Marfeel SaaS General Terms of Service GTOS

Last update: November 14, 2022 (download)

Previous versions

• March 1st, 2021 ( download )
• March 18th, 2021 ( download )
• March 22nd, 2021 ( download )
• May 31, 2021 ( download )
• August 4, 2021 ( download )
• November 15, 2021 ( download )
• February 04, 2022 ( download )
• April 21, 2022 ( download )

MARFEEL SaaS GENERAL TERMS OF SERVICE

Last update: November 14, 2022

This Contract is entered between Marfeel Solutions, S.L., a Spanish limited liability company with VAT number ESB65651259 (hereinafter may be referred as the COMPANY or MARFEEL) and the CLIENT. Both parties may be referred jointly as the PARTIES.

1. Scope of the agreement

1.1. This SAAS GENERAL TERMS OF SERVICE below set forth the rights and obligations of the PARTIES associated with the implementation and execution of the SERVICE (S) (defined below) on the CLIENT’S website. Before using the SERVICE, CLIENT must read and affirmatively indicate its acceptance of the following SAAS GENERAL TERMS OF SERVICE, and any applicable SERVICE ORDER FORM (as defined below) (individually or collectively the "Contract and/or the “Agreement”).

1.2. SERVICE(S): Are the proprietary software services that MARFEEL will provide to the CLIENT that are described in a specific SERVICE ORDER FORM and that will be governed by this SAAS General Terms of Service.

1.3SERVICE ORDER FORM:Is the document issued by MARFEEL which describes the SERVICE requested and accepted by the CLIENT and any specific terms and conditions. Each SERVICE ORDER FORM shall be deemed a two-party agreement between Marfeel and the Client and shall be deemed to incorporate be subject to all the terms and conditions of this Marfeel Saas General Terms of Service.

2. Fees and payment

2.1. Except with regard to Data any Free Period, MARFEEL will bill the CLIENT in advance and according to the Billing Frequency stated on the respective SERVICE ORDER FORM. Invoices must be paid within 10 days counted since the date of issuance.

2.2.Overdue invoices are subject to a late payment penalty of 20% of the total amount due. The imposition of the Late Payment Amount shall be in addition to any other rights and remedies of MARFEEL.

2.3. All amounts due shall be paid in EUROS or US DOLLARS. SERVICE fees are exclusive of all banking fees and all taxes, levies, or duties imposed by taxing authorities, and CLIENT is responsible for payment of all such fees, taxes, levies, or duties. In the event CLIENT is required to withhold any portion of SERVICE fees due to payments to banks or taxing authorities, (i) agrees to do so and to indemnify the COMPANY for any liability resulting from its failure to make such withholdings, and (ii) the COMPANY reserves the right to adjust the pricing of the SERVICE so that it is responsible for payment to MARFEEL of the full amount for the SERVICE, net of any such withholdings.

3. Term and termination

3.1. The Initial Date of the SERVICE ruled by this Agreement is described in the respective SERVICE ORDER FORM.

3.2. Each SERVICE ORDER FORM will remain in effect for the term indicated therewith counted since the Initial Date. Thereafter, it will renew automatically for the same term unless either party refuses such renewal by providing a written notice of termination of at least two (2) months before the end of the current term.

In case the CLIENT fails to comply with the notice period, the SERVICE ORDER FORM will deem to be automatically renewed for the same terms.

Under no circumstances MARFEEL will refund any prepaid fees or amounts paid by CLIENT.

3.3. Notwithstanding point 3.2, the CLIENT will have a 5 week period counted from the Initial Date in which it will be entitled to terminate the SERVICE ORDER FORM for any reason. If the CLIENT exercises this option, MARFEEL will not reimburse any kind of fees or amounts paid by the CLIENT.

3.4. MARFEEL may terminate this Agreement immediately and retain any fees previously paid by the CLIENT, if in its sole discretion, determines that the CLIENT: i) fails to comply with any provision stated herein or any other instruction as provided by MARFEEL; ii) fails to use the SERVICES in a fair and honest manner, iii) or does not cooperate with MARFEEL to ensure the fulfillment of the contract; or iv) use the SERVICES in any way that may hinder the performance of the SERVICES or MARFEEL networks.

