Harri MSA
The information provided here is for Harri customers and users who have questions about our terms, policies, intellectual property, and compliance.
Master “Software As A Service” (SaaS) Subscription Agreement
This Master “Software As A Service” (SAAS) Subscription Agreement (“Agreement”) is
effective as of the date set forth in the Schedule (“Effective Date”) between
Harri (US) LLC (“Harri” or “Supplier”), and the Customer
(“Customer”). Customer and Supplier may be referred to collectively
as the “Parties” or individually as a “Party.” The Parties hereby agree as follows:
Definitions
- “Add-On” means any integrations, applications, and other add-ons, whether developed by Supplier, a third party, or otherwise, that are used with the Services. Use of Add-Ons may be subject to additional terms and conditions, which will be provided to Customer prior to activation or use.
- “Customer Data” means any data, information or material provided or submitted by Customers and Authorized Users to the Site, including, without limitation, usernames; employee data and information, including, without limitation, employee personally identifiable information; passwords; and personally identifiable information about Customer and Authorized Users.
- “Documentation” means user guides, operating manuals, training materials, product/service descriptions, product/service specifications, technical manuals, supporting materials, Specifications, and other information relating to the Software or Services, including all subsequent revisions and additions thereto.
- “Harri’s Platforms” means Supplier’s implementation of certain hardware, software, databases, interfaces and applications in certain software-as-a-service applications and designed to operate as a talent marketplace, interviewing and hiring platform, and/or talent management solution.
- “Intellectual Property” means any patents, rights to inventions, registered designs, copyright and related rights, database rights, design rights, topography rights, trademarks, service marks, trade names and domain names, trade secrets, rights in unpatented know-how and any other intellectual or industrial property rights of any nature, and created at, any time before, or after, the date of this Agreement, including all applications (or rights to apply) for, and renewals or extensions of such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
- “Schedule” means a schedule that describes the Software and Services being provided by Supplier to Customer. Each Schedule shall be considered part of and incorporated by reference into this Agreement. Each Schedule may incorporate such additional terms and conditions upon which Customer and Supplier may agree.
- “Services” means the services allowing Customer’s access and use of the Software and any other services provided by Supplier to Customer pursuant to this Agreement as specified in a Schedule.
- “Software” means the Harri Platform software identified in a Schedule, including any third party or open source software, and any client utilities, including program routines or database features provided by Supplier that are necessary to access the Software.
- “Specifications” means the objectives, requirements and specifications set forth in the applicable Schedule.
- “Supplier Affiliates” means any entities, whether incorporated or not, that, now or in the future, control, are controlled by, or are under common control with Supplier.
- “Third Party Product” means any Add-On, applications, integrations, software, code, online services, systems and other products not developed by Supplier.
Services
- Services. Supplier shall perform the Services specified in the applicable Schedule in accordance with the terms and conditions of this Agreement. In performing the Services, Supplier agrees to provide its own personnel, equipment, tools and other materials at its own expense. Customer may use Harri’s Platforms to enable Add-Ons for use with the Services. Supplier may monitor Customer’s and Authorized Users’ use of the Software and Services for compliance, security, and operational purposes. Supplier reserves the right to suspend or terminate access to the Software or Services, with or without notice, in the event of any actual or suspected violation of this Agreement, security threat, or to protect the integrity of the Services.
- Service Level Commitments. Supplier will provide the Services in accordance with the service level agreements attached to the applicable Schedule (“SLAs”). If there are no SLAs attached to the applicable Schedule, the SLAs set forth at https://harri.com/legal/sla shall apply.
- Third Party Services. Customer acknowledges and agrees that Supplier may provide or make available Third Party Products in connection with the Services. Supplier makes no representations or warranties regarding, and shall have no responsibility or liability for, the performance, security, compliance, or availability of any Third Party Products. Customer’s use of Third Party Products is at Customer’s sole risk and subject to the terms and conditions of the applicable third party provider.
Use of Artificial Intelligence
By using the Services, you understand and agree that Harri’s Platforms may use artificial
intelligence, machine learning algorithms, and automated decision-making systems (together, “AI”) to assist
in the performance of certain functions as may be set forth in more detail in the applicable SOW, all
intended to be in accordance with applicable law. Customer acknowledges that it has read and agrees to the
Artificial Intelligence Terms Addendum (“AI Addendum”), attached as Addendum A and incorporated herein by
reference. The Parties agree that the AI Addendum shall be executed by both Supplier and Customer and shall
form an integral part of this Agreement.
In the event of any conflict or inconsistency between the terms of this Agreement (including any Schedules, exhibits, or referenced documents) and the provisions set forth in the AI Addendum, the provisions of the AI Addendum shall control and govern with respect to any matters relating to the use of artificial intelligence, machine learning, automated decision-making, or any AI-related features, functionalities, outputs, or responsibilities. For the avoidance of doubt, this includes, but is not limited to, all disclaimers of liability, limitations of warranties, allocation of responsibilities, and indemnification obligations arising from or relating to the use of AI within the Services.
Grant of Access to Software
- Grant of Access. Supplier hereby grants to Customer a non-exclusive, enterprise-wide and term-based right for Users to access the Software which shall run remotely on servers controlled and maintained by Supplier, and to use the Documentation in connection with Customer’s use of the Software. The term “enterprise-wide” shall mean use of the Software and Documentation by an unlimited number of users including employees and agents of Customer at the location(s) specified in the Schedule (“Authorized Users”). Customer shall have no right to receive either an object code or a source code version of the Software operating on the remote servers. Customer’s right of access hereunder is limited to the use of the Software as set forth by the terms and conditions of this Agreement, as well as the terms of the Schedule.
- Delivery/Account/Passwords. Customer and any Authorized Users will set up an account and password necessary for Customer’s and Authorized Users’ access to and use of the Software and Services. By registering, Customer and any Authorized User agree that all information is true and accurate and that Customer and any Authorized User will maintain and update the information as required in order to keep it current, complete and accurate. In all events, each Authorized User shall change his or her password at least every thirty (30) days, when instructed to by the Service, or in such intervals as directed by Supplier.
- System Monitoring. Customer recognizes that Supplier monitors access to the Software as part of its normal business practices. Should Supplier discover prohibited actions, Supplier may immediately suspend the suspect connection and commence a comprehensive investigation.
- Customer’s Responsibilities. Customer shall be responsible for: (i) Authorized Users’ compliance with this Agreement; (ii) the accuracy, quality, integrity and legality of any Customer Data, Customer information, or any other data and materials provided by Customer, and means by which Customer acquires such data; and (iii) preventing the unauthorized use of the Software or Services by Users or the use of the Software or Services by Authorized Users in violation of applicable law. Customer agrees that it shall not make the Software or the Services available to anyone except the Authorized Users, or use the Software or the Services to store or transmit material in violation of any party’s intellectual property rights or malicious code. If applicable, and except as expressly authorized by this Agreement or any Schedule, Customer will not copy, alter, decompile, reverse engineer, disassemble, or create derivative works from the Software. Customer shall promptly notify Supplier in writing of any actual or suspected security incident, data breach, or unauthorized access to the Software, Services, or Customer Data of which it becomes aware, and shall cooperate with Supplier in investigating and remediating any such incident.
Term and Termination
- Term.
The term of this Agreement (“Term”) begins on the Effective Date, as set forth on the
Schedule, and continues until terminated by the Parties pursuant to the terms herein.
The term of any Schedule hereunder shall be as set forth in such Schedule (the “Schedule Term”). Except as set forth in the applicable Schedule, at the end of the Schedule Term, the Schedule shall automatically renew for the same period as the Schedule Term (each a “Renewal Term”), unless otherwise terminated as provided herein and Supplier’s fees at that time shall govern any Renewal Term. In the event either Party does not wish to renew for a subsequent Schedule Term or Renewal Term, such Party shall provide sixty (60) days written notice to the other Party prior to the expiration of the then current Schedule Term or Renewal Term.
