SugarCRM SupportResourcesSugarCRM Agreements and Terms of UseCurrent Master Subscription AgreementsMaster Subscription Agreement (EMEA)

Master Subscription Agreement (EMEA)

This agreement is between SugarCRM Inc. ("SugarCRM") and the party named above ("Company").

1 Subscription.

1.1 Deployment Model. The Product is made available and licensed to the Company pursuant to the terms of this Agreement and the relevant Order Form during the Subscription Term. The Product shall either be: (a) installed by or for Company at Company's premises, or on a Company-controlled server within a third-party data center ("On-Site"), or (b) hosted by SugarCRM and provided as a service ("Sugar Cloud").

1.2 Use of the Product.

1.2.1 Terms of Use. The terms of use that govern Company's use of the Product are set forth in Exhibit A hereto, unless otherwise agreed in an Order Form.

1.2.2 Usage Limits. SugarCRM will provide Company with a key enabling the Subscription Users for which Company has paid the applicable fees to access the Product. Company agrees to only allow said Subscription Users to access the Product and to not share user names, passwords, or log-in information with other persons or entities. Company administrator(s) may reassign a Subscription User account during the Subscription Term if a former Subscription User no longer requires access to or use of the Product. Company shall notify SugarCRM in writing immediately of any unauthorized use of, or access to, the Product or any Subscription User account or password thereof. Users of external applications accessing functionality or data stored inside the Product require a Subscription for each user who accesses the functionality or data.

1.3 Support. During the Subscription Term, and where Company purchases the Subscriptions directly from SugarCRM, SugarCRM will provide Company with SugarCRM's standard level of support at no additional charge as indicated at or its successor url (the "Support Services"). If Company purchases Subscriptions through an Authorized Partner, then Company shall instead obtain support services directly from that Authorized Partner.

1.4 Company Responsibilities. Company hereby assumes sole responsibility for: (a) Subscription Users' use of the Product in accordance with the SugarCRM product documentation, (b) ensuring that only Subscription Users use the Product, (c) the accuracy, integrity, and legality of Company Data and the means by which it acquires and uses such data (d) determining the suitability of the Product for Company's business, (e) complying with any and all regulations and laws applicable to the Company Data and Company's use of the Product, and (f) if consent must be obtained from Subscription Users under GDPR or other data privacy laws, obtaining and storing records of the required consent from each such user.

1.5 Restrictions. Company hereby agrees to not directly or indirectly do any of the following: (a) sublicense, resell, rent, lease, distribute, market, commercialize or otherwise transfer rights or usage to all or any portion of the Product, or provide the Product on a timesharing, service bureau or other similar basis, (b) remove or alter any patent, copyright, trademark or other proprietary notice in the Product or documentation, (c) modify, remove or disable any portion of the Critical Control Software, (d) use or modify the Product in any way that would subject the Product, in whole in or in part, to a copyleft license, (e) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Product or the data contained therein, (f) use the Product or permit it to be used for purposes of product evaluation, benchmarking or other comparative analysis intended for publication without SugarCRM's prior written consent (g) use the Product in violation of applicable laws governing data protection and privacy, (h) violate third-party rights in connection with the use of the Product, (i) file or participate in an examination proceeding or other challenge to the validity of a patent that covers the Product.

1.6 Third-Party Contractors. Company may use third-party contractors to assist with the installation, use and modification of the Product for Company's own internal business use. Company shall have a written contract in place with each such contractor that contains terms and conditions no less protective of the Product and of SugarCRM's Confidential Information and intellectual property than those contained in this Agreement. Company further agrees to have all such contractors disclaim and assign any and all rights, title and interests (including all intellectual property rights) in modifications of the Product to SugarCRM. Company assumes responsibility for such contractors' compliance with the terms of this Agreement.

2 Third-Party Software and Modules.

2.1 The Product utilizes or includes certain Third-Party Software. Company acknowledges that its use of Third-Party Software in conjunction with use of the Product is governed by the applicable third party's terms and conditions and privacy policies. See for a list of such software

2.2 Company may, by means of agreements solely between Company and third parties, acquire rights to and use Third- Party Modules to add functionality to the Product, provided that such use is limited to internal use by Company in a manner that does not violate any provisions of this Agreement. SugarCRM does not warrant or support Third-Party Modules.

2.3 Any Company Data exchanged with providers of Third-Party Software or Third-Party Modules is governed by that provider's respective privacy policy. Product features that interoperate with third-party services (such as Google) depend on the continuing availability of the third-party API and program for use with the Product. Access to the third-party API or program may require Company to create an account and enter into a separate agreement with the third-party API provider. If a third party ceases to make the API or program available, SugarCRM may cease providing such third-party features without entitling Company to any refund, credit, or other compensation.

3 Proprietary Rights.

3.1 Ownership of Product and Modifications. The parties agree that SugarCRM owns all right, title, interest and intellectual property in and to the Product and Modifications thereof ("SugarCRM Property"). No rights or use rights are granted to Company in the SugarCRM Property except as expressly provided herein. Company hereby does and will assign to SugarCRM all right, title and interest worldwide in the intellectual property rights embodied in all Modifications. To the extent any of the rights, title and interest are not assignable by Company to SugarCRM, Company herewith grants and agrees to grant to SugarCRM an exclusive, royalty-free, transferable, irrevocable, worldwide, fully paid-up license under Company's intellectual property rights to use, disclose, reproduce, license (with rights to sublicense through multiple tiers of sublicensees), sell, offer for sale, distribute, import and otherwise exploit the Modifications without restriction or obligation of any kind or nature. Modifications are licensed back to the Company as "Products" pursuant to this Agreement, during the Subscription Term. Except as expressly stated otherwise in this Agreement, SugarCRM retains all of its right, title and ownership interest in and to the SugarCRM Property, and no other intellectual property rights or licenses are granted to Company under this Agreement, either expressly or by implication, estoppel or otherwise, including, but not limited to, any rights under any of SugarCRM's or its Affiliate's patents.

3.2 Feedback. The parties agree that SugarCRM has unlimited rights to use and commercially exploit any feedback from Company about the SugarCRM Property or related services, as long as SugarCRM does not disclose Company's Confidential Information in so doing.

4 Company Data, Usage Data.

4.1 Company Data.

4.1.1 The parties agree that, as between them, Company owns the Company Data.

4.1.2 Processing of Company Data. Company hereby assumes sole responsibility for entering Company Data (including personal data) into the Product. Company grants SugarCRM the non-exclusive right to use, access and process all Company Data to the extent necessary for SugarCRM to provide the Product to Company and to perform its obligations under this Agreement, including technical support. Where the processing of Personal Data is within the scope of the GDPR, Exhibit B shall apply.

4.1.3 Security. SugarCRM will have in place and will maintain throughout the Subscription Term appropriate security measures to protect against accidental or unauthorized access, destruction, loss, alteration or disclosure of the Company Data.

4.2 Usage Data. SugarCRM may collect, use, process, store, and analyze Usage Data in order to create and/or compile anonymized and aggregated statistics about the Products and customer use thereof. See SugarCRM's privacy policy at

5 Payment.

5.1 Fees and Payment. Company agrees to pay all fees specified in the relevant Order Form, and Company further agrees that such fees are: (a) exclusive of taxes – see section 5.6 hereof, (b) fixed during the applicable Subscription Term, (c) quoted and payable in United States dollars (unless expressly agreed otherwise in an Order Form), (d) based upon the Subscription purchased per the agreed-upon number of Subscription Users, even if actual usage is lower, and (e) non-cancelable and non- refundable. Fees are due 30 days from the invoice date, unless otherwise noted in an Order Form.