MARFEEL may also, permanently or temporarily, terminate, suspend, or otherwise refuse to permit the CLIENT’s use of the SERVICE(S) upon reasonable prior notice without incurring liability as a result thereof, if in its sole determination, CLIENT violates, is reasonably likely to violate this CONTRACT, including without limitation, by the nonpayment of fees.

3.5. Upon termination of this Agreement, all licenses, and any other rights and SERVICE (S) provided by MARFEEL to CLIENT in this Contract, shall cease immediately, and, unless otherwise specified in an applicable SERVICE ORDER FORM, MARFEEL will have no obligation to store, retain or provide any Traffic Data (historical or otherwise) to the CLIENT.

Survival: Sections 2, 5 to 8 inclusive, and section 10.5 shall survive any termination of this Contract. Upon any termination of this Contract, CLIENT must cease any further use of the SERVICE.

4. Rights and obligations

4.1. Subject to this SAAS GENERAL TERMS OF SERVICE, MARFEEL grants the CLIENT a non-sublicensable, non-transferable, non-exclusive, revocable, limited license to use: (i) the SERVICES and (ii) certain proprietary documentation in the form generally made available by MARFEEL for use with the Software (the “Documentation”) solely to receive the COMPANY’s SERVICE. The CLIENT use of the SERVICE shall be restricted pursuant to the terms and conditions of this Contract in compliance with the Laws and applicable policies set by the COMPANY. MARFEEL also grants a nonexclusive, non transferable, revocable, limited license to access and use its API solely in connection with its use of the SERVICE.

4.2. CLIENT shall and agrees to: (i) use the SERVICES in accordance with this Contract and all Documentation; (ii) be responsible for its users compliance with this Contract; (iii) that the COMPANY bears no liability, for the use of its account by any third party, or for the use of the SERVICE through a third party’s account, and for the acts and/or omissions of such third party; (iv) the COMPANY has the right to change, modify, add to or discontinue or retire any aspect or feature of its SERVICE at any time without any obligation to give the CLIENT notice of any changes, provided that there is no substantial modification in the SERVICES rendered for the websites covered. In case there is a substantial modification in the SERVICES provided for the websites covered, MARFEEL will notify the client with 15 business days written notice. From time to time, MARFEEL may, but is under no obligation to, release upgrades, fixes or new versions of the SERVICE, although these upgrades may not be consistent across all platforms and devices; (v) use commercially reasonable efforts to prevent unauthorized use or access to the SERVICES by any third party, any account or password, or any copying of the SOFTWARE, and notify the MARFEEL immediately of any such unauthorized use, access or copying; not to give access to the SERVICES to any non authorized personnel and/ or any third party. and (vi) be solely responsible for: (a) having express consent and/or a legal basis to collect and process the relevant personal data of their websites visitors; (b) Making appropriate disclosures, such as having a Privacy Policy that includes all relevant requisites required by applicable law and all practices executed by the CLIENT, personally or with a service provider acting as processor - with respect with the collection, use and disclosure of personal data or other information; c) any acquisition, implementation, support or maintenance of third-party products or services purchased by Customer that may interoperate with the Services.

4.3. CLIENT shall own all rights in and to all Traffic Data, subject to the rights and licenses granted herein. “Traffic Data” means all data and information created, received, processed or provided by MARFEEL in performing the SERVICE, or that results from performance of the SERVICE for the CLIENT. CLIENT hereby grants MARFEEL all necessary rights to access and track Traffic Data concerning CLIENT`S website, solely in connection with providing the SERVICE during the term of this Contract. MARFEEL disclaim any ownership of Traffic Data.

4.4. CLIENT shall not, and shall not allow others to: (i) cause or permit the reverse engineering, disassembly, or decompilation of any portion of the SERVICES; (ii) remove any copyright notices, trademarks or other proprietary notices or restrictions from the SERVICES; (iii) use or modify the SERVICES in any way that would subject the Product, in whole or in part, to a Copyleft License (as defined below); (iv) use the SERVICES, or permit it to be used, for purposes of evaluation benchmarking, performance tests or other comparative analysis intended for publication or disclosure to third parties; (v) except as permitted by this Contract, directly or indirectly: distribute, spread, disseminate, communicate, sell, sublicense, rent, lease, market, use or commercialize the SERVICE (or any portion thereof); (vi) provide the SERVICE on a time sharing, hosting, COMPANY or other similar basis; (vii) copy any features, functions or graphics of the Product for any purpose other than what is expressly authorized under this Contract; (viii) send, store, access or authorize a third party to send, store or access spam, unlawful, infringing, obscene or libelous material, viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs; (ix) interfere with or disrupt the integrity or performance of the SERVICES. “Copyleft License” means a software license that requires that information necessary for reproducing and modifying such software must be made available publicly to recipients of executable versions of such software.