- Termination for Cause. Either Party may terminate this Agreement and/or any Schedule immediately upon notice to the other Party if the other Party: (i) materially breaches the Agreement or the terms of a Schedule, other than with respect to a payment obligation, and fails to remedy such breach within thirty (30) days after receiving notice of the breach from the other Party; (ii) materially breaches a payment obligation under the Agreement or such Schedule and fails to remedy such breach within sixty (60) days after receiving notice of the breach from the other Party; (iii) materially breaches the Agreement or such Schedule in a manner that cannot be remedied; or (iv) voluntarily commences bankruptcy or dissolution proceedings, has a receiver appointed for a substantial part of its assets, or ceases to operate in the ordinary course of business.
- Effect of Termination. Upon expiration or termination of this Agreement or any Schedule, as the case may be, for any reason, Customer’s right of access to the Services will immediately terminate. In no event will expiration or sooner termination of this Agreement relieve Customer of any obligation to pay the Fees payable for the period prior to the date of termination, and all Fees will become immediately due and payable if Supplier terminates this Agreement for cause. Supplier agrees that if Customer provides Supplier with written notice at least 30 business days prior to expiration or sooner termination of this Agreement, Supplier shall provide an export file of all Customer Data stored on the Harri Platform in reasonably usable digital format. Supplier’s obligation to provide an export file of Customer Data upon expiration or termination is conditioned upon Customer’s payment of all outstanding Fees. Supplier does not warrant that the exported data will be compatible with any third party systems or software.
Payment Terms
- Fees. The fees for the Services and the right to access the Software, and any other payments, including set-up fees, are specified in each Schedule (“Fees”). Except as expressly provided in this Agreement, all Fees and other amounts paid or payable under this Agreement are non-refundable. Requests for payments shall be submitted by Supplier to Customer in the form of a written invoice, or as otherwise specified on the Schedule. Customer will send payments for all invoices within thirty (30) days of invoice date, or as otherwise specified on the Schedule. Customer will make payments by electronic funds transfer, or money order. If Customer is paying by credit card, Customer authorizes Supplier to charge monthly Fees in advance to Customer’s credit card without invoice, or as otherwise specified on the Schedule. The fees for any Add-Ons will be specified in a separate Schedule or shall be separately invoiced. Unpaid amounts shall bear interest from the due date thereof to the date of payment at a rate per annum equal to the lesser of (i) 1.5% of the outstanding balance due per month; or (ii) the maximum rate of interest permissible under applicable law. In addition, in the event Customer does not pay any amounts under this Agreement when due, Supplier may suspend the Services and access to the Software upon seven (7) days’ notice to Customer, and such suspension shall continue until all overdue amounts are paid in full to Supplier. Supplier shall not be liable for any costs, damages, or liabilities incurred by Customer as a result of such suspension.
- Taxes. If applicable, Customer shall pay to Supplier the sales/use tax, VAT, GST, or similar indirect tax relating to the taxable purchases of Services under this Agreement at the appropriate rate. Supplier and Customer shall cooperate to properly calculate any applicable taxes, to minimize such liability to the extent permissible under applicable law, and with respect to any claims for taxes asserted by applicable tax authorities. Taxes payable under this Agreement will be added to the Fees payable by Customer to Supplier, as applicable.
Billing for Location Closures; Change of Control.
- Location Closures. Notwithstanding anything to the contrary in this Agreement or any Schedule, Supplier will not invoice Customer for any Services at locations which are closed by Customer, solely if (i) Customer notifies Supplier in writing, at least thirty (30) days prior to the closure, and (ii) as long as Customer provides reasonable evidence of closure (collectively, the “Closure Actions”). Customer must notify its assigned representative at AR@harri.com. Customer will not be credited for any Services and payments of Fees prior to the Closure Actions. Upon Supplier’s receipt of the Closure Actions, and after the location has been closed, the applicable location will be removed from the next invoice. For the avoidance of doubt, Customer will be required to pay the Fees until the actual closure of locations. If the Customer received a special incentive price (volume-based discount) based on the number of locations live or committed to go-live, Supplier has the right to modify the per employee, per month or location-based pricing for remaining locations to account for the change in volume-based pricing resulting from the closure.
- Change of Control. Solely upon Supplier’s prior written consent in accordance with Section 9(b) of this Agreement, Customer may assign this Agreement to the new owner or operator of a location, subject to Fee and payment terms in accordance with this Agreement, until the end of the then-current Term. Supplier will not honor requests to terminate or modify billing terms for sold or transferred locations.
Representations and Warranties
- Supplier’s Representations and Warranties; Disclaimer; Third Parties.
- Performance. All Software and Services shall materially conform to the applicable Documentation, any Specifications and the description of Services as set forth in this Agreement, and the applicable Schedule.
- Ownership. To the knowledge of Supplier, neither the performance of the Services by Supplier nor the right of access to the Software and Services granted under this Agreement will in any way constitute an infringement, misappropriation, or other violation of any patent, copyright, trade secret, trademark, proprietary information, nondisclosure or other intellectual property right of any third party. There is currently no actual or threatened suit by any such third party based on an alleged violation of such right(s) by Supplier or other party known to Supplier. Notwithstanding anything to the contrary, Customer’s sole and exclusive remedy, and Supplier’s sole and exclusive liability, for any breach of the intellectual property warranty set forth in this section shall be limited to the indemnification obligations expressly provided in the “Indemnification” section of this Agreement. No other damages or remedies shall be available to Customer for any such breach.
- General Compliance with Laws. Supplier warrants that the Software and Services, when used in accordance with the Documentation and training provided by Supplier (if applicable), will comply with all applicable laws, ordinances, orders, directions, rules, and regulations of the federal, state, county, and municipal governments applicable thereto, all as they may be amended from time to time. Customer is solely responsible for ensuring that its use of the Software and Services complies with all applicable laws, rules, and regulations. Supplier shall have no liability for Customer’s failure to comply with any such laws, rules, or regulations.
- Customer Data. Supplier warrants that it employs reasonable managerial and technical measures to ensure that Customer Data is secure and processed in accordance with the Data Processing Addendum attached hereto as Addendum B, the terms, including all Exhibits, of which are incorporated herein.
- Supplier Disclaimer.
Supplier disclaims all responsibility for any loss, injury, claim, liability, or damage
to Customer’s software, equipment, or systems arising from Customer’s use of the Services and Software.
Without limiting the foregoing, Supplier disclaims all responsibility for any loss, injury, claim,
liability, or damage with respect to: (i) Customer’s misuse of the application process; (ii) Customer’s
errors in any paperwork completed by Customer, including, without limitation, new hire documentation,
employee applications, job postings, or employment forms required by any federal, state, city, or other
law rule or mandate; and (iii) any misconduct or failure to perform committed by any employee or
potential employee, including, without limitation, any failure to appear for work, or any breach of any
agreement or employment policy. Supplier’s liability for any data breach or security incident shall be
limited to the extent such breach or incident is not caused by factors outside Supplier’s reasonable
control. Customer is solely responsible for securing its own systems, devices, and access
credentials.
Customer shall not obtain from, rely on or hold Supplier responsible for any information or opinions supplied by Supplier regarding any federal laws, applicable state and local laws, including but not limited to any legal requirement to comply with, complete, or submit any state-specific forms, certificates, or documents, amendments to such statutory rules, codes, regulations, as well as any case law interpreting such statutes, rules, codes, and regulations (collectively, “The Laws”). Supplier disclaims any liability for any information it may give to Customer regarding The Laws, and Customer shall use the information at its own risk. Information provided by Supplier does not replace or waive Customer’s compliance obligations under The Laws or this Agreement. Customer acknowledges and agrees that it should obtain such legal or compliance information or any other advice regarding The Laws from its own counsel.