5.2 Purchases from Authorized Partner. If Company purchases a Subscription to the Product from an Authorized Partner, Company (a) appoints Authorized Partner to act as Company's representative in the procurement and management of the Product and agrees that SugarCRM may deal with the Authorized Partner on that basis, and (b) Company will submit payment to the Authorized Partner, and the Authorized Partner will in turn submit payment to SugarCRM on Company's behalf in accordance with its agreement with SugarCRM.

5.3 Additional Subscription Users. Additional Subscription Users may be added during a Subscription Term at the then- current Subscription User Subscription fee, pro-rated beginning in the initial month in which Subscription Users are added through the remaining then-current Subscription Term, such that the Subscription Term runs concurrently for all Subscriptions.

5.4 Renewal. Fees for any renewals of this Agreement shall be set at the then-current SugarCRM list price, unless otherwise stated on the Order Form or agreed to in writing by SugarCRM.

5.5 Overdue Charges. Undisputed overdue amounts will accrue interest at a rate of 1.0% per month, or the rate specified by law, whichever is lower. SugarCRM may, without limiting its rights and remedies, suspend Company's use of the Product and Support Services until overdue amounts are paid in full.

5.6 Taxes. Fees specified in quotes and Order Forms do not include any Taxes (see definition at 12.14 below). Company is solely responsible for payment of all Taxes associated with its purchases hereunder, excluding any Taxes based on SugarCRM's net income or property.

5.7 Use Reporting. Company shall maintain accurate records necessary to verify the number of Subscription Users. Within 30 days of delivery of a written request by SugarCRM, Company shall provide SugarCRM or its third-party appointee with (i) copies of such records or (ii) alternatively at SugarCRM's sole discretion, a report regarding the Product being utilized by Company and the number of Subscription Users authorized to use the Product. If Company has more Subscription Users than Company has paid for, Company shall immediately pay the applicable fees for the additional Subscription Users, commencing on the effective date of the applicable Order Form through the remainder of the then-current Subscription Term, in addition to reasonable auditing firm costs incurred by SugarCRM in reviewing such records.

6 Term and Termination.

6.1 Term. This Agreement commences on the Effective Date and continues through the Subscription Term until all Subscriptions hereunder have expired or have been terminated. The Subscription Term shall be as specified in the applicable accepted Order Form.

6.2 Termination by Company or SugarCRM. Either party may terminate this Agreement and any then-current Order Form prior to the end of a Subscription Term if the other party: (i) materially breaches its obligations hereunder and, where such breach is curable, such breach remains uncured for 30 days following written notice of the breach or (ii) becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.

6.3 Effect of Termination. Except as expressly set forth in this Agreement, no refunds of payments will be made in the event of termination, unless termination of this Agreement is a result of a material and uncured breach by SugarCRM as set forth in Section 6.2, in which case Company will be entitled to a refund of the pro-rata portion of fees associated with such breach from the date of termination to the end of the Subscription Term. Upon expiration or termination of this Agreement, the rights granted under this Agreement and any then-current Order Forms will be immediately revoked and SugarCRM may immediately deactivate Company's account. SugarCRM shall be entitled to keep copies of Company Data solely to the extent necessary for the performance of its obligations under this Agreement. In no event shall any termination relieve Company of the obligation to pay any fees payable to SugarCRM for any period prior to the effective date of termination, unless otherwise stated in this Agreement.

6.4 Surviving Provisions. Sections 1.5, 3, 6.3, 7, 8.3, 9, 10, 11 and 12, and Exhibit A section B9, shall survive termination or expiration of this Agreement.

7 Confidentiality.

Confidentiality. During the Term of this Agreement, the parties may share private, proprietary, or otherwise confidential information with each other. The parties therefore agree as follows:

(a) Such information shall be considered "Confidential Information" if it (i) is marked or indicated by the disclosing party as confidential, or (ii) should reasonably be considered as confidential. Confidential Information does not include information that: (a) was already known to the Recipient through no wrongful act of Recipient or its agents or the party that disclosed it to Recipient, or (b) was already in the public domain through no wrongful act of the Recipient or its agents, or (c) is independently developed by the Recipient without reference to any Confidential Information disclosed hereunder.

(b) The party receiving Confidential Information (the "Recipient") will (i) protect Confidential Information from disclosure to third parties, using the same care and diligence that the Recipient uses to protect its own proprietary and confidential information, but in no case less than reasonable care; (ii) disclose Confidential Information to its and its Affiliates' employees, officers, directors, or agents on a need-to-know basis and only to the extent necessary to fulfill the purposes of this Agreement, and (iii) ensure that each such person abides by the terms of this Agreement and this section 7 in particular.

(c) The Recipient will promptly notify the disclosing party in writing of any (i) disclosure of Confidential Information in violation of this Agreement, and (ii) subpoena, demand, court order, or other legal demand requiring production or disclosure of Confidential Information in sufficient time for the disclosing party to seek to prevent such production or disclosure.

(d) Confidential Information disclosed under this Agreement shall be and remain the sole property of the disclosing party.

(e) Upon expiration or termination of this Agreement, the Recipient will comply with any request from the disclosing party to promptly return or destroy all copies of Confidential Information disclosed hereunder, provided, however, that the Recipient shall be entitled to retain archival or back-up copies of Confidential Information solely for legal, regulatory, compliance, or reasonable document-retention purposes.

(f) The parties agree that the disclosing party will suffer irreparable injury if its Confidential Information is disclosed in violation of the terms of this Agreement. The parties therefore agree that the disclosing party shall be entitled to obtain injunctive relief against a threatened breach or continuation of any such breach.

8 Warranties.

8.1 SugarCRM Warranty. SugarCRM warrants that the Product will perform materially in accordance with the online user specifications for the Product. If the Product does not conform to such warranty, and Company notifies SugarCRM of the same in writing within 30 days of when Company has become or should have become aware of such issue, SugarCRM will use commercially reasonable efforts to repair or replace the non-conforming portions of the Product. Company agrees that SugarCRM will not be responsible for any non-conformance resulting from or caused by any of the following: (i) Malicious Code present in the Company Data, (ii) modification of the Product, unless the same was made done pursuant to SugarCRM's specific written instruction, (iii) hardware or software not supplied by SugarCRM. Company's sole and exclusive remedy for an uncured breach of the warranty contained in this Section 8.1 shall be to terminate the Agreement and, where Company exercises such right of termination, have SugarCRM refund to Company the pro rata portion of any pre-paid Subscription fees from the effective date of such termination to the end of the Subscription Term.

8.2 Mutual Warranty. Each party warrants to the other party that it has the legal power and authority to enter into this Agreement.


9 Indemnity.

(a) SugarCRM will defend Company against claims that the Product infringes a third party's U.S. patent, trademark, or copyright, and SugarCRM will indemnify Company against damages and costs (including reasonable attorneys' fees) finally awarded by a court of competent jurisdiction, or paid in a settlement of the claim approved in writing by SugarCRM.

(b) SugarCRM will have no obligation to defend or indemnify for claims that arise from Company's (i) modification of the Product, or use or combination of the Product with software, hardware, data, or processes not provided by SugarCRM, if the Product would not infringe but for such use, combination, or modification, unless the same was made done pursuant to SugarCRM's specific written instruction, or (ii) continued use of the Product after being notified that SugarCRM has taken one or more of the measures set forth in section 9(c)(i) or (ii).

(c) In the event that SugarCRM believes or it has been legally determined that the Product or any part thereof may or does violate third-party intellectual property rights, SugarCRM may, in its sole discretion: (i) procure for Company the right to continue using such Product or any applicable part thereof, or (ii) modify or replace such Product or the subject part thereof with a non-infringing version (or part thereof). If SugarCRM determines in its sole discretion that (i) or (ii) of this Section 9(c) are not commercially feasible, Company shall have the right to terminate this Agreement solely with respect to the infringing product; in the case of such a termination, SugarCRM will refund to Company the pro rata unused portion of any pre-paid Subscription fees for the infringing product.

