End-User License Agreement (EULA) for CDR Link

End-User License Agreement (EULA)

THIS END-USER LICENSE AGREEMENT (“LICENSE AGREEMENT”) IS A LEGAL AGREEMENT BETWEEN YOU AS AN END-USER AND CENTER FOR DIGITAL RESILIENCE (CDR) GOVERNING THE USE OF CDR’S REMOTE-ACCESSIBLE SERVICE, CDR LINK. PLEASE READ THE FOLLOWING GENERAL TERMS AND CONDITIONS CAREFULLY BEFORE ACCESSING OR USING CDR LINK.

Status as of: 11 December 2020

§ 1 General

(1) These General Terms and Conditions (GTCs) are applicable to all Software-as-a-Service agreements concluded between Center for Digital Resilience (CDR), 1300 I Street NW, Suite 400E Washington DC, 20005 (the Provider) and end-users (Users) for the use of “CDR Link”. CDR Link is a secure human rights helpdesk that incorporates the open source Zammad project source code and a number of security and usability add-ons developed by CDR. CDR Link features custom messaging plugins for Signal and WhatsApp, enabling responders to safely and efficiently help communities seeking assistance.

§ 2 Subject Matter of the Agreement

(1) The subject matter of the License Agreement is the provision of CDR Link via a remote data connection by the Provider for use by CDR Partners – Users – who have entered into a separate agreement with CDR (the “Services”).

(2) Unless self-hosted, CDR Link is made available to Users by the Provider via the Provider’s web server.

(3) The Provider does not guarantee that the Services provided will work with any particular hardware or devices. Services may be subject to malfunctions and delays. This does not include times when CDR Link is not available via the Internet due to technical or other problems not under the sphere of influence of the Provider (force majeure, third party defaults, etc.). In agreement with the User, the Provider may interrupt the performance of the CDR Link service for a defined period if this is necessary for maintenance purposes. The User will not refuse agreement to such interruptions unreasonably.

§ 3 User Service

(1) The Provider makes available to the User a user service as support for technical questions. The CDR Link service can be reached via email (help@digiresilience.org). This is intended solely as support of the User for the utilization of the services to be rendered by the Provider pursuant to this License Agreement. User queries sent to this address will be processed in order of their arrival.

§ 4 Data Storage

(1) The User can store data on the data server established by the Provider to which the User has access in connection with the use of CDR Link. The Provider is responsible only for providing data storage to be used by the User in compliance with separate work agreements.

(2) The Provider will make every reasonable effort, using industry best practices, to secure and safeguard the data created and stored by the User on the data server established by the Provider. If indication is found of a data breach of a data server, the user will be notified within 24 hours of the discovery of the breach.

§ 5 Processing of Personal Data

(1) Should the User collect personal data within the framework of this contractual relationship, then the User shall be considered a “Data Controller” and CDR shall be considered a “Data Processer” as those terms are defined under the General Data Protection Regulation (GDPR). The User and CDR each are responsible for compliance with all data protection laws and regulations applicable to the provision of the Services by the Provider and the use of the CDR Link service by the User. The Provider only will process data transferred by the User within the framework of instructions given by the User. The Provider offers the User an encrypted transfer of the data by means of the communication protocol “Hypertext Transfer Protocol Secure” (HTTPS). Please see the CDR Privacy Policy for further information.

§ 6 Surrender of Data

(1) On demand of the User, the Provider will surrender a copy of the data provided by the User and stored in the CDR Link system.

(2) When specifically requested, the Provider will delete any User data it still has stored 14 days after the transfer of the data to the User in connection with the termination of this License Agreement, unless the User notifies the Provider within this deadline that the data transferred to the User are not legible or not complete. Failure to give such notification is deemed as agreement to the deletion of the data. When transferring the data, the Provider will specifically point out to the User the consequences of this action.

§ 7 Data Security and Data Backup

(1) The Provider will implement technical and organizational security precautions and measures at a level meeting or exceeding industry standards.

(2) The Provider will carry out an incremental backup of the data of the User on the data server on every working day.

(3) The User can delete data from CDR Link independently via time-controlled jobs. The User alone is responsible for such deletions. The Provider assumes no liability in this respect.

(4) Users are responsible for maintaining the security of their account and the activities on said account, and the Provider disclaims any liability for a breach of security of the User’s account.

§ 8 Access Rights

(1) The User shall acquire a specific number of access rights from the Provider. An access right entitles a person to access the CDR Link service made available by the Provider. An access right consists of a user name and a password. A user name and password may only be communicated by the User to those persons to whom the User has granted authorization and must otherwise be kept secret. The User is solely responsible for the actions of all individuals or entities to whom the User grants authorization to access the CDR Link service.