- Third Parties. Supplier does not provide or make any representation as to the quality or nature of any Third Party Products or any other representation, warranty or guaranty. Supplier disclaims all responsibility for Third Party Products, including, without limitation, for any delays, interruptions, transmission errors, security failures, or other problems arising from Customer’s use of the Third Party Products. Any warranty for Third Party Products, to the extent provided by the provider of such Third Party Products, will be passed through to Customer in accordance with the terms agreed to by the provider of the Third Party Products. Supplier makes no additional representations or warranties regarding Third Party Products.
- Customer’s Representations and Warranties.
Customer represents and warrants that Customer possesses all legal right and/or authority to
grant Supplier the rights to use, process, and store Customer Data as contemplated by this Agreement, and to
use any of the content, information, names, or trademarks in any of Customer Data for all purposes
contemplated by this Agreement and that the use, reproduction, distribution, transmission or display of
Customer Data will not (a) violate any applicable laws (criminal or civil) or any rights of any third
parties or (b) contain any material that is unlawful, infringe on a third party’s proprietary or
intellectual property rights, or be otherwise objectionable, including, without limitation, any material
that encourages conduct that would constitute a violation of any applicable law. Customer will provide
Supplier with true, accurate and current Customer Data.
Customer further represents and warrants that it will at all times during the Term of this Agreement, comply with all applicable federal, state, local, and foreign laws, rules, and regulations in connection with its use of the Software, Services, and any outputs or data generated thereby, including but not limited to those relating to data protection, privacy, employment, labor, civil rights, and the use of artificial intelligence or automated decision-making systems. Notwithstanding the foregoing, Customer represents and warrants that it (ii) has provided (and shall continue to provide) all notices and privacy disclosures as may be required to inform employees about Supplier’s processing of Customer Data and of their rights in compliance with such laws, and (ii) has collected (and shall continue to collect) all consents as may be required under such laws.
- Mutual Representations and Warranties:
Each Party represents and warrants to the other that:
- It has and will maintain the requisite corporate power and authority to enter into, and to carry out the transactions contemplated by the Agreement.
- The execution, delivery and performance of the Agreement and the consummation of the transactions contemplated by the Agreement (i) have been duly authorized by the requisite corporate action on the part of such Party and shall not conflict with, breach, or constitute a violation of any judgment, order or decree; and (ii) will not conflict with, breach or constitute a material default under any material contract by which it or any of their respective material assets are bound, or an event that would, with notice or lapse of time or both, constitute such a default.
- There is no proceeding pending or, to the knowledge of such Party, threatened that challenges or may have a material adverse effect on the Agreement or the transactions contemplated by the Agreement.
- Intellectual Property Rights. Each party retains all rights, title, and interest in and to its preexisting Intellectual Property, as well as any Intellectual Property created independently of this Agreement or, in the case of Supplier, created in connection with the Software and Documentation for all of its customers. Supplier owns all rights, title, and interest in and to Harri’s Platform, including all associated Intellectual Property rights. The parties acknowledge that all Intellectual Property in or related to Harri’s Platform—including, without limitation, patents, copyrights, know-how, work product, and the “Harri” trademark and trade name—are and shall remain the exclusive property of Supplier (and/or its Affiliates) worldwide. Customer shall not challenge or claim any ownership interest in any Intellectual Property related to Harri’s Platform.
Confidential Information.
The Parties acknowledge that during the course of this Agreement, each Party (a “Discloser”) may make
confidential data available to the other Party (a “Recipient”) or Recipient may otherwise learn of trade secret
or confidential information of Discloser (collectively, herein “Confidential Data”). Confidential Data includes
all Discloser information not generally known or used by others and that gives, or may give, Discloser an
advantage over its competitors or that could cause Discloser injury, loss of reputation or goodwill if
disclosed. Such information includes, but is not necessarily limited to data or information of Discloser that
identifies or concerns past, current or potential customers, business practices, financial results, research,
development, systems and plans; and/or certain information and material identified by Discloser as
“Confidential”; and/or data received from Discloser and enhanced by Recipient and/or material, non-public
information related to Discloser or Discloser’s businesses. Confidential Data may be written, oral, recorded, or
maintained on other forms of electronic media. Because of the sensitive nature of the information that Recipient
and its employees, subcontractors or agents may become aware of as a result of this Agreement, the intent of the
parties is that these provisions be interpreted as broadly as possible to protect Confidential Data.
- Obligation of Confidentiality. Recipient acknowledges that all Confidential Data furnished by Discloser is considered proprietary and strictly confidential. Recipient also acknowledges that the unauthorized use or disclosure of any Confidential Data will cause irreparable harm to Discloser. Accordingly, Recipient agrees that Discloser shall be entitled to equitable relief, including injunctive relief (without bond), in addition to all other remedies available at law for any threatened or actual breach of this Agreement or any threatened or actual unauthorized use or disclosure of Confidential Data.
- Confidentiality Standards. Recipient will employ, at a minimum, the same security measures to protect Confidential Data received from Discloser, or which it becomes aware of about Discloser, that it would employ for its own comparable confidential information (but in no event less than a reasonable degree of care in handling Confidential Data).
- Disclosure. Recipient agrees that, should third parties request Recipient or its subcontractors or agents to submit Confidential Data to them pursuant to subpoena, summons, search warrant or other lawful process, Recipient will notify Discloser immediately upon receipt of such request. In no case shall such notice be received by Discloser later than five (5) business days after receipt by Recipient. If Discloser objects to the release of the Confidential Data, Recipient will permit counsel chosen by Discloser to represent Recipient in order to resist release of the Confidential Data. Provided that Recipient is otherwise in compliance with this Agreement, Discloser will indemnify Recipient for all reasonable expenses incurred by Recipient in connection with resisting the release of the Confidential Data.
- Ownership. Recipient agrees that all Confidential Data shall at all times remain the sole property of Discloser and, if in tangible form such as (by way of example and not limitation), in writing or on tape, disk, or other electronic media, such tangible material and all copies shall be returned to Discloser within five (5) business days after termination of this Agreement or any applicable Schedule or upon demand at any other time. No rights or licenses, express or implied, are granted by Discloser to Recipient under any patents, copyrights, trade secrets, or other proprietary rights of Discloser as a result of or related to this Agreement.
- Exceptions.
The obligations set forth in subsections 1 through 5 above shall not apply to:
- any disclosure specifically authorized in writing by Discloser; or
- Confidential Data that: (i) has become well known in the trade; or (ii) was disclosed to Recipient by a third party not under an obligation of confidentiality to Discloser; or (iii) was independently developed by Recipient not otherwise in violation or breach of this Agreement or any other obligation of Recipient to Discloser; or (iv) was rightfully known to Recipient prior to entering into this Agreement.
- The obligations of each party set forth in Sections (1) through (6) above shall survive the completion or termination of this Agreement and shall remain in effect for five (5) years after completion or termination of this Agreement. Notwithstanding the foregoing, Recipient’s obligations with respect to any Confidential Data that constitutes a trade secret under applicable law shall survive for so long as such Confidential Data remains a trade secret and information subject to such exceptions that constitutes “personal information” or “personal data” shall be handled pursuant to applicable data protection laws.
Indemnification.
