Brightpearl Terms of Service

These terms govern the use of the Services and are an agreement between you and us.

1.Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with, the subject entity, where “control” is the direct or indirect ownership or control of at least a majority of the voting rights in the entity, or otherwise the power to direct the management and policies of the entity. An entity is an Affiliate only so long as such control continues.

“Agreement” means these terms, your Order(s), any Statement(s) of Work between you and us, the Data Protection Addendum, Privacy Notice and any attachments, schedules, exhibits and annexes hereto or to an or a Statement of Work.

“API” means the application programming interface made available by Sage to you which facilitates the incorporation of certain aspects of the Services into your existing software and systems.

“Customer Data” means the data, information or material provided, inputted or submitted by Users, or otherwise on your behalf, into the Services, which may include data (including Personal Data) relating to Users, your customers, suppliers or employees or other third parties.

“Data Protection Addendum” means the Data Protection Addendum posted on https://www.brightpearl.com/customer-terms-row/tos#dpa or such other URL as notified to you) as amended from time to time. Terms defined in the Data Protection Addendum shall have the same meanings when used in these terms and conditions unless otherwise specified

“Data Protection Laws” has the meaning set forth in the Data Protection Addendum.

“Documentation” means the online or written user guides, specifications, and manuals regarding the Services made available by Sage, and any updates thereto.

“Effective Date” (i) of the Agreement means the date when the first Order is signed by both you and us, and (ii) of an Order means when the Order is signed by both you and us.

“Force Majeure” means an act of God (e.g., a natural disaster, accident or epidemic) or another event outside of reasonable control of the party seeking excuse of performance (e.g., acts of war, terrorism, government authority or by another third party outside the party’s control).

“Intellectual Property Rights” means rights recognised by any jurisdiction with respect to intellectual work product, such as patent rights (including priority rights), design rights, copyrights (including moral rights), mask work rights, trade secret rights, trademarks, service marks,  domain name rights, database rights, know-how, rights in confidential information and all other intellectual property rights, in each case whether registered or unregistered and including all applications (or rights to apply) for and renewals and extensions of, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

“Order” means an ordering document (such as an Order Schedule) executed by you and us for subscription to Services and/or, if applicable, for the provision of professional services by us.

“Personal Data” shall have the same meaning as in the Data Protection Laws.

“Privacy Notice” means the Sage privacy policy found at https://www.brightpearl.com/privacy-policy-eu, as updated from time to time.

“Reseller” means an authorised reseller through which you purchase a subscription to the Services.

“Sage” means The Sage Group plc or an Affiliate thereof. Brightpearl Limited is a Sage Affiliate.

“Sage Data” means the information on the Order, data about the configuration and use of the Services, Usage Data, the Documentation, and other information provided to you via login in the Services or otherwise by Sage in the course of performance under this Agreement, other than Customer Data. 

“Services” means the products and services ordered by you under an Order and made available online by Sage, including any associated offline or mobile components, but excluding Third-Party Services. The Services include any modifications, enhancements, updates, revisions and derivative works thereof.

“Statement of Work” means a statement of work between you and us for the provision of implementation, consulting or other professional services  related to the Services.

“Third-Party Provider” means any Third-Party Service provided by a party other than Sage.

“Third-Party Service” means any product (e.g. software, cloud services, or forms), tool (e.g. integration or development tools) or service (e.g. implementation, configuration, development or accounting) provided by a Third-Party Provider. .

“User” means a named individual authorized by you to use the Services and who has been supplied with user credentials for the Services by you or by us at your request.

“we”, “us” or “our” means Brightpearl Limited, or such other Sage entity identified on the Order or invoices issued to you under this Agreement.

“you” or “your” means the person accepting this Agreement, provided that if such acceptance is on behalf of a company or other legal entity then: (i) the signatory represents that he/she has the authority to bind such entity to the terms of this Agreement; (ii) “you” and “your” refers to such entity; and (iii) you may be referred to as “Company” in Orders.

Other capitalized terms have the respective meanings given to them elsewhere in this Agreement.

2. Usage Rights.

2.1.Access to the Services. Subject to the terms and conditions of this Agreement and your payment of all applicable fees, we grant you a limited-term, non-exclusive, non-sublicensable, non-transferable (except as expressly permitted herein) right to access and use the Services specified in your Order(s) solely for your internal business purposes.

2.2.Subscriptions. Unless otherwise noted on an Order, Services are purchased as time-based subscriptions. We reserve the right to monitor your use of the Services to effect this Agreement and/or verify compliance with any subscription limits and this Agreement.

2.3.Your Responsibilities. You are responsible for: (i) the confidentiality of User access credentials that are in your possession or control; (ii) setting up appropriate internal roles, permissions, policies and procedures for the safe and secure use of the Services, (iii) the activity of your Users in the Services; and (iv) your Users’ compliance with this Agreement and the Documentation. You must notify us promptly if you become aware, or reasonably suspect, that your account’s security has been compromised.

2.4.Restrictions. Except as expressly authorized by us prior to each instance, you shall not: (i) provide the Services to any third party other than your Users, use the Services as a service bureau, or otherwise violate or circumvent any use limitations or restrictions set forth in an Order, the Service or the Documentation; (ii) derive the source code or use tools to observe the internal operation of, or scan, probe or penetrate, the Services; (iii) copy, modify or make derivative works of the Services; (iv) remove any proprietary markings or notices from any materials provided to you by us; (v) frame or mirror the Services or any part thereof; or (vi) use the Services: (a) to send spam, duplicative, or unsolicited messages in violation of applicable laws or regulations; (b) to store sensitive data such as bank account data, social security (or equivalent) numbers and credit card data outside of the designated fields therefor; (c) to send or store material that violates the rights of a third party; (d) to send or store material containing viruses, worms, Trojan horses or other harmful computer code, files, scripts, agents or programs; or (e) for any other illegal or unlawful purpose. You may not knowingly facilitate or aid a third party in any of the foregoing activities.

3. Availability and Support 

3.1.Availability. We will use commercially reasonable efforts to maintain availability of the Services 24 hours a day, 7 days per week, subject to planned maintenance, Force Majeure events, and the terms of this Agreement. We will endeavour to schedule planned maintenance affecting the availability of the Services at non-peak times, and you will receive reasonable advance notice (which may be posted within the Services or otherwise) of such planned maintenance. We will use commercially reasonable efforts to notify you as soon as reasonably practical of any unplanned downtime of the Services and resolve the issue as soon as practical.

3.2.Changes. In the event that your use of the Services interferes with or disrupts the integrity, security, availability or performance of the Services, we may modify or temporarily restrict or suspend your use of the Services. The parties will cooperate in good faith to resolve the issue as soon as reasonably possible.

3.3.Technical Support. Your Users will receive technical support for the Services and/or upgraded support in accordance with the terms of the Order. Technical support may, at our discretion, include on-line help, FAQs, training guides and templates and the use of email, chat or live help. We are not obligated to maintain or support any customization to the Services or any Third-Party Service, even if sold by us, except under a separate agreement signed by the parties.

3.4 Professional Services. We may also provide professional services, such as implementation, training, customization, or consulting. Any such services are outside the scope of the Services and require a Statement of Work or a separate written agreement between the parties.

