Last updated in February 2021
1.1. Your use of Astute’s products, services, content and web sites (referred to collectively as the “Service” or “Services” in this document and excluding any services provided to you or your employees by Astute under a separate written agreement) is subject to the terms of a legal agreement between you and Astute (as defined below in Section 16.1) contained in this document and/or any other document expressly referred to herein. The Services are accessed through Astute’s proprietary software application(s) (referred to as the “Software” below) accessible at web platform at www.socialbakers.com operated by our affiliate Socialbakers a.s. (“Socialbakers”) and consist in AstuteBotTM, AstuteSocialTM or other Astute products and features that are incorporated into a Socialbakers single log-in, centralised web dashboard that enables you to access data, metrics and analytics from social profiles on multiple social networks (referred to as the “Socialbakers Platform”). The Services are provided as “Software as a Service (SaaS)” subscription services and we will not be delivering copies of the Software to you as part of the Services. This document explains how the agreement is made up and sets out some of the terms of that agreement.
1.2. Unless otherwise agreed in writing with Astute, your agreement with Astute will always include, at a minimum, the terms and conditions set out in this document (the “Terms”).
1.3. The purchase terms of Socialbakers (the “Purchase Terms”) that you accept when executing a binding purchase order with Socialbakers (the “Binding Order”) will govern your purchase. These Terms do not affect your legal relationship with Socialbakers, and you remain responsible for complying with the Purchase Terms.
1.4. These Terms form a legally binding agreement between you and Astute in relation to your use of the Services. It is important that you take the time to read them carefully.
1.5. If there is any contradiction between the Binding Order and these Terms, then the Binding Order shall take precedence in relation to Services listed on that Binding Order.
2.1. In order to use the Services, you must firstly agree to the Terms. You may not use the Services if you do not accept the Terms. You can accept the Terms by signing a written copy of the Terms and delivering it to Astute.
2.2. You may not use the Services and may not accept the Terms if (A) you are not of legal age to form a binding contract with Astute; (B) when signing on behalf of an entity, you are not authorized to legally bind your company or organization to such terms; or (C) you are a person or entity barred from receiving the Services under the laws of State of Ohio or other countries including the country in which you are resident or from which you use the Services.
2.3. The Services are provided by Astute for consideration. The prices applicable to your use of the Services are stipulated in your Binding Order which defines your Payment Terms. Socialbakers will invoice you for the Services in accordance with the terms stipulated in your Payment Terms.
2.4. Astute is not responsible for the payment processing provided by any third party.
2.5. Fees quoted in your Binding Order exclude any and all applicable taxes and similar fees (other than taxes solely based on Socialbakers’ and/or Astute’s income) now in force or imposed in the future on provision of the Services, including any sales, use or value added taxes, services tax or withholding tax, and you shall be responsible for payment of all such taxes.
3.1. The Terms are provided in English. If Astute has provided you with a translation of the English language version of the Terms, you agree that the translation is provided only for your convenience, and that the English language versions of the Terms will govern your relationship with Astute.
3.2. If there is any contradiction between the English language version of the Terms and the translation, the English language version shall take precedence.
4.1. Astute may have subsidiaries and affiliated legal entities in other countries. At times, these companies or their employees may serve as contact points with respect to the Services provided to you by Astute. Even where Astute’s subsidiaries or affiliates are your primary contact points, Astute as the Services provider will remain ultimately responsible for the provision of Services hereunder. Astute may use services of independent service providers/contractors who may provide Services to you on our behalf.
4.2. Astute is constantly innovating in order to provide the best possible experience for its users. You acknowledge and agree that the form and nature of the Services which Astute provides may change from time to time without prior notice to you.
4.3. As part of this continuing innovation, you acknowledge and agree that Astute may permanently or temporarily stop providing the Services (or any features within the Services) to you or to users generally at Astute’s sole discretion, without prior notice to you. If you have pre-paid the Services for a fixed period of time and (A) Astute stops providing the Services for any reason other than your breach pursuant to Section 12.3 A or legal requirement pursuant to Section 12.3 B; or (B) you terminate the Terms for Astute’s material breach pursuant to Section 12.3 A; Astute will refund to you pro-rata the corresponding fees for Services already paid by you equivalent to the part or remainder of the term in which you will not use the Services.
4.4. You understand and agree that Astute may at its full discretion suspend access to your account for (i) delay with any payment (including delay resulting from your failure to provide billing details or failure to cooperate in order to enable Socialbakers to issue a valid invoice within (fifteen) 15 days from the Service start date stipulated on your Binding Order) or (ii) other breach of the Terms if such breach is material, and that in such case you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account. If your access to the Services had been suspended for delayed payment or other (material) breach of the Terms, and subsequently was reactivated (e.g. after the breach had been cured), you still remain obliged to pay the Services fees for the entire subscription term including the period for which you could not access the Services as a result of your default; you will not be entitled to any compensation or refunds (whether monetary or in the form of extra days of Services / extended subscription term) for the period for which you could not use the Services. Such suspension of Service shall not be considered a breach of the Terms by Astute. Further, the foregoing is without prejudice to Astute’s right to terminate the legal agreement embodied in the Terms for material breach pursuant to Section 12.3 of the Terms.