- Third Party Claims Against Supplier. Customer will indemnify, defend and hold harmless Supplier, the Supplier Affiliates and their respective directors, officers, employees and agents (collectively, the “Supplier Indemnified Party”) from and against any and all third party claims, losses, damages, suits, fees, judgments, costs and expenses (collectively, “Third Party Claims”), including reasonable attorneys’ fees incurred in responding to such Third Party Claims, that the Supplier Indemnified Party may suffer or incur arising out of or in connection with: (i) Customer’s breach of any privacy, confidentiality, or data security obligation under this Agreement; (ii) a claim of intellectual property infringement based on Customer’s misuse of the Software, or unapproved combination of the Software with other proprietary technology which gives rise to such claim; (iii) any personal injury (including death) or damage to property resulting from Customer’s acts or omissions; and (iv) Customer’s violation or alleged violation of any applicable federal, state, local, or foreign law, rule, regulation, or ordinance, including but not limited to those relating to data protection, employment, labor, civil rights, or the use of artificial intelligence or automated decision-making systems, in connection with Customer’s use of the Software, Services, or any outputs thereof. Customer’s obligations under this Section shall apply on a worldwide basis and include both U.S. and non-U.S. jurisdictions.
- Third Party Claims Against Customer. Supplier will indemnify, defend and hold harmless Customer, the Customer affiliates and their respective directors, officers, employees and agents (collectively, the “Customer Indemnified Party”) from and against any and all third party claims, losses, damages, suits, fees, judgments, costs and expenses (collectively, “Third Party Claims”), including reasonable attorneys’ fees incurred in responding to such Third Party Claims, that the Customer Indemnified Party may suffer or incur arising out of or in connection with (i) Supplier’s breach of any privacy, confidentiality, or data security obligation under this Agreement; (ii) a claim of intellectual property infringement based on Supplier’s misuse of the Software, or unapproved combination of the Software with other proprietary technology which gives rise to such claim; and (iii) any personal injury (including death) or damage to property resulting from Supplier’s acts or omissions. Supplier’s obligations under this Section shall apply on a worldwide basis and include both U.S. and non-U.S. jurisdictions.
- Indemnification Procedure. If any Third Party Claim is commenced with respect to which either the Customer Indemnified Party or the Supplier Indemnified Party (the “Indemnified Party”), as the case may be, is entitled to indemnification under this Section, the Indemnified Party will provide notice thereof to the other party (the “Indemnifying Party”). The Indemnifying Party will be entitled, if it so elects in a notice promptly delivered to the Indemnified Party, to immediately take control of the defense, settlement, and investigation of any Third Party Claim and to employ and engage attorneys reasonably acceptable to the Indemnified Party to handle and defend the same, at the Indemnifying Party’s sole cost. The Indemnified Party will cooperate in all reasonable respects, at the Indemnifying Party’s cost and request, in the investigation, trial and defense of such Third Party Claim and any appeal arising therefrom. The Indemnifying Party will not consent to the entry of any judgment or enter into any settlement with respect to a Third Party Claim without the Indemnified Party’s prior written consent. The Indemnified Party may also, at its own cost, participate through its attorneys or otherwise in such investigation, trial and defense of any Third Party Claim and related appeals. If the Indemnifying Party does not assume full control over the defense of a Third Party Claim as provided in this Section, the Indemnified Party will have the right to defend the Third Party Claim in such manner as it may deem appropriate, at the cost and expense of the Indemnifying Party.
- Limitation of Liability. Except for any damages arising out of a party’s act of fraud or intentional criminal misconduct (collectively, the “Excluded Items”) and indemnification obligations, in no event shall either party be liable to the other party under, in connection with, or related to this agreement, for any indirect, consequential, special, incidental, or punitive damages, including without limitation, lost profits or loss of goodwill, any lost wages, lost compensation, back pay, unpaid overtime or other compensation, or other payments claimed by any employee or agent of a customer, whether based on breach of contract, warranty, tort, product liability or otherwise, and whether or not such damages were foreseeable. The remedies specified in this agreement are cumulative and in addition to any remedies available at law or in equity.
Except for the Excluded Items and indemnification obligations, the maximum liability of either party under this agreement shall not exceed all fees or other compensation paid or payable by Customer to Supplier during the six (6) month period preceding the date any claim hereunder accrues, provided, however, that, this limitation shall not apply to any claims by Supplier for the non-payment of any fees or other remuneration pursuant to this agreement.
- General Provisions
- Independent Contractor. Customer is an independent contractor of Supplier, and this Agreement will not be construed as creating a relationship of employment, agency, partnership, joint venture, or any other form of legal association. Neither Party has any power to bind the other Party or to assume or to create any obligation or responsibility on behalf of the other Party or in the other Party’s name.
- Assignment. Supplier may assign its rights and duties under this Agreement to any party at any time without notice to Customer, including in connection with a merger, acquisition, or sale of assets, or by operation of law or otherwise. Customer may not assign or transfer this Agreement, in whole or in part, whether by operation of law or otherwise, without Supplier’s prior written consent. Any attempted assignment in violation of this Section shall be null and void. For the avoidance of doubt, any change of control of Customer shall be deemed an assignment requiring Supplier’s prior written consent.
- Notices. Except as specifically provided elsewhere in this Agreement, all notices required or permitted to be given by one party to the other under this Agreement shall be in writing and shall be sufficient if made to the parties at the respective addresses set forth below or to such other person or address as the party to receive the notice has designated by notice to the other party and by: (i) personal delivery (including delivery by any commercial delivery service); (ii) registered or certified mail, postage prepaid, return receipt requested; (iii) facsimile transmission (“Fax”); or (iv) e-mail transmission. The date of notice to the other party shall be, regardless of the date appearing on the notice: the date upon which such notice is actually delivered; or if the notice is given by registered or certified mail, the date upon which it is deposited in the mail; or if sent by Fax or confirmed e-mail transmission, the date on which the Fax or e-mail transmission was sent, provided an original is received by the addressee by any commercial delivery service within one (1) business day of the Fax.
If to Supplier: Harri (US) LLC
665 Broadway, Suite 402
New York, NY 10013
If to Customer:
Address provided in Schedule
- Severability. Any provision of this Agreement which is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof. Any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction.
- Governing Law; Venue. This Agreement is entered into in the State of New York. This Agreement shall be governed by and construed under the laws of the State of New York, excluding that body of law applicable to conflicts of law. The Parties hereby irrevocably and unconditionally consent to the sole and exclusive jurisdiction of the federal and state courts located in the State, City, County of New York for any actions, suits or proceedings arising out of or relating to this Agreement and the transactions contemplated hereby (and each Party agrees not to commence any action, suit or proceeding relating hereto except in such courts), and each party hereby waives the defenses of lack of personal jurisdiction, improper venue, and forum non-conveniens with respect to such courts. Each party further agrees that service of any process, summons, notice or document by U.S. registered mail, return receipt requested to the address set forth above shall be effective service of process for any action, suit or proceeding brought against a Party in any such court.
- Force Majeure. Neither party will be liable to the other for delay or failure to comply with the provisions of this Agreement due to events or circumstances beyond that entity’s direct control, and without its fault or negligence, including without limitation, the following: acts of God; war; riot; acts of civil or military authorities; fire; accident; labor disputes and strikes; embargoes; epidemics; power shortages; and earthquakes, floods or other unusually severe weather. Supplier is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the Internet. Customer acknowledges that the Services may be subject to limitations, delays, and other problems inherent in the use of communications facilities.
- Construction. This Agreement shall be construed without regard to the Party or Parties responsible for the preparation of the same and shall be deemed as prepared jointly by the Parties hereto. Any ambiguity or uncertainty existing herein shall not be interpreted or construed against any Party hereto. Each of the Parties hereto states that it has read each of the paragraphs of this Agreement and is freely and voluntarily entering into this Agreement under no duress, and that it understands the same and understands the legal obligations thereby created.
- Headings. The headings of sections of this Agreement are for convenience of reference only and will not affect the meaning or interpretation of this Agreement in any way.
- Survival. Those provisions of this Agreement that, by their nature, are intended to survive the termination or expiration of this Agreement, will remain in full force and effect following the termination or expiration of this Agreement, including without limitation: Payment, Confidential Information, Indemnification, Exclusion of Damages and Remedies, General Provisions.