4. Fees and Payment 

4.1.Fees. You shall pay us the fees as set forth on the Order. Fees are in the currency specified on the Order. If you exceed any volume limitations set forth on the Order, then you will be required to upgrade to the next volume tier during the month following the month in which the overage occurs.  You may not downgrade to a lower volume tier until your next annual subscription period. From time to time, we may increase the price for our Services. You will be notified at least 30 days in advance before we apply any price increase to your Services subscriptions. Unless otherwise set forth in an Order, such changes will not affect the prices for Services during the then-current subscription term and will become effective upon your next renewal term that commences at least 30 days after our notification of the price change.

4.2.Add-Ons. If, during a then-current subscription term, you add new subscriptions to Services that you are not already subscribed to, such Services will be billed at a prorated amount at the then-current list price.

4.3.Billing and Contact Information. You agree to provide us with complete and accurate billing and contact information, including a specific technical contact if applicable, for your account with us and shall promptly notify us of any change thereto.

4.4.Taxes. All fees and other charges are exclusive of taxes, levies, and duties. Where applicable and unless you timely provide us with a valid tax exemption certificate in a timely manner, any taxes, with the exclusion of taxes on our net income, will either be added to the value of our fees or will be included in the value of our fees on our invoice to you, and you shall be responsible for their payment to us. Each party will timely provide the other with any documents and information as may be required under, or to comply with, applicable tax laws and regulations in a timely manner and within any such timing deadlines as may be required by the same.

4.5.Late Payment; Non-Payment. If we do not receive any fees you owe us by the due date specified on your Order, those fees shall accrue interest at the lower of 1.5% per month or the maximum rate permitted by law. Non-payment of any fees for the Services and/or professional services (whether owed to us or to a Reseller) or of any other amounts due by you to us is a material breach of this Agreement.

5. Proprietary Rights and Data

5.1.Services. Subject to the limited rights expressly granted hereunder, as between the parties Sage shall own all rights, title and interest, including all Intellectual Property Rights, in and to the Services (including any configurations and customizations thereof), Sage Data and the results of consulting and other professional services performed by Sage or on its behalf. All rights not expressly granted in this Agreement are reserved by Sage.

5.2.Customer Data. Subject to the limited rights expressly granted hereunder, as between the parties you own all rights, title and interest, including all Intellectual Property Rights, in and to Customer Data. You grant Sage and its subcontractors a worldwide, royalty-free, irrevocable, perpetual, non-exclusive license to host, copy, process, transmit, sublicence, display and use the Customer Data to: (i) carry out research and development to improve our, and our Affiliates’, services, products and applications; (ii) develop and provide new and existing functionality and services (including statistical analysis, benchmarking and forecasting, artificial intelligence/machine learning and other commercially reasonable purposes) to you and other Sage customers; (iii) provide, administer and ensure the proper operation of the Services and related systems and (iv) perform our rights and obligations under this Agreement. 

5.3.Feedback. You may, but are not required to, provide Sage or its Resellers or subcontractors with ideas, suggestions, requests, recommendations or feedback about the Services (“Feedback”). If you do so, Sage shall own all rights, title and interest, including all Intellectual Property Rights, in and to the Feedback, including any configurations and customisations thereof. All rights not expressly granted in this Agreement are reserved by Sage.

5.4.Data Privacy. Each party will abide by terms of the Data Protection Addendum, and references therein to the “Agreement” shall be construed as references to this Agreement. Any Customer Data shall be handled in accordance with the requirements of the Data Protection Addendum. You  agree that we may use Customer Data in order to (i) carry out research and development to improve our, services, products and applications; (ii) develop and provide new and existing functionality and services (including statistical analysis, benchmarking and forecasting services, predictive analysis and artificial intelligence/machine learning) to you and other Sage customers; and (iii) provide you with location-based services (for example, location relevant content) where we collect geo-location data to provide a relevant experience.  Further information on these activities and how Sage protects Personal Data is provided in Sage’s Privacy Notice. These activities may involve aggregating, anonymising or pseudonymising Customer Data.

6. Confidentiality and Data Security

6.1.Confidential Information. “Confidential Information” means all information of a party or its Affiliates (“Discloser”) disclosed to the other party or its Affiliates (“Recipient”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. The Services and Sage Data are our Confidential Information. Customer Data is your Confidential Information.

6.2.Exceptions. Confidential Information excludes: (i) information that was known to the Recipient without a confidentiality restriction prior to its disclosure by the Discloser; (ii) information that was or becomes publicly known through no wrongful act of the Recipient; (iii) information that the Recipient rightfully received from a third party authorized to make such disclosure without restriction; (iv) information that has been independently developed by the Recipient without use of the Discloser’s Confidential Information; and (v) information that was authorised for release in writing by the Discloser.

6.3.Confidentiality Obligations. The Recipient will use the same degree of care and resources as it uses for its own confidential information of like nature (but no less than reasonable care) to protect the Discloser’s Confidential Information from any use or disclosure not permitted by this Agreement or authorized by the Discloser. The Recipient may disclose the Discloser’s Confidential Information to its employees, Affiliates and service providers who need access to such Confidential Information to effect the intent of this Agreement, provided that they are bound by confidentiality obligations no less restrictive than those herein. Recipient shall be responsible for any breach of this clause by its employees, Affiliates and service providers.

6.4.Disclosure Required by Law. The Recipient may disclose Confidential Information to the extent required by court or administrative order or law, provided that the Recipient provides advance notice thereof (unless requested or ordered not to do so by law enforcement or a court) and reasonable assistance, at the Discloser’s cost, to enable the Discloser to seek a protective order or otherwise prevent or limit such disclosure.

6.5.Injunctive Relief. A breach of the Recipient’s confidentiality obligations may cause irreparable damage, which money cannot satisfactorily remedy, and therefore the Discloser may seek the remedies of  injunction, specific performance and other equitable relief for any threatened or actual breach of clause 6.3 without the need to prove damages or post a bond or other surety.

6.6.Data Security. We will maintain and enforce an information security program for the protection of Customer Data, including commercially reasonable administrative, physical, and technical measures designed to (i) protect the confidentiality, availability and integrity of Customer Data, (ii) restore the availability of Customer Data in a timely manner in the event of a physical or technical incident, and (iii) ensure the proper disposal and destruction of Customer Data. We will notify you, as required by applicable law, of any actual or reasonably suspected breach of security known to us that has resulted in, or creates a reasonable risk of, unauthorized access to Customer Data without undue delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the integrity of the Services.

6.7.Non-Sage Equipment. The Services are provided over the internet via networks only part of which are within our control. Our obligations in clause 6.6 apply only to networks and equipment within our control, and we are not responsible for any delay, loss, interception, or alteration of Customer Data on a network or infrastructure outside of our control.