(d) Company will defend SugarCRM against claims or proceedings alleging that Company Data or SugarCRM's transmission or hosting thereof infringes or violates the rights of a third party or violates data privacy or protection laws, and Company will indemnify Sugar against damages and costs (including reasonable attorneys' fees) finally awarded by a court of competent jurisdiction or assessed by a governmental entity or in a settlement of the claim approved in writing by Company.

(e) Conditions. Neither party shall be required to defend or indemnify the other unless the party seeking a defense or indemnification (the "Requestor") (i) notifies the other party within ten (10) calendar days of the claim being served on the Requestor, (ii) gives sole control of the defense and settlement of the claim to the other party, and (iii) provides all information and assistance reasonably requested by the other party in defending or settling such claim at the Requestor's expense.

10 Limitation of Liability.




11 General.

11.1 Publicity. SugarCRM may include the Company name on a customer list and Company shall cooperate with SugarCRM in connection with any publicity regarding Company's use of the Product and/or services.

11.2 United States Government Users. The Product was fully developed at private expense and is commercial computer software as defined in FAR 2.101. Any related documentation, technical data, or services are also commercial. In accordance with FAR 12.212 and DFARS 227.7202, all rights conferred in the Product, related documentation, technical data, services, or any deliverable to the United States Government are specified in this Agreement. All other uses are prohibited and no ownership rights are conferred.

11.3 Export Compliance. The Product is subject to certain export control laws and regulations, including those of the United States Government. Company agrees to fully cooperate with SugarCRM in securing any legally-required export licenses and authorizations. Company agrees to comply with all such laws and regulations relating to the Product. Company agrees to make its records available to SugarCRM upon reasonable request to permit SugarCRM to confirm Company's compliance with its obligations as set forth in this Section. Company will not permit any Subscription User to use the Product in any U.S.- embargoed country or region. Company represents that it is not named on any U.S.-government sanctioned or denied party list.

11.4 Assignment. Neither party may assign any of its rights or obligations under this Agreement, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld), except in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of the party's assets. In the case of an assignment permitted under this Section, the assigning party agrees to ensure that the assignee agrees in writing to the terms of this Agreement.

11.5 Relationship of the parties. SugarCRM and Company are independent entities, and nothing in this Agreement or any attachment hereto creates or will create any partnership, joint venture, agency, franchise, sales representative, or employment relationship between the parties.

11.6 No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.

11.7 Choice of Law. This Agreement shall be governed by and construed in accordance with the laws of the State of California and the federal U.S. laws applicable therein, excluding its conflicts of law provisions. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply to this Agreement.

11.8 Disputes; Arbitration. The parties agree that all disputes between them shall be finally resolved by binding arbitration under the auspices of the International Chamber of Commerce (ICC). Disputes over fees shall be resolved by a single neutral arbitrator; if the parties cannot agree on an arbitrator, the arbitration entity (ICC) shall appoint one. All other disputes shall be resolved before a panel of three neutral arbitrators, with each party selecting one arbitrator and the two arbitrators selecting the third arbitrator. The arbitrator(s) shall give a written opinion stating the factual basis and legal reasoning for their decision. The prevailing party shall be entitled to an award of its reasonable attorneys' fees and costs associated with the arbitration. Any arbitration shall take place in Paris, France. The arbitration proceedings shall be conducted in the English language. An arbitration award shall be enforceable in a court of competent jurisdiction over the parties. No legal action shall be initiated or filed more than one (1) year after the cause of action arises. Notwithstanding the foregoing, any (a) request by a party for injunctive relief shall be brought before a court of competent jurisdiction and not through arbitration, nor shall arbitrators have the authority to issue injunctive relief, and (b) claim of breach of Section 7(b) or (c) hereof may be separately brought before and decided by a court of competent jurisdiction; the parties hereby voluntarily waive a trial by jury of all such claims.

11.9 Force Majeure. Neither party shall be liable to the other for any delay or failure to perform hereunder (excluding payment obligations which may be delayed but not excused) due to circumstances beyond such party's reasonable control, including acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems (excluding those involving such party's employees), service disruptions involving hardware, software or power systems not within such party's reasonable control, and denial of service attacks.

11.10 Official Language. Except as prohibited by law, the only binding versions of the document(s) that comprise this Agreement are the English versions, notwithstanding any actual or apparent agreement to non-English versions of the Agreement. Any translations of such documents are provided for convenience only and may not reflect the final version of said documents.

11.11 Entire Agreement. The Agreement represents the entire agreement of the parties concerning the subject matter thereof and is intended to be the final expression of their parties' agreement and intent. The Agreement supersedes all prior and contemporaneous agreements, proposals, and representations, whether written or oral. The parties agree that any terms or conditions stated or referenced on Company's purchase order form(s) or related documents that contradict the Order Form issued by SugarCRM or its Authorized Partners are null and void. No amendment or waiver of any provision of the Agreement shall be effective unless in writing and signed by both parties.

11.12 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, such provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions shall remain in effect.

11.13 Manner of Giving Notice. Notices regarding this Agreement shall be in writing and addressed to Company at the address or email address(es) Company provides, or, in the case of SugarCRM, to

11.14 This Agreement may be executed in counterparts.

12 Definitions.

12.1 "Affiliate" means a company that is controlled by, is under common control with, or that controls a party hereto.

12.2 "Agreement" includes this Master Subscription Agreement, the Order Form, the Data Processing Agreement between the parties if any, and any SugarCRM terms and conditions incorporated by reference in those documents, and does not include non-English translations of any of said documents except to the extent they may be required by law.

12.3 "API" means application programming interfaces provided by SugarCRM as part of the Product or which is made available by a third party, which set forth rules and specifications that Third-Party Modules may utilize to access Company Data.

12.4 "Authorized Partner" means a company that is in good standing under SugarCRM's partner or reseller program. 12.5 "Company Data" means any data, information or material stored by Company in the Product.

12.6 "Critical Control Software" means software with functionality that reports the number of authorized Subscription Users, and provide SugarCRM (and Authorized Partners, where applicable) with the ability to monitor certain usage of the Product.

12.7 "Malicious Code" means viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents, or programs.

12.8 "Modifications" means the Product as updated, upgraded, changed, enhanced, or customized to enable Company to use the Product in Company's unique environment or instance.

12.9 "Order Form" means (i) a document for purchases of Subscriptions hereunder, prepared by SugarCRM or an Authorized Partner, that is signed by Company and that is accepted by SugarCRM, (ii) the documentation associated with Company's purchase via SugarCRM's website store including any order confirmations sent by SugarCRM, and (iii) subject to Section 11.13, a Company prepared purchase order, if accepted by SugarCRM.

12.10 "Product" means the products developed or otherwise owned or in which SugarCRM has licensing rights and which are licensed to Company under this Agreement for Company's use during the Subscription Term.

12.11 "Subscription" means Company's right to use the Product for the Subscription Term, per the terms of the Agreement and the related Order Form(s).

12.12 "Subscription Term" means the period of time which Company may access the applicable Product as set forth in an Order Form.

12.13 "Subscription User" means an individual employee, contractor or agent of Company authorized to use the applicable Product for which a Subscription has been purchased and who has been given a user identification and password.

12.14 "Taxes" means any direct or indirect local, state, federal or foreign taxes, levies, duties or similar governmental assessments of any nature, including VAT (subject to reverse charge), GST (subject to reverse charge), excise, sales, use or withholding taxes.

12.15 "Third-Party Modules" means software developed by a third party that may add functionality to the Product, the use of which software is governed by the applicable terms and conditions specified by such third party.

