are the terms of use that apply when SugarCRM is providing Sugar Cloud:

  1. Sugar Cloud Usage Rights.  Subject to the Terms of Use and the terms of the Agreement, Company shall have the right to access, use and modify the Product during the Subscription Term solely for Company's own internal business purposes.  The Product may be accessed through a web browser and/or mobile web client. Company agrees to comply with the following Sugar Cloud usage guide:
    http://support.sugarcrm.com/Resources/Sugar_Cloud_Policy_Guide/index.html
  2. Software Releases. During the Subscription Term, if Company has paid the applicable fees and is in compliance with the terms and conditions of the Agreement, SugarCRM shall provide automatic updates to Company's instance of the Product with Software Releases.  "Software Releases" may be comprised of Maintenance Releases and/or Feature Releases (as defined below).
    • "Maintenance Releases" means an update to the Product which includes fixes to known defects and does not intentionally introduce any new or modified application behavior.
    • "Feature Releases" means a software update which includes both fixes to known defects and introduces new or modified application behavior or changes the available features or functionality of the Product.  
  3. Customizations. If Company decides to customize the Product for Company's environment, Company agrees that such customization will be Sugar-certified customizations using the Sugar Module Loader (or other SugarCRM-approved method) and compliant with established industry security standards.
  4. Development. Company agrees that it will not, directly or indirectly, conduct any activity that will degrade performance beyond an acceptable level, including but not limited to: (a) conducting automated functionality tests or load tests on the Product against Company's staging and/or testing environments, (b) creating Internet links to the Product, and/or (c) deploying custom modifications that adversely impact the SugarCRM infrastructure due to incompatible code, inefficient code or architecture practices. Company also agrees not to "frame," "fork" or "mirror" any part of the Product on any other device. If Company does any of the foregoing, SugarCRM shall have the right to terminate or suspend Company's account and access to the Product without any refund or credit until Company corrects such violation to SugarCRM's reasonable satisfaction.
  5. Data Storage. With respect to Sugar Cloud, the maximum disk storage space, including any replication(s) of Company's environment (i.e., sandbox) will be determined based on the Product purchased by Company (the "Storage Limit"). If the amount of storage required by Company exceeds the Storage Limit, SugarCRM shall invoice Company the then-current storage fees for such excess use. Company agrees to pay such data storage fee within thirty (30) days of invoice.
  6. Backup of Data. Company may submit a request to SugarCRM, to receive the number of recoveries of Company's Data from backup per calendar month free of charge (the "Recoveries") as indicated by the Product version that is purchased by Company. Additional Recoveries may be available for an additional charge at SugarCRM's then-current rate for such backup services, which rate can be ascertained by contacting a SugarCRM sales representative.
  7. Replication of Environment (Sandbox). Upon Company's request to SugarCRM and at no additional charge, Company is entitled to receive the number of duplicates of Company's production environment (data application logic and configuration) ("SandBox") per calendar month, as indicated by the Product version that is purchased by Company. Any additional requests for a Sandbox shall be subject to SugarCRM's then-current fees for such services.  A Sandbox is intended to be used for development, testing, or staging of any modifications to Company's production environment instance, and not for use as a production environment instance.
  8. Handling of Company Data Post Termination. If Company is using Sugar Cloud as of the effective date of termination, upon written request by Company made within ninety (90) days of the effective date of expiration or termination of the Agreement (the "Post-Term Period"), SugarCRM agrees to make available to Company, a copy of Company's production environment. Further, during the Post-Term Period and upon the Company's request, SugarCRM shall grant the Company limited access to Sugar Cloud for the sole purpose of permitting the Company to retrieve Company Data, provided that the Company has paid in full all good faith undisputed amounts owed to SugarCRM. Upon expiration of the Post-Term Period, SugarCRM will have no further obligation to maintain for or provide to Company any of the Company Data and may thereafter, unless legally prohibited, delete all Company Data in its systems or otherwise in its possession or under its control.