7. Third-Party Services 

7.1.No Endorsement or Warranty. We may present to you, including on our websites or via integrations with the Services, certain Third-Party Services. We do not endorse or make any representation, warranty or promise regarding, and do not assume any responsibility for, any such Third-Party Service or a Third-Party Provider, and shall have no liability whatsoever for any damages, liabilities or losses caused by any Third-Party Service or Third-Party Provider, regardless of whether it is described as “authorized,” “certified”, “recommended” or the like and regardless of whether the Third-Party Service is included in your Order. Your use of the Third-Party Services is subject to the terms and conditions imposed by the Third-Party Providers in addition to these terms and conditions (to the extent applicable). If there is a conflict or inconsistency between these terms and conditions and such terms and conditions imposed by the Third-Party Providers, these terms and conditions shall take precedence in connection with the use of the Service.  You are solely responsible for evaluating Third-Party Services and Third-Party Providers, and for reviewing all applicable terms and conditions and policies, including privacy and data gathering practices of any such Third-Party Provider.  We have no obligation to make available or to provide support for Third-Party Services and do not guarantee the initial or continuing interoperability of the Services with any Third-Party Services. If a Third-Party Provider ceases to make the Third-Party Services available for interoperation with any feature of the Services on reasonable terms, we may cease providing such feature without liability, refund or credit.

7.2.Data Sharing. If you obtain a Third-Party Service that requires access to or transfer of Customer Data, you acknowledge that any such access or transfer is between you and the Third-Party Provider pursuant to the Third-Party Provider’s own privacy notices and policies, and that we are authorized to provide the Customer Data as requested by the Third-Party Service. We are not responsible for any modification, loss, damage or deletion of Customer Data by any Third-Party Service obtained by you.

8. Term and Termination

8.1.Term. All Services subscriptions specified in your initial Order will run for the subscription period set forth therein. If you add subscriptions after the beginning of a subscription period, their initial term will be the remainder of the then-current subscription period, unless otherwise set forth in the Order. All subscriptions will automatically renew for additional subscription periods of one year (or for such different renewal term as set forth in the renewal Order), unless either party gives the other party notice of non-renewal at least 30 days prior to the end of the relevant subscription period. If you do not enter into a renewal Order prior to the end of a subscription period, then we may suspend your access to the Services until you do so. If you do not enter into a renewal Order prior to the end of a subscription period, then we may suspend your access to the Services until you do. This Agreement will remain in effect until all User subscriptions have expired or the Agreement has been terminated as provided below.

8.2.Termination. Either party may terminate the Agreement (i) by sending a notice of non-renewal as provided above, (ii) if the other party has materially breached this Agreement, upon written notice to the breaching party of the breach and, if such breach is capable of remedy , an opportunity  of at least 30 days to remedy the breach, or (iii) upon written notice to the other party if the other party becomes the subject of a petition in bankruptcy or another proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. If you materially breach this agreement, we may, without limitation of other rights and remedies, temporarily suspend or terminate your access to the Services or withhold further performance of our obligations under this Agreement.

8.3.Effect of Termination. On expiration or termination of this Agreement: (i) all applicable User licences and other rights granted to you will immediately terminate; (ii) a party’s rights, remedies, obligations (including payment obligations) and liabilities that have accrued up to the date of termination shall not be affected; (iii) unless you have terminated the Agreement for our material breach as provided above, we will not be obligated to refund any prepaid and unused fees; and (iv) subject to clause 8.5, the Recipient shall, at the request of the Discloser, delete or destroy the Discloser’s Confidential Information in its possession or control. Notwithstanding the foregoing, the Recipient may retain the Discloser’s Confidential Information (a) to the extent required by law or governmental authority, or (b) that is automatically stored in accordance with the Recipient’s generally applicable backup policies (“Backup Media”). All Backup Media shall remain subject to the confidentiality obligations set forth herein, notwithstanding the expiration or termination of this Agreement, so long as it remains undeleted.

8.4.Survival. Clauses 1, 5, 6, 8, 10, 11 and 12 will survive any expiration or termination of the Agreement.

8.5.Access to Customer Data. Customer Data may be exported at any time during the term of this Agreement. We will not delete Customer Data from our production environment for up to 90 days after termination or expiration of the Agreement and may assist you with exporting Customer Data during such period at our standard hourly consulting rate. After that 90-day period, we will have the right to delete all Customer Data and will have no further obligation to make it available to you. Should you desire longer storage of Customer Data, paid archival Services may be available. Please see the Data Protection Addendum and the Privacy Notice for further details of data retention.

9. Warranties

9.1.Authority. Each party represents to the other that it has the authority to enter into this Agreement, to carry out its obligations under it, and to give the rights and licenses granted herein.

9.2.Our Warranties. We warrant that: (i) the Services will perform materially in accordance with the Documentation; (ii) we will not decrease the material functionality of the Services during a current subscription term, and (iii) we will perform any professional services in a workmanlike manner and in accordance with industry standards.

9.3.Remedies. If you notify us in writing that the Services and/or our professional services do not conform with any of the warranties in clause 9.2, we will use commercially reasonable endeavours to investigate and correct any such non-conformance promptly. You will use commercially reasonable endeavours to mitigate any damage as a result of such non-conformance. Subject to your right to terminate this Agreement for cause, this clause 9.3 constitutes your sole and exclusive remedy for breach of the warranties in clause  9.2.

9.4.DISCLAIMER OF ALL OTHER WARRANTIES. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS AND IS ONLY FOR COMMERCIAL USE, SUBJECT TO ANY RESTRICTIONS IN THIS AGREEMENT OR THE DOCUMENTATION. WE, ON BEHALF OF OURSELVES, OUR AFFILIATES AND LICENSORS, DISCLAIM TO THE FULLEST EXTENT PERMITTED BY LAW ALL OTHER REPRESENTATIONS, WARRANTIES AND GUARANTEES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING THOSE (I) OF MERCHANTABILITY OR SATISFACTORY QUALITY, (II) OF FITNESS FOR A PARTICULAR PURPOSE, (III) OF NON-INFRINGEMENT AND (IV) ARISING FROM CUSTOM, TRADE USAGE, COURSE OF PRIOR DEALING OR COURSE OF PERFORMANCE. EXCEPT AS EXPRESSLY PROVIDED HEREIN, WE, OUR AFFILIATES AND LICENSORS DO NOT WARRANT, REPRESENT, GUARANTEE OR UNDERTAKETHAT YOUR USE OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE,THAT THE SERVICES ARE FREE FROM VIRUSES, BUGS, ERRORS OR MISTAKES OR THAT THE SERVICES, DOCUMENTATION AND/OR THE INFORMATION OBTAINED BY YOU THROUGH THE SERVICES WILL MEET YOUR REQUIREMENTS OR PRODUCE PARTICULAR OUTCOMES OR RESULTS, OR THAT THE SERVICES WILL PRODUCE ERROR-FREE MACHINE-GENERATED ANALYSES, BENCHMARKS OR INSIGHTS. WE ARE NOT RESPONSIBLE FOR ANY ISSUES WITH THE SERVICES THAT ARISE FROM CUSTOMER DATA, THIRD-PARTY SERVICES OR THIRD-PARTY PROVIDERS. YOU ACKNOWLEDGE THAT WE DO NOT PROVIDE ANY ACCOUNTING, TAXATION, FINANCIAL, INVESTMENT, LEGAL OR OTHER ADVICE TO YOU, USERS, OR ANY THIRD PARTY AND YOU ACCEPT THAT IT IS YOUR RESPONSIBILITY TO ENSURE THAT THE SERVICE MEETS YOUR REQUIREMENTS.