12.16 "Third-Party Software" means applications or software products, modules, or add-ons that are developed by third parties, and that may interoperate with the Product, the use of which software is governed by the applicable terms and conditions specified by such third party.

12.17 "Usage Data" means diagnostic and usage related content from the computer, mobile phone or other devices the Company's Subscription Users use to access the Product and may include, but is not limited to, IP addresses, internet service, location, type of browser, modules and features that are used and/or accessed, and licensing, system and service performance data. Usage Data does not include Company Data.

Exhibit A

Terms of Use

A. The following are the unique Terms of Use of the Portal (if included in Company's Product subscription):

1. Definitions.

(a)  "Portal" means a Software module provided by SugarCRM that is designed to communicate with the Product.

(b)  "Portal User" means an individual who is an employee of one of Company's customers, who is permitted to access and use the Portal. A Subscription User, Company and/or Affiliate employee, contractor or agent shall not be a Portal User.

2. A Portal User is only licensed to (i) Access the Portal of the Sugar product; (ii) Register as a user of the Portal and manage their user profile; (iii) Access, search, and view articles from the Knowledge Base of the Portal; (iv) Submit and view Cases through the Portal; and (v) Submit and view Bugs through the Portal. Portal Capitalized Terms, not defined elsewhere, have the meaning described in the Sugar documentation under Role Management – Module Level Permissions and Developer Tools – Sugar Portal. Portal User accounts cannot be shared or used by more than one individual. Company acknowledges that the product does not contain technical restrictions to limit the usage and therefore Company is responsible for and agrees to limit access in accordance with the license description. Company agrees that it will ensure compliance with the license terms, specifically that it tracks and ensures that Portal Use licenses are only used as permitted in this Agreement and the relevant Order Form.

3. Company shall be responsible for any acts or omissions of Company's Portal Users and Company's Portal Users' compliance with all of the terms of this Agreement. Upon request by SugarCRM, Company will certify to SugarCRM, within 30 days after having received the request, Company's compliance with this Order Form, specifically with respect to the Portal Use licenses. SugarCRM reserves the right to audit compliance at any time.

B. The following are the terms of use that apply when SugarCRM is providing Sugar Cloud:

1. Sugar Cloud Usage Rights. Subject to the Terms of Use and the terms of the Agreement, Company shall have the right to access, use and modify the Product during the Subscription Term solely for Company's own internal business purposes. The Product may be accessed through a web browser and/or mobile web client. Company agrees to comply with the following Sugar Cloud usage guide: or its successor url.

2. Software Releases. During the Subscription Term, if Company has paid the applicable fees and is in compliance with the terms and conditions of the Agreement, SugarCRM shall provide automatic updates to Company's instance of the Product with Software Releases. "Software Releases" may be comprised of Maintenance Releases and/or Feature Releases (as defined below).

"Maintenance Releases" means an update to the Product which includes fixes to known defects and does not intentionally introduce any new or modified application behavior.

"Feature Releases" means a software update which includes both fixes to known defects and introduces new or modified application behavior or changes the available features or functionality of the Product.

3. Customizations. If Company decides to customize the Product for Company's environment, Company agrees that such customization will be Sugar-certified customizations using the Sugar Module Loader (or other SugarCRM-approved method) and compliant with established industry security standards.

4. Development. Company agrees that it will not, directly or indirectly, conduct any activity that will degrade performance beyond an acceptable level, including but not limited to: (a) conducting automated functionality tests or load tests on the Product against Company's staging and/or testing environments, (b) creating Internet links to the Product, and/or (c) deploying custom modifications that adversely impact the SugarCRM infrastructure due to incompatible code, inefficient code or architecture practices. Company also agrees not to "frame," "fork" or "mirror" any part of the Product on any other device. If Company does any of the foregoing, SugarCRM shall have the right to terminate or suspend Company's account and access to the Product without any refund or credit until Company corrects such violation to SugarCRM's reasonable satisfaction.

5. Data Storage. With respect to Sugar Cloud, the maximum disk storage space, including any replication(s) of Company's environment (i.e., sandbox) will be determined based on the Product subscription purchased by Company (the "Storage Limit"). If the amount of storage required by Company exceeds the Storage Limit, SugarCRM shall invoice Company the then-current storage fees for such excess use. Company agrees to pay such data storage fee within thirty (30) days of invoice.

6. Regulated Data in Relation to Products. The Sugar Cloud service is not configured to receive or store government- regulated, controlled or similarly restricted data ("Regulated Data"), including without limitation technical data controlled by International Traffic in Arms Regulations and personal health information under HIPAA. Company agrees that neither Company nor any Subscription Users will use the Sugar Cloud version of the Product to store Regulated Data or provide access to or submit or transmit any Regulated Data to SugarCRM when requesting Support Services or otherwise. SugarCRM reserves the right to suspend or terminate the Subscription immediately if Company is found to be in violation of this Section

7. Backup of Data. Company may submit a request to SugarCRM, to receive the number of recoveries of Company's Data from backup per calendar month free of charge (the "Recoveries") as indicated by the Product Subscription that is purchased by Company. Additional Recoveries may be available for an additional charge at SugarCRM's then-current rate for such backup services, which rate can be ascertained by contacting a SugarCRM sales representative.

8. Replication of Environment (Sandbox). Upon Company's request to SugarCRM and at no additional charge, Company is entitled to receive the number of duplicates of Company's production environment (data application logic and configuration) ("SandBox") per calendar month, as indicated by the Product version for which Company has purchased a Subscription. Any additional requests for a Sandbox shall be subject to SugarCRM's then-current fees for such services. A Sandbox is intended to be used for development, testing, or staging of any modifications to Company's production environment instance, and not for use as a production environment instance.

9. Handling of Company Data Post Termination. If Company is using Sugar Cloud as of the effective date of termination, upon written request by Company made within ninety (90) days of the effective date of expiration or termination of the Agreement (the "Post-Term Period"), SugarCRM agrees to make available to Company, a copy of Company's production environment. Further, during the Post-Term Period and upon the Company's request, SugarCRM shall grant the Company limited access to Sugar Cloud for the sole purpose of permitting the Company to retrieve Company Data, provided that the Company has paid in full all good faith undisputed amounts owed to SugarCRM. Upon expiration of the Post-Term Period, SugarCRM will have no further obligation to maintain for or provide to Company any of the Company Data and may thereafter, unless legally prohibited, delete all Company Data in its systems or otherwise in its possession or under its control.

C. The following are the terms of use that apply to the On-Site Product (whether hosted by Company or by a third party on behalf of Company):

1. License Grant. Subject to the terms of this Agreement, SugarCRM will make the Product available to Company and its Subscription Users for use at the Company's premises or on a Company-controlled server within a third-party data center, and grants Company, during the Subscription Term only, a non-exclusive, revocable, non-transferable (except as provided in Section 11.5 of the Agreement) right to install, use and modify the Product solely for Company's own internal business purposes.

2. Delivery. SugarCRM shall electronically deliver or make available the Product and the information necessary for Company's use and installation of the Product.

3. Software Releases. During the Subscription Term, SugarCRM may provide Long Term Supported Releases to the Product, from time to time. Company understands and agrees that, Company may not have immediate access to new or improved features or newer versions of the Product until the Long Term Supported Release is issued to On-Site customers by SugarCRM. "Long Term Supported Release" means a Product update that includes fixes to known defects, introduces a new or modifies existing application behavior and/or changes the available features or functionality of the Product.