- Non-Waiver. No term or provision hereof shall be deemed waived and no breach excused, unless such waiver or consent shall be in writing and signed by the party claimed to have waived or consented. Any consent by any party to, or waiver of, a breach by the other, whether express or implied, shall not constitute a consent to, waiver of, or excuse for any other different or subsequent breach.
- Conflict Between Agreement and Schedules. In the event of any conflict or inconsistency in the interpretation of this Agreement (including all Schedules executed hereunder), unless otherwise expressly stated in a Schedule, such conflict or inconsistency will be resolved by giving precedence according to the following order: (1) the applicable Schedule, (2) this Agreement, then (3) Terms of Use and Privacy Policy.
- Entire Agreement. This Agreement, including all Schedules and documents referenced herein or attached hereto, is the complete and exclusive statement of the agreement between the Parties with respect to the subject matter hereof, and supersedes and replaces all proposals and all other prior agreements, communications, and understandings (written and oral) regarding its subject matter. Neither party has made, or has relied upon, any representations or warranties (whether written or oral), except as set forth in this Agreement.
In case of differences in the interpretation of the English and translated texts of the Master “Software As A Service” (SaaS) Subscription Agreement statement, the English text will prevail.
ADDENDUM A
Artificial Intelligence Terms Addendum
Harri (US) LLC (“Harri” or “Supplier”) makes available certain features and functionalities within Harri’s platforms that utilize artificial intelligence, machine learning, and automated decision-making systems (collectively, “AI Services”).
This artificial intelligence terms addendum (this “AI Addendum”) is entered into by and between Harri and the customer identified on the signature page hereto (“Customer”) and sets forth the terms under which Supplier makes its AI Services available for Customer’s use, and applies to the use of all AI Services by Customer offered by Supplier, or third party products, applications or functionality that interoperate with services offered by Supplier, that incorporate AI Services. This AI Addendum is hereby incorporated into and made a part of the master agreement defined on the signature page attached hereto (“Agreement”). Except as expressly modified by this AI Addendum, all terms and conditions of the Agreement remain in full force and effect. In the event of any conflict between the AI Addendum and the Agreement, this AI Addendum will govern with respect to the subject matter contemplated herein.
- Use of De-Identified Data. Supplier may use De-identified Data, as defined in the Data Protection Addendum (“DPA”), for the sole purpose of developing, training, and improving Harri’s artificial intelligence models, algorithms, and related services (“AI Training”). Harri represents and warrants that all De-Identified Data used for AI Training will not be used to identify or re-identify any individual or Client, and Harri will maintain appropriate technical and organizational measures to ensure such De-identification. Use of De-identified Data for AI Training may continue unless otherwise directed by Customer through written notice.
- AI Use Disclaimer. Each party hereto acknowledges and agrees that any and all data processed by Supplier utilizing the AI Services hereunder, to the extent that it contains personal data or personal information, as such terms are defined under data protection laws, remains subject at all times to the data protection, confidentiality, and security obligations set forth in the Agreement (including without limitation the data protection addendum attached to the Agreement or other contractual provisions relating to data privacy, data security, and the processing of personal information).
Customer acknowledges and agrees that: (i) the AI Services are intended solely to assist and support Customer in performing certain functions, and all outputs, recommendations, analyses, or other results generated by or through the AI Services (“AI Outputs”) are for informational purposes only; (ii) Supplier does not warrant or guarantee the accuracy, completeness, reliability, legality, or suitability of any AI Outputs; (iii) Supplier does not and cannot control or verify the data, instructions, or other inputs provided by Customer or its Authorized Users to the AI Services (“Customer Inputs”), nor the manner in which Customer or its Authorized Users use, interpret, or rely upon any AI Outputs; and (iv) all decisions made by Customer or its Authorized Users based on, or in connection with, any AI Outputs are the sole responsibility of Customer.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SUPPLIER DISCLAIMS ALL LIABILITY AND RESPONSIBILITY FOR:
- ANY ACTS OR OMISSIONS OF CUSTOMER OR ITS AUTHORIZED USERS IN CONNECTION WITH THE PROVISION OF CUSTOMER INPUTS OR THE USE OF ANY AI OUTPUTS;
- ANY ERRORS, INACCURACIES, OR OMISSIONS IN AI OUTPUTS;
- ANY BUSINESS, OPERATIONAL, LEGAL, OR OTHER DECISIONS MADE BY CUSTOMER OR ITS AUTHORIZED USERS BASED ON OR IN RELIANCE UPON ANY AI OUTPUTS;
- ANY CONSEQUENCES, DAMAGES, OR LOSSES ARISING FROM CUSTOMER’S USE OF, OR RELIANCE ON, THE AI SERVICES OR AI OUTPUTS, INCLUDING BUT NOT LIMITED TO EMPLOYMENT, SCHEDULING, HIRING, OR OTHER PERSONNEL DECISIONS; AND
- ANY FAILURE OF THE AI SERVICES TO ACHIEVE ANY PARTICULAR RESULT OR OUTCOME.
- Customer Responsibilities. Customer acknowledges and agrees that it is solely responsible for:
- providing accurate, complete, and lawful Customer Inputs to the Harri Platforms and AI Services;
- reviewing, evaluating, and independently verifying all AI Outputs before taking any action or making any decision based on such outputs;
- to the extent required by law: providing any notice or disclosure; obtaining consent; providing an opt-out or an opportunity to review or appeal; and/or providing disclosure of adverse decisions made with reference to the Output;
- ensuring that its use of the Harri Platforms, including the AI Services and any AI Outputs, complies with all applicable laws, regulations, and internal policies;
- implementing appropriate safeguards and controls to prevent unauthorized or inappropriate use of the Harri Platforms, AI Services, and AI Outputs by its personnel or Authorized Users;
- promptly notifying Supplier if Customer becomes aware of any errors, inaccuracies, or inappropriate recommendations in any AI Outputs, or any use of the Harri Platforms or AI Services that is not in compliance with this Agreement or applicable law; and
- not using the Harri Platforms, AI Services, or AI Outputs in any manner that may cause harm to individuals, violate the rights of any third party, or result in unlawful or discriminatory practices.
Customer further agrees that it will not rely solely on the AI Services or AI Outputs for any employment, scheduling, hiring, or other personnel decisions, and will exercise independent judgment and due diligence in all such matters. Customer understands and agrees that the AI Outputs constitute only suggestions and Customer is responsible for any decisions made when using any Output as a source and, to this end will ensure that before any such decision is made that the individuals making the decisions:
- are provided with all data relevant to the decision;
- are competent, and possess the knowledge and skills to make such decisions;
- are trained in making such decisions and in using the AI Services, including without limitation, in recognizing automation bias or algorithmic aversion;
- are provided with a meaningful decision-making role;
- do not use the AI Outputs without independent consideration;
- are provided with time and resources to make such decisions.
- Personal Information. Customer shall not provide, and shall cause its employees/agents to not provide, Supplier, the Harri Platform or any other technology used by Supplier in connection with the Services, any personal information that could be reasonably used to identify the race, sex/gender, gender identity, national origin, sexual orientation, age, religion, disability, genetic information, medical information/condition, pregnancy status, or marital status of any individual. Customer acknowledges and agrees that Supplier is not responsible for any consequences arising from Customer’s failure to comply with the prohibition set forth in this paragraph. Supplier disclaims all liability for any use or processing of such information in violation of this Section IV.
- Indemnification. Customer shall indemnify, defend, and hold harmless Supplier and its affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (i) Customer’s provision of Customer Inputs, including but not limited to whether such decisions, actions, or inactions comply with applicable laws, regulations, and other legal requirements including without limitation data protection, intellectual property, labor and employment, civil rights and the use of artificial intelligence or machine learning; (ii) Customer’s use of, or reliance on, any AI Outputs; (iii) any decisions or actions taken by Customer or its Authorized Users based on or in connection with the AI Services or AI Outputs; or (iv) Customer’s failure to comply with its responsibilities set forth in this AI Addendum.