10. Indemnification

10.1.Our Indemnification. Subject to clause 10.3, we shall indemnify and hold you and your Affiliates, officers, directors, employees, and agents harmless from and against any and all claims, costs, damages, losses, liabilities and expenses, including reasonable attorneys’ fees and costs (collectively, “Damages”) to the extent arising out of or in connection with a third-party claim alleging that the Services infringe or misappropriate the Intellectual Property Rights of a third party. In no event shall Sage, its Affiliates, employees, consultants, agents and subcontractors be liable to you , to the extent that the alleged infringement or misappropriation is based on: (a) a customization or modification of the Services at your direction or by anyone other than us; (b) your use of the Services in combination with any service, software, hardware, network or system not supplied by us, if the alleged infringement relates to such combination; or (c) your use of the Services in a manner contrary to our written instructions or the Documentation; or (d) your use of the Services after notice of the alleged or actual infringement from Sage or any appropriate authority. If the Services infringe or misappropriate, or we reasonably believe they may infringe or misappropriate, Intellectual Property Rights, we may, at our own expense and option: (i) procure the right for you to continue use of such Services; (ii) modify such Services so that they become non-infringing without material loss of functionality; or (iii) if (i) and (ii) are not feasible, terminate the Agreement and refund you a pro-rata portion of any prepaid and unused fees for the Services covering the period following the effective date of termination.

10.2.Indemnification by You. Subject to clause 10.3, you will indemnify and hold us and our Affiliates, officers, directors, employees, and agents harmless from and against any and all Damages to the extent arising out of or in connection with your and your Users’ acts or omissions with respect to the Services including (without limitation) your and your Users’ use of the Services and any Customer Data and/or your breach of any of your obligations under this Agreement including, but not being limited to a third-party claim alleging that your collection, retention or use of Customer Data or your use of the Services in breach of this Agreement infringes the rights of, or has caused harm to, a third party, or violates applicable law.

10.3.Indemnification Procedure. In the event of a potential indemnity obligation under this clause 10, the indemnified party shall provide to the indemnifying party: (i) prompt written notice of the claim or a known threatened claim, such that the indemnifying party’s ability to defend the claim is not prejudiced; and (ii) control of, and reasonable assistance in, the defence and settlement of the claim, at the indemnifying party’s expense. Without the prior written consent of the indemnified party, the indemnifying party shall not settle or consent to an adverse judgment in any such claim that adversely affects the rights or interests of, or imposes additional obligations on, the indemnified party.

10.4.Exclusive Remedy. The indemnification obligations set forth above represent the sole and exclusive liability of the indemnifying party and the exclusive remedy of the indemnified party for any third-party claim described in this clause .

11. Limitation of Liability

11.1.Limitations. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY INDIRECT, SPECIAL, EXEMPLARY, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES. EXCEPT FOR THE INDEMNIFICATION OBLIGATIONS UNDER CLAUSE10 AND YOUR OBLIGATIONS TO PAY FEES UNDER THIS AGREEMENT, EACH PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED THE FEES ACTUALLY PAID OR PAYABLE BY YOU TO US IN THE 12-MONTH SUBSCRIPTION PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

11.2.Scope. The exclusions and limitations set out in this clause 11  apply to all causes of action, (in each case whether direct or indirect and howsoever arising) whether arising from breach of contract, tort (including negligence), breach of statutory duty or otherwise, even if such loss was reasonably foreseeable or if one party had advised the other of the possibility of such loss, provided that nothing in this Agreement shall be construed so as to limit or exclude any liability which cannot be excluded or limited as a matter of law. The allocation of risk in this Agreement is reflected in the level of fees payable hereunder. A party may not circumvent the limitations of liability herein or receive multiple recovery under this Agreement by bringing separate claims or claims on behalf of its Affiliates.

12. General Provisions

12.1.Compliance with Laws. Each party shall comply with all applicable laws, statutes, codes and regulations in relation to the Services, including applicable anti-bribery and anti-corruption laws, Data Protection Laws, tax evasion laws and all sanctions laws, regulations and regimes imposed by relevant authorities including but not limited to the Office of Foreign Assets Control (OFAC), the UN, the UK and EU (“Relevant Requirements”). You shall, and shall procure that persons associated with you shall: (i) comply with all Relevant Requirements; (ii) not engage in any conduct which would constitute an offence under, or otherwise breach, any of the Relevant Requirements; (iii) not do, or omit to do, any act that may lead Sage to be in breach of any Relevant Requirements; and (iv) have and maintain in place during the term of this Agreement your own policies and procedures to ensure and demonstrate compliance with the Relevant Requirements and will enforce them where appropriate. Notwithstanding the generality of this clause 12.1, the Services may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that it and its Affiliates is not named on any U.S. government “denied persons list” (or equivalent targeted sanctions list) and that it and its Affiliates are not owned or controlled by a politically exposed person. You shall be obliged to notify us if, during the term of this Agreement, you or any of your Affiliates become named on any U.S. government “denied persons list” (or equivalent targeted sanctions list) or you become owned or controlled by a politically exposed person. In the event that these circumstances arise, we shall be entitled to terminate this Agreement immediately on written notice to you. You shall not permit Users to access or use the Services in a U.S embargoed country or in violation of any U.S., United Kingdom or European Union export laws or regulations or in any Prohibited  Territories. “Prohibited Territories” means (i) Cuba, Iran, North Korea, Syria and the territory of Crimea, Donetsk, Kherson, Luhansk, Sevastopol and Zaporizhzhia, (ii) any other country or territory that is subject to sanctions by the United Kingdom, the European Union, or the U.S. (iii) any other country or territory that becomes subject to sanctions by the United Kingdom, the European Union, or the U.S. after the Effective Date. You shall have and shall maintain throughout the term appropriate procedures and controls to ensure and be able to demonstrate your compliance with this clause 12.1. Each party will promptly report to the other party if it has violated, or if a third party has a reasonable basis for alleging that it has violated, this clause . In the event that this clause 12.1 is breached by you, we shall have a right to immediately suspend your use of the Services to the extent that we consider necessary without prior notice and/or terminate the Agreement immediately on written notice to you. You shall indemnify (and keep indemnified) Sage and our officers, directors, employees, attorneys and agents against any Damages arising out of or in connection with your, your Affiliates (or your Users) breach of this clause 12.1.

12.2.You shall assist in any due diligence process we may ask you to participate in from time to time to ensure your compliance with this Agreement and, in particular, this clause 12. You shall provide us with all reasonable co-operation, information and assistance in relation to our due diligence processes for any purpose, including but not limited to enabling us to establish ownership and to identify any territory in which you and any or all of your Users use and access the Services for whichever purpose. Your failure to engage in any such a process and/or provide the required information shall be deemed to be a material breach of this Agreement and we shall have a right to terminate this Agreement immediately on written notice to you.

12.3.Unfair Competition. You may not use the Services or any materials provided by us to build a competitive product or service or to benchmark with a non-Sage product or service.

12.4.Assignment. Neither party may assign any rights or obligations under this Agreement without the other party’s prior written consent, except that a party may assign the Agreement in its entirety in connection with a merger, acquisition, spin-off, corporate reorganization or restructuring, or sale of substantially all of its assets. Any attempted assignment in breach of this Agreement shall be void.

12.5.Remedies Not Exclusive. Except as expressly set forth herein, any remedy in this Agreement is not exclusive of any other available remedy.