5.1. To access the Services, you or your individual end-users will be required to register into the Socialbakers Platform and, pursuant to the terms of the Socialbakers Platform, provide identification, contact or similar details as part of the registration process for the Service or as part of your continued use of the Services. You may not use the Services based on these Terms independently without the Socialbakers Platform.
5.2. You agree to use the Services only for purposes that are permitted by (A) the Terms; (B) any applicable law, regulation, generally accepted practices, or guidelines in the relevant jurisdictions (including any laws regarding the export of data or software to and from the EU, the United States or other relevant countries); and (C) any other applicable rules (including, without limitation, Socialbakers Platform terms, Facebook, Twitter and other social media platform rules).
5.3. You agree not to access (or attempt to access) any of the Services by any means other than through the interface that is provided directly or indirectly by Astute, unless you have been specifically allowed to do so in a separate written agreement with Astute.
5.4. You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services).
5.5. Unless you have been specifically permitted to do so in a separate agreement with Astute, you agree that you will not reproduce, duplicate, copy, sell, trade or resell the Services for any purpose. The Services can be used by you only for your own internal business purposes or, if you are an agency providing data analytics, marketing or similar services to your clients, you may use the Services solely for the benefit of your clients explicitly listed in the Binding Order. You may not use the Services for the benefit of any third parties not explicitly listed in the Binding Order. You acknowledge that use of the Services in breach of this Section 5.5 will be considered a material breach of these Terms, with all consequences resulting therefrom.
5.6. You agree that you will not engage in any activity that may amount to the misuse of our Services or that seeks to circumvent the Services’ terms. For example, if Astute provides you with any portion of a Service for free (as part of a trial, pilot or otherwise), you may not engage in data mining or other excessive use of the Service, beyond what is permitted by the free Service (and as advertised for that free Service at the time of the relevant promotion). Astute reserves the right to limit your activity on any of its free Services for any reason and without notice.
5.7. You agree that you are solely responsible for (and that Astute has no responsibility to you or to any third party for) any breach of your obligations under the Terms and for the consequences (including any loss or damage which Astute may suffer) of any such breach by you or your customers.
5.8. You acknowledge that additional third-party fees (such as internet service provider fee, Socialbakers Platform fee, social media platform fee, fee for boosted or promoted posts, third-party add-on fee or similar) may apply in connection with your use of Astute’s Services. Selected third party fees are payable by you directly to the relevant third party and the relevant third party receiving such additional fees is responsible for the processing of such fees. You agree that you are solely responsible for payment of such fees or for maintaining appropriate level of funds where applicable. Astute has no responsibility to you or to any third party for payment of any such fees or for unavailability of Services due to your failure to do so.
6.1. You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services pursuant to the terms of the Socialbakers Platform, through which Astute’s Services are accessible.
6.2. Accordingly, you agree that you will be solely responsible for all activities that occur under your account.
6.3. If you become aware of any unauthorised use of your password or of your account, you agree to notify Astute immediately at info at Socialbakers dot com.
7.1. We are serious about privacy of all individuals who use our Services or whose personal data we process.
7.2. We may process your personal data to provide and administer the Service and communicate with you, to provide a better user experience, inform you of new Services or Service features, and, in limited circumstance, to protect the Services and our rights. We process your personal data as a data controller. We may also process personal data as a data processor to the extent when (A) you are a data controller with respect to personal data specified in Annex 1, and (B) you instruct us to process such personal data on your behalf within the Services. As an example, we act as a data processor with respect to personal data included in the content of communication between you and your clients (or any other data subjects, as may be applicable, such as your followers or other persons interacting with you through your social media profiles) via your social network pages (e.g. Facebook messages). In such case, the data processing agreement in Annex 1 shall regulate the processing of such personal data. The nature and extent of processing, the type of personal data processed, the purposes and legal basis on which we process personal data, as well as the organisational and technical measures that we implemented to ensure the security of processing, are described in detail in our Privacy Policy available at https://astutesolutions.com/privacy-policy, which applies to the processing of personal data within or in connection with our provision of Services to you and sets out our commitment to protecting personal data and privacy of individuals.