- No Warranties. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE AI SERVICES AND ALL AI OUTPUTS ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, OR NON-INFRINGEMENT. SUPPLIER DOES NOT WARRANT THAT THE AI SERVICES OR AI OUTPUTS WILL BE ERROR-FREE, UNINTERRUPTED, OR MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS. SUPPLIER DOES NOT WARRANT THAT THE AI SERVICES OR ANY AI OUTPUTS WILL BE ACCURATE, COMPLETE, RELIABLE, ERROR-FREE, UNINTERRUPTED, OR MEET CUSTOMER’S REQUIREMENTS, OR THAT ANY ERRORS OR DEFECTS WILL BE CORRECTED. CUSTOMER ASSUMES ALL RISKS ASSOCIATED WITH THE USE OF THE AI SERVICES AND AI OUTPUTS, INCLUDING ANY RELIANCE ON THE ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY AI OUTPUTS. SOME JURISDICTIONS, INCLUDING CERTAIN STATES, DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS MAY NOT APPLY TO CUSTOMER. IN SUCH JURISDICTIONS, THE LIABILITY OF SUPPLIER SHALL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW.
- Limitation of Liability. IN ADDITION TO ANY OTHER LIMITATIONS SET FORTH IN THIS AGREEMENT, SUPPLIER SHALL HAVE NO LIABILITY FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, OR USE, ARISING OUT OF OR RELATING TO CUSTOMER’S USE OF, OR RELIANCE ON, THE AI SERVICES OR AI OUTPUTS, EVEN IF SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING LIMITATIONS OF LIABILITY SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO CUSTOMER.
- Miscellaneous.
- Counterparts and Electronic Signatures. This AI Addendum may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Signatures provided by electronic means shall be deemed to have the same legal effect as original signatures.
- Entire Agreement. This AI Addendum, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter.
- Amendment and Waiver. No amendment or modification of this AI Addendum shall be valid or binding unless in writing and signed by both parties. No waiver of any provision of this AI Addendum shall be effective unless in writing and signed by the party against whom the waiver is to be enforced.
- Severability. If any provision of this AI Addendum is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.
- Governing Law. This AI Addendum shall be governed by and construed in accordance with the laws of the State specified in the Agreement, without regard to its conflict of law principles.
ADDENDUM B
Data Processing and Security Addendum
This Data Processing Addendum (“DPA”) is entered into between Harri (USA) LLC (“Vendor”), and the counterparty listed in the signature block below (“Client”) (each, a “Party” and collectively, the “Parties”). This DPA supplements and forms part of the Master Services Agreement (the “Agreement”) in which Vendor Processes Client Personal Data (defined below) from or on behalf of Client. This DPA will be effective as of the last signature date set forth below (the “Effective Date”). Capitalized terms not otherwise defined in this DPA shall have the meanings ascribed to them in the Agreement.
- Definitions.
“Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used in this definition, “control” means ownership of, control of, or power to vote twenty-five (25) percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons.
“Business Purpose” means the limited and specified Services described in the Agreement and any Statement of Work, or any other purpose specifically identified in Exhibit 1.
“Client Personal Data” means any Personal Data obtained by or provided to Vendor and Processed by Vendor (or a Sub-processor) in the course of providing the Services under the Agreement.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed.
“Data Protection Laws” means, to the extent applicable, all federal and state laws and regulations relating to the Processing, protection, or privacy of Client Personal Data.
“Law” or “Laws” means all applicable federal, country, state, provincial, regional, territorial or local laws, and other laws, rules, and regulations (including, but not limited to, Data Protection Laws), ordinances, interpretive letters, and other official releases of or by any authority, decrees, orders, and codes (including any requirements for permits, certificates, approvals, and inspections), as the same are promulgated, supplemented, and/or amended from time to time.
“Personal Data” means any data or information that: (i) identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, household, or device; or (ii) is otherwise “personal information”, “personally identifiable information”, “personal data”, or similarly defined data or information under applicable Data Protection Laws.
“Privacy Rights Request” means an individual’s valid request to exercise their privacy rights under applicable Data Protection Laws.
“Sub-processor” means any person (including any entity or individual but excluding an employee of Vendor) appointed by or on behalf of Vendor to Process Client Personal Data under the Agreement.
The terms “Business”, “Controller”, “Processing”, “Processor”, “Sell”, “Share”, and “Service Provider” shall have the same meaning assigned to them under applicable Data Protection Laws. The term “Controller” is deemed to include “Business” and the term “Processor” is deemed to include “Service Provider”.
- Roles. Client and Vendor acknowledge and agree that to the extent Data Protection Laws apply to the Processing of Client Personal Data under the Agreement, Client is the Controller, and Vendor is the Processor. For the avoidance of doubt, this DPA does not relieve either Party from the liability imposed on it under applicable Data Protection Laws by virtue of its role in the Agreement and this DPA.
- Client Obligations. Client has the sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquires Client Personal Data and shares Client Personal Data with Vendor. Client will use the Services in compliance with all applicable Laws. Client represents and warrants that: (i) it provides and shall provide all notices as may be required to inform individuals about the Processing and their rights provided by and in compliance with applicable Data Protection Laws; and (ii) it has collected all consents and confirmations and/or opt-outs as may be required for Processing and/or transfer of Personal Data under applicable Data Protection Laws.
- Vendor Processing of Client Personal Data.
- Vendor will only Process Client Personal Data on behalf of Client for Business Purposes, unless required to do so by applicable Law, in which case Vendor shall, without undue delay, notify Client of such requirement. The instructions set forth in this DPA, the Agreement, any SOW, or other duly documented instructions are Client’s complete instructions to Vendor for the Processing of Client Personal Data. The instructions are more fully set forth in Exhibit 1. The Parties acknowledge and agree that Client is disclosing Client Personal Data to Vendor only for Business Purposes.
- Vendor will not: (i) retain, use, or disclose Client Personal Data for any purpose, including, without limitation, any commercial purpose other than Business Purposes, unless expressly permitted by Data Protection Laws; (ii) Sell or Share Client Personal Data; (iii) retain, use, or disclose Client Personal Data for any purpose, outside of the Parties’ direct business relationship, unless expressly permitted by Data Protection Laws; or (iv) combine or update Client Personal Data with Personal Data collected from its own interaction with an individual or received from another source, unless expressly permitted by Data Protection Laws. Vendor certifies that it understands these provisions.
- Vendor shall, without undue delay, but not later than twenty-four (24) hours from receipt, refer any requests received from regulators or other governmental entities regarding Client Personal Data or the privacy practices of Vendor to Client. Unless otherwise required by applicable Law, Vendor shall not refer to or disclose any Client Personal Data without Client’s prior written consent.
- Vendor shall notify Client, without undue delay, but within not more than five (5) days, if it determines that it is no longer able to comply with its obligations under applicable Data Protection Laws.
- Vendor shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and provide the same level of privacy protection as required of Client under applicable Data Protection Laws.
- Assistance. Vendor shall provide reasonable assistance to Client with (i) complying with Client’s obligations in relation to the security of Processing Client Personal Data and notification of a Data Breach, (ii) any data protection assessments, and (iii) any investigations by competent data privacy authorities, in each case solely in relation to Processing of Client Personal Data by and taking into account the nature of the Processing and information available to Vendor. Vendor shall provide to Client all information reasonably necessary to demonstrate compliance with applicable Data Protection Laws.