12.6.Third Party Beneficiaries. Certain of the Services may be provided by our Affiliates. In such case, each such Affiliate shall be a third-party beneficiary of this Agreement to the extent of such Services. Except as expressly set out in this Agreement, a person who is not a party to this Agreement will have no rights to enforce it.

12.7.Entire Agreement. This Agreement constitutes the entire agreement between the parties regarding the use of the Services  and supersedes all prior or contemporaneous written and oral agreements, negotiations and discussions between the parties regarding the subject matter herein. The parties acknowledge that in entering onto this Agreement they have not relied on and will have no rights or remedies in respect of any statement, representation, assurance or warranty other than as expressly set out in this Agreement. Nothing shall limit or exclude either party’s liability for fraud.

12.8.Severability. If any provision or part-provision of this Agreement is held by a court of competent jurisdiction to be invalid, illegal or unenforceable, then to the extent possible such provision shall be deleted, or shall be construed, as far as possible, to reflect the intent of the original provision, with all other provisions in this Agreement remaining in full force and effect.

12.9.No Partnership or Agency. Each party is an independent contractor, and neither party has any authority to act on behalf of the other. Neither party will represent itself as agent, servant, franchisee, joint venture or legal partner of the other. We are entering into this Agreement as principal and not as agent for any other Sage company, and claims under this Agreement may be brought only against us and not against any of our Affiliates.

12.10.Waiver. A party’s failure or delay to exercise or enforce any of its rights under this Agreement will not act as a waiver or a continuing waiver of such rights. Such rights may only be waived in writing signed by the waiving party. 

12.11.Force Majeure. Notwithstanding any provision contained in the Agreement, neither party will be liable to the other to the extent fulfilment or performance of any obligations under the Agreement is delayed or prevented by a Force Majeure event.

12.12.Order of Precedence. In the event of any express conflict or inconsistency, the order of precedence shall be: (i) the Data Protection Addendum (ii) your Order; (iii) these terms (including any annexes or exhibits hereto); and (iv) the Documentation.

12.13.Updates. From time to time, we may amend the terms of this Agreement in our sole discretion. We will notify you of any material changes by promptly sending an email or posting a notice in the Services. By continuing to access or use the Services after such notice, you are indicating that you agree to be bound by the modified terms. Notwithstanding the foregoing, if the changes have a material adverse impact on and are not acceptable to you, then you must notify us within 30 days after receiving notice of the change. If we cannot accommodate your objection, then the prior terms shall remain in force until the expiration of your then-current subscription period. Any renewed subscription will be governed by our then-current terms.

12.14.No Publicity. Neither party shall make any public statement about this Agreement or the relationship of the parties governed by this Agreement that identifies the other party without the other party’s prior written consent, except that while you are a customer, Sage may use your name and logo in its customer list in a manner that does not suggest endorsement.

12.15.Governing Law; Dispute Resolution. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any such dispute or claim. .For the avoidance of doubt, the United Nations Convention on Contracts for the International Sale of Goods shall not apply.

12.16.Notices. Except as otherwise specified in this Agreement, any notice required under this Agreement will be in writing and sent by pre-paid mail, courier service or email to the contact address or email last provided in writing to the notifying party by the notified party. Any notice will be deemed received: (i) if sent by pre-paid mail, 48 hours after posting; (ii) if sent by courier, on the next business day; or (iii) if sent by email, at 9 a.m. recipient’s local time on the next business day after the email is sent, or earlier if the intended recipient has confirmed receipt either expressly or by conduct.

12.17.Interpretation. Headings are for convenience only and may not be used in interpretation. The words “such as” and “including” do not signify limitation. The Agreement shall not be interpreted against the drafter.

12.18.Special Product Terms. Certain Services or modules may be governed by additional terms. When agreed by you, such terms will become part of this Agreement.

13. Purchase Through a Partner

13.1.Purchase through an Authorized Reseller. The following supplemental terms apply if you purchase a subscription to the Services through a Reseller: If you place an order for the Services with a Reseller then (i) such document shall constitute an Order hereunder, (ii) your payment obligations under such Order shall be to the Reseller, and (iii) your acceptance of such Order shall be an acceptance of this Agreement between you and us for the provision of the Services, provided that any transactions solely between you and the Reseller (such as professional services provided by the Reseller or other Third-Party Services sold by the Reseller) shall not be a part of this Agreement. First-tier technical support for the Services will be provided by the Reseller, unless otherwise set forth in the Order. Non-payment of fees owed to a Reseller under an Order shall constitute a material breach of this Agreement. If you grant a Reseller access to Customer Data or to your Services account, such access shall constitute consent to the disclosure of Customer Data to the Reseller pursuant to clause 6 above, and you will be responsible for terminating such access.

Customer Data Protection Addendum (DPA)

(Last updated March 2023)

This Data Protection Addendum together with its Schedules (“DPA”) is part of Brightpearl’s terms and conditions, or other written or electronic agreement between Brightpearl and the Customer, as amended or supplemented from time to time, all together forming the “Agreement”.

In this DPA, references to “Services” shall have the same meaning as set out in the terms and conditions.

Where there is any conflict between the terms of this DPA and any other part of the Agreement, the following order of precedence shall apply: (1) SCCs/UK Addendum/UK IDTA (as applicable); (2) this DPA; and (3) any other part of the Agreement.

1. DEFINITIONS & INTERPRETATION

Capitalised terms in this DPA have the meanings given to them below.

