The terms and conditions contained here apply to the access and use of the Bluebeam’s Studio™ and Drawings™ cloud-based application services (the “Services”).
- Modification of the Services. Bluebeam reserves the right to revise, modify or update the Services from time to time in its sole discretion to add new features or functionality, modify existing features or functionality, or remove features or functionality.
- LICENSE AND RESERVATION OF RIGHTS.
- Reservation of Rights. All right, title, and interest in and to the Services and the Documentation, including, without limitation, all copyrights, patents (whether pending or issued), trade secret rights, trademarks, and other intellectual property, are owned and retained by Bluebeam. The Services and Documentation are protected by patent, copyright, and/or other intellectual property laws of the United States and other countries, as well as by international treaty provisions. Except as expressly set forth herein, Your access and use of the Services does not grant You any intellectual property rights in the Services or Documentation. All rights not expressly granted by Bluebeam are hereby reserved.
- PERSONAL INFORMATION.
- International Transfers. IF YOU ARE NOT A RESIDENT OF THE UNITED STATES, YOU ACKNOWLEDGE AND AGREE THAT ALL INFORMATION ACQUIRED VIA THE SERVICES OR IN CONNECTION WITH YOUR USE OF THE SERVICES (INCLUDING, WITHOUT LIMITATION, PERSONAL INFORMATION ASSOCIATED WITH YOUR USER ACCOUNT AND YOUR CONTENT) IS COLLECTED BY BLUEBEAM WITH YOUR CONSENT AND TRANSFERRED ACROSS NATIONAL BORDERS TO COUNTRIES WHERE BLUEBEAM AND ITS PARTNERS OPERATE, INCLUDING THE UNITED STATES AND SUCH OTHER COUNTRY(IES) THAT BLUEBEAM MAY ALLOW YOU TO SELECT.
- EU Transfers to the United Kingdom. The European Union Commission has not determined whether the United Kingdom’s data privacy laws, after the withdrawal of the United Kingdom from the European Union, will ensure an adequate level of protection for Personal Information collected from EU data subjects. Therefore, on and after the date that the United Kingdom exits the European Union, the transfer of Personal Information will be subject to the European Union Commission’s Standard Contractual Clauses (attached hereto).
- EU Transfers to Other Countries. Where Bluebeam transfers Personal Information to a country that is not within the European Economic Area and is not subject to an adequacy decision by the EU Commission, Bluebeam relies on the European Commission’s approved Standard Contractual Clauses and your consent in certain circumstances.
- Your Content. As between You and Bluebeam, all title, ownership rights and intellectual property rights in and to all Project Files, Session Files, documents, images, markups created by You (collectively “Your Content”) in connection with Your use of the Services is owned and retained by You. You are solely responsible for the accuracy, quality, integrity and legality of the Your Content. You agree to abide by (and be responsible for compliance with) all applicable laws and regulations regarding access and use of Your Content. You acknowledge and agree that the Services are not designed to process, manage or store any Sensitive Personal Information and You agree that You will not upload or use Sensitive Personal Information in connection with Your use of the Services. You are solely responsible for the secure transmission of the Your Content to the Services.
- Disclosure of Your Content. Bluebeam may disclose Your Content if the disclosure is necessary to comply with a valid court order or subpoena or to comply with applicable law, rule or regulation. Bluebeam will notify You of any request for such disclosure (unless prohibited by such process, law or regulation) and cooperate with You if You elect to contest the disclosure, seek confidential treatment of Your Content to be disclosed, or to limit the nature or scope of Your Content to be disclosed.
- PROJECTS, SESSIONS AND DRAWINGS.
- Host Responsibilities. A Host can create an unlimited number of Projects and Sessions. The Host is solely responsible for establishing and managing Attendee permissions, including, without limitation, access and use restrictions, for all Projects and Sessions. If Project Files or Session Files are confidential (or contain confidential information), it is the Host’s sole responsibility to implement all necessary permissions and access controls to maintain such confidentiality among the Attendees. Bluebeam shall not be responsible for securing or maintaining any confidential information added to a Project or Session, as applicable, by the Host or any Attendee.
- Storage Space. You are allocated unlimited project storage space for Project Files and Session Files free of charge. You are allocated a limited number of Sheets to be shared among all of Your Drawings Uploaders as displayed in the Gateway. Bluebeam reserves the right to change the amount of storage provided for free, for a fee, or change the fee charged at any time in its sole discretion.