C. The following are the terms of use that apply to the On-Site Product (whether hosted by Company or by a third party on behalf of Company):

  1. License Grant. Subject to the terms of this Agreement, SugarCRM will make the Product available to Company and its Subscription Users for use at the Company's premises or on a Company-controlled server within a third-party data center, and grants Company, during the Subscription Term only, a non-exclusive, revocable, non-transferable (except as provided in Section 11.5 of the Agreement) right to install, use and modify the Product solely for Company's own internal business purposes.
  2. Delivery. SugarCRM shall electronically deliver or make available the Product and the information necessary for Company's use and installation of the Product.
  3. Software Releases. During the Subscription Term, SugarCRM may provide Long Term Supported Releases to the Product, from time to time. Company understands and agrees that, Company may not have immediate access to new or improved features or newer versions of the Product until the Long Term Supported Release is issued to On-Site customers by SugarCRM.  "Long Term Supported Release" means a Product update that includes fixes to known defects, introduces a new or modifies existing application behaviour and/or changes the available features or functionality of the Product.
  4. End-of-Life Policy. Company understands and acknowledges that SugarCRM regularly retires older versions of the Product and that Support Services on the older versions of the Product are only provided to customers for a designated period of time (the "End-of-Life Policy"). The End-of-Life Policy for Product versions can be found at: http://support.sugarcrm.com/Resources/Supported_Versions/index.html.  Company understands that Support Services for the Product will end according to the End of Support Dates indicated therein and that prior to the End of Support Date for the version of the Product that Company is using, Company must upgrade to the latest supported version of the Product in order to continue receiving Support Services from SugarCRM. SugarCRM reserves the right to modify its End-of-Life Policy in the future, by providing notices of such modifications at the URL noted above.