4. End-of-Life Policy. Company understands and acknowledges that SugarCRM regularly retires older versions of the Product and that Support Services on the older versions of the Product are only provided to customers for a designated period of time (the "End-of-Life Policy"). The End-of-Life Policy for Product versions can be found at: or its successor url. Company understands that Support Services for the Product will end according to the End of Support Dates indicated therein and that prior to the End of Support Date for the version of the Product that Company is using, Company must upgrade to the latest supported version of the Product in order to continue receiving Support Services from SugarCRM. SugarCRM reserves the right to modify its End-of-Life Policy in the future, by providing notices of such modifications at the URL noted above.

D. Hint. The following are terms of use that apply to the SugarCRM Hint ("Hint") add-on product (if included in the Subscription purchased by Company):

1. Content. Hint provides access to certain data and information ("Content"), including Content regarding companies and/or individuals, which is licensed to SugarCRM from third parties ("Content Providers"). SugarCRM reserves the right to replace Content Providers and to provide different Content or cease providing certain types of Content, at its sole discretion. Company agrees that any use of Hint or the Content by Company will be in compliance with all applicable laws and regulations. Any provisions in the Master Subscription Agreement regarding SugarCRM's obligations for third-party claims or indemnification do not apply to Content.

2. License. SugarCRM grants Company a limited nonexclusive right to install the Hint module in Company's instance of Sugar and to access and use the Hint service via the Hint module during the Subscription Term. The number of users licensed and authorized to use Hint shall not exceed the number of Subscription Users indicated in the Order Form, and Company is required to purchase a Subscription to Hint equal to the number of Sugar Subscription Users that it has licensed. Content may only be accessed through Hint and such Content may only be saved within the database associated with the Sugar instance. Company is required to purchase a Subscription to Hint equal to the same number of Sugar Subscription Users that it has licensed. Company administrator(s) may reassign a Hint user license during the Subscription Term if a former Hint User Subscription User no longer requires access to or use of the Hint service.

3. Support. Hint is supported in accordance with the standard support terms for the Sugar product. Any service level or uptime commitments contained in this Agreement with regards to Sugar do not apply to Hint.

4. Third-Party Copyrighted Materials. Certain Content may be a web site link to a third-party web site. All title and intellectual property rights in and to the content of any third-party web site that may be linked to or viewed in connection with Hint is the property of the respective third-party content owner and may be protected by applicable copyright or other intellectual property rights. Any use by Company of the third-party web site is subject to the terms and conditions provided by such third party, and no rights to any third-party web site are granted to Company.

5. Interoperation between Sugar and Hint. Hint interoperates with the Company's instance (whether On-Site or Sugar Cloud) of Sugar. Hint is a Sugar Cloud service only. SugarCRM offers Hint via servers located in the United States (or such other location(s) as SugarCRM may determine in its sole discretion) regardless of the location of Company's Sugar deployment.

6. Usage Data. In the course of Company's use of Hint, SugarCRM may collect, use, process and store usage data, including in order to create and compile anonymized and aggregated statistics about Hint. For details see SugarCRM's privacy policy here:

7. Personal Data. Personal data is any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under the EU GDPR and any related national laws governing data protection). If the Company is using Hint for obtaining personal data from EU data subjects, the following shall apply:

a. Company shall not use Hint for obtaining or attempting to obtain or enriching (a) personal data of any EU data subjects below the age of 16, or (b) other sensitive data such as data regarding racial or ethnic origin, political opinions, religious or philosophical believes or trade union membership, data concerning health or sex life or sexual orientation.

b. Company may only transfer any data of EU data subjects to countries outside EU if Company is in compliance with GDPR Art. 46 (1) and (2).

8. Restrictions. Company shall not (a) use the Content to determine a consumer's eligibility for (i) credit or insurance for personal, family or household purposes, (ii) employment, (iii) a government license or benefit, or (iv) any other purpose governed by the Fair Credit Reporting Act; (b) access or use Hint or the Content in order to build a similar or competitive service; (c) except as expressly permitted herein, resell, copy, reproduce, distribute, republish, download, display, post or transmit any part of Hint or the Content; (d) access Content through any means other than the Hint user interface; (e) attempt to access the Content via an API directly; (f) except to the extent SugarCRM provides the ability to automatically export data, mass export any of the Content from Hint or Sugar through automated means, including by way of example, calls to Hint or an associated API that are made more frequently than may reasonably be performed by a human user using a standard web browser; (g) modify or create derivative works based on the software, program code or user interfaces comprising Hint; (h) copy, frame or mirror Hint, other than copying or framing on Company's own intranets or otherwise for Company's own internal business purposes; or (i) reverse engineer Hint, or attempt to gain unauthorized access to the Hint service or its related systems.



E. Collabspot. The following are terms of service that apply to the Collabspot Classic and Collabspot Connect add on (if included in the Subscription purchased by Company):

As used in these terms, "Service" refers to Company's use of the Collabspot Classic and/or Collabspot Connect add on, as applicable per Company's subscription license.

1. Content. The Service provides access to certain data and information ("Content") including Content regarding companies and/or individuals, which is obtained from the user's email accounts. Company agrees that its use of the Service will be in compliance with all laws and regulations applicable to the Company and the Content, including but not limited to applicable privacy laws.

2. License. Upon the purchase by Company of a subscription from SugarCRM to use the Service, SugarCRM grants Company a limited nonexclusive right to use the Service. The number of users licensed and authorized to use the Service shall not exceed the number of Subscription Users indicated in the Order Form. Subscriptions are for designated Subscription Users and cannot be shared or used by more than one user but may be reassigned to new Subscription Users replacing former Subscription Users who no longer require the use of the Service and the associated Sugar license.

3. Support. The Service is supported in accordance with SugarCRM's standard support terms. SugarCRM may regularly update and modify the Service at its sole discretion and without notice to Company. Any service level or uptime commitments contained in other agreements, statements of work, or terms of use/service not apply to the Service.

4. Interoperation with SugarCRM. The Service interoperates with the Company's instance of Sugar. Notwithstanding anything contrary in the Agreement, Collabspot is only available as Cloud based solution. SugarCRM offers the Service via servers located in the United States, regardless of the location of Company's Sugar deployment.

5. Usage Data. In the course of Company's use of the Service, SugarCRM may collect, use, process and store data regarding Company's use of the Service, and to create and compile anonymized and aggregated statistics about the Service. SugarCRM's privacy policy may be found here: The Service's use of information received from Gmail APIs will adhere to Google's Limited Use Requirements.

F. SugarMarket. The following are terms of use that apply to Sugar Market, formerly known as Salesfuion (the"Services"):

Notwithstanding anything contrary in the Agreement, Sugar Market is only available as Cloud based solution (and not on premise).

1. Company Rights and Responsibilities. Subject to the Terms of Use and the terms of the Agreement, Company shall have the right to access and use Sugar Market during the Subscription Term solely for Company's own internal business purposes. Company is responsible for ensuring that its End Users (defined as authorized employees, agents and contractors of Company) comply with all of the terms and conditions in this Agreement and Company shall be liable for all acts and omissions of its End Users. Company shall be solely responsible for obtaining and maintaining appropriate equipment and ancillary services needed to connect to, access, or otherwise use the Services, including, without limitation, computers, computer operating systems, internet access, and web browsers. Company shall be responsible for maintaining the security of Company's account access passwords. Company agrees to make every reasonable effort to prevent unauthorized third parties from accessing the Services and shall use no less than industry standard security precautions in connection with its use of the Services and content obtained therefrom.

2. Usage Restrictions and Requirements.

2.1. Company shall use the Services only for its own internal business operations and shall not use the Services in any manner that could damage, disable, disrupt, overburden, impair or otherwise interfere with SugarCRM's provision of the Services or the integrity or performance of the Services.

2.2. Company shall not use the Services to store or transmit: (a) any infringing, libelous, or otherwise unlawful or tortious material, (b) any material in violation of third-party privacy or confidentiality rights, or (c) any viruses, worms, defects, Trojan horses, or any items of a destructive nature.