- Deletion of Project Files, Session Files and Sheets. The Host can delete a Project or Session at any time. Upon deletion, the Project or Session is archived for 120 days. At the end of said 120 days the Project or Session is purged and deletion cannot be undone. Upon deletion all Project Files, Session Files and Sheets and version history logs are permanently deleted. You are solely responsible for downloading and backing up Project Files, Session Files, Sheets and version logs on Your local computer or computer network prior to deleting a Project or Session. Bluebeam may also delete Project Files, Session Files or Sheets at any time in its sole and reasonable discretion upon prior notification to the Host by email.
- Deletion of Session Files for Inactivity. Sessions and Session Files will automatically be deleted if the Session has not been accessed by the Host or any Attendee for a period of eighty (80) days (an “Inactive Session”). The Host will receive an email notifying the Host that the Inactive Session will be archived in ten (10) days (i.e. 90 days from the date of the last access of the Session). A second email notification will be sent one hundred seventy (170) days from the last access or use of a Session notifying the Host that the Inactive Session will be permanently deleted. The Inactive Session will be permanently deleted ten (10) days thereafter (i.e. 180 days from the date of the last access of the Session).
- Drawings. Drawings functionality is only available if You have and maintain an active Maintenance subscription for the 2018 or later versions of the Software. The Account Owner is the default Gateway Admin. You may change the Account Owner and/or Gateway Admin at any time within the Gateway. Drawings may be accessed via an approved Client, mobile device utilizing Bluebeam’s Drawings mobile application or via the internet from any Device.
- Personal Information of the Host and Attendees. No Attendee is required to submit or use Personal Information in connection with a Project or Session apart from the information provided to Bluebeam to create a User Account. Further, the Services are not intended to host, maintain or secure Personal Information or Sensitive Personal Information. If a Host and/or Attendee voluntarily provides or submits Personal Information or Sensitive Personal Information as part of a Project or Session, (i) such Personal Information and Sensitive Personal Information is deemed public and voluntarily provided; and (ii) Bluebeam shall not be responsible for securing, maintaining or deleting such Personal Information or Sensitive Personal Information.
- Communications Between Attendees. Attendees may use the Services to communicate with the Host and other Attendees. If You opt out of receiving emails from Bluebeam, You will continue to receive emails from Hosts and Attendees of the Projects and Sessions to which they are an Attendee. Bluebeam shall not be responsible for any information communicated to You in connection with Host and/or Attendee communications made as part of a Project or Session.
- STUDIO PRIME.
- General Terms. Studio Prime is an optional subscription service subject to an annual subscription agreement and annual subscription fee.
- Prime Administrators. Provided You have executed the annual subscription agreement and established a Studio Prime account, You will be solely responsible for (A) inviting other Service users to become Prime Members; (B) managing all Prime Member accounts (including, without limitation, their access and permissions to Projects and Sessions for which they are Attendees); (C) assigning, creating, modifying and removing Prime Member permission and restrictions; and (D) controlling all content (including, without limitation, Project Files and Session Files) created or uploaded into or used in connection with Your Studio Prime Account.
- Prime Members. If a Services user is invited to become a Prime Member, that User Account becomes a Prime Member account under the control of the Prime Administrator. You expressly agree that the Prime Administrator, not You, will control Your access, permissions, content and all other aspects of your experience with the Services. You may only be a Prime Member of one (1) Studio Prime Account. Prime Member accounts are under the control of the Prime Administrator and may be created, modified or deleted in the discretion of the Prime Administrator. The Prime Administrator has access to all Prime Member content and activities.
- WARRANTIES; DISCLAIMERS OF WARRANTY; LIMITATION OF LIABILITY.
- DISCLAIMER OF WARRANTIES. THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE” BASIS WITHOUT WARRANTY OF ANY KIND WHATSOEVER AND YOUR USE OF THE SERVICES IS AT YOUR OWN RISK. BLUEBEAM DOES NOT WARRANT THAT THE FUNCTIONS OF THE SERVICES WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE. BLUEBEAM DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES RELATED TO: NON-INFRINGEMENT, LACK OF VIRUSES, ACCURACY OR COMPLETENESS OF RESPONSES OR RESULTS, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. YOU ASSUME RESPONSIBILITY FOR SELECTING THE SERVICES TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE USE OF THE SERVICES. BLUEBEAM RESERVES THE RIGHT TO DISCONTINUE THE SERVICES AT ANY TIME.
- LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT AND UNDER NO LEGAL THEORY (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) SHALL BLUEBEAM BE LIABLE FOR ANY LOST REVENUES, LOST PROFITS, OR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE SERVICES.
- INDEMNIFICATION. You agree to defend, indemnify, and hold harmless Bluebeam, its parent, subsidiaries, directors, officers, employees, agents and contractors from and against any and all damages, claims, suits, or proceedings (including reasonable attorneys’ fees) brought by any third party, including an Attendee, that alleges the access, use or provision of Your Content, any other files, metadata, communications or Personal Information uploaded or transmitted by You in connection with the Services violates any applicable law, regulation or the priority rights of others.
- TERMINATION AND SURVIVAL.
- Termination by You. You may terminate Your access to and use of the Services at any time, with or without cause, upon deleting the applicable User Account(s) and providing Bluebeam with written notice of termination to [email protected].
- GENERAL TERMS.
- Third Party Charges. You acknowledge and agree that access to the Services may require the payment of third party fees (such as telephone charges, ISP, or other charges) and that You are solely responsible for paying such fees. Bluebeam is not responsible for providing access or any software or equipment that You may need to be able to utilize the Services.
- Bluebeam Communications. Notwithstanding any preferences You may select for communications from Bluebeam, Bluebeam may send You e-mails regarding maintenance or matters concerning the Services.
- “Attendee” means a Services user who is invited by a Host to participate in a Project or Session.
- “Chat” means an exchange of communications between the Attendees in a Session.
- An approved “Client” is Revu (for Windows, for Mac or for iPad), Vu, and certain third party applications developed in conjunction with Bluebeam’s developer network that provide access to the Services.
- “Drawings” means a Studio feature that delivers Project Files to Services users in the field (online, mobile or within the Software).
- “Drawings Uploaders” means those Services users to whom the Gateway Admin grants permission to upload Project Files into Drawings.
- “Gateway Admin” means the Account Owner, or other Services user that the Account Owner may designate, with the authority to grant and revoke permissions for other Services users to access and use Drawings.
- “Host” means the Services user who initiates a Project or Session and who has administrative access and control of the Project or Session, as applicable.
- “Markup” refers to any visual element added by a Host or an Attendee to a Session File.
- “Personal Information” means any information that may be used to identify a natural person, including, without limitation, names, addresses, telephone numbers, e-mail addresses and such other identifiable information as may be defined by applicable law.
- “Project” means a set of functions that allows (i) a Host to upload, access, manage, check in, check out, modify and store Project Files on the Services’ cloud-based servers; (ii) a Host to add, modify and remove Project Files, Attendees and Attendee permissions in a Project; and (iii) Attendees to access, check in, check out, modify and use Project Files as authorized by the Host.
- “Project Files” are documents and other computer files uploaded, accessed, modified and stored by the Host and Attendees according to their respective permissions in connection with a Project.
- “Sensitive Personal Information” means sensitive, personally identifiable information such as social security numbers, banking and other financial information, healthcare or other medical related information, that is subject to specific regulations or laws that impose increased protections and/or obligations with respect to handling that type of information, including without limitation “protected health information” as such term is defined in the HIPAA Rules and “genetic data”, “biometric data”, “data concerning health” and other “sensitive personal information” as such terms are defined in the EU General Data Protection Regulation.
- “Session” means a set of functions that allows (i) a Host to upload, access, modify, Markup, manage and store Session Files on the Services’ cloud-based servers; (ii) a Host to add, modify and remove Session Files and Attendees in a Session; (iii) Attendees to access, Markup and use Session Files as authorized by the Host; and (iv) the Host and Attendees to Chat.
- “Session Files” are PDF files uploaded, accessed, modified and stored by the Host and Attendees, according to their respective permissions, in connection with a Session.
- A “Sheet” means one (1) page of a PDF (regardless of the page’s dimensions) of an architectural drawing.
- “Software” means Bluebeam’s Revu® software application.
- “Studio” means a cloud-based collaboration platform that connects users and gives them the ability to markup and review documents in real-time.
STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
The non-Bluebeam legal entity and/or individual accepting the Clauses using the email address provided to Bluebeam as part of your User Account (the “Data Exporter”)
443 South Raymond Avenue, Pasadena, California 91105 USA
(the “Data Importer”)
each a “Party”; together the “Parties”,
Clause 1 – Definitions
For the purposes of the Clauses:
a. “Personal Data”, “Special Categories of Data”, “Process/Processing”, “Controller”, “Processor”, “Data Subject” and “Supervisory Authority” shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data;
b. The “Data Exporter” means the Controller who transfers the Personal Data and who is identified above;
c. The “Data Importer” means the Processor who agrees to receive from the Data Exporter Personal Data intended for Processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC and who is identified above;
d. The “Subprocessor” means any Processor engaged by the Data Importer or by any other Subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other Subprocessor of the Data Importer Personal Data exclusively intended for Processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
e. The “Applicable Data Protection Law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a data controller in DocuSign Envelope ID: 6D492E42-9337-4E87-B1AD-78BFF32148EC DocuSign Envelope ID: 59E140DF-C76D-4F96-AFEA-C3813CA8A0F7 Salesforce Data Processing Addendum Page 15 of 22 November 2018 (GDPR, BCRs, Privacy Shield, and SCCs) – online the Member State in which the Data Exporter is established;
f. “Technical and Organisational Security Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
Clause 2 – Details of the transfer
The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 – Third-party beneficiary clause
- The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.
- The Data Subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own Processing operations under the Clauses.
- The Parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.
Clause 4 – Obligations of the Data Exporter
The Data Exporter agrees and warrants:
a. that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the Applicable Data Protection Law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;
b. that it has instructed and throughout the duration of the Personal Data Processing services will instruct the Data Importer to Process the Personal Data transferred only on the Data Exporter’s behalf and in accordance with the Applicable Data Protection Law and the Clauses;
c. that the Data Importer will provide sufficient guarantees in respect of the Technical and Organisational Security Measures specified in Appendix 2 to this contract;
d. that after assessment of the requirements of the Applicable Data Protection Law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
e. that it will ensure compliance with the security measures;
f. that, if the transfer involves Special Categories of Data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
g. to forward any notification received from the Data Importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection Supervisory Authority if the Data Exporter decides to continue the transfer or to lift the suspension;
h. to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a DocuSign Envelope ID: 6D492E42-9337-4E87-B1AD-78BFF32148EC DocuSign Envelope ID: 59E140DF-C76D-4F96-AFEA-C3813CA8A0F7 Salesforce Data Processing Addendum Page 16 of 22 November 2018 (GDPR, BCRs, Privacy Shield, and SCCs) – online summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
i. that, in the event of subprocessing, the Processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the Personal Data and the rights of Data Subject as the Data Importer under the Clauses; and
j. that it will ensure compliance with Clause 4(a) to (i).
Clause 5 – Obligations of the Data Importer
The Data Importer agrees and warrants:
a. to Process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
b. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
c. that it has implemented the Technical and Organisational Security Measures specified in Appendix 2 before Processing the Personal Data transferred;
d. that it will promptly notify the Data Exporter about:
i. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
ii. any accidental or unauthorised access, and
iii. any request received directly from the Data Subjects without responding responding to that request, unless it has been otherwise authorised to do so;
e. to deal promptly and properly with all inquiries from the Data Exporter relating to its Processing of the Personal Data Subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the Processing of the data transferred;
f. at the request of the Data Exporter to submit its data Processing facilities for audit of the Processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the Supervisory Authority;
g. to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
h. that, in the event of subprocessing, it has previously informed the Data Exporter and obtained its prior written consent;
i. that the Processing services by the Subprocessor will be carried out in accordance with Clause 11;
j. to send promptly a copy of any Subprocessor agreement it concludes under the Clauses to the Data Exporter.
Clause 6 – Liability
- The Parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.
- If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract of by operation of law, in which case the Data Subject can enforce its rights against such entity.
- The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
- If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the data Subprocessor with regard to its own Processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own Processing operations under the Clauses.
Clause 7 – Mediation and jurisdiction
- The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject:
a. to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority;
b. to refer the dispute to the courts in the Member State in which the Data Exporter is established.
- The Parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 – Cooperation with supervisory authorities
- The Data Exporter agrees to deposit a copy of this contract with the Supervisory Authority if it so requests or if such deposit is required under the Applicable Data Protection Law.