4.5. Nothing in this Agreement grants the CLIENT any rights whatsoever in or relating to the source code of the Software, other than the limited right to place the COMPANY JavaScripts on CLIENT’S website(s). All ownership rights, title, and Intellectual Property Rights in and to the SERVICE shall remain in COMPANY and/or its licensors.

4.6. The COMPANY is the owner of all the Intellectual Property rights over the SERVICES, the trademarks, distinctive signs and contents associated with it, which have not been generated by clients, partners or collaborators.

4.7.The CLIENT accepts that MARFEEL may use its name and/ or logo to apply to awards, case studies, public relations and other marketing purposes.

4.8. The CLIENT acknowledges that Marfeel may need to access the CLIENT’s platform for the following purposes: to ensure that the SERVICE is provided to the expected level OR to optimize the platform OR to verify that the platform is functioning adequately, unless indicated otherwise via written statement from the CLIENT.

5. Warranty disclaimer

5.1. MARFEEL makes no warranty of any kind, whether express, implied, statutory or otherwise, including without limitation, merchantability, fitness for a particular use and noninfringement. The SERVICE is provided by the COMPANY and its licensors “as is” and “as available”. CLIENT assumes all risk for the use of the SERVICE, including without limitation any harm caused by viruses, works, or other damaging materials. In no event does the COMPANY guarantee any results, increased traffic, user engagement for the CLIENT. MARFEEL does not warrant that the service or any portion thereof, are accurate, error or bug free, that the use of the service will be uninterrupted, or that the service’s operation will not negatively affect other software or hardware. This section 5 applies to the maximum extent allowed by applicable law. The service is offered by MARFEEL from its facilities in Spain. MARFEEL makes no representations that the SERVICE is appropriate or available for use in other countries. Those who access or use the SERVICE from other jurisdictions do so at their own risk and are responsible for compliance with all applicable laws, including but not limited laws related to the collection of data from client`s website’s end users. Additionally, MARFEEL will do its best effort to provide accurate classification in regards to traffic, sources and channels but cannot always guarantee the precision in the aforementioned classification, given that this data comes from Tech Providers, who may deliberately hide or disguise attributes, in order to properly classify these previous items. Due to this reason, any allegations of imprecision cannot constitute grounds for an early termination of the contract.

6. Limitation of liability

6.1. In no event will MARFEEL and/or its officers, directors, employees, agents or representatives be liable (i) for any indirect, special, incidental, consequential, exemplary or punitive damages related to or arising from CLIENT`s use, misuse, or inability to use the SERVICE; including but not limited, to contract or tort and whether or not the COMPANY was or should has been aware or advised of the possibility of such damage; or (ii) for any claim attributable to errors, omissions, or other inaccuracies in the SERVICE or destructive properties of the SERVICE. In no event shall the COMPANY aggregate liability under this Contract exceed the total sum of monies paid from CLIENT to the COMPANY as consideration for use of the SERVICE during the three (3) months immediately preceding the event giving rise to such liability.

7. Indemnification

7.1. CLIENT hereby agrees, at its expense, to indemnify, defend and hold harmless the COMPANY, its licensors, subcontractors, and its respective directors, officers, shareholders, employees and agents from and against losses, damages, expenses, liabilities and cost arising out of a third party claim, actions, or allegations made against MARFEEL relating to, incurred in connection with, or based upon: i) CLIENT` use of the SERVICE in breach of this contract; ii) infringement based on information, data or content submitted in connection with the SERVICE; and/or; iii) CLIENT infringement or potential infringement of any trademark, copyright, and/or intellectual property right. The CLIENT will reimburse MARFEEL for all necessary or convenient expenditure in connection with such claims.

8. Non-disclosure and confidential information

8.1. Confidential Information means any information that has been disclosed to any of the PARTIES as a result of the performance of the rights and duties described hereto, which is not available for the public domain as, for example, any information related to business, properties customers, operations, facilities, procedures, methods, transactions, knowhow or any other aspect of the activity of the PARTIES.