D. The following are terms of use that apply to the SugarCRM Hint ("Hint") add-on product (if purchased by Company):

  1. Content. Hint provides access to certain data and information ("Content"), including Content regarding companies and/or individuals, which is licensed to SugarCRM from third parties ("Content Providers"). SugarCRM reserves the right to replace Content Providers and to provide different Content or cease providing certain types of Content, at its sole discretion. Company agrees that any use of Hint or the Content by Company will be in compliance with all laws and regulations applicable to the Company and the Content, including but not limited to applicable privacy laws. Any provisions in the Agreement regarding third-party claims or indemnification do not apply to Content.
  2. License. SugarCRM grants Company a limited nonexclusive right to install the Hint module in Company's instance of Sugar and access and use the Hint service via the Hint module during the Subscription Term. The number of users licensed and authorized to use Hint shall not exceed the number of Subscription Users indicated in the Order Form. Content may only be accessed through Hint and such Content may only be saved within the database associated with the Sugar instance. Company is required to purchase a subscription to Hint equal to the same number of Sugar Subscription Users that it has licensed. Subscriptions are for designated Subscription Users and cannot be shared or used by more than one user but may be reassigned to new Subscription Users replacing former Subscription Users who no longer require the use of Hint and the associated Sugar license.
  3. Support. Hint is supported in accordance with the standard support terms for the Sugar product. Hint is a hosted service and as a result SugarCRM may regularly update and modify Hint at its sole discretion and without notice to Company. Any service level or uptime commitments contained in the Agreement with regards to Sugar do not apply to Hint.
  4. Third-Party Copyrighted Materials. Certain Content may be a web site link to a third-party web site. All title and intellectual property rights in and to the content of any third-party web site that may be linked to or viewed in connection with Hint is the property of the respective third-party content owner and may be protected by applicable copyright or other intellectual property rights. Any use by Company of the third-party web site is subject to the terms and conditions provided by such third party, and no rights to any third-party web site are granted to Company.
  5. Interoperation between the Sugar and Hint. Hint interoperates with the Company's instance (whether On-Site or Sugar Cloud) of Sugar. Hint is a Sugar Cloud service only. SugarCRM offers Hint via servers located in the United States (or such other location(s) as SugarCRM may determine in its sole discretion) regardless of the location of Company's Sugar deployment.
  6. Usage Data. In the course of Company's use of Hint, SugarCRM may collect, use, process and store usage data, including in order to create and compile anonymized and aggregated statistics about Hint. For details see SugarCRM's privacy policy here: http://www.sugarcrm.com/legal/privacy-policy.
  7. Personal Data. Personal data is any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under the EU GDPR and any related national laws governing data protection). If the Company is using Hint for obtaining personal data from EU data subjects, the following shall apply:
    • (a) Company shall not use Hint for obtaining or attempting to obtain or enriching (a) personal data of any EU data subjects below the age of 16, or (b) other sensitive data such as data regarding racial or ethnic origin, political opinions, religious or philosophical believes or trade union membership, data concerning health or sex life or sexual orientation.
    • (b) Company may only transfer any data of EU data subjects to countries outside EU if Company is in compliance with GDPR Art. 46 (1) and (2).
  8. Restrictions. Company shall not (a) use the Content to determine a consumer's eligibility for (i) credit or insurance for personal, family or household purposes, (ii) employment, (iii) a government license or benefit, or (iv) any other purpose governed by the Fair Credit Reporting Act; (b) access or use Hint or the Content in order to build a similar or competitive service; (c) except as expressly permitted herein, resell, copy, reproduce, distribute, republish, download, display, post or transmit any part of Hint or the Content; (d) access Content through any means other than the Hint user interface; (e) attempt to access the Content via an API directly; (f) except to the extent SugarCRM provides the ability to automatically export data, mass export any of the Content from Hint or Sugar through automated means, including by way of example, calls to Hint or an associated API that are made more frequently than may reasonably be performed by a human user using a standard web browser; (g) modify or create derivative works based on the software, program code or user interfaces comprising Hint; (h) copy, frame or mirror Hint, other than copying or framing on Company's own intranets or otherwise for Company's own internal business purposes; or (i) reverse engineer Hint, or attempt to gain unauthorized access to the Hint service or its related systems.
  9. Warranty and Disclaimer. Hint is warranted as a Product under the Agreement. CONTENT IS PROVIDED "AS-IS," WITHOUT ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SUGARCRM AND CONTENT PROVIDERS DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. SUGARCRM AND CONTENT PROVIDERS DO NOT WARRANT THE COMPREHENSIVENESS, CORRECTNESS, OR ACCURACY OF THE CONTENT OR THAT ACCESS TO THE CONTENT WILL BE UNINTERRUPTED, CURRENT OR ERROR FREE. SUGARCRM AND CONTENT PROVIDERS MAKE NO WARRANTY WHATSOEVER ABOUT THE QUALITY, PROVENANCE OR LEGALITY OF CONTENT, OR THAT THE SOURCES OF ANY CONTENT HAD OR HAVE THE RIGHT OR AUTHORITY TO PROVIDE SUCH DATA TO IT OR THAT IT HAS THE RIGHT OR AUTHORITY TO PROVIDE IT TO COMPANY. COMPANY ASSUMES ALL RESPONSIBILITY AND RISK FOR ITS USE OF CONTENT.
  10. Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, IN NO EVENT SHALL SUGARCRM'S OR THE CONTENT PROVIDER'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THE COMPANY'S USE OF HINT EXCEED THE TOTAL AMOUNT PAID BY COMPANY FOR THE HINT SERVICES UNDER THE ORDER FORM.

The following Appendix is incorporated into the Agreement to the extent either (a) the Company is based in the EU, or (b) SugarCRM is processing personal data of EU data subjects.

Data Processing Appendix

This Data Processing Appendix on the processing of personal data on behalf of a controller in accordance with Article 28 (3) of the GDPR is an appendix to the Master Subscription Agreement.

Preamble

This Data Processing Appendix ("DPA") details the parties' obligations on the protection of personal data associated with the processing of Personal Data on behalf of Company or an Authorized Affiliate ("Contract Processing") as described in the MSA and/or Professional Services Agreement (including any Order Forms, Statements or Work, annexes or schedules attached thereto or URLs referenced therein) entered into between the parties (as applicable, the "Principal Agreement").

As used in this DPA, all capitalized terms not otherwise defined herein shall have the meanings given to such terms in the Principal Agreement.