Adequacy Decision a finding by the European Commission, or a government or body authorised to make a finding, in accordance with Data Protection Laws, that a Recipient Country ensures an adequate level of protection of personal data, so that further steps/mechanisms are not required to be implemented under Data Protection Laws in relation to a Restricted Transfer.
Affiliate an entity that directly or indirectly controls, or is controlled by, or under common control with, the subject entity. “Control” for the purposes of this definition means the ownership or control (whether directly or indirectly) of at least 50% of the voting rights in the entity, or otherwise the power to direct the management and policies of the entity. The terms “Controlled” and “Controls” shall be construed accordingly.
Applicable Law any law, enactment, regulation, or rule applicable to the Parties, including but not limited to the Data Protection Laws.
Brightpearl  the Brightpearl entity which has executed the Agreement, which may have authorised, or act together with, another Brightpearl Affiliate / Affiliates in Processing Personal Data in order to provide the Services.
Brightpearl  Affiliate an Affiliate of Brightpearl.
Controller the party that determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as defined by Data Protection Laws.
Customer Affiliate an Affiliate of the Customer.
Customer the Customer entity that has entered into the Agreement.
Data Protection Laws local, national or international laws and regulations which relate to the protection or Processing of Personal Data, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); European Union (“EU”) member state data protection laws; and the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications (the “EU Data Protection Laws”); (b) the UK Data Protection Act 2018 (and regulations made thereunder) and UK GDPR (the “UK Data Protection Laws”); and (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003; the US Health Insurance Portability and Accountability Act (HIPAA); the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, the Canada Personal Information Protection and Electronic Documents Act (PIPEDA); the Swiss Federal Act on Data Protection; the Australian Privacy Act 1988; and any other relevant, EU, local, state, provincial, or national data protection laws, in each case as amended, supplemented or replaced from time to time, and in each case to the extent that they apply to the Processing of Personal Data by a Party.
Data Subject an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, including as applicable a “consumer” as that term is defined by Data Protection Laws.
Non-Adequate Country A country that is not considered by the European Commission, or national government / authority authorised by a national government, to ensure an adequate level of personal data protection, or a similarly categorised country, such that any transfer of personal data to that country is a Restricted Transfer.
Parties the parties to this DPA, specifically Brightpearl and: (a) Customer; or (b) a Customer Affiliate in accordance with clause 2, each a “Party”.
Personal Data any information relating to a Data Subject or household (or any information defined as “personal data,” or “personal information” or other similar terms under Data Protection Laws) that is included in the data, information or material provided, inputted, or submitted by the Customer, a Customer Affiliate, Users, or others into the Services, or shared with Brightpearl  by any means in connection with the Services and the Agreement, which may include Personal Data relating to the Customer, Customer Affiliates, Users, or other contacts of Customer.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, or any comparable definition or meaning under Data Protection Laws.
Processing any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor a party that Processes Personal Data on behalf of a Controller, including as applicable any “service provider” or “contractor” as those terms are defined by applicable Data Protection Laws.
Restricted Transfer a transfer of Personal Data outside of the EEA or the UK, or any other country or jurisdiction, which requires further steps to be taken under Data Protection Laws.
Restricted Transfer Documentation the relevant module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented through Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), as adapted for any jurisdiction to the extent permitted by Data Protection Laws, or similar mechanism in respect of any other jurisdiction, such as the UK Addendum or UK IDTA.
Supervisory Authority a public regulatory or supervisory authority established in accordance with Data Protection Laws and which is concerned with the Processing of Personal Data, for instance the UK Information Commissioner’s Office (“ICO”) for the UK, the relevant EU data protection authorities for EU member states, or the Federal Data Protection and Information Commissioner or relevant cantonal or municipal supervisory authority for Switzerland.
Sub-Processor another party engaged by a Party to assist with that Party’s Processing of Personal Data.
User an individual who is authorised to use the Services (for instance individuals who have been supplied with a user identification and password by the Customer or a Customer Affiliate, or by Brightpearl  at the Customer’s or Customer Affiliate’s request). Users may include Customer’s or a Customer Affiliate’s employees, consultants, contractors, agents or other third parties.
UK Addendum the template Addendum B.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.
UK IDTA the template IDTA A.1.0 issued by the ICO and laid before UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised from time to time.

2. APPLICATION OF THIS DPA

2.1 For the purposes of this DPA only, and to the extent necessary under the Data Protection Laws, the Customer enters into this DPA on behalf of itself and any Customer Affiliate(s) who may be involved in the Processing of Personal Data. A Customer Affiliate is not, and does not become, a party to the other parts of the Agreement by virtue of this clause 2.1, but only a party to this DPA.

2.2 Each Customer Affiliate agrees to be bound by the obligations of this DPA (including those of the Customer) to the extent that such obligations apply to its involvement (if any) in Processing Personal Data. The Customer shall wherever possible be responsible for communicating with Brightpearl, and co-ordinating relevant communications from Customer Affiliates ahead of communicating with Brightpearl, in relation to this DPA.

2.3 Where Brightpearl Affiliates are involved in the Processing of Personal Data, Brightpearl shall ensure that those Brightpearl Affiliates are bound by equivalent obligations to those contained in this DPA, including by way of an intra-group data processing agreement.

3. PROCESSING ROLES

3.1 The Parties agree that where the EU or UK Data Protection Laws apply to the Processing of Personal Data, the Customer is the Controller, and Brightpearl is the Processor, in relation to the Processing (which is more fully described in Schedule 1) and Brightpearl will act in accordance with the Customer’s documented instructions and in accordance with the Data Protection Laws in carrying out that Processing.

3.2 The Customer may alternatively be acting as a Processor under the EU or UK Data Protection Laws in Processing the Personal Data described in Schedule 1 on behalf of its own customers/other parties, in which case Brightpearl will be the Customer’s Sub-Processor, and the obligations in this DPA will apply to Brightpearl as a Sub-Processor.

4. CUSTOMER’S OBLIGATIONS

4.1 The Customer shall:

a. comply with; and
b.procure the compliance of Customer Affiliates, Users, other contacts of the Customer or Customer Affiliates, or third parties who may use the Services with,

the Data Protection Laws in Processing Personal Data ahead of sharing it in connection with the Services.

4.2 The Customer warrants on an ongoing basis that:

a. it has an appropriate lawful basis under the Data Protection Laws to share Personal Data with Brightpearl in connection with the Services; and
b. where it is acting as a Processor under EU or UK Data Protection Laws, the relevant Controller has authorised: (i) the Customer’s Personal Data Processing instructions to Brightpearl (as set out in this DPA); (ii) the Customer’s appointment of Brightpearl as a Sub-Processor; and (iii) Brightpearl ’s use of further Sub-Processors as described in Section 5 (Use of Sub-Processors).

4.3. The Customer further agrees that it shall:

a. as required by the Data Protection Laws, obtain any necessary consents and provide sufficient information to Data Subjects regarding the Processing of their Personal Data, or procure the same, for: (i) the Customer to share the Personal Data with Brightpearl or the Services; and (ii) Brightpearl to Process the Personal Data for the purposes set out in the Agreement and in accordance with the Data Protection Laws;
b. not do or cause Brightpearl to do anything which would put Brightpearl in breach of the Data Protection Laws or violate the rights of any Data Subject; and
c. provide reasonable assistance to Brightpearl in complying with Brightpearl ’s obligations under the Data Protection Laws, including by entering into any amendments or additions to this DPA which may be necessary to reflect any changes in the Customer’s, or Brightpearl’s, Personal Data Processing activities, or otherwise as required by the Data Protection Laws.

5. BRIGHTPEARL’S OBLIGATIONS 

INSTRUCTIONS

5.1 By entering into the Agreement including this DPA, the Customer is instructing Brightpearl to Process Personal Data to provide the Services and any related support to the Customer, as well as to inform improvements to Brightpearl’s products and services, carry out research, and further develop  Brightpearl’s products. Brightpearl ’s Personal Data Processing activities for these purposes are more fully described in Schedule 1. The Customer further instructs Brightpearl to comply with Brightpearl’s Personal Data Processing obligations as a Processor (or Sub-Processor where the Customer is acting as a Processor) as set out in the rest of this DPA.

5.2 Brightpearl shall Process Personal Data only on the instructions from the Customer as set out in this DPA, unless Brightpearl is required to Process Personal Data by applicable law to which Brightpearl is subject, in which case Brightpearl shall inform the Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Brightpearl shall immediately inform the Customer if, in Brightpearl’s opinion, instructions given by the Customer infringe Data Protection Laws.

SECURITY

5.3 Brightpearl shall have in place at all times appropriate technical and organisational measures to prevent any unauthorised or unlawful Processing, or accidental loss or destruction, of Personal Data, taking into account the state of the art, the costs of implementation, the nature of the relevant Personal Data Processing, and the risk to the rights and freedoms of the relevant Data Subjects. Such security measures may include: (a) the pseudonymisation or encryption of Personal Data; (b) the ability to timely restore the availability and access to Personal Data in the event of an incident; (c) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

5.4 Brightpearl grants internal access to Personal Data only where strictly necessary, and ensures that persons authorised to Process the Personal Data have committed themselves to confidentiality.

