diff options
Diffstat (limited to 'network/dropbox/policies')
-rw-r--r-- | network/dropbox/policies | 1857 |
1 files changed, 742 insertions, 1115 deletions
diff --git a/network/dropbox/policies b/network/dropbox/policies index 3392464a16..689bd92ee3 100644 --- a/network/dropbox/policies +++ b/network/dropbox/policies @@ -1,34 +1,36 @@ Dropbox Terms of Service - Posted: November 4, 2015 + Posted: December 8, 2016 + + Effective: February 10, 2017 Thanks for using Dropbox! These terms of service ("Terms") cover your use and access to our services, client software and websites ("Services"). If you reside outside of the United States of America, - Canada and Mexico (“North America”) your agreement is with Dropbox - Ireland, and if you reside in North America your agreement is with - Dropbox, Inc. Our [45]Privacy Policy explains how we collect and use - your information while our [46]Acceptable Use Policy outlines your - responsibilities when using our Services. By using our Services, you're - agreeing to be bound by these Terms, and to review our [47]Privacy and - [48]Acceptable Use policies. If you're using our Services for an - organization, you're agreeing to these Terms on behalf of that - organization. + Canada and Mexico ("North America") your agreement is with Dropbox + International Unlimited Company, and if you reside in North America + your agreement is with Dropbox, Inc. Our [45]Privacy Policy explains + how we collect and use your information while our [46]Acceptable Use + Policy outlines your responsibilities when using our Services. By using + our Services, you're agreeing to be bound by these Terms, our + [47]Privacy Policy and [48]Acceptable Use Policy. If you're using our + Services for an organization, you're agreeing to these Terms on behalf + of that organization. Your Stuff & Your Permissions When you use our Services, you provide us with things like your files, - content, email messages, contacts and so on ("Your Stuff"). Your Stuff - is yours. These Terms don't give us any rights to Your Stuff except for + content, messages, contacts and so on ("Your Stuff"). Your Stuff is + yours. These Terms don't give us any rights to Your Stuff except for the limited rights that enable us to offer the Services. We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you - with features like photo thumbnails, document previews, email - organization, easy sorting, editing, sharing and searching. These and - other features may require our systems to access, store and scan Your - Stuff. You give us permission to do those things, and this permission - extends to our affiliates and trusted third parties we work with. + with features like photo thumbnails, document previews, commenting, + easy sorting, editing, sharing and searching. These and other features + may require our systems to access, store and scan Your Stuff. You give + us permission to do those things, and this permission extends to our + affiliates and trusted third parties we work with. Sharing Your Stuff @@ -37,7 +39,7 @@ Sharing Your Stuff Your Responsibilities - You're responsible for your conduct, Your Stuff and you must comply + You're responsible for your conduct. Your Stuff and you must comply with our [49]Acceptable Use Policy. Content in the Services may be protected by others' intellectual property rights. Please don't copy, upload, download or share content unless you have the right to do so. @@ -47,12 +49,15 @@ Your Responsibilities obligation to do so. We aren't responsible for the content people post and share via the Services. - Please safeguard your password to the Services, make sure that others - don't have access to it, and keep your account information current. + Help us keep you informed and Your Stuff protected. Safeguard your + password to the Services, and keep your account information current. + Don't share your account credentials or give others access to your + account. - Finally, our Services are not intended for and may not be used by - people under the age of 13. By using our Services, you are representing - to us that you're over 13. + You may use our Services only as permitted by applicable law, including + export control laws and regulations. Finally, our Services are not + intended for and may not be used by people under the age of 13. By + using our Services, you are representing to us that you're over 13. Software @@ -72,7 +77,7 @@ Beta Services We sometimes release products and features that we are still testing and evaluating. Those Services have been marked beta, preview, early access, or evaluation (or with words or phrases with similar meanings) - and may not be as reliable as Dropbox’s other services, so please keep + and may not be as reliable as Dropbox's other services, so please keep that in mind. Our Stuff @@ -104,11 +109,19 @@ Paid Accounts Billing. You can increase your storage space and add paid features to your account (turning your account into a "Paid Account"). We'll automatically bill you from the date you convert to a Paid Account and - on each periodic renewal until cancellation. You're responsible for all - applicable taxes, and we'll charge tax when required to do so. - - No Refunds. You may cancel your Dropbox Paid Account at any time but - you won't be issued a refund [52]unless it's legally required. + on each periodic renewal until cancellation. If you're on an annual + plan, we'll send you a notice email reminding you that your plan is + about to renew within a reasonable period of time prior to the renewal + date. You're responsible for all applicable taxes, and we'll charge tax + when required to do so. Some countries have mandatory local laws + regarding your cancellation rights, and this paragraph doesn't override + these laws. + + No Refunds. You may cancel your [52]Dropbox Paid Account at any time. + Refunds are only issued if [53]required by law. For example, users + living in the European Union have the right to cancel their Paid + Account subscriptions within 14 days of signing up for, upgrading to or + renewing a Paid Account. Downgrades. Your Paid Account will remain in effect until it's cancelled or terminated under these Terms. If you don't pay for your @@ -119,39 +132,62 @@ Paid Accounts notice of these changes via a message to the email address associated with your account. -Dropbox Business +Dropbox Teams Email address. If you sign up for a Dropbox account with an email - address provisioned by your employer, your employer may be able to - block your use of Dropbox until you transition to a Dropbox Business or - Dropbox Enterprise account or you associate your Dropbox account with a - personal email address. - - Using Dropbox Business or Dropbox Enterprise. If you join a Dropbox - Business or Dropbox Enterprise account, you must use it in compliance - with your employer's terms and policies. Please note that Dropbox - Business and Dropbox Enterprise accounts are subject to your employer's - control. Your administrators may be able to access, disclose, restrict, - or remove information in or from your Dropbox Business or Dropbox - Enterprise account. They may also be able to restrict or terminate your - access to a Dropbox Business or Dropbox Enterprise account. If you - convert an existing Dropbox account into a Dropbox Business or Dropbox - Enterprise account, your administrators may prevent you from later - disassociating your account from the Dropbox Business or Dropbox - Enterprise account. + address provisioned by your organization, your organization may be able + to block your use of Dropbox until you transition to an account on a + Dropbox team (e.g., Dropbox Business plans or Dropbox Education) or you + associate your Dropbox account with a personal email address. + + Using Dropbox Teams. If you join a Dropbox team, you must use it in + compliance with your organization's terms and policies. Please note + that Dropbox team accounts are subject to your organization's control. + Your administrators may be able to access, disclose, restrict, or + remove information in or from your Dropbox team account. They may also + be able to restrict or terminate your access to a Dropbox team account. + If you convert an existing Dropbox account into part of a Dropbox team, + your administrators may prevent you from later disassociating your + account from the Dropbox team. Termination - You're free to stop using our Services at any time. We also reserve the - right to suspend or end the Services at any time at our discretion and - without notice. For example, we may suspend or terminate your use of - the Services if you're not complying with these Terms, or use the - Services in a manner that would cause us legal liability, disrupt the - Services or disrupt others' use of the Services. Except for Paid - Accounts, we reserve the right to terminate and delete your account if - you haven't accessed our Services for 12 consecutive months. We'll of - course provide you with notice via the email address associated with - your account before we do so. + You're free to stop using our Services at any time. We reserve the + right to suspend or terminate your access to the Services with notice + to you if: + + (a) you're in breach of these Terms, + + (b) you're using the Services in a manner that would cause a real risk + of harm or loss to us or other users, or + + (c) you don't have a Paid Account and haven't accessed our Services for + 12 consecutive months. + + We'll provide you with reasonable advance notice via the email address + associated with your account to remedy the activity that prompted us to + contact you and give you the opportunity to export Your Stuff from our + Services. If after such notice you fail to take the steps we ask of + you, we'll terminate or suspend your access to the Services. + + We won't provide notice before termination where: + + (a) you're in material breach of these Terms, + + (b) doing so would cause us legal liability or compromise our ability + to provide the Services to our other users, or + + (c) we're prohibited from doing so by law. + +Discontinuation of Services + + We may decide to discontinue the Services in response to unforeseen + circumstances beyond Dropbox's control or to comply with a legal + requirement. If we do so, we'll give you reasonable prior notice so + that you can export Your Stuff from our systems. If we discontinue + Services in this way before the end of any fixed or minimum term you + have paid us for, we'll refund the portion of the fees you have + pre-paid but haven't received Services for. Services "AS IS" @@ -165,28 +201,40 @@ Services "AS IS" Limitation of Liability - TO THE FULLEST EXTENT PERMITTED BY LAW, EXCEPT FOR ANY LIABILITY FOR - DROPBOX’S OR ITS AFFILIATES’ FRAUD, FRAUDULENT MISREPRESENTATION, OR - GROSS NEGLIGENCE, IN NO EVENT WILL DROPBOX, ITS AFFILIATES, SUPPLIERS - OR DISTRIBUTORS BE LIABLE FOR: + WE DON'T EXCLUDE OR LIMIT OUR LIABILITY TO YOU WHERE IT WOULD BE + ILLEGAL TO DO SO—THIS INCLUDES ANY LIABILITY FOR DROPBOX'S OR ITS + AFFILIATES' FRAUD OR FRAUDULENT MISREPRESENTATION IN PROVIDING THE + SERVICES. IN COUNTRIES WHERE THE FOLLOWING TYPES OF EXCLUSIONS AREN'T + ALLOWED, WE'RE RESPONSIBLE TO YOU ONLY FOR LOSSES AND DAMAGES THAT ARE + A REASONABLY FORESEEABLE RESULT OF OUR FAILURE TO USE REASONABLE CARE + AND SKILL OR OUR BREACH OF OUR CONTRACT WITH YOU. THIS PARAGRAPH + DOESN'T AFFECT CONSUMER RIGHTS THAT CAN'T BE WAIVED OR LIMITED BY ANY + CONTRACT OR AGREEMENT. - (A) ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR + IN COUNTRIES WHERE EXCLUSIONS OR LIMITATIONS OF LIABILITY ARE ALLOWED, + DROPBOX, ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WON'T BE LIABLE FOR: + + i. ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY OR CONSEQUENTIAL DAMAGES, OR - (B) ANY LOSS OF USE, DATA, BUSINESS, OR PROFITS, REGARDLESS OF LEGAL + ii. ANY LOSS OF USE, DATA, BUSINESS, OR PROFITS, REGARDLESS OF LEGAL THEORY. - THIS WILL BE REGARDLESS OF WHETHER OR NOT DROPBOX OR ANY OF ITS - AFFILIATES HAS BEEN WARNED OF THE POSSIBILITY OF SUCH DAMAGES, AND EVEN - IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE. + THESE EXCLUSIONS OR LIMITATIONS WILL APPLY REGARDLESS OF WHETHER OR NOT + DROPBOX OR ANY OF ITS AFFILIATES HAS BEEN WARNED OF THE POSSIBILITY OF + SUCH DAMAGES. - ADDITIONALLY, DROPBOX, ITS AFFILIATES, SUPPLIERS AND DISTRIBUTORS WILL - NOT BE LIABLE FOR AGGREGATE LIABILITY FOR ALL CLAIMS RELATING TO THE - SERVICES FOR MORE THAN THE GREATER OF $20 OR THE AMOUNTS PAID BY YOU TO - DROPBOX FOR THE PAST 12 MONTHS OF THE SERVICES IN QUESTION. + IF YOU USE THE SERVICES FOR ANY COMMERCIAL, BUSINESS OR RE-SALE + PURPOSE, DROPBOX, ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WILL HAVE + NO LIABILITY TO YOU FOR ANY LOSS OF PROFIT, LOSS OF BUSINESS, BUSINESS + INTERRUPTION, OR LOSS OF BUSINESS OPPORTUNITY. DROPBOX AND ITS + AFFILIATES AREN'T RESPONSIBLE FOR THE CONDUCT, WHETHER ONLINE OR + OFFLINE, OF ANY USER OF THE SERVICES. - Some places don't allow the types of limitations in this paragraph, so - they may not apply to you. + OTHER THAN FOR THE TYPES OF LIABILITY WE CANNOT LIMIT BY LAW (AS + DESCRIBED IN THIS SECTION), WE LIMIT OUR LIABILITY TO YOU TO THE + GREATER OF $20 USD OR 100% OF ANY AMOUNT YOU'VE PAID UNDER YOUR CURRENT + SERVICE PLAN WITH DROPBOX. Resolving Disputes @@ -203,33 +251,41 @@ Resolving Disputes will be brought in the federal or state courts of San Francisco County, California, subject to the mandatory arbitration provisions below. Both you and Dropbox consent to venue and personal jurisdiction in such - courts. + courts. If you reside in a country (for example, European Union member + states) with laws that give consumers the right to bring disputes in + their local courts, this paragraph doesn't affect those requirements. -IF YOU’RE A U.S. RESIDENT, YOU ALSO AGREE TO THE FOLLOWING MANDATORY +IF YOU'RE A U.S. RESIDENT, YOU ALSO AGREE TO THE FOLLOWING MANDATORY ARBITRATION PROVISIONS: We Both Agree To Arbitrate. You