7.3. Astute has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines in accordance with good industry practice and having regard to the state of technological development to protect your data against accidental loss, destruction, or alteration; unauthorized disclosure or access (including but not limited to taking reasonable steps to ensure the reliability of employees having access to your data and providing for limited access rights and access controls; authentication; personnel training; regular back up; data recovery and incident management procedures; restrictions on storing, printing and disposal of personal data; software protection of devices on which personal data are stored; etc.); or unlawful destruction.
7.4. Data collected from you or your end-users may be transferred to, and stored and processed in, the United States or any other country outside the EEA in which Astute or its affiliates, or Astute’s subcontractors, suppliers or vendors maintain facilities, subject to Astute implementing such appropriate legal mechanisms as required by applicable law to ensure an adequate level of personal data protection by the third-party processors, such as, to the extent applicable, the controller-to-processor Standard Contractual Clauses approved by the European Commission (2010/87/EU) for data transfers from the EU to the USA and/or other third countries.
7.5. You agree that Astute may use aggregated and anonymised data derived from the data provided by you or collected by the program analytics such as user behaviour and activities for its own statistics, for auditing, for the purposes of product and market research and analytics (which help Astute to optimise and improve its Services and their usability, the range of Services, and to develop new technologies, products and services), and for benchmarks and other analyses. Astute may publish such anonymised data and share them with third parties outside of Astute; however, Astute will not directly or indirectly transfer any data received from you to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising or monetization related toolset.
8.1. You understand that all information such as, without limitation, data files, written text, computer software, music, audio files or other sounds, photographs, and videos or other images (all such information being hereinafter referred to as the “Content”) which you may have access to as part of, or through your use of, the Services are the sole responsibility of the person from which such Content originated. Astute assumes no responsibility or liability for any Content not originated by Astute.
8.2. You should be aware that Content presented to you as part of the Services, including but not limited to advertisements in the Services and sponsored Content within the Services (if any), may be protected by intellectual property, proprietary or privacy rights owned by the sponsors or advertisers who provide such Content to Astute (or by other persons or companies on their behalf), and that the Content may include sensitive personal data. You may not modify, rent, lease, loan, sell, distribute or create derivative works based on such Content (either in whole or in part), unless you have been specifically told that you may do so by Astute or by the owners of that Content, in a separate agreement.
8.3. You understand that by using the Services you may be exposed to Content that you may find offensive, indecent or objectionable and that, in this respect, you use the Services at your own risk.
8.4. You agree that you are solely responsible for (and that Astute has no responsibility to you or to any third party for) any Content that you create, transmit or display while using the Services and for the consequences of your actions (including any loss or damage which Astute or third parties may incur and including any other legal liability, whether liability under civil, commercial, tort, penal or administrative law or any other legal theory) by doing so. You may not use the Services to intentionally transmit or make public infringing, libelous, or otherwise unlawful or tortious Content or to store, transmit or make public any Content in violation of third party’s intellectual property or similar rights. You shall indemnify and hold Astute harmless from all claims and all liabilities, costs, proceedings, damages and expenses awarded against, or incurred or paid by Astute as a result of or in connection with (i) your breach of any third party’s intellectual property or similar rights or (ii) your breach of warranty under Section 11.5 below.
9.1 You acknowledge and agree that Astute (or Astute’s licensors) owns all legal rights, title and interest in and to the Services, including any intellectual property rights which subsist in the Services (whether those rights happen to be registered or not, and wherever in the world those rights may exist). You further acknowledge that the Services may contain information which is designated confidential by Astute and that you shall not disclose such information without Astute’s prior written consent.
9.2. Unless you have agreed otherwise in writing with Astute, nothing in the Terms gives you a right to use any of Astute’s trade names, trademarks, service marks, logos, domain names and any other distinctive brand features.
9.3. Other than the limited license set forth in Section 11, Astute acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under the Terms in or to any Content that you submit, post, transmit or display on, or through, the Services, including any intellectual property rights which subsist in that Content (whether those rights happen to be registered or not, and wherever in the world those rights may exist). Unless you have agreed otherwise in writing with Astute, you agree that you are responsible for protecting and enforcing those rights and that Astute has no obligation to do so on your behalf.
9.4. You agree not to remove, obscure, or alter any proprietary rights notices (including copyright and trademark notices) which may be affixed to or contained within the Services or any outputs, if applicable.
9.5. Unless you have been expressly authorised to do so in writing by Astute, you agree that, in connection with the Services, you will not use any trade mark, service mark, trade name, logo of any third-party company or organisation in a way that is likely or intended to cause confusion about the owner or authorised user of such marks, names or logos.