(2) The User must change the password assigned to them by the Provider to a secure password consisting of at least 8 characters. This must include at least one special character and one number.

§ 9 Rights

(1) All software made available to the User through CDR Link is made available under a free open source license (GNU AGPLv3).

(2) For the duration of the term of this License Agreement, the User shall have non-exclusive rights of use of the CDR Link service and any associated software made available by the Provider. This License Agreement shall not be valid unless the User accepts the relevant license conditions before using CDR Link and any associated software, and must observe these conditions at all times.

(3) The User grants the Provider the right to make secure copies (backups) of the data saved by the Provider for the User, insofar this is necessary for performance of contractually due Services.

(4) The User is not entitled to grant any third parties use of the Services of the Provider. Those individuals who use the Services free of charge on behalf of the User, such as employees of the User, are not deemed to be third parties.

§ 10 User’s Obligation to Cooperate

(1) The User undertakes to establish a data connection between the workplaces he/it intends to use and the data transfer point defined by the Provider. The data transfer point for the Services is the router output to the internet of the computer center used by the Provider. The Provider may redefine the data transfer point at any time should this become necessary to ensure trouble-free utilization of the Services for the User. In such event, the User shall establish a connection to this newly defined transfer point.

(2) The use of CDR Link by the User is dependent on compliance of the hardware and software used by the User, including workstation computers, routers, means of data communication, etc., with the minimum technical requirements for the use of CDR Link and on the individuals with access rights authorized by the User to use CDR Link being conversant with the operation of the software. The User is responsible for the configuration of its IT system. The Provider may provide technical support to the User related to the configuration of the User’s IT system by separate agreement between the parties.

(3) The User undertakes not to store any content on the Provider’s server that is unlawful, that infringes any laws, regulations, or rights of third parties and/or otherwise use the User account for such purposes. The User also undertakes to ensure that the name the User selects for the URL and email address does not infringe any laws, regulations, or rights of third parties. In this respect, the User shall hold the Provider harmless of any third-party use for which the User is responsible, including the costs arising from such use.

(4) The Provider is entitled to suspend the User’s account temporarily with immediate effect, in full or in part, in the event of any imminent or occurred infringement or violation of the above-mentioned obligations. Prior to the Provider taking such measures, the Provider will notify the User of any infringements or violations and afford the User a reasonable duration of time, as determined by the Provider, considering factors such as the amount of time reasonably expected to be required to remedy the infringement or violation.

§ 11 Term of the Agreement

(1) The minimum term of this License Agreement for all service packages is a fixed term of one year (the “Initial Term”), calculated from the time of the signing of the agreement. The Provider and the User are free to agree to a longer Initial Term. Upon the expiration of the Initial Term, the term of the License Agreement shall be automatically extended for a further year, or for a mutually agreed upon term longer than one year, unless the User or the Provider terminates the License Agreement within a period of notice of at least two months prior to the end of the Initial Term. (2) The right to termination for good cause remains unaffected.

§ 12 Confidentiality and Use

(1) Both parties recognize and agree that the data of each party is critical to their respective operations and that neither party would enter into this License Agreement without assurance that such information and its value will be protected. As a condition to being provided with any disclosure of or access to User data, the Provider shall for the duration of this License Agreement as per Section 11 of this License Agreement:

(a) not access or use, or permit the access or use of, User data other than as necessary to exercise its rights or perform its obligations under and in accordance with this License Agreement;

(b) not use or permit the use of any User data, directly or indirectly, in any manner to the detriment of the User or to obtain any competitive advantage over the User;

(c) except as may be permitted by and subject to its compliance with Section 13, not disclose or permit access to User data other than to its representatives who: (i) need to know such User data for purposes of the Provider’s exercise of its rights or performance of its obligations under and in accordance with this License Agreement; (ii) have been informed of the confidential nature of the User data and the Provider’s obligations under this section; and (iii) are bound by [written] confidentiality and restricted use obligations at least as protective of the User data as the terms set forth in this section;

(d) safeguard the User data from unauthorized use, access, or disclosure using at least the degree of care it uses to protect its [most/similarly] sensitive information and in no event less than a reasonable degree of care;

(e) notify the User in writing [promptly/within a reasonable time] of any unauthorized disclosure or use of User data and cooperate with the User to protect the confidentiality and ownership of all Intellectual Property Rights, privacy rights, and other rights therein.