2.3. Company shall not, directly or indirectly: (a) reverse engineer, decompile, disassemble, decipher, analyze, translate, or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of the Services or any software, documentation or data related to or provided with the Services (collectively, the "Software"); (b) modify, translate, or create derivative works based on the Services or the Software, or copy, rent, lease, distribute, pledge, assign, or otherwise transfer or encumber rights to the Services or the Software; (c) frame or mirror the Services; (d) use or access the Services to build or support, and/or assist a third party in building or supporting, products or services competitive to SugarCRM; (e) use the Services for purposes of evaluating SugarCRM's products, including performance, accuracy, benchmarking or other comparative analysis, and intended for publication without SugarCRM's prior written consent; or (f) remove any proprietary notices or labels from the Services or the Software.

3. Compliance with Laws. Company agrees to comply with all applicable laws and regulations with respect to its use of the Services, including without limitation the GDPR, all local or national laws applicable to bulk and commercial email in the regions where Company and End Users have business operations or where their email recipients are located (e.g., the CAN-SPAM Act and CASL). SugarCRM reserves the right to immediately suspend or terminate Services to any Company not adhering to these policies. Without limiting the foregoing, Company shall not, in any correspondence sent through the Services: (a) send email with false, misleading, or deceptive content, including to and from addresses, subject lines, header information, and message bodies; (b) use email lists generated through surreptitious means, including "scraping" or "harvesting"; (c) use purchased, rented or third party lists of email addresses; or (d) send Unsolicited Email. For purposes of this Agreement, the term "Unsolicited Email" means any email sent to persons other than: (i) persons with whom Company has an existing business relationship, or (ii) persons who have consented to the receipt of such email, including publishing or providing their email address in a manner from which consent to receive email of the type transmitted may be reasonably implied. Company will provide a clear, easy-to-use, and fully functional "unsubscribe" or "opt-out" method for recipients to revoke consent to receiving future emails from the sender, which must be included in every email sent via the Services. Company shall honor any and all such revocations of consent according to all applicable laws. Company will also provide the sender's valid physical postal address within the content of each email sent via the Services.

4. Company Representations and Warranties. Company represents and warrants to SugarCRM that:it will use the Services only in compliance with all applicable laws and regulations, including those related to export, spamming, privacy, data protection, intellectual property, consumer and child protection, pornography, obscenity and defamation. Company agrees to abide by all access and use restrictions contained in any materials made available through the Services; and Company further represents and warrants that Company is not located in, under the control of, or a national or resident of a U.S. embargoed country or sanctions list.

5. Ownership. Company owns any data, information or material originated by Company that Company submits, collects or provides in the course of using the Services, including information regarding Company's contacts created through use of the Services ("Company Data"). Company shall be solely responsible for the accuracy, quality, content and legality of Company Data, the means by which Company Data is acquired and the transfer of Company Data outside of the Services. SugarCRM acquires no right, title or interest in or to Company Data under this Agreement except to the limited extent necessary to perform the Services. Company acknowledges and agrees that, as between Company and SugarCRM, SugarCRM is the sole and exclusive owner of all rights, title and interest in and to the Services and any information developed or collected by SugarCRM in connection with its operation of the Services (other than Company Data, as defined below), including but not limited to all ideas, inventions, inferences, discoveries, developments, formats and processes, and all copyrights, patent rights and other intellectual property and proprietary rights therein and thereto, and Company shall not assert any claims to the contrary. Any rights not expressly granted to Company herein are reserved by SugarCRM. All suggestions, enhancement requests, feedback, recommendations or other input provided by Company or any other party relating to the Services or Software shall be owned by SugarCRM, and Company hereby does and shall make all assignments and take all reasonable acts necessary to accomplish the foregoing ownership rights.

6. Overages. If at any time SugarCRM determines that Company's database size ("Database Size") has exceeded the maximum database size listed on an Order Form, SugarCRM shall notify Company (which may be via email) and Company shall have fourteen (14) days to bring its Database Size within the designated limit. If Company fails to do so within fourteen (14) days after receipt of SugarCRM's notice, Company will be charged SugarCRM's then-current usage fees applicable to such overage and such fees shall continue to apply for the remainder of the Term.

7. Company Support and Maintenance. SugarCRM will provide assistance and support for Company's use of the Services and will use commercially reasonable efforts to respond to and resolve all Company support issues. SugarCRM will have no obligation to support problems due to causes external to the Services or otherwise beyond the reasonable control of SugarCRM. The Services may be temporarily unavailable from time to time for scheduled maintenance, unscheduled emergency maintenance, or due to other causes beyond SugarCRM's reasonable control.

8. Changes to the Services; Discontinuance. SugarCRM may, without notice to Company, update or otherwise modify the Services in its sole discretion, including without limitation providing updates or modifying features or functionality, or removing features or functionality (collectively, "Updates"). This Agreement applies to all such Updates. In the event SugarCRM discontinues the sale of any material portion of the Services, SugarCRM will either (at SugarCRM's option): (a) terminate provision of the discontinued Services and refund Company pro-rata for the fees prepaid by Company with respect to the discontinued Services that would otherwise have been provided to Company; or (b) continue to provide the Services to Company through the end of Company's current Term, provided that the applicable fees for such period have been paid to SugarCRM.

9. Privacy Policy. SugarCRM shall treat Company Data in accordance with the terms set forth in the Privacy Policy located at or such other URL as may be provided by SugarCRM from time to time. Company herewith consents that SugarCRM uses the Sub-processors specified under (or any successor URL) in addition to the sub-processors referenced in Exhibit B.


Exhibit B

Data Processing Appendix

This Data Processing Appendix to the Master Subscription Agreement on the processing of personal data on behalf of a controller in accordance with Article 28 (3) of the GDPR.

This Data Processing Appendix ("DPA") details the parties' obligations on the protection of personal data associated with the processing of Personal Data on behalf of Company or an Authorized Affiliate ("Contract Processing") as described in the MSA and/or Professional Services Agreement (including any Order Forms, Statements or Work, annexes or schedules attached thereto or URLs referenced therein) entered into between the parties (as applicable, the "Principal Agreement").
As used in this DPA, all capitalized terms not otherwise defined herein shall have the meanings given to such terms in the Principal Agreement.

1. Scope, duration and specification of contract processing of Personal Data

The Principal Agreement defines the scope and duration of the data processing as well as the type and the purpose of the data processing. The details for the data processing are as specified in the attached Schedule A "Service Specific Schedule/Data Processing Description.
This DPA shall become effective on the Effective Date of the Principal Agreement and remain in force for the duration of the Principal Agreement.

2. Scope of application and Responsibilities

2.1 Relationship of the parties:

Company (a) is the sole Controller of Personal Data or (b) has been instructed by and obtained the authorization of the relevant Authorized Affiliate(s) to agree to the Processing of Personal Data by SugarCRM as set out in this DPA.
The parties agree that SugarCRM processes Personal Data on behalf of Company and Authorized Affiliates. Company is solely responsible for entering Personal Data into the Product and any combination or interoperation with third party software or products. Company retains all ownership in the Personal Data and shall have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Company acquired Personal Data, and compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Personal Data to SugarCRM, the lawfulness of having Personal Data processed on behalf of Company as well as the lawfulness of any instructions it provides to SugarCRM. SugarCRM is not responsible for determining the requirements of laws applicable to Company ́s business or that SugarCRM ́s provision of the Service meet the requirements of such laws. Company will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable data protection laws.

2.2 Processing:

Company grants SugarCRM the non-exclusive right to use, access and process all Personal Data for the sole purpose and to the extent necessary for SugarCRM to provide the Product or Service to Company and to perform its obligations under the Principal Agreement.