9.6. Astute shall indemnify and hold you harmless against all claims and all direct liabilities, costs, proceedings, damages and expenses awarded against, or incurred or paid by, you as a result of or in connection with any actual and proven infringement by Astute of any third party’s intellectual property rights. In respect of the indemnities set out in this Section 9.6, Astute shall be granted sole control and authority over the defence and/or settlement of any claim, suit or action for which Astute is providing an indemnity. You shall give Astute prompt written notice of any claim, and, upon Astute’s request and at Astute’s expense, shall provide reasonable assistance with the defence of the claim. The claims against Astute based on this Section 9.6 can be brought within one (1) year from the expiry or termination of your relationship with Astute.
10.1. Astute gives you a worldwide, royalty-free, non-assignable and non-exclusive right and licence to access and use the Services through the Software, on a subscription basis, for the term and in the scope stipulated in your Binding Order or a similar document incorporating the Terms. Any Services unused during your subscription term (incl. but not limited to situations where you do not use the prepaid Services in full scope or if you do not use the prepaid Services for the full duration of the subscription term) shall expire at the end of the subscription term and cannot be transferred to consecutive terms or be refunded. The licence granted in this Section 10.1 is for the sole purpose of enabling you (end-users within your organization, as designated on your Binding Order or a similar document incorporating the Terms) to use and enjoy the benefit of the Services as provided by Astute, in the manner permitted by the Terms (in particular Section 5) and the Binding Order. You may not use the Services for the benefit of any third parties unless they are explicitly listed in the relevant Binding Order; if you are an agency, this means you are only permitted to use the Services for the benefit of the specific clients approved in writing in the Binding Order or a similar document incorporating the Terms. You acknowledge that this is a SaaS agreement and that (i) the Software is not sold, and (ii) we will not be delivering copies of the Software to you as part of the Services.
10.2. You may not (and you may not permit anyone else to) copy, modify, create a derivative work of, reverse engineer, decompile or otherwise attempt to extract the source code of the Software, ideas or patterns underlying the Service or any part thereof, unless this is expressly permitted or required by law, or unless you have been specifically told that you may do so by Astute in writing. You may not access and/or use the Service and the underlying Software, ideas or patterns in order to build a similar or competitive product. You further may not (and you may not permit anyone else to) attempt to gain unauthorized access to the Services, its particular features or third-party content created by or for another Astute’s customer, interfere with or disrupt the integrity or performance of the Services or third-party content contained therein or perform penetration test, denial of service simulation or automated vulnerability scan of the Services.
10.3. Unless Astute has given you specific written permission to do so, you may not assign (or grant a sub-licence of) your rights, grant a security interest in or over your rights, or otherwise transfer any part of your rights granted hereunder.
10.4. You acknowledge that any breach of Section 10 by you or your end-users shall constitute a material breach of the Terms, with all consequences arising therefrom.
11.1. You retain copyright and any other intellectual property rights you already hold in Content which you submit, post or display on or through the Services.
11.2. If you provide, as part of your use of Astute’s Services or as part of the Content which you submit, post or display on or through the Services, any photograph or other materials protected by personality or privacy rights, you specifically agree that Astute may use such photograph or other materials for the sole purpose of providing the Services.
11.3. You understand that Astute, in performing the required technical steps to provide the Services to you, may transmit or distribute your Content over various public networks and in various media. You agree that this licence shall permit Astute to take these actions.
11.4. You acknowledge that provision of Astute’s Services (or particular features within the Services) may be conditioned upon and subject to (A) you giving Astute appropriate access level to your social media content by providing respective social media platform access permissions; and (B) you having appropriate user permissions or roles within the respective social media platform. As a result, when using Astute’s Services, you may be required to grant Astute certain permissions (through a dedicated permission token or a similar permission mechanism) to allow the Services access specific information and perform the requested actions.
11.5. You confirm and warrant to Astute that you have all the rights, power and authority necessary to grant the above licence, access and permissions to Astute.
11.6. If any permission granted by you results in Astute obtaining access to a private layer of data available through the respective social media platform, Astute will keep such information confidential at all times, except where legally compelled to disclose the relevant information. Such obligation will not, however, apply to any information that (i) was publicly known and made generally available in the public domain prior to grating the permission to Astute; (ii) becomes publicly known and made generally available after granting the permission to Astute other than as a result of a violation of this Section 11.6 by Astute; (iii) is already in the possession of Astute at the time of granting the permission; (iv) is obtained by Astute from a third party without a breach of the third party’s obligations of confidentiality; or (v) is independently developed by Astute without the use of your confidential information. If a separate non-disclosure agreement stipulating similar confidentiality obligations is in place between you and Astute, the stricter of the confidentiality obligations shall apply.
12.1. The Terms will continue to apply during the term stipulated in your Binding Order or other similar document incorporating the Terms, or, if no such term is stipulated, until terminated by either you or Astute as set out below.
12.2. During the agreement term stipulated in your Binding Order, each party may only terminate the Terms for reasons stipulated in Section 12.3.