  1. Scope, duration and specification of contract processing of Personal Data
    • The Principal Agreement defines the scope and duration of the data processing as well as the type and the purpose of the data processing. The details for the data processing are as specified in the attached Schedule A "Service Specific Schedule/Data Processing Description.
    • This DPA shall become effective on 25th of May 2018 and remain in force for the duration of the Principal Agreement.
  2. Scope of application and Responsibilities
    • 2.1    Relationship of the parties:
      • Company (a) is the sole Controller of Personal Data or (b) has been instructed by and obtained the authorization of the relevant Authorized Affiliate(s) to agree to the Processing of Personal Data by SugarCRM as set out in this DPA.
      • The parties agree that SugarCRM processes Personal Data on behalf of Company and Authorized Affiliates. Company is solely responsible for entering Personal Data into the Product and any combination or interoperation with third-party software or products. Company retains all ownership in the Personal Data and shall have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Company acquired Personal Data, and compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Personal Data to SugarCRM, the lawfulness of having Personal Data processed on behalf of Company as well as the lawfulness of any instructions it provides to SugarCRM. SugarCRM is not responsible for determining the requirements of laws applicable to Company´s business or that SugarCRM´s provision of the Service meets the requirements of such laws. Company will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable data protection laws.
    • 2.2    Processing:
      • Company grants SugarCRM the non-exclusive right to use, access and process all Personal Data for the sole purpose and to the extent necessary for SugarCRM to provide the Product or Service to Company and to perform its obligations under the Principal Agreement.
    • 2.3    Instructions:
      • Company´s instructions on Contract Processing are as documented in the Principal Agreement ("Documented Instructions"). The Parties agree that Company may subsequently ask to amend, change or replace the Documented Instructions in writing. Those instructions must not change the material scope of the Services and shall only become binding upon execution of a written amendment to the Principal Agreement (hereinafter, a "New Processing Instruction"). The Parties agree that any costs of such New Processing Instruction, to the extent they exceed the scope of the Documented Instructions or require additional effort or costs will be paid by Company to SugarCRM.
    • 2.4    Prohibited data:
      • Company shall not disclose (and shall not permit any data subject to disclose) to SugarCRM any special and/or prohibited categories of Data for processing that are not expressly disclosed in Schedule A.
  3. Obligations of SugarCRM
    • 3.1    Purpose limitation:
      • SugarCRM shall process the Personal Data as necessary to perform its obligations under this DPA and in accordance with the Principal Agreement, including the Documented Instructions and any binding New Processing Instruction (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law to which SugarCRM is subject.
    • 3.2    Confidentiality of processing:
      • SugarCRM shall ensure that any person that it authorises to process the Personal Data (including SugarCRM´s staff, agents and subcontractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    • 3.3    Security:
      • SugarCRM shall organise SugarCRM's internal organisation so that it satisfies the specific requirements of data protection as follows: SugarCRM shall implement appropriate technical and organisational measures to protect (within SugarCRM's ´s scope of responsibility) the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data. At a minimum, such measures shall include the measures identified in Schedule B. Company is familiar with these technical and organizational measures, and it shall be Company's responsibility that such measures ensure a level of security appropriate to the risk. SugarCRM shall be entitled to modify the security measures identified in Schedule B, provided, however, no modification shall be permissible if it materially derogates from the level of protection contractually agreed upon.
    • 3.4    Cooperation and data subjects' rights
      • a. SugarCRM shall provide reasonable assistance to Company to the extent it is agreed upon by the parties, at Company´s expense, to enable Company to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, rectification, erasure, restriction, data portability and objection, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data. This shall only apply if (a) Company does not have the technical ability to address such a request itself or migrate Personal Data to another system or service provider; and (b) SugarCRM is legally permitted to do so and has reasonable access to the relevant Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to SugarCRM and where SugarCRM is able to correlate the data subject to Company, based on the information provided by the data subject, SugarCRM shall refer such data subject to Company. SugarCRM shall not be liable in the event that Company fails to timely and/or properly respond to the data subject's request.
      • b. At Company's expense and written request, SugarCRM shall (taking into account the nature of the processing and the information available to SugarCRM) provide commercially reasonable assistance to Company in order for Company to fulfill its obligations enumerated in Articles 32 to 36 GDPR if Company does not otherwise have access to the relevant information, and where possible for SugarCRM.