2.3 Instructions:
Company ́s instructions on Contract Processing are as documented in the Principal Agreement ("Documented Instructions"). The Parties agree that Company may subsequently ask to amend, change or replace the Documented Instructions in writing. Those instructions must not change the material scope of the Services and shall only become binding upon execution of a written amendment to the Principal Agreement (hereinafter, a "New Processing Instruction"). The Parties agree that any costs of such New Processing Instruction, to the extent they exceed the scope of the Documented Instructions or require additional effort or costs will be paid by Company to SugarCRM.

2.4 Prohibited data:
Company shall not disclose (and shall not permit any data subject to disclose) to SugarCRM any special and/or prohibited categories of Data for processing that are not expressly disclosed in Schedule A.

3. Obligations of SugarCRM

3.1 Purpose limitation:
SugarCRM shall process the Personal Data as necessary to perform its obligations under this DPA and in accordance with the Principal Agreement, including the Documented Instructions and any binding New Processing Instruction (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law to which SugarCRM is subject.

3.2 Confidentiality of processing:
SugarCRM shall ensure that any person that it authorises to process the Personal Data (including SugarCRM ́s staff, agents and subcontractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security:
SugarCRM shall, organise SugarCRM's internal organisation so that it satisfies the specific requirements of data protection as follows: SugarCRM shall implement appropriate technical and organisational measures to protect (within SugarCRM's ́s scope of responsibility) the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data. At a minimum, such measures shall include the measures identified in Schedule B. Company is familiar with these technical and organizational measures, and it shall be Company's responsibility that such measures ensure a level of security appropriate to the risk. SugarCRM shall be entitled to modify the security measures identified in Schedule B, provided, however, no modification shall be permissible if it materially deteriorates the level of protection contractually agreed upon.

3.4 Cooperation and data subjects' rights
a. SugarCRM shall provide reasonable assistance to Company to the extent it is agreed upon by the parties, at Company ́s expense, to enable Company to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, rectification, erasure, restriction, data portability and objection, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data. This shall only apply if (a) Company does not have the technical ability to address such a request itself or migrate Personal Data to another system or service provider; and (b) SugarCRM is legally permitted to do so and has reasonable access to the relevant Personal Data. Should any such request, correspondence, enquiry or complaint be made directly to SugarCRM and where SugarCRM is able to correlate the data subject to Company, based on the information provided by the data subject, SugarCRM shall refer such data subject to Company. SugarCRM shall not be liable in the event that Company fails to timely and/or properly respond to the data subject's request.
b. At Company's expense and written request, SugarCRM shall (taking into account the nature of the processing and the information available to SugarCRM) provide commercially reasonable assistance to Company in order for Company to fulfill its obligations enumerated in Articles 32 to 36 GDPR if Company does not otherwise have access to the relevant information, and where possible for SugarCRM.

3.5 Security incidents:

Upon becoming aware of a breach of personal data within SugarCRM`s scope of responsibility ("Security Incident"), SugarCRM shall inform Company without undue delay. SugarCRM shall implement reasonable measures necessary for securing Personal Data and for mitigating potential negative consequences for the data subject and shall keep Company informed about all material developments in connection with the Security Incident. SugarCRM will not access the contents of Personal Data in order to identify information, subject to any specific legal requirements. Company is solely responsible for complying with incident notification laws applicable to Company and fulfilling any third party notification duties. SugarCRM's notification of or response to a Security Incident under this Clause 3.6 will not be construed as an acknowledgement by SugarCRM of any fault or liability with respect to the Security Incident.

3.6 Deletion or return of Personal Data:
Upon termination or expiry of the Principal Agreement and unless agreed otherwise in the Principal Agreement, SugarCRM shall at the request of Company destroy or return to Company all Personal Data (including all copies of the Personal Data) in its possession or control). This requirement shall not apply to the extent that Documented Instructions require SugarCRM to keep the Personal Data for a longer period or SugarCRM is required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event SugarCRM shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

3.7 International transfers:
SugarCRM may transfer the Personal Data outside of the European Economic Area ("EEA") provided that either it is (i) to a recipient in a country that the European Commission has decided provides adequate protection for personal data, (ii) to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, (iii) to a recipient who is certified under the EU-U.S. Privacy Shield Framework, as administered by the US Department of Commerce, or (iv) to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

3.8 Privacy Shield:
SugarCRM Inc. has been certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce.

4. Obligations of the Company

4.1 Company shall notify SugarCRM, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Company in the results of SugarCRM's product or work and any issues related to data protection arising out of or in connection with the Principal Agreement.

4.2. Where a data subject asserts any claims against SugarCRM in accordance with Article 82 of the GDPR, Company shall immediately notify SugarCRM in writing and shall support SugarCRM in defending against such claims

5. Documentation, Audits, Certifications

5.1 SugarCRM shall demonstrate to Company SugarCRM's compliance with this DPA by appropriate measures.

5.2 If Company is using SugarCRM On Demand Services the following will apply: For data centers used by SugarCRM as a hosting facility (the "Hosting Facilities"), any audit requirement will be satisfied by SugarCRM making available for review the then-current SSAE 16 SOC Type II audit report for the relevant Hosting Facility (or comparable industry-standard successor report). Company may need to execute a confidentiality agreement with the hosting provider to obtain such reports.

5.3 Where, in individual cases, onsite audits and inspections by Company are mandatorily required by Applicable Data Protection Laws or a Supervisory Authority, such onsite audits and inspections will be conducted during regular business hours, and without interfering with SugarCRM's operations, upon prior written notice of not less than 30 days. SugarCRM may also determine that such audits and inspections are subject to a longer prior notice, and the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organizational measures and safeguards implemented. SugarCRM shall be entitled to rejecting auditors which are competitors of SugarCRM. Company shall, when carrying out an on-site audit in accordance with this Clause 5.3, take all reasonable measures to limit any impact on SugarCRM and its sub-processors by combining any audit requests Authorized Affiliates may have into one single audit. SugarCRM's time and effort for such inspections shall be limited to one day per calendar year in total for all audits requested by Company and any Authorized Affiliate. SugarCRM shall be entitled to requesting a remuneration for SugarCRM's assistance in conducting inspections and Company shall reimburse for any costs (including internal efforts) and expenses associated with any audit.

5.4 Where a data protection supervisory authority conducts an inspection, Clause 5.3 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations the breach of which is sanctionable under the applicable criminal code.

6. Sub- processors

6.1 SugarCRM shall not subcontract any processing of the Personal Data to a third party subcontractor without the prior written consent of the Company. Company herewith consents that (a) SugarCRM Affiliates may be retained as Sub- processors in connection with the provision of the Services, and (b) SugarCRM uses the Sub- processors specified on the list available under at the following URL: #Data_Protection. Company herewith also consents to SugarCRM engaging additional third party subcontractors to process the Personal Data provided that: (i) SugarCRM provides at least 30 days' prior notice of the addition or removal of any Sub-processor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal at the URL specified above; (ii) SugarCRM imposes data protection terms on any sub-processor to the equivalent standards provided for by this DPA; and (iii) SugarCRM remains fully liable for any breach of this DPA that is caused by its sub-processor.

6.2 Company may object in writing the appointment of a third party processor for legitimate legal data protection reasons within 30 days after the notice was posted by SugarCRM in writing. If no such written refusal has been made, consent shall be deemed granted. If Company objects the appointment of a third party sub-processor as set forth herein, then SugarCRM shall have the option of either (a) not using that third party processor for its engagement with the Company, (b) terminate the Principal Agreement in writing by providing no less than 30 days prior written notice or (c) if the sub- processor affected is used for On Demand services, agree with Company on a migration to On Site deployment as set out in the Agreement.