12.3. Each of the parties may at any time terminate the legal agreement embodied in the Terms if (A) the other party has materially breached any provision of the Terms and failed to cure the breach (where such breach is capable of being cured) within a reasonable cure period provided by the other party, or has acted in a manner which clearly shows that it does not intend to, or is unable to comply with the provisions of the Terms; or (B) a party is required to do so by law (for example, where the provision of the Services is or becomes unlawful); in addition, Astute may at any time terminate the legal agreement embodied in the Terms if (C) the partner with whom Astute offered the Services to you, or whom Astute uses or whose cooperation Astute needs in order to offer the Services to you (such as the social media platforms), has terminated its relationship with Astute or ceased to offer its APIs, data, programs, application or services that are essential for the Services; or (D) Astute is transitioning to no longer providing the Services to users in the country in which you reside or from which you use the Services; or (E) the provision of the Services to you by Astute is, in Astute’s opinion, no longer commercially viable. For the purposes of the Terms, your failure to make timely payments under the Terms and/or your Binding Order will be considered a material breach of the Terms if the due amount remains unpaid (fully or partially) more than 90 days after the payment due date. In the event you terminate the agreement for a material breach by Astute as described in (A) above, or if Astute ceases to provide any part or all of the Services during the agreement term for reasons stipulated in (C), (D) or (E) above, you shall not be required to make any payments for Services beyond the date of when you terminated the agreement or when Astute ceased to provide the Services (as applicable). In the event you prepaid the Services, Astute shall in such cases refund the pro-rata proportion of the pre-paid monthly fee.
12.4. Nothing in this Section 12 shall affect Astute’s rights regarding provision of Services under Section 4 of the Terms.
12.5. When your legal agreement with Astute comes to an end, all of the legal rights, obligations and liabilities that you and Astute have benefited from, been subject to (or which have accrued over time whilst your legal agreement with Astute has been in force) and/or which are expressed to continue indefinitely, shall be unaffected by this cessation, and the provisions of Section 16.7 shall continue to apply to such rights, obligations and liabilities indefinitely.
12.6 Further, you understand and agree that if you, despite the termination or expiration of your legal agreement with Astute for any reason, continue using the Services (e.g. in a situation when your fixed-term order for the Services expires), the terms and conditions contained in the Terms (including the Payment Terms) will continue to apply, and you undertake to pay for the use of the Services by you or your end-users in accordance with the Payment Terms.
13.1. The Services are provided “as is” and Astute, its subsidiaries and affiliates, and its licensors give you no warranty with respect to them. Services features that interoperate with social media networks depend on the continuing availability of those social media network’s APIs, data, application, programs and services for use with the Service. If any social media network ceases to make its APIs, data, application, programs or services available on reasonable terms for the Service, Astute may cease providing such Service features upon reasonable prior written notice to you pursuant to Section 12.3 (C). Astute is not liable or responsible for the quality, accuracy or truthfulness of services or information obtained from social media networks and used within the Services or for interruption of access to such information caused by downtime or unavailability of the social media networks. Social media network content is not created or edited by Astute. Astute expressly disclaims and has no responsibility or liability for any social media network content that may be collected, received or created by you or your end-users in use of the Service.
13.2. In particular, Astute, its subsidiaries and affiliates, and licensors do not represent or warrant to you that (A) your use of the Services will meet your requirements; (B) your use of the Services will be uninterrupted, timely, secure or free from error; (C) any information obtained by you as a result of your use of the Services will be accurate or reliable; and (D) that defects in the operation or functionality of any Software used to provide the Services will be corrected.
13.3. No conditions, warranties or other terms (including any implied terms as to satisfactory quality, fitness for purpose or conformance with description) apply to the Services except to the extent that they are expressly set out in the Terms.
13.4. Nothing in the Terms shall affect those statutory rights which you are always entitled to as a consumer and that you cannot contractually agree to alter or waive.
14.1. Nothing in the Terms shall exclude or limit Astute’s liability for losses which may not be lawfully excluded or limited by applicable law.
14.2. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WHATEVER THE LEGAL BASIS FOR THE CLAIM, ASTUTE WILL NOT BE LIABLE FOR ANY INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ATTORNEYS’ FEES), DAMAGES FOR LOST PROFITS OR REVENUES, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) DUE TO, RESULTING FROM, OR ARISING IN CONNECTION WITH THE TERMS, THE SERVICES, MATERIALS, OR THE FAILURE TO PERFORM OUR OBLIGATIONS.