8.2. The PARTIES agree and undertake to maintain the Confidential Information in the strictest secrecy. No PARTY shall disclose the Confidential Information for any purpose different to the purpose associated with the present SAAS GENERAL TERMS OF SERVICE, unless any governmental agency in the exercise of their powers, requires the information.

8.3. Upon termination of the present SAAS GENERAL TERMS OF SERVICE, each PARTY, upon request of the other, will return or destroy all copies of all of the other’s Confidential Information in its possession or control (unless impracticable), except to the extent such Confidential Information must be retained pursuant to applicable law or a PARTY’s document retention policy.

9. Data processing

9.1. The PARTIES acknowledge that MARFEEL, as Data Processor, undertakes to process personal data on behalf of the CLIENT following its instructions, according to article 28 of the General Data Protection Regulation (GDPR). This Contract will be subject to the Data Processing Addendum attached as Appendix A.

9.2. The Client declares that it knows the content of Marfeel Privacy Policy located at Marfeel Saas Privacy Policy

9.3. For the processing of Personal Data of California users and households, please refer to Appendix B.

9.4. For the processing of Personal Data of users located in the Federative Republic of Brazil, please refer to Appendix C.

9.5. The personal data of the parties, as well as of those other persons in charge of monitoring or executing the same, will be collected and processed, respectively, by Marfeel and the Client for the following purposes:

• To carry out an adequate management of the contractual relationship with the company in which they work or of which they are a representative.

• To maintain commercial contact with the company in which they work or of which they are a representative.

The legal basis that legitimates the processing of personal data is the existence of a legal or contractual relationship.

The data will be processed for the entire duration of the contractual relationship between the parties. Once the contractual relationship has ended, the data shall be blocked for the period during which any liability may arise from the processing or from the contract. Once the legal period of limitation has expired and these responsibilities have expired, the data will be deleted.

Data subjects have the right to access, rectify, delete, limit and oppose the processing of the data, as well as to exercise the other rights recognized in the current legislation on data protection, by contacting the corresponding data controller at the following address:

• Marfeel: The contact details of the Data Protection Officer are the following: e-mail: dpo@marfeel.com; Address: Avenida Josep Tarradellas, 20-30, sixth floor. 08029 – Barcelona.

• The Client: the e-mail and postal address provided at the time of the contract.

They may also file a claim with the competent data protection authority.

10. General clauses

10.1. Neither PARTY may assign, in whole or in part, its rights or duties under these terms to a third PARTY without the prior written consent of the other PARTY, with the exception of a merger, acquisition or sale of all or substantially all of the PARTY’s assets, stock or business or any other corporate transaction. Notwithstanding the foregoing, Marfeel may assign this contract to any of its Affiliates without the CLIENT prior consent.

10.2. Communications: (i) The CLIENT shall direct all communications related to these conditions to: Av Josep Tarradellas 20-30, 6th Floor, 08029 Barcelona (Spain); TAX ID: ESB65651259; email: finance@marfeel.com (ii) COMPANY shall direct all communications aimed to the CLIENT to the address appointed by the CLIENT in the SERVICE ORDER FORM. (iii) Notifications conducted this way will take effect as of the date of receipt or, alternatively, from the tenth day following shipment.

10.3. The relationship between the PARTIES is governed by the terms and conditions set forth in these SAAS GENERAL TERMS OF SERVICE approved by the PARTIES and the respective SERVICE ORDER FORM, which must be jointly and uniquely interpreted. All terms and conditions specified under the “CONDITIONS” section in the SERVICE ORDER FORM will prevail over the SAAS GENERAL TERMS OF SERVICE. Any communication – written or oral - that is not reflected in the SAAS GENERAL TERMS OF SERVICE or in the SERVICE ORDER FORM will not be valid, except in the case of a contract termination, which shall be governed by Section 3.

10.4. MARFEEL reserves the right to update this document from time to time, in order to adapt it to its new products, SERVICE, price and any other associated conditions. When a unilateral novation of the conditions may constitute a relevant and substantial change regarding the previous terms the COMPANY shall notify immediately any material changes to this SAAS GENERAL TERMS OF SERVICE and the CLIENT shall be entitled to request for the termination of the SERVICE during the THIRTY (30) days after receiving the novation, unless it has engaged a fixed term plan and the amendment does not involve the payment of an additional amount in the same period.