and Dropbox agree to resolve any claims relating to these Terms or the Services through final and binding - arbitration, except as set forth under Exceptions to Agreement to - Arbitrate below. + arbitration by a single arbitrator, except as set forth under + Exceptions to Agreement to Arbitrate below. This includes disputes + arising out of or relating to interpretation or application of this + "Mandatory Arbitration Provisions" section, including its + enforceability, revocability, or validity. Opt-out of Agreement to Arbitrate. You can decline this agreement to - arbitrate by [53]clicking here and submitting the opt-out form within - 30 days of first accepting these Terms. + arbitrate by [54]clicking here and submitting the opt-out form within + 30 days of first registering your account. However, if you agreed to a + previous version of these Terms that allowed you to opt out of + arbitration, your previous choice to opt out or not opt out remains + binding. - Arbitration Procedures. The [54]American Arbitration Association (AAA) + Arbitration Procedures. The [55]American Arbitration Association (AAA) will administer the arbitration under its Commercial Arbitration Rules and the Supplementary Procedures for Consumer Related Disputes. The arbitration will be held in the United States county where you live or work, San Francisco (CA), or any other location we agree to. Arbitration Fees and Incentives. The AAA rules will govern payment of - all arbitration fees. Dropbox will pay all arbitration fees for claims - less than $75,000. If you receive an arbitration award that is more - favorable than any offer we make to resolve the claim, we will pay you - $1,000 in addition to the award. Dropbox will not seek its attorneys' - fees and costs in arbitration unless the arbitrator determines that - your claim is frivolous. + all arbitration fees. Dropbox will pay all arbitration fees for + individual arbitration for claims less than $75,000. If you receive an + arbitration award that is more favorable than any offer we make to + resolve the claim, we will pay you $1,000 in addition to the award. + Dropbox will not seek its attorneys' fees and costs in arbitration + unless the arbitrator determines that your claim is frivolous. Exceptions to Agreement to Arbitrate. Either you or Dropbox may assert claims, if they qualify, in small claims court in San Francisco (CA) or @@ -247,13 +303,17 @@ ARBITRATION PROVISIONS: individual basis, and may not bring a claim as a plaintiff or a class member in a class, consolidated, or representative action. Class arbitrations, class actions, private attorney general actions, and - consolidation with other arbitrations aren't allowed. + consolidation with other arbitrations aren't allowed. If this specific + paragraph is held unenforceable, then the entirety of this "Mandatory + Arbitration Provisions" section will be deemed void. Controlling Law These Terms will be governed by California law except for its conflicts - of laws principles, unless otherwise required by a mandatory law of any - other jurisdiction. + of laws principles. However, some countries (including those in the + European Union) have laws that require agreements to be governed by the + local laws of the consumer's country. This paragraph doesn't override + those laws. Entire Agreement @@ -276,20 +336,36 @@ Waiver, Severability & Assignment Modifications - We may revise these Terms from time to time, and will always post the - most current version on our website. If a revision meaningfully reduces - your rights, we will notify you (by, for example, sending a message to - the email address associated with your account, posting on our blog or - on this page). By continuing to use or access the Services after the - revisions come into effect, you agree to be bound by the revised Terms. + We may revise these Terms from time to time to better reflect: + + (a) changes to the law, + + (b) new regulatory requirements, or + + (c) improvements or enhancements made to our Services. + + If an update affects your use of the Services or your legal rights as a + user of our Services, we'll notify you prior to the update's effective + date by sending an email to the email address associated with your + account or via an in-product notification. These updated terms will be + effective no less than 30 days from when we notify you. + + If you don't agree to the updates we make, please cancel your account + before they become effective. Where applicable, we'll offer you a + prorated refund based on the amounts you have prepaid for Services and + your account cancellation date. By continuing to use or access the + Services after the updates come into effect, you agree to be bound by + the revised Terms. If your organization signed a Dropbox Business or Dropbox Enterprise Agreement with Dropbox, that Agreement may have modified the privacy - policy below. Please [55]contact your organization’s Admin for details. + policy below. Please [56]contact your organization’s Admin for details. Dropbox Privacy Policy - Posted: February 12, 2016 + Posted: December 8, 2016 + + Effective: February 10, 2017 Thanks for using Dropbox! Here we describe how we collect, use and handle your information when you use our websites, software and @@ -301,64 +377,85 @@ What & Why protect our Services: Account. We collect, and associate with your account, information like - your name, email address, phone number, payment info, and physical - address. Some of our services let you access your accounts and your - information with other service providers. - - Services. When you use our Services, we store, process and transmit - your files (including stuff like your photos, [56]structured data and - emails) and information related to them (for example, location tags in - photos). If you give us access to your contacts, we'll store those - contacts on our servers for you to use. This will make it easy for you - to do things like share your stuff, send emails, and invite others to - use the Services. - - Usage. We collect information from and about the devices you use to + your name, email address, phone number, payment info, physical address, + and account activity. Some of our services let you access your accounts + and your information with other service providers. + + Services. Our Services are designed to make it simple for you to store + Your Stuff, collaborate with others, and work across multiple devices. + To make that possible, we store, process, and transmit Your Stuff—like + files, messages, comments, and photos—as well as information related to + it. This related information can be things like your [57]profile + information that makes it easier to collaborate and share Your Stuff + with others. Our Services provide you with different options for + sharing Your Stuff. + + You may choose to give us access to your contacts to make it easy for + you to do things like share and collaborate on Your Stuff, send + messages, and invite others to use the Services. If you do, we'll store + those contacts on our servers for you to use. + + Usage. We collect information related to how you use the Services, + including actions you take in your account (like sharing, editing, + viewing, and moving files or folders). This helps us provide you with + features like the "Events" page and version history. + + We also collect information from and about the devices you use to access the Services. This includes things like IP addresses, the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices. Your devices (depending on their settings) may also transmit location information to the Services. - Cookies and other technologies. We use technologies like [57]cookies + Cookies and other technologies. We use technologies like [58]cookies and pixel tags to provide, improve, protect and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Services. If our systems receive a DNT:1 signal from your - browser, we'll respond to that signal as outlined [58]here. + browser, we'll respond to that signal as outlined [59]here. With whom We may share information as discussed below, but we won't sell it to - advertisers or other third-parties. + advertisers or other third parties. Others working for Dropbox. Dropbox uses certain trusted third parties - to help us provide, improve, protect, and promote our Services. These - third parties will access your information only to perform tasks on our - behalf and in compliance with this Privacy Policy. - - Other users. Our Services display information like your name and email - address to other users in places like your user profile and sharing - notifications. Certain features let you make additional information - available to other users. + (for example, providers of customer support and IT services) to help us + provide, improve, protect, and promote our Services. These third + parties will access your information only to perform tasks on our + behalf in compliance with this Privacy Policy, and we'll remain + responsible for their handling of your information per our + instructions. + + Other users. Our Services display information like your name, profile + picture, and email address to other users in places like your user + profile and sharing notifications. When you register your Dropbox + account with an email address on a domain owned by your employer or + organization, we may help collaborators find you and your team by + making some of your basic information—like your name, team name, + profile picture, and email address—visible to other users on the same + domain. This helps us show you teams you can join, and helps other + users share files and folders with you. + + Certain features let you make additional information available to + others. Other applications. You can also give third parties access to your - information and account - for example, via [59]Dropbox APIs. Just + information and account - for example, via [60]Dropbox APIs. Just remember that their use of your information will be governed by their privacy policies and terms. - Dropbox Business and Dropbox Enterprise Admins. If you are a Dropbox - Business or Dropbox Enterprise user, your administrator may have the - ability to access and control your Dropbox Business or Dropbox - Enterprise account. Please refer to your employer's internal policies - if you have questions about this. If you are not a Dropbox Business - user but interact with a Dropbox Business or Dropbox Enterprise user - (by, for example, joining a shared folder or accessing stuff shared by - that user), members of that organization may be able to view the name, - email address and IP address that were associated with your account at - the time of that interaction. + Dropbox Team Admins. If you are a user of a Dropbox team (e.g., Dropbox + Business plans or Dropbox Education), your administrator may have the + ability to access and control your Dropbox team account. Please refer + to your organization's internal policies if you have questions about + this. If you are not a Dropbox team user but interact with a Dropbox + team user (by, for example, joining a shared folder or accessing stuff + shared by that user), members of that organization may be able to view + the name, email address, profile picture, and IP address that was + associated with your account at the time of that interaction. Law & Order. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply @@ -370,15 +467,20 @@ With whom embrace. We believe that our users' data should receive the same legal protections regardless of whether it's stored on our services or on their home computer's hard drive. We'll abide by the following - [60]Government Request Principles when receiving, scrutinizing and - responding to government requests for our users' data: + [61]Government Request Principles when receiving, scrutinizing and + responding to government requests (including national security + requests) for our users' data: * Be transparent, * Fight blanket requests, - * Protect all users, and + * Protect all users and * Provide trusted services. - Please visit our [61]Government Request Principles and [62]Transparency - Report for more detailed information. + We publish a [62]Transparency Report as part of our commitment to + informing users about when and how governments ask us for information. + This report details the types and numbers of requests we receive from + law enforcement. We encourage users to review our [63]Government + Request Principles and [64]Transparency Report for more detailed + information on our approach and response to government requests. How @@ -394,7 +496,8 @@ How might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our - agreements. + agreements. You can access your personal information by logging into + your Dropbox account. Learn more [65]here. Where @@ -404,26 +507,27 @@ Where may also be stored locally on the devices you use to access the Services. - Safe Harbor. Dropbox complies with the EU-U.S. and Swiss-U.S. Safe - Harbor ("Safe Harbor") frameworks and principles. We have certified our - compliance, and you can view our certifications [63]here. You can learn - more about Safe Harbor by visiting [64]http://export.gov/safeharbor. - JAMS is the independent organization responsible for reviewing and - resolving complaints about our Safe Harbor compliance. We ask that you - first submit any such complaints directly to us via - privacy@dropbox.com. If you aren't satisfied with our response, please - contact JAMS at - [65]http://www.jamsinternational.com/rules-procedures/safeharbor/file-s - afe-harbor-claim. - - NOTE: When transferring data from the European Union, the European - Economic Area, and Switzerland, Dropbox relies upon a variety of legal - mechanisms, including contracts with our users. Dropbox doesn’t rely - upon Safe Harbor as a legal basis for data transfer but does adhere to - the [66]Safe Harbor Privacy Principles while specific guidance for the - forthcoming EU-US Privacy Shield program is developed. For information - about data transfers from Europe to the United States, please visit - [67]this page. + EU-US Privacy Shield and US-Swiss Safe Harbor. When transferring data + from the European Union, the European Economic Area, and Switzerland, + Dropbox relies upon a variety of legal mechanisms, including contracts + with our users. Dropbox complies with the U.S.