USE OF SUB-PROCESSORS

5.5 The Customer hereby generally authorises Brightpearl’s use of Sub-Processors and Brightpearl’s list of criteria used to select and appoint a Sub-Processor which is as follows: (a) Brightpearl will conduct reasonable due diligence on the data privacy and security measures of proposed Sub-Processors before providing them with access to Personal Data; (b) Brightpearl will carry out data protection impact assessments ahead of appointing a Sub-Processor where any Processing of Personal Data by a Sub-Processor is likely to result in a high risk to the rights and freedoms of Data Subjects; (c) as required under Data Protection Laws, Brightpearl will ensure that it puts in place a contract with any appointed Sub-Processor which imposes on the Sub-Processor, in substance, the same data protection obligations as imposed on Brightpearl in this DPA; and (d) Brightpearl shall keep its relationships with Sub-Processors under review and take any further steps as may be required under Data Protection Law or in relation to any changes to Customer’s or Brightpearl’s Personal Data Processing activities. Brightpearl shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations under the Sub-Processor’s contract with Brightpearl.

5.6 Brightpearl’s current list of Sub-Processors is in Schedule 1. Brightpearl shall inform the Customer if Brightpearl wishes to make any changes to its criteria for choosing a Sub-Processor, and the Customer may reasonably object at any time to such changes or find out more information about Brightpearl’s use of Sub-Processors by contacting their Brightpearl representative, or using the contact information on the Brightpearl website.

5.7 Brightpearl will take any reasonable objection that it receives from the Customer in relation to a Brightpearl Sub-Processor, or Brightpearl’s criteria to appoint Sub-Processors, seriously, and will work with a Sub-Processor where necessary to address the Customer’s concern. If a solution cannot be found to the Customer’s concern, and it is not possible for Brightpearl to stop using a particular Sub-Processor, or to find an alternative Sub-Processor (none of which shall be considered a material breach of the Agreement by Brightpearl) the Customer may choose to terminate the Agreement in accordance with its termination provisions.

INTERNATIONAL TRANSFERS

5.8 Brightpearl shall only carry out a Restricted Transfer in compliance with Data Protection Laws and shall implement appropriate safeguards to the extent necessary under Data Protection Laws (which may include Brightpearl’s intra-group Personal Data Processing agreements, or Brightpearl’s SCCs with third parties).

5.9 Where the EU Data Protection Laws or Swiss FDPA apply to a Restricted Transfer that occurs directly between the Customer and a Brightpearl Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfer under Data Protection Laws, the EU C-P SCCs and/or EU P-P SCCs will apply (depending upon whether the Customer is a Controller or Processor).

5.10Where the UK Data Protection Laws apply to a Restricted Transfer that occurs directly between the Customer and a Brightpearl Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfer under Data Protection Laws, the UK IDTA will apply.

5.11 Where the EU Data Protection Laws and UK Data Protection Laws both apply to Restricted Transfers that occur directly between the Customer and a Brightpearl Affiliate located in a Non-Adequate Country, and no other valid transfer mechanism applies to such transfers under Data Protection Laws, the SCCs stated in clause 5.9 together with the UK Addendum will apply.

5.12 Particulars in relation to the transfer mechanisms referred to in clauses 5.9 to 5.11 above are in Schedule 2.

PERSONAL DATA BREACH

5.13 In the case of a Personal Data Breach affecting Personal Data, Brightpearl shall notify the Customer without undue delay, and take actions that Brightpearl reasonably considers necessary and possible to contain and mitigate the effects of such Personal Data Breach (subject to any instructions regarding the same from the Customer).

5.14 The notification referred to in paragraph 5.13 shall at least: (a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

OTHER

5.15 At the Customer’s reasonable request and expense, and subject to the Customer and any third-party auditor entering into an appropriate confidentiality agreement, Brightpearl shall: (a) provide the Customer with information as may reasonably be necessary to demonstrate compliance with the obligations on a Processor as laid down in the Data Protection Laws; and (b) allow the Customer (or an independent, third-party professional auditor mandated by the Customer and acceptable to Brightpearl, both the Customer and Brightpearl acting reasonably) to conduct an audit, including inspection, of Brightpearl ’s Processing of the relevant Personal Data pursuant to the Agreement, and contribute to that audit.

5.16 Brightpearl shall, without undue delay, notify the Customer in relation to any communication from a Data Subject, Supervisory Authority or other body in relation to Personal Data.

5.17 At the reasonable expense of the Customer, Brightpearl shall:

a. taking into account the nature of the relevant Processing, assist the Customer by appropriate technical and organisational measures to fulfil the Customer’s obligation under the Data Protection Laws to respond to requests from Data Subjects; and
b. in each case if and to the extent required by the Data Protection Laws, and taking into account the nature of the relevant Processing and the information available to Brightpearl, assist the Customer in: (a) ensuring sufficient security measures to protect the Personal Data; (b) notifying any Personal Data Breach to the Supervisory Authorities or relevant Data Subjects; (c) preparing data protection impact assessments; and (d) carrying out prior consultation of the Supervisory Authorities.

5.18 If Brightpearl receives deidentified information from the Customer, Brightpearl agrees that it will (a) take reasonable measures to ensure that deidentified information cannot be associated with a Data Subject or household, (b) publicly commit to maintain and use the deidentified information in deidentified form, and (c) not attempt to reidentify the deidentified information except for the sole purpose of determining whether Brightpearl’s deidentification processes satisfy the requirements of the Data Protection Laws.

5.19 Brightpearl shall not combine Personal Data with Personal Data Sage receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in applicable Data Protection Laws.

5.20 Brightpearl shall not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioural advertising for the benefit of a business in which no money is exchanged.

5.21 At the end of Brightpearl’s provision of the Services, Brightpearl shall, at the choice of the Customer, delete or return to the Customer all Personal Data Processed by Brightpearl as a Processor/Sub-Processor on behalf of the Customer and delete existing copies unless Applicable Law requires storage of the Personal Data.

Schedule 1 – Processing Particulars 

Categories of Data Subjects whose Personal Data is Processed

Personal Data submitted by the Customer or a Customer Affiliate to the Services, or otherwise shared with Brightpearl, as determined by the Customer or a Customer Affiliate in its/their discretion, specifically Personal Data relating to:

  • Employees, contractors, workers and other staff members;
  • Suppliers, customers, business partners, advisors or agents of the Customer or a Customer Affiliate (in each case where such parties are individuals);
  • Users (as defined in this DPA) to the extent not covered above; and
  • Other contacts of the Customer or Customer Affiliates (where these parties are individuals).

Categories of Personal Data Processed

Personal Data submitted to the Services, or otherwise shared with Brightpearl, as determined by the Customer or a Customer Affiliate in its discretion. This may include contact information, technical and authentication information, business and financial information, identification information, and profile information such as feedback, preferences, bank or transaction history, data captured through any integrations/specific additional functionality required, and inventory, order and warehouse information.

Sensitive Personal Data Processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive Personal Data (including “Special Category” data under the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) may at times be captured and transferred in connection with the Services, if shared by a Data Subject described above.