10.5. These SAAS GENERAL TERMS OF SERVICE shall be interpreted, governed, and construed in accordance with the Spanish laws, excluding any other national, regional or local law. Waiving any other jurisdiction, the PARTIES agree to submit any dispute or discrepancy originated by these conditions to the exclusive jurisdiction of the Courts of the city of Barcelona.

10.6. In the event that any provisions of the SAAS GENERAL TERMS OF SERVICE are held invalid, unlawful or unenforceable by a competent Court or by any future legislative act, such act shall not limit or preclude the validity or enforceability of any other provisions of this document. Any such provision held invalid shall be substituted by a provision of similar effect reflecting the original intent.

Appendix A

Data Processing Addeundum

The COMPANY as the Processor undertakes to process personal data on behalf of the CLIENT, being the Controller, in accordance with the conditions laid down in this Data Processing Addendum. The processing will be executed exclusively within the framework of the SAAS GENERAL TERMS OF SERVICE, and for all such purposes as may be agreed to subsequently.

Object

In order to perform the Services under the framework of the SAAS GENERAL TERMS OF SERVICE, and to provide the Services effectively, the Processor may have access to personal data for which the Controller is responsible.

The Processor must carry out the required processing of Personal Data in order to carry out the SERVICES indicated in SAAS GENERAL TERMS OF SERVICE.

Term

This Data Processing Agreement is accessory to the main contract for the provision of the Services, so its duration is linked to the duration of the SAAS GENERAL TERMS OF SERVICE.

Nature and purpose of the processing

Generate Real time statistics based on website visitors in order for the Controller to know what’s happening on his website, and also segment visitors in accordance with Controllers criteria.

Categories of Personal Data:

Device Information: IP address. Operating system version. Device, Country. Navigation level; User agent; User ID.

User Navigation information:

Device Information: device from which a visitor accesses the Publisher’s website. The information obtained is device model, operating system and version, the unique identifier of the device, and the mobile network.

Location information: IP address, time zone, and mobile service provider, allowing to get website visitors general location.

User Navigation Information: Information about the use of the Publisher’s website. Specifically, the frequency of use, the sections visited, use of specific functions, time spent in each section, scrolling done, etc.

Information provided by the Publisher: Publishers may submit some personal information, such as visitor user ID on the Publisher’s website.

Information deduced or calculated through MARFEEL proprietary software Tool : All the information collected allows to generate information regarding visitor`s interests (e.g. engagement to the media, favorite sections, contents, authors, etc. of the Publisher’s website or other similar parameters.

Categories of Data Subject:

Website(s) visitors*.*

Controller obligations

The Controller, in addition to comply with any obligations provided in the SAAS GENERAL TERMS OF SERVICE, this Data Processing Agreement and the Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) or other applicable regulation - must observe the following obligations in the performance of the following tasks:

A. Provide or make available to the Processor the data referred to in this document, as well as the necessary instructions to carry out the processing of the data.

B. Provide the website`s visitor with the information regarding the processing of their data through the SOFTWARE. The information must comply with the content established in Articles 12 and 13 of the GDPR. MARFEEL will not be held responsible for the failure to comply or defective compliance with the obligation to inform.

C. Collect websites visitor data using appropriate legal basis. The Client acknowledges that the SERVICES may involve the installation of tracking devices in the websites visitor browser (such as cookies), so the Client shall comply with the rules on their use and installation. In this sense, the Client shall provide clear and comprehensive information about the purposes of any cookie or similar technology that stores information (or accesses information stored) on website`s visitor’s devices, and obtain, where appropriate, their prior consent (which must be to the GDPR standard).

Although Marfeel may provide support or assistance regarding the configuration and implementation of mechanisms to inform and obtain consent of website visitors in relation to said cookies, compliance with said obligations shall continue to be the responsibility of the Client. Any proposal made by Marfeel in relation to the information and consent of the website visitors may only be considered as mere suggestions based on standard practices, and in no case as legal advice or any other kind of advice on the matter. Marfeel cannot be held responsible for the decisions taken by the Client with the information provided by Marfeel, which will be taken at their own risk.

D. Respond to the request for exercising the data subject rights, such as the rights of access, rectification, deletion and opposition, limitation to the processing, portability of the data and not to be subject to automated individual decisions, in collaboration with the Processor.