14.3. Subject to overall provision in Section 14.1 above, Astute, its subsidiaries and affiliates, and its licensors shall not be liable to you for any indirect or consequential losses which may be incurred by you. Indirect and consequential losses shall include (A) any loss of profit (whether incurred directly or indirectly), loss of goodwill or business reputation, or any loss of data suffered by you; (B) loss or damage which may be incurred by you as a result of (i) any reliance placed by you on the completeness, accuracy or existence of any advertising, or as a result of any relationship or transaction between you and any advertiser or sponsor whose advertising appears on the Services; (ii) any changes which Astute may make to the Services, or for any permanent or temporary cessation in the provision of the Services (or any features within the Services); (iii) the deletion of, corruption of, or failure to store, any Content and other communications data maintained or transmitted by or through your use of the Services; (iv) your failure to provide Astute with accurate account information; (v) your failure to keep your password or account details secure and confidential.
14.4. The limitations of Astute’s liability to you in Section 14.3 above shall apply whether or not Astute has been advised of or should have been aware of the possibility of any such losses arising.
14.5. Except for liabilities arising out of Astute’s indemnification obligations under Section 9.6 above, Astute’s liability for damage incurred by you as a result of or in connection with the Services shall be limited to direct damages up to the amount you paid to Astute for the Services giving rise to that liability during the last three months before the occurrence of Astute’s liability (or amount corresponding to a three-month Service fee, as applicable). Astute and you agree that this limitation reflects the damage that can be foreseen at the time of conclusion of this legal agreement between you and Astute, taking into account all circumstances the parties know or should know while exercising due care and that can arise from a breach of Astute’s obligations under the Terms.
15.1. Any changes to the Terms shall be made by a written amendment and shall be effective once both parties have signed such amendment.
16.1. “Astute” or “we” means Astute, Inc., whose principal place of business is at 4400 Easton Commons Suite 250 Columbus, Ohio, 43219 . “You” means the entity or individual that is entering into the legal agreement for the Services with us and that is identified on the Binding Order (or this agreement, if applicable). Equally, where applicable, “you” means the individual that is using the Services, or who is registered with Astute.
16.2. Sometimes when you use the Services, you may (as a result of or through your use of the Services) use a service or download a piece of software or purchase goods, which are provided by another person or company. Your use of these other services, software or goods may be subject to separate terms between you and the company or person concerned. If so, the Terms do not affect your legal relationship with these other companies or individuals and you remain responsible for complying with the terms of use of such third party’ services, software or goods. If you use third parties’ services, software or goods while using the Services, you declare that you act in compliance with their terms of use. In particular, if you use Facebook, Twitter or YouTube while using the Services, you must comply with the applicable Facebook (https://www.facebook.com/terms.php), Twitter (https://twitter.com/en/tos), YouTube (https://www.youtube.com/t/terms) or Google (https://www.google.com/intl/en/policies/privacy/) or Socialbakers (https://www.socialbakers.com/terms-and-conditions) rules in versions effective as of the date of use of such services.
16.3. The Terms constitute the whole legal agreement between you and Astute and govern your use of the Services (excluding any services which Astute may provide to you under a separate written agreement), and completely replace any prior agreements between you and Astute in relation to the Services.
16.4. All notices, permissions and approvals hereunder shall be in writing and shall be in person or in writing and sent via certified or registered mail, return receipt requested, or overnight courier service. Notices shall be addressed to President and CTO Alex George 4400 Easton Commons, Suite 250 Columbus, OH 43219 6145086100 alegeo@astutesolutions.com. Notices to you shall be address to your signatory unless otherwise designated below. Billing related notices to you shall be addressed to the relevant billing contact designated by you.
16.5. Except for performance of a payment obligations, neither party will be responsible for any failure to perform or delay in performing any of its obligations under the Terms where and to the extent that such failure or delay results directly or indirectly from an event beyond such party’s reasonable control.
16.6. The parties agree that if one of them does not exercise or enforce any legal right or remedy which is contained in the Terms (or which such party has the benefit of under any applicable law), this will not be taken to be a formal waiver of such party’s rights and that those rights or remedies will still be available to it.
16.7. If any court of law, having the jurisdiction to decide on this matter, rules that any provision of the Terms is invalid, then that provision will be removed from the Terms without affecting the rest of the Terms. The remaining provisions of the Terms will continue to be valid and enforceable.
16.8. The Terms, and your relationship with Astute under the Terms, shall be governed by law of the State of Ohio. You and Astute agree to submit to the jurisdiction of the courts of the State of Ohio to resolve any legal matters arising from the Terms. Notwithstanding this, you agree that Astute shall still be allowed to apply (A) for payment orders (or otherwise enforce payment for Services provided under the Terms) in the jurisdiction in which you have your registered seat or principal place of business, and (B) for injunctive remedies (or an equivalent type of urgent legal relief) in any jurisdiction. Each party hereby waives any right to a jury trial in connection with any action or litigation in any way arising out of or related to the Binding Order/these Terms.