7. Assistance, amendments

7.1 Company will make a written request for any assistance referred to in this DPA. SugarCRM will charge Company no more than a reasonable charge to perform such assistance or New Processing Instructions, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement.

7.2 No waiver, amendment or modification of this DPA and/or any of its Schedules shall be valid and binding unless made in a signed writing.
7.3 In case of any conflict, the terms of this DPA shall take precedence over the terms of the Principal Agreement. Where individual terms of this DPA are invalid or unenforceable, the validity and enforceability of the other terms of this DPA shall not be affected.

8. Authorized Affiliates

8.1 Contractual Relationship.
Company's execution of this DPA is on behalf of itself and each of Company's Authorized Affiliates, such that a separate DPA is deemed to be entered into between SugarCRM and each such Authorized Affiliate. Company agrees on behalf of each Authorized Affiliate that the Authorized Affiliate is bound by the obligations under this DPA. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Principal Agreement and is only a party to the DPA. Company procures that all access to and use of the Services and the SugarCRM Product by Authorized Affiliates must comply with the terms and conditions of the Principal Agreement and any violation of the terms and conditions of the Principal Agreement by an Authorized Affiliate shall be deemed a violation by Company.

8.2 Communication.
Company shall remain responsible for coordinating all communication with SugarCRM under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. SugarCRM shall be discharged of its obligations to inform or notify the Authorized Affiliates when SugarCRM has provided such information or notice to Company. Company is responsible for ensuring that all Instructions and decisions (e.g. regarding subcontractors) are identical for the Company and each of the Authorized Affiliates and undertakes to notify all Authorized Affiliates without any undue delay of any communication received by the Supplier.

8.3 Rights of Authorized Affiliates.
Authorized Affiliates (as Controllers) may have certain direct rights against SugarCRM. Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Supplier directly, the parties agree that Company undertakes to exercise all such rights or seek any such remedy on their behalf and to obtain all necessary permissions from the Authorized Affiliates. Company further undertakes to reimburse SugarCRM on behalf of the Authorized Affiliate for any additional costs and expenses. In addition, the Company shall be required to ensure that any and all rights and remedies sought by the Company and Authorized Affiliates are collective and consistent with each other.

8.4 Termination Right.
SugarCRM shall be entitled to terminate an Authorized Affiliate ́s participation in this DPA by providing written notice to Company in the event that (a) Principal Agreement does not expressly allow the use of the Product or Services by Authorized Affiliates, (b) such Authorized Affiliate is in breach of this DPA, or (c) Company is in default of payment of the additional costs, expenses or extra efforts caused by that Authorized Affiliate.

8.5 Company's Notification Obligation of Authorized Affiliates.
Pursuant to section 10(b)(v), Company shall notify SugarCRM in writing of all Authorized Affiliates, including each such Authorized Affiliate's name and address. Notwithstanding anything to the contrary, only affiliates included in such notification(s) shall be Authorized Affiliates under this DPA and the Principal Agreement.

9. Principal Agreement

Unless otherwise set forth herein, all terms and conditions of the Principal Agreement remain in full force and effect, including without limitation, indemnification, confidentiality and limitation of liability. For the avoidance of doubt, SugarCRM ́s total liability for all claims from the Company and all of its Authorized Affiliates arising out of or related to the Principal Agreement and each DPA shall apply in the aggregate for all claims under both the Principal Agreement and all DPAs established under the Principal Agreement, including by Company and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Company and/or to any Authorized Affiliate that is a contractual party to any such DPA. Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.

10. Definitions

The terms "data subject" and "supervisory authority" as used herein have the meanings given in the GDPR.

(a) "Data Protection Laws" means the GDPR and any related national laws governing data protection.
(b) "Authorized Affiliate" means any of Company's Affiliate(s) which (i) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, (ii) is authorized by the Company to use the SugarCRM Product, (iii) is permitted to use the Product and Services pursuant to the Principal Agreement between Company and SugarCRM, (iv) has not signed its own Order Form or agreement with SugarCRM and (v) Company has notified SugarCRM in writing (at that such Affiliate has been authorized to use the SugarCRM Product, including notification of the full legal name of the Affiliate and the Affiliate's address.
(c) "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
(d) "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(e) "Personal Data" means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws) where for each (i) or (ii), such data is Company Data or has been provided to SugarCRM in order to provide support under the Principal Agreement.
(f) "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(g) "Processor" means the entity which Processes Personal Data on behalf of the Controller.
(h) "Sub-processor" means any Processor engaged by SugarCRM.

Schedule A

Service Specific Schedule / Data Processing Description

This Schedule A forms part of the DPA and describes the processing that the processor will performed on behalf of the controller.

Data subjects*
The personal data to be processed concern the following categories of data subjects

• Customers
• Potential Customers • Employees

Categories of data*
The personal data to be processed concern the following categories of data

  • Customer contact data
  • Potential customer contact data
  • Employee contact data

Special categories of data (if appropriate)
The personal data to be processed concern the following special categories of data (please specify):


Processing operations
The personal data will be subject to the following basic processing activities:

  • Support Services
  • Hosting Services (if On Demand Product has been subscribed to by Company)
  • Professional Services (if Parties have entered into a separate Professional Services Agreement)

* If other data subjects or categories of data are implicated with Company's use of SugarCRM products and services, Company shall notify SugarCRM in writing and parties shall amend this Schedule A in writing.

Schedule B Minimum Security Measures

1. Physical Access Controls

SugarCRM has measures in place to prevent unauthorized persons from gaining access to SugarCRM premises where Company data is processed. Such measures include: controlling access to entry doors and sensitive areas, securing and limiting access to server rooms, installing video cameras where appropriate, using electronic ID badges for entering SugarCRM offices, controlling badge holder access and logging, and alarm monitoring. Visitors must arrive at the main entrance and are met by the sponsoring employee. Sugar's cloud service uses data center facilities which are SOC 2 certified.

2. Access Controls

SugarCRM has measures in place to prevent data processing systems from being used without authorization. Role based access policies are in place with a minimum necessary policy. Access to production systems and customer data is controlled and monitored. Such measures include locking of terminals; regulations for user authorization; role-based access, entitlement reviews and audit logging.

3. System Integrity Controls

SugarCRM has measures in place to insure data and system integrity. All production and customer data is encrypted in transit and at rest. Networks and systems are monitored with security tools for intrusion detection and prevention, DDOS Protection and Malicious code. All systems are monitored for viruses and malware. Key management systems are in place and encryption is in place for all password, key data and backups

4. Intervention Control

SugarCRM has implemented measures to prevent its personal data processing systems from being used by unauthorised persons by means of data transmission equipment. The measures taken include multifactor authentication, bastion host requirements for access to processing systems. Authentication is logged and monitored.

5. Transfer control

Technical measures to prevent Company Data from being processed or used during electronic transmission or during transport without authorization (e.g. by means of encryption or protection by passwords); Such measures include the following: authentication of authorized personnel, Data Loss Prevention tools and controlling the use of data media.

6. Input Control

If Company Data is processed on SugarCRM systems, access to Company Data will be recorded in log files. For any Company Data stored in the SugarCRM Product, Company is solely responsible for such data input and SugarCRM does not have any control or involvement in such data input.

7. Separation control

Measures to ensure that data collected for different purposes can be processed separately include an authorization concept which takes account the separate processing of data in Sugar's cloud environment. Customer ́s Company Data is logically separated from other customers' company data.

8. Availability controls

Technical measures to ensure that personal data stored in SugarCRM ́s internal systems are protected against accidental destruction or loss include the use of protection programs (such as malware and virus protection, DPI and firewalls), rejection of unauthorized users, backup and recovery policies. The Sugar cloud instance makes use of multiple data centers, and clustering to avoid interruptions in service.

Last modified: 2019-10-31 19:39:00