- Individual Requests. Upon receipt of an individual’s Privacy Rights Request, Vendor shall inform Client of such request and instruct the individual to submit the request directly to Client. Vendor will not respond to an individual’s Privacy Rights Request absent Client’s explicit instruction unless Vendor is required to respond under applicable Law, in which case Vendor will respond to the minimum extent necessary to comply with such law. To the extent Client is unable to comply with an individual’s Privacy Rights Request by using the self-service features available through the Services, Vendor shall provide reasonable assistance and information necessary to enable Client to comply with such request, taking into account the nature of the Processing and the information available to Vendor. Notwithstanding Client’s other obligations set forth in the Agreement and this DPA, Client acknowledges and agrees that it is solely responsible for complying with its own retention obligations under applicable Law.
- Technical and Organizational Measures. Vendor will provide at least the same level of privacy protection as required by applicable Data Protection Laws. Vendor represents and warrants that it has implemented and maintains appropriate technical and organizational measures to ensure a level of security commensurate to the risk to Client Personal Data as set forth in Exhibit 2. Such measures include taking appropriate administrative, physical, organizational, and technical safeguards to prevent and guard against the unauthorized or accidental access, disclosure, destruction, loss, processing, damage, or alteration of Client Personal Data. Client represents and warrants, as of the Effective Date, to have evaluated the security measures implemented by Vendor as providing an appropriate level of protection for the Client Personal Data, taking into account the risk associated with the Processing of such information.
- Vendor Personnel. Vendor shall ensure that its personnel engaged in the Processing of Client Personal Data are informed of the confidential nature of Client Personal Data and are subject to a duty of confidentiality with respect to such data.
- Audit.
- Client will have the right to take reasonable and appropriate steps to ensure that Vendor uses Client Personal Data in a manner consistent with Client’s obligations under applicable Data Protection Laws. Subject to the terms in this Section 9, Vendor shall: (i) make available to Client all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws; and (ii) allow Client (or an auditor appointed by Client) to conduct reasonable audits of Vendor’s systems to the extent such systems relate to the Processing of Client Personal Data by Vendor. Client cannot exercise this right more than once per any twelve (12) month period during the Term (defined below). Any audit performed pursuant to this Section 9 will be conducted under a confidentiality agreement and any information or report derived from such audit will be deemed Vendor’s Confidential Information.
- To request an audit, Client must submit a detailed audit plan to Vendor at least thirty (30) days in advance of the proposed audit date. Vendor will review the proposed audit plan and work cooperatively with Client to agree on a final audit plan. All such audits must be conducted subject to the final audit plan agreed to by the Parties. Notwithstanding the foregoing, the Parties agree that any such audit will be: (i) conducted during Vendor’s normal business hours; and (ii) limited to systems that relate to the Processing of Client Personal Data by Vendor.
- Upon Client’s request to perform an audit, to the extent permitted by applicable Data Protection Laws, Vendor may elect to retain a qualified and independent assessor to perform such audit, using an appropriate and accepted control standard or framework and assessment procedure for such assessments.
- Client shall, without undue delay, notify Vendor of any non-compliance discovered during the audit.
- Client shall be responsible and fully liable for the actions and omissions of its personnel and authorized representatives while on Vendor’s premises and/or inspecting Vendor’s systems and facilities. Client shall bear the costs for any audit initiated by Client.
- Upon notification of unauthorized use of Client Personal Data, Client shall have the right to take reasonable and appropriate steps to remediate the unauthorized use, and in doing so, Client and Vendor shall make reasonable efforts to mutually agree on steps to remediate and ensure Client Personal Data is used appropriately.
- Data Breach. Vendor shall, to the extent permitted by Law, notify Client without undue delay and, where feasible, within twenty-four (24) hours after Vendor becomes aware of a Data Breach affecting Client Personal Data, provide Client with necessary information to allow Client to meet any obligations to report or inform individual(s) and/or regulators of the Data Breach under applicable Data Protection Laws. The notification, at a minimum, will include: (i) the types of Client Personal Data that were or are reasonably believed to be the subject of the Data Breach; (ii) the date or estimated date of the Data Breach; (iii) a general description of the Data Breach; and (iv) the steps Vendor has taken to remediate the Data Breach. Vendor shall continuously supplement the information provided to Client as additional information becomes available to it regarding the Data Breach. If it is determined that Vendor or a Sub-processor is responsible for the Data Breach, Vendor shall review the applicable technical and organizational measures and, if needed, make appropriate changes to prevent such Data Breach from occurring in the future.
- Sub-processing.
- Client hereby approves the Sub-processors currently engaged by Vendor and that are listed in Exhibit 3.
- Vendor shall provide written notice to Client within thirty (30) calendar days of engaging a new Sub-processor, and Client will have thirty (30) calendar days to provide written notice of its objection to such Sub-processor. Upon Client’s objection, Vendor shall use reasonable efforts to change the provision of the Services in a manner that avoids the use of the proposed Sub-processor. Where such a change cannot be made, notwithstanding anything in the Agreement, Client may, by written notice to Vendor, terminate the Agreement to the extent it relates to the Services, which require use of the proposed Sub-processor. In any event, Vendor will not provide Client Personal Data to the objected-to Sub-processor unless and until Client’s objections are resolved.
- If the Sub-processor is engaged without objection from Client, Vendor shall enter into a written agreement with each Sub-processor that complies with Data Protection Laws and imposes data protection obligations that are no less protective of Client Personal Data than Vendor’s obligations under this DPA. Vendor will remain responsible for Sub-processors’ compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor as if they were Vendor’s acts or omissions.
- Deletion or Return of Client Personal Data. At the choice of Client, Vendor shall delete or return all Client Personal Data (including copies) upon expiration or termination of the Agreement. This requirement does not apply to the extent Vendor is required by applicable Law to retain some or all of the Client Personal Data, or to Client Personal Data it has archived on back-up systems; provided, however, Vendor shall continue to protect the security and confidentiality of such data until the data is no longer in Vendor’s possession.
- Deidentified Data. To the extent Vendor collects on behalf of Client, or receives from Client deidentified data or pseudonymized data (as such terms are defined under applicable Data Protection Laws) (collectively, “D&P Data”) or to the extent the Agreement permits Vendor to render Client Personal Data into D&P Data, Vendor shall implement such deidentification or pseudonymization in accordance with applicable Data Protection Laws. In addition, for deidentified data, Vendor shall: (i) take reasonable measures to ensure that the information cannot be linked, attributed, or otherwise associated with an individual, household, or device (including without limitation: (a) implement and maintain technical and administrative safeguards that prohibit reidentification of the deidentified data; (b) implement and maintain business processes that specifically prohibit reidentification of the deidentified data and prevent inadvertent release of the deidentified data; (c) periodically reassess technical safeguards and processes to ensure that they are still adequate to prevent reidentification of and prohibit inadvertent release of the deidentified data); (ii) publicly commit to maintain and use the deidentified data in deidentified form and not to attempt to reidentify the deidentified data; and (iii) contractually obligate any recipients of the deidentified data to comply with all provisions of this Section 13.
- General.
- Indemnification. Indemnification under this DPA is subject to the indemnification section(s) of the Agreement.
- Limitation of Liability. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED IN THIS DPA OR THE AGREEMENT, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, INCLUDING DAMAGES FOR LOSS OF PROFITS, DATA OR USE, INCURRED BY THE OTHER PARTY OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Notwithstanding the foregoing, no provision of this DPA shall be deemed to waive or limit the rights of an individual or competent regulatory authority under applicable Data Protection Laws.
- Order of Precedence. In the event of a conflict between the terms of this DPA, SOW(s), and the Agreement with respect to the subject matter herein, the following order of precedence shall apply: (i) this DPA; (ii) the Agreement; (iii) SOW(s).
- Changes in Data Protection Laws. If any amendment is required for this DPA as a result of a change in applicable Law (including Data Protection Laws), then either Party may provide written notice to the other Party of that change in Law. The parties will discuss and negotiate in good faith any necessary amendment to the Agreement or this DPA to address such changes. If either Party gives notice under this Section 14, the Parties shall without undue delay discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. If the Parties fail to amend the Agreement or this DPA in accordance with this Section 14, the notifying Party may terminate the Agreement upon written notice to the other Party.