E. Carry out, if appropriate, an assessment of the impact that the processing operations executed by the Processor have on the protection of personal data.

F. Ensure, before and during the processing, compliance with applicable regulations on data protection by the Processor.

G. Supervise the processing, including the performance of inspections and audits.

H. Communicate to the Processor any variation that may occur in the personal data provided, so that it can be updated.

Processor obligations

A. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Processor will only process the personal data on documented instructions from the Controller.

If the Data Processor considers that compliance with an instruction from the Controller could mean a breach of data protection regulations, Processor will immediately inform the Controller of such circumstances. In this communication, the Processor will ask the Controller to amend, withdraw or confirm the instruction given, and may suspend compliance until there is a decision by the Controller.

B. All personal data processed on behalf of the Controller shall remain property of the Controller and/or the relevant Data subjects. The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.

C. The Processor will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.

Data collected on behalf of the Controller for the provision for the provision of the services described in the SAAS GENERAL TERMS OF SERVICE, will be pseudonymized, so that each Data Subject will be assigned a randomly-generated identification code and/or any other kind of pseudonymization technique in order to erase data that may directly or indirectly identify them particularly (e.g. anonymizing the last octet of the IP address).

D. The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GDPR.

E. In the event of a security leak and/or the leaking of data, as referred to in article 34a of the GDPR, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor will endeavor that the furnished information is complete, correct and accurate. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:

· the (suspected) cause of the leak;

· the (currently known and/or anticipated) consequences thereof;

· the (proposed) solution;

· the measures that have already been taken.

The Processor shall assist the Controller in relation to the obligation to notify personal data breaches in accordance with the RGPD (in particular, articles 33 and 34 of the RGPD) and any other applicable regulation, present or future, that modifies or complements such obligations.

F. Keep in writing, a record of processing activities carried out on behalf of the person in charge.

G. Not to communicate, disclose or transfer the personal data in its custody to third parties, not even for its conservation, unless it has the express authorization of the Controller. The Processor may communicate the data to other data processors.

H. Guarantee the adequate training in data protection of the employees authorized to process personal data. The Processor shall ensure that employees or other persons authorized to process the personal data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

J . Assist the Controller:

a) in the performance of audits or inspections, carried out by the Controller or by another auditor authorized by the Controller. The audits may be carried out periodically, in a planned or “ad hoc” way, at the most, once a year, unless there are circumstances that justify its realization exceeding this limit, and after notifying the Controller with 45 calendar days period of notice, during the Processor’s usual working hours.

b) in carrying out impact assessment on the protection of personal data of the processing operations to be carried out by the Data Processor and, where appropriate, in conducting prior consultations with the supervisory authority.

K. Delete or return all the personal data to the Controller after the end of the provision of services relating to processing and delete existing copies unless Union or Member State law requires storage of the personal data. Processor may keep a copy with the data duly blocked, while responsibilities may arise from the execution of the Services. Take reasonable measures to periodically review the data held, and erase or anonymize it for statistical purposes when it is no longer needed.

L. Make available to the Controller, at its request, all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement.

Limitation of Liability:

The Processor shall only be responsible for processing the personal data in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and / or for other purposes.

Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller willl defend, indemnify, and hold harmless the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Clause and/or related with the breach of this Data Protection Addendum by the Controller . For further information, consult the Opinion 2/2010 on behavioral advertising of the Working Group of article 29.

Engaging subcontractors

The Processor is authorized within the framework of the SERVICE Provision Agreement to engage third parties, without the prior approval of the Controller being required. Prior to the engagement, the Processor shall inform the Controller about the third party/parties engaged.

The Processor shall in any event ensure that such third parties will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.

Currently, MARFEEL has entered into a contract with the following service providers:

• SCALEWAY, SAS located in France which guarantees a high level of security and availability of the information systems and that provides data hosting services.

• HETZNER ONLINE GMBH located in Germany which guarantees a high level of security and availability of the information systems and that provides data hosting services.

• OVH HISPANO S.L., located in Spain which guarantees a high level of security and availability of the information systems and that provides data hosting services.