§ 13 Compelled Disclosures

(1) If the Provider or any of its representatives is compelled by applicable law to disclose any User data, then, to the extent permitted by applicable law, the Provider shall: (i) promptly, and prior to such disclosure, notify the User in writing of such requirement so that the User can seek a protective order or other remedy, or waive its rights under Section 12; and (ii) provide reasonable assistance to the User in opposing such disclosure or seeking a protective order or other limitations on disclosure.

(2) If the User waives compliance or, after providing the notice and assistance required under this section, the Provider remains required by law to disclose any User data, the Provider shall disclose only that portion of the User data that the Provider is legally required to disclose [and, upon the User’s request, shall use reasonable efforts to obtain assurances from the applicable court or other presiding authority that such User data will be afforded confidential treatment]. No such compelled disclosure by the Provider will otherwise affect the Provider’s obligations hereunder with respect to the User data so disclosed.

§ 14 Dispute Resolution

(1) Exclusive Dispute Resolution Mechanism. The parties shall resolve any dispute, controversy, or claim arising out of or relating to this Agreement, or the breach, termination or invalidity hereof (each, a “Dispute”), under the provisions of this Agreement. The procedures set forth in Sections 2 through 4 shall be the exclusive mechanism for resolving any Dispute that may arise from time to time.

(2) Negotiations. A party shall send written notice to the other party of any Dispute (“Dispute Notice”). The parties shall first attempt in good faith to resolve any Dispute set forth in the Dispute Notice by negotiation and consultation between themselves. In the event that such Dispute is not resolved on an informal basis within 30 Business Days after one party delivers the Dispute Notice to the other party, either party may, by written notice to the other party (“Escalation to Executive Notice”), refer such Dispute to the executives of each party (or to such other person of equivalent or superior position designated by such party in a written notice to the other party) (“Executive(s)").

(3) Mediation.

(3.1) Subject to Section 2, the parties may, at any time after the Escalation to Mediation Date, submit the Dispute to any mutually agreed to mediation service for mediation by providing to the mediation service a joint, written request for mediation, setting forth the subject of the dispute and the relief requested. The parties shall cooperate with one another in selecting a mediation service, and shall cooperate with the mediation service and with one another in selecting a neutral mediator and in scheduling the mediation proceedings. The parties covenant that they will use commercially reasonable efforts in participating in the mediation. The parties agree that the mediator’s fees and expenses and the costs incidental to the mediation will be shared equally between the parties.

(3.2) The parties further agree that all offers, promises, conduct, and statements, whether oral or written, made in the course of the mediation by any of the parties, their agents, employees, experts, and attorneys, and by the mediator and any employees of the mediation service, are confidential, privileged, and inadmissible for any purpose, including impeachment, in any litigation, arbitration or other proceeding involving the parties, provided that evidence that is otherwise admissible or discoverable shall not be rendered inadmissible or non- discoverable as a result of its use in the mediation.

(4) Arbitration as a Final Resort. If the parties cannot resolve any Dispute for any reason, including, but not limited to, the failure of either party to agree to enter into mediation or agree to any settlement proposed by the mediator, within 30 Business Days after the Escalation to Mediation Date, either party may commence binding arbitration.

§ 15 Warranty

(1) The Provider is responsible for the availability of the CDR Link service within the contractually agreed scope.

(2) The Provider will rectify any errors or the (partial) failure of the CDR Link service of which it is notified within a reasonable period. The parties mutually agree to classify any errors that occur as (a) errors that prevent operation, (b) errors that handicap operation or (c) other errors. If the parties are unable to come to a mutual agreement, the Provider will decide on the classification taking reasonable account of the interests of the User. The following response and recovery times shall apply depending upon the classification of an error:

(a) Errors that prevent operation: response time: 24 hours / recovery time: 48 hours An error is deemed to prevent operation if it is due, for example, to malfunctions, incorrect work results or response times rendering the use of CDR Link as impossible or significantly handicapped (and such error cannot be avoided by means of reasonable organizational measures).

(b) Errors that handicap operation: response time: 48 hours / recovery time: 5 working days An error is deemed to handicap operation if it is due, for example, to malfunctions, incorrect work results or response times, and if use of CDR Link is in fact not impossible or significantly handicapped, but the restriction(s) on use is (are) nevertheless not merely negligible and cannot be avoided by means of reasonable organizational or other economic measures.

(c) Other errors: response time: 2 working days / recovery time: to be agreed individually with the Provider depending on the problem, taking release cycles into account.

Other errors are deemed to exist if the use of CDR Link is not directly and/or not significantly/considerably impaired, for example in the case of unfavorably defined default settings.

(d) The performance of CDR Link may be interrupted or affected during maintenance periods, but during these periods CDR Link will still be available.