    • 3.5    Security incidents:
      • Upon becoming aware of a breach of personal data within SugarCRM`s scope of responsibility ("Security Incident"), SugarCRM shall inform Company without undue delay. SugarCRM shall implement reasonable measures necessary for securing Personal Data and for mitigating potential negative consequences for the data subject, and shall keep Company informed about all material developments in connection with the Security Incident. SugarCRM will not access the contents of Personal Data in order to identify information, subject to any specific legal requirements. Company is solely responsible for complying with incident notification laws applicable to Company and fulfilling any third-party notification duties. SugarCRM's notification of or response to a Security Incident under this Clause 3.6 will not be construed as an acknowledgement by SugarCRM of any fault or liability with respect to the Security Incident.
    • 3.6    Deletion or return of Personal Data:
      • Upon termination or expiry of the Principal Agreement and unless agreed otherwise in the Principal Agreement, SugarCRM shall at the request of Company destroy or return to Company all Personal Data (including all copies of the Personal Data) in its possession or control). This requirement shall not apply to the extent that Documented Instructions require SugarCRM to keep the Personal Data for a longer period or SugarCRM is required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event SugarCRM shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
    • 3.7    International transfers:
      • SugarCRM may transfer the Personal Data outside of the European Economic Area ("EEA") provided that either it is (i) to a recipient in a country that the European Commission has decided provides adequate protection for personal data, (ii) to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, (iii) to a recipient who is certified under the EU-U.S. Privacy Shield Framework, as administered by the US Department of Commerce, or (iv) to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
    • 3.8 Privacy Shield:
      • SugarCRM Inc. has been certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce.
  4. Obligations of the Company
    • 4.1    Company shall notify SugarCRM, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Company in the results of SugarCRM's product or work and any issues related to data protection arising out of or in connection with the Principal Agreement.
    • Where a data subject asserts any claims against SugarCRM in accordance with Article 82 of the GDPR, Company shall immediately notify SugarCRM in writing and shall support SugarCRM in defending against such claims.
  5. Documentation, Audits, Certifications
    • 5.1    SugarCRM shall demonstrate to Company SugarCRM's compliance with this DPA by appropriate measures.
    • 5.2    If Company is using SugarCRM Cloud Services the following will apply: For data centers used by SugarCRM as a hosting facility (the "Hosting Facilities"), any audit requirement will be satisfied by SugarCRM making available for review the then-current SSAE 16 SOC Type II audit report for the relevant Hosting Facility (or comparable industry-standard successor report). Company may need to execute a confidentiality agreement with the hosting provider to obtain such reports.
    • 5.3    Where, in individual cases, onsite audits and inspections by Company are mandatorily required by Applicable Data Protection Laws or a Supervisory Authority, such onsite audits and inspections will be conducted during regular business hours, and without interfering with SugarCRM's operations, upon prior written notice of not less than 30 days. SugarCRM may also determine that such audits and inspections are subject to a longer prior notice, and the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organizational measures and safeguards implemented. SugarCRM shall be entitled to rejecting auditors which are competitors of SugarCRM. SugarCRM shall be entitled to requesting a remuneration for SugarCRM's assistance in conducting inspections and Company shall reimburse for any costs (including internal efforts) and expenses associated with any audit. SugarCRM's time and effort for such inspections shall be limited to one day per calendar year in total for all audits requested by Company and any Authorized Affiliate.
    • 5.4    Where a data protection supervisory authority conducts an inspection, Clause 5.3 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations the breach of which is sanctionable under the applicable criminal code.
  6. Sub- processors
    • 6.1    SugarCRM shall not subcontract any processing of the Personal Data to a third-party subcontractor without the prior written consent of the Company. Company herewith consents that (a) SugarCRM Affiliates may be retained as Sub-processors in connection with the provision of the Services, and (b) SugarCRM uses the Sub-processors specified on the list available under at the following URL: https://support.sugarcrm.com/Resources/index.html#Data_Protection. Company herewith also consents to SugarCRM engaging additional third-party subcontractors to process the Personal Data provided that: (i) SugarCRM provides at least 30 days' prior notice of the addition or removal of any Sub-processor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal at the URL specified above; (ii) SugarCRM imposes data protection terms on any sub-processor to the equivalent standards provided for by this DPA; and (iii) SugarCRM remains fully liable for any breach of this DPA that is caused by its sub-processor.