International Transfer

The Processor may process the personal data in countries outside the European Union or the European economic area, only with subcontractors that guarantee an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this Data Processing Clause and the GDPR, and with a written authorisation from the Controller. In the case that the Controller is an entity located outside the European Economic Area (EEA), all flows of personal data from the Processor (Exporter) to the Controller (Importer) obtained or derived from the provision of the SERVICES stated in the GTOS, must comply with the conditions laid down on Chapter V of GDPR. As a result, in order to meet these conditions, the CLIENT and MARFEEL pursuant to Article 46(2)(c) of Regulation (EU) 2016/679, declare and acknowledge that by signing this GTOS, the Standard Contractual Clauses Module IV, as adopted by the European Commission on July 4, 2021 in resolution C (2021) 3701, contained in the following link, will be an integral part of this DPA: https://marfeel.anticipa.io/public/uploads/marfeel/pdf/files/01_11_2022_22_25_31_SCC_Marfeel.pdf

Appendix B

California Consumer Privacy Act

1. The CLIENT is the sole responsible to determine its subjection to the California Consumer Privacy Act of 2018 (“CCPA”). In case CCPA is applicable, the parties will be subject to the conditions set forth in this section.

2. This section reflects the Parties’ agreement in connection with CCPA and it shall apply to the extent that the CCPA applies to the CLIENT and only affects transactions of personal Information of consumers in California.

3. The PARTIES recognize that MARFEEL will act as CLIENT’s Service Provider (according to CCPA definition), so MARFEEL’s use or disclose of the Consumer Personal Information is limited to the specific purpose of performing the Services set forth in GENERAL TERMS OF SERVICE and in the Order Form, on behalf of the CLIENT and those permitted under the CCPA for Service providers.

4. Each Party will be separately and individually responsible for complying with the CCPA with respect to the processing of Consumer Personal Information. The CLIENT warrants that, either it maintains an up-to-date and easily accessible privacy policy to Consumers which meets the requirements established by the CCPA, including the information regarding the mechanism to opt-out, or, when permitted, the transfer of data to MARFEEL, is based on an opt-in mechanism.

5. In the event that a Consumer has exercised the right to be excluded from the sale of his/her personal data to the CLIENT, it shall inform MARFEEL without undue delay. The CLIENT shall provide MARFEEL with all the necessary information to proceed with such use limitation.

6. MARFEEL may refuse to receive and use any Data if it reasonably believes that processing of such Data may infringe the CCPA, pose a risk of liability or harm to Consumers, MARFEEL or any of MARFEEL’s agents or Customers.

7. MARFEEL may engage sub-providers to receive or transfer personal information as long as, when applicable: (i) each Subprovider warrants that it has the technical capability to receive, interpret, and comply with the CCPA and, if necessary for the performance of the applicable service, accurately re-transmit an “opt-out”; (ii) each such Subprovider is bound by a written agreement with MARFEEL that includes, and requires such Subprovider to comply with the obligations of MARFEEL as set forth in this section.

Appendix C

Lei Geral de proteçao de dados– Lei Nº 13.709/18 - (Hereinafter LGPD)

1. The parties agree that the processing of users located in the Federative Republic of Brazil (Hereinafter “Brazil”) shall be processed according to the following section and the Data Processing Agreement (DPA) found in the Appendix A of this document. In the event of any inconsistency between the DPA and this section, this section shall prevail.

2. The parties acknowledge that the CLIENT acts as a Controller (Controlador) of webpage user’s personal data and that MARFEEL acts as a processor (Operador).

3. Personal data shall be processed by MARFEEL in accordance with the instructions imparted by the CLIENT. The CLIENT may verify the adherence of the instructions and the rules regulating MARFEEL.

4. MARFEEL does not collect any direct user identifiable information such as a name, e-mail address, etc. However, MARFEEL collects identifiers that, when used, may allow the identification of the individual to whom the information in question may relate, such as online identifiers or location data. MARFEEL has implemented measures to prevent user identification.

5. MARFEEL, when acting as a processor, shall act according to the provisions of the LGPD and will be responsible for any damages caused by the processing when it does not comply with the obligations stated in Data Protection Legislation or when it has not followed the controller’s lawful instructions, in which case, MARFEEL will be deemed equivalent to the controller, except in cases of exclusion as provided in LGPD.

6. The identity and contact details of the Data Protection Officer, for the purpose of Section II, Chapter VI of the LGPD are as follows:

E-mail: dpo@marfeel.com

Phone: +34 93 178 59 50

Address: Avenida Josep Tarradellas, 20-30, sixth floor. 08029 – Barcelon