- The Parties agree that the Supervisory Authority has the right to conduct an audit of the Data Importer, and of any Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the Applicable Data Protection Law.
- The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9 – Governing Law
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
Clause 10 – Variation of the contract
The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 – Subprocessing
- The Data Importer shall not subcontract any of its Processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor’s obligations under such agreement.
- The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own Processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.
- The Data Exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection Supervisory Authority.
Clause 12 – Obligation after the termination of Personal Data Processing services
- The Parties agree that on the termination of the provision of data Processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively Process the Personal Data transferred anymore.
- The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the Supervisory Authority, it will submit its data Processing facilities for an audit of the measures referred to in paragraph 1.
For a signed copy, please email [email protected]
Appendix 1 to the Standard Contractual Clauses
The Data Exporter is:
The Data Exporter is a business entity that has contracted with the Data Importer in part for cloud-based services that allow the Data Exporter and its authorized and/or licensed users to upload, access, edit, markup, communicate and otherwise collaborate on the Data Exporter’s documents and materials hosted in the Data Importer’s cloud infrastructure.
The Data Importer is:
Bluebeam, Inc. and its subsidiaries provide hosted cloud services that enable its customers of all sizes to to upload, access, edit, markup, communicate and otherwise collaborate on documents and materials uploaded to its cloud infrastructure by its customers.
The Personal Data transferred concern the following categories of Data Subjects:
Data Subjects are the Data Exporter’s employees, former employees, contractors, business partners, or other individuals the Data Exporter engages with the Data Importer for access and use of the Data Importer’s cloud infrastructure.
Categories of data
The Personal Data transferred concern the following categories of data:
First and last name, title, employer, contact information (address, e-mail address, phone number, business address), IP address, voice, geolocation data, behavioral data, technical connection and use data
Special Categories of Data
The Personal Data transferred concern the following Special Categories of Data:
The Personal Data transferred will be subject to the following basic Processing activities:
For a signed copy, please email [email protected]
Appendix 2 to the Standard Contractual Clauses
Description of the Technical and Organisational Security Measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Bluebeam shall by itself, and shall ensure that all of its Subprocessors, at all times complies with the following minimum security requirements set forth in this Annex No. 2 and maintain data security in a manner which conforms to generally recognized industry standards, including, without limitation:
(i) maintain network security using: network firewall provisioning, intrusion detection, and vulnerability assessments;
(ii) preserve the confidentiality, integrity and accessibility of Your Content with administrative, technical and physical measures;
(iii) store, Process, and maintain Your Content solely on designated target servers with none of Your Content being transferred to any portable device or storage medium, unless encrypted and for the purpose of either providing technical support services or a designated backup; and
(iv) will store all backups including Your Content in encrypted form, using a commercially supported encryption solution.
Bluebeam shall implement availability control measures so that data is protected against accidental or willful destruction or loss. These measures include back-up strategies (online/offline; on-site/off-site), uninterruptible power supply, virus protection, firewall, reporting channels and disaster recovery plans.
Bluebeam shall implement rapid recoverability measures so that the availability of Personal Data and access to Personal Data can be quickly restored in the event of a physical or technical incident.
Testing and Evaluation
Bluebeam shall implement measures for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in order to ensure that Processing is secure. These measures include data protection management, incident response management, privacy by default settings (Art. 25 Para. 2 of the GDPR).
Bluebeam shall implement input control measures so that it can be ascertained whether and by whom Personal Data has been input, amended or removed in data processing systems. These measures include using logs or document management.
Bluebeam shall implement transfer control measures to prevent unauthorised reading, copying, amendment or removal of data when transferred electronically or transported. These measures include encryption, virtual private networks (VPN), electronic signatures.
Bluebeam shall implement separation control measures so that data which has been collected for different purposes is processed separately. These measures include multi-client capability or sandboxing.
Bluebeam shall implement data access control measures to prevent unauthorised reading, copying, amendment or removal of data within the system. These measures include authorisation concepts, needs-based access rights, self auditing, and access logs.
Bluebeam shall implement system access control measures to ensure that the system is not used by unauthorised individuals, e.g. (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data media.
Bluebeam shall implement physical access control measures to ensure that unauthorised individuals are not able to gain access to data processing systems. These measures include swipe cards or chip cards, keys, electronic door openers, site security or doormen, alarm systems, video systems.