    • 6.2    Company may object in writing the appointment of a third-party processor for legitimate legal data protection reasons within 30 days after the notice was posted by SugarCRM in writing. If no such written refusal has been made, consent shall be deemed granted. If Company objects the appointment of a third-party sub-processor as set forth herein, then SugarCRM shall have the option of either (a) not using that third-party processor for its engagement with the Company, (b) terminate the Principal Agreement in writing by providing no less than 30 days prior written notice or (c) if the sub-processor affected is used for cloud services, agree with Company on a migration to On-Site deployment as set out in the Agreement.
  7. Assistance, amendments
    • Company will make a written request for any assistance referred to in this DPA. SugarCRM will charge Company no more than a reasonable charge to perform such assistance or New Processing Instructions, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement.
    • No waiver, amendment or modification of this DPA and/or any of its Schedules shall be valid and binding unless made in a signed writing.
    • In case of any conflict, the terms of this DPA shall take precedence over the terms of the Principal Agreement. Where individual terms of this DPA are invalid or unenforceable, the validity and enforceability of the other terms of this DPA shall not be affected.
  8. Authorized Affiliates
    • 8.1    Contractual Relationship.
      • Company's execution of this DPA is on behalf of itself and each of Company's Authorized Affiliates, such that a separate DPA is deemed to be entered into between SugarCRM and each such Authorized Affiliate. Company agrees on behalf of each Authorized Affiliate that the Authorized Affiliate is bound by the obligations under this DPA.
    • 8.2    Communication.
      • Company shall remain responsible for coordinating all communication with SugarCRM under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. SugarCRM shall be discharged of its obligations to inform or notify the Authorized Affiliates when SugarCRM has provided such information or notice to Company. Company is responsible for ensuring that all Instructions and decisions (e.g. regarding subcontractors) are identical for the Company and each of the Authorized Affiliates and undertakes.
    • 8.3    Rights of Authorized Affiliates.
      • Authorized Affiliates (as Controllers) may have certain direct rights against SugarCRM. Company undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the Authorized Affiliates and to reimburse SugarCRM on behalf of the Authorized Affiliate for any additional costs and expenses. In addition, the Company shall be required to ensure that any and all rights and remedies sought by the Company and Authorized Affiliates are collective and consistent with each other.
    • 8.4    Termination Right.
      • SugarCRM shall be entitled to terminate an Authorized Affiliate´s participation in this DPA by providing written notice to Company in the event that (a) Principal Agreement does not expressly allow the use of the Product or Services by Authorized Affiliates, (b) such Authorized Affiliate is in breach of this DPA, or (c) Company is in default of payment of the additional costs, expenses or extra efforts caused by that Authorized Affiliate.
    • 8.5    Company's Notification Obligation of Authorized Affiliates.
      • Pursuant to section 10(b)(v), Company shall notify SugarCRM in writing of all Authorized Affiliates, including each such Authorized Affiliate's name and address. Notwithstanding anything to the contrary, only affiliates included in such notification(s) shall be Authorized Affiliates under this DPA and the Principal Agreement.
  9. Principal Agreement
    • Unless otherwise set forth herein, all terms and conditions of the Principal Agreement remain in full force and effect, including without limitation, indemnification, confidentiality and limitation of liability. For the avoidance of doubt, SugarCRM´s total liability for all claims from the Company and all of its Authorized Affiliates arising out of or related to the Principal Agreement and each DPA shall apply in the aggregate for all claims under both the Principal Agreement and all DPAs established under the Principal Agreement, including by Company and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Company and/or to any Authorized Affiliate that is a contractual party to any such DPA. Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.
  10. Definitions
    1. "Data Protection Laws" means the GDPR and any related national laws governing data protection.
    2. "Authorized Affiliate" means any of Company's Affiliate(s) which (i) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, (ii) is authorized by the Company to use the SugarCRM Product, (iii) is permitted to use the Product and Services pursuant to the Principal Agreement between Company and SugarCRM, (iv) has not signed its own Order Form or agreement with SugarCRM and (v) Company has notified SugarCRM in writing (at legal@sugarcrm.com) that such Affiliate has been authorized to use the SugarCRM Product, including notification of the full legal name of the Affiliate and the Affiliate's address.
    3. "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    4. "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    5. "Personal Data" means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws) where for each (i) or (ii), such data is Company Data or has been provided to SugarCRM in order to provide support under the Principal Agreement.
    6. "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    7. "Processor" means the entity which Processes Personal Data on behalf of the Controller.
    8. "Sub-processor" means any Processor engaged by SugarCRM.