16.9. Neither Party may assign any of its rights nor delegate any of its duties under these Terms without the prior written consent of the other Party, which consent will not be unreasonably withheld, provided that Astute may use independent service providers/contractors to deliver Services as provided in Section 4.1. Any unauthorized assignment of these Terms will be null and void. Notwithstanding the foregoing, either party may assign these Terms in its entirety (including Binding Orders and Annexes), without consent of the other Party, to the acquiring person in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other Party. A Party’s sole remedy for any purported assignment by the other Party in breach of the paragraph shall be, at the nonassigning Party’s election, termination of the Binding Order and these Terms upon written notice to the assigning Party. Subject to the foregoing, these Terms shall bind and inure to the benefits of the Parties, their respective successors and permitted assigns.
16.10. Annexes and Exhibits to these Terms are hereby incorporated into these Terms and binding on both parties.
This Annex 1 – Data processing agreement shall only apply if Astute provides to you Services or Services’ features within which we only have access to certain personal data because you give us your permission, authorization, token or other mechanism that allows us to access, collect or otherwise process such data, and thereby instruct us to process such personal data on your behalf; for example:
As a data controller with respect to any personal data that you instruct us to process in the context of the Services, you are responsible for the lawfulness of such processing, including the requisite legal titles (consents or other, as may be applicable) for processing. Further, if you instruct Astute to make your data available to, or share your data with, your other service providers, for example by connecting your Astute account with the accounts you have with your other service providers, you remain responsible for implementing the requisite legal measures (such as a data processing agreement between you and your other service provider) for the processing of the data you instruct us to furnish to your other service provider. Astute is not liable for any misprocessing of data that could occur by your provision of the data to Astute or your instruction to Astute to process such data on your behalf.
This Annex 1 – data processing agreement does not apply in situations where we collect and process personal data as a data controller (see our Privacy Policy for further details).
“CCPA” means the California Consumer Privacy Act of 2018, Civil Code sections 1798.100 et seq.;
“DPA” means the data processing agreement included in this Annex 1;
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Services” means, for the purpose of this Annex 1, all Services Astute provides to you under the Terms as your data processor, as specified in the Preamble of this DPA;
“Terms” means the Terms to which this Annex 1 is appended to.
The terms “personal data”, “processing” and “data subject” shall have the meaning ascribed to them in the GDPR. The term “personal data” includes “personal information” as defined in the CCPA; the term “data subject” includes “consumer” as defined in the CCPA.
The object/scope of this DPA is the processing of personal data in connection with the provision of the Services specified in this DPA, in particular its Exhibit A.
The duration of this DPA shall correspond to the term of your subscription to Astute’s Services.
4.1. The nature and purpose of the intended processing are defined in the Terms and correspond to the provision of the Services defined in this DPA.
4.2. Each and every transfer of personal data beyond the EU / EEA shall only take place if the specific conditions as laid down in Art. 44 et seq. GDPR have been fulfilled. All transfers of personal data out of the European Union, European Economic Area, United Kingdom, and Switzerland under this DPA shall be governed by the Standard Contractual Clauses in Exhibit B.
4.3. The types of personal data processed under this DPA and categories of data subjects are specified in Exhibit A hereto. The scope of personal data is determined and controlled by you in your sole discretion, and may include, without limitation:
The exact scope of personal data processed will always depend on the specific Service you use.
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we are obliged to implement appropriate technical and organizational measures in such a manner that the processing of personal data will meet the requirements of applicable data protection laws and this DPA.
5.2. We have implemented technical and organisational measures as specified in the Security Policies and Practices available at: https://astutesolutions.com/data-security. You hereby acknowledge and agree that these measures are appropriate and sufficient to conform to the applicable data protection laws.
6.1. We will only erase or block personal data upon instruction issued by you. In case of requests regarding the rectification, restriction or the erasure directly addressed to us by a data subject, we will inform you about such request without undue delay.
6.2. Where appropriate we will assist and support you in fulfilment of your obligations under the GDPR and/or CCPA to respond to requests for exercising the data subject’s right, in particular the ‘right to be forgotten’, rectification, restriction, data portability, information and access rights.
6.3. You hereby agree that Astute shall not be liable if you do not take action on the data subject’s request, or if you do not respond correctly or in a timely manner.
7.1. We undertake to:
8.1. We shall engage another processor (i. e. a sub-processor) only in accordance with this DPA. The mechanism hereby stipulated shall be considered a general written authorisation from you (pursuant to Article 28 par. 2 of the GDPR, to the extent applicable).
8.2. If we engage another processor for carrying out specific processing activities on your behalf, the same obligations as set out in this DPA shall be imposed on that other processor by way of a written contract.
8.3. The sub-processors currently engaged by us and hereby authorized by you are listed in Exhibit A hereto. We will inform you of any intended changes concerning the addition or replacement of other processors, including full details of the processing to be undertaken by the new processor(s), giving you the opportunity to object to such changes.