- Term. The term (“Term”) of this DPA will commence on the Effective Date and end simultaneously and automatically at the later of: (i) the termination of the Agreement; or (ii) when Vendor is no longer in possession of any Client Personal Data.
- Jurisdiction and Governing Law. The Parties hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination, or the consequences of its nullity.
- Survival. The obligations set forth herein will survive termination of the Agreement and DPA for as long as Vendor Processes or stores Client Personal Data.
- Severability. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Exhibits. All Exhibits to this DPA are hereby incorporated by reference into, and made a part of, this DPA.
EXHIBIT 1
Description of Processing
Categories of individuals whose Personal Data is Processed:
- Job applicants
- Employees
Categories of Client Personal Data Processed:
- Name
- Phone number
- Home address
- Gender
- Date of Birth
- Social Security Number
- Hire date
- Position of employment
- Wage rate
- Wage type (hourly, salaried)
- Bank account and routing numbers
- Biometric data (for use only in Biometric clock-in, if selected by Client)
The frequency of the Processing: Continuous for as long as Client uses the Services.
Nature of the Processing: Vendor will collect, receive, store, retain, transmit, delete (as provided in this DPA, the Agreement, and/or SOW(s)), use, and otherwise Process Client Personal Data as needed to provide the Services.
Specifically, the process involves the following:
- Cloud-based Storage: Hosting and storage of data on our secure AWS cloud infrastructure/instance.
- Automated Computation: Algorithmic processing to calculate scheduling availability, sales and cost estimates, candidate scoring, etc.
- Data Transfer: Transmission of data to third-party integrations (e.g., payroll providers, background check services, etc.) as requested by Client.
- Display and Reporting: Visualizing data within the Harri UI for Client’s use.
Purpose(s) of the Processing: The purpose of the Processing is to facilitate Vendor’s provision of the Services to Client in accordance with the Agreement, this DPA, any SOW(s), and applicable Law.
The period for which the Client Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Vendor will Process Client Personal Data for as long as required to provide the Services. In the event of contract termination, Vendor will retain Client Personal Data for up to seven (7) years from the termination date, unless a written request is provided by Client to destroy Client’s Personal Data.
EXHIBIT 2
Technical and Organizational Measures
Vendor implements and maintains policies and procedures that include appropriate technical and organizational measures to ensure a level of security appropriate to: (i) protect the security, confidentiality, and integrity of Client Personal Data; and (ii) protect against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Client Personal Data. Vendor regularly monitors, evaluates, and assesses the effectiveness of the technical and organizational measures implemented. Vendor’s technical and organizational measures include:
Risk Management: Vendor maintains a risk management framework and conducts a yearly risk assessment of its environment and systems to understand its risks and applies appropriate controls to manage and mitigate risks before processing Client Personal Data.
Access Controls: Vendor implements the following access controls with respect to Client Personal Data:
- Access to Client Personal Data is restricted to Vendor personnel authorized to have such access in accordance with their job function and based on the principle of “least privilege.”
- Vendor maintains account creation and deletion procedures, with appropriate approvals, for each personnel role.
- Vendor maintains a record of personnel security privileges for those personnel that have access to Client Personal Data.
- Vendor reviews personnel access rights at regular intervals and makes adjustments as necessary.
- Each account from which Client Personal Data can be accessed is attributable to a single user with a unique ID which is authenticated through a password or another authentication method.
- Vendor uses industry-standard practices to identify and authenticate users who attempt to access its information systems, including multi-factor authentication.
- Passwords are renewed regularly.
- Passwords are required to conform to very strong password control parameters. Passwords are required to contain: (i) eight alphanumeric characters; (ii) upper and lowercase letters; (iii) one number; and (iv) one special character.
Physical Security: Vendor implements the following physical security measures with respect to Client Personal Data:
- All devices are secured with a password/PIN screen lock with the automatic activation feature. Vendor personnel are required to lock the screen or log off when a device is unattended.
- Access to locations where Client Personal Data is processed or stored is limited to authorized personnel only.
- Visitors to locations where Client Personal Data is processed or stored are required to sign a visitor register and are escorted at all times.
- Physical access logs detailing access are retained.
- Physical documents that contain Client Personal Data are required to be kept in a locked office or file cabinet when not in use.
- Vendor facilities are monitored 24/7.
Network Security: Vendor’s network employs the following safeguards:
- Vendor maintains security controls designed to detect and mitigate attacks by use of network layer firewalls and intrusion detection/prevention systems (IDS/IPS).
- All network traffic passes through firewalls, which are monitored at all times.
- Vendor maintains management procedures that provide a consistent approach for controlling, implementing, and documenting changes for information systems.
- Endpoint protection, including anti-virus and anti-malware, is implemented on all endpoints.
- When remote connectivity to Vendor’s network is required, Vendor uses VPN servers for the remote access, with connections protected by 256-bit encryption.
- Vendor employs multi-factor authentication for administrative interfaces and for all access to Vendor systems and applications.
Vulnerability and Patch Management: All Vendor devices are configured for automatic patching, and application security patches are installed without unreasonable delay. Vendor conducts regular testing and monitoring of the effectiveness of safeguards, controls, and systems, including penetration testing.
Encryption: Vendor encrypts Client Personal Data as follows:
- Vendor shall use encryption certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard.
- All emails between Vendor and Client shall utilize Transport Layer Security (TLS) if transmitting Client Personal Data.
- Vendor will encrypt all Client Personal Data that resides on the Vendor’s systems, servers, backups, or other information systems, including Client Personal Data that resides on the systems and servers of any third-party with which the Vendor has subcontracted to store electronic data.
- Vendor shall encrypt at rest using solutions that are certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and any keying material are not stored with any associated data.
- In the event Vendor uses a cloud-based environment to store Client Personal Data, Vendor must only use United-States based providers whose dedicated cloud-based environment encrypts data at rest.
- In the event that Client Personal Data could be transferred to a mobile device, tablet, or laptop, Vendor implements, monitors, and maintains encryption and information leakage prevention tools using solutions that are certified against the U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verifies that the encryption keys and keying material are not stored with any associated data.
Personnel: Vendor employs the following administrative safeguards for its personnel:
- All Vendor personnel undergo privacy and data security training, upon hiring, and annually thereafter.
- Vendor informs its personnel of relevant security procedures and their roles and ensures that all personnel sign a confidentiality agreement or are subject to statutory obligations of confidentiality.
- Personnel that fail to comply with Vendor’s information security policies, practices, and procedures may be subject to disciplinary action, up to and including termination.
- Vendor performs background checks on personnel where legally permissible.
- Vendor maintains procedures for revoking or changing access in response to termination or changes in job functions.
Sub-processors: Vendor employs the following safeguards with respect to any Sub-processors that access, store, or transmit Client Personal Data on its behalf:
- Due diligence is conducted on all Sub-processors who may gain access to, store, or transmit Client Personal Data in accordance with the DPA.
- Sub-processor physical and electronic access to Client Personal Data is terminated no later than the date of separation or of transfer to a role no longer requiring access to Client Personal Data.
- Vendor has agreements with all Sub-processors who may gain access to, store, or transmit Client Personal Data that require compliance with Vendor’s information security requirements.
Business Continuity: Vendor maintains a disaster recovery and business continuity program for systems and facilities used to provide services. Such program is designed to ensure that Vendor is able to continue providing services after its systems are damaged, destroyed, or otherwise unavailable for use. Vendor’s disaster recovery and business continuity program is tested on an annual basis.
Incident Management: Vendor maintains an incident management plan designed to promptly identify, prevent, investigate, mitigate, and address the impact of security incidents.
EXHIBIT 3
Sub-processors
Vendor Sub-processors:
- [insert here]