Brightpearl  ensures that it applies additional restrictions or safeguards with regard to Processing sensitive Personal Data, including by ensuring that the Processing of sensitive Personal Data is avoided wherever possible, accountability processes (for instance carrying out data protection impact assessments) are followed in relation to processing sensitive Personal Data, staff are provided with appropriate training on handling sensitive Personal Data, additional contractual and due diligence measures are applied where possible, and anonymisation, pseudonymisation and password-protection are applied to sensitive Personal Data where possible.

Frequency of the Processing

Continuous basis based on the Customer or Customer Affiliate’s use of the Services.

Nature of the Processing

The nature of the Processing of the Personal Data described above may include the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Purpose(s) of the Processing

Personal Data is Processed by Brightpearl in the capacity of a Processor (or Sub-Processor, where the Customer is a Processor) to provide, protect, support, enable, improve and maintain the Services in connection with the Agreement.

If the Customer opts to subscribe to, or interact with, any particular additional services or features (as described in the Agreement), Brightpearl may upload, copy and/or transfer Customer Personal Data to facilitate these options. If the Customer chooses to connect the Services to third-party products or Services, Brightpearl will use the Customer’s Personal Data to make that connection. Where Brightpearl receives Personal Data because of that connection, Brightpearl will use that Personal Data in line with the Agreement (including this DPA).

Brightpearl may additionally Process some Personal Data described in this Schedule to inform improvements that Brightpearl makes to its products and services, undertake internal research, and further develop its products.

Sub-Processors

Brightpearl uses the following sub-processors: Amazon Web Services, Google, Hubspot, Salesforce, Microsoft, Zoom, Intercom, Partnerstack, Snowflake, Rudderstack, Metabase, Hightouch, Zuora, Baremetrics, Cloudflare

Schedule 2 – Restricted Transfer Documentation

3.1 OPTIONS AND ANNEXES I, II AND III TO EU SCCS

OPTIONS:

Clause 7 (Docking Clause) – the optional docking clause shall be included.

Clause 9 (a) (Use of sub-processors) – option 2 shall apply and the specified time period shall be a reasonable time period.

Clause 11 (Redress) – the optional language shall not be included.

Clause 13 (Supervision) – the competent supervisory authority shall be the supervisory authority of: (a) the EU member state in which the data exporter is established; (b) if the data exporter does not have an EU establishment, the EU member state in which the data exporter’s representative is established; or (c) if the data exporter does not have an EU establishment and is not required to appoint a representative, one of the member states in which the relevant data subjects are located.

Clause 17 (Governing Law) – option 2 shall apply and the specified law shall be Irish law.

Clause 18 (Choice of Forum and Jurisdiction) – the courts of Ireland shall be specified.

The additional sections for the Processor to Processor module in clauses 14, 15 and 16 shall be included where the Processor to Processor module applies to transfer.

ANNEX I A: LIST OF PARTIES

Data exporter(s): Customer

Name and Address: as provided to Brightpearl

Contact person’s name, position and contact details: as provided to Brightpearl

Activities relevant to the data transferred under these Clauses: as provided to Brightpearl

Signature and date: as Agreement confirmed or executed by Customer

Role (controller/processor): Controller or Processor, depending upon Customer’s relationship with Data Subjects.

Data importer: Brightpearl, Inc. and possibly other importers in the Sage group from time to time (see signature pages)

Name: As below

Address: As below

Contact person’s name, position and contact details: Brightpearl Global Data Protection Officer – globalprivacy@sage.com

Activities relevant to the data transferred under these Clauses: Assisting in provision of the Services

Signature and date: As below

Role (controller/processor): Processor

ANNEX I B: DESCRIPTION OF TRANSFER

See Schedule 1. Additionally:

a. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): the Personal Data may be transferred on a continuous basis for the duration of the Services.
b. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: the Personal Data described in Schedule 1 shall be retained for as long as is necessary in order to provide the Services, and in order for the data importer to fulfil any applicable legal requirements or obligations.
c. For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing: the subject matter, nature and duration of sub-processing is as described in Schedule 1 and above.

ANNEX I C: COMPETENT SUPERVISORY AUTHORITY

Irish supervisory authority for transfers from EEA, or Switzerland supervisory authority for transfers from Switzerland

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES

Available at https://www.sage.com/en-gb/trust-security/

ANNEX III: LIST OF SUB-PROCESSORS

See Section 5 of DPA

3.2 PARTS 1 AND 2 OF UK ADDENDUM (defined terms used in this section shall have the meaning given to them in UK Addendum. If not defined in UK Addendum, they shall have the meaning given to them in the DPA).

Part 1: Tables

Table 1: Parties

Start date Start date of Agreement
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)
Parties’ details Customer As stated in section 3.1 of this Schedule 2.
Key Contact As provided to Brightpearl As stated in section 3.1 of this Schedule 2.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The version of the Approved EU SCCs which this Addendum is appended to.

 

 

Module Module in operation Clause 7 (Docking Clause) Clause 11
(Option)
Clause 9a (Prior Authorisation or General Authorisation) Clause 9a (Time period) Is personal data received from the Importer combined with personal data collected by the Exporter?
1 Module 2 Yes No General Authorisation Reasonable time period May occur from time to time, depending on Exporter’s requirements
2 Module 3 Yes No General Authorisation Reasonable time period May occur from time to time, depending on Exporter’s requirements

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in section 3.1 of this Schedule 2.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum:

Importer

  • Exporter

neither Party

3.3 PARTS 1 – 4 OF UK IDTA

Part 1: Tables

Table 1: Parties and signatures

See section 3.1 of this Schedule 2.

Table 2: Transfer Details 

UK country’s law that governs the IDTA: England and Wales
Primary place for legal claims to be made by the Parties England and Wales
The status of the Exporter See section 3.1 of this Schedule 2
The status of the Importer See section 3.1 of this Schedule 2
Linked Agreements (a) If the Importer is the Exporter’s Processor or Sub-Processor – the Agreement (including the DPA)

(b) If the Exporter is a Processor or Sub-Processor – the agreement(s) between the Exporter and the Party(s) which sets out the Exporter’s instructions for Processing the Transferred Data

Term The Importer may Process the Transferred Data for the following time period:

the period for which Linked Agreement (a) is in force

Ending the IDTA before the end of the Term The Parties can end the IDTA before the end of the Term by serving six months’ written notice, as set out in(How to end this IDTA without there being a breach) section.
Ending the IDTA when the Approved IDTA changes Which Parties may end the IDTA:Importer or Exporter
Can the Importer make further transfers of the Transferred Data? The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section: Transferring on the Transferred Data.
Specific restrictions when the Importer may transfer on the Transferred Data There are no specific restrictions.
Review Dates  The Parties must review the Security Requirements each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment.

Table 3: Transferred Data

Transferred Data See Schedule 1 of the DPA
Special Categories of Personal Data and criminal convictions and offences See Schedule 1 of the DPA
Relevant Data Subjects See Schedule 1 of the DPA
Purpose See Schedule 1 of the DPA

Table 4: Security Requirements

See Annex II of Schedule 2

Mandatory Clauses

The following are hereby incorporated: Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎5.4 of those Mandatory Clauses.