8.4. If you have a reasonable basis to object to our use of another new processor, you shall notify us promptly in writing within 5 days after being notified. For the avoidance of doubt, you hereby agree that if you are not able to show evidence that the new processor provides an unacceptable risk to the protection of personal data (e.g., the other processor has a history of security breaches) or is your direct competitor, it would be unreasonable for you to object if the other processor has passed our vendor security evaluation.
8.5. Notwithstanding the foregoing, if you object to the engagement of another processor and your objection is not unreasonable, the parties will come together in good faith to discuss an appropriate solution. We may in particular choose not to use the intended processor, or engage the processor only after we take the corrective steps and / or measures requested by you.
8.6. If you interconnect the direct messaging or other similar features of Astute Services with a third-party application, the third-party application will have access via APIs to data from Astute Community direct messaging or similar feature. In such cases, the third-party vendors with whom data are shared shall not be considered our sub-processors engaged by us according to this Section 8; the processing of the shared data shall be subject to a separate data processing agreement or a similar contractual arrangement concluded directly between you and your relevant third-party vendor.
9.1. Upon reasonable advance notice of at least 90 days and in order to ensure and review compliance with the technical and organizational security measures and the obligations laid down in this DPA, we shall permit you to conduct periodic audits or to have them carried out by an auditor mandated by you. We shall, at your written request and within a reasonable period of time, submit to you any and all information, documentation and other factual evidence necessary for the audit. The audit result shall be documented appropriately.
9.2. Audits shall be conducted during reasonable times, shall be of reasonable duration, and shall not unreasonably interfere with our day-to-day operations. In the event that you conduct an audit through a third-party independent contractor, such independent contractor shall be required to enter into a non-disclosure agreement. Additionally, such independent contractor must not be our direct or indirect competitor, nor a person who can reasonably be considered by us unfit (from professional, experience and historic reasons) to perform such audit.
10.1 Unless otherwise stipulated herein, the provisions of the Terms shall apply, including any exclusions and limitation of warranties and liabilities provided therein. Provisions in this DPA shall have precedence over any provisions of the Terms relating to the processing of personal data by Astute in the position of a data processor, if any.
| Subject Matter and Nature of Processing | The subject matter of the processing of personal data is set out in the Terms. The nature of the processing means any operation that Astute may perform on personal data or on sets of personal data when providing Services, which may include in particular collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, disclosure by transmission or otherwise making available, alignment or combination, erasure or destruction of data (whether or not by automated means). |
| Purposes of processing | Provision of Socialbakers’ Services (SaaS) consisting in data analytics and social media management (including, where applicable, “Community” and “customer care” management) for marketing on social media. |
| Categories of data | As a data controller you may submit or allow access to personal data within the customer care feature of Astute Service “AstuteBot”, review management feature of Astute Service “AstuteSocial” or other Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to the following categories of personal data:
|
| Categories of data subjects | As a data controller you may submit or allow access to personal data within the customer care feature of Astute’s Service “AstuteBot”, review management feature of Astute Service “AstuteSocial” or other Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:
|
| Location of processing operations | Czech Republic, EU, USA (Astute’s Services are hosted on AWS cloud). For full information see Astute Privacy Policy available at https://astutesolutions.com/privacy-policy. |
| Sub-processors | The then-current sub-processors are:
|
These Standard Contractual Clauses shall be incorporated by into the legal agreements between you and Astute as set forth in the Terms and shall be binding for both parties.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,
Entity defined as “you” in the Terms (as data exporter)
and
Astute, Inc. as defined in the Terms (as data importer),
each a “party,” together “the parties,”
have agreed on the following Contractual Clauses (the “Clauses” or “Standard Contractual Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 below which forms an integral part of the Clauses.
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 below;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11; and
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Data exporter: You are the data exporter. The data exporter is a user of Services as defined in the DPA.
Data importer: The data importer is Astute, Inc.
Data subjects: Data subjects are defined in Exhibit A to the DPA.
Categories of data: Categories of personal data are defined in Exhibit A to the DPA.
Processing operations: Provision of the Services as described in the DPA and Exhibit A to the DPA.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Data importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines in accordance with good industry practice and having regard to the state of technological development to protect personal data against accidental loss, destruction, or alteration; unauthorized disclosure or access (including but not limited to taking reasonable steps to ensure the reliability of employees having access to your data and providing for limited access rights and access controls; authentication; personnel training; regular back up; data recovery and incident management procedures; restrictions on storing, printing and disposal of personal data; software protection of devices on which personal data are stored; etc.); or unlawful destruction.
The implemented technical and organizational measures, internal controls, and information security routines intended to protect personal data are further defined in https://astutesolutions.com/data-security.