(3) An error in CDR Link is deemed to exist if:

(a) CDR Link does not fulfill the contractually agreed functions when used in accordance with the License Agreement; or

(b) if CDR Link proves unsuitable for the use indicated in the License Agreement; or

(c) if CDR Link proves unsuitable or does not have the necessary properties for normal use that is usual for applications of the same type and that the User can expect from this type of software.

An error pursuant to this provision is expressly deemed not to exist if the existence of one of the aforementioned conditions according to the letters (a) - (c) has only an insignificant adverse effect on the use of the application or if the failure is the result of improper handling of CDR Link by the User.

(4) The method for rectifying errors is chosen at the sole discretion of the Provider. Furthermore, rectification of an error could also take the form of instructions for action to be taken by the User. The User is obliged to follow such instructions for action unless this is unreasonable. The Provider’s obligation to rectify errors is fulfilled when the error in this sense no longer exists.

(5) Should the Provider not be able to rectify an error within the contractually agreed period, it will provide the User with a temporary workaround solution at its own expense provided that this is economically reasonable for the Provider. Supply of a temporary workaround solution by the Provider in no way affects the Provider’s obligation to provide a permanent rectification of the error.

(6) With the conclusion of the License Agreement, the User authorizes access to application data for the purposes of checking and rectifying error messages and errors. The Provider will only access said data to the extent necessary for such checking and rectification of errors.

§ 16 Liability

(1) The Provider is liable for willful intent and gross negligence in compliance with applicable law. In the case of mere negligence, the Provider is liable for damages only for breach of a material obligation, the amount of which is limited to damage typical for such a License Agreement and that was foreseeable at the time of the conclusion of the License Agreement. Material obligations are fundamental, elementary obligations arising from the contractual relationship, the fulfilment of which only makes the orderly fulfilment of the License Agreement possible, the breach of which jeopardizes the purpose of the License Agreement and on the observation of which the User regularly depends and may depend.

(2) The exclusion of liability shall not apply in the case of damage arising from injury to life, body or health nor with regard to liability pursuant to product liability law or any warranties that have been granted.

(3) In the case of mere negligence with regard to the breach of material obligations, the amount of the liability of the Provider is limited to foreseeable average damage typical of the License Agreement.

(4) All the above-mentioned liability limitations also shall apply to legal representatives and any associated vicarious agents.

(5) The Provider is liable for the loss of data in accordance with the preceding provisions only if such loss could not have been prevented by appropriate data security measures on the part of the User. The liability for the loss of data is limited to the justifiable expense required to reconstruct the lost data of the User by means of existing backup copies.

§ 17 Data Traffic

(1) The Provider does not limit data traffic. However, it reserves the right to limit this in the event of an unnecessarily high volume on the part of the User. This is in particular the case if data are exchanged in a considerable manner via Internet services such as file-sharing platforms. Normal use of the contractual Services will, however, not be prevented.

§ 18 Amendments to the Terms and Conditions of the License Agreement

(1) Unless otherwise specifically provided for, the Provider is entitled to amend or supplement the terms and conditions of the License Agreement insofar as this is necessary for good reason, in particular due to changes in the legal situation, technical modifications or further developments or other similar reasons, and insofar as this does not constitute an unreasonable disadvantage for the User. The Provider may change its terms of service for CDR Link at any time, but Users will receive notification of the changes via designated communication channels and project contacts.

(2) If the User does not agree with the amendments or supplements to the terms and conditions of the License Agreement, the User may object to the amendments within a period of one week prior to the intended time the amendments or supplements are to become effective. The objection must be in writing.

(3) If the User does not submit an objection, the amendments or supplements to the terms and conditions of the License Agreement are deemed accepted by the User. The Provider will particularly advise the User of the foreseen consequences of the User’s behavior with the notification of the amendments or supplements to the terms and conditions of the License Agreement.

§ 19 Final Provisions

(1) The assignment of claims is only permissible with the prior, written approval of the other party to the agreement. Approval may not be withheld unreasonably.

(2) A right of retention may only be asserted on account of counterclaims arising from the respective contractual relationship.

(3) The parties to the License Agreement may only offset such claims that are legally established or undisputed.

(4) All amendments and supplements to or termination of the License Agreement must be in writing. This also applies to the cancellation of this requirement for the written form, insofar as the License Agreement does not prescribe the text form.

(5) Should any provisions of this License Agreement be or become invalid, this shall in no way affect the validity of the remaining contents of the License Agreement. The invalid provisions of the License Agreement shall be replaced by such that come as close as possible to the commercial intent of the parties.