-Swiss Safe Harbor ("Safe + Harbor") framework and its principles. We also participate in the + EU-U.S. Privacy Shield Program ("Privacy Shield") and comply with its + framework and principles. You can find Dropbox's Safe Harbor + certification [66]here and our Privacy Shield certification [67]here. + You can also learn more about Privacy Shield at + [68]https://www.privacyshield.gov and Safe Harbor at + [69]http://2016.export.gov/safeharbor/swiss/. + + Dropbox is subject to oversight by the U.S. Federal Trade Commission. + JAMS is the US-based independent organization responsible for reviewing + and resolving complaints about our Privacy Shield and Safe Harbor + compliance — free of charge to you. We ask that you first submit any + such complaints directly to us via [70]privacyshield@dropbox.com. If + you aren't satisfied with our response, please contact JAMS at + [71]https://www.jamsadr.com/eu-us-privacy-shield. In the event your + concern still isn't addressed by JAMS, you may be entitled to a binding + arbitration under Privacy Shield and its principles. Changes @@ -440,267 +544,293 @@ Changes Contact Have questions or concerns about Dropbox, our Services and privacy? - Contact us at [68]privacy@dropbox.com. + Contact us at [72]privacy@dropbox.com. - This section of the agreement only applies to [69]Dropbox Business + This section of the agreement only applies to [73]Dropbox Business customers. If your organization signed a Dropbox Business or Dropbox Enterprise Agreement with Dropbox, that Agreement may be different from - the terms below. Please [70]contact your organization’s Admin for + the terms below. Please [74]contact your organization’s Admin for details. + Dropbox updated its Business Agreement on January 30th, 2017. [75]Click + here to view the previous version. + Dropbox Business Agreement - Posted: June 2, 2016 + Posted: 30 January 2017 This Dropbox Business Agreement (the "Agreement") is between Dropbox - Ireland if your organization is based outside of the United States, - Canada and Mexico ("North America") or, if your organization is based - in North America, with Dropbox, Inc., a Delaware corporation (each, - "Dropbox") and the organization agreeing to these terms ("Customer"). - This Agreement governs access to and use of the Dropbox Business client - software and services (together, "Dropbox Business"), as well as those - Beta Services that are made available to you (together, with Dropbox - Business, the "Services"). By clicking "I Agree," signing your contract - for the Services or using the Services, you agree to this Agreement as - a Customer. - - To the extent Dropbox, Inc. is, on behalf of Customer, processing - Customer Data that is subject to national laws implementing EU Data - Protection Directive (95/46/EC) ("EU Data Protection Laws"), then, by - clicking "I agree," you are also agreeing to the EU Standard - Contractual Clauses with Dropbox, Inc. for the transfer of personal - data to processors set forth in Schedule 1. - - If you are agreeing to this Agreement and Schedule 1 (if applicable) - for use of the Services by an organization, you are agreeing on behalf - of that organization. You must have the authority to bind that - organization to these terms, otherwise you must not sign up for the - Services. + International Unlimited Company if your organization is based outside + the United States, Canada and Mexico ("North America") or, if your + organization is based in North America, with Dropbox, Inc., a Delaware + corporation (each, "Dropbox") and the organization agreeing to these + terms ("Customer"). This Agreement governs access to and use of the + Services and Beta Services. By clicking "I agree," signing your + contract for the Services, or using the Services, you agree to this + Agreement as a Customer. + + To the extent that Dropbox, Inc. is, on behalf of the Customer, + processing Customer Data that is subject to EU Data Protection Laws, by + clicking "I agree", you are also agreeing to the EU Standard + Contractual Clauses, defined below, with Dropbox, Inc. for the transfer + of personal data to processors. + + If you are agreeing to this Agreement and, if applicable, the EU + Standard Contractual Clauses, for use of the Services by an + organization, you are agreeing on behalf of that organization. You must + have the authority to bind that organization to these terms, otherwise + you must not sign up for the Services. 1. Services. - a. Provision of Services. Customer and users of Customer's - Services account ("End Users") may access and use the Services - in accordance with this Agreement. - b. Facilities and Data Processing. Dropbox will use, at a - minimum, industry standard technical and organizational - security measures to transfer, store, and process Customer - Data. These measures are designed to protect the integrity of - Customer Data and guard against the unauthorized or unlawful - access to, use, and processing of Customer Data. Customer - agrees that Dropbox may transfer, store, and process Customer - Data in the United States and locations other than Customer's - country. To the extent that Customer Data is subject to EU - Data Protection Laws and is processed by Dropbox as a data - processor acting on Customer's behalf (as a data controller), - Dropbox will use and process such Customer Data as Customer - instructs in order to provide the Services and fulfil - Dropbox's obligations under the Agreement. "Customer Data" - means Stored Data and Account Data. "Stored Data" means the - files and structured data submitted to the Services by - Customer or End Users. "Account Data" means the account and - contact information submitted to the Services by Customer or - End Users. - c. Modifications to the Services. Dropbox may update the Services - from time to time. If Dropbox changes the Services in a manner - that materially reduces their functionality, Dropbox will - inform Customer via the email address associated with the - account. - d. Software. Some Services allow Customer to download Dropbox - software which may update automatically. Customer may use the - software only to access the Services. If any component of the - software is offered under an open source license, Dropbox will - make the license available to Customer and the provisions of - that license may expressly override some of the terms of this - Agreement. - e. Beta Services. Dropbox may provide features or products that - we are still testing and evaluating. These products and - features are identified as alpha, beta, preview, early access, - or evaluation (or words or phrases with similar meanings) - (collectively, "Beta Services"). Notwithstanding anything to - the contrary in this Agreement or in Schedule 1, the following - terms apply to all Beta Services: (a) you may use or decline - to use any Beta Services; (b) Beta Services may not be - supported and may be changed at any time without notice to - you; (c) Beta Services may not be as reliable or available as - Dropbox Business; (d) Beta Services have not been subjected to - the same security measures and auditing to which Dropbox - Business has been subjected; and (e) DROPBOX WILL HAVE NO - LIABILITY ARISING OUT OF OR IN CONNECTION WITH BETA - SERVICES—USE AT YOUR OWN RISK. + 1. Provision. This Agreement governs access to, and use of, the + Services and Software. Customer and End Users may access and + use the Services in accordance with this Agreement. + 2. Security Measures.. Dropbox will use, at a minimum, industry + standard technical and organizational security measures to + transfer, store, and process Customer Data. These measures are + designed to protect the integrity of Customer Data and guard + against the unauthorized or unlawful access to, use, and + processing of Customer Data. + 3. Data Processing and Transfer. + a. Data Processing. Dropbox and its Sub-processors will only + process Customer Data to provide the Services and to + fulfill Dropbox's obligations under the Agreement. + Sub-processors' processing activities will be restricted + to processing on Dropbox's behalf and in accordance with + Dropbox's instructions. Customer agrees that Dropbox and + its Sub-processors may transfer, store, and process + Customer Data in locations other than Customer's country. + b. EU-US Privacy Shield Program. Dropbox is certified and + complies with the EU-US Privacy Shield Program. If the + EU-US Privacy Shield Program is invalidated, Dropbox will + use commercially reasonable efforts to comply with the + resulting alternate or successor EU-US data transfer + mechanism. + c. EU Standard Contractual Clauses. To the extent Customer + Data is subject to EU Data Protection Laws and is + processed by Dropbox on Customer's behalf: (i) Dropbox + will use and process Customer Data as Customer instructs + in order to provide the Services and to fulfill Dropbox's + obligations under the Agreement; and (ii) Customer agrees + to the EU Standard Contractual Clauses with Dropbox, Inc. + for the transfer of personal data. The EU Standard + Contractual Clauses apply only to the Services and future + variations of the Services, but do not apply to Beta + Services or Excluded Features. + 4. Modifications. Dropbox may update the Services from time to + time. If Dropbox changes the Services in a manner that + materially reduces their functionality, Dropbox will notify + Customer at the email address associate with the account, and + Customer may provide notice within thirty days of the change + to terminate the Agreement. This termination right will not + apply to updates made to features provided on a beta or + evaluation basis. + 5. Software. + a. Generally. The Services allow Customer and End Users to + download Software that may update automatically. If any + component of the Software is offered under an open source + license, Dropbox will make the license available to + Customer and to the extent the provisions of that license + grant Customer additional rights, those provisions will + expressly override some terms of this Agreement with + respect to that component of the Software. + b. License. Dropbox hereby grants to Customer during the + Term a limited non-exclusive license to use the Software + solely in connection with the Services and in accordance + with this Agreement. This license is non-transferable + (subject to Section 12.8), irrevocable (except as set + forth in Section 7), non-sublicensable, and will be fully + paid up upon Customer's payment of the Fees. + 6. Customer Domains. Prior to providing the Services Dropbox may + require Customer to verify that Customer owns or controls the + Customer Domains. If Customer does not own or control the + Customer Domains, then Dropbox will have no obligation to + provide Customer with the Services. 2. Customer Obligations. - a. Compliance. Customer is responsible for use of the Services by - its End Users. Customer and its End Users must use the - Services in compliance with the [71]Acceptable Use Policy. - Customer will obtain from End Users any consents necessary to - allow Administrators to engage in the activities described in - this Agreement and to allow Dropbox to provide the Services. - Customer will comply with laws and regulations applicable to - Customer's use of the Services, if any. - b. Customer Administration of the Services. Customer may specify - End Users as "Administrators" through the administrative - console. Administrators may have the ability to access, - disclose, restrict or remove Customer Data in or from Services - accounts. Administrators may also have the ability to monitor, - restrict, or terminate access to Services accounts. Dropbox's - responsibilities do not extend to the internal management or - administration of the Services. Customer is responsible for: - (i) maintaining the confidentiality of passwords and - Administrator accounts; (ii) managing access to Administrator - accounts; and (iii) ensuring that Administrators' use of the - Services complies with this Agreement. Customer acknowledges - that if Customer purchases the Services through a reseller and - delegates any of such reseller's personnel as Administrators - of Customer's Services account, such reseller may be able to + 1. Customer Administration of the Services. Customer may specify + End Users as Administrators through the Admin Console. + Customer is responsible for maintaining the confidentiality of + passwords and Admin Accounts, and managing access to Admin + Accounts. Dropbox's responsibilities do not extend to the + internal management or administration of the Services for + Customer. The Customer acknowledges that, if the Customer + purchases the Services through a reseller and designates any + of the reseller's personnel as Administrators of the + Customer's Services account, the reseller may be able to control account information, including Customer Data, and - access Customer's Services account as further described above. - c. Unauthorized Use & Access. Customer will prevent unauthorized + access the Customer's Services account as described above. + 2. Unauthorized Use or Access. Customer will prevent unauthorized use of the Services by its End Users and terminate any - unauthorized use of or access to the Services. The Services - are not intended for End Users under the age of 13. Customer - will ensure that it does not allow any person under 13 to use - the Services. Customer will promptly notify Dropbox of any - unauthorized use of or access to the Services. - d. Restricted Uses. Customer will not (i) sell, resell, or lease - the Services; (ii) use the Services for activities where use - or failure of the Services could lead to physical damage, - death, or personal injury; or (iii) reverse engineer the - Services, nor attempt nor assist anyone else to do so, unless - this restriction is prohibited by law. - e. Third Party Requests. - i. "Third Party Request" means a request from a third party - for records relating to an End User's use of the Services - including information in or from an End User or - Customer's Services account. Third Party Requests may - include valid search warrants, court orders, or - subpoenas, or any other request for which there is - written consent from End Users permitting a disclosure. - ii. Customer is responsible for responding to Third Party - Requests via its own access to information. Customer will - seek to obtain information required to respond to Third - Party Requests and will contact Dropbox only if it cannot - obtain such information despite diligent efforts. - iii. Dropbox will make commercially reasonable efforts, to - the extent allowed by law and by the terms of the Third - Party Request, to: (A) promptly notify Customer of - Dropbox's receipt of a Third Party Request; (B) comply - with Customer's commercially reasonable requests - regarding its efforts to oppose a Third Party Request; - and (C) provide Customer with information or tools - required for Customer to respond to the Third Party - Request (if Customer is otherwise unable to obtain the - information). If Customer fails to promptly respond to - any Third Party Request, then Dropbox may, but will not - be obligated to do so. - 3. Third-Party Services. If Customer uses any third-party service - (e.g., a service that uses a Dropbox API) with the Services, (a) - Dropbox will not be responsible for any act or omission of the - third party, including the third party's access to or use of - Customer Data and (b) Dropbox does not warrant or support any - service provided by the third party. - 4. Suspension - a. Of End User Accounts by Dropbox. If an End User (i) violates - this Agreement or (ii) uses the Services in a manner that + unauthorized use of or access to the Services. End User + Accounts may only be provisioned, registered, and used by a + single End User. The Services are not intended for End Users + under the age of 13. Customer will ensure that it does not + allow any person under 13 to use the Services. Customer will + promptly notify Dropbox of any unauthorized use of or access + to the Services. + 3. Restrictions. Customer will not: (a) sell, resell, or lease + the Services or Software; (b) use the Services or Software for + activities where use or failure of the Services or Software + could lead to physical damage, death, or personal injury; (c) + reverse engineer the Services or Software, or attempt or + assist anyone else to do so, unless this restriction is + prohibited by law; or (d) use the Services or Software, + including the export or re-export of Customer Data, in + violation of Export Control Laws. + 4. Compliance. Customer and its End Users must use the Services + in compliance with the Acceptable Use Policy. Customer is + responsible for use of the Services by its End Users. Customer + will comply with laws and regulations applicable to Customer's + use of the Services, if any. Customer will obtain and maintain + from End Users any consents necessary to allow Administrators + to engage in the activities described in this Agreement and to + allow Dropbox to provide the Services. Customer will not + store, transmit or otherwise process any information via the + Services that falls within the definition of "Protected Health + Information" under the HIPAA Privacy Rule (45 C.F.R. Section + 164.051), unless Customer and Dropbox separately enter into a + HIPAA Business Associate Agreement, which may be done via the + Admin Console. + 5. Third-Party Apps and Integrations. If Customer uses any + third-party service or applications, such as a service that + uses a Dropbox API, with the Services: (a) Dropbox will not be + responsible for any act or omission of the third-party, + including the third-party's access to or use of Customer Data; + and (b) Dropbox does not warrant or support any service + provided by the third-party. + 6. Third-Party Requests. + a. Customer Responsibility. Customer is responsible for + responding to Third-Party Requests via its own access to + information. Customer will seek to obtain information + required to respond to Third-Party Requests and will + contact Dropbox only if it cannot obtain such information + despite diligent efforts. + b. Dropbox Responsibility. Dropbox will make commercially + reasonable efforts, to the extent allowed by law and by + the terms of the Third-Party Request, to: (i) promptly + notify Customer of Dropbox's receipt of a Third-Party + Request; (ii) comply with Customer's commercially + reasonable requests regarding its efforts to oppose a + Third-Party Request; and (iii) provide Customer with + information or tools required for Customer to respond to + the Third-Party Request, if Customer is otherwise unable + to obtain the information. If Customer fails to promptly + respond to any Third-Party Request, then Dropbox may, but + will not be obligated to do so. + 3. Payment. + 1. Fees. Customer will pay Dropbox or Customer's Reseller all + applicable Fees for the Services, in the currency indicated on + the Order Form. Customer authorizes Dropbox, or Customer's + reseller, to charge Customer for all applicable Fees using + Customer's selected payment method. Fees are non-refundable + except as required by law or as otherwise specifically + permitted in this Agreement. + 2. Payment. Customer will pay Dropbox invoices on the payment + interval set forth in the Order Form. Dropbox may suspend or + terminate the Services if Fees are past due. Customer will + provide complete and accurate billing and contact information + to Dropbox or to Customer's Reseller. + 3. Taxes. Fees are exclusive of taxes and Customer is responsible + for all Taxes. Dropbox, or Customer's reseller, will charge + Taxes when required to do so. If Customer provides Dropbox or + its reseller with a valid exemption certificate, Dropbox or + the reseller will not collect the taxes covered by that + certificate. + 4. Withholding Taxes. Customer will pay Dropbox or its reseller + net of any applicable Withholding Taxes. Customer and Dropbox, + or Customer's reseller as applicable, will work together to + avoid any Withholding Tax if exemptions, or a reduced treaty + withholding rate, are available. If Dropbox or Customer's + reseller qualifies for a tax exemption, or a reduced treaty + withholding rate, Dropbox or Customer's reseller will provide + Customer with reasonable documentary proof. Customer will + provide Dropbox or Customer's reseller reasonable evidence + that it has paid the relevant authority for the sum withheld + or deducted. + 5. Auto-renewals and Trials. IF THE CUSTOMER'S ACCOUNT IS SET TO + AUTO-RENEWAL OR IS IN A TRIAL PERIOD, DROPBOX (OR THE + CUSTOMER'S RESELLER) MAY CHARGE AUTOMATICALLY AT THE END OF + THE TRIAL OR FOR THE RENEWAL, UNLESS THE CUSTOMER NOTIFIES + DROPBOX (OR THE CUSTOMER'S RESELLER, AS APPLICABLE) THAT THE + CUSTOMER WANTS TO CANCEL OR DISABLE AUTO-RENEWAL. Dropbox may + revise Service rates by providing the Customer at least thirty + days' notice prior to the next charge. + 6. Purchase Orders. If Customer requires the use of a purchase + order or purchase order number, Customer: (i) must provide the + purchase order number at the time of purchase; and (ii) agrees + that any terms and conditions on a Customer purchase order + will not apply to this Agreement and are null and void. If the + Customer is purchasing via a reseller, any terms and + conditions from the Customer's reseller or in a purchase order + between the Customer and its reseller that conflict with the + Agreement are null and void. + 4. Suspension. + 1. Of End User Accounts by Dropbox. If an End User: (a) violates + this Agreement; or (b) uses the Services in a manner that Dropbox reasonably believes will cause it liability, then Dropbox may request that Customer suspend or terminate the applicable End User account. If Customer fails to promptly suspend or terminate the End User account, then Dropbox may do so. - b. Security Emergencies. Notwithstanding anything in this + 2. Security Emergencies. Notwithstanding anything in this Agreement, if there is a Security Emergency then Dropbox may automatically suspend use of the Services. Dropbox will make commercially reasonable efforts to narrowly tailor the suspension as needed to prevent or terminate the Security - Emergency. "Security Emergency" means: (i) use of the Services - that do or could disrupt the Services, other customers' use of - the Services, or the infrastructure used to provide the - Services and (ii) unauthorized third-party access to the - Services. + Emergency. 5. Intellectual Property Rights. - a. Reservation of Rights. Except as expressly set forth herein, - this Agreement does not grant (i) Dropbox any Intellectual - Property Rights in Customer Data or (ii) Customer any + 1. Reservation of Rights. Except as expressly set forth herein, + this Agreement does not grant: (a) Dropbox any Intellectual + Property Rights in Customer Data; or (b) Customer any Intellectual Property Rights in the Services or Dropbox - trademarks and brand features. "Intellectual Property Rights" - means current and future worldwide rights under patent, - copyright, trade secret, trademark, moral rights, and other - similar rights. - b. Limited Permission. Customer grants Dropbox only the limited - rights that are reasonably necessary for Dropbox to offer the - Services (e.g., hosting Stored Data). This permission also - extends to our affiliates and trusted third parties Dropbox - works with to offer the Services (e.g., payment provider used - to process payment of fees). - c. Suggestions. Dropbox may, at its discretion and for any - purpose, use, modify, and incorporate into its products and - services, license and sublicense, any feedback, comments, or - suggestions Customer or End Users send Dropbox or post in - Dropbox's forums without any obligation to Customer. - d. Customer List. Dropbox may include Customer's name in a list - of Dropbox customers on the Dropbox website or in promotional - materials. - 6. Fees & Payment. - a. Fees. Customer will pay, and authorizes Dropbox or Customer's - reseller to charge using Customer's selected payment method, - for all applicable fees. Fees are non-refundable except as - required by law. Customer is responsible for providing - complete and accurate billing and contact information to - Dropbox or Customer's reseller. Dropbox may suspend or - terminate the Services if fees are past due. - b. Auto Renewals and Trials. IF CUSTOMER'S ACCOUNT IS SET TO AUTO - RENEWAL OR IS IN A TRIAL PERIOD, DROPBOX (OR CUSTOMER'S - RESELLER) MAY AUTOMATICALLY CHARGE AT THE END OF THE TRIAL OR - FOR THE RENEWAL, UNLESS CUSTOMER NOTIFIES DROPBOX (OR - CUSTOMER'S RESELLER, AS APPLICABLE) THAT CUSTOMER WANTS TO - CANCEL OR DISABLE AUTO RENEWAL. Dropbox may revise Service - rates by providing Customer at least 30 days notice prior to - the next charge. - c. Taxes. Customer is responsible for all taxes. Dropbox or - Customer's reseller will charge tax when required to do so. If - Customer is required by law to withhold any taxes, Customer - must provide Dropbox or Customer's reseller with an official - tax receipt or other appropriate documentation. - d. Purchase Orders. If Customer requires the use of a purchase - order orpurchase order number, Customer (i) must provide the - purchase order number at the time of purchase and (ii) agrees - that any terms and conditions on a Customer purchase order - will not apply to this Agreement and are null and void. If - Customer is purchasing through a reseller, any terms and - conditions from Customer's reseller or in a purchase order - between Customer and its reseller that conflict with the - Dropbox Business Agreement are null and void. - 7. Term & Termination. - a. Term. This Agreement will remain in effect until Customer's - subscription to the Services expires or terminates, or until - the Agreement is terminated. - b. Termination for Breach. Either Dropbox or Customer may - terminate this Agreement if: (i) the other party is in + trademarks and brand features. + 2. Limited Permission. Customer grants Dropbox only the limited + rights that are reasonably necessary for Dropbox to provide + the Services. This limited permission also extends to + Subcontractors or Sub-processors. + 3. Suggestions. Dropbox may use, modify, and incorporate into its + products and services, license and sublicense, any feedback, + comments, or suggestions on the Services that Customer or End + Users may send Dropbox or post in Dropbox's forums without any + obligation to Customer. + 6. Term. + 1. Agreement Term. This Agreement will remain in effect for the + Term. + 2. Services Term. Dropbox will provide the Services to Customer + for the Services Term. Unless the parties agree otherwise in + writing, End User Accounts purchased during any Services Term + will have a prorated term ending on the last day of the + pre-existing Services Term. + 7. Termination. + 1. Generally. Either Party may terminate this Agreement, + including all Order Forms, if: (i) the other Party is in material breach of the Agreement and fails to cure that breach - within 30 days after receipt of written notice or (ii) the - other party ceases its business operations or becomes subject - to insolvency proceedings and the proceedings are not - dismissed within 90 days. - c. Effects of Termination. If this Agreement terminates: (i) the - rights granted by Dropbox to Customer will cease immediately - (except as set forth in this section); (ii) Dropbox may - provide Customer access to its account at then-current fees so - that Customer may export its Stored Data; and (iii) after a - commercially reasonable period of time, Dropbox may delete any - Stored Data relating to Customer's account. The following - sections will survive expiration or termination of this - Agreement: 2(e) (Third Party Requests), 5 (Intellectual - Property Rights), 6 (Fees & Payment), 7(c) (Effects of - Termination), 8 (Indemnification), 9 (Disclaimers), 10 - (Limitation of Liability), 11 (Disputes), and 12 - (Miscellaneous). + within thirty days after receipt of written notice; or (ii) + the other Party ceases its business operations or becomes + subject to insolvency proceedings and the proceedings are not + dismissed within ninety days. + 2. Effects of Termination. If this Agreement terminates: (a) + except as set forth in this Section, the rights and licenses + granted by Dropbox to Customer will cease immediately; (b) + Dropbox may, at Customer's request, provide Customer access to + its account at then-current fees so that Customer may export + its Customer Data; and (c) after a commercially reasonable + period of time, Dropbox may delete any Customer Data relating + to Customer's account. The following sections will survive + expiration or termination of this Agreement: 2.6 (Third Party + Requests), 3 (Payment), 5 (Intellectual Property Rights), 7.2 + (Effects of Termination), 8 (Indemnification), 9 + (Disclaimers), 10 (Limitation of Liability), 11 (Disputes), + and 12 (Miscellaneous). 