Schedule A

Service Specific Schedule / Data Processing Description

This Schedule A forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

Data subjects*

The personal data to be processed concern the following categories of data subjects:

  • Customers
  • Potential Customers
  • Employees
Categories of data*

The personal data to be processed concern the following categories of data

  • Customer contact data
  • Potential customer contact data
  • Employee contact data
Special categories of data (if appropriate)

The personal data to be processed concern the following special categories of data (please specify):

None

Processing operations

The personal data will be subject to the following basic processing activities:

  • Support
  • Hosting (if Sugar cloud product has been subscribed to by Company)
  • Professional Services (if Parties have entered into a separate Professional Services Agreement)

* If other data subjects or categories of data are implicated with Company's use of SugarCRM products and services, Company shall notify SugarCRM in writing and parties shall amend this Schedule A in writing.

Schedule B

Minimum Security Measures

  1. Physical Access Controls
    SugarCRM has measures in place to prevent unauthorized persons from gaining access to SugarCRM premises where Company data is processed. Such measures include: controlling access to entry doors and sensitive areas, securing and limiting access to server rooms, installing video cameras where appropriate, using electronic ID badges for entering SugarCRM offices, controlling badge holder access and logging, and alarm monitoring. Visitors must arrive at the main entrance and are met by the sponsoring employee. All visitors are issued visitor badges upon presentation of a government-issued photo ID and are required to sign-out upon leaving the premises. Sugar's cloud service uses data center facilities which are SOC 2 certified.
  2. Logical Access Controls
    SugarCRM has measures in place to prevent data processing systems from being used without authorization. Such measures include locking of terminals; regulations for user authorization; obligation to comply with data confidentiality requirements; differentiated access regulations (e. g. partial blocking); controlled destruction of data media; processes for the checking and release of programs. Company Data is encrypted at rest in our cloud environment.
  3. Intervention Control
    SugarCRM has implemented measures to prevent its personal data processing systems from being used by unauthorised persons by means of data transmission equipment. The measures taken include access and authorization concepts with different user ID's and passwords for access to data processing systems.
  4. Transfer control
    Technical measures to prevent Company Data from being processed or used during electronic transmission or during transport without authorization (e.g. by means of encryption or protection by passwords); Such measures include the following: authentication of authorized personnel, controlling the removal and destruction of data media.
  5. Input Control
    If Company Data is processed on SugarCRM systems, access to Company Data will be recorded in log files. For any Company Data stored in the SugarCRM Product, Company is solely responsible for such data input and SugarCRM does not have any control or involvement in such data input.
  6. Separation control
    Measures to ensure that data collected for different purposes can be processed separately include an authorization concept which takes account the separate processing of data in Sugar's cloud environment. Customer´s Company Data is logically separated from other customers' company data.
  7. Availability controls
    Technical measures to ensure that personal data stored in SugarCRM´s internal systems are protected against accidental destruction or loss include the use of protection programs (such as firewall, SPAM filters), rejection of unauthorized users, backup and recovery concepts. The Sugar cloud instance makes use of multiple data centers, and clustering to avoid interruptions in service.

Last modified: 2018-05-21 23:03:09