8. Indemnification. - a. By Customer. Customer will indemnify, defend, and hold + 1. By Customer. Customer will indemnify, defend, and hold harmless Dropbox from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of any claim by a third party - against Dropbox and its affiliates regarding: (i) Customer - Data; (ii) Customer's use of the Services in violation of this - Agreement; or (iii) End Users' use of the Services in - violation of this Agreement. - b. By Dropbox. Dropbox will indemnify, defend, and hold harmless + against Dropbox and its Affiliates regarding: (a) Customer + Data; (b) Customer Domains; or (c) Customer's, or Customer's + End Users', use of the Services in violation of this + Agreement. + 2. By Dropbox. Dropbox will indemnify, defend, and hold harmless Customer from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of any claim by a third party against Customer to @@ -709,43 +839,56 @@ Dropbox Business Agreement misappropriates any copyright, trade secret, U.S. patent, or trademark right of the third party. In no event will Dropbox have any obligations or liability under this section arising - from: (i) use of any Services in a modified form or in - combination with materials not furnished by Dropbox and (ii) + from: (a) use of any Services in a modified form or in + combination with materials not furnished by Dropbox; and (b) any content, information, or data provided by Customer, End Users, or other third parties. - c. Possible Infringement. If Dropbox believes the Services - infringe or may be alleged to infringe a third party's - Intellectual Property Rights, then Dropbox may: (i) obtain the - right for Customer, at Dropbox's expense, to continue using - the Services; (ii) provide a non-infringing functionally - equivalent replacement; or (iii) modify the Services so that - they no longer infringe. If Dropbox does not believe the - options described in this section are commercially reasonable - then Dropbox may suspend or terminate Customer's use of the - affected Services (with a pro-rata refund of prepaid fees for - the Services). - d. General. The party seeking indemnification will promptly - notify the other party of the claim and cooperate with the - other party in defending the claim. The indemnifying party + 3. Possible Infringement. If Dropbox believes the Services or + Software infringe or may be alleged to infringe a third + party's Intellectual Property Rights, then Dropbox may: (a) + obtain the right for Customer, at Dropbox's expense, to + continue using the Services or Software; (b) provide a + non-infringing functionally equivalent replacement; or (c) + modify the Services or Software so that they no longer + infringe. If Dropbox does not believe the options described in + this section are commercially reasonable, then Dropbox may + suspend or terminate Customer's use of the affected Services + or Software, with a pro-rata refund of prepaid fees for the + Services or Software. + 4. General. The Party seeking indemnification will promptly + notify the other Party of the claim and cooperate with the + other Party in defending the claim. The indemnifying Party will have full control and authority over the defense, except - that: (i) any settlement requiring the party seeking + that: (a) any settlement requiring the Party seeking indemnification to admit liability requires prior written - consent, not to be unreasonably withheld or delayed and (ii) - the other party may join in the defense with its own counsel + consent, not to be unreasonably withheld or delayed; and (b) + the other Party may join in the defense with its own counsel at its own expense. THE INDEMNITIES ABOVE ARE DROPBOX AND CUSTOMER'S ONLY REMEDY UNDER THIS AGREEMENT FOR VIOLATION BY THE OTHER PARTY OF A THIRD PARTY'S INTELLECTUAL PROPERTY RIGHTS. - 9. Disclaimers. THE SERVICES ARE PROVIDED "AS IS." TO THE FULLEST - EXTENT PERMITTED BY LAW, EXCEPT AS EXPRESSLY STATED IN THIS - AGREEMENT, NEITHER CUSTOMER NOR DROPBOX AND ITS AFFILIATES, - SUPPLIERS, AND DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, WHETHER - EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OF - MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, OR NON-INFRINGEMENT. - CUSTOMER IS RESPONSIBLE FOR MAINTAINING AND BACKING UP ANY STORED - DATA. + 9. Disclaimers. + 1. Generally. THE SERVICES AND SOFTWARE ARE PROVIDED "AS IS." TO + THE FULLEST EXTENT PERMITTED BY LAW, EXCEPT AS EXPRESSLY + STATED IN THIS AGREEMENT, NEITHER CUSTOMER NOR DROPBOX AND ITS + AFFILIATES, SUPPLIERS, AND DISTRIBUTORS MAKE ANY WARRANTY OF + ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, + INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A + PARTICULAR USE, OR NON-INFRINGEMENT. CUSTOMER IS RESPONSIBLE + FOR USING THE SERVICES OR SOFTWARE IN ACCORDANCE WITH THE + TERMS SET FORTH HEREIN AND BACKING UP ANY STORED DATA ON THE + SERVICES. + 2. Beta Services. Despite anything to the contrary in this + Agreement: (a) Customer may choose to use Beta Services in its + sole discretion; (b) Beta Services may not be supported and + may be changed at any time without notice; (c) Beta Services + may not be as reliable or available as the Services; (d) Beta + Services have not been subjected to the same security measures + and auditing to which the Services have been subjected; and + (e) DROPBOX WILL HAVE NO LIABILITY ARISING OUT OF OR IN + CONNECTION WITH BETA SERVICES - USE AT YOUR OWN RISK. 10. Limitation of Liability. - a. Limitation on Indirect Liability. TO THE FULLEST EXTENT + 1. Limitation on Indirect Liability. TO THE FULLEST EXTENT PERMITTED BY LAW, EXCEPT FOR DROPBOX OR CUSTOMER'S INDEMNIFICATION OBLIGATIONS, NEITHER CUSTOMER NOR DROPBOX AND ITS AFFILIATES, SUPPLIERS, AND DISTRIBUTORS WILL BE LIABLE @@ -755,741 +898,226 @@ Dropbox Business Agreement WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE. - b. Limitation on Amount of Liability. TO THE FULLEST EXTENT + 2. Limitation on Amount of Liability. TO THE FULLEST EXTENT PERMITTED BY LAW, DROPBOX'S AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED THE LESSER OF $100,000 OR THE AMOUNT - PAID BY CUSTOMER FOR THE SERVICES HEREUNDER DURING THE TWELVE - MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY. + PAID BY CUSTOMER TO DROPBOX HEREUNDER DURING THE TWELVE MONTHS + PRIOR TO THE EVENT GIVING RISE TO LIABILITY. 11. Disputes. - a. Informal Resolution. Dropbox wants to address your concerns - without resorting to a formal legal case. Before filing a - claim, each party agrees to try to resolve the dispute by - contacting the other party through the notice procedures in - section 12(e). If a dispute is not resolved within 30 days of - notice, Customer or Dropbox may bring a formal proceeding. - b. Agreement to Arbitrate. Customer and Dropbox agree to resolve - any claims relating to this Agreement or the Services through - final and binding arbitration, except as set forth below. The - [72]American Arbitration Association (AAA) will administer the + 1. Informal Resolution. Before filing a claim, each Party agrees + to try to resolve the dispute by contacting the other Party + through the notice procedures in Section 12.6. If a dispute is + not resolved within thirty days of notice, Customer or Dropbox + may bring a formal proceeding. + 2. Arbitration. Customer and Dropbox agree to resolve any claims + relating to this Agreement or the Services through final and + binding arbitration, except as set forth below. The + [76]American Arbitration Association (AAA) will administer the arbitration under its Commercial Arbitration Rules. The arbitration will be held in San Francisco (CA), or any other location both parties agree to in writing. - c. Exception to Agreement to Arbitrate. Either party may bring a - lawsuit in the federal or state courts of San Francisco - County, California solely for injunctive relief to stop - unauthorized use or abuse of the Services or infringement of - Intellectual Property Rights without first engaging in the - informal dispute notice process described above. Both Customer - and Dropbox consent to venue and personal jurisdiction there. - d. NO CLASS ACTIONS. Customer may only resolve disputes with + 3. Exception to Arbitration. Either Party may bring a lawsuit in + the federal or state courts of San Francisco County, + California solely for injunctive relief to stop unauthorized + use or abuse of the Services or infringement of Intellectual + Property Rights without first engaging in the informal dispute + notice process described above. Both Customer and Dropbox + consent to venue and personal jurisdiction there. + 4. NO CLASS ACTIONS. Customer may only resolve disputes with Dropbox on an individual basis and will not bring a claim in a - class, consolidated, or representative action. Class - arbitrations, class actions, private attorney general actions, + class, consolidated or representative action. Class + arbitrations, class actions, private attorney general actions and consolidation with other arbitrations are not allowed. 12. Miscellaneous. - a. Terms Modification. Dropbox may revise this Agreement from + 1. Terms Modification. Dropbox may revise this Agreement from time to time and the most current version will always be posted on the Dropbox Business website. If a revision, in Dropbox's sole discretion, is material, Dropbox will notify Customer (by, for example, sending an email to the email address associated with the applicable account). Other revisions may be posted to Dropbox's blog or terms page, and - Customer is responsible for checking such postings regularly. + Customer is responsible for checking these postings regularly. By continuing to access or use the Services after revisions become effective, Customer agrees to be bound by the revised Agreement. If Customer does not agree to the revised Agreement - terms, Customer may terminate the Services within 30 days of - receiving notice of the change. - b. Entire Agreement. This Agreement, including Customer's invoice - and order form with Dropbox (if applicable), constitutes the - entire agreement between Customer and Dropbox with respect to - the subject matter of this Agreement and supersedes and - replaces any prior or contemporaneous understandings and - agreements, whether written or oral, with respect to the - subject matter of this Agreement. If there is a conflict + terms, Customer may terminate the Services within thirty days + of receiving notice of the change. + 2. Entire Agreement. This Agreement supersedes any prior + agreements or understandings between the Parties, and + constitutes the entire Agreement between the Parties related + to this subject matter. All attachments to the Agreement, + Customer invoices, and Order Forms executed by the Parties, + are hereby incorporated into the Agreement by this reference. + 3. Interpretation of Conflicting Terms. If there is a conflict between the documents that make up this Agreement, the - documents will control in the following order: the Dropbox - invoice, the Dropbox order form, the Agreement. - c. Governing Law. THE AGREEMENT WILL BE GOVERNED BY CALIFORNIA + documents will control in the following order: the invoice, + the Order Form, the Agreement. The terms and conditions of + this Agreement will be considered the confidential information + of Dropbox, and Customer will not disclose the information to + any third parties. Customer agrees that any terms and + conditions on a Customer purchase order will not apply to this + Agreement and are null and void. If End Users are required to + click through terms of service in order to use the Services, + those click through terms are subordinate to this Agreement + and this Agreement will control if there is a conflict. + 4. Governing Law. THE AGREEMENT WILL BE GOVERNED BY CALIFORNIA LAW EXCEPT FOR ITS CONFLICTS OF LAWS PRINCIPLES. - d. Severability. Unenforceable provisions will be modified to + 5. Severability. Unenforceable provisions will be modified to reflect the parties' intention and only to the extent necessary to make them enforceable, and the remaining provisions of the Agreement will remain in full effect. - e. Notice. Notices must be sent via first class, airmail, or - overnight courier and are deemed given when received. Notices - to Customer may also be sent to the applicable account email - address and are deemed given when sent. Notices to Dropbox - must be sent to Dropbox, Inc., P.O. Box 77767, San Francisco, - CA 94107, with a copy to the Legal Department. - f. Waiver. A waiver of any default is not a waiver of any + 6. Notice. Notices must be sent via email, first class, airmail, + or overnight courier and are deemed given when received. + Notices to Customer may also be sent to the applicable account + email address and are deemed given when sent. Notices to + Dropbox must be sent to Dropbox Legal at + [77]contractnotices@dropbox.com, with a copy to Dropbox, Inc., + P.O. Box 77767, San Francisco, CA 94107, attn.: Legal + Department. + 7. Waiver. A waiver of any default is not a waiver of any subsequent default. - g. Assignment. Customer may not assign or transfer this Agreement + 8. Assignment. Customer may not assign or transfer this Agreement or any rights or obligations under this Agreement without the written consent of Dropbox. Dropbox may not assign this Agreement without providing notice to Customer, except Dropbox may assign this Agreement or any rights or obligations under - this Agreement to an affiliate or in connection with a merger, + this Agreement to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets without providing notice. Any other attempt to transfer or assign is void. - h. No Agency. Dropbox and Customer are not legal partners or + 9. No Agency. Dropbox and Customer are not legal partners or agents, but are independent contractors. - i. Force Majeure. Except for payment obligations, neither Dropbox + 10. Subcontracting. Dropbox will remain liable for all acts or + omissions of its Subcontractors or Sub-processors, and for any + subcontracted obligations. + 11. Force Majeure. Except for payment obligations, neither Dropbox nor Customer will be liable for inadequate performance to the - extent caused by a condition that was beyond the party's + extent caused by a condition that was beyond the Party's reasonable control (for example, natural disaster, act of war or terrorism, riot, labor condition, governmental action, and Internet disturbance). - j. No Third-Party Beneficiaries. There are no third-party + 12. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement. Without limiting this section, a Customer's End Users are not third-party beneficiaries to Customer's rights under this Agreement. - k. Export Restrictions. The export and re-export of Customer Data - via the Services may be controlled by the United States Export - Administration Regulations or other applicable export - restrictions or embargo. The Services may not be used in Cuba, - Iran, North Korea, Sudan, or Syria or any country that is - subject to an embargo by the United States and Customer must - not use the Services in violation of any export restriction or - embargo by the United States or any other applicable - jurisdiction. In addition, Customer must ensure that the - Services are not provided to persons on the United States - Table of Denial Orders, the Entity List, or the List of - Specially Designated Nationals. - __________________________________________________________________ - -Schedule 1 - -Commission Decision C(2010)593 - -Standard Contractual Clauses (processors) - - For the purposes of Article 26(2) of Directive 95/46/EC for the - transfer of personal data to processors established in third countries - which do not ensure an adequate level of data protection - - Name of the data exporting organisation: The Customer that is a party - to the Dropbox Business Agreement with Dropbox Ireland - (the data exporter) - - And - - Name of the data importing organisation: Dropbox, Inc. - Address: 333 Brannan Street, San Francisco, CA 94107 USA - (the data importer) - - each a "party"; together "the parties", - - HAVE AGREED on the following Contractual Clauses (the Clauses) in order - to adduce adequate safeguards with respect to the protection of privacy - and fundamental rights and freedoms of individuals for the transfer by - the data exporter to the data importer of the personal data specified - in [73]Appendix 1. - -Clause 1 - -Definitions - - For the purposes of the Clauses: - a. 'personal data', 'special categories of data', - 'process/processing', 'controller', 'processor', 'data subject' and - 'supervisory authority' shall have the same meaning as in Directive - 95/46/EC of the European Parliament and of the Council of 24 - October 1995 on the protection of individuals with regard to the - processing of personal data and on the free movement of such - data^[74]1; - b. 'the data exporter' means the controller who transfers the personal - data; - c. 'the data importer' means the processor who agrees to receive from - the data exporter personal data intended for processing on his - behalf after the transfer in accordance with his instructions and - the terms of the Clauses and who is not subject to a third - country's system ensuring adequate protection within the meaning of - Article 25(1) of Directive 95/46/EC; - d. 'the subprocessor' means any processor engaged by the data importer - or by any other subprocessor of the data importer who agrees to - receive from the data importer or from any other subprocessor of - the data importer personal data exclusively intended for processing - activities to be carried out on behalf of the data exporter after - the transfer in accordance with his instructions, the terms of the - Clauses and the terms of the written subcontract; - e. 'the applicable data protection law' means the legislation - protecting the fundamental rights and freedoms of individuals and, - in particular, their right to privacy with respect to the - processing of personal data applicable to a data controller in the - Member State in which the data exporter is established; - f. 'technical and organisational security measures' means those - measures aimed at protecting personal data against accidental or - unlawful destruction or accidental loss, alteration, unauthorised - disclosure or access, in particular where the processing involves - the transmission of data over a network, and against all other - unlawful forms of processing. - -Clause 2 - -Details of the transfer - - The details of the transfer and in particular the special categories of - personal data where applicable are specified in Appendix 1 which forms - an integral part of the Clauses. - -Clause 3 - -Third-party beneficiary clause - - 1. The data subject can enforce against the data exporter this Clause, - Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) - and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party - beneficiary. - 2. The data subject can enforce against the data importer this Clause, - Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and - Clauses 9 to 12, in cases where the data exporter has factually - disappeared or has ceased to exist in law unless any successor - entity has assumed the entire legal obligations of the data - exporter by contract or by operation of law, as a result of which - it takes on the rights and obligations of the data exporter, in - which case the data subject can enforce them against such entity. - 3. The data subject can enforce against the subprocessor this Clause, - Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and - Clauses 9 to 12, in cases where both the data exporter and the data - importer have factually disappeared or ceased to exist in law or - have become insolvent, unless any successor entity has assumed the - entire legal obligations of the data exporter by contract or by - operation of law as a result of which it takes on the rights and - obligations of the data exporter, in which case the data subject - can enforce them against such entity. Such third-party liability of - the subprocessor shall be limited to its own processing operations - under the Clauses. - 4. The parties do not object to a data subject being represented by an - association or other body if the data subject so expressly wishes - and if permitted by national law. - -Clause 4 - -Obligations of the data exporter - - The data exporter agrees and warrants: - a. that the processing, including the transfer itself, of the personal - data has been and will continue to be carried out in accordance - with the relevant provisions of the applicable data protection law - (and, where applicable, has been notified to the relevant - authorities of the Member State where the data exporter is - established) and does not violate the relevant provisions of that - State; - b. that it has instructed and throughout the duration of the personal - data processing services will instruct the data importer to process - the personal data transferred only on the data exporter's behalf - and in accordance with the applicable data protection law and the - Clauses; - c. that the data importer will provide sufficient guarantees in - respect of the technical and organisational security measures - specified in [75]Appendix 2 to this contract; - d. that after assessment of the requirements of the applicable data - protection law, the security measures are appropriate to protect - personal data against accidental or unlawful destruction or - accidental loss, alteration, unauthorised disclosure or access, in - particular where the processing involves the transmission of data - over a network, and against all other unlawful forms of processing, - and that these measures ensure a level of security appropriate to - the risks presented by the processing and the nature of the data to - be protected having regard to the state of the art and the cost of - their implementation; - e. that it will ensure compliance with the security measures; - f. that, if the transfer involves special categories of data, the data - subject has been informed or will be informed before, or as soon as - possible after, the transfer that its data could be transmitted to - a third country not providing adequate protection within the - meaning of Directive 95/46/EC; - g. to forward any notification received from the data importer or any - subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data - protection supervisory authority if the data exporter decides to - continue the transfer or to lift the suspension; - h. to make available to the data subjects upon request a copy of the - Clauses, with the exception of Appendix 2, and a summary - description of the security measures, as well as a copy of any - contract for subprocessing services which has to be made in - accordance with the Clauses, unless the Clauses or the contract - contain commercial information, in which case it may remove such - commercial information; - i. that, in the event of subprocessing, the processing activity is - carried out in accordance with Clause 11 by a subprocessor - providing at least the same level of protection for the personal - data and the rights of data subject as the data importer under the - Clauses; and - j. that it will ensure compliance with Clause 4(a) to (i). - -Clause 5 - -Obligations of the data importer^[76]2 - - The data importer agrees and warrants: - a. to process the personal data only on behalf of the data exporter - and in compliance with its instructions and the Clauses; if it - cannot provide such compliance for whatever reasons, it agrees to - inform promptly the data exporter of its inability to comply, in - which case the data exporter is entitled to suspend the transfer of - data and/or terminate the contract; - b. that it has no reason to believe that the legislation applicable to - it prevents it from fulfilling the instructions received from the - data exporter and its obligations under the contract and that in - the event of a change in this legislation which is likely to have a - substantial adverse effect on the warranties and obligations - provided by the Clauses, it will promptly notify the change to the - data exporter as soon as it is aware, in which case the data - exporter is entitled to suspend the transfer of data and/or - terminate the contract; - c. that it has implemented the technical and organisational security - measures specified in Appendix 2 before processing the personal - data transferred; - d. that it will promptly notify the data exporter about: - i. any legally binding request for disclosure of the personal - data by a law enforcement authority unless otherwise - prohibited, such as a prohibition under criminal law to - preserve the confidentiality of a law enforcement - investigation, - ii. any accidental or unauthorised access, and - iii. any request received directly from the data subjects without - responding to that request, unless it has been otherwise - authorised to do so; - e. to deal promptly and properly with all inquiries from the data - exporter relating to its processing of the personal data subject to - the transfer and to abide by the advice of the supervisory - authority with regard to the processing of the data transferred; - f. at the request of the data exporter to submit its data processing - facilities for audit of the processing activities covered by the - Clauses which shall be carried out by the data exporter or an - inspection body composed of independent members and in possession - of the required professional qualifications bound by a duty of - confidentiality, selected by the data exporter, where applicable, - in agreement with the supervisory authority; - g. to make available to the data subject upon request a copy of the - Clauses, or any existing contract for subprocessing, unless the - Clauses or contract contain commercial information, in which case - it may remove such commercial information, with the exception of - Appendix 2 which shall be replaced by a summary description of the - security measures in those cases where the data subject is unable - to obtain a copy from the data exporter; - h. that, in the event of subprocessing, it has previously informed the - data exporter and obtained its prior written consent; - i. that the processing services by the subprocessor will be carried - out in accordance with Clause 11; - j. to send promptly a copy of any subprocessor agreement it concludes - under the Clauses to the data exporter. - -Clause 6 - -Liability - - 1. The parties agree that any data subject, who has suffered damage as - a result of any breach of the obligations referred to in Clause 3 - or in Clause 11 by any party or subprocessor is entitled to receive - compensation from the data exporter for the damage suffered. - 2. If a data subject is not able to bring a claim for compensation in - accordance with paragraph 1 against the data exporter, arising out - of a breach by the data importer or his subprocessor of any of - their obligations referred to in Clause 3 or in Clause 11, because - the data exporter has factually disappeared or ceased to exist in - law or has become insolvent, the data importer agrees that the data - subject may issue a claim against the data importer as if it were - the data exporter, unless any successor entity has assumed the - entire legal obligations of the data exporter by contract of by - operation of law, in which case the data subject can enforce its - rights against such entity. - The data importer may not rely on a breach by a subprocessor of its - obligations in order to avoid its own liabilities. - 3. If a data subject is not able to bring a claim against the data - exporter or the data importer referred to in paragraphs 1 and 2, - arising out of a breach by the subprocessor of any of their - obligations referred to in Clause 3 or in Clause 11 because both - the data exporter and the data importer have factually disappeared - or ceased to exist in law or have become insolvent, the - subprocessor agrees that the data subject may issue a claim against - the data subprocessor with regard to its own processing operations - under the Clauses as if it were the data exporter or the data - importer, unless any successor entity has assumed the entire legal - obligations of the data exporter or data importer by contract or by - operation of law, in which case the data subject can enforce its - rights against such entity. The liability of the subprocessor shall - be limited to its own processing operations under the Clauses. - -Clause 7 - -Mediation and jurisdiction - - 1. The data importer agrees that if the data subject invokes against - it third-party beneficiary rights and/or claims compensation for - damages under the Clauses, the data importer will accept the - decision of the data subject: - a. to refer the dispute to mediation, by an independent person - or, where applicable, by the supervisory authority; - b. to refer the dispute to the courts in the Member State in - which the data exporter is established. - 2. The parties agree that the choice made by the data subject will not - prejudice its substantive or procedural rights to seek remedies in - accordance with other provisions of national or international law. - -Clause 8 - -Cooperation with supervisory authorities - - 1. The data exporter agrees to deposit a copy of this contract with - the supervisory authority if it so requests or if such deposit is - required under the applicable data protection law. - 2. The parties agree that the supervisory authority has the right to - conduct an audit of the data importer, and of any subprocessor, - which has the same scope and is subject to the same conditions as - would apply to an audit of the data exporter under the applicable - data protection law. - 3. The data importer shall promptly inform the data exporter about the - existence of legislation applicable to it or any subprocessor - preventing the conduct of an audit of the data importer, or any - subprocessor, pursuant to paragraph 2. In such a case the data - exporter shall be entitled to take the measures foreseen in Clause - 5 (b). - -Clause 9 - -Governing Law - - The Clauses shall be governed by the law of the Member State in which - the data exporter is established. - -Clause 10 - -Variation of the contract - - The parties undertake not to vary or modify the Clauses. This does not - preclude the parties from adding clauses on business related issues - where required as long as they do not contradict the Clause. - -Clause 11 - -Subprocessing - - 1. The data importer shall not subcontract any of its processing - operations performed on behalf of the data exporter under the - Clauses without the prior written consent of the data exporter. - Where the data importer subcontracts its obligations under the - Clauses, with the consent of the data exporter, it shall do so only - by way of a written agreement with the subprocessor which imposes - the same obligations on the subprocessor as are imposed on the data - importer under the Clauses^[77]3. Where the subprocessor fails to - fulfil its data protection obligations under such written agreement - the data importer shall remain fully liable to the data exporter - for the performance of the subprocessor's obligations under such - agreement. - 2. The prior written contract between the data importer and the - subprocessor shall also provide for a third-party beneficiary - clause as laid down in Clause 3 for cases where the data subject is - not able to bring the claim for compensation referred to in - paragraph 1 of Clause 6 against the data exporter or the data - importer because they have factually disappeared or have ceased to - exist in law or have become insolvent and no successor entity has - assumed the entire legal obligations of the data exporter or data - importer by contract or by operation of law. Such third-party - liability of the subprocessor shall be limited to its own - processing operations under the Clauses. - 3. The provisions relating to data protection aspects for - subprocessing of the contract referred to in paragraph 1 shall be - governed by the law of the Member State in which the data exporter - is established. - 4. The data exporter shall keep a list of subprocessing agreements - concluded under the Clauses and notified by the data importer - pursuant to Clause 5 (j), which shall be updated at least once a - year. The list shall be available to the data exporter's data - protection supervisory authority. - -Clause 12 - - Obligation after the termination of personal data processing services - 1. The parties agree that on the termination of the provision of data - processing services, the data importer and the subprocessor shall, - at the choice of the data exporter, return all the personal data - transferred and the copies thereof to the data exporter or shall - destroy all the personal data and certify to the data exporter that - it has done so, unless legislation imposed upon the data importer - prevents it from returning or destroying all or part of the - personal data transferred. In that case, the data importer warrants - that it will guarantee the confidentiality of the personal data - transferred and will not actively process the personal data - transferred anymore. - 2. The data importer and the subprocessor warrant that upon request of - the data exporter and/or of the supervisory authority, it will - submit its data processing facilities for an audit of the measures - referred to in paragraph 1. - -Additional Provisions - - Capitalised terms used in Sections A to C and the Appendices but not - defined in the Clauses shall have the meaning provided in the Dropbox - Business Agreement between the data exporter and Dropbox Ireland. - A. Security Audit. The data importer maintains ISO/IEC 27001:2013 and - ISO/IEC 27018:2014 certifications, which are issued by an - independent third party auditor. The data importer will continue to - undergo regular ISO/IEC 27001:2013 and ISO/IEC 27018 audits - necessary for maintaining such certifications for the Services - during the Term. The data importer also regularly undergoes Service - Organization Control 2 (SOC 2) Type II audits. Subject to the data - importer's confidentiality obligations and no more than once a - year, the data importer will provide the data exporter with a copy - of the SOC 2 Type II Report upon written request. The data importer - will make new SOC 2 reports available as they are completed subject - to the data importer's confidentiality requirements. The data - importer regularly reviews its third party subservice - organizations, which undergo Standards for Attestation Engagements - No. 16 (SSAE 16) / International Standard on Assurance Engagements - No. 3402 (ISAE 3402) Service Organization Control 1 (SOC 1) Type II - or Service Organization Control 2 (SOC 2) Type II audits that - evaluate the design and effectiveness of their security policies, - procedures, and controls. - The data exporter agrees that the data importer's obligations set - forth in this Section A fully satisfy the audit rights under Clause - 5(f) and Clause 12 (2) of the Clauses. - B. Sub-processing. The data importer may engage other companies to - provide limited parts of the Services (including support services) - on the data importer's behalf, and the data exporter consents to - the data importer subcontracting the processing of personal data to - such sub-processors as described in the Clauses. The data importer - will ensure that any sub-processor will only access and use - personal data to provide the Services as set forth in a written - agreement between the data importer and the sub-processor. The data - exporter acknowledges that any requirements applicable to the data - importer under the Clauses in respect of agreements with - sub-processors shall be satisfied in full provided that the - sub-processing agreement between the data importer and the - sub-processor provides at least the level of data protection - required under the Dropbox Business Agreement. - C. Liability. The Clauses shall be subject to the limitations and - exclusions of liability contained in the "Limitation of Liability" - section of the Dropbox Business Agreement, such that the total - liability of the data importer and Dropbox Ireland, in aggregate, - shall not exceed the limitations set out in the Dropbox Business - Agreement. For the avoidance of doubt, the data exporter shall not - be entitled to recover from both the data importer and Dropbox - Ireland in respect of the same loss. - __________________________________________________________________ - -Appendix 1 to the Standard Contractual Clauses - - This Appendix forms part of the Clauses and must be completed and - signed by the parties. - - The Member States may complete or specify, according to their national - procedures, any additional necessary information to be contained in - this Appendix. - -Data exporter - - The data exporter is (please specify briefly your activities relevant - to the transfer): - - The Customer to the Dropbox Business Agreement with Dropbox Ireland. - -Data importer - - The data importer is (please specify briefly activities relevant to the - transfer): - - Dropbox, Inc., a global provider of cloud services for individuals and - business. Dropbox, Inc., and its affiliates provide a website, software - and mobile applications that allow people to store files, synchronize - files across multiple devices, and collaborate with others. Dropbox, - Inc.'s service may also be accessed by Application Programming - Interfaces (APIs). - -Data subjects - - The personal data transferred concern the following categories of data - subjects (please specify): - - The data exporter and data exporter's affiliates' end users including - employees, consultants and contractors of the data exporter, as well as - any individuals collaborating or sharing with these end users using the - services provided by data importer. - -Categories of data - - The personal data transferred concern the following categories of data - (please specify): - - End users identifying information and organization data (both on-line - and off-line) as well as documents, images and other content or data in - electronic form stored or transmitted by end users via data importer's - services. - -Processing operations - - The personal data transferred will be subject to the following basic - processing activities (please specify): - - The data importer or its sub-processors will use and process personal - data and the data exporter instructs the data importer to use and - process personal data in order to provide the Services under the - Dropbox Business Agreement. - __________________________________________________________________ - -Appendix 2 to the Standard Contractual Clauses - - This Appendix forms part of the Clauses and must be completed and - signed by the parties. - - Description of the technical and organisational security measures - implemented by the data importer in accordance with Clauses 4(d) and - 5(c) (or document/legislation attached): - -Data Privacy Contact - - The data privacy officer of the data importer can be reached at - privacy@dropbox.com - -Security Measures - - The data importer has implemented and will maintain appropriate - administrative, technical and physical safeguards to protect personal - data as further described in the Dropbox for Business Security - Whitepaper (available as of the Effective Date at: - [78]https://www.dropbox.com/…/Security_Whitepaper.pdf) and additionally - set forth below. The data importer may update these security measures - from time to time, with the most recent version available at the above - URL (or other URL as communicated by data importer), provided however - that data importer will notify data exporter if data importer updates - the security measures in a manner that materially diminishes the - administrative, technical or physical security features described - therein or in this Appendix 2. - 1. Service Security - 1. Dropbox Architecture. The data importer's service is designed - with multiple layers of protection, covering data transfer, - encryption, network configuration and application-level - controls that are distributed across a scalable, secure - infrastructure. End users of data importer's service can - access files and folders at any time from the desktop, web and - mobile clients. All of these clients connect to secure - services to provide access to files, allow file sharing with - others, and update linked devices when files are added, - changed or deleted. The service can be utilized and accessed - through a number of interfaces. Each has security settings and - features that process and protect the data while ensuring ease - of access. - 2. Reliability. The data importer's service is developed with - multiple layers of redundancy to guard against data loss and - ensure availability. - 3. Encryption. To protect the data in transit between the data - exporter and data importer, data importer uses Secure Sockets - Layer (SSL)/Transport Layer Security (TLS) for data transfer, - creating a secure tunnel protected by 128-bit or higher - Advanced Encryption Standard (AES) encryption. File data at - rest is encrypted using 256-bit AES encryption. The data - importer's encryption key management infrastructure is - designed with operational, technical and procedural security - controls with very limited direct access to keys. Encryption - key generation, exchange and storage are distributed for - decentralized processing. - 4. User Management Features. End users of data importer's service - have the ability to restore lost files and recover previous - versions of files, ensuring changes to those files can be - tracked and retrieved. The data importer's service allows for - the use of a two-step authentication procedure which adds an - extra layer of protection. - 5. Data Centers. The data importer's corporate and production - systems are housed at third-party subservice organization data - centers located in the United States. The data importer - reviews all subservice organization data center Service - Organization Control (SOC) 1 and/or SOC 2 reports at a minimum - annually for sufficient security controls. - 2. Information Security. - 1. Policies. The data importer has established a thorough set of - security policies covering areas of information security, - physical security, incident response, logical access, physical - production access, change management and support. These - policies are reviewed and approved at least annually. The data - importer personnel are notified of updates to these policies - and are provided security training. - 2. Personnel Policy and Access. The data importer's internal - policies require onboarding procedures that include background - checks (as allowed by local laws), security policy - acknowledgement, communicating updates to security policy, and - non-disclosure agreements. All personnel access is promptly - removed when an employee or contractor leaves the company. The - data importer employs technical access controls and internal - policies to prohibit employees or contractors from arbitrarily - accessing file data and to restrict access to metadata and - other information about end users' accounts. In order to - protect end user privacy and security, only a small number of - employees or contractors have access to the environment where - end user files are stored. A record of access request, - justification and approval are recorded by management and - access is granted by appropriate individuals. - 3. Network Security. The data importer maintains network security - and monitoring techniques that are designed to provide - multiple layers of protection and defense. The data importer - employs industry-standard protection techniques, including - firewalls, network security monitoring, and intrusion - detection systems to ensure only eligible traffic is able to - reach data importer's infrastructure. - 4. Change Management. The data importer ensures that - security-related changes have been authorized prior to - implementation into the production environments. Source code - changes are initiated by developers that would like to make an - enhancement to a data importer application or service. Changes - to data importer's infrastructure are restricted to authorized - personnel only. Changes to the application level of the - services are required to go through automated quality - assurance ("QA") testing procedures to verify that security - requirements are met. Successful completion of QA procedures - leads to implementation of the change. - 5. Compliance. The data importer, its data center providers, and - its managed service provider undergo regular security audits - which are performed by an independent third party. The data - importer will continue to participate in regular ISO/IEC - 27001:2013 and ISO/IEC 27018:2014 audits. Data importer also - reviews SOC 1 and/or SOC 2 reports for all subservice - organizations. In the event a subservice organization's SOC 1 - and/or SOC 2 report is unavailable, data importer performs - security site visits to verify applicable physical, - environmental, and operational security controls satisfy - control criteria and contractual requirements. The data - importer evaluates additional certifications and compliance - attestations, as made available to data importer by the - subservice providers, on an ongoing basis. - 3. Physical Security - 1. Infrastructure. Physical access to subservice organization - facilities where production systems reside are restricted to - personnel authorized by data importer, as required to perform - their job function. Any individuals requiring additional - access to production environment facilities are granted that - access through explicit approval by appropriate management. - 2. Office. The data importer maintains a physical security team - that is responsible for enforcing physical security policy and - overseeing the security of data importer's corporate offices. - Access to areas containing corporate services is restricted to - authorized personnel via elevated roles granted through the - badge access system. - __________________________________________________________________ - -Footnotes - - 1. Parties may reproduce definitions and meanings contained in - Directive 95/46/EC within this Clause if they considered it better - for the contract to stand alone. [79]↩ - 2. Mandatory requirements of the national legislation applicable to - the data importer which do not go beyond what is necessary in a - democratic society on the basis of one of the interests listed in - Article 13(1) of Directive 95/46/EC, that is, if they constitute a - necessary measure to safeguard national security, defence, public - security, the prevention, investigation, detection and prosecution - of criminal offences or of breaches of ethics for the regulated - professions, an important economic or financial interest of the - State or the protection of the data subject or the rights and - freedoms of others, are not in contradiction with the standard - contractual clauses. Some examples of such mandatory requirements - which do not go beyond what is necessary in a democratic society - are, inter alia, internationally recognised sanctions, - tax-reporting requirements or anti-money-laundering reporting - requirements. [80]↩ - 3. This requirement may be satisfied by the subprocessor co-signing - the contract entered into between the data exporter and the data - importer under this Decision. [81]↩ + 13. Definitions. + + "Acceptable Use Policy" means the Dropbox acceptable use + policy set forth at the following link, or other link that + Dropbox may provide: + [78]https://www.dropbox.com/terms#acceptable_use. + + "Account Data" means the account and contact information + submitted to the Services by Customer or End Users. + + "Administrator" means the Customer-designated technical End + User who administers the Services to End Users on Customer's + behalf. Administrators may be able to access, disclose, + restrict or remove Customer Data in or from End User Accounts. + Administrators may also have the ability to monitor, restrict, + or terminate access to End User Accounts. + + "Admin Account" means the administrative account provided to + Customer by Dropbox for the purpose of administering the + Services. + + "Admin Console" means the online tool provided by Dropbox to + Customer for use in administering the Services. + + "Affiliate" means any entity that controls, is controlled by + or is under common control with a Party, where "control" means + the ability to direct the management and policies of an + entity. + + "Beta Services" means services or features identified as + alpha, beta, preview, early access, or evaluation, or words or + phrases with similar meanings. + + "Customer Data" means Stored Data, Account Data, and messages, + comments, structured data, photos, and other content submitted + to the Services by Customer or End Users. + + "Customer Domains" means Customer's Internet domain names. + + "Effective Date" means the date this Agreement is accepted by + Customer. + + "End Users" means users of Customer's Services account. End + Users may include Customer's and its Affiliate's employees and + consultants. + + "End User Account" means a Dropbox hosted account established + by Customer through the Services for an End User. + + "EU Data Protection Laws" means those laws implementing EU + Data Protection Directive (95/46/EC). + + "EU-US Privacy Shield Program" means the EU-U.S. Privacy + Shield Program framework and its principles as set forth by + the US Department of Commerce and the European Commission + regarding the collection, use, and retention of personal data + from EU member states. + + "EU Standard Contractual Clauses" means the EU Standard + Contractual Clauses with Dropbox, Inc. for the transfer of + personal data to processors set forth at the following link: + [79]https://assets.dropbox.com/documents/en-us/legal/eu-standa + rd-clauses-dfb-011017.pdf or other link that Dropbox may + provide. + + "Excluded Features" means services or features listed here + [80]https://assets.dropbox.com/documents/en-us/legal/dfb-servi + ces-exceptions.pdf, which list may be updated from time to + time by Dropbox, provided that non-Beta features incorporated + in the Services as of the Effective Date will not be + transitioned to the Excluded Features list during the Term. + + "Export Control Laws" means all applicable export and + re-export control laws and regulations, including the Export + Administration Regulations ("EAR<") maintained by the U.S. + Department of Commerce, trade and economic sanctions + maintained by the Treasury Department's Office of Foreign + Assets Control, and the International Traffic in Arms + Regulations ("ITAR") maintained by the Department of State. + + "Fees" means the amounts invoiced to Customer by Dropbox for + the Services as described on the Order Form. + + "Initial Services Term" means the term for the applicable + Services beginning on the Provisioning Date and continuing for + the duration set forth on the Order Form. + + "Intellectual Property Rights" means current and future + worldwide rights under patent, copyright, trade secret, + trademark, moral rights, and other similar rights. + + "Order Form" means the ordering document, or ordering page, + for the Services. + + "Provisioning Date" is the date upon which Dropbox makes the + Services available to Customer. + + "Renewal Term" means, unless otherwise agreed to in writing by + the Parties, the twelve-month renewal term following either + the Services Initial Term, or a previous Renewal Term. Renewal + Terms are set forth on the Order Form. + + "Security Emergency" means: (i) use of the Services that do or + could disrupt the Services, other customers' use of the + Services, or the infrastructure used to provide the Services; + or (ii) unauthorized third-party access to the Services. + + "Services" means the services ordered by Customer and provided + by Dropbox to Customer, which are described at + [81]https://www.dropbox.com/business, or other link that + Dropbox may provide. + + "Services Term" means the Initial Services Term and all + Renewal Terms for the applicable Services. + + "Software" means the client software provided as part of the + Services. + + "Stored Data" means the files uploaded to the Services using + the Software by Customer or End Users. + + "Subcontractor" means an entity to whom Dropbox subcontracts + any of its obligations under this Agreement. + + "Sub-processor" means an entity who agrees to process Stored + Data on Dropbox's behalf, or on behalf of another Dropbox + sub-processor, in order to provide the Services. + + "Taxes" means any sales, use, value added, goods and services, + consumption, excise, local stamp, or other tax, (including but + not limited to ISS, CIDE, PIS, CONFINS), duty or other charge + of any kind or nature excluding tax that is based on Dropbox's + net income, associated with the Services or Software, + including any related penalties or interest. + + "Term" means the term of the Agreement, which will begin on + the Effective Date and continue until the earlier of: (i) the + end of the Services Term; or (ii) the Agreement is terminated + as set forth herein. + + "Third-Party Request" means a request from a third-party for + records relating to an End User's use of the Services + including information in or from an End User Account, or from + Customer's Services account. Third-Party Requests may include + valid search warrants, court orders, or subpoenas, or any + other request for which there is written consent from End + Users, or an End User's authorized representative, permitting + a disclosure. + + "Withholding Taxes" mean any Taxes Customer is required by law + to withhold, which are then imposed on Dropbox, or Customer's + reseller, as applicable. Dropbox DMCA Policy @@ -1544,8 +1172,7 @@ Dropbox DMCA Policy Dropbox Inc. 333 Brannan Street San Francisco, CA 94107 - [83]copyright@dropbox.com - [84]Submit DMCA notice + [83]Submit DMCA notice Dropbox